UPDATED 19:04 EST / JANUARY 16 2024

Federal agencies warn that Androxgh0st malware operators are building a botnet

The U.S. Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have issued a warning that the hackers behind the Androxgh0st malware are creating a new, powerful botnet.

According to today’s joint advisory, Androxgh0st has been observed establishing a botnet for victim identification and exploitation in target networks. The Python-scripted malware primarily targets .env files that contain sensitive information, such as credentials for Amazon Web Services Inc. and Office 365. It exploits vulnerabilities in web applications and servers, particularly those using the Laravel framework or PHPUnit, and in certain versions of the Apache HTTP Server.

The advisory details the specific tactics, techniques and procedures employed by the threat actors. Those behind Androxgh0st have been using critical vulnerabilities, including one designated CVE-2017-9841, which allows remote PHP code execution via PHPUnit. Another exploit favored by the group, designated CVE-2021-41773, affects Apache web servers running versions 2.4.49 or 2.4.50, enabling path traversal attacks and potential remote code execution.

Androxgh0st’s capabilities include the misuse of SMTP for scanning and exploiting exposed credentials and application programming interfaces. The hackers can also deploy web shells for persistent access and control over compromised systems. The approach indicates a high level of sophistication and an ability to adapt to various security environments.

The advisory recommends several mitigation strategies to avoid being targeted by Androxgh0st. Key recommendations include keeping all operating systems, software and firmware updated, particularly updating vulnerable Apache server versions. Organizations are also advised to configure URLs to deny all requests by default unless specific access is necessary, thus reducing unnecessary exposure.

The FBI and CISA also emphasize the need for heightened vigilance regarding Laravel applications. Users should ensure these applications are not in debug or testing mode and should remove and revoke any cloud credentials stored in .env files. Additionally, organizations should regularly scan their servers for unrecognized PHP files and review outgoing GET requests, particularly those found accessing external file-hosting sites.
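The three checks the advisory calls for on Laravel hosts (no debug or testing mode, no cloud credentials left in .env, no unrecognized PHP files, and a review of outgoing GET requests to file-hosting sites) can be scripted. The following Python is an added example written for this page; it is not code from the article, from CISA or from the Laravel project. The .env text, file listings and outbound-request log lines are constructed for illustration, and the lists of credential keys and file-hosting domains are assumptions to be adapted to the environment.

```python
"""Defensive audit helpers for the Laravel-related Androxgh0st mitigations.

Added example, not part of the SiliconANGLE article or the FBI/CISA advisory.
All sample data below is constructed; key names, log format and the
file-hosting domain list are assumptions.
"""
from __future__ import annotations

import re
import urllib.parse
from typing import Iterable

# Keys whose presence in .env indicates stored cloud or mail credentials that
# the advisory says should be removed and revoked (assumed list; extend it).
CREDENTIAL_KEYS = (
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
    "MAIL_USERNAME", "MAIL_PASSWORD",
    "TWILIO_AUTH_TOKEN", "SENDGRID_API_KEY",
)

# Hostnames treated as external file-hosting sites (assumed list).
FILE_HOSTING_DOMAINS = ("pastebin.com", "transfer.sh", "anonfiles.com")

# Assumed log format for outbound requests: "... method=GET url=https://..."
OUTBOUND_RE = re.compile(r"method=(?P<method>[A-Z]+)\s+url=(?P<url>\S+)")


def parse_env(text: str) -> dict[str, str]:
    """Parse a Laravel-style .env: KEY=value lines, '#' comments, optional quotes."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def audit_env(text: str) -> list[str]:
    """Findings for debug/testing mode and for credentials stored in .env."""
    env = parse_env(text)
    findings: list[str] = []
    if env.get("APP_DEBUG", "").lower() == "true":
        findings.append("APP_DEBUG=true: debug mode exposes stack traces and configuration")
    if env.get("APP_ENV", "").lower() in ("testing", "local", "debug"):
        findings.append(f"APP_ENV={env['APP_ENV']}: application is not in production mode")
    for key in CREDENTIAL_KEYS:
        if env.get(key):  # empty values are not stored credentials
            findings.append(f"{key} is set: remove it from .env and revoke the credential")
    return findings


def unrecognized_php_files(observed: Iterable[str], baseline: Iterable[str]) -> list[str]:
    """PHP files present on the server but absent from the known-good manifest.

    Only '.php' is matched here; add other extensions the server executes as PHP.
    """
    known = set(baseline)
    return sorted(p for p in observed if p.endswith(".php") and p not in known)


def suspicious_outbound(lines: Iterable[str]) -> list[str]:
    """Outgoing GET requests whose destination host is an external file-hosting site."""
    hits: list[str] = []
    for line in lines:
        m = OUTBOUND_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        host = urllib.parse.urlsplit(m.group("url")).hostname or ""
        if any(host == d or host.endswith("." + d) for d in FILE_HOSTING_DOMAINS):
            hits.append(m.group("url"))
    return hits


# Constructed sample inputs.
SAMPLE_ENV = """
APP_NAME=Shop
APP_ENV=local
APP_DEBUG=true
APP_KEY=base64:constructed-app-key
AWS_ACCESS_KEY_ID=CONSTRUCTED_KEY_ID
AWS_SECRET_ACCESS_KEY="constructed-secret"
MAIL_PASSWORD=
"""
SAMPLE_OBSERVED = ["public/index.php", "public/uploads/x.php", "app/Http/Kernel.php", "public/robots.txt"]
SAMPLE_BASELINE = ["public/index.php", "app/Http/Kernel.php"]
SAMPLE_OUTBOUND = [
    "2024-01-16T19:04:00Z host=web01 method=GET url=https://api.example.com/v1/status",
    "2024-01-16T19:04:05Z host=web01 method=GET url=https://pastebin.com/raw/constructed",
    "2024-01-16T19:04:09Z host=web01 method=POST url=https://transfer.sh/upload",
]

if __name__ == "__main__":
    for finding in audit_env(SAMPLE_ENV):
        print("env:", finding)
    for path in unrecognized_php_files(SAMPLE_OBSERVED, SAMPLE_BASELINE):
        print("unrecognized PHP file:", path)
    for url in suspicious_outbound(SAMPLE_OUTBOUND):
        print("outbound GET to file-hosting site:", url)
```

The baseline manifest for `unrecognized_php_files` should come from a trusted source such as the deployment artifact or version control, not from the live server, and a match in `suspicious_outbound` is a lead to review rather than proof of compromise.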

Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4 Inc., told SiliconANGLE that one takeaway that appears only tangentially in the advisory, but is crucial to understand, is how poorly many organizations patch vulnerabilities.

“This particular attack is using unpatched vulnerabilities first announced (and patched) three to seven years ago,” Grimes said. “They are still unpatched and still being exploited. It goes to show that every software vulnerability has some nonminor percentage of people who will never apply the patch in a timely manner. That’s why we need to reduce the number of serious vulnerabilities that appear in software and firmware.”

Image: CISA
