FBI and CISA Issue Urgent Warning on Androxgh0st Botnet Targeting Cloud Credentials

The FBI and CISA have issued a joint cybersecurity advisory on the Androxgh0st botnet, a Python-scripted malware first documented by Lacework Labs in 2022.

The malware scans the internet for web servers and applications running software with known remote code execution flaws, in particular outdated PHPUnit (CVE-2017-9841), PHP web frameworks such as Laravel (CVE-2018-15133), and the Apache HTTP Server (CVE-2021-41773). Its primary objective is to locate and read .env files, the configuration files in which Laravel and similar frameworks keep secrets, including cloud credentials. The credentials it harvests are chiefly those for AWS, SendGrid, Twilio and Microsoft Office 365.

Androxgh0st is recognisable in web server logs by its probes for specific paths, notably GET requests for /.env and requests for the PHPUnit eval-stdin.php endpoint. Once it retrieves a .env file it extracts the credentials stored there. The malware also self-propagates: stolen AWS keys are used to create new IAM users and EC2 instances, which in turn scan the internet for further vulnerable targets. CISA and the FBI advise operators to keep Apache, PHP and their web frameworks up to date, to review cloud credentials for unauthorized use and rotate any that may have been exposed (patching alone does not revoke keys that have already been stolen), and to configure web servers to deny requests to all URIs by default so that files such as .env are never served from the web root.
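As an added illustration of the detection and credential-review steps described above (example code written for this article, not from the advisory or from Lacework Labs): the script below scans constructed Apache access-log lines for the two request paths associated with Androxgh0st reconnaissance and, where a request for /.env was answered with HTTP 200, lists which credential keys in a constructed .env file must be rotated. The log regex, the list of credential key names and the sample log lines are assumptions of the example, chosen to match the services named in the advisory.

```python
import re

# Apache "combined" log format. This regex is an assumption of the example
# and covers only the fields the scanner needs; custom formats may differ.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request paths associated with Androxgh0st reconnaissance: a probe for a
# web-exposed Laravel .env file and a probe for the PHPUnit eval-stdin.php
# endpoint (CVE-2017-9841). eval-stdin.php is matched anywhere in the URI
# because it is probed under many vendor directory prefixes.
INDICATORS = {
    "env_probe": re.compile(r"^/\.env(?:[?#]|$)"),
    "phpunit_eval_stdin": re.compile(r"/phpunit/src/Util/PHP/eval-stdin\.php", re.I),
}

# Laravel .env keys whose values are cloud, mail or SMS credentials.
# Assumed key set for this example, based on the services the advisory names.
CREDENTIAL_KEYS = (
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
    "MAIL_USERNAME", "MAIL_PASSWORD", "SENDGRID_API_KEY",
    "TWILIO_SID", "TWILIO_AUTH_TOKEN",
)


def scan_access_log(lines):
    """Return one finding per request whose path matches an indicator.

    A /.env probe answered with 200 means the file was served and its
    secrets must be treated as stolen ('critical'); any other hit is 'recon'.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised log line; skip rather than guess
        path = m.group("path")
        for name, pattern in INDICATORS.items():
            if pattern.search(path):
                served = m.group("status") == "200"
                findings.append({
                    "ip": m.group("ip"),
                    "method": m.group("method"),
                    "path": path,
                    "indicator": name,
                    "status": int(m.group("status")),
                    "severity": "critical" if name == "env_probe" and served else "recon",
                })
    return findings


def credentials_to_rotate(env_text):
    """Parse KEY=value lines of a .env file (ignoring blanks and '#' comments)
    and return the credential keys that carry a non-empty value."""
    present = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        value = value.strip().strip('"').strip("'")
        if key in CREDENTIAL_KEYS and value:
            present.append(key)
    return present


# Constructed sample log lines for this example; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:03:14:07 +0000] "GET /.env HTTP/1.1" 200 612 "-" "python-requests/2.31.0"',
    '203.0.113.5 - - [10/Jan/2024:03:14:09 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [10/Jan/2024:03:15:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:03:16:22 +0000] "GET /.env HTTP/1.1" 403 199 "-" "python-requests/2.31.0"',
]

# Constructed .env content for this example; the values are placeholders.
SAMPLE_ENV = """APP_NAME=Shop
APP_KEY=base64:constructedexamplekey
AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000
AWS_SECRET_ACCESS_KEY=constructed-secret
MAIL_USERNAME=apikey
MAIL_PASSWORD=
SENDGRID_API_KEY="SG.constructed"
"""

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['severity']:8} {h['ip']} {h['method']} {h['path']} -> {h['status']} ({h['indicator']})")
    if any(h["severity"] == "critical" for h in hits):
        print("rotate:", ", ".join(credentials_to_rotate(SAMPLE_ENV)))
```

On the sample data the scanner reports the served /.env request as critical, the eval-stdin.php probe and the blocked /.env request as reconnaissance, and names the four populated credential keys to rotate; the empty MAIL_PASSWORD is skipped. A 403 on /.env shows the deny-by-default configuration working, but the repeated probes from the same address are still worth blocking at the edge.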

According to Lacework Labs' analysis, around 68% of the SMTP abuse attributed to Androxgh0st originated from Windows systems, and 87% of the attacks were carried out with Python tooling. At its peak in early January the botnet comprised nearly 50,000 infected devices; that count has since fallen to around 9,300. Experts attribute its rapid spread to poor patch management and the large number of internet-facing servers still running outdated software.

Attackers operating Androxgh0st do not only use the stolen mail credentials for spam campaigns; the same API access can expose personally identifiable information (PII) held in the compromised services. The crypto industry has been hit particularly hard, as criminals go after users' PII stored in third-party services such as SendGrid and Twilio. That information is compiled into "fullz" dossiers that are sold on darknet markets or used in targeted phishing, where the stolen details lend the lure credibility. The FBI and CISA stress that closing these vulnerabilities is necessary to reduce the risk of data theft and identity-related crime.