Organizations worldwide have been warned about a campaign leveraging Androxgh0st malware, which steals credentials for high-profile cloud services such as AWS, Microsoft 365, Twilio, and SendGrid.

A joint advisory issued by the FBI and CISA reveals that the campaign targets Apache web servers and websites built on the popular Laravel PHP web application framework for initial access.

More in detail

  • The advisory highlights that the threat actors scan for websites and servers vulnerable to an older Laravel deserialization-of-untrusted-data flaw (CVE-2018-15133) and use it to drop the malware. Exploiting that flaw requires the application's APP_KEY, which is exactly the kind of secret a leaked .env file provides.
  • Once deployed, Androxgh0st searches for .env files, which Laravel applications use to hold configuration secrets, and harvests usernames, passwords, API keys and other credentials for email accounts and enterprise applications.
  • The stolen credentials are later used to create fake pages on compromised websites, giving the actors a backdoor through which they can deploy additional malicious tools or access databases containing sensitive information.
  • The actors have also been observed using stolen AWS credentials to create new IAM users and user policies in the victim's AWS account.

What else?

In many instances, the attackers were also found exploiting other vulnerabilities, such as a remote code execution vulnerability in the PHPUnit testing framework (CVE-2017-9841) and a path traversal vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773), to expand their attack scope.
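The .env probing described above and the two additional CVEs share one useful property for defenders: each shows up as a recognisable request in the web server's access log before any credential is stolen. The script below is an added example, not code from the advisory or from the Androxgh0st operators, that flags such requests in Apache combined-format log lines. The log lines are constructed for the example (documentation IP ranges, not real traffic), and the request signatures for CVE-2017-9841 (the PHPUnit eval-stdin.php entry point) and CVE-2021-41773 (partially URL-encoded ".%2e" traversal segments) come from public knowledge of those flaws, not from this article; treat them as assumptions to be tuned against your own traffic.

```python
"""Flag Androxgh0st-style probes in Apache access logs (added example, not from the advisory)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format). Addresses are from
# documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2024:10:01:02 +0000] "GET /api/.env HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2024:10:01:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Jan/2024:10:02:10 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.88"
192.0.2.5 - - [16/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [16/Jan/2024:10:03:01 +0000] "GET /assets/app.js HTTP/1.1" 200 20480 "https://example.test/" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Request signatures (assumptions based on public descriptions of the CVEs, not this article).
ENV_PROBE_RE = re.compile(r'(^|/)\.env(\.[\w.-]+)?$')               # /.env, /api/.env, /.env.bak
PHPUNIT_RE = re.compile(r'/phpunit/.*eval-stdin\.php$')              # CVE-2017-9841 entry point
TRAVERSAL_RE = re.compile(r'(\.%2e|%2e\.|%2e%2e)', re.IGNORECASE)   # CVE-2021-41773 style encoding


@dataclass
class Finding:
    ip: str
    rule: str
    target: str
    status: int


def classify(target: str) -> Optional[str]:
    """Return the matching rule name for a raw request target, or None."""
    raw_path = target.split("?", 1)[0]
    # Traversal is matched on the raw target: the odd encoding is the signal,
    # and decoding first would hide it.
    if TRAVERSAL_RE.search(raw_path):
        return "APACHE_TRAVERSAL"
    # The other two are matched after decoding so that %2Eenv is still caught.
    path = unquote(raw_path)
    if PHPUNIT_RE.search(path):
        return "PHPUNIT_RCE"
    if ENV_PROBE_RE.search(path):
        return "ENV_PROBE"
    return None


def scan_log(text: str) -> List[Finding]:
    """Parse each log line and keep those whose request target matches a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format requests
        rule = classify(m["target"])
        if rule:
            findings.append(Finding(m["ip"], rule, m["target"], int(m["status"])))
    return findings


def served_env_files(findings: List[Finding]) -> List[Finding]:
    """The findings that matter most: .env requests the server answered with 200.

    A 404 means a scanner knocked; a 200 means the file, and every credential
    in it, should be assumed stolen and rotated.
    """
    return [f for f in findings if f.rule == "ENV_PROBE" and f.status == 200]


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.ip:15} {f.rule:17} {f.status} {f.target}")
    for f in served_env_files(results):
        print(f"ROTATE CREDENTIALS: {f.target} was served to {f.ip}")
```

Run against a real log, the status code is the part to act on: probes answered with 404 or 403 are reconnaissance, while an .env request answered with 200 means the secrets in that file, including any AWS, Twilio or SendGrid keys, should be treated as already in the attacker's hands.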

Furthermore, the agencies note that stolen Twilio and SendGrid credentials can be used to run spam campaigns that impersonate the breached companies.

Conclusion

The agencies have released IOCs associated with the Androxgh0st operation along with recommended mitigations; in particular, any credentials found in an exposed .env file should be treated as compromised and rotated, not merely hidden from the web root. CISA has also added the Laravel deserialization-of-untrusted-data flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving federal civilian agencies until February 6, 2024 to remediate it. The other two vulnerabilities were already in the catalog.
Cyware Publisher