Attackers are using known vulnerabilities that have been public for several years to deploy malware and build a botnet for stealing cloud credentials, according to the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).
In a joint advisory released on January 16, the agencies said that the malware, called Androxgh0st, primarily targets “.env” files that contain credentials for AWS, Microsoft Office 365, SendGrid, and Twilio. The malware, which is written in Python, can be used to scan for and abuse stolen credentials, deploy a web shell, execute code remotely, steal confidential data, and create new users and AWS instances.
For instance, if an attacker successfully compromises an AWS account through a vulnerable website, they may create new users and modify user permissions. The operators of Androxgh0st have also been observed creating new AWS instances to carry out further scanning.
The attackers behind Androxgh0st favor three old vulnerabilities for which patches were released long ago: CVE-2017-9841 (a vulnerability in PHPUnit that allows remote code execution), CVE-2018-15133 (a vulnerability in the Laravel web application framework that allows remote code execution through unsafe deserialization), and CVE-2021-41773 (a vulnerability in Apache HTTP Server that allows remote code execution).
CVE-2017-9841 enables remote execution of PHP code through a malicious HTTP POST request, allowing attackers to download files from compromised websites. Attackers can also create fake pages to trick users into downloading additional malicious files and to gain access to databases.
Androxgh0st also scans for Laravel websites and targets their “.env” files, using GET or POST requests to steal credentials and tokens.
The third method exploits a vulnerability in Apache HTTP Server versions 2.4.49 and 2.4.50. Attackers scan for URLs that are not protected by the “Require all denied” directive and do not include Common Gateway Interface (CGI) scripts. This vulnerability allows them to execute code remotely on the server.
The advisory issued by the FBI and CISA includes a list of indicators of compromise for Androxgh0st. To reduce the risk of infection, the agencies recommend ensuring that Apache servers are not running the vulnerable versions 2.4.49 or 2.4.50. It is also important to confirm that the default configuration for all URIs denies requests unless access has been explicitly granted.
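As an added defender-side example (not code from the advisory or from the agencies), the following script triages web-server access logs for the two request patterns described above, probes for “.env” files and for the PHPUnit eval-stdin endpoint behind CVE-2017-9841, and checks a Server header for the affected Apache releases. The log lines are constructed samples; a 2xx response to a “.env” probe means the file was actually served and the credentials in it should be treated as compromised.

```python
import re

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [16/Jan/2024:10:01:03 +0000] "POST /.env HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.7 - - [16/Jan/2024:10:02:10 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 500 0 "-" "curl/8.0"
192.0.2.9 - - [16/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request paths tied to the techniques in the advisory:
# .env credential harvesting and the PHPUnit eval-stdin RCE (CVE-2017-9841).
SUSPICIOUS = {
    "env_file": re.compile(r"(^|/)\.env(\.[\w.-]+)?$"),          # .env, .env.bak, ...
    "phpunit_eval_stdin": re.compile(r"/phpunit/.*/eval-stdin\.php$", re.I),
}

def classify(path):
    """Return the label of the first matching suspicious pattern, or None."""
    for label, rx in SUSPICIOUS.items():
        if rx.search(path):
            return label
    return None

def triage(log_text):
    """Return a list of dicts describing suspicious requests found in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop any query string before matching
        label = classify(path)
        if label is None:
            continue
        status = int(m["status"])
        # A 2xx on a .env probe means the file was served: rotate the secrets in it.
        served = label == "env_file" and 200 <= status < 300
        hits.append({"ip": m["ip"], "method": m["method"], "path": path,
                     "status": status, "label": label, "env_served": served})
    return hits

VULNERABLE_APACHE = {"2.4.49", "2.4.50"}  # releases affected by CVE-2021-41773

def apache_version_vulnerable(server_string):
    """True if a Server header or 'httpd -v' banner names an affected release."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", server_string)
    return bool(m) and m.group(1) in VULNERABLE_APACHE
```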