Feds: Androxgh0st Botnet Is Targeting AWS, Office 365, and Azure Credentials


Federal cybersecurity officials are warning server and website owners of a spike in Androxgh0st malware, which is targeting Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio credentials.

The botnet has been around since late 2022 and is often used to steal credentials for use in spam or crypto-mining. According to FortiGuard Labs, the botnet has control of approximately 30,000 devices as of this week, though that’s down from 50,000 in the first week of January.

The botnet is capable of abusing the Simple Mail Transfer Protocol (SMTP) as well as application programming interfaces (APIs), according to a report from the Cybersecurity and Infrastructure Security Agency (CISA). Bleeping Computer says SendGrid and Twilio credentials can be “used by threat actors to conduct spam campaigns impersonating the breached companies.”

CISA's advisory explains how to check whether your server is compromised and lists the alternative names under which Androxgh0st may appear. The FBI and CISA also posted several mitigations that organizations can take to protect themselves from the botnet. They include:

  • Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50.

  • Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it.

  • Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from ENV files and revoke them.

  • On a one-time basis for previously stored cloud credentials, and on an ongoing basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the ENV file for unauthorized access or use.

  • Scan the server’s file system for unrecognized PHP files.

  • Review outgoing GET requests (via cURL command) to file hosting sites.
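As an added example, not from the article or the CISA/FBI advisory, the following POSIX shell script checks several of the points above on a Linux web host: the flagged Apache versions, Laravel debug mode, credential-looking keys in the .env file, and recently changed PHP files. The file paths, the credential-key patterns, and the sample .env it builds are assumptions.

```shell
#!/bin/sh
# Added example, not from the CISA/FBI advisory or the article: a host-side
# audit for the hardening points listed above. Paths, the credential-key
# patterns and the sample .env below are assumptions.

# True (exit 0) when an Apache version string is one the advisory says must not run.
apache_version_flagged() {
    case "$1" in
        2.4.49|2.4.50) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the installed Apache version (e.g. "2.4.49"), parsed from the
# "Server version: Apache/2.4.x" line of `httpd -v`; empty if none is found.
installed_apache_version() {
    for bin in apache2 httpd; do
        command -v "$bin" >/dev/null 2>&1 || continue
        "$bin" -v 2>/dev/null | sed -n 's#^Server version: Apache/\([0-9.]*\).*#\1#p'
        return 0
    done
}

# True when a Laravel .env leaves the app in debug or a non-production mode.
laravel_debug_enabled() {
    grep -Eiq '^[[:space:]]*APP_DEBUG[[:space:]]*=[[:space:]]*"?true"?' "$1" ||
    grep -Eiq '^[[:space:]]*APP_ENV[[:space:]]*=[[:space:]]*"?(local|testing|development)"?' "$1"
}

# Prints names of .env variables that look like the cloud/SaaS credentials the
# botnet harvests, so each can be reviewed for misuse and then revoked.
env_credential_keys() {
    grep -Eo '^[[:space:]]*(AWS_[A-Z_]*|AZURE_[A-Z_]*|SENDGRID_[A-Z_]*|TWILIO_[A-Z_]*|MAIL_(USERNAME|PASSWORD))[[:space:]]*=' "$1" |
        sed 's/^[[:space:]]*//; s/[[:space:]]*=$//'
}

# Lists PHP files under a web root changed in the last N days (default 7):
# a starting point for spotting PHP files you did not deploy.
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}" 2>/dev/null
}

# Constructed sample .env exercising the checks; a real one sits in the app root.
SAMPLE_ENV=$(mktemp)
trap 'rm -f "$SAMPLE_ENV"' EXIT
printf '%s\n' 'APP_ENV=local' 'APP_DEBUG=true' 'AWS_ACCESS_KEY_ID=PLACEHOLDER' \
    'AWS_SECRET_ACCESS_KEY=PLACEHOLDER' 'SENDGRID_API_KEY=PLACEHOLDER' \
    'TWILIO_AUTH_TOKEN=PLACEHOLDER' 'MAIL_PASSWORD=PLACEHOLDER' > "$SAMPLE_ENV"
laravel_debug_enabled "$SAMPLE_ENV" && echo "WARN: debug or non-production mode set"
echo "Credential keys to review and revoke:"; env_credential_keys "$SAMPLE_ENV"
```

On a real host, run `apache_version_flagged "$(installed_apache_version)"` and `recent_php_files /var/www/html` (the web root is an assumption) alongside the .env checks.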
