Tag Archive for: credentials

Androxgh0st Botnet Malware Steals AWS, Microsoft Credentials

/in


Threat actors use botnet malware to gain access to the network of compromised systems that enable them to perform several types of illicit activities.

They get attracted to botnet malware due to its distributed and anonymous infrastructure, which makes it stealthy and sophisticated.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently discovered that hackers are actively deploying Androxgh0st botnet malware that steals AWS and Microsoft credentials.

Document

Free Webinar

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Androxgh0st Botnet Malware

Androxgh0st malware builds a botnet to find and exploit victims in target networks. It’s a Python-scripted threat targeting .env files with sensitive data, like credentials for AWS, Office 365, SendGrid, and Twilio. 

This botnet malware, “Androxgh0st,” also misuses SMTP for scanning, exploiting credentials and APIs, and deploying web shells on compromised targeted systems.

To scan for websites with vulnerabilities, Androxgh0st malware uses scripts by exploiting CVE-2017-9841 to run PHP code remotely via PHPUnit.

It targets /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI on websites with exposed /vendor folders, which allows threat actors to execute code. 

Not only that, but this malware also enables downloading malicious files, setting up fake pages for backdoor access, and accessing databases in cyber operations.

The malware targets the .env files for credentials, and to scan Laravel web applications, it forms a botnet.

Threat actors issue GET/POST requests to /.env URI by searching for usernames, passwords, and more. In debug mode, they use a POST variable (0x[]) as an identifier. 

If successful, they access email, AWS credentials, and the Laravel application key. 

Besides this, by exploiting CVE-2018-15133, they encrypt PHP code to pass…

Source…

Androxgh0st Malware Botnet Steals AWS, Microsoft Credentials and More

/in


The Federal Bureau of Investigation and Cybersecurity & Infrastructure Security Agency warned in a joint advisory about a threat actor deploying a botnet that makes use of the Androxgh0st malware. This malware is capable of collecting cloud credentials, such as those from AWS or Microsoft Azure and more, abusing the Simple Mail Transfer Protocol, and scanning for Amazon Simple Email Service parameters.

What is the Androxgh0st malware?

The Androxgh0st malware was exposed in December 2022 by Lacework, a cloud security company. The malware is written in Python and is primarily used to steal Laravel.env files, which contain secrets such as credentials for high-profile applications. For instance, organizations can integrate applications and platforms such as AWS, Microsoft Office 365, SendGrid or Twilio to the Laravel framework, with all of the applications’ secrets being stored in the .env file.

The botnet hunts for websites using the Laravel web application framework before determining if the domain’s root level .env file is exposed and contains data for accessing additional services. The data in the .env file might be usernames, passwords, tokens or other credentials.

The cybersecurity company Fortinet exposed telemetry on Androxgh0st, which shows more than 40,000 devices infected by the botnet (Figure A).

Figure A

Graph showing number of devices infected by Androxgh0st.
Number of devices infected by Androxgh0st. Image: Fortinet

The FBI/CISA advisory states: “Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment.”

How can Androxgh0st malware exploit old vulnerabilities?

In addition, Androxgh0st can access the Laravel application key; if that key is exposed and accessible, the attackers will try to use it to encrypt PHP code that is passed to the website as a value for the XSRF-TOKEN variable. This is an attempt to exploit the CVE-2018-15133 vulnerability in some versions of the Laravel web application framework. A successful attempt allows the attacker to remotely upload files to the website. CISA added the CVE-2018-15133 Laravel…

Source…

No secrets or stored credentials with Badge’s new authentication system

/in


Badge Inc., a digital privacy firm founded by MIT cryptographers, is celebrating the launch of its patented authentication software, which allows users to enroll once and authenticate across devices thereafter without re-registration. According to a press release, the biometric public key system is easily integrated with leading digital identity providers, and eliminates the risk of centrally stored personal identity information and biometric data being exposed to breaches, thus rendering passwords, knowledge-based authentication (KBA) and biometric credential storage obsolete.

“The problem of storing credentials has vexed the security community for decades,” says Ray Rothrock, Badge advisor, venture capitalist and former CEO of Red Seal. According to Badge, by doing away with stored credentials the system eliminates the target of 49 percent of all data breaches. “The pervasive concern of PII being in the open and unprotected is over,” says Rothrock. “Badge enables identity without secrets.”

The product does so by letting users derive private keys on the fly using their biometrics and factors of choice, without having to rely on hardware tokens or secrets. It also dodges the problem of on-device authentication that locks users to a specific device that can be lost or rendered inoperable, leading to cumbersome account recovery processes. Per the release, users enroll once then “seamlessly authenticate across any device using authentication factors that are unique and inherent to them, including biometric factors such as fingerprint or face. These biometric factors can be combined with other factors such as passive attributes, attestation signals, PINs, etc.,” for an MFA method that does not rely on a specific device or token.

“You are your token”

Tina P. Srivastava, co-founder of Badge and an MIT aerospace PhD, says Badge’s core mission is to move the trust-anchor for digital identities to the human instead of hardware. “After losing my own identity in a breach,” says Srivastava, “we went back to the fundamentals. We relied on math to solve the problem and used cryptography to build a user-centric solution that makes people their own…

Source…

Feds: Androxgh0st Botnet Is Targeting AWS, Office 365, and Azure Credentials

/in


Federal cybersecurity officials are warning server and website owners of a spike in Androxgh0st malware, which is targeting Amazon Web Services (AWS), Microsoft Office 365, SendGrip, and Twilio credentials.

The botnet has been around since late 2022 and is often used to steal credentials for use in spam or crypto-mining. According to FortiGuard Labs, the botnet has control of approximately 30,000 devices as of this week, though that’s down from 50,000 in the first week of January.

The botnet is capable of abusing the Simple Mail Transfer Protocol (SMTP) as well as application programming interfaces (APIs), according to a report from the Cybersecurity and Infrastructure Security Agency (CISA). Bleeping Computer says SendGrip and Twilio credentials can be “used by threat actors to conduct spam campaigns impersonating the breached companies.”

Recommended by Our Editors

CISA outlines how to check and see if your server is compromised and alternative monikers that you may see instead of Androxgh0st. The FBI and CISA also posted several mitigations that organizations can take to ensure that they stay safe from the botnet. They include:

  • Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50.

  • Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it.

  • Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from ENV files and revoke them.

  • On a one-time basis for previously stored cloud credentials, and on an ongoing basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the ENV file for unauthorized access or use.

  • Scan the server’s file system for unrecognized PHP files.

  • Review outgoing GET requests (via cURL command) to file hosting sites.

Like What You’re Reading?

Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, deals, or affiliate links….

Source…