CISA: AWS, Microsoft 365 Accounts Under Active 'Androxgh0st' Attack

Cyberattackers are targeting Apache webservers and websites using the popular Laravel Web application framework in order to steal credentials for the apps.
January 17, 2024
The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert about a malware campaign targeting Apache webservers and websites using the popular Laravel Web application framework, leveraging known bugs for initial compromise.
The end goal of the campaign is to steal credentials to high-profile applications such as Amazon Web Services, Microsoft 365, Twilio, and SendGrid, so the threat actors can access sensitive data in the apps or use the apps for other malicious operations.
"For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies," the two agencies said. In many incidents the adversaries have also used the stolen credentials to create new AWS instances for additional, malicious scanning activity, they noted.
The campaign involves a known malware threat dubbed "Androxgh0st" that Lacework first warned about in December 2022. The malware, written in Python, is designed to scan for and extract application secrets such as credentials and API keys from Laravel .env files.
Laravel is an open source PHP Web application framework that many developers use for common Web development tasks without having to write low-level code from scratch. Laravel .env files are a popular adversary target because they often contain credentials and other information that attackers can use to access and abuse high-value apps, such as AWS, Microsoft 365, and Twilio.
Lacework identified the malware as capable of scanning for and exploiting exposed credentials and APIs and of deploying Web shells on compromised systems.
This is not the first big campaign for the malicious code; last March, Fortinet reported observing threat actors using Androxgh0st to target Laravel .env files on an average of 40,000 Fortinet devices per day.
According to the FBI and CISA, Androxgh0st threat actors are also actively scanning for websites with specific vulnerabilities in them, particularly CVE-2017-9841, a critical remote code execution (RCE) vulnerability in PHPUnit, a module for testing PHP code.
They are exploiting the vulnerability to drop Androxgh0st and other malware on affected websites and make them part of a botnet, used to scan for and gather information on other potential targets. CVE-2017-9841 is a widely targeted vulnerability from 2017, with vendors like Imperva reporting millions of attacks on affected systems through at least early 2020.
In many instances, the Androxgh0st adversaries have also been observed scanning for Web servers running Apache HTTP Server versions 2.4.49 or 2.4.50 that are vulnerable to CVE-2021-41773, a path traversal vulnerability from 2021 that allows for RCE. CISA has previously warned about CVE-2021-41773 being among the list of vulnerabilities that China-backed threat actors tend to exploit the most in their campaigns.
The FBI and CISA alert described the threat actors as using the botnet to scan for websites using the Laravel Web application and to then determine if the domain's root .env file is exposed.
"If the .env file is exposed, threat actors will issue a GET request to the /.env URI to attempt to access the data on the page," the two agencies said. "Alternatively, Androxgh0st may issue a POST request to the same URI with a POST variable named 0x[] containing certain data sent to the Web server." 
If either method elicits a successful response, the threat actors are able to look for secrets in the .env file including usernames and passwords to AWS, email accounts and other enterprise apps.
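The probing pattern the agencies describe leaves a straightforward trace in ordinary web server access logs. The following detection snippet is an added example, not code from the advisory or from any vendor: it parses Apache "combined"-format log lines (constructed samples, using documentation IP ranges) and flags requests for a .env file, escalating any 2xx response to "exposed" because it means the server actually handed the file back. The 0x[] POST variable mentioned in the alert lives in the request body, which standard access logs do not record, so this check keys on the URI and method alone.

```python
import re
from typing import Dict, List

# Apache/Nginx "combined" access-log format (assumed layout; sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one access-log line, or {} if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}

def is_env_probe(entry: Dict[str, str]) -> bool:
    """True if the request targets a .env file at any directory depth, ignoring any query string."""
    path = entry.get("path", "").split("?", 1)[0]
    return path == "/.env" or path.endswith("/.env")

def flag_env_probes(lines: List[str]) -> List[Dict[str, object]]:
    """Flag .env requests; a 2xx status means the file was served, so rate it 'exposed' rather than 'probe'."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_env_probe(entry):
            status = int(entry["status"])
            severity = "exposed" if 200 <= status < 300 else "probe"
            hits.append({"ip": entry["ip"], "method": entry["method"],
                         "path": entry["path"], "status": status, "severity": severity})
    return hits

# Constructed sample log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [17/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [17/Jan/2024:10:01:03 +0000] "POST /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [17/Jan/2024:10:03:00 +0000] "GET /app/.env?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_env_probes(SAMPLE_LOG):
        print(f"{hit['severity']:8} {hit['ip']:15} {hit['method']:5} {hit['path']} -> {hit['status']}")
```

Any "exposed" hit should be treated as a credential-compromise event for every secret in that .env file, which is exactly the follow-on risk the alert describes.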
To protect against this and similar threats, CISA recommended the following best practices:
Prioritize patching known exploited vulnerabilities in Internet-facing systems;
Review and ensure only necessary servers and services are exposed to the Internet;
And review platforms or services that have credentials listed in .env files for unauthorized access or use.
Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.