CISA: Androxgh0st Malware Poses Serious Threat to Microsoft 365 and AWS Credentials


Key Takeaways:

  • The US Cybersecurity and Infrastructure Security Agency (CISA) and FBI have jointly issued a warning about the emergence of the Androxgh0st malware.
  • This Python-based malware targets vulnerable Apache web servers and websites built on the Laravel web application framework.
  • The CISA and FBI have urged administrators to adhere to recommended best practices to mitigate the potential impact of Androxgh0st malware attacks.

The US Cybersecurity and Infrastructure Security Agency (CISA) and FBI have issued a joint advisory on the Androxgh0st malware. The campaign lets threat actors steal credentials and deploy further malicious payloads, and it specifically targets vulnerable Apache web servers and the websites they host.

The malware dubbed “Androxgh0st” was first documented by the cybersecurity firm Lacework in December 2022. The Python-based malware targets Apache web servers and websites that use the Laravel web application framework. It lets attackers harvest data (such as credentials and API keys) from Laravel .env files and deploy web shells on vulnerable systems. A Laravel .env file holds the application's configuration secrets, including credentials that can grant access to Microsoft 365, Amazon Web Services (AWS), and other high-value services.

“If the .env file is exposed, threat actors will issue a GET request to the /.env URI to attempt to access the data on the page,” the CISA and FBI explained. “Alternatively, Androxgh0st may issue a POST request to the same URI with a POST variable named 0x[] containing certain data sent to the Web server.”

According to the CISA and FBI, the threat actors are actively targeting web servers and websites susceptible to three vulnerabilities that lead to remote code execution. The first, CVE-2017-9841, is a critical remote code execution flaw in PHPUnit, reachable through the eval-stdin.php script when the vendor directory is exposed to the web. CVE-2021-41773 is a path traversal vulnerability in Apache HTTP Server 2.4.49 that also permits code execution where CGI scripts are enabled. Lastly, CVE-2018-15133 is a deserialization flaw in the Laravel framework that gives an attacker who holds the application's APP_KEY (one of the values stored in .env) remote code execution.
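The request patterns described above (GET or POST to /.env, probes for PHPUnit's eval-stdin.php, encoded dot-segment traversal against Apache) are all visible in a web server's access log. The following is an added detection example, not code from the CISA/FBI advisory or from Lacework; the log lines are constructed in the Apache "combined" format, the rule names are this example's own, and the key distinction it draws is between a blocked probe (403/404) and a real leak (a 200 on /.env, after which every credential in the file must be rotated).

```python
"""Flag Androxgh0st-style probes in Apache access logs.

Added example; not the advisory's or Lacework's code. Sample log lines are
constructed for illustration and use RFC 5737 documentation addresses.
"""
import re
from dataclasses import dataclass

# Apache "combined" log format:
# host ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Rules map to the behaviour described in the advisory. Rule names are
# this example's own labels, not identifiers from the advisory.
RULES = [
    # GET or POST to /.env (a static file never legitimately receives POST,
    # so the method is reported but both are flagged)
    ("env-file-probe", re.compile(r'^/\.env(\?|$)')),
    # PHPUnit eval-stdin.php, the CVE-2017-9841 entry point
    ("phpunit-eval-stdin", re.compile(
        r'/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php', re.I)),
    # URL-encoded dot segments against cgi-bin, as used for CVE-2021-41773;
    # Apache logs the raw request line, so the %2e survives into the log
    ("apache-cgi-traversal", re.compile(r'/cgi-bin/(\.|%2e)%2e/', re.I)),
]


@dataclass
class Finding:
    ip: str
    rule: str
    method: str
    path: str
    status: int


def scan_line(line):
    """Return a Finding for one log line, or None if it matches no rule."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    for name, pattern in RULES:
        if pattern.search(path):
            return Finding(m.group("ip"), name, m.group("method"),
                           path, int(m.group("status")))
    return None


def scan(lines):
    """Scan an iterable of log lines and collect all findings."""
    return [f for f in (scan_line(line) for line in lines) if f]


def exposed_env(findings):
    """Findings where the server actually served /.env (HTTP 200).

    A 403 or 404 is a failed probe; a 200 means the secrets left the box and
    every credential in that file should be treated as compromised.
    """
    return [f for f in findings
            if f.rule == "env-file-probe" and f.status == 200]


def probing_ips(findings):
    """Sorted list of source addresses that triggered any rule."""
    return sorted({f.ip for f in findings})


# Constructed sample log (not a real capture).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jan/2024:10:01:03 +0000] "POST /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jan/2024:10:01:05 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Jan/2024:10:02:11 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 400 226 "-" "curl/7.68.0"',
    '192.0.2.44 - - [16/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.ip:15} {f.rule:22} {f.method:4} {f.status} {f.path}")
    for f in exposed_env(found):
        print(f"LEAK: {f.ip} retrieved /.env; rotate every credential in it")
```

The POST variant the advisory mentions (a `0x[]` form field) is only visible if request bodies are captured, which the access log does not do; a POST to /.env is flagged here on the method alone, since a static file should never accept one. Run it against a real log with `scan(open("access.log"))` and act first on anything `exposed_env` returns.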

Best practices to protect against Androxgh0st attacks

CISA has detailed several best practices to help system administrators limit the impact of Androxgh0st in enterprise environments. The first recommendation is to keep all Internet-facing systems, and the software running on them, up to date, since the campaign relies on known, patched vulnerabilities.

Additionally, IT admins should regularly review and limit the exposure of servers and services to reduce the attack surface, so that files such as .env are never reachable from the web. CISA also advises reviewing every platform or service whose credentials appear in a .env file for unauthorized access or use, and treating the contents of an exposed .env file as compromised: remove cloud credentials from the file and revoke them.
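As an added example of the "limit exposure" recommendation (not configuration from the advisory), here is the Apache virtual-host layout that leaves a Laravel .env file reachable beside the corrected one. The path `/var/www/app` is an assumed install location; Laravel keeps .env in the project root and expects only its `public/` directory to be served.

```apache
# WEAK: DocumentRoot is the Laravel project root, so a request for /.env
# resolves to /var/www/app/.env and, absent any other rule, is served as-is.
<VirtualHost *:443>
    ServerName app.example.com
    DocumentRoot /var/www/app
</VirtualHost>

# CORRECTED: serve only Laravel's public/ directory. .env, vendor/ (and
# therefore PHPUnit's eval-stdin.php), storage/ and .git now sit above the
# web root and cannot be requested at all.
<VirtualHost *:443>
    ServerName app.example.com
    DocumentRoot /var/www/app/public
    <Directory /var/www/app/public>
        # AllowOverride All keeps Laravel's public/.htaccess rewrite rules working
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# Defence in depth, server-wide: never serve dotfiles from anywhere.
# Apache's default config denies ".ht*" only; this extends it to .env, .git, etc.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```

After reloading Apache, confirm the fix from outside with `curl -I https://app.example.com/.env`, which should now return 403 or 404 rather than 200; a 200 here is exactly the condition the advisory describes.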