The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity Advisory warning of the escalating threat posed by Androxgh0st malware. Threat actors are using this Python-scripted malware to build a botnet focused on cloud credential theft, with the stolen information being leveraged to deliver additional malicious payloads.
Androxgh0st primarily targets files containing confidential information, such as credentials for various high-profile applications. The botnet scans for websites and servers that are susceptible to specific remote code execution (RCE) vulnerabilities, including CVE-2017-9841 (PHPUnit unit testing framework), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel PHP web framework).
In response to this threat, cybersecurity firm Nuspire is actively threat hunting for indications of compromise within client environments and applying patches as they are released, in accordance with vendor recommendations.
The FBI and CISA have urged organizations to implement the recommended mitigation measures outlined in the advisory to limit the impact of malware attacks and reduce the risk of compromise. These measures include:
The advisory also recommends that software manufacturers incorporate secure-by-design principles and tactics into their software development processes. This includes reviewing which servers and services are exposed to the internet and ensuring that only the necessary ones are, and reviewing any platforms or services whose credentials are listed in .env files for signs of unauthorized access.
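As an added illustration of the scanning behaviour and the .env exposure concern described above (example code written for this article, not from the advisory or from Nuspire), the following script parses constructed Apache access-log lines and flags requests for .env files and for the PHPUnit endpoint associated with CVE-2017-9841; the eval-stdin.php path and the sample log entries are assumptions, not values taken from the advisory.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:01:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:03:10 +0000] "GET /admin/.env?x=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths Androxgh0st-style scanners probe: Laravel .env files (named in the advisory) and
# the PHPUnit eval-stdin.php endpoint tied to CVE-2017-9841 (path assumed for this example).
SUSPICIOUS = [
    ("env_file", re.compile(r"(^|/)\.env(\.|$)")),
    ("phpunit_rce", re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php$", re.I)),
]


def classify(path):
    """Return a tag for a suspicious request path, or None if it looks benign."""
    path = path.split("?", 1)[0]  # drop the query string before matching
    for tag, pattern in SUSPICIOUS:
        if pattern.search(path):
            return tag
    return None


def find_hits(log_text):
    """Return one record per suspicious request; 'exposed' means the server answered 200."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tag = classify(m["path"])
        if tag:
            status = int(m["status"])
            hits.append({"ip": m["ip"], "path": m["path"], "tag": tag,
                         "status": status, "exposed": status == 200})
    return hits


def hits_per_source(hits):
    """Count suspicious requests per client IP, to spot a scanner sweeping many paths."""
    return Counter(h["ip"] for h in hits)
```

A 200 response to a .env request is the finding that matters most: it means the credential file is readable from the web root and its secrets should be treated as compromised and rotated.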
The Androxgh0st malware threat is a stark reminder of the importance of maintaining robust cybersecurity practices. By staying informed about potential threats, implementing recommended mitigation measures, and maintaining a proactive approach to patching and updating software, organizations can significantly reduce their risk of compromise.