skip to content
Decrypt LOL

Get Cyber-Smart in Just 5 Minutes a Week

Decrypt delivers quick and insightful updates on cybersecurity. No spam, no data sharing—just the info you need to stay secure.

Read the latest edition
Androxgh0st Botnet Targets Web Servers and IoT Devices

Androxgh0st Botnet Targets Web Servers and IoT Devices

/ 4 min read

stories , cybersecurity , botnet , ransomware , iot vulnerabilities , cloudsek

Quick take - CloudSEK’s Threat Research team has reported that the Androxgh0st botnet, active since January 2024, is targeting web servers and exploiting various vulnerabilities, prompting advisories from the Cybersecurity and Infrastructure Security Agency (CISA) regarding its risks and the need for enhanced cybersecurity measures.

Fast Facts

  • The Androxgh0st botnet, operational since January 2024, primarily targets web servers and is evolving to deploy IoT-focused payloads linked to the Mozi botnet.
  • CISA issued a January 2024 advisory detailing the botnet’s exploitation of vulnerabilities in technologies like Cisco ASA, Atlassian JIRA, and PHP frameworks for unauthorized access and remote code execution.
  • Key vulnerabilities exploited include CVE-2023-1389, CVE-2024-36401, and others related to PHPUnit, Laravel, and Apache web servers.
  • Over 500 devices have been infected, with the botnet expanding its target range to various network devices and applications, emphasizing the need for enhanced cybersecurity measures.
  • Organizations are urged to review server logs, monitor processes, and scan for vulnerabilities to mitigate risks associated with the high-risk Androxgh0st botnet.

Significant Developments in the Androxgh0st Botnet

CloudSEK’s Threat Research team has reported significant developments regarding the Androxgh0st botnet, which has been operational since January 2024. This botnet is primarily targeting web servers and has recently shown indications of deploying Internet of Things (IoT)-focused payloads related to the Mozi botnet.

CISA Advisory and Exploited Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory earlier in 2024, detailing the risks associated with the Androxgh0st botnet. The botnet exploits a variety of technologies, including Cisco ASA, Atlassian JIRA, and multiple PHP frameworks, which allow for unauthorized access and remote code execution. Notably, the botnet has shifted its focus towards web application vulnerabilities to gain initial access, in addition to previously reported Common Vulnerabilities and Exposures (CVEs).

Specific vulnerabilities being exploited by the Androxgh0st botnet include CVE-2023-1389 and CVE-2024-36401, with exploitation activities identified as early as August 2024. CISA’s January 2024 advisory highlighted three primary initial access vectors utilized by the botnet:

  1. PHPUnit Framework Vulnerability: Exploiting a vulnerability in the PHPUnit framework (CVE-2017-9841) by targeting exposed /vendor folders.
  2. Laravel .env File Exposure: Targeting exposed Laravel .env files to steal credentials (CVE-2018-15133).
  3. Apache Path Traversal Vulnerability: Exploiting path traversal vulnerabilities in Apache web servers (CVE-2021-41773).

Evolution of the Mozi Botnet

The Mozi botnet, which previously operated predominantly in China, India, and Albania, has seen a decline in its operational capacity following the arrest of its creators in 2021. However, command and control server logs from the Androxgh0st botnet reveal a continuation of similar tactics, indicating a potential evolution of its methods. CloudSEK’s TRIAD has successfully identified command and control servers used by the Androxgh0st botnet through infrastructure scans.

The botnet is known for sending POST requests containing specific strings linked to its operations. A comprehensive list of vulnerabilities exploited by the Androxgh0st botnet includes several high-profile technologies:

  • Cisco ASA: Arbitrary web script injection.
  • Atlassian JIRA: Path traversal vulnerability allowing remote file access.
  • Metabase GeoJSON: Vulnerable to unauthenticated remote file download.
  • Sophos Firewall: Remote code execution vulnerability.
  • Oracle EBS: Susceptible to unauthenticated arbitrary file upload.
  • PHP CGI: Vulnerable to command line argument injection.
  • TP-Link Archer AX21: Affected by unauthenticated command execution.
  • WordPress Plugin Background Image Cropper: Remote code execution vulnerability.
  • Netgear DGN devices: Vulnerable to unauthenticated command execution.
  • GPON Home Routers: Also affected by unauthenticated command execution.

As of the latest report, over 500 devices have been infected by the Androxgh0st botnet. Organizations are advised to take immediate action to mitigate risks.

Recommendations for Mitigation

Recommendations include reviewing server logs for suspicious requests and monitoring system processes. Examining temporary directories for unusual files and scanning for known vulnerabilities are also advised. Currently rated as high risk, the Androxgh0st botnet remains active. It is expanding its target range beyond Laravel and Apache servers to encompass various network devices and applications. The botnet is characterized by systematic exploitation and persistent access through file uploads and backdoors, further emphasizing the need for heightened cybersecurity measures.

Original Source: Read the Full Article Here

Check out what's latest

New File Transfer Protocol Developed for Enhanced Security and Performance
New File Transfer Protocol Developed for Enhanced Security and Performance
Study Introduces Benchmark for Evaluating Cryptographic Protocols
Study Introduces Benchmark for Evaluating Cryptographic Protocols
Study Reveals Vulnerabilities of LLMs to Bit-Flip Attacks
Study Reveals Vulnerabilities of LLMs to Bit-Flip Attacks