CISA: AWS, Microsoft 365 accounts under active ‘Androxgh0st’ attack
The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert about a malware campaign targeting Apache webservers and websites using the popular Laravel Web application framework, leveraging known bugs for initial compromise.
The end goal of the campaign is to steal credentials to high-profile applications such as Amazon Web Services, Microsoft 365, Twilio, and SendGrid, so the threat actors can access sensitive data in the apps or use the apps for other malicious operations.
“For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies,” the two agencies said. In many incidents the adversaries have also used the stolen credentials to create new AWS instances for additional, malicious scanning activity, they noted.
Credential Threat & Misuse
The campaign involves a known malware threat dubbed “Androxgh0st” that Lacework first warned about in December 2022. The malware, written in Python, is designed to scan for and extract application secrets such as credentials and API keys from Laravel .env files.
Laravel is an open source PHP Web application framework that many developers use for common Web development tasks without having to write low-level code from scratch. Laravel .env files are a popular adversary target because they often contain credentials and other information that attackers can use to access and abuse high-value apps, such as AWS, Microsoft 365, and Twilio.
Lacework identified the malware as capable of scanning for and exploiting exposed credentials and APIs and of deploying Web shells on compromised systems.
This is not the first big campaign for the malicious code; last March, Fortinet reported observing threat actors using Androxgh0st to target Laravel .env files on an average of 40,000 Fortinet devices per day.
Active Scanning for Vulnerable Websites
According to the FBI and CISA, Androxgh0st threat actors are also actively scanning for websites with specific vulnerabilities in them, particularly CVE-2017-9841, a critical remote code execution (RCE) vulnerability in PHPUnit, a module for testing PHP code.
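A defender-side illustration of the scanning described above (an added example, not code from the advisory or the article): it parses Apache combined-format access-log lines and flags requests for Laravel .env files and for the PHPUnit eval-stdin.php path associated with CVE-2017-9841, marking a 2xx response to such a probe as a possible exposure. The log lines are constructed, and the eval-stdin.php path is assumed from public descriptions of the CVE rather than taken from the article.

```python
import re
from collections import defaultdict

# Apache combined log format; sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths the campaign probes: Laravel .env files (including backups such as
# .env.bak) and PHPUnit's eval-stdin.php (assumed path for CVE-2017-9841).
SUSPICIOUS = [
    ("laravel-env-probe", re.compile(r"(^|/)\.env(\.[a-z]+)?$", re.I)),
    ("phpunit-rce-probe", re.compile(r"/vendor/phpunit/.*eval-stdin\.php", re.I)),
]

def classify(path):
    """Return the probe label for a request path (query string ignored), or None."""
    for label, pattern in SUSPICIOUS:
        if pattern.search(path.split("?", 1)[0]):
            return label
    return None

def scan_log(lines):
    """Scan access-log lines and return {source_ip: [(label, path, status, severity)]}.

    A 2xx response to a probe means the file may really be exposed, so it is
    rated 'exposed'; any other status is recorded as a blocked 'probe'.
    """
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        label = classify(m["path"])
        if label is None:
            continue
        severity = "exposed" if m["status"].startswith("2") else "probe"
        findings[m["ip"]].append((label, m["path"], int(m["status"]), severity))
    return dict(findings)

# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:00:04 +0000] "POST /.env HTTP/1.1" 403 199 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        for label, path, status, severity in hits:
            print(f"{ip} {severity:8} {label} {path} -> {status}")
```

An 'exposed' hit means the .env file should be pulled from the web root and every secret it held rotated, since the credential theft described above has likely already happened.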
To read the complete article, visit Dark Reading.