
CISA and the FBI warn of a campaign aiming to steal cloud credentials. Cybercriminals are attempting to use the Androxgh0st malware to create a botnet that steals credentials from cloud services. This data is then used to deliver malicious payloads.

Androxgh0st is known as an “SMTP cracker,” which targets vulnerabilities in legacy protocols. For example, it targets the open-source PHP framework Laravel to harvest configuration data for AWS and other services.

In late 2022, Lacework Labs disclosed that this type of malware was hunting for login credentials for cloud services. According to U.S. authorities, the new botnet can identify and exploit potential victims in corporate networks.

Old problems, old solutions

The vulnerabilities exploited by the botnet are anything but new. For example, CVE-2017-9841 is used to remotely execute PHP code via PHPUnit. Meanwhile, CVE-2021-41773 allows access to protected files via unpatched Apache servers.

Therefore, the main advice of the joint advisory is to keep all operating systems, software and firmware up to date. In particular, Apache servers should no longer be running version 2.4.49 or 2.4.50. U.S. authorities have also urged users to block access from unknown URLs unless it is specifically needed.

In addition, Laravel applications should not be set to debug or test mode. Also, servers should be scanned for unrecognized PHP files and users should be on guard for outgoing GET requests that may lead to external file-hosting sites.
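The three checks named above (Laravel not in debug or test mode, no unrecognized PHP files on the server, and outbound GET requests to unexpected hosts) can be scripted on the defender's side. The following is an added example, not code from the advisory or from this article; it assumes the standard Laravel `.env` keys `APP_DEBUG` and `APP_ENV`, and the proxy-log format, hostnames and file paths in it are constructed for the demonstration.

```python
"""
Added example (not from the advisory or the article): three defender checks
for the mitigations described above, written for a Laravel deployment.
Assumptions: APP_DEBUG / APP_ENV are the standard Laravel .env keys; the
proxy-log format, hostnames and file paths below are constructed sample data.
"""
import hashlib
import os
import re
from urllib.parse import urlparse

# 1. Laravel debug/test mode ---------------------------------------------------

def parse_env(text):
    """Parse KEY=VALUE lines of a Laravel-style .env file into a dict."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env

def laravel_env_findings(env):
    """Return human-readable findings when the app is in debug or test mode."""
    findings = []
    if env.get("APP_DEBUG", "false").lower() == "true":
        findings.append("APP_DEBUG=true: error pages leak environment and config values")
    app_env = env.get("APP_ENV", "production").lower()
    if app_env != "production":
        findings.append(f"APP_ENV={app_env}: server is not running in production mode")
    return findings

# Constructed sample .env files: the weak configuration beside the expected one.
WEAK_ENV = "APP_NAME=Shop\nAPP_ENV=local\nAPP_DEBUG=true\n"
SAFE_ENV = "APP_NAME=Shop\nAPP_ENV=production\nAPP_DEBUG=false\n"

# 2. Unrecognized PHP files ----------------------------------------------------

def inventory_php_files(root):
    """Map each .php file under root (relative path) to its SHA-256 digest."""
    inventory = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                inventory[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return inventory

def compare_php_inventory(current, baseline):
    """Return (new_files, modified_files) of a current inventory vs. a known-good baseline."""
    new_files = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return new_files, modified

# 3. Outbound GET requests to unexpected hosts ---------------------------------

# Constructed proxy-log format: "<timestamp> <source-ip> <method> <url> <status>"
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def flag_outbound_gets(lines, allowed_hosts):
    """Return (source-ip, host, url) for GET requests to hosts outside the allowlist."""
    flagged = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m or m["method"] != "GET":
            continue
        host = (urlparse(m["url"]).hostname or "").lower()
        if host not in allowed_hosts:
            flagged.append((m["src"], host, m["url"]))
    return flagged

# Constructed sample log: one expected update fetch, one GET to an unknown host.
SAMPLE_PROXY_LOG = [
    "2024-01-16T10:00:01Z 10.0.0.5 GET https://packages.example.com/updates.json 200",
    "2024-01-16T10:00:07Z 10.0.0.5 GET https://files.example-hosting.test/dl/setup.txt 200",
    "2024-01-16T10:00:09Z 10.0.0.5 POST https://files.example-hosting.test/upload 200",
]
ALLOWED_HOSTS = {"packages.example.com"}

if __name__ == "__main__":
    for finding in laravel_env_findings(parse_env(WEAK_ENV)):
        print("env:", finding)
    print("outbound:", flag_outbound_gets(SAMPLE_PROXY_LOG, ALLOWED_HOSTS))
```

For the file check, record `inventory_php_files(webroot)` right after a clean deployment as the baseline and run `compare_php_inventory` against a fresh inventory on a schedule; anything new under an upload or cache directory deserves a look before anything else. The proxy check deliberately ignores non-GET traffic so it matches the advisory's wording, but the same allowlist logic applies to POST if your environment has one.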

Patch management

Androxgh0st is thus relatively easy to avoid. At the same time, unpatched vulnerabilities continue to yield results for cybercriminals, which shows that patch management is still flawed among many organizations. The U.S. advisory also points out that access to corporate data is often too straightforward, lacking effective authentication measures.

Adopting a zero-trust architecture (ZTA), where access to data is significantly reduced, could prevent much of this. Even if credentials are stolen, access to data remains limited when adopting ZTA. Fortunately, research from Okta found that zero-trust is already in high demand in business.
