FBI warns of "AndroxGh0st" malware that steals AWS and Microsoft credentials



On January 16, 2024, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) in the United States issued a joint advisory warning of attacks that use malware called "AndroxGh0st" to steal credentials for Amazon Web Services and Microsoft cloud accounts.

Known Indicators of Compromise Associated with Androxgh0st Malware | CISA
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a

FBI: Androxgh0st malware botnet steals AWS, Microsoft credentials
https://www.bleepingcomputer.com/news/security/fbi-androxgh0st-malware-botnet-steals-aws-microsoft-credentials/

CISA: AWS, Microsoft 365 Accounts Under Active 'Androxgh0st' Attack
https://www.darkreading.com/cloud-security/cisa-aws-microsoft-365-accounts-androxgh0st-attack

AndroxGh0st is malware first reported in December 2022 by Lacework, a company specializing in cloud security. It steals credentials for widely used services such as AWS, Microsoft Office 365, SendGrid, and Twilio.

According to CISA, it also supports a range of functions that enable SMTP abuse, including scanning for and exploiting exposed credentials and APIs, and deploying a web shell to maintain unauthorized access.



According to the agencies, attackers using AndroxGh0st have created fake pages on compromised websites that give them backdoor access, which they then use to reach databases containing sensitive information or to install additional malicious tools.

The attackers were also observed stealing AWS credentials and attempting to create new IAM users and user policies, then using the stolen credentials to launch new AWS instances from which to scan for further targets.
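The IAM activity described above leaves a distinctive trail in CloudTrail: a key that normally only deploys code suddenly creates users, attaches policies and launches instances, and some of those calls may be denied. The following detection logic is an added example written for this article; it is not code from CISA, the FBI or Lacework. The CloudTrail records it runs over are constructed (the access key IDs are the documented AWS example keys, the IP addresses are from RFC 5737 test ranges), and the choice of which IAM calls count as "persistence" is my own.

```python
import json
from collections import defaultdict

# IAM calls that turn a stolen key into lasting access (the "new users and
# user policies" the agencies describe) and the compute call used to stand
# up scanning hosts. Which calls to include is my choice, not an advisory list.
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                      "PutUserPolicy", "AttachUserPolicy"}
COMPUTE_EVENTS = {"RunInstances"}


def load_events(ndjson_lines):
    """CloudTrail records, one JSON object per line, as a log shipper hands them over."""
    return [json.loads(line) for line in ndjson_lines if line.strip()]


def detect_credential_abuse(events):
    """Group records by access key and flag keys that perform IAM persistence
    and/or instance launches. Denied calls count too: the agencies describe
    *attempts*, and a denied CreateUser from a deploy key is still a compromise."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev.get("userIdentity", {}).get("accessKeyId", "<no-key>")].append(ev)

    findings = []
    for key, evs in by_key.items():
        names = {ev["eventName"] for ev in evs}
        persistence = sorted(names & PERSISTENCE_EVENTS)
        compute = sorted(names & COMPUTE_EVENTS)
        if not (persistence or compute):
            continue
        findings.append({
            "accessKeyId": key,
            "principal": evs[0].get("userIdentity", {}).get("arn"),
            "persistence": persistence,
            "compute": compute,
            "denied": sorted({ev["eventName"] for ev in evs if ev.get("errorCode")}),
            "source_ips": sorted({ev.get("sourceIPAddress", "?") for ev in evs}),
            # persistence followed by new compute is the full pattern described
            "severity": "high" if persistence and compute else "medium",
        })
    return sorted(findings, key=lambda f: f["accessKeyId"])


def _rec(name, source, key, arn, ip, **extra):
    """Build one constructed CloudTrail record as a JSON line."""
    rec = {"eventTime": "2024-01-16T10:05:00Z", "eventSource": source,
           "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "arn": arn, "accessKeyId": key}}
    rec.update(extra)
    return json.dumps(rec)


# Constructed sample trail: a deploy key harvested from a .env file is abused,
# a CI key does routine work. Keys are AWS's documented example keys.
DEPLOY = ("AKIAIOSFODNN7EXAMPLE", "arn:aws:iam::123456789012:user/deploy")
CI = ("AKIAI44QH8DHBEXAMPLE", "arn:aws:iam::123456789012:user/ci")

SAMPLE_TRAIL = [
    _rec("CreateUser", "iam.amazonaws.com", *DEPLOY, "198.51.100.7",
         requestParameters={"userName": "backup-svc"}),
    _rec("PutUserPolicy", "iam.amazonaws.com", *DEPLOY, "198.51.100.7",
         errorCode="AccessDenied"),
    _rec("AttachUserPolicy", "iam.amazonaws.com", *DEPLOY, "198.51.100.7",
         requestParameters={"userName": "backup-svc",
                            "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("RunInstances", "ec2.amazonaws.com", *DEPLOY, "198.51.100.7",
         requestParameters={"instanceType": "c5.xlarge", "maxCount": 10}),
    _rec("DescribeInstances", "ec2.amazonaws.com", *CI, "203.0.113.5"),
]

if __name__ == "__main__":
    for f in detect_credential_abuse(load_events(SAMPLE_TRAIL)):
        print(f'[{f["severity"]}] {f["principal"]} ({f["accessKeyId"]}) from {f["source_ips"]}')
        print(f'    persistence={f["persistence"]} compute={f["compute"]} denied={f["denied"]}')
```

In production the grouping key should also include the source IP or ASN: the same deploy key used from a CI runner and from an unfamiliar address is the signal, and the finding should trigger immediate key deactivation rather than a ticket.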

The dangers of AndroxGh0st have been flagged before. In March 2023, security company FortiGuard Labs reported that it was observing over 40,000 devices per day being attacked through exposed .env files by Androxgh0st.
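Scanning on the scale FortiGuard describes shows up in a web server's access log as floods of requests for .env files and for the PHPUnit eval-stdin.php script. The detector below is an added example written for this article, not code from CISA, FortiGuard or Lacework. It assumes the Apache/nginx combined log format, the log lines are constructed (RFC 5737 test addresses), and treating any path ending in "/.env" as a probe is my generalisation of the advisory's .env guidance.

```python
import re
from collections import defaultdict

# Combined log format as written by Apache httpd and nginx by default.
# Assumption: your server uses that format; adjust LOG_RE otherwise.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Request paths the scanners probe. Flagging *any* path that ends in "/.env"
# (e.g. /laravel/.env) is my generalisation: scanners try several
# application sub-directories, not just the web root.
PROBE_RULES = (
    ("env-file-probe", re.compile(r"/\.env$")),
    ("phpunit-eval-stdin",
     re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php$")),
)


def classify(path):
    """Return the rule name a request path matches, or None."""
    bare = path.split("?", 1)[0]          # ignore query strings
    for name, rx in PROBE_RULES:
        if rx.search(bare):
            return name
    return None


def scan_access_log(lines):
    """Parse log lines; return (hits, per_ip).

    hits   - one dict per matching request
    per_ip - {source ip: set of rule names it triggered}
    """
    hits, per_ip = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        rule = classify(m["path"])
        if rule is None:
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                     "path": m["path"], "status": int(m["status"]), "rule": rule})
        per_ip[m["ip"]].add(rule)
    return hits, dict(per_ip)


def exposed_env_hits(hits):
    """The hits that matter most: a .env probe answered with HTTP 200,
    meaning the file was actually served and every secret in it must be rotated."""
    return [h for h in hits if h["rule"] == "env-file-probe" and h["status"] == 200]


# Constructed sample lines (not real traffic); addresses are RFC 5737 test ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Jan/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jan/2024:10:00:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Jan/2024:10:01:10 +0000] "GET /laravel/.env HTTP/1.1" 200 612 "-" "curl/7.88.1"',
    '192.0.2.44 - - [16/Jan/2024:10:02:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'this line is not in combined format and is skipped',
]

if __name__ == "__main__":
    hits, per_ip = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]:15} {h["method"]:4} {h["status"]} {h["rule"]:20} {h["path"]}')
    for h in exposed_env_hits(hits):
        print(f'ROTATE SECRETS: {h["path"]} was served to {h["ip"]}')
```

A 404 on these probes is noise at internet scale; the line to alert on is the 200, because a served .env means the credentials it held are already in the attacker's hands regardless of what else the scanner tried.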



The FBI and CISA recommended the following mitigations as the most important for reducing the impact of AndroxGh0st attacks:
- Keep all operating systems, software, and firmware up to date. In particular, make sure your Apache server is not running version 2.4.49 or 2.4.50 (the two releases affected by the path-traversal flaws CVE-2021-41773 and CVE-2021-42013).
- Ensure the default configuration for all URIs is to deny all requests unless there is a specific need for them to be accessible.
- Make sure your live Laravel application is not running in debug or testing mode. Also remove all cloud credentials from the .env file and revoke them.
- Review the platforms or services whose credentials are listed in the .env file for unauthorized access or use: a one-time review for previously stored cloud credentials, and an ongoing review for other types of credentials that cannot be removed.
- Scan the server's file system for unrecognized PHP files, especially in the root directory and the /vendor/phpunit/phpunit/src/Util/PHP folder (the location of the eval-stdin.php script, CVE-2017-9841, that this campaign abuses).
- Review outgoing GET requests made with cURL commands to file hosting sites such as GitHub and pastebin, particularly where the request fetches a .php file.
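Two of those checks are easy to automate on a Laravel host: auditing the .env file for debug mode and for credentials that should no longer live there, and listing PHP files that are not part of the deployment. The script below is an added example written for this article, not code from CISA or the FBI. Its .env contents and directory tree are constructed (the AWS values are AWS's documented example keys), the list of credential-like key names is my own rather than anything the advisory specifies, and the "baseline" of expected PHP files is assumed to come from your deployment manifest (for example the output of git ls-files on the release).

```python
import os
import re
import tempfile

# Laravel .env keys whose values are credentials an attacker would harvest
# (AWS, SendGrid, Twilio, mail, database). The suffix rule is my generalisation.
CREDENTIAL_KEY_RE = re.compile(
    r"^(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|SENDGRID_API_KEY|TWILIO_SID|MAIL_PASSWORD"
    r"|.*_(SECRET|SECRET_KEY|TOKEN|AUTH_TOKEN|API_KEY|PASSWORD))$"
)


def parse_env(text):
    """Minimal KEY=VALUE parser for a Laravel .env file (comments and quotes handled)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def audit_env(text):
    """Report debug/test mode and every populated credential-bearing key."""
    env = parse_env(text)
    issues = []
    if env.get("APP_DEBUG", "false").lower() == "true":
        # Laravel's debug error page dumps environment variables to whoever triggers it.
        issues.append("APP_DEBUG=true: debug error pages expose the .env contents")
    if env.get("APP_ENV", "production").lower() != "production":
        issues.append("APP_ENV=%s: application is not in production mode" % env["APP_ENV"])
    credential_keys = sorted(k for k, v in env.items() if v and CREDENTIAL_KEY_RE.match(k))
    return {"issues": issues, "credential_keys": credential_keys}


def find_unexpected_php(root, baseline):
    """List .php files under root whose relative path is not in the baseline set."""
    unexpected = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in baseline:
                unexpected.append(rel)
    return sorted(unexpected)


# Constructed sample .env; AWS values are the documented AWS example credentials.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
APP_DEBUG=true
APP_KEY=base64:constructedexamplekey=
DB_PASSWORD="s3cret"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
SENDGRID_API_KEY=
TWILIO_AUTH_TOKEN=constructed-token
MAIL_PASSWORD=
"""

PHPUNIT_UTIL = "vendor/phpunit/phpunit/src/Util/PHP"
DEMO_BASELINE = {"index.php", PHPUNIT_UTIL + "/eval-stdin.php"}


def build_demo_tree():
    """Constructed web root: two legitimate PHP files plus two dropped ones."""
    root = tempfile.mkdtemp(prefix="androx-audit-")
    for rel in ["index.php", PHPUNIT_UTIL + "/eval-stdin.php",
                PHPUNIT_UTIL + "/.s.php", "storage/uploads/cache.php", "public/app.js"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
    return root


if __name__ == "__main__":
    report = audit_env(SAMPLE_ENV)
    for issue in report["issues"]:
        print("ISSUE:", issue)
    print("credentials to move out of .env and rotate:", report["credential_keys"])
    print("unexpected PHP files:", find_unexpected_php(build_demo_tree(), DEMO_BASELINE))
```

A populated key is flagged whether or not the .env was ever served, because the advisory's instruction is to remove and revoke cloud credentials from the file outright; an empty value is skipped since there is nothing to rotate. The filename-based baseline catches dropped files but not a legitimate file that was overwritten, so pair it with hash comparison against the release artefact where you have one.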

in Security, Posted by log1l_ks