AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services
November 8, 2024
In a notable escalation of cyber threats, the creators of AndroxGh0st malware are now exploiting a wider range of security vulnerabilities affecting numerous internet-facing applications. The malware has recently incorporated the Mozi botnet, which is notorious for using remote code execution and credential theft to keep a foothold on compromised systems. According to a recent report by CloudSEK, this integration lets attackers chain unpatched vulnerabilities to move through and infiltrate vital infrastructure systems.
AndroxGh0st is a Python-based tool specifically designed for cloud attacks that predominantly focus on Laravel applications. This malware aims to extract sensitive information from various services, including Amazon Web Services (AWS), SendGrid, and Twilio. Having been active since at least 2022, AndroxGh0st has previously exploited critical vulnerabilities in widely used software, such as the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841). These exploits facilitate initial access, privilege escalation, and the establishment of long-term control over the affected systems.
The targets of this malware are primarily organizations utilizing cloud services, particularly those that employ the aforementioned frameworks and platforms. The nature of these compromises presents a significant risk, as businesses increasingly rely on IoT and cloud solutions for their operational frameworks. The persistent threat posed by the Mozi botnet further amplifies this risk, as it has been designed to automate attacks on systems that exhibit weak defenses.
In terms of geographic implications, while the article does not specify the exact location of affected organizations, the attack’s targeting of global services like AWS and Twilio suggests a widespread impact that could span multiple countries, including a significant presence in the United States.
From a cybersecurity perspective, the tactics employed in these attacks align with several techniques described in the MITRE ATT&CK framework. Initial access is achieved by exploiting vulnerabilities in internet-facing software, while persistence is maintained through credential theft and the entrenchment of botnet operations. Privilege escalation techniques are then used to gain higher levels of access within the targeted systems, enabling attackers to maximize their control over compromised infrastructures.
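The initial-access and credential-theft activity described above leaves traces in ordinary web-server access logs. The following detector is an added example written for this article; it is not code from the CloudSEK report or from the malware. It assumes Apache/Nginx combined log format and matches request paths against publicly documented indicators for two of the CVEs named above (the PHPUnit eval-stdin.php endpoint for CVE-2017-9841 and encoded `..` segments for the Apache path-traversal CVE-2021-41773) plus requests for a Laravel `.env` file, which is where the credentials this malware harvests are normally stored. Findings are tagged with the ATT&CK technique IDs T1190 (Exploit Public-Facing Application) and T1552.001 (Credentials In Files). The sample log lines are constructed and use documentation IP ranges.

```python
import re
from dataclasses import dataclass
from collections import Counter

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [08/Nov/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [08/Nov/2024:10:01:05 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.12 - - [08/Nov/2024:10:01:09 +0000] "GET /.env HTTP/1.1" 200 843 "-" "python-requests/2.31"
203.0.113.13 - - [08/Nov/2024:10:01:12 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/8.4"
203.0.113.14 - - [08/Nov/2024:10:01:15 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# (indicator name, ATT&CK technique, path pattern). The patterns reflect the
# publicly documented request shapes for these issues; tune them to your stack.
INDICATORS = [
    ("CVE-2017-9841", "T1190", re.compile(r"/phpunit/.*eval-stdin\.php", re.I)),
    ("CVE-2021-41773", "T1190", re.compile(r"(?:\.%2e|%2e%2e|%2e\.)/", re.I)),
    ("laravel-env-exposure", "T1552.001", re.compile(r"(?:^|/)\.env(?:\?|$)", re.I)),
]


@dataclass(frozen=True)
class Finding:
    source_ip: str
    path: str
    status: int
    indicator: str
    technique: str
    severity: str  # "probe" (request was refused) or "exposed" (server answered 2xx)


def classify(status: int) -> str:
    # A 2xx on .env means the secrets file was actually served; a 2xx on
    # eval-stdin.php means the PHPUnit endpoint is reachable. Anything else is a probe.
    return "exposed" if 200 <= status < 300 else "probe"


def scan(log_text: str) -> list[Finding]:
    """Return one Finding per (line, indicator) match; malformed lines are skipped."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        status = int(m.group("status"))
        for name, technique, pattern in INDICATORS:
            if pattern.search(path):
                findings.append(
                    Finding(m.group("ip"), path, status, name, technique, classify(status))
                )
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per indicator, e.g. for a daily triage report."""
    return dict(Counter(f.indicator for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:8} {f.indicator:22} {f.technique:10} {f.source_ip} {f.path}")
    print(summarize(results))
```

The "exposed" severity is the one that should page someone: a served `.env` means the application's APP_KEY and any AWS, SendGrid or Twilio credentials in it must be treated as compromised and rotated. The corresponding hardening is to keep `.env` outside the web root, deploy with `composer install --no-dev` so the PHPUnit endpoint is never present in production, and patch the web server.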
As businesses continue to embrace cloud technologies, the emergence of sophisticated malware like AndroxGh0st serves as a stark reminder of the vulnerabilities inherent in such ecosystems. Organizations must remain vigilant and proactive in their security measures, ensuring timely patching of software and employing robust monitoring tools to fend off potential breaches. In this evolving landscape of cyber threats, understanding and mitigating these risks is crucial for safeguarding sensitive information and maintaining business integrity.