FBI warns criminals are building a dangerous new botnet — and it's after your Microsoft or AWS logins and more

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Hackers are building a dangerous new botnet and are going after Microsoft and AWS assets in the process, a new security advisory released by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) has warned.

According to the advisory, researchers have spotted threat actors using the Androxgh0st malware to compromise computers and servers. 

They were seen scanning endpoints for three remote code execution vulnerabilities: CVE-2017-9841, CVE-2021-41773, and CVE-2018-15133. By leveraging these flaws, the attackers would use Androxgh0st to grab .env files that contain sensitive data, including (among others) login credentials for AWS and MIcrosoft assets.


Reader Offer: Save up to 68% on Aura identity theft protection

Reader Offer: Save up to 68% on Aura identity theft protection
TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal. Save up to 50% today. 

 Preferred partner (What does this mean?) 

Mitigating the threat

Androxgh0st is capable of more than “just” compromising vulnerable devices and stealing login credentials. It can also abuse the Simple Mail Protocol (SMTP) and check to see the sending limit for the email accounts found on the breached computers. If the limit is satisfactory, the malware can be used to mount phishing and spam campaigns. 

Furthermore, hackers can use the access to Microsoft and AWS assets to create fake pages on compromised websites, which further grants them backdoor access to databases with sensitive information. 

To remain secure, the FBI and CISA say, organizations should make sure their operating systems, software, and firmware are all updated. Making sure their Apache servers aren't running versions 2.4.49 or 2.4.50 was stressed as pivotal. Furthermore, they should make sure the default configuration for all URIs is to deny all requests, unless there’s a specific need for it to be accessible. Also, Laravel applications should not be in debug or testing mode, and cloud credentials should not be present in .env files.

The full list of the recommendations can be found on this BleepingComputer link

CVE-2018-15133, described as Laravel deserialization of untrusted data vulnerability, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog as being actively exploited. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.