Androxgh0st Botnet Exploits Cloud Credentials — January 9, 2024
CISA, FBI, and MS-ISAC warned that criminals are harvesting secrets from web apps to pivot into cloud services and email providers.
Executive briefing: On January 9, 2024, CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued Cybersecurity Advisory AA24-008A about the Androxgh0st botnet. The malware targets Laravel, WordPress, and other web applications to steal credentials, access tokens, and API keys.
Threat behavior
- Credential harvesting. Attackers search environment files and configuration stores for cloud provider keys, email API tokens, and payment processor secrets.
- Spam and fraud. Stolen credentials support mass phishing, business email compromise, and the creation of fraudulent cloud resources.
- Rapid exploitation of CVEs. The botnet scans for known vulnerabilities such as CVE-2018-15133 (Laravel) and CVE-2021-41773 (Apache HTTP Server) to gain initial access.
Defensive priorities
- Rotate and revoke exposed API keys, tokens, and passwords discovered in compromised environments.
- Implement web application firewalls, runtime protections, and intrusion detection tuned to Androxgh0st indicators of compromise.
- Require phishing-resistant MFA for email and cloud administrator accounts to prevent follow-on compromise.
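As an added illustration of the detection tuning and key-rotation triage the bullets above call for (this is not code from the advisory or from any CISA tool), the following Python scan reads constructed web-server access-log lines, flags requests for environment or configuration files and URL-encoded path-traversal attempts, and singles out sources whose probe was answered with HTTP 200, because a served .env means every secret in it must be rotated. The combined log layout, the path patterns and the sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common/combined access-log format (assumption: the web server logs in this layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Paths that reveal secrets (.env and its backups, app config files) and traversal sequences.
SENSITIVE_PATH = re.compile(r'(?:^|/)\.env(?:\.[\w-]+)?$|/config\.(?:php|json|ya?ml)$', re.I)
TRAVERSAL = re.compile(r'(?:^|/)\.\.(?:/|$)')

def decode_path(path: str) -> str:
    """Drop the query string and URL-decode twice so %2e%2e and %252e%252e both become '..'."""
    return unquote(unquote(path.split('?', 1)[0]))

def classify(line: str):
    """Return (ip, reason, status) for a secret probe or traversal attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m.group('path'))
    if SENSITIVE_PATH.search(path):
        return m.group('ip'), 'env/config file probe', m.group('status')
    if TRAVERSAL.search(path):
        return m.group('ip'), 'path traversal', m.group('status')
    return None

def summarize(lines):
    """Count hits per (ip, reason) and collect IPs whose env/config probe got HTTP 200:
    a served file means every secret inside it must be treated as exposed and rotated."""
    hits, served = Counter(), set()
    for line in lines:
        res = classify(line)
        if res:
            ip, reason, status = res
            hits[(ip, reason)] += 1
            if reason == 'env/config file probe' and status == '200':
                served.add(ip)
    return hits, served

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [09/Jan/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 200 512',
    '203.0.113.10 - - [09/Jan/2024:10:00:02 +0000] "GET /vendor/.env HTTP/1.1" 404 0',
    '198.51.100.7 - - [09/Jan/2024:10:00:03 +0000] "GET /static/%2e%2e/%2e%2e/private/app.log HTTP/1.1" 403 199',
    '192.0.2.5 - - [09/Jan/2024:10:00:04 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
]
```

Any IP in the returned `served` set should trigger the rotation step above for every key in that environment file, and the per-reason counts give a starting point for firewall or IDS rules.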
Control references
- NIST CSF 2.0 PR.AA & DE.AE. Identity governance and anomaly detection practices help constrain botnet lateral movement.
- CISA CPG PG.6. Credential management and MFA controls mitigate the abuse of harvested secrets.
- PCI DSS v4.0 8.x. Merchants and payment processors targeted through stolen tokens should validate authentication and monitoring requirements.