AndroxGh0st and Mozi: Expanding Botnet Operations Through Exploited Vulnerabilities

 Attack News for October 8th, 2024

The AndroxGh0st malware operators exploit various security vulnerabilities in various internet-facing applications and deploy the Mozi botnet malware.

According to a new report from CloudSEK, this botnet uses remote code execution and credential-stealing techniques to maintain persistent access, exploiting unpatched vulnerabilities to infiltrate critical infrastructures.

AndroxGh0st, a Python-based cloud attack tool, is known for targeting Laravel applications to access sensitive data from services like Amazon Web Services (AWS), SendGrid, and Twilio. Active since at least 2022, it has previously exploited vulnerabilities in the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and establish control over compromised systems.

CloudSEK’s latest analysis shows that the malware is now exploiting a broader array of vulnerabilities for initial access, including:

CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX21 firmware command injection vulnerability

CVE-2024-4577 (CVSS score: 9.8) - PHP CGI argument injection vulnerability

CVE-2024-36401 (CVSS score: 9.8) - GeoServer remote code execution vulnerability

“The botnet cycles through common administrative usernames and uses a consistent password pattern,” CloudSEK noted. “The target URL redirects to /wp-admin/, the backend administration dashboard for WordPress sites. If authentication is successful, it gains access to critical website controls and settings.”

The attacks also exploit unauthenticated command execution flaws in Netgear DGN devices and Dasan GPON home routers to drop a payload named “Mozi.m” from various external servers (“200.124.241[.]140” and “117.215.206[.]216”).

Mozi, another well-known botnet, has a history of targeting IoT devices to incorporate them into a malicious network for conducting distributed denial-of-service (DDoS) attacks. Although the malware authors were arrested by Chinese law enforcement in September 2021, a significant decline in Mozi activity wasn’t observed until August 2023, when unidentified parties issued a kill switch command to terminate the malware. It’s suspected that the botnet creators or Chinese authorities distributed an update to dismantle it.

AndroxGh0st’s integration of Mozi suggests a possible operational alliance, allowing it to spread to more devices than ever before.

“AndroxGh0st is not just collaborating with Mozi but embedding Mozi’s specific functionalities (e.g., IoT infection and propagation mechanisms) into its standard operations,” CloudSEK stated.

“AndroxGh0st has expanded to leverage Mozi’s propagation power to infect more IoT devices, using Mozi’s payloads to achieve goals that would otherwise require separate infection routines.”

 “If both botnets use the same command infrastructure, it points to a high level of operational integration, possibly implying that the same cybercriminal group controls both AndroxGh0st and Mozi. This shared infrastructure would streamline control over a broader range of devices, enhancing both the effectiveness and efficiency of their combined botnet operations.”

OpenID Connect: Enhancing OAuth 2.0 with Secure User Authentication

 OpenID Connect

OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0. It adds an identity layer to OAuth 2.0, enabling clients to verify users' identities and obtain basic profile information in a secure and interoperable manner.

Here’s a breakdown of how OpenID Connect works:

• User Authentication: The user attempts to access a client application (relying party).
• Request to OpenID Provider: The client sends an authentication request to the OpenID Provider (OP).
• User Authentication by OP: The OP authenticates the user and obtains their consent.
• Tokens Issued: The OP issues an ID token and, optionally, an access token to the client.
• User Information: The client can use the ID token to get user information from the UserInfo endpoint.

Key Components:

• ID Token: Contains user identity information and authentication details.
• Access Token: Used to access protected resources.
• OpenID Provider (OP): The server that authenticates the user.
• Relying Party (RP): The application that relies on the OP for user authentication.

OIDC is commonly used for Single Sign-On (SSO) scenarios, allowing users to log in once and access multiple applications without re-entering credentials.

This is covered in CySA+ and Security+.

Understanding OAuth: Secure Data Sharing and Authorization Protocols

 OAuth (Open Authorization)

OAuth, or Open Authorization, is a technological standard that allows users to grant access to their data without sharing their password. OAuth is used when an app asks permission to access a user's profile information.

Here are some steps that OAuth goes through:

1. The user indicates their intent
2. The consumer requests permission
3. The user is redirected to the service provider
4. The user grants permission
5. The consumer obtains an access token
6. The consumer accesses the protected resource

OAuth is an industry-standard that addresses security concerns related to sharing user credentials. It provides authorization flows for web, mobile, desktop, and IoT applications.

OAuth differs from Single Sign-On (SSO), an authentication method that allows users to access multiple apps with a single authentication. With OAuth, the user grants permission to an app to access another app on their behalf.

This is covered in CySA+, Network+, and Security+.

Ensuring Safe and Accurate Automation with Guard Rails

 Guard Rails

Guard rails in scripting refer to mechanisms or controls implemented within scripts to ensure they operate correctly and safely, preventing errors or unintended behavior. Here are some key aspects:

1. Input Validation: Ensures that the data provided to the script meets expected formats and ranges. For example, checking if an email address is valid before processing it.

2. Error Handling: Incorporates try-catch blocks or equivalent error-handling mechanisms to gracefully manage exceptions and errors, ensuring the script doesn't crash unexpectedly.

3. Security Checks: These include measures to prevent security vulnerabilities, such as sanitizing inputs to avoid SQL injection attacks or ensuring safe file paths.

4. Logging and Monitoring: This feature adds logging statements to record the script's operations, making it easier to debug issues and monitor performance.

5. Resource Management: Ensures that resources like file handles, network connections, or memory are properly opened and closed, preventing leaks.

6. Rate Limiting: Implements controls to limit the frequency of certain operations, such as API calls, to prevent abuse or overuse.

7. Conditional Logic: Uses conditional statements to guide the script's flow based on specific criteria, ensuring it behaves correctly under different scenarios.

8. Testing: Incorporates unit and integration tests to verify that the script functions as intended and to catch bugs early.

9. Documentation: The script should include clear comments and documentation explaining its purpose, usage, and any important details.

10. Compliance Checks: Ensures the script adheres to relevant data protection policies, standards, or regulations, such as GDPR.

Implementing these guard rails helps create robust, reliable, and secure scripts that are easier to maintain and less prone to errors. Do you have a specific scripting scenario where you'd like to apply these principles?

This is covered in Security+.

Understanding Expansionary Risk Appetite

 Expansionary Risk Appetite

An "expansionary risk appetite" refers to a company's willingness to take on a high level of risk in pursuit of significant growth and potential rewards, often by entering new markets, developing innovative products, or making large investments, even if it means facing higher uncertainty and potential losses compared to a more conservative approach; essentially, they prioritize potential for large gains over stability, making them more "aggressive" in their risk-taking strategy. 

Key points about expansionary risk appetite:

• High-growth focus: Companies with an expansionary risk appetite are often in industries with high growth potential, like technology startups or venture capital firms, where rapid expansion is prioritized over maintaining a steady status quo. 
• Greater potential returns: By embracing higher risk, these companies aim to achieve substantially larger profits than those with a low-risk appetite. 
• Unconventional strategies: Expansionary risk appetite leads to venturing into new, uncharted territories, adopting innovative technologies, or making bold strategic decisions that others consider too risky. 
• Market entry considerations: Companies with this appetite may be more likely to enter emerging markets with significant potential, despite potential political or economic instability, to gain first-mover advantage. 

Examples of expansionary risk appetite behavior:

• Investing heavily in R&D: A pharmaceutical company dedicates a large portion of its budget to developing new drugs with potentially high market impact, even if there's a significant chance of failure.
• Acquiring a competitor in a new market: A retail company buying a smaller competitor in a foreign market to rapidly gain market share despite the challenges of navigating a new regulatory environment. 

Important factors to consider with expansionary risk appetite:

• Risk management: Even with a high-risk appetite, companies need robust risk management practices to identify, assess, and mitigate potential downsides. 
• Market conditions: A company's risk appetite should adapt to changing market conditions, as aggressive strategies might be less viable during economic downturns. 
• Stakeholder expectations: Companies need to consider the risk tolerance of their investors and other stakeholders when deciding how much risk to take.

This is covered in Security+.

Local File Inclusion (LFI): How It Works and How to Prevent It

 Local File Inclusion

Local File Inclusion (LFI) is a type of web vulnerability that occurs when a web application includes files on the server based on user input without proper validation. This can allow an attacker to read or execute files on the server, potentially leading to severe security issues. Here’s a detailed explanation:

How LFI Works:

• User Input Handling: The web application takes a file path as input from the user. For example, a URL might look like this: http://example.com/?file=page.php.
• Inclusion of Files: The application includes the specified file in its response. If the input is not properly sanitized, an attacker can manipulate the input to include unintended files.
• Exploitation: An attacker can exploit this by providing a path to sensitive files on the server. For example, changing the URL to http://example.com/?file=../../../../etc/passwd could allow the attacker to read the contents of the /etc/passwd file, which contains user account information on UNIX systems.

Potential Impacts:

• Information Disclosure: Attackers can access sensitive files, such as configuration files, logs, or databases, which may contain valuable information.
• Remote Code Execution: If the attacker can upload a malicious file to the server and include it via LFI, they can execute arbitrary code on the server.
• Cross-Site Scripting (XSS): In some cases, LFI can inject malicious scripts into web pages, leading to XSS attacks.

Mitigation Strategies:

• Input Validation: Always validate and sanitize user inputs. Use whitelists to allow only specific, safe file paths.
• Disable Unnecessary Functions: Disable functions that allow file inclusion if not needed.
• Use Secure Coding Practices: Implement secure coding practices to avoid vulnerabilities like LFI. Regularly update and patch your software to fix known vulnerabilities.
• Web Application Firewalls (WAFs): Use WAFs to detect and block malicious requests that attempt to exploit LFI vulnerabilities.

This is covered in Security+.

Understanding DrDoS Attacks: Mechanisms, Impact, and Mitigation Strategies

 DrDoS Attack

A Distributed Reflection Denial of Service (DrDoS) attack is a powerful form of DDoS attack where attackers exploit vulnerable, publicly accessible servers to amplify their attack by sending requests with spoofed IP addresses belonging to the target victim, causing those servers to send large responses back to the victim, effectively flooding their network and preventing legitimate users from accessing the service; this technique allows attackers to remain largely anonymous and generate massive amounts of traffic using minimal resources, often targeting protocols like NTP, DNS, and SNMP to maximize the amplification effect.

Key points about DrDoS attacks:

• Reflection Mechanism: Attackers send requests to legitimate servers with the victim's IP address spoofed as the source, tricking the server into responding to the victim's network with a large response.
• Amplification Factor: Certain protocols, like NTP and DNS, can generate significantly larger response packets than the initial request, greatly amplifying the attack traffic.
• Anonymity: By using spoofed IP addresses, attackers can hide their identities, making it difficult to trace the attack source.
• High Impact: Due to the amplification effect, DrDoS attacks can generate massive traffic, overwhelming the victim's network and causing a denial of service.

Commonly exploited protocols in DrDoS attacks:

• NTP (Network Time Protocol): Can generate large response packets when queried with a crafted request.
• DNS (Domain Name System): Allows attackers to send large DNS resolution responses to the victim.
• SNMP (Simple Network Management Protocol): Due to its design, this protocol can be exploited to send amplified responses.

Mitigation strategies against DrDoS attacks:

• Rate Limiting: Configure servers to limit the requests received from a single IP address within a specific timeframe.
• Ingress Filtering: Implement network filters to block traffic with spoofed source IP addresses.
• DDoS Protection Services: Utilize specialized services that detect and mitigate attacks in real-time, including traffic filtering and mitigation techniques.

This is covered in Network+ and Security+.