Attack News for October 8th, 2024
The AndroxGh0st malware operators are exploiting security vulnerabilities in a range of internet-facing applications to deploy the Mozi botnet malware.
According to a new report from CloudSEK, this botnet uses remote code execution and credential-stealing techniques to maintain persistent access, exploiting unpatched vulnerabilities to infiltrate critical infrastructures.
AndroxGh0st, a Python-based cloud attack tool, is known for targeting Laravel applications to access sensitive data from services like Amazon Web Services (AWS), SendGrid, and Twilio. Active since at least 2022, it has previously exploited vulnerabilities in the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and establish control over compromised systems.
CloudSEK’s latest analysis shows that the malware is now exploiting a broader array of vulnerabilities for initial access, including:
CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX21 firmware command injection vulnerability
CVE-2024-4577 (CVSS score: 9.8) - PHP CGI argument injection vulnerability
CVE-2024-36401 (CVSS score: 9.8) - GeoServer remote code execution vulnerability
“The botnet cycles through common administrative usernames and uses a consistent password pattern,” CloudSEK noted. “The target URL redirects to /wp-admin/, the backend administration dashboard for WordPress sites. If authentication is successful, it gains access to critical website controls and settings.”
The attacks also exploit unauthenticated command execution flaws in Netgear DGN devices and Dasan GPON home routers to drop a payload named “Mozi.m” from various external servers (“200.124.241[.]140” and “117.215.206[.]216”).
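As an added illustration (not code from the CloudSEK report or this article), the Python below shows how a defender might look in their own logs for the two behaviours described above: a source cycling credentials against the WordPress login endpoint and then reaching /wp-admin/, and egress fetches of the Mozi.m payload or of the two quoted servers. The access-log lines, the egress-log format, the internal addresses and the login threshold are constructed assumptions for the example.

```python
import re
from collections import Counter

# Indicators quoted in the report above (defanging brackets removed for matching).
MOZI_HOSTS = {"200.124.241.140", "117.215.206.216"}
MOZI_PAYLOAD = "Mozi.m"
LOGIN_THRESHOLD = 5  # POSTs to the login endpoint from one source before flagging (assumption)

# Constructed Apache combined-format access log lines (not from the report):
# 203.0.113.9 cycles credentials against WordPress and finally lands on /wp-admin/.
SAMPLE_ACCESS_LOG = "\n".join(
    [f'203.0.113.9 - - [08/Oct/2024:10:00:0{i} +0000] "POST /wp-login.php HTTP/1.1" 200 3201'
     for i in range(1, 6)] +
    ['203.0.113.9 - - [08/Oct/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
     '203.0.113.9 - - [08/Oct/2024:10:00:07 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120',
     '198.51.100.4 - - [08/Oct/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 8843'])

# Constructed egress-proxy log lines, one "<internal_ip> <url fetched>" per line.
SAMPLE_EGRESS_LOG = """\
10.0.0.12 http://200.124.241.140/Mozi.m
10.0.0.12 http://updates.example.net/firmware.bin
10.0.0.31 http://117.215.206.216/x.sh
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def find_admin_login_cycling(log_text, threshold=LOGIN_THRESHOLD):
    """Map source IP -> {"attempts": n, "reached_admin": bool} for sources that POSTed
    to /wp-login.php at least `threshold` times. reached_admin is set when a later
    GET /wp-admin/ from the same source returned 200, i.e. one credential worked."""
    attempts, reached = Counter(), set()
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            attempts[ip] += 1
        elif method == "GET" and path.startswith("/wp-admin/") and status == "200" and attempts[ip]:
            reached.add(ip)
    return {ip: {"attempts": n, "reached_admin": ip in reached}
            for ip, n in attempts.items() if n >= threshold}

def find_mozi_downloads(egress_text):
    """Return (internal_ip, url) pairs whose URL names the Mozi.m payload or a quoted host."""
    hits = []
    for line in egress_text.splitlines():
        src, url = line.split(maxsplit=1)
        hm = re.match(r"https?://([^/:]+)", url)
        host = hm.group(1) if hm else ""
        if host in MOZI_HOSTS or url.rsplit("/", 1)[-1] == MOZI_PAYLOAD:
            hits.append((src, url))
    return hits
```

Both functions return plain data so they can feed a SIEM rule or a ticket; the threshold and the 200-on-/wp-admin/ heuristic should be tuned against the site's normal admin traffic.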
Mozi, another well-known botnet, has a history of targeting IoT devices to incorporate them into a malicious network for conducting distributed denial-of-service (DDoS) attacks. Although the malware authors were arrested by Chinese law enforcement in September 2021, a significant decline in Mozi activity wasn’t observed until August 2023, when unidentified parties issued a kill switch command to terminate the malware. It’s suspected that the botnet creators or Chinese authorities distributed an update to dismantle it.
AndroxGh0st’s integration of Mozi suggests a possible operational alliance, allowing it to spread to more devices than ever before.
“AndroxGh0st is not just collaborating with Mozi but embedding Mozi’s specific functionalities (e.g., IoT infection and propagation mechanisms) into its standard operations,” CloudSEK stated.
“AndroxGh0st has expanded to leverage Mozi’s propagation power to infect more IoT devices, using Mozi’s payloads to achieve goals that would otherwise require separate infection routines.”
“If both botnets use the same command infrastructure, it points to a high level of operational integration, possibly implying that the same cybercriminal group controls both AndroxGh0st and Mozi. This shared infrastructure would streamline control over a broader range of devices, enhancing both the effectiveness and efficiency of their combined botnet operations.”