FBI: Beware of thieves building Androxgh0st botnets using stolen creds

January 16, 2024 at 08:36PM

The FBI and CISA warn that cybercriminals are exploiting old, long-patched vulnerabilities to deploy Androxgh0st malware, which hunts for exposed .env files holding credentials for AWS, Microsoft Office 365, SendGrid, and Twilio. The malware can be used to steal data, execute code remotely, and create new AWS users and instances with the stolen keys. Mitigations include patching Apache servers and reviewing cloud and other credentials for unauthorized use.

The main takeaways from the article:
1. Crooks are exploiting old vulnerabilities to deploy Androxgh0st malware and create a cloud-credential stealing botnet, as per a joint warning issued by the FBI and CISA.
2. The Python-scripted malware targets .env files that store user credentials for services like AWS, Microsoft Office 365, SendGrid, and Twilio.
3. Androxgh0st can be used to deploy web shells, remotely execute code, steal sensitive data, and create new AWS users and instances.
4. The malware exploits three old, patched CVEs for its credential-stealing attacks: CVE-2017-9841 (PHPUnit remote code execution), CVE-2018-15133 (Laravel deserialization remote code execution, which needs a leaked APP_KEY), and CVE-2021-41773 (Apache HTTP Server 2.4.49 path traversal and remote code execution).
5. The authorities suggest specific tactics to reduce the risk of Androxgh0st infection, including ensuring Apache servers are not running a vulnerable version, making sure .env files are not reachable from the web, and reviewing the credentials stored in .env files for unauthorized use, rotating any that may have been exposed.
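A practical first step when checking whether a server has been probed by this campaign is to look in the web server access log for the requests the three CVEs and the .env harvesting produce. The script below is an added example, not code from the advisory or the article: it parses Apache/Nginx "combined" format log lines and flags requests for .env files, for PHPUnit's eval-stdin.php (CVE-2017-9841), and for the encoded-dot traversal used against Apache 2.4.49 (CVE-2021-41773). The indicator paths are this example's assumption about how those bugs are probed, the log lines are constructed, and a hit on CVE-2018-15133 is not path-visible, so it is covered only indirectly by catching the .env read that leaks the Laravel APP_KEY. A .env request that the server answered with a 2xx status is singled out, because that is the case where the credentials in the file must be treated as stolen.

```python
import re
from dataclasses import dataclass

# Apache/Nginx "combined" access log format (assumption: the server logs this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Request-path indicators. These are this example's assumptions about how the
# advisory's CVEs and .env harvesting show up in logs, not text from the advisory.
INDICATORS = [
    # Direct fetch of a dotenv file (optionally with a suffix such as .env.bak).
    ("env-file-probe", re.compile(r'(^|/)\.env(\.[\w.-]+)?$', re.I)),
    # CVE-2017-9841: PHPUnit's eval-stdin.php executes POSTed PHP.
    ("CVE-2017-9841 phpunit eval-stdin", re.compile(r'phpunit/src/util/php/eval-stdin\.php', re.I)),
    # CVE-2021-41773: encoded-dot path traversal against Apache httpd 2.4.49.
    ("CVE-2021-41773 apache traversal", re.compile(r'/\.%2e/|/%2e%2e/', re.I)),
]


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: str
    indicator: str


def classify(path: str):
    """Return the first indicator name matching the request path, or None."""
    path_only = path.split("?", 1)[0]  # ignore the query string
    for name, rx in INDICATORS:
        if rx.search(path_only):
            return name
    return None


def scan_log(lines):
    """Parse combined-format log lines and return a Finding for each indicator hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # malformed or non-combined line: skip rather than crash
            continue
        indicator = classify(m["path"])
        if indicator:
            findings.append(Finding(m["ip"], m["ts"], m["method"], m["path"], m["status"], indicator))
    return findings


def served_secrets(findings):
    """.env requests the server answered with 2xx: the file contents most likely
    left the box, so every credential in it has to be rotated."""
    return [f for f in findings if f.indicator == "env-file-probe" and f.status.startswith("2")]


def sources(findings):
    """Distinct client IPs that triggered any indicator, for blocking or hunting."""
    return sorted({f.ip for f in findings})


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jan/2024:20:36:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jan/2024:20:36:02 +0000] "POST /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jan/2024:20:36:03 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jan/2024:20:37:10 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1024 "-" "curl/7.68.0"
192.0.2.9 - - [16/Jan/2024:20:38:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.ip} {f.method} {f.path} -> {f.status} [{f.indicator}]")
    for f in served_secrets(hits):
        print(f"ROTATE CREDENTIALS: {f.ip} read {f.path} with status {f.status}")
    print("probing sources:", ", ".join(sources(hits)))
```

Run it against a real log with `scan_log(open("access.log"))`; a 404 on the eval-stdin.php or traversal paths only tells you the host was scanned, whereas a 200 on /.env means the keys inside it should be treated as already in the attacker's hands regardless of whether the rest of the intrusion succeeded.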
