CISA: AWS, Microsoft 365 Accounts Under Active ‘Androxgh0st’ Attack

January 17, 2024 at 01:21PM

The FBI and CISA have issued an alert about a malware campaign targeting Apache webservers and websites using the Laravel Web application framework. The campaign aims to steal credentials for high-profile applications such as AWS, Microsoft 365, Twilio, and SendGrid. The threat actors use a known malware called “Androxgh0st” to exploit vulnerabilities and deploy Web shells on compromised systems. CISA recommends patching known exploited vulnerabilities and reviewing exposed servers and services.

According to the alert, the FBI and CISA are warning of a malware campaign targeting Apache webservers and websites built on the Laravel Web application framework. The campaign aims to steal credentials for high-profile applications such as Amazon Web Services, Microsoft 365, Twilio, and SendGrid. The threat actors have been observed attempting to create new users and user policies on compromised AWS instances, and they are actively scanning for websites affected by specific vulnerabilities, particularly CVE-2017-9841 and CVE-2021-41773.

The malware used in the campaign, “Androxgh0st,” is designed to scan for and extract application secrets from Laravel .env files. It can find and exploit exposed credentials and APIs, and it deploys Web shells on compromised systems. The threat actors reportedly operate a botnet that scans for websites running the Laravel Web application framework and attempts to retrieve the .env file, looking for secrets such as usernames and passwords for AWS, email accounts, and other enterprise apps.
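The scanning behaviour described above leaves a recognisable trail in webserver access logs. The following detector is an added example written for this page, not code from the CISA/FBI alert: it flags requests for Laravel .env files and for the two CVEs named in the alert over a few constructed Apache log lines. The request-path patterns for CVE-2017-9841 (the PHPUnit eval-stdin.php endpoint) and CVE-2021-41773 (percent-encoded dot traversal) come from the public descriptions of those vulnerabilities, not from this article, and the signature names are my own.

```python
import re
from collections import Counter

# Constructed Apache access-log lines (not from the advisory) mimicking the
# probing the alert describes: Laravel .env requests, the PHPUnit eval-stdin.php
# endpoint (CVE-2017-9841) and encoded-dot traversal (CVE-2021-41773), mixed
# with a benign request. Client addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jan/2024:13:21:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jan/2024:13:21:02 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jan/2024:13:21:03 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jan/2024:13:22:11 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""

# Common/combined log format: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Matched against the RAW path: the CVE-2021-41773 bypass relied on a
# percent-encoded dot, so URL-decoding first would erase the indicator.
SIGNATURES = {
    "laravel-env-probe": re.compile(r"(^|/)\.env\b", re.I),
    "cve-2017-9841-phpunit": re.compile(r"/eval-stdin\.php$", re.I),
    "cve-2021-41773-traversal": re.compile(r"/\.\./|\.%2e|%2e\.|%2e%2e", re.I),
}

def detect(log_text: str) -> list[dict]:
    """One finding per line whose raw path matches a signature; a 404 still
    counts, since the probe itself shows the host is being targeted."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        for name, sig in SIGNATURES.items():
            if sig.search(m["path"]):
                findings.append({"ip": m["ip"], "ts": m["ts"], "signature": name,
                                 "status": int(m["status"]), "path": m["path"]})
                break
    return findings

def repeat_scanners(findings: list[dict], min_hits: int = 2) -> dict[str, int]:
    """Clients with repeated probes: first candidates for blocking and review."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= min_hits}

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ip']:<14} {f['signature']:<25} {f['status']} {f['path']}")
```

Any hit against a Laravel host is a prompt to check whether the .env file was ever reachable and to rotate the credentials it holds, which is the review CISA recommends.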

To protect against this and similar threats, CISA recommends prioritizing patching known exploited vulnerabilities in Internet-facing systems, reviewing and ensuring only necessary servers and services are exposed to the Internet, and reviewing platforms or services that have credentials listed in .env files for unauthorized access or use.
