Androxgh0st, a botnet notorious for stealing cloud credentials and exploiting vulnerabilities in web-based applications, is expanding its reach to IoT devices, including home routers, according to cybersecurity firm CloudSEK. Originally written in Python, Androxgh0st was first highlighted in a joint FBI and CISA advisory in January. It targets cloud credentials by exploiting weak spots in web frameworks and servers. For example, it searches for web applications using Laravel and scans their environment files (.env) for sensitive data like Amazon Web Services (AWS) credentials, aiming to spread the malware further.
Androxgh0st has now added exploits from Mozi, an older botnet. People thought Mozi was no longer active after authorities arrested its creators in 2021. Mozi’s exploits target weaknesses in IoT devices. Adding these to Androxgh0st has boosted its ability to infect a wide range of devices, from routers to web servers. Think of it like a spy that could sneak into government buildings before. With Mozi’s new tricks, this spy can now break into homes too. This means it can access and compromise IoT devices on a huge scale.
CloudSEK’s report highlights that Androxgh0st has incorporated nine additional exploits, even targeting platforms like Cisco ASA and Atlassian JIRA, as well as well-known vulnerabilities such as those in Oracle EBS and Sophos Firewall. Androxgh0st uses a particular method to take advantage of a weakness in the WebVPN login page of Cisco ASA appliances. This allows it to upload files and run commands from afar. By tweaking these weak spots, Androxgh0st gets wider access and stays active on both old and new devices.
The rise of Androxgh0st highlights how crucial it is for companies to keep up with security patches for IoT gadgets, which have poor defenses. Picture IoT devices as unlocked windows in a house, providing easy access if not secured. Since IoT devices often lack robust built-in protection, they can become prime targets for malicious software. Companies can safeguard these devices by checking their networks for vulnerabilities and rolling out updates as soon as they become available. This approach helps seal off potential access points that Androxgh0st and similar threats might exploit to gain unauthorized entry.
