CloudSEK researchers report that the AndroxGh0st malware has integrated the Mozi botnet to target IoT devices and cloud-based services. The combination extends AndroxGh0st's reach well beyond its original cloud targets such as AWS and Twilio SendGrid: by absorbing Mozi's capabilities it gains a much broader attack surface, putting large numbers of IoT devices, including home routers, cameras and industrial equipment, at risk.
AndroxGh0st is a Python-based cloud attack tool initially aimed at cloud services and business-critical applications, able to exploit vulnerable systems, harvest cloud credentials and other data, and remotely control compromised hosts. On its own, AndroxGh0st was already a significant risk to organisations. With the recent integration of Mozi, a notorious botnet that infects IoT devices, it has become a much more capable tool for attackers. Mozi spreads by logging into IoT devices that still use weak or default credentials and by exploiting known vulnerabilities in them, turning each one into a node of a botnet (a network of infected devices) that attackers can control.
The AndroxGh0st-Mozi combination matters because it shows how malware evolves by borrowing capabilities from other families, creating greater cybersecurity challenges. With IoT devices now part of everyday life, from home security cameras to industrial control systems, such threats can have far-reaching impacts.
CloudSEK's analysis shows that the malware now exploits an array of vulnerabilities for initial access; the list below gives each one with its Common Vulnerability Scoring System (CVSS) score.
- CVE-2014-2120 (CVSS score: 4.3) – Cisco ASA WebVPN login page XSS vulnerability
- CVE-2018-10561 (CVSS score: 9.8) – Dasan GPON authentication bypass vulnerability
- CVE-2018-10562 (CVSS score: 9.8) – Dasan GPON command injection vulnerability
- CVE-2021-26086 (CVSS score: 5.3) – Atlassian Jira path traversal vulnerability
- CVE-2021-41277 (CVSS score: 7.5) – Metabase GeoJSON map local file inclusion vulnerability
- CVE-2022-1040 (CVSS score: 9.8) – Sophos Firewall authentication bypass vulnerability
- CVE-2022-21587 (CVSS score: 9.8) – Oracle E-Business Suite (EBS) Unauthenticated arbitrary file upload vulnerability
- CVE-2023-1389 (CVSS score: 8.8) – TP-Link Archer AX21 firmware command injection vulnerability
- CVE-2024-4577 (CVSS score: 9.8) – PHP CGI argument injection vulnerability
- CVE-2024-36401 (CVSS score: 9.8) – GeoServer remote code execution vulnerability
Malware is an ever-evolving threat that exploits any vulnerability it can find, so both individuals and organisations should prioritise security best practices to guard against it. Ensure that all IoT and network devices run the latest firmware and patches, and never leave default login credentials in place. Organisations should also deploy network monitoring that flags unusual activity, enforce robust firewall rules, and regularly audit device configurations. Taking these proactive steps is essential to reduce the risk of falling victim to AndroxGh0st and similar threats.
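As an added example (the editor's own, not code from CloudSEK, The Hacker News or the malware report), the following Python script applies the monitoring advice above to the CVE list: it parses Common Log Format access-log lines and flags request shapes associated with five of the listed CVEs, then groups the matches by source address so that one client probing several unrelated products in quick succession stands out. The rule regexes are the editor's assumptions drawn from the public advisories and proofs of concept for each CVE, the log lines are constructed for the demo, and CVEs whose exploit payload travels in a POST body or needs other telemetry (the GPON command injection, and the Jira, Cisco ASA, Sophos and Oracle EBS issues) are deliberately left out.

```python
"""
Flag access-log requests shaped like exploitation attempts for several CVEs
from the AndroxGh0st initial-access list.  Editor's added example: the rule
regexes are assumptions based on public advisories/PoCs, and the sample log
lines are constructed, not captured traffic.
"""
import re
from urllib.parse import unquote

# Common Log Format request line, e.g.
# 203.0.113.5 - - [12/Nov/2024:08:14:03 +0000] "GET /path?q=1 HTTP/1.1" 200 512 "-" "UA"
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# (CVE, product, regex over the URL-decoded request target).  Assumed signatures:
# each describes the request shape that reaches the vulnerable code, which is all
# an access log can show.  Payloads carried in a POST body (e.g. the GPON
# dest_host injection of CVE-2018-10562) are not visible here.
RULES = [
    ("CVE-2018-10561", "Dasan GPON auth bypass (the door to CVE-2018-10562)",
     re.compile(r"/GponForm/\w+\?images/", re.I)),
    ("CVE-2021-41277", "Metabase GeoJSON local file read",
     re.compile(r"/api/geojson\?.*\burl=file:", re.I)),
    ("CVE-2023-1389", "TP-Link Archer AX21 command injection",
     re.compile(r"/cgi-bin/luci/;stok=/locale\?.*\bcountry=[^&]*[$`;|]", re.I)),
    ("CVE-2024-4577", "PHP CGI argument injection (soft hyphen U+00AD as '-')",
     re.compile(r"\.php\?.*\xad[dnsc]", re.I)),
    ("CVE-2024-36401", "GeoServer OGNL injection via WFS property evaluation",
     re.compile(r"service=wfs.*\b(valueReference|cql_filter)=[^&]*(exec\(|java\.lang)", re.I)),
]


def scan_log(lines):
    """Return one hit per (line, rule) match with ip, method, status, cve, product, target."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # non-CLF or truncated line: skip rather than crash on real logs
        # latin-1 keeps %AD as '\xad' instead of the U+FFFD that utf-8 decoding would yield
        target = unquote(m["target"], encoding="latin-1")
        for cve, product, rx in RULES:
            if rx.search(target):
                hits.append({"ip": m["ip"], "method": m["method"], "status": m["status"],
                             "cve": cve, "product": product, "target": target})
    return hits


def by_source(hits):
    """Group matched CVEs by client IP: one source hitting several unrelated
    products within seconds is the opportunistic scanning pattern described above."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["ip"], set()).add(h["cve"])
    return grouped


# Constructed sample: five exploitation-shaped requests and two benign ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Nov/2024:08:14:03 +0000] "GET /GponForm/diag_Form?images/ HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [12/Nov/2024:08:14:05 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28id%3E%2Ftmp%2Fx%29 HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [12/Nov/2024:08:15:11 +0000] "GET /api/geojson?url=file:////etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.4.0"',
    '198.51.100.7 - - [12/Nov/2024:08:15:12 +0000] "POST /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 44 "-" "curl/8.4.0"',
    '198.51.100.7 - - [12/Nov/2024:08:15:13 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=exec(java.lang.Runtime.getRuntime(),%27id%27) HTTP/1.1" 500 0 "-" "curl/8.4.0"',
    '192.0.2.20 - - [12/Nov/2024:08:16:00 +0000] "GET /api/geojson?url=https://maps.example.org/regions.json HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [12/Nov/2024:08:16:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]:<14} {h["cve"]:<15} {h["method"]} {h["target"]}')
    for ip, cves in by_source(found).items():
        print(f"{ip}: {len(cves)} distinct CVEs probed -> {sorted(cves)}")
```

On the constructed sample the script reports five hits and attributes two CVEs to 203.0.113.5 and three to 198.51.100.7, while the two benign requests (a GeoJSON fetch over HTTPS and an ordinary PHP page) pass. The rules look only at the decoded URL, so they are deliberately loose signatures for triage, not proof of compromise: treat a hit as a reason to check the device's patch level and the response status, and expect to tune the patterns against your own traffic.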
Source: The Hacker News