AWS, Microsoft 365 Accounts Under Active ‘Androxgh0st’ Attack

January 17, 2024
in Protection
The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert about a malware campaign targeting Apache webservers and websites using the popular Laravel Web application framework, leveraging known bugs for initial compromise.

The end goal of the campaign is to steal credentials to high-profile applications such as Amazon Web Services, Microsoft 365, Twilio, and SendGrid, so the threat actors can access sensitive data in the apps or use the apps for other malicious operations.

“For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies,” the two agencies said. In many incidents the adversaries have also used the stolen credentials to create new AWS instances for additional, malicious scanning activity, they noted.

Credential Threat & Misuse

The campaign involves a known malware threat dubbed “Androxgh0st” that Lacework first warned about in December 2022. The malware, written in Python, is designed to scan for and extract application secrets such as credentials and API keys from Laravel .env files.

Laravel is an open source PHP Web application framework that many developers use for common Web development tasks without having to write low-level code from scratch. Laravel .env files are a popular adversary target because they often contain credentials and other information that attackers can use to access and abuse high-value apps, such as AWS, Microsoft 365, and Twilio.

Lacework identified the malware as capable of scanning for and exploiting exposed credentials and APIs and of deploying Web shells on compromised systems.

This is not the first big campaign for the malicious code; last March, Fortinet reported observing threat actors using Androxgh0st to target Laravel .env files on an average of 40,000 Fortinet devices per day.

Active Scanning for Vulnerable Websites

According to the FBI and CISA, Androxgh0st threat actors are also actively scanning for websites with specific vulnerabilities in them, particularly CVE-2017-9841, a critical remote code execution (RCE) vulnerability in PHPUnit, a module for testing PHP code.

They are exploiting the vulnerability to drop Androxgh0st and other malware on affected websites and make them part of a botnet, used to scan for and gather information on other potential targets. CVE-2017-9841 is a widely targeted vulnerability from 2017, with vendors like Imperva reporting millions of attacks on affected systems through at least early 2020.

In many instances, the Androxgh0st adversaries have also been observed scanning for Web servers running Apache HTTP Server versions 2.4.49 or 2.4.50 that are vulnerable to CVE-2021-41773, a path traversal vulnerability from 2021 that allows for RCE. CISA has previously warned about CVE-2021-41773 being among the list of vulnerabilities that China-backed threat actors tend to exploit the most in their campaigns.

The FBI and CISA alert described the threat actors as using the botnet to scan for websites built on the Laravel Web application framework and to then determine whether the domain's root .env file is exposed.

“If the .env file is exposed, threat actors will issue a GET request to the /.env URI to attempt to access the data on the page,” the two agencies said. “Alternatively, Androxgh0st may issue a POST request to the same URI with a POST variable named 0x[] containing certain data sent to the Web server.”

If either method elicits a successful response, the threat actors are able to look for secrets in the .env file including usernames and passwords to AWS, email accounts and other enterprise apps.
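The two probe patterns the agencies describe (a GET or POST against a /.env URI) are easy to pick out of ordinary Apache access logs. The script below is an added example for defenders, not code from the alert or from Lacework; it parses Apache combined-format log lines, flags every request whose path ends in /.env, and treats a 2xx response as a confirmed exposure that needs credential rotation rather than just a scan. The log lines are constructed samples with documentation IP ranges, and the field layout assumes the default combined LogFormat.

```python
import re
from collections import defaultdict

# Apache "combined" log format:
#   ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (documentation IP ranges, not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [17/Jan/2024:10:01:03 +0000] "POST /.env HTTP/1.1" 200 211 "-" "python-requests/2.31"
198.51.100.23 - - [17/Jan/2024:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Jan/2024:10:02:11 +0000] "GET /app/.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Jan/2024:10:03:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "curl/8.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_env_probe(path):
    """True when the request targets a .env file in any directory (query string ignored)."""
    clean = path.split("?", 1)[0]
    return clean.endswith("/.env")


def detect_env_probes(log_text):
    """Scan log text and return one finding per request aimed at a .env file."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_env_probe(rec["path"]):
            continue
        # A 2xx response means the server actually served the file, so the
        # secrets in it must be assumed compromised; a 4xx is only a probe.
        exposed = 200 <= rec["status"] < 300
        findings.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": "critical" if exposed else "medium",
        })
    return findings


def summarize_by_ip(findings):
    """Aggregate findings per source address: total probes and confirmed exposures."""
    summary = defaultdict(lambda: {"probes": 0, "exposed": 0})
    for f in findings:
        summary[f["ip"]]["probes"] += 1
        if f["severity"] == "critical":
            summary[f["ip"]]["exposed"] += 1
    return dict(summary)


if __name__ == "__main__":
    results = detect_env_probes(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:8} {f['ip']:15} {f['method']} {f['path']} -> {f['status']}")
    print(summarize_by_ip(results))
```

Any source with `exposed` greater than zero has already read the file, so the response is rotation of every credential it contained, not just blocking the address; a source with probes only tells you the scanner found you but the server refused the path.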

To protect against this and similar threats, CISA recommended the following best practices:

  1. Prioritize patching known exploited vulnerabilities in Internet-facing systems;

  2. Review and ensure only necessary servers and services are exposed to the Internet;

  3. Review platforms or services that have credentials listed in .env files for unauthorized access or use.

Editorial Team