Security
Headlines
HeadlinesLatestCVEs

Headline

Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Vulnerabilities

CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and exploits a wide range of…

HackRead
#xss#vulnerability#web#cisco#ddos#apache#git#oracle#wordpress#php#backdoor#rce#botnet#jira

CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and exploits a wide range of vulnerabilities in web applications and IoT devices. Learn about the specific vulnerabilities being targeted, the techniques used by the attackers, and how to protect your systems from this evolving threat.

Cybersecurity researchers at Contextual AI company, CloudSEK’s AI digital risk platform XVigil have uncovered a new development in the Androxgh0st botnet. This malicious network, initially targeting web servers since January 2024, has re-emerged after undergoing transformation.

Reportedly, the botnet now shares components from the infamous Mozi botnet, historically known for infecting internet-of-things (IoT) devices. The analysis of Androxgh0st‘s C&C logs revealed an operational change as the botnet now appears to be deploying Mozi-linked payloads.

This means Androxgh0st may have integrated Mozi’s payload as a module within its botnet architecture, leveraging its IoT infection and propagation mechanisms. This expansion allows Androxgh0st to infect more IoT devices without needing separate infection routines, researchers observed during the investigation, shared exclusively with Hackread.com.

Furthermore, researchers noted an expansion of Androxgh0st’s attack methods. The botnet now targets vulnerabilities beyond web servers, including:

  • Cisco ASA: Exploiting cross-site scripting (XSS) vulnerabilities to inject malicious scripts.

  • Atlassian JIRA: Leveraging path traversal vulnerabilities (CVE-2021-26086) to access sensitive files.

  • PHP Frameworks: Targeting vulnerabilities in Laravel (CVE-2018-15133) and PHPUnit (CVE-2017-9841) to gain backdoor access.

  • New Exploits: The botnet demonstrates the ability to adapt by exploiting recently discovered vulnerabilities like CVE-2023-1389 (TP-Link) and CVE-2024-36401 (GeoServer), showcasing its evolving capabilities.

  • Metabase: Local file inclusion vulnerabilities that can lead to information disclosure and potential remote code execution.

  • Apache Web Server: The botnet also exploits CVE-2021-41773, affecting Apache versions 2.4.49 and 2.4.50 to run arbitrary code and potentially gain sensitive data or credentials.

  • IoT Devices: By integrating Mozi botnet capabilities, Androxgh0st can now target a broader range of IoT devices, including routers, security cameras, and other network-connected devices.

The botnet is also targeting vulnerabilities in Metabase, Sophos Firewall, Oracle E-Business Suite, OptiLink ONT1GEW GPON, PHP CGI, TP-Link Archer AX21, WordPress Plugin Background Image Cropper, Netgear DGN devices, and GPON Home Routers, all vulnerable to remote code execution, information disclosure, and exploitation.

“Androxgh0st actively deploys brute-force credential stuffing, command injection, file inclusion, and malware propagation. By leveraging Mozi’s IoT capabilities, Androxgh0st now exploits misconfigured routers and devices across a vast geographical range, infecting devices in Asia, Europe, and beyond,” researchers noted.

Mozi Botnet targeting GPON Router (Via CloudSEK)

Here’s a full list of countries being targeted by the Androxgh0st botnet. This list ranks countries by the number of devices targeted by the Androxgh0st botnet. Germany, at the top, has the most infected devices, while Singapore, at the bottom, has the least. However, all these countries are active targets of the botnet:

  1. Germany
  2. Turkey
  3. United States of America
  4. India
  5. Hong Kong Special Administrative Region
  6. Romania
  7. Portugal
  8. Poland
  9. Lithuania
  10. Slovenia
  11. Austria
  12. United Kingdom of Great Britain and Northern Ireland
  13. Korea (Republic of)
  14. Thailand
  15. Canada
  16. Spain
  17. Qatar
  18. Singapore

For your information, the Mozi botnet, which primarily targeted Netgear, Dasan, D-Link routers, and MVPower DVR Jaws servers, operated from China, India, and Albania. In 2021, Chinese law enforcement arrested its creators, forcing them to cooperate and distribute an update that killed the botnet’s ability to connect to the outside world in 2023.

The shared command infrastructure between Androxgh0st and Mozi suggests a high level of operational integration, possibly being controlled by the same cybercriminal group. This integration will affect web applications and IoT devices globally.

Organizations should adopt immediate patching for vulnerabilities exploited by Androxgh0st, monitor network traffic for suspicious connections and login attempts, and analyze HTTP and web server logs for signs of compromise.

  1. P2Pinfect Botnet Now Targets Servers with Ransomware
  2. New Gorilla Botnet Hits 0.3 Million Devices in 100 Countries
  3. New Golang Botnet “Zergeca” Delivers Brutal DDoS Attacks
  4. Goldoon Botnet Hits D-Link Devices, Exploits 9-Year-Old Flaw
  5. Russian Hackers Hits Ubiquiti Routers for Data, Botnet Creation

Related news

US Ban on TP-Link Routers More About Politics Than Exploitation Risk

While a number of threat groups have used TP-Link bugs to infiltrate networks, a proposed ban of the company's popular routers is more about geopolitics than actual cybersecurity — and that may not be a bad thing.

Androxgh0st Botnet Targets IoT Devices, Exploiting 27 Vulnerabilities

Androxgh0st, a botnet targeting web servers since January 2024, is also deploying IoT-focused Mozi payloads, reveals CloudSEK’s latest research.

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a

Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware

A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw impacting OSGeo GeoServer GeoTools. The intrusion activity, which was detected by Trend Micro in July 2024, has been attributed to a threat actor dubbed Earth Baxia

China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

The APT group uses spear-phishing and a vulnerability in a geospatial data-sharing server to compromise organizations in Taiwan, Japan, the Philippines, and South Korea.

GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and Botnet Malware

A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk. The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances. In

CISA Warns of Actively Exploited RCE Flaw in GeoServer GeoTools Software

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting OSGeo GeoServer GeoTools to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data. It is the reference implementation of the Open

Geoserver Unauthenticated Remote Code Execution

GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases, web-based data, and personal datasets. In the GeoServer versions before 2.23.6, greater than or equal to 2.24.0, before 2.24.4 and greater than equal to 2.25.0, and before 2.25.1, multiple OGC request parameters allow remote code execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. An attacker can abuse this by sending a POST request with a malicious xpath expression to execute arbitrary commands as root on the system.

GHSA-6jj6-gm7p-fcvv: Remote Code Execution (RCE) vulnerability in geoserver

### Summary Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. ### Details The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. ### PoC No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. ### Impact This vulnerability can lead to exec...

Various Botnets Pummel Year-Old TP-Link Flaw in IoT Attacks

Moobot, Miori, AGoent, and a Gafgyt variant have joined the infamous Mirai botnet in attacking unpatched versions of vulnerable Wi-Fi routers.

FBI: Androxgh0st Malware Building Mega-Botnet for Credential Theft

By Deeba Ahmed The AndroxGh0st malware was initially reported in December 2022. This is a post from HackRead.com Read the original post: FBI: Androxgh0st Malware Building Mega-Botnet for Credential Theft

FBI: Androxgh0st Malware Building Mega-Botnet for Credential Theft

By Deeba Ahmed The AndroxGh0st malware was initially reported in December 2022. This is a post from HackRead.com Read the original post: FBI: Androxgh0st Malware Building Mega-Botnet for Credential Theft

FBI: Androxgh0st Malware Building Mega-Botnet for Credential Theft

By Deeba Ahmed The AndroxGh0st malware was initially reported in December 2022. This is a post from HackRead.com Read the original post: FBI: Androxgh0st Malware Building Mega-Botnet for Credential Theft

Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that threat actors deploying the AndroxGh0st malware are creating a botnet for "victim identification and exploitation in target networks." A Python-based malware, AndroxGh0st was first documented by Lacework in December 2022, with the malware

Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that threat actors deploying the AndroxGh0st malware are creating a botnet for "victim identification and exploitation in target networks." A Python-based malware, AndroxGh0st was first documented by Lacework in December 2022, with the malware

Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that threat actors deploying the AndroxGh0st malware are creating a botnet for "victim identification and exploitation in target networks." A Python-based malware, AndroxGh0st was first documented by Lacework in December 2022, with the malware

Kinsing Actors Exploiting Recent Linux Flaw to Breach Cloud Environments

The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a "new experimental campaign" designed to breach cloud environments. "Intriguingly, the attacker is also broadening the horizons of their cloud-native attacks by extracting credentials from the Cloud Service Provider (CSP)," cloud

TP-Link Archer AX21 Command Injection

TP-Link Archer AX21 suffers from an unauthenticated remote command injection vulnerability.

New DDoS Botnet ‘Condi’ Targets Vulnerable TP-Link AX21 Routers

By Deeba Ahmed FortiGuard Labs has identified numerous Condi DDoS botnet samples that exploit other known security flaws, putting unpatched software at a higher risk of being exploited by botnet malware. This is a post from HackRead.com Read the original post: New DDoS Botnet ‘Condi’ Targets Vulnerable TP-Link AX21 Routers

New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks

A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to rope the devices into a distributed denial-of-service (DDoS) botnet. Fortinet FortiGuard Labs said the campaign has ramped up since the end of May 2023. Condi is the work of a threat actor who goes by the online alias zxcr9999 on Telegram and runs a Telegram channel

Oracle WebLogic Server vulnerability added to CISA list as “known to be exploited”

Categories: Exploits and vulnerabilities Categories: News Tags: Oracle Tags: WebLogic Tags: CVE-2023-21839 Tags: CVE-2023-1389 Tags: CVE-2021-45046 Tags: CISA Tags: reverse shell An easy to exploit vulnerability in Oracle WebLogic Server has been added to the CISA list of things you really, really need to patch. (Read more...) The post Oracle WebLogic Server vulnerability added to CISA list as “known to be exploited” appeared first on Malwarebytes Labs.

Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The security vulnerabilities are as follows - CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX-21 Command Injection Vulnerability CVE-2021-45046 (CVSS score: 9.0) - Apache Log4j2 Deserialization of Untrusted

Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware

Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil

CVE-2023-1389: Unauthenticated Command Injection in TP-Link Archer AX21 (AX1800)

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

Joint Advisory AA22-279A and Vulristics

Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239105 Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on […]

Chinese APT's favorite vulnerabilities revealed

Categories: Exploits and vulnerabilities Categories: News Tags: Chinese APT Tags: advanced persistent threat Tags: APT Tags: CISA Tags: NSA Tags: FBI Tags: security advisory CISA, the NSA and the FBI have compiled a list of the vulnerabilities targeted by state-sponsorted threat actors from China. (Read more...) The post Chinese APT's favorite vulnerabilities revealed appeared first on Malwarebytes Labs.

Gentoo Linux Security Advisory 202208-20

Gentoo Linux Security Advisory 202208-20 - Multiple vulnerabilities have been discovered in Apache Webserver, the worst of which could result in remote code execution. Versions less than 2.4.54 are affected.

CVE-2022-32263: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.

CVE-2022-22721: Apache HTTP Server 2.4 vulnerabilities

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

CVE-2022-21363: Oracle Critical Patch Update Advisory - January 2022

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2021-44790: Apache HTTP Server 2.4 vulnerabilities

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

CVE-2021-35576: Oracle Critical Patch Update Advisory - October 2021

Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

CVE-2020-9490: Apache HTTP Server 2.4 vulnerabilities

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.