New Androxgh0st botnet targets vulnerabilities in IoT devices and web applications via Mozi integration

Date:
Sun, 22 Dec 2024 21:03:00 +0000

Description:
Androxgh0st integration with Mozi targets critical systems with advanced tactics and exploiting new vulnerabilities.

FULL STORY ======================================================================Androxgh 0sts integration with Mozi amplifies global risks IoT vulnerabilities are the new battleground for cyberattacks Proactive monitoring is essential to combat emerging botnet threats

Researchers have recently identified a major evolution in the Androxgh0st botnet, which has grown more dangerous with the integration of the Mozi botnets capabilities.

What began as a web server-targeted attack in early 2024 has now expanded, allowing Androxgh0st to exploit vulnerabilities in IoT devices, CloudSEKs Threat Research team has said.

Its latest report claims the botnet is now equipped with Mozis advanced techniques for infecting and spreading across a wide range of networked devices. The resurgence of Mozi: A unified botnet infrastructure

Mozi, previously known for infecting IoT devices like Netgear and D-Link routers, was believed to be inactive following a killswitch activation in 2023.

However, CloudSEK has revealed Androxgh0st has integrated Mozis propagation capabilities, significantly amplifying its potential to target IoT devices.

By deploying Mozis payloads, Androxgh0st now has a unified botnet infrastructure that leverages specialized tactics to infiltrate IoT networks. This fusion enables the botnet to spread more efficiently through vulnerable devices, including routers and other connected technology, making it a more formidable force.

Beyond its integration with Mozi, Androxgh0st has expanded its range of targeted vulnerabilities, exploiting weaknesses in critical systems.
CloudSEKs analysis shows Androxgh0st is now actively attacking major technologies, including Cisco ASA, Atlassian JIRA, and several PHP
frameworks.

In Cisco ASA systems, the botnet exploits cross-site scripting (XSS) vulnerabilities, injecting malicious scripts through unspecified parameters. It also targets Atlassian JIRA with a path traversal vulnerability (CVE-2021-26086), allowing attackers to gain unauthorized access to sensitive files. In PHP frameworks, Androxgh0st exploits older vulnerabilities such as those in Laravel (CVE-2018-15133) and PHPUnit (CVE-2017-9841), facilitating backdoor access to compromised systems.

Androxgh0sts threat landscape is not limited to older vulnerabilities. It is also capable of exploiting newly discovered vulnerabilities, such as CVE-2023-1389 in TP-Link Archer AX21 firmware, which allows for unauthenticated command execution, and CVE-2024-36401 in GeoServer, a vulnerability that can lead to remote code execution.

The botnet now also uses brute-force credential stuffing, command injection, and file inclusion techniques to compromise systems. By leveraging Mozis IoT-focused tactics, it has significantly widened its geographical impact, spreading its infections across regions in Asia, Europe, and beyond.

CloudSEK recommends that organizations strengthen their security posture to mitigate potential attacks. While immediate patching is essential, proactive monitoring of network traffic is also important. By tracking suspicious outbound connections and detecting anomalous login attempts, particularly
from IoT devices, organizations can spot early signs of an Androxgh0st-Mozi collaboration. You might also like This devious new malware technique looks
to hijack Windows itself to avoid detection Take a look at the best firewall software These are the best antivirus solutions



======================================================================
Link to news story: https://www.techradar.com/pro/New-Androxgh0st-botnet-targets-vulnerabilities-i n-IoT-devices-and-web-applications-using-Mozi-integration


--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)