Vercara’s Open-Source Intelligence (OSINT) Report – November 1 – November 7, 2024


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

AndroxGh0st malware integrates Mozi Botnet to target IoT and cloud services. 

(TLP: CLEAR) Recent intelligence reporting has highlighted the increasing sophistication of ‘AndroxGh0st’, a Python-based cloud-targeting attack tool built to extract sensitive data from internet services such as Amazon Web Services (AWS). According to reporting, analysts have tracked AndroxGh0st’s evolution since January 2024, noting that the malware has adopted payloads and methodologies from the Mozi botnet, an IoT botnet whose toolkit is known for credential harvesting and remote code execution that gives operators persistent footholds in network infrastructure. This convergence has expanded AndroxGh0st’s operational scope to a broader set of enterprise systems, including Cisco ASA devices, Atlassian JIRA, and PHP-based frameworks. Since AndroxGh0st’s inception in 2022, the malware has been observed leveraging known vulnerabilities, such as CVE-2021-41773 in the Apache HTTP Server, CVE-2018-15133 in the Laravel framework, and CVE-2017-9841 in PHPUnit, to gain an initial foothold, escalate privileges, and maintain control over compromised assets. Additionally, in January 2024, U.S. cybersecurity and intelligence agencies warned of AndroxGh0st’s deployment as a botnet platform, noting its capability to facilitate victim identification and network exploitation across targeted infrastructures. This deployment highlights AndroxGh0st’s evolving role in coordinated campaigns aimed at gaining and maintaining persistent control over exposed cloud and enterprise assets, and reinforces the need for rigorous monitoring and timely vulnerability management in at-risk environments. 
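
As an added example (not code from this report or from any vendor it cites), the following Python script scans web-server access logs for the request paths used against two of the CVEs named above, plus requests for an exposed Laravel .env file. That .env rule is an assumption about how an attacker would obtain the APP_KEY that CVE-2018-15133 requires, not something the report states. The log lines are constructed; the PHPUnit and Apache patterns follow the public exploit paths for those CVEs.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Nov/2024:10:01:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.10 - - [05/Nov/2024:10:01:03 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
198.51.100.7 - - [05/Nov/2024:10:02:11 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 0 "-" "curl/7.88.1"
192.0.2.44 - - [05/Nov/2024:10:03:30 +0000] "GET /index.php?page=home HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Request-path signatures. The first two reflect the public exploit paths for
# the CVEs; the third is an assumption about how the Laravel APP_KEY is obtained.
SIGNATURES = [
    ("CVE-2017-9841 PHPUnit eval-stdin.php", re.compile(r"/phpunit/.*/eval-stdin\.php$", re.I)),
    ("CVE-2021-41773 Apache cgi-bin traversal", re.compile(r"^/cgi-bin/(\.\./)+", re.I)),
    ("Laravel .env exposure (APP_KEY for CVE-2018-15133)", re.compile(r"^/\.env$", re.I)),
]


def parse_line(line):
    """Parse one combined-format line; return None for anything that does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string and decode once so %2e-style obfuscation
    # (as used against CVE-2021-41773) matches the same rule as plain "..".
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    rec["status"] = int(rec["status"])
    return rec


def scan(log_text):
    """Return one hit per (request, rule) match, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, pattern in SIGNATURES:
            if pattern.search(rec["path"]):
                hits.append({
                    "ip": rec["ip"], "rule": rule, "path": rec["path"], "status": rec["status"],
                    # A 2xx on an exploit path means the request reached something:
                    # treat it as a possible success rather than a failed probe.
                    "possible_success": 200 <= rec["status"] < 300,
                })
    return hits


def by_source(hits):
    """Count flagged requests per source IP; a scanner usually trips several rules."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        label = "POSSIBLE SUCCESS" if h["possible_success"] else "probe"
        print(f'{h["ip"]:15} {h["status"]} {label:17} {h["rule"]}')
    print(by_source(found))
```

A 404 on eval-stdin.php means the probe found nothing to exploit, but a 200 for /.env is an incident in its own right: rotate the APP_KEY, database credentials and any cloud keys that file contained, because the report's point is that AndroxGh0st harvests exactly those secrets.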

(TLP: CLEAR) Comments: The Mozi botnet, whose developers were arrested by Chinese authorities in September 2021, was a notorious platform for launching distributed denial-of-service (DDoS) attacks from compromised IoT devices. Notably, despite the arrests, a kill-switch command that deactivated the botnet was not observed until August 2023. Its reappearance inside AndroxGh0st points to a deliberate strategy of unifying two distinct sets of malware functionality. By combining them, the threat actors likely aim to use Mozi’s IoT-focused propagation to extend AndroxGh0st’s reach into more diverse environments, improving both families’ operational scope and infection efficiency. The fusion may also let them consolidate command-and-control infrastructure for more streamlined operations. Immediate patching of the identified vulnerabilities is strongly recommended to mitigate the threat posed by the AndroxGh0st botnet. Additional indicators of compromise can be found at https://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave 

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.1: “For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows:

Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows:

  • By an entity that specializes in application security.
  • Including, at a minimum, all common software attacks in Requirement 6.2.4.
  • All vulnerabilities are ranked in accordance with requirement 6.3.1.
  • All vulnerabilities are corrected.
  • The application is re-evaluated after the corrections.

OR

Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:

  • Installed in front of public-facing web applications to detect and prevent web-based attacks.
  • Actively running and up to date as applicable.
  • Generating audit logs.
  • Configured to either block web-based attacks or generate an alert that is immediately investigated.”

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, provides protection at the application layer to detect and block DDoS attacks as well as unwanted web bots and application attacks such as SQLi, XSS, and CSRF. 

Vercara’s DDoS Protection, UltraDDoS Protect, provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources. 

Source: https://www.infosecurity-magazine.com/news/androxgh0st-botnet-adopts-mozi/?&web_view=true  

Microsoft warns of Chinese botnet exploiting router flaws for credential harvesting. 

(TLP: CLEAR) Microsoft has highlighted a botnet operation run by Chinese threat actors to facilitate highly evasive password spray attacks that could lead to large-scale credential theft. The botnet, dubbed ‘CovertNetwork-1658’ and also known as xlogin and Quad7 (7777), is comprised of compromised small office and home office (SOHO) routers, predominantly manufactured by TP-Link, along with devices from Zyxel, Asus, Axentra, D-Link, and NETGEAR. According to Microsoft, the threat actors behind the campaign exploited vulnerabilities in these routers to establish a foothold and enroll them into the botnet, making the infrastructure available to other threat groups to extend their attack capabilities. Intelligence reporting further reveals that multiple Chinese threat actors use credentials obtained through CovertNetwork-1658’s password spray operations to attempt initial access to targeted systems. Among these actors is Storm-0940, a group with an established pattern of using valid credentials sourced from CovertNetwork-1658 for initial access to target organizations. Storm-0940 has been active since 2021 and has focused its operations on high-value targets in North America and Europe, including think tanks, government agencies, NGOs, and law firms. Investigators have documented multiple instances in which Storm-0940 used credentials obtained through the CovertNetwork-1658 infrastructure; on several occasions the stolen credentials were used on the same day they were acquired, underscoring a closely coordinated relationship between Storm-0940 and the CovertNetwork-1658 operators. Once it has a foothold in the targeted network, Storm-0940 follows a systematic approach to persistence: it deploys scanning and credential-dumping tools to move laterally across the network and drops remote access trojans (RATs) for long-term persistence. The operation culminates in the exfiltration of sensitive corporate data from the compromised systems. 
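
The evasiveness Microsoft describes comes from each router making only a handful of sign-in attempts per account, so per-IP lockouts and rate limits never fire. The Python script below, an added example rather than code from Microsoft or from this report, shows a detection that keys on the spray's shape instead: many distinct accounts failing from many low-rate sources within one hour, followed by a success from any of those sources. The sign-in events are constructed; the one-hour bucket and the thresholds (20 targeted accounts, at most 3 failures per source) are assumptions to tune for your own tenant.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real logs): timestamp, target account, source
# IP, result. 203.0.113.0/24 stands in for the compromised routers and
# 198.51.100.5 for an office egress address.
BASE = datetime(2024, 11, 5, 9, 0)
SAMPLE_EVENTS = []
for i in range(40):
    # One attempt per account per router: the "low-and-slow" spray shape.
    SAMPLE_EVENTS.append({"ts": BASE + timedelta(seconds=15 * i),
                          "user": f"user{i:02d}@example.com",
                          "ip": f"203.0.113.{i + 1}", "result": "failure"})
# The one guess that worked, then nothing further from that router.
SAMPLE_EVENTS.append({"ts": BASE + timedelta(minutes=11), "user": "user12@example.com",
                      "ip": "203.0.113.13", "result": "success"})
# A single user mistyping a password five times: noisy, but not a spray.
for k in range(5):
    SAMPLE_EVENTS.append({"ts": BASE + timedelta(minutes=30 + k), "user": "alice@example.com",
                          "ip": "198.51.100.5", "result": "failure"})
SAMPLE_EVENTS.append({"ts": BASE + timedelta(hours=2), "user": "bob@example.com",
                      "ip": "198.51.100.5", "result": "success"})


def detect_spray(events, min_users=20, max_per_ip=3):
    """Bucket failed sign-ins by hour and flag hours in which many distinct
    accounts fail from sources that each tried only a few times. Returns one
    alert per flagged hour, including any later success from those sources."""
    hour = lambda ts: ts.replace(minute=0, second=0, microsecond=0)
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[hour(e["ts"])].append(e)

    alerts = []
    for start, evs in sorted(failures.items()):
        per_ip = Counter(e["ip"] for e in evs)
        # Low-rate sources are the ones a per-IP lockout or rate limit never sees.
        low_rate = {ip for ip, n in per_ip.items() if n <= max_per_ip}
        targeted = {e["user"] for e in evs if e["ip"] in low_rate}
        # High-rate sources are classic brute force and get the classic response.
        noisy = sorted(ip for ip, n in per_ip.items() if n > max_per_ip)
        if len(targeted) < min_users:
            continue
        # A success from a spray source after the window opened is the credential
        # that gets handed off (the report notes same-day use by Storm-0940).
        compromised = sorted({e["user"] for e in events
                              if e["result"] == "success" and e["ip"] in low_rate
                              and e["ts"] >= start})
        alerts.append({"window_start": start, "targeted_users": len(targeted),
                       "spray_sources": len(low_rate), "noisy_sources": noisy,
                       "compromised": compromised})
    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_EVENTS):
        print(f'{a["window_start"]}: {a["targeted_users"]} accounts from '
              f'{a["spray_sources"]} low-rate sources; compromised={a["compromised"]}; '
              f'separate brute-force sources={a["noisy_sources"]}')
```

The accounts in `compromised` are the ones to reset and investigate first; the spray itself is the reason to enforce MFA everywhere, as the Comments below recommend, since a correct password alone then no longer yields access.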

(TLP: CLEAR) Comments: In the past, CovertNetwork-1658 has primarily been leveraged to conduct brute-force attacks on accounts linked to the widely used Microsoft 365. To mitigate the threat of password spraying, organizations should prioritize security measures such as implementing multi-factor authentication (MFA) universally across all network accounts. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport. 

(TLP: CLEAR) Vercara: Vercara can deploy two solutions in this instance. Vercara’s Web Application Firewall, UltraWAF, can help safeguard SSL VPNs against vulnerabilities and brute-force logins. It also provides protection at the application layer to detect and block DDoS attacks as well as unwanted web bots and application attacks such as SQLi, XSS, and CSRF. 

Once attackers are inside the enterprise network, Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block tool downloads, data exfiltration, and other activities on compromised endpoints. UltraDDR also filters internal DNS responses from users and machines using both defined categories, including botnet Command and Control (C2), as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation. 

Source: https://thehackernews.com/2024/11/microsoft-warns-of-chinese-botnet.html 

Source: https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/  

German police disrupt DDoS-for-Hire platform dstat[.]cc; suspects arrested. 

(TLP: CLEAR) Recent reporting sheds light on the Passion Group, a hacktivist group affiliated with Killnet and Anonymous Russia, which has established itself as a significant threat actor by launching a distributed denial-of-service (DDoS)-as-a-Service platform catering to pro-Russian hacktivists. The service, accessible through various Telegram channels, simplifies access to and use of the DDoS tooling, allowing even non-technical users to engage in attacks. On January 27, 2023, the Passion group leveraged its botnet to execute coordinated DDoS attacks against medical facilities across multiple countries, including the United States, Portugal, Spain, Germany, Poland, and the United Kingdom, in retaliation against nations supporting Ukraine militarily, underscoring the group’s intent to disrupt entities viewed as adversaries of Russian interests. The group’s DDoS infrastructure, known as the Passion Botnet, gives it the capability to conduct high-volume, multi-vector DDoS attacks, including application-layer attacks, TCP SYN floods, DNS amplification, and UDP floods. With customizable options for attack intensity and duration, Passion allows subscribers to tune their attack vectors and thresholds against specific targets, raising the likelihood of operational impact. The botnet itself is likely composed of a broad network of compromised devices, sourced through malware deployment and exploitation of vulnerabilities in internet-of-things (IoT) devices. Intelligence reporting indicates that, to market the service and attract new subscribers, the Passion group conducts live demonstration attacks on platforms such as dstat[.]cc, showcasing the botnet’s ability to bypass and overwhelm various defensive measures. These demonstrations function both as a promotional tool and as a testing ground for refining attack techniques under real-world conditions. 

(TLP: CLEAR) Comments: The rise of DDoS-as-a-Service offerings from groups like Passion represents a growing threat to critical infrastructure, as it empowers a broader range of actors to engage in coordinated cyber operations. The accessibility of these tools could drive a surge in both the frequency and scale of attacks, particularly against high-value sectors. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Source address spoofing is often combined with reflection and amplification from poorly administered open internet servers (e.g., DNS, NTP) to multiply the attack traffic volume by a factor of 50 or more. The attacker may use a single high-capacity computer with a high bandwidth internet connection or a botnet consisting of many compromised devices to send query requests to high-performance internet servers. The attacking systems employ source address spoofing, which inserts the IP address of the target as the source address in the requests. For internet services that use the User Datagram Protocol (UDP) (e.g., DNS, NTP), the query and response are each contained in a single packet, and the exchange does not require the establishment of a connection between the source and the server (unlike Transmission Control Protocol (TCP)). The responses from such open internet servers are directed to the attack target since the target’s IP address was forged as the source address field of the request messages. Often, the response from the server to the target address is much larger than the query itself, amplifying the effect of the DoS attack. Such reflection and amplification attacks can result in massive DDoS with attack volumes in the range of hundreds of Gbps.” 
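
To make the mechanism in the NIST passage concrete, here is an added Python example (not code from NIST, from this report or from any vendor it names) that works through constructed UDP flow records as a transit or upstream network would see them. It pairs each spoofed query flow (forged source = the target, destination port 53) with the response flow it triggers (source port 53, destination = the target) and computes the per-reflector amplification ratio. The service-port table, the 10x ratio and the three-reflector thresholds are assumptions; the flows are constructed, with 64-byte queries and 3,200-byte responses standing in for a DNS amplification of roughly 50x, the factor the NIST text cites.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors. DNS and NTP are the two the NIST
# text names; the others are well-known additions. Port -> label.
AMP_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}

# Constructed flow records: (src, sport, dst, dport, packets, bytes), UDP only.
TARGET = "192.0.2.10"
SAMPLE_FLOWS = []
for i in range(1, 6):
    reflector = f"203.0.113.{i}"
    # Spoofed queries: the source address is forged as the target's, so the
    # reflector's answer is delivered to the target, not to the attacker.
    SAMPLE_FLOWS.append((TARGET, 40000 + i, reflector, 53, 200, 200 * 64))
    # The responses are ~50x larger than the queries that provoked them.
    SAMPLE_FLOWS.append((reflector, 53, TARGET, 40000 + i, 200, 200 * 3200))
# Benign lookups from a client to its own resolver: a ratio near 1-2.
SAMPLE_FLOWS.append(("198.51.100.20", 51000, "198.51.100.1", 53, 20, 20 * 70))
SAMPLE_FLOWS.append(("198.51.100.1", 53, "198.51.100.20", 51000, 20, 20 * 130))


def amplification_report(flows, min_ratio=10.0, min_reflectors=3):
    """Pair query and response flows per (client, server, service port) and flag
    any destination that receives high-ratio responses from several servers."""
    query_bytes = defaultdict(int)     # (client, server, port) -> bytes sent to the service
    response_bytes = defaultdict(int)  # (client, server, port) -> bytes the service sent back
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if dport in AMP_PORTS:
            query_bytes[(src, dst, dport)] += nbytes
        elif sport in AMP_PORTS:
            response_bytes[(dst, src, sport)] += nbytes

    per_target = defaultdict(list)
    for (client, server, port), out_bytes in response_bytes.items():
        in_bytes = query_bytes.get((client, server, port), 0)
        # No matching query at all is the strongest signal: the "client" never asked.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        per_target[client].append({"reflector": server, "service": AMP_PORTS[port],
                                   "ratio": round(ratio, 1), "bytes": out_bytes})

    alerts = []
    for target, rows in per_target.items():
        amplified = [r for r in rows if r["ratio"] >= min_ratio]
        if len(amplified) >= min_reflectors:
            alerts.append({
                "target": target,
                "reflectors": len(amplified),
                "services": sorted({r["service"] for r in amplified}),
                "max_ratio": max(r["ratio"] for r in amplified),
                "bytes_delivered": sum(r["bytes"] for r in amplified),
            })
    return alerts


if __name__ == "__main__":
    for a in amplification_report(SAMPLE_FLOWS):
        print(f'{a["target"]}: {a["reflectors"]} reflectors ({", ".join(a["services"])}), '
              f'max ratio {a["max_ratio"]}x, {a["bytes_delivered"]:,} bytes delivered')
```

The same pairing works for NTP, SSDP and the other reflectors in the table. Note what the observer position implies: only a network that carries the spoofed queries can compute the ratio, and only the network where the spoofed packets originate can stop them, which is why source-address validation (ingress filtering) at the edge remains the root fix for the whole class.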

(TLP: CLEAR) Vercara: Vercara’s DDoS Protection, UltraDDoS Protect, provides proven and consistent DDoS protection for any of your assets whether they reside in the cloud, multi-cloud, data center, or hybrid. With always-on DDoS protection, you can stop a DDoS attack instantly, and more complex DDoS attacks can be mitigated within seconds. 

Source: https://therecord.media/german-police-arrest-two-ddos-for-hire-platform 

Source: https://thehackernews.com/2024/11/german-police-disrupt-ddos-for-hire.html  

DocuSign’s Envelopes API abused to send realistic fake invoices. 

(TLP: CLEAR) The following reporting sheds light on a refined technique threat actors have recently adopted that leverages DocuSign’s API and legitimate account features. Shifting from traditional phishing that relies on deceptive emails and suspicious links, this approach uses genuine DocuSign accounts and templates, so the fraudulent invoices appear authentic and evade email security filters. To facilitate such attacks, threat actors purchase paid DocuSign accounts, gaining access to the platform’s customization tools and API capabilities. With these resources, they craft templates that closely mimic authentic e-signature requests from well-known brands, particularly in the software industry. The fraudulent invoices are highly convincing, often including accurate product pricing and additional fees, such as a $50 activation charge. Some even contain direct wire instructions or purchase orders, adding further legitimacy. Once the victim signs the document, attackers use the signed invoice as proof of authorization: they either route it back through DocuSign to the organization’s finance department or initiate follow-up contact outside of DocuSign, exploiting the credibility of the signed document to substantiate their payment requests. This tactic significantly boosts the scam’s apparent legitimacy and increases the likelihood of a successful fund transfer. Reports of these fraudulent invoices have surged in recent months, with DocuSign users raising alarms across various security community forums. 

(TLP: CLEAR) Comments: In order to launch the aforementioned DocuSign scams on a broad scale, threat actors exploit DocuSign’s API-friendly environment, particularly the Envelopes: Create API, to automate the distribution of high volumes of fake invoices with minimal manual input. This API enables the streamlined creation and dispatch of customized invoices, allowing attackers to operate at scale. With access to DocuSign’s templates, they meticulously tailor each invoice to mimic the branding of targeted companies, incorporating unauthorized logos and trademarks from recognizable brands such as Norton. 

(TLP: CLEAR) Recommended best practices/regulations: OWASP API Security Top 10 (2023), API9:2023 “Improper Inventory Management”:   

  • Inventory all API hosts and document important aspects of each one of them, focusing on the API environment (e.g. production, staging, test, development), who should have network access to the host (e.g. public, internal, partners) and the API version.  
  • Inventory integrated services and document important aspects such as their role in the system, what data is exchanged (data flow), and their sensitivity.  
  • Document all aspects of your API such as authentication, errors, redirects, rate limiting, cross-origin resource sharing (CORS) policy, and endpoints, including their parameters, requests, and responses.  
  • Generate documentation automatically by adopting open standards. Include the documentation build in your CI/CD pipeline.  
  • Make API documentation available only to those authorized to use the API.  
  • Use external protection measures such as API security specific solutions for all exposed versions of your APIs, not just for the current production version.  
  • Avoid using production data with non-production API deployments. If this is unavoidable, these endpoints should get the same security treatment as the production ones.  
  • When newer versions of APIs include security improvements, perform a risk analysis to inform the mitigation actions required for the older versions. For example, whether it is possible to backport the improvements without breaking API compatibility or if you need to take the older version out quickly and force all clients to move to the latest version.” 

(TLP: CLEAR) Vercara: Vercara’s API Security solution, UltraAPI Comply, surfaces the security risk that your APIs contain, ensuring you know which APIs pose the greatest risk to your organization. API Sentinel’s Compliance module ensures that your APIs are compliant, conform to security and governance best practices, and produce an accurate runtime API inventory. API Sentinel’s Testing module finds and addresses API coding errors and tests for vulnerabilities before they go into production. 

Source: https://lab.wallarm.com/attackers-abuse-docusign-api-to-send-authentic-looking-invoices-at-scale/ 

Source: https://www.bleepingcomputer.com/news/security/docusigns-envelopes-api-abused-to-send-realistic-fake-invoices/  

Malicious PyPI package ‘Fabrice’ found stealing AWS keys from developers. 

(TLP: CLEAR) Cybersecurity researchers have uncovered a highly evasive malicious package on the Python Package Index (PyPI) that, for over three years, accumulated thousands of downloads while covertly siphoning AWS credentials from developers. Since its initial upload in March 2021, “fabrice” has harvested AWS credentials from unsuspecting developers by trading on its resemblance to “fabric,” a library with over 202 million downloads known for remote command execution over SSH. According to recent reporting, “fabrice” has been downloaded more than 37,100 times. On Windows operating systems, “fabrice” employs two payloads. The first is a Visual Basic Script (VBScript) that acts as a launcher for a hidden Python script (“d.py”) stored in the Downloads folder; this setup lets the attackers control the system remotely and deploy further payloads. The second is a malicious Python script that downloads a fake executable from the same server, saves it in the Downloads folder and, for persistence, schedules it to run every 15 minutes. The script then deletes the original “d.py” file to conceal its presence, keeping the malicious processes active and undetected on the infected system. On Linux systems, the package uses a dedicated function to retrieve, decode, and execute four distinct shell scripts from a remote command-and-control server, giving the attacker remote command execution and sustained access to the compromised host. 

This long-running operation demonstrates a sophisticated approach to supply chain compromise, exploiting developer trust in widely-used open-source repositories to facilitate undetected credential exfiltration. 

(TLP: CLEAR) Comments: The main goal of “fabrice,” across all operating systems, is credential harvesting, with a particular focus on exfiltrating AWS access and secret keys. By leveraging the Boto3 AWS SDK, the package systematically harvests these credentials and transmits them to the attacker’s command-and-control server. With these keys, attackers gain unauthorized access to the victim’s cloud resources, opening pathways to sensitive data exposure, unauthorized control over virtual infrastructure, and further malicious actions within the compromised cloud environment. 
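
The package survived for three years because “fabrice” looks like “fabric” to a developer typing from memory. The check below, an added Python example and not code from the researchers, from PyPI or from this report, flags names in a requirements file that are within a couple of edits of a well-known package without being that package. The popular-package list and the requirements content are constructed for the example, and the two-edit threshold is an assumption. A transposition (“reqeusts”) counts as one edit, so it is caught as readily as the extra letter in “fabrice”.

```python
import re

# Constructed stand-in for a list of widely used PyPI names; in practice use
# the top-N packages by download count.
POPULAR = ["fabric", "requests", "boto3", "numpy", "pandas", "flask",
           "django", "paramiko", "urllib3", "cryptography"]

# Constructed requirements.txt content for the example.
SAMPLE_REQUIREMENTS = """\
# web stack
requests==2.32.3
Fabrice            # one letter off from 'fabric'
boto3>=1.34
numpy==2.1.2
reqeusts           # transposed letters
-r other.txt
"""


def normalize(name):
    """PEP 503 normalisation so 'Fabric', 'fabric' and 'FABRIC' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment (restricted Damerau-Levenshtein) distance:
    insertions, deletions, substitutions and adjacent transpositions cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def parse_requirements(text):
    """Yield bare project names from requirements.txt lines, ignoring comments,
    options such as -r/-e, and version specifiers."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            yield m.group(0)


def find_typosquats(text, popular=POPULAR, max_distance=2):
    """Return requested names that are within max_distance edits of a popular
    package without being that package, in requirements order."""
    known = {normalize(p): p for p in popular}
    findings = []
    for name in parse_requirements(text):
        n = normalize(name)
        if n in known:
            continue  # exact (normalised) match: this is the real package
        best = min(known, key=lambda k: osa_distance(n, k))
        dist = osa_distance(n, best)
        if dist <= max_distance:
            findings.append({"requested": name, "looks_like": known[best], "distance": dist})
    return findings


if __name__ == "__main__":
    for f in find_typosquats(SAMPLE_REQUIREMENTS):
        print(f'{f["requested"]!r} is {f["distance"]} edit(s) from '
              f'{f["looks_like"]!r}: verify on PyPI before installing')
```

Run it over every requirements and lock file in CI. A hit is a prompt to open the project page and check the author and history, not an automatic block, since legitimate forks and plugins also sit one edit from their parent name. Pinning with hashes (`pip install --require-hashes`) then guards against the package changing underneath you once it has been vetted.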

(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION   

Control:   

  • Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.   
  • Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.   
  • Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection. 
  • Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. 

NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real-time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections. 

Source: https://thehackernews.com/2024/11/malicious-pypi-package-fabrice-found.html 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
