Mozi Botnet Reborn: Androxgh0st Actively Hunts Servers and IoT

Man

Elusive cyberattacks bypass even the most advanced security systems.

At the beginning of 2024, CloudSEK specialists discovered the revival of the legendary Mozi botnet, which now operates under a new name — Androxgh0st. This botnet actively exploits vulnerabilities in web servers and IoT devices, such as Cisco ASA, Atlassian JIRA, and PHP platforms, to penetrate critical infrastructures.

According to CloudSEK, since January 2024, Androxgh0st has begun to employ malicious tactics previously inherent in Mozi. As a result, the botnet was able to not only attack web servers, but also scale its operations by targeting Internet of Things (IoT) devices.

Androxgh0st uses sophisticated techniques to remotely execute code and steal credentials, allowing access to infected systems for a long time. Experts note the active use of vulnerabilities previously described in CISA bulletins, including the CVE-2023-1389 (CVSS: 8.8) vulnerability in TP-Link routers and CVE-2024-36401 (CVSS: 9.8) in the GeoServer system.

In addition, the botnet exploits vulnerabilities such as data leakage through the Laravel framework and remote command execution on Apache servers. These attacks allow attackers to access sensitive data and install malicious files to take control of systems.

Earlier, in 2021, Chinese authorities detained the creators of Mozi, which allegedly led to the blocking of its command and control servers. However, despite this, the remaining pieces of infrastructure were integrated into Androxgh0st, giving the new botnet the ability to use Mozi's resources to expand the reach of its attacks.

Of particular concern is that Androxgh0st successfully bypasses many security mechanisms and uses brute-force attacks to access administrative dashboards on sites running on WordPress. This allows attackers to install malicious files and organize further attacks on servers.

CloudSEK experts strongly recommend that organizations immediately install patches to close the above vulnerabilities, as well as regularly scan their systems for signs of compromise. Basic protection measures include monitoring network traffic, checking web server logs, and using incident detection and response tools.
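As an added illustration of the log-checking recommendation above (this is example code written for this post, not CloudSEK's or anyone else's tooling), the script below runs simple detection logic over a few constructed Apache/Nginx combined-format log lines: it flags source IPs that repeatedly POST to the WordPress login page, matching the brute-force behaviour described, and IPs that probe for Laravel `.env` files, which is assumed here to be the Laravel data-leakage vector the article refers to.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format (Apache/Nginx default):
# ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): one IP hammering the WordPress
# login, one IP probing for an exposed Laravel .env file, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [10/Jan/2024:10:05:00 +0000] "GET /.env HTTP/1.1" 200 512
198.51.100.9 - - [10/Jan/2024:10:05:01 +0000] "GET /laravel/.env HTTP/1.1" 404 162
192.0.2.44 - - [10/Jan/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 4096
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(log_text, login_threshold=3):
    """Return {'bruteforce': {ip: post_count}, 'env_probe': {ip: [paths]}}.

    bruteforce: IPs with >= login_threshold POSTs to wp-login.php.
    env_probe:  IPs requesting any path ending in /.env (hypothetical threshold).
    """
    login_posts = Counter()
    env_probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1
        if path.endswith("/.env"):
            env_probes[rec["ip"]].append(path)
    return {
        "bruteforce": {ip: n for ip, n in login_posts.items() if n >= login_threshold},
        "env_probe": dict(env_probes),
    }

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))
```

A `200` on a `/.env` request (as in the sample) means the file was actually served and the application secrets in it should be treated as compromised; a `404` only records a probe.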
