Androxgh0st Botnet Targets IoT Devices, Exploiting 27 Vulnerabilities

Threat actors: Androxgh0st botnet, now carrying Mozi botnet payloads; possible links to Chinese CTF communities

Campaign overview:
– Exploits 27 vulnerabilities across web servers, IoT devices and widely deployed enterprise software
– Incorporates Mozi payloads, which signals operational coordination between the two botnets

Target regions (victims):
– Global targets
– Chinese-specific technologies and software

Methodology:
– Exploits known vulnerabilities for remote code execution (RCE) and unauthorized access
– Brute-force attacks, credential stuffing and abuse of default or weak passwords

Products targeted: Cisco ASA, Atlassian Jira, TP-Link routers, Netgear devices, GPON routers, Sophos Firewall, Oracle E-Business Suite (EBS), Spring Cloud Gateway, PHP frameworks

Malware reference:
– Mozi payloads
– Persistent backdoors

Tools used: credential-stuffing tools, file appenders, code-injection techniques

Vulnerabilities exploited (those named in the article):
– Cisco ASA WebVPN cross-site scripting (CVE-2014-2120)
– Atlassian Jira path traversal (CVE-2021-26086)
– Metabase GeoJSON local file inclusion (CVE-2021-41277)
– PHP CGI argument injection (CVE-2024-4577)
– Sophos Firewall authentication bypass
– Oracle EBS remote code execution

TTPs (MITRE ATT&CK):
– Initial Access: exploitation of known vulnerabilities in public-facing applications (T1190)
– Persistence: code injection and appending to existing files
– Credential Access: brute force and credential stuffing (T1110)
– Command and Control: infrastructure shared with the Mozi botnet

Attribution: possible links to Chinese CTF communities (e.g., Kanxue events)

Recommendations:
– Patch the listed products immediately, prioritizing internet-facing systems
– Strengthen password policies and replace default credentials
– Monitor for unauthorized access and persistent backdoors
– Use automated detection and mitigation systems

Source: Hackread
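The summary recommends monitoring for unauthorized access but gives no concrete check. The script below is an added example, not code from Hackread, CloudSEK or the botnet's operators: it scans web-server access logs for (a) request paths that look like probes for the CVEs listed above plus the Laravel .env harvesting Androxgh0st is known for, and (b) brute-force/credential-stuffing activity (repeated failed POSTs to a login endpoint followed by a success from the same source). The signature regexes are assumptions derived from the public advisories for those CVEs, the `/login` endpoint and the threshold of five failures are assumptions, and the log lines are constructed, not real traffic.

```python
"""Access-log scan for the exploitation and credential-abuse patterns in the summary.
Added example; signatures, endpoint names and sample log lines are assumptions."""
import re
from collections import defaultdict

# Common/combined log format: ip ident user [time] "METHOD PATH PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Coarse request-path signatures (assumed from public advisories). A hit is a probe
# attempt worth investigating, not proof that exploitation succeeded.
PROBE_SIGNATURES = {
    # soft hyphen (%AD) in the query string is read by php-cgi as "-d <ini option>"
    "CVE-2024-4577 PHP-CGI argument injection": re.compile(r"%add", re.I),
    # "/s/<anything>/_/WEB-INF/..." traverses into the Jira webapp directory
    "CVE-2021-26086 Jira path traversal": re.compile(r"/s/[^/]+/_/WEB-INF/"),
    # custom GeoJSON map URL pointing at a local file
    "CVE-2021-41277 Metabase GeoJSON LFI": re.compile(r"/api/geojson\?.*url=file:", re.I),
    # Androxgh0st's trademark: pull credentials from an exposed Laravel .env file
    "Exposed .env probe": re.compile(r"/\.env(?:$|[?/])"),
}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_exploit_probes(lines):
    """Return (source ip, signature name, path) for every request matching a signature."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in PROBE_SIGNATURES.items():
            if rx.search(rec["path"]):
                hits.append((rec["ip"], name, rec["path"]))
    return hits


def find_bruteforce(lines, login_path="/login", threshold=5):
    """Count failed logins per source IP; report IPs at or over threshold and whether
    a login from that IP later succeeded (the signal that the password was guessed)."""
    state = defaultdict(lambda: {"failures": 0, "success": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].startswith(login_path):
            continue
        entry = state[rec["ip"]]
        if rec["status"] in ("401", "403"):
            entry["failures"] += 1
        elif rec["status"] == "200" and entry["failures"] >= threshold:
            entry["success"] = True
    return {ip: s for ip, s in state.items() if s["failures"] >= threshold}


# Constructed sample traffic (RFC 5737 documentation addresses), not captured data.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Dec/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Dec/2024:10:00:02 +0000] "POST /cgi-bin/php-cgi?%ADd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Dec/2024:10:00:03 +0000] "GET /s/x/_/WEB-INF/web.xml HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '198.51.100.9 - - [18/Dec/2024:10:00:04 +0000] "GET /api/geojson?url=file:///etc/passwd HTTP/1.1" 200 990 "-" "python-requests/2.31"',
    '192.0.2.5 - - [18/Dec/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [18/Dec/2024:10:00:06 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.22 - - [18/Dec/2024:10:01:{i:02d} +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"'
    for i in range(6)
] + [
    '198.51.100.22 - - [18/Dec/2024:10:01:30 +0000] "POST /login HTTP/1.1" 200 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, name, path in scan_exploit_probes(SAMPLE_LOG):
        print(f"PROBE  {ip:15} {name}: {path}")
    for ip, s in find_bruteforce(SAMPLE_LOG).items():
        print(f"BRUTE  {ip:15} {s['failures']} failed logins, later success={s['success']}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file's lines. The signatures are deliberately loose (for example `%add` will also fire on unrelated percent-encoded strings), so treat a hit as a triage lead and confirm against the response size and the server's own error logs; the single failed login from 192.0.2.5 stays below the threshold and is not reported, while 198.51.100.22 is reported because its six failures were followed by a success.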

Read full article: https://hackread.com/androxgh0st-botnet-iot-devices-exploit-vulnerabilities/

The above summary has been generated by an AI language model

Published on: December 18, 2024