Malware Activity
Androxgh0st Botnet Becomes the Most Prevalent Malware
The Register reports that Androxgh0st, a new hybrid botnet, has taken the lead as the most prevalent malware globally, impacting around 5% of organizations worldwide in the month of November. Researchers suspect with low confidence that the botnet is operated by Chinese threat actors, based on its targeting of a hospital in Hong Kong last year and its focus on compromising technology primarily used in China. Androxgh0st is a hybrid botnet in that it targets both web servers and IoT devices, commonly exploiting known vulnerabilities to compromise devices that are then recruited into the botnet for follow-on attacks including denial of service, surveillance, and data theft. The botnet’s prevalence increased following the exit of the well-known “Mozi” botnet last year. Researchers believe that Androxgh0st will likely double its infections in 2025. Androxgh0st targets vulnerabilities in multiple technologies including Cisco ASA, Atlassian JIRA, Sophos Firewalls, PHP frameworks, and IoT devices. The malware is capable of stealing sensitive information, including credentials and AWS keys, using Laravel files to collect the information. The botnet is notable for its reach and its ability to infect a range of targets including Mac, Linux, Windows, and IoT devices. CTIX analysts recommend that organizations stay on top of patching known vulnerabilities, as this is Androxgh0st’s main route of infection. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Threat Actor Activity
Operation Destabilise: Russian Ransomware Laundering Networks Disrupted by The UK's National Crime Agency
Operation Destabilise, led by the UK’s National Crime Agency (NCA), was a groundbreaking international investigation that dismantled two (2) Russian-speaking criminal networks, Smart and TGR, which laundered billions of dollars through sophisticated cash-for-crypto schemes. Triggered by blockchain analysis of ransomware payments linked to groups like Ryuk, Conti, and Trickbot, the investigation uncovered a vast financial web connecting street-level drug dealing, global money laundering, and high-level criminal activities. These networks facilitated ransomware attacks, drug trafficking, and Russian espionage, moving funds across thirty (30) countries and evading sanctions. Authorities arrested eighty-four (84) individuals, seized over £20 million in cash and cryptocurrency, and imposed U.S. sanctions on key operatives. The operation revealed the critical role of cryptocurrency in modern organized crime, enabling rapid cross-border transactions to fund activities like South American drug cartels and espionage operations. By leveraging blockchain tracing and pooling multidisciplinary intelligence, the NCA disrupted these networks, exposing unprecedented interconnections between cybercrime, organized crime, and state-sponsored activities, and set a new standard for tackling global criminal enterprises.
Vulnerabilities
Palo Alto Vulnerability Actively Exploited to Cause DoS in PAN-OS Firewalls
Palo Alto Networks has disclosed a high-severity vulnerability in its PAN-OS software that allows unauthenticated attackers to abuse the DNS Security feature and trigger denial-of-service (DoS) conditions on affected devices. The vulnerability, tracked as CVE-2024-3393 with a CVSS score of 8.7, is exploited by sending malicious DNS packets, causing the firewall to reboot; after repeated attacks the device can enter maintenance mode, requiring manual intervention. This issue impacts PAN-OS versions 10.X and 11.X, as well as Prisma Access deployments running PAN-OS 10.2.8 or later but earlier than 11.2.3, where DNS Security logging is enabled. The company has confirmed active exploitation of the flaw in the wild, with customers experiencing outages when malicious DNS packets were blocked by their firewalls. While patches have been released for most affected versions, such as PAN-OS 10.1.14-h8, 10.2.10-h12, 11.1.5, and 11.2.3, PAN-OS 11.0 will not receive updates due to its end-of-life status. Mitigation steps include temporarily disabling DNS Security logging or adjusting Log Severity settings, with specific instructions provided for firewalls managed via Strata Cloud Manager (SCM) or Panorama. CTIX analysts stress the importance of applying immediate updates or workarounds to protect environments from this actively exploited vulnerability.
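The practical question a defender has after reading the above is which firewalls in inventory are still exposed. The following Python script is an added example written for this summary, not code from Palo Alto Networks or from the CTIX team: it parses PAN-OS version strings (including the `-hN` hotfix suffix), compares each against the fixed release this page names for that branch, and factors in whether DNS Security logging is enabled, since the page states the issue only applies when it is. The fixed-release table is built only from the versions named above and is therefore not exhaustive; the inventory data is constructed for the demonstration, and the ordering rule that `10.2.10` sorts before `10.2.10-h12` is an assumption about PAN-OS hotfix numbering.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases per PAN-OS branch, taken from the versions this summary names.
# Assumption: any release at or above the listed one is fixed for that branch.
# Not exhaustive: branches not listed here should be checked against the vendor advisory.
FIXED_RELEASES = {
    (10, 1): "10.1.14-h8",
    (10, 2): "10.2.10-h12",
    (11, 1): "11.1.5",
    (11, 2): "11.2.3",
}

# Branch the summary says is end-of-life and will not receive a fix.
EOL_BRANCHES = {(11, 0)}

# major.minor.patch with an optional "-h<n>" hotfix suffix (assumed format).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.1.14-h8' into (10, 1, 14, 8); a missing hotfix counts as 0.

    Tuples compare lexicographically, so a base release sorts before its hotfixes.
    """
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def assess(version: str, dns_security_logging: bool = True) -> str:
    """Classify one firewall for CVE-2024-3393 exposure.

    Returns one of:
      fixed                 - running at or above the fixed release for its branch
      vulnerable            - below the fixed release with DNS Security logging on
      vulnerable-mitigated  - below the fixed release, but the logging workaround is applied
      vulnerable-no-fix     - on the end-of-life 11.0 branch; only the workaround is available
      unknown-branch        - branch not covered by the table above; consult the advisory
    """
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in EOL_BRANCHES:
        return "vulnerable-no-fix"
    if branch not in FIXED_RELEASES:
        return "unknown-branch"
    if parsed >= parse_version(FIXED_RELEASES[branch]):
        return "fixed"
    if not dns_security_logging:
        return "vulnerable-mitigated"
    return "vulnerable"


def triage_inventory(inventory: List[Tuple[str, str, bool]]) -> Dict[str, List[str]]:
    """Group hostnames by assessment result so the patch queue is obvious."""
    groups: Dict[str, List[str]] = {}
    for hostname, version, logging_enabled in inventory:
        groups.setdefault(assess(version, logging_enabled), []).append(hostname)
    return groups


# Constructed sample inventory: (hostname, PAN-OS version, DNS Security logging enabled).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "10.1.14-h8", True),
    ("fw-edge-02", "10.1.14", True),
    ("fw-dc-01", "10.2.10-h3", False),
    ("fw-dc-02", "10.2.11", True),
    ("fw-branch-01", "11.0.4", True),
    ("fw-branch-02", "11.1.4", True),
    ("fw-lab-01", "11.2.3", True),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status:22s} {', '.join(hosts)}")
```

Hosts that land in `vulnerable` should be patched first; `vulnerable-mitigated` hosts still need the update once their change window allows, since the logging workaround only removes the trigger condition rather than the flaw.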
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.