In 2022, the Lacework Labs team discovered a new, large-scale threat called AndroxGh0st, a Python malware being used to exploit AWS keys. Its discovery was a concern, but it was only last week that AndroxGh0st finally gained the widespread public attention it deserved, when the FBI and CISA issued a warning about the threat and key signs to watch out for. 

When Lacework Labs first encountered AndroxGh0st while researching our first AWS composite alert (research conducted in 2022, published a little over a year ago), they found that it was capable of scanning for and exploiting exposed credentials and APIs. AndroxGh0st targets specific files known as Laravel.env files, which are crucial because they contain access keys and credentials for major services like AWS and Microsoft Office 365. The abuse actions leveraging compromised keys require the third party to already have the keys with the required privileges to take the malicious actions.

The theft of these files poses a serious risk, as it enables hackers to gain unauthorized access and potentially disrupt services. More alarmingly, this malware has been used by hackers to build a botnet, which is a network of compromised computers, to then be used for additional credential theft and launching further cyberattacks.

The recent advisory from the FBI and CISA marks a turning point in the perception of AndroxGh0st, with it now recognized as a significant national cybersecurity threat because of its  potential widespread impact on both businesses and individual users. News platforms and experts are now intensively covering AndroxGh0st, offering detailed analysis of its operation, potential risks, and preventive measures.

Here’s a preview of what experts have been saying: