Lyonel Myrthil Named Special Agent in Charge of the New Orleans Field Office

Source: Federal Bureau of Investigation FBI Crime News (b)

Director Christopher Wray has named Lyonel Myrthil as the special agent in charge of the New Orleans Field Office. He most recently served as the chief of staff to the associate deputy director.

Mr. Myrthil joined the FBI as a special agent in 2008 and was assigned to work violent crime in the St. Louis Field Office. During this time, he also served as a member of the FBI SWAT Team, a certified FBI sniper, a firearms instructor, a defensive tactics instructor, and a tactical instructor. 

In 2012, Mr. Myrthil transferred to the New York Field Office, where he joined the Safe Streets Gang Task Force, investigating violent gangs and drug trafficking organizations. In 2015, he was promoted to supervisory special agent in the Counterterrorism Division, working international terrorism at FBI Headquarters in Washington, D.C.

In 2016, he was promoted to unit chief in the Counterterrorism Internet Operation Section. In 2018, Mr. Myrthil joined the Washington Field Office as the supervisor of the Joint Terrorism Taskforce. He also led the Extraterritorial Counterterrorism Squad, overseeing hostage-taking and terrorism enterprise investigations in Iraq, Syria, Lebanon, and Jordan.

In 2020, he was promoted to assistant special agent in charge of the Counterterrorism branch of the Washington Field Office. In this role, he led the Joint Terrorism Task Force, Domestic Terrorism, Weapons of Mass Destruction, Crisis Management/Response, and Airport Liaison Agent Program matters. 

In 2022, he was promoted to chief of staff to the associate deputy director, where he served as chief advisor in the administration of programs and operations within the FBI’s corporate business portfolio.

Before he joined the FBI, Mr. Myrthil worked as a senior tax accountant in Miami. He earned a bachelor’s degree and a master’s degree in business administration from Florida A&M University, as well as a master’s in leadership from Georgetown University.

David J. Scott Named Special Agent in Charge of Criminal/Cyber Division at the Washington Field Office

Source: Federal Bureau of Investigation FBI Crime News (b)

Director Christopher Wray has named David J. Scott as the special agent in charge of the Criminal/Cyber Division of the Washington Field Office. He most recently served as deputy assistant director for the Cyber Division.  
 
Mr. Scott entered on duty as a special agent with the FBI in 2003 and was assigned to the Louisville Field Office, where he worked on a variety of criminal matters and served as a member of the SWAT team.  
 
In 2006, Mr. Scott transferred to the Washington Field Office and investigated numerous violations, including organized crime, counterterrorism, public corruption, and white-collar crime. In 2012, he was promoted to supervisory special agent within the International Terrorism Operations Section. In 2014, he was promoted to unit chief, where he provided program management for all international terrorism investigations in the Northeastern United States.  
 
In 2016, Mr. Scott was promoted to supervisory special agent in the Washington Field Office overseeing the Joint Terrorism Task Force. In 2018, Mr. Scott was selected as assistant special agent in charge for the Washington Field Office Counterterrorism Division, where he was responsible for overseeing all international terrorism threats to the National Capital Region.  
 
In March 2020, he was promoted to the Senior Executive Service as the section chief for the Public Corruption and Civil Rights Section, where he oversaw the Public Corruption, International Corruption, Civil Rights, and International Human Rights programs. In 2021, he was named deputy assistant director of the Cyber Division at FBI Headquarters. In this latest role, he was responsible for the division’s operational branch and served as the director of the National Cyber Investigative Joint Task Force.  
 
Prior to joining the FBI, Mr. Scott was an Infantry Officer in the United States Army. He earned a bachelor’s in business administration from the University of Colorado at Boulder and a master’s in administration of justice from the University of Louisville.  

St. Paul Man Pleads Guilty to Producing Child Pornography in Cyberstalking and Child Exploitation Case

Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)

ST. PAUL, Minn. – A St. Paul man has pleaded guilty to producing a video depicting his sexual abuse of a minor, announced U.S. Attorney Andrew M. Luger.

According to the defendant’s guilty plea and court documents, beginning in July 2019 through February 2023, Chedor TV, 39, created multiple online personas on apps such as Discord and Snapchat in order to cyberstalk a minor victim. He used aliases such as “Chang Vang” and “Hailey Ly” to pose as a minor and communicate with the minor victim, sending her sexually explicit pictures. During this time, while the minor victim was unaware that TV was cyberstalking her using these online aliases, TV also secretly recorded the minor victim while she was naked in the shower at his residence. TV also recorded a sexually explicit video depicting the minor victim while she was asleep at his residence. When the minor victim tried to cease contact with TV’s online persona “Chang,” TV threatened to publicly share the explicit videos and images he had taken of the minor victim without her knowledge, causing her substantial emotional distress.

TV pleaded guilty yesterday in U.S. District Court before Judge Eric C. Tostrud to one count of production of child pornography. A sentencing hearing will be scheduled at a later time.

This case is the result of an investigation conducted by the FBI and St. Paul Police Department. It was brought as part of Project Safe Childhood, a nationwide initiative to combat the growing epidemic of child sexual exploitation and abuse launched in May 2006 by the Department of Justice. Led by U.S. Attorney’s Offices and the Child Exploitation and Obscenity Section (CEOS), Project Safe Childhood marshals federal, state, and local resources to better locate, apprehend and prosecute individuals who exploit children via the Internet, as well as to identify and rescue victims. For more information about Project Safe Childhood, please visit www.justice.gov/psc.

Assistant U.S. Attorney Hillary A. Taylor is prosecuting the case.

Big Lake Woman Pleads Guilty to Wire Fraud in $250 Million Feeding Our Future Fraud Scheme

Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)

MINNEAPOLIS – A Big Lake woman has pleaded guilty to her role in the $250 million fraud scheme that exploited a federally-funded child nutrition program during the COVID-19 pandemic, announced United States Attorney Andrew M. Luger. 

According to court documents, Sharon Denise Ross, 53, was the executive director of House of Refuge Twin Cities, a St. Paul-based non-profit which she enrolled in the Federal Child Nutrition Program under the sponsorship of Feeding Our Future and Sponsor A. Ross claimed that House of Refuge operated distribution sites at a dozen locations throughout the Twin Cities that served food supplied by a vendor called Brava Café, a restaurant in Minneapolis run by Hanna Marakegn. From September 2021 through February 2022, Ross falsely claimed to be serving thousands of children each day at her House of Refuge sites. In total, Ross fraudulently claimed to have served nearly 900,000 meals and received approximately $2.4 million in fraudulent Federal Child Nutrition Program funds. Ross distributed hundreds of thousands of dollars to family members and used the rest of the money to fund her lifestyle, including to pay for vacations to Florida and Las Vegas, to purchase a suite at a Minnesota Timberwolves game, and to purchase a house in Willernie, Minnesota.

Ross, who is the 17th defendant to plead guilty to charges relating to the Feeding Our Future fraud scheme, appeared today in U.S. District Court before Judge Nancy E. Brasel and pleaded guilty to one count of wire fraud. A sentencing hearing will be scheduled at a later time.

This case is the result of an investigation conducted by the FBI, IRS – Criminal Investigations, and the U.S. Postal Inspection Service.

Assistant U.S. Attorneys Joseph H. Thompson, Chelsea A. Walcker, Matthew S. Ebert, and Harry M. Jacobs are prosecuting the case.

Maple Grove Felon Indicted for $10 Million Investment Fraud Scheme

Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)

MINNEAPOLIS – A Maple Grove man has been indicted for defrauding investors and financial institutions out of more than $10 million, announced U.S. Attorney Andrew M. Luger.

According to court documents, Aditya Raj Sharma, 50, was the founder, CEO, and president of Crosscode Inc., a cloud-based software development company headquartered first in Maple Grove and later in Foster City, California. From Crosscode’s founding in 2015 through at least May 2019, Sharma was the primary operator of the company, its controlling shareholder and, at times, its only employee and shareholder.

According to court documents, from 2017 through at least 2019, Sharma knowingly and intentionally devised and executed a scheme to defraud investors, financial institutions, and lending and finance companies. Sharma manipulated and falsely inflated Crosscode’s financial records to induce private investors and financial entities to extend capital to his company in order to avoid or delay financial hardship for Crosscode, which was mired in debt with virtually no incoming revenue or cash-on-hand.

According to court documents, as part of his multi-year scheme, Sharma fraudulently applied for hundreds of thousands of dollars in funding from multiple lenders and finance companies. In total, Sharma induced at least one financial institution to provide him with a $950,000 line of credit, and further induced at least 150 investors, including Minnesotans, to provide approximately $9.25 million to Crosscode.

The indictment charges Sharma with four counts of wire fraud and two counts of bank fraud. Sharma made his initial appearance yesterday in U.S. District Court before Magistrate Judge Dulce J. Foster.

This case is the result of an investigation conducted by the FBI.

Assistant U.S. Attorney Matthew S. Ebert is prosecuting the case.

An indictment is merely an allegation and the defendant is presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

CSAF Leadership Library: January 2024

Source: United States Air Force

Do not follow where the path may lead. Go instead where there is no path and leave a trail. - Ralph Waldo Emerson

Airmen,

Amidst an ever-complex security landscape where our competitors are advancing at an alarming rate, our role goes beyond mere observation—we must lead. The Air Force is actively undertaking a transformative journey to address evolving security needs. Fueled by our unwavering commitment to Airmen to reach their full potential, it brings me great excitement to introduce my inaugural additions to the CSAF #23 Leadership Library. Centering on transformative leadership, teamwork, military innovation, and the advancement of technology, these sources are designed to inform and inspire.

In One Mission, Chris Fussell presents a dynamic guide that offers takeaways from real-world examples of successful organizational changes. By applying these battle-tested strategies, readers actively gain insights into revolutionizing large organizations, instilling adaptability, and the collaboration necessary to adapt to the service we must become to face the current and future security environment.

Yuen Khong’s Analogies at War provides an astute examination of how historical analogies influence political decision-making. Supported by insights from senior officials and declassified documents, Khong’s book not only unveils the cognitive processes shaping policy choices but also serves as a resource for challenging assumptions and avoiding cognitive traps in contemporary decision-making.

Unlock the secrets to excelling in a world of constant change with Brad Stulberg’s How to Excel When Everything Is Changing. Dive into the transformative “4 Ps” approach—Pause, Process, Plan, Proceed—shaping a mindset of thoughtful response over impulsive reaction. From embracing uncertainty to fostering mental resilience, Stulberg’s insights will guide those seeking adaptability and well-being.

Explore the urgent call for international cooperation on uncontrolled artificial intelligence (AI) in Kissinger and Allison’s thought-provoking article in Foreign Affairs—The Path to AI Arms Control: America and China Must Work Together to Avert Catastrophe. This read underscores the importance of swift action and collaboration to address the potential consequences of unregulated AI development.

This combination of diverse resources offers a multifaceted approach to service, leadership, and resilience. These themes emphasize the importance of informed decision-making, adaptability, and understanding of the environment in which we serve. My desire is that each and every one of you is always prepared to meet the challenges we will continue to face daily. These titles can be accessed and tracked through the E-Learning CSAF Library Journey, available via your web browsers and phone applications. These are extraordinary times, and I am committed to the success of the team.

Editor’s note: The CSAF Leadership Library is a fluid set of media selected by Gen. Allvin that evolves as novel ideas are published, recorded and debated. New entries will be added periodically throughout the year.

One Mission

In Team of Teams, retired four-star General Stanley McChrystal and former Navy SEAL Chris Fussell made the case for a new organizational model combining the agility, adaptability, and cohesion of a small team with the power and resources of a giant organization. Now, in One Mission, Fussell channels all his experiences, both military and corporate, into powerful strategies for unifying isolated and distrustful teams. This practical guide will help leaders in any field implement the Team of Teams approach to tear down their silos, improve collaboration, and avoid turf wars. By committing to one higher mission, organizations develop an overall capability that far exceeds the sum of their parts.

Analogies at War

From World War I to Operation Desert Storm, American policymakers have repeatedly invoked the “lessons of history” as they contemplated taking their nation to war. Do these historical analogies actually shape policy, or are they primarily tools of political justification? Yuen Foong Khong argues that leaders use analogies to justify policies and perform specific cognitive and information-processing tasks essential to political decision-making. Khong identifies what these tasks are and shows how they can be used to explain the U.S. decision to intervene in Vietnam. Relying on interviews with senior officials and on recently declassified documents, the author demonstrates with a precision not attained by previous studies that the three most important analogies of the Vietnam era – Korea, Munich, and Dien Bien Phu – can account for America’s Vietnam choices. A special contribution is the author’s use of cognitive and social psychology to support his argument about how humans analogize and to explain why policymakers often use analogies poorly.

Master of Change: How to Excel When Everything Is Changing

Brad Stulberg researches, writes, and coaches on mental health, well-being, and sustainable excellence. He is the bestselling author of The Practice of Groundedness and Master of Change. He regularly contributes to the New York Times, and his work has been featured in the Wall Street Journal and the Atlantic, among other outlets. He is on the faculty at the University of Michigan’s School of Public Health.

Foreign Affairs: The Path to AI Arms Control: America and China Must Work Together to Avert Catastrophe

This year marks the 78th anniversary of the end of the deadliest war in history and the beginning of the longest period in modern times without great-power war. Because World War I had been followed just two decades later by World War II, the specter of World War III, fought with weapons that had become so destructive they could theoretically threaten all of humankind, hung over the decades of the Cold War that followed. When the United States’ atomic destruction of Hiroshima and Nagasaki compelled Japan’s immediate unconditional surrender, no one thought it conceivable that the world would see.

CSAF Memo to Airmen: Leadership Library

Source: United States Air Force

Airmen,

I am excited to announce the launch of our new CSAF Leadership Library, a dynamic and diverse resource designed to expand your perspective as you tackle the challenges and opportunities ahead. This modern-day library marks an evolution in the DAF’s dedication to your professional growth and the strengthening of our Air Force culture.

My vision for this library is to serve as a platform to inform discussions by providing material that draws lessons from the past while addressing pressing emerging topics such as leadership, resiliency, technology, geopolitics, and national security. I am committed to ensuring that you are well-informed on DAF priorities and the strategies shaping the future of our Air Force, and I eagerly anticipate hearing your thoughts. The pursuit of knowledge is a lifelong journey; we are never truly done learning, as every experience and interaction offers an opportunity to expand our understanding of the world.

This library is not merely a collection of books, podcasts, and documentaries; it’s a vibrant platform for dialogue. I encourage discussions, debates, and the sharing of insights among Airmen of all ranks—fostering a culture of open communication and mutual learning. These resources are tailored to equip you with the knowledge, skills, and perspectives essential for effective leadership in the 21st century. Included, you will find a rich blend of both traditional and nontraditional recommendations, all designed to sharpen critical analytical skills and develop the leaders essential for meeting the challenges of the future.

I value your input in shaping our Leadership Library. Your opinions matter and are vital in defining what we value as an organization and what is essential for your leadership journey. I invite you to actively participate and share your thoughts. I will be introducing a series of initiatives to gather feedback and engagement from you. This process will be iterative, guided by your evolving needs and interests. Your active involvement will be pivotal in shaping a vibrant knowledge hub tailored to our service. Together, let’s make our CSAF Leadership Library a thriving center of learning and growth.


Thompson — Thompson RCMP seize guns from traffic stop, leads to search warrants

Source: Royal Canadian Mounted Police

On January 12, 2024, at approximately 5:25 pm, Thompson RCMP initiated a traffic stop on Oak Street in Thompson, Manitoba. The vehicle would not stop and proceeded slowly, but erratically. The officer activated the air horn and siren, and the vehicle eventually stopped on Dominion Bay.

When the officer approached the vehicle, he immediately recognized the male passenger as being wanted on an outstanding warrant. The officer arrested Jodi Alguire, 25, of Thompson. Other officers arrived on scene, and the female driver misidentified herself to police. When she was properly identified, Jolene Spence, 31, of Thompson was also found to have an outstanding warrant for arrest. She was taken into custody.

A search of Alguire located a restricted firearm – a handgun – in a satchel he was wearing around his shoulder. Police also found a loaded prohibited magazine and a large amount of Canadian currency.

A search of Spence also resulted in the seizure of a large amount of Canadian currency.

The vehicle was searched. A prohibited assault rifle with a round in the chamber was located, as were two sawed-off shotguns; several prohibited magazines, including a high-capacity magazine loaded with rounds that matched the handgun located on Alguire; a large amount of ammunition for all types of firearms; several machetes and throwing knives; numerous cell phones; and bear mace. Upon further investigation, it was determined the handgun located on Alguire’s person was stolen.

The continued investigation led officers to execute two search warrants on January 13, 2024, on two residences in Thompson – one on Oxford Bay and one on Dominion Bay, both of which are connected with Alguire. At the residence on Dominion Bay, three adults were inside the home and were arrested for Possession of Proceeds Obtained by Crime. The search yielded a large amount of Canadian currency, ammunition, cell phones, parts of firearms, and weapons.

The search on Oxford Bay resulted in the seizure of gang paraphernalia, cellphones, drug paraphernalia, and weapons.

Two of the adults arrested were released without charges as it was determined they were not involved in trafficking. A 56-year-old male was charged with Possession of Proceeds of Crime Over $5000, and was released with an appearance notice.

Alguire is charged with multiple firearms offences, Possession of Proceeds of Crime Over $5000, as well as Fail to Comply with Release Order. He is remanded in custody.

Spence is charged with Obstruct a Peace Officer by Giving False Name, Possession of Proceeds of Crime Over $5000, as well as firearms charges. She is remanded in custody.

In total, four firearms were seized and more than $100,000 in Canadian currency.

The investigation continues.

Known Indicators of Compromise Associated with Androxgh0st Malware

Source: US Department of Homeland Security

SUMMARY

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on Androxgh0st malware’s ability to establish a botnet that can further identify and compromise vulnerable networks.

The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

Androxgh0st malware has been observed establishing a botnet [T1583.005] for victim identification and exploitation in target networks. According to open source reporting[1], Androxgh0st is a Python-scripted malware [T1059.006] primarily used to target .env files that contain confidential information, such as credentials [T1552.001] for various high profile applications (i.e., Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework). Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning [T1046] and exploiting exposed credentials [T1078] and application programming interfaces (APIs) [T1114], and web shell deployment [T1505.003].

Targeting the PHPUnit

Androxgh0st malware TTPs commonly involve the use of scripts that conduct scanning [T1595] and search for websites with specific vulnerabilities. In particular, threat actors deploying Androxgh0st have been observed exploiting CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on vulnerable websites via PHPUnit [T1190]. Websites using the PHPUnit module that have internet-accessible (exposed) /vendor folders are subject to malicious HTTP POST requests to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php uniform resource identifier (URI). This PHP page runs PHP code submitted through a POST request, which allows the threat actors to remotely execute code.

Malicious actors likely use Androxgh0st to download malicious files [T1105] to the system hosting the website. Threat actors are further able to set up a fake (illegitimate) page accessible via the URI to provide backdoor access to the website. This allows threat actors to download additional malicious files for their operations and access databases.

Laravel Framework Targeting

Androxgh0st malware establishes a botnet to scan for websites using the Laravel web application framework. After identifying websites using the Laravel web application, threat actors attempt to determine if the domain’s root-level .env file is exposed and contains credentials for accessing additional services. Note: .env files commonly store credentials and tokens. Threat actors often target .env files to steal these credentials within the environment variables.

If the .env file is exposed, threat actors will issue a GET request to the /.env URI to attempt to access the data on the page. Alternatively, Androxgh0st may issue a POST request to the same URI with a POST variable named 0x[] containing certain data sent to the web server. This data is frequently used as an identifier for the threat actor. This method appears to be used for websites in debug mode (i.e., when non-production websites are exposed to the internet). A successful response from either of these methods allows the threat actors to look for usernames, passwords, and/or other credentials pertaining to services such as email (via SMTP) and AWS accounts.

Androxgh0st malware can also access the application key [TA0006] for the Laravel application on the website. If the threat actors successfully identify the Laravel application key, they will attempt exploitation by using the key to encrypt PHP code [T1027.010]. The encrypted code is then passed to the website as the value of the cross-site request forgery (XSRF) token cookie, XSRF-TOKEN, and included in a future GET request to the website. CVE-2018-15133 describes how, on affected Laravel applications, the XSRF token value is passed to an unserialize call, which can allow for remote code execution. Through this, the threat actors can upload files to the website via remote access.

Apache Web Server Targeting

In correlation with CVE-2021-41773, Androxgh0st actors have been observed scanning for vulnerable web servers [T1595.002] running Apache HTTP Server versions 2.4.49 or 2.4.50. Threat actors can identify uniform resource locators (URLs) for files outside the document root directory through a path traversal attack [T1083]. If these files are not protected by the “require all denied” configuration and Common Gateway Interface (CGI) scripts are enabled, this may allow for remote code execution.

If threat actors obtain credentials for any services using the above methods, they may use these credentials to access sensitive data or use these services to conduct additional malicious operations. For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies [T1136]. Additionally, Androxgh0st actors have been observed creating new AWS instances to use for conducting additional scanning activity [T1583.006].

INDICATORS OF COMPROMISE (IOCs)

Based on investigations and analysis, the following requests are associated with Androxgh0st activity:

  • Incoming GET and POST requests to the following URIs:
    • /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
    • /.env
  • Incoming POST requests with the following strings:
    • [0x%5B%5D=androxgh0st]
    • ImmutableMultiDict([('0x[]', 'androxgh0st')])

In both previously listed POST request strings, the name androxgh0st has been observed to be replaced with other monikers.
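A defender-side detector for the URIs and POST markers this IOC section lists, added here as an example and not part of the advisory: it parses combined-format access log lines (the trailing quoted request-body field assumes a custom log format that records POST bodies), decodes percent-encoding and trailing whitespace, and flags the listed URIs, their directory variants such as /docker/.env, and the 0x[] marker with whatever moniker it carries. The log lines are constructed.

```python
"""Detector for Androxgh0st-style probes in web-server access logs.
Added example, not code from the FBI/CISA advisory. Sample log lines are
constructed; the trailing quoted request-body field assumes a custom log
format that records POST bodies (plain combined format omits it)."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Request URIs the advisory associates with Androxgh0st (subset of its list).
EXACT_URIS = {
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/.env", "//.env",
    "/.aws/credentials", "/aws/credentials", "/.aws/config", "/.git/config",
    "/phpinfo.php", "/info.php", "/_profiler/phpinfo", "/debug/default/view?panel=config",
    "/live_env", "/.env.dist", "/.env.save", "/.env.old",
}
# The advisory notes the actor also probes directory variants (/docker/.env,
# /admin-app/.env%20, //api/vendor/phpunit/...); generalize to any prefix.
URI_PATTERNS = [
    re.compile(r"(^|/)\.env(\.[A-Za-z0-9_.-]+)?/?$"),                     # any .env* file
    re.compile(r"/phpunit/(phpunit/)?(src/)?Util/PHP/eval-stdin\.php$"),  # PHPUnit eval-stdin.php
    re.compile(r"/\.aws/(credentials|config)$"),                           # AWS credential files
]
# POST variable 0x[] (URL-encoded 0x%5B%5D) carrying the actor's moniker.
MARKER_PATTERN = re.compile(r"0x\[\]=([A-Za-z0-9_]+)")
# Combined log format plus an optional final quoted field holding the request body.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
    r'(?: "(?P<body>[^"]*)")?$'
)

@dataclass
class Finding:
    ip: str
    method: str
    uri: str
    status: str
    reason: str

def normalize_uri(uri):
    # Decode percent-encoding (%20, %5B%5D) and drop trailing whitespace the actor appends.
    return unquote(uri).rstrip()

def classify_uri(uri):
    """Return a reason string if the URI matches the advisory's IOCs, else None."""
    full = normalize_uri(uri)
    path = full.split("?", 1)[0]
    if full in EXACT_URIS or path in EXACT_URIS:
        return "known-androxgh0st-uri"
    for pattern in URI_PATTERNS:
        if pattern.search(path):
            return "androxgh0st-uri-variant"
    return None

def scan_line(line):
    """Parse one access-log line; return a Finding if it looks like Androxgh0st activity."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    reason = classify_uri(d["uri"])
    # The 0x[] marker may sit in the query string (GET) or in a logged POST body.
    for blob in (d["uri"], d.get("body") or ""):
        marker = MARKER_PATTERN.search(unquote(blob))
        if marker:
            reason = f"androxgh0st-marker:{marker.group(1)}"
            break
    if reason is None:
        return None
    return Finding(d["ip"], d["method"], d["uri"], d["status"], reason)

def scan_log(lines):
    return [f for f in (scan_line(line) for line in lines) if f is not None]

def successful_hits(findings):
    # A 2xx answer means the probed file was served: treat any credentials or
    # Laravel APP_KEY it held as exposed and rotate them.
    return [f for f in findings if f.status.startswith("2")]

# Constructed sample: one scanning host, then an ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Jan/2024:05:25:01 +0000] "GET /.env HTTP/1.1" 200 642 "-" "python-requests/2.28.1"',
    '203.0.113.10 - - [12/Jan/2024:05:25:02 +0000] "POST /.env HTTP/1.1" 200 12 "-" "python-requests/2.28.1" "0x%5B%5D=androxgh0st"',
    '203.0.113.10 - - [12/Jan/2024:05:25:03 +0000] "POST //api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.28.1"',
    '203.0.113.10 - - [12/Jan/2024:05:25:04 +0000] "GET /admin-app/.env%20 HTTP/1.1" 404 196 "-" "python-requests/2.28.1"',
    '203.0.113.10 - - [12/Jan/2024:05:25:05 +0000] "GET /.aws/credentials HTTP/1.1" 403 199 "-" "python-requests/2.28.1"',
    '198.51.100.7 - - [12/Jan/2024:05:26:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ip} {f.method} {f.uri} -> {f.status} [{f.reason}]")
    print(f"{len(successful_hits(scan_log(SAMPLE_LOG)))} probe(s) answered with 2xx; rotate exposed secrets")
```

A 2xx on /.env or /.aws/credentials is the finding that matters operationally: the file was served, so the secrets it held should be rotated regardless of whether the scanner is later blocked.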

Additional URIs observed by the FBI and a trusted third party used by these threat actors for credential exfiltration include:

Note: the actor may attempt multiple different potential URI endpoints scanning for the .env file, for example /docker/.env or /local/.env.
Targeted URIs for web-shell drop:
An example of attempted credential exfiltration through (honeypot) open proxies:

POST /.aws/credentials HTTP/1.1
host: www.example.com
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
accept-encoding: gzip, deflate
accept: */*
connection: keep-alive
content-length: 20
content-type: application/x-www-form-urlencoded

0x%5B%5D=androxgh0st

An example of attempted web-shell drop through (honeypot) open proxies:

GET http://www.example.com/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
host: www.example.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76
accept-encoding: gzip, deflate
accept: */*
connection: keep-alive
x-forwarded-for: 200.172.238.135
content-length: 279

Monikers used instead of Androxgh0st (0x%5B%5D=???):
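An added example, not part of the advisory, that turns the request indicators above into a small triage check for proxy or honeypot captures: it parses raw requests in the shape of the two samples shown, matches the eval-stdin.php, .env, AWS credential and phpinfo paths regardless of prefix, and flags the 0x[]= POST marker without depending on which moniker follows it. The rule names are my own and the sample requests are constructed, not real captures.

```python
import re
from typing import Dict, List

# Request-level indicators distilled from the URIs and POST strings this advisory lists.
# eval-stdin.php is matched anywhere in the path because the actors prepend many
# different prefixes (/lib/, //vendor/, /wp-content/plugins/.../) to the same file.
URI_RULES = {
    "phpunit-eval-stdin": re.compile(r"/Util/PHP/eval-?stdin\.php", re.I),
    "dotenv-probe": re.compile(r"(/\.env(\.[\w.]+)?|/live_env)(%20)?$", re.I),
    "aws-credentials": re.compile(r"/\.?aws/(credentials|config)$", re.I),
    "phpinfo-probe": re.compile(r"phpinfo|/_profiler/|/debug/default/view\?panel=config", re.I),
    "git-config": re.compile(r"/\.git(/config)?$", re.I),
}
# The moniker after "0x[]=" varies (androxgh0st, Ridho, Aws, ...), so only the
# parameter name is matched, in both its raw and URL-encoded spellings.
BODY_MARKER = re.compile(r"(^|&)0x(%5B%5D|\[\])=", re.I)


def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request, as captured by a proxy or honeypot, into its parts."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, target, _version = head.splitlines()[0].split(" ", 2)
    # Proxy-style absolute targets (GET http://host/path ...) are reduced to the path.
    target = re.sub(r"^https?://[^/]+", "", target)
    return {"method": method, "target": target, "body": body.strip()}


def match_indicators(raw: str) -> List[str]:
    """Return the names of the advisory indicators a request matches; [] means no hit."""
    req = parse_request(raw)
    hits = [name for name, rx in URI_RULES.items() if rx.search(req["target"])]
    if req["method"] == "POST" and BODY_MARKER.search(req["body"]):
        hits.append("androxgh0st-post-marker")
    return hits


# Constructed sample traffic modelled on the honeypot requests shown in the advisory;
# none of these lines are real captures.
SAMPLE_REQUESTS = {
    "cred-exfil": ("POST /.aws/credentials HTTP/1.1\nhost: www.example.com\n"
                   "content-type: application/x-www-form-urlencoded\ncontent-length: 14\n\n"
                   "0x%5B%5D=Ridho\n"),
    "webshell-drop": ("GET http://www.example.com/lib/vendor/phpunit/phpunit/src/Util/PHP/"
                      "eval-stdin.php HTTP/1.1\nhost: www.example.com\n\n"),
    "env-probe": "GET //docker/.env%20 HTTP/1.1\nhost: www.example.com\n\n",
    "benign": "GET /index.php?page=about HTTP/1.1\nhost: www.example.com\n\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(f"{label:14s} -> {match_indicators(raw) or 'no indicator matched'}")
```

The same rules can be applied to access-log request lines, with the caveat that standard access logs do not record POST bodies, so the 0x[]= marker is only visible in full request captures.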
Example malware drops through eval-stdin.php:


MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 1-10 for all referenced threat actor tactics and techniques in this advisory.

Table 1: Reconnaissance
Technique Title | ID | Use
Active Scanning: Vulnerability Scanning | T1595.002 | The threat actor scans websites for specific vulnerabilities to exploit.

Table 2: Resource Development
Technique Title | ID | Use
Acquire Infrastructure: Botnet | T1583.005 | The threat actor establishes a botnet to identify and exploit victims.
Acquire Infrastructure: Web Services | T1583.006 | The threat actor creates new AWS instances to use for scanning.

Table 3: Initial Access
Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | The threat actor exploits CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on websites via PHPUnit.

Table 4: Execution
Technique Title | ID | Use
Command and Scripting Interpreter: Python | T1059.006 | The threat actor uses Androxgh0st, a Python-scripted malware, to target victim files.

Table 5: Persistence
Technique Title | ID | Use
Valid Accounts | T1078 | The threat actor abuses the simple mail transfer protocol (SMTP) by exploiting exposed credentials.
Server Software Component: Web Shell | T1505.003 | The threat actor deploys web shells to maintain persistent access to systems.
Create Account | T1136 | The threat actor attempts to create new users and user policies with compromised AWS credentials from a vulnerable website.

Table 6: Defense Evasion
Technique Title | ID | Use
Obfuscated Files or Information: Command Obfuscation | T1027.010 | The threat actor can exploit a successfully identified Laravel application key to encrypt PHP code, which is then passed to the site as a value in the XSRF-TOKEN cookie.

Table 7: Credential Access
Technique Title | ID | Use
Credential Access | TA0006 | The threat actor can access the application key of the Laravel application on the site.
Unsecured Credentials: Credentials in Files | T1552.001 | The threat actor targets .env files that contain confidential credential information.

Table 8: Discovery
Technique Title | ID | Use
File and Directory Discovery | T1083 | The threat actor can identify URLs for files outside root directory through a path traversal attack.
Network Service Discovery | T1046 | The threat actor uses Androxgh0st to abuse simple mail transfer protocol (SMTP) via scanning.

Table 9: Collection
Technique Title | ID | Use
Email Collection | T1114 | The threat actor interacts with application programming interfaces (APIs) to gather information.

Table 10: Command and Control
Technique Title | ID | Use
Ingress Tool Transfer | T1105 | The threat actor runs PHP code through a POST request to download malicious files to the system hosting the website.

MITIGATIONS

The FBI and CISA recommend implementing the mitigations below to improve your organization’s cybersecurity posture based on Androxgh0st threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

These mitigations apply to all critical infrastructure organizations and network defenders. FBI and CISA recommend that software manufacturers incorporate secure by design principles and tactics into their software development practices, limiting the impact of actor techniques and strengthening their customers’ security posture. For more information on secure by design, see CISA’s Secure by Design webpage.

The FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by actors using Androxgh0st malware.

  • Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
  • Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it to be accessible.
  • Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from .env files and revoke them. All cloud providers have safer ways to provide temporary, frequently rotated credentials to code running inside a web server without storing them in any file.
  • On a one-time basis for previously stored cloud credentials, and on an ongoing basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the .env file for unauthorized access or use.
  • Scan the server’s file system for unrecognized PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
  • Review outgoing GET requests (via cURL command) to file hosting sites such as GitHub, pastebin, etc., particularly when the request accesses a .php file.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 1-10).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REPORTING

The FBI encourages organizations to report information concerning suspicious or criminal activity to their local FBI field office. With regards to specific information that appears in this CSA, indicators should always be evaluated in light of an organization’s complete security situation.

When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Reports can be submitted to the FBI Internet Crime Complaint Center (IC3), a local FBI Field Office, or to CISA via its Incident Reporting System or its 24/7 Operations Center at report@cisa.gov or (888) 282-0870.

RESOURCES


ACKNOWLEDGEMENTS

Amazon contributed to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.

VERSION HISTORY

January 16, 2024: Initial version.

Warman — Warman RCMP seeks public assistance locating missing 14-year-old boy

Source: Royal Canadian Mounted Police

On January 15, 2024, Warman RCMP received a report of a missing 14-year-old boy, Jaxton Smith.

Jaxton was last seen on January 15 at approximately 1 a.m. on Haichert Street in Warman.

Since receiving the report, officers have been checking places Jaxton is known to visit and following up on information received. They are now asking members of the public to report all information on his whereabouts.

Jaxton is described as approximately 5’4″ and 120 lb. He has blue eyes and short blond hair. He has a small scar between his eyes. He was last seen wearing a black sweater, cargo pants and a black toque.

Please note his hair has grown out slightly since this photo was taken.

If you’ve seen Jaxton or know where he is, contact Warman RCMP at 306-975-1670. Information can also be submitted anonymously by contacting Saskatchewan Crime Stoppers at 1-800-222-TIPS (8477) or www.saskcrimestoppers.com.