AlienFox malware targets API keys and secrets for AWS, Google and Microsoft cloud services


March 30, 2023 | Ravie Lakshmanan | Cloud Security / Cyber Threat


A new "comprehensive toolset" called AlienFox is being distributed on Telegram as a way for threat actors to harvest API keys and secrets from popular cloud service providers.

In a report shared with The Hacker News, SentinelOne security researcher Alex Delamotte said, "The spread of AlienFox represents an unreported trend toward attacking more minimal cloud services."

The cybersecurity firm characterized the malware as highly modular and constantly evolving to accommodate new features and performance improvements.

AlienFox's primary use is to enumerate misconfigured hosts via scanning platforms such as LeakIX and SecurityTrails, and then leverage various scripts in the toolkit to extract credentials from publicly exposed configuration files on those servers.

Specifically, it looks for susceptible servers associated with popular web frameworks such as Laravel, Drupal, Joomla, Magento, OpenCart, PrestaShop, and WordPress.
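The exposure described above, an application configuration file (for Laravel, the `.env` file) served from the web root, is something a defender can audit for before a toolkit like AlienFox finds it. The following is an added example written for this page, not code from the AlienFox toolkit or from SentinelOne's report: it takes already-fetched HTTP responses (constructed inline here), decides whether a body is really a dotenv file rather than a 200-status HTML error page, and reports which credential-bearing variables are exposed with their values masked. The variable names in `SECRET_KEYS` are an assumption based on common Laravel and cloud SDK conventions, not a list taken from the malware.

```python
import re
from typing import Dict, List, Tuple

# Variable names that commonly carry cloud, mail or database credentials in
# Laravel-style .env files. Assumption for this example, not from AlienFox.
SECRET_KEYS = (
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_KEY", "AWS_SECRET",
    "MAIL_PASSWORD", "MAILGUN_SECRET", "SENDGRID_API_KEY",
    "TWILIO_SID", "TWILIO_AUTH_TOKEN", "DB_PASSWORD", "APP_KEY",
)

# KEY=value, optional "export " prefix, optional surrounding whitespace.
ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_env(text: str) -> Dict[str, str]:
    """Parse dotenv-style text into a dict, skipping comments and blank lines."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        # Strip one pair of matching surrounding quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def looks_like_env_file(status: int, body: str) -> bool:
    """A 200 whose body parses as dotenv and is not an HTML page.
    Many hosts answer every path with a 200 HTML error page; that must not count."""
    if status != 200:
        return False
    head = body.lstrip()[:64].lower()
    if head.startswith("<!doctype") or head.startswith("<html"):
        return False
    return len(parse_env(body)) >= 3


def mask(value: str) -> str:
    """Keep a short prefix so the report itself does not re-leak the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def find_exposed_secrets(body: str) -> List[Tuple[str, str]]:
    """Return (variable, masked value) for populated secret-bearing variables."""
    env = parse_env(body)
    return [(k, mask(v)) for k, v in env.items()
            if k in SECRET_KEYS and v and v.lower() != "null"]


def audit(responses: Dict[str, Tuple[int, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """responses maps a URL such as https://host/.env to (status, body)."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for url, (status, body) in responses.items():
        if looks_like_env_file(status, body):
            findings[url] = find_exposed_secrets(body)
    return findings


# Constructed sample responses (hostnames, keys and values are made up).
EXPOSED_ENV = (
    "APP_NAME=Shop\n"
    "APP_KEY=base64:abcd1234efgh\n"
    "DB_PASSWORD=s3cret\n"
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLE123456\n"
    "AWS_SECRET_ACCESS_KEY=\"wJalrExampleSecretKey\"\n"
    "MAIL_PASSWORD=null\n"
)
SAMPLE_RESPONSES = {
    "https://shop.example/.env": (200, EXPOSED_ENV),
    "https://blog.example/.env": (200, "<!DOCTYPE html><html><body>Not found</body></html>"),
    "https://api.example/.env": (403, ""),
}


def run_sample() -> Dict[str, List[Tuple[str, str]]]:
    return audit(SAMPLE_RESPONSES)


if __name__ == "__main__":
    for url, secrets in run_sample().items():
        print(url)
        for key, masked in secrets:
            print(f"  {key}={masked}")
```

In a real audit the `(status, body)` pairs would come from requesting `/.env` (and the equivalent config paths for the other frameworks listed above) against your own hosts; the `MAIL_PASSWORD=null` line shows why populated values are checked rather than just variable names.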

Recent versions of this tool have built-in capabilities to establish persistence and escalate privileges in Amazon Web Services (AWS) accounts, as well as automate spam campaigns through compromised accounts.


Attacks involving AlienFox are said to be opportunistic, with scripts capable of gathering sensitive data from AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Microsoft 365, SendGrid, Twilio, Zimbra, and Zoho.

Two such scripts are AndroxGh0st and GreenBot, previously documented by Lacework and Permiso p0 Labs.

While AndroxGh0st is designed to parse configuration files for specific variables and extract their values for subsequent abuse, GreenBot (aka Maintance) incorporates an AWS persistence script that creates new admin accounts and deletes the legitimate accounts that were compromised.


Maintance also incorporates a license check, suggesting that the script is sold as a commercial tool, as well as the ability to perform reconnaissance on web servers.
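The persistence behaviour attributed to GreenBot/Maintance above (a new admin account is created, then a legitimate account is deleted) is a sequence that shows up clearly in CloudTrail. The following is an added detection example written for this page, not code from the toolkit or from SentinelOne or Permiso's analyses. It groups IAM write events by the calling principal and raises an alert when, within a time window, one principal creates a user, attaches an admin-level managed policy to it, and deletes some other user; whether the new user also received an access key or console password is reported as extra context. The sample events are constructed (account ID, ARNs, user names and timestamps are made up), and the set of policies treated as privileged is an assumption you would extend for your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Managed policies treated as admin-level for this example (assumption).
PRIVILEGED_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}
WATCHED = {"CreateUser", "AttachUserPolicy", "CreateAccessKey",
           "CreateLoginProfile", "DeleteUser"}


def _when(event: Dict) -> datetime:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_persistence(events: Iterable[Dict],
                       window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Alert when one principal creates a user, makes it privileged, and deletes
    another user within `window` of the creation."""
    by_actor: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        if e["eventName"] in WATCHED:
            by_actor[e["userIdentity"]["arn"]].append(e)

    alerts: List[Dict] = []
    for actor, evs in by_actor.items():
        created: Dict[str, Dict] = {}   # new userName -> state
        for e in sorted(evs, key=_when):
            name = e.get("requestParameters", {}).get("userName")
            t = _when(e)
            if e["eventName"] == "CreateUser":
                created[name] = {"created_at": t, "privileged": False,
                                 "credentials": False, "deleted": []}
                continue
            # Only users created within the window before this event are "live".
            # The comprehension keeps references, so updates land in `created`.
            live = {n: s for n, s in created.items() if t - s["created_at"] <= window}
            if e["eventName"] == "AttachUserPolicy" and name in live:
                if e["requestParameters"].get("policyArn") in PRIVILEGED_POLICIES:
                    live[name]["privileged"] = True
            elif e["eventName"] in ("CreateAccessKey", "CreateLoginProfile") and name in live:
                live[name]["credentials"] = True
            elif e["eventName"] == "DeleteUser" and name not in created:
                # Deletion of a user this actor did not just create: the
                # "remove the legitimate account" half of the pattern.
                for s in live.values():
                    s["deleted"].append(name)
        for name, s in created.items():
            if s["privileged"] and s["deleted"]:
                alerts.append({"actor": actor, "new_user": name,
                               "credentials_issued": s["credentials"],
                               "deleted_users": s["deleted"],
                               "created_at": s["created_at"].isoformat()})
    return alerts


# Constructed CloudTrail-style records, reduced to the fields used above.
_ATTACKER = {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}
_ADMIN = {"arn": "arn:aws:iam::111122223333:user/admin-alice"}
SAMPLE_EVENTS = [
    {"eventTime": "2023-03-01T10:00:00Z", "eventName": "CreateUser", "userIdentity": _ATTACKER,
     "requestParameters": {"userName": "backup-admin"}},
    {"eventTime": "2023-03-01T10:00:05Z", "eventName": "AttachUserPolicy", "userIdentity": _ATTACKER,
     "requestParameters": {"userName": "backup-admin",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2023-03-01T10:00:09Z", "eventName": "CreateAccessKey", "userIdentity": _ATTACKER,
     "requestParameters": {"userName": "backup-admin"}},
    {"eventTime": "2023-03-01T10:02:00Z", "eventName": "DeleteUser", "userIdentity": _ATTACKER,
     "requestParameters": {"userName": "ops-legacy"}},
    # Benign: an admin creates a read-only user and deletes nobody.
    {"eventTime": "2023-03-01T09:00:00Z", "eventName": "CreateUser", "userIdentity": _ADMIN,
     "requestParameters": {"userName": "dev-bob"}},
    {"eventTime": "2023-03-01T09:00:10Z", "eventName": "AttachUserPolicy", "userIdentity": _ADMIN,
     "requestParameters": {"userName": "dev-bob",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

if __name__ == "__main__":
    for alert in detect_persistence(SAMPLE_EVENTS):
        print(alert)
```

Feed it the `Records` array of your CloudTrail log files (or an Athena/EventBridge export with the same field names); the one-hour window is a starting point, and the tail of the script shows that shrinking it to thirty seconds suppresses the alert in the sample because the deletion arrives two minutes after the creation.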

SentinelOne said it has identified three different variants of the malware (v2 through v4) dating back to February 2022. The latest variant can also check whether an email address is already associated with an Amazon retail account and, if not, create a new account using that address.

To mitigate the threat posed by AlienFox, organizations are encouraged to follow configuration management best practices (keeping framework configuration files such as .env out of the web root, for instance) and to apply the principle of least privilege (PoLP) to cloud credentials.

“The AlienFox toolset marks a new stage in the evolution of cybercrime in the cloud,” said Delamotte. “For victims, a breach can lead to additional service costs, loss of customer confidence, and remediation costs.”
