Legion Malware Upgraded to Target SSH Servers and AWS Credentials

May 24, 2023 | Ravi Lakshmanan | Server security/malware


An updated version of the commodity malware called Legion comes with extensions to compromise Amazon Web Services (AWS) credentials associated with SSH servers and DynamoDB and CloudWatch.

“This recent update demonstrates an increased reach with new capabilities such as the ability to compromise SSH servers and obtain additional AWS-specific credentials from Laravel web applications,” Cado Labs researcher Matt Muir said in a report shared with The Hacker News.

“It’s clear that developers are targeting cloud services more and more each time.”

Legion, a Python-based hacking tool, was first documented last month by a cloud security firm, detailing its ability to infiltrate vulnerable SMTP servers to harvest credentials.

It also exploited web servers running a content management system (CMS), leveraged Telegram as a data exfiltration point, and used stolen SMTP credentials to send spam SMS messages to lists of dynamically generated US mobile phone numbers.

A notable addition to Legion is the ability to compromise SSH servers using the Paramiko module. It also includes the ability to retrieve additional AWS-specific credentials related to DynamoDB, CloudWatch, and AWS Owl from Laravel web applications.


Another change is the inclusion of additional paths to check for the existence of .env files, such as /cron/.env, /lib/.env, /sitemaps/.env, /tools/.env, /uploads/.env, and /web/.env, among others.

“Web application misconfiguration is still the primary method Legion uses to obtain credentials,” said Muir.

“It is therefore recommended that web application developers and administrators periodically check access to resources within the application itself and look for alternatives to storing secrets in environment files.”
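As an added defender-side example (not code from the report or from Cado Labs), the following Python script scans web-server access-log lines for requests to .env paths like those listed above and reports, per client, how many such probes were made and whether any .env file was actually served with HTTP 200. The log lines, IP addresses and paths are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [24/May/2023:10:01:03 +0000] "GET /cron/.env HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [24/May/2023:10:01:03 +0000] "GET /uploads/.env HTTP/1.1" 200 812 "-" "python-requests/2.28"
198.51.100.4 - - [24/May/2023:10:05:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [24/May/2023:10:05:11 +0000] "GET /static/env.js HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

# Apache/nginx combined log format: client, identity, user, timestamp, request, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_env_probe(path):
    """True when the request targets a .env file at any directory depth (query string ignored)."""
    path = path.split("?", 1)[0]
    return path.endswith("/.env")


def find_env_probes(log_text):
    """Return {client_ip: {"probes": count, "exposed": [paths served with HTTP 200]}}."""
    hits = defaultdict(lambda: {"probes": 0, "exposed": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_env_probe(m["path"]):
            continue
        entry = hits[m["ip"]]
        entry["probes"] += 1
        # A 200 on a .env path means the secrets file was actually served: treat as an incident.
        if m["status"] == "200":
            entry["exposed"].append(m["path"])
    return dict(hits)


if __name__ == "__main__":
    for ip, info in find_env_probes(SAMPLE_LOG).items():
        print(f"{ip}: {info['probes']} .env probes, served: {info['exposed'] or 'none'}")
```

A non-empty "exposed" list is the signal to rotate the credentials in that file and block direct access to dotfiles in the web server configuration.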
