
A new “comprehensive toolset” called AlienFox is being distributed on Telegram as a way for threat actors to harvest API keys and secrets from popular cloud service providers.
In a report shared with The Hacker News, SentinelOne security researcher Alex Delamotte said, “AlienFox’s spread represents an unreported trend of attacking more minimal, limited cloud services.”
The cybersecurity firm characterized the malware as highly modular and constantly evolving to accommodate new features and performance improvements.
AlienFox’s primary use is to enumerate misconfigured hosts via scanning platforms such as LeakIX and SecurityTrails, and then leverage the various scripts in the toolkit to extract credentials from configuration files that those servers expose publicly.
Specifically, it looks for susceptible servers running popular web frameworks such as Laravel, Drupal, Joomla, Magento, OpenCart, PrestaShop, and WordPress.
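The exposure described above is easy to check for on your own hosts. The following is an added example, not code from AlienFox or from SentinelOne’s report: it probes the usual config-file locations for the frameworks named (the path list, the hostname shop.example and both sample file bodies are assumptions constructed for this example) and flags any response that parses as a dotenv or PHP config carrying real-looking credentials, which is exactly the class of file the toolkit’s scripts parse.

```python
"""Check your own web roots for the exposure AlienFox-style tooling hunts for:
framework config files (Laravel .env, wp-config.php, ...) served to anyone
who asks. Added example, not the toolkit's code. The path list, the hostname
shop.example and both sample file bodies are constructed for illustration."""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Candidate config locations for the frameworks the article names. Assumption:
# these are the usual places, not a list taken from AlienFox.
CONFIG_PATHS = {
    "laravel": ["/.env", "/.env.bak"],
    "wordpress": ["/wp-config.php", "/wp-config.php.bak"],
    "drupal": ["/sites/default/settings.php"],
    "joomla": ["/configuration.php"],
    "magento": ["/app/etc/env.php"],
    "opencart": ["/config.php"],
    "prestashop": ["/app/config/parameters.php"],
}

# KEY=value lines (dotenv) and define('KEY', 'value') lines (PHP configs).
# Horizontal whitespace only, so an empty value never swallows the next line.
DOTENV_RE = re.compile(r"^[ \t]*(?:export[ \t]+)?([A-Z][A-Z0-9_]*)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)
PHP_DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z0-9_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
# Variable names whose values are credentials rather than plain settings.
SENSITIVE_RE = re.compile(r"(KEY|SECRET|TOKEN|PASS|PASSWORD|SID|DSN)$|^(AWS|MAIL|SMTP|TWILIO|SENDGRID|MAILGUN)_")
PLACEHOLDERS = {"", "null", "changeme", "your_key_here"}


def extract_secrets(body):
    """Return {VAR: value} for credential-like variables with real-looking values.
    Empty values, nulls and ${VAR} references are skipped: an exposed file with
    no usable secret is still a finding, but a lower-severity one."""
    found = {}
    for key, value in DOTENV_RE.findall(body) + PHP_DEFINE_RE.findall(body):
        value = value.strip().strip("'\"")
        if not SENSITIVE_RE.search(key):
            continue
        if value.lower() in PLACEHOLDERS or value.startswith("${"):
            continue
        found[key] = value
    return found


def scan_host(base_url, frameworks, fetch):
    """Probe each candidate path via fetch(url) -> (status, body) and report
    responses that parse as a config file carrying secrets. Only variable
    names are reported; the values never leave this function."""
    findings = []
    for fw in frameworks:
        for path in CONFIG_PATHS[fw]:
            url = urljoin(base_url, path)
            status, body = fetch(url)
            if status == 200 and (secrets := extract_secrets(body)):
                findings.append({"framework": fw, "url": url, "keys": sorted(secrets)})
    return findings


def http_fetch(url, timeout=5):
    """Live fetcher for real use; reads at most 64 KiB and never raises."""
    req = urllib.request.Request(url, headers={"User-Agent": "config-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


# Constructed responses standing in for a live server, so the check runs offline.
SAMPLE_ENV = """APP_NAME=Shop
APP_ENV=production
# AWS_SECRET_ACCESS_KEY=commented-out-and-ignored
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
AWS_SECRET_ACCESS_KEY='examplesecret/examplesecret/example'
MAIL_PASSWORD=
TWILIO_AUTH_TOKEN=${TWILIO_AUTH_TOKEN}
SENDGRID_API_KEY=SG.example.example
"""
SAMPLE_WPCONFIG = """<?php
define( 'DB_NAME', 'wp' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'hunter2' );
"""


def fake_fetch(url):
    """Offline stand-in for http_fetch: two exposed files, everything else 404."""
    canned = {
        "https://shop.example/.env": (200, SAMPLE_ENV),
        "https://shop.example/wp-config.php": (200, SAMPLE_WPCONFIG),
    }
    return canned.get(url, (404, ""))


if __name__ == "__main__":
    for finding in scan_host("https://shop.example", ["laravel", "wordpress"], fake_fetch):
        print(finding)
```

To run it against real hosts, pass `http_fetch` instead of `fake_fetch`. The fetcher is injected so the check can be exercised offline and so a rate limit or allow-list can be wrapped around it; reporting only variable names keeps the scanner’s own output from becoming a second copy of the leak.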
Recent versions of this tool have built-in capabilities to establish persistence and escalate privileges in Amazon Web Services (AWS) accounts, as well as automate spam campaigns through compromised accounts.

Attacks involving AlienFox are said to be opportunistic, with scripts capable of gathering sensitive data from AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Microsoft 365, SendGrid, Twilio, Zimbra, and Zoho.
Two such scripts are AndroxGh0st and GreenBot, previously documented by Lacework and Permiso p0 Labs.
While AndroxGh0st is designed to parse configuration files for certain variables and extract their values for subsequent exploitation, GreenBot (aka Maintance) has the ability to create new admin accounts and hijack the environment: it contains an AWS persistence script that deletes the legitimate accounts that were compromised.
Maintance also incorporates a license check, suggesting that the script is sold as a commercial tool, and the ability to perform reconnaissance on web servers.
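The persistence behaviour described above (a stolen key is used to create a new IAM user, grant it administrator rights, and delete the legitimate user) leaves a recognisable trail in CloudTrail. The following detector is an added example, not SentinelOne’s or the toolkit’s code; the records it runs over are constructed, using the AWS documentation account ID 123456789012 and TEST-NET addresses, and the 30-minute window and user names are assumptions.

```python
"""Detect the AWS persistence pattern the article attributes to GreenBot/Maintance:
one principal creates an IAM user, makes it an administrator, then deletes the
legitimate user it came in through. Added example, not SentinelOne's or the
toolkit's code; the CloudTrail records below are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _record(time, name, actor, ip, **params):
    """Build a minimal CloudTrail record holding only the fields the detector reads."""
    return {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": actor}, "sourceIPAddress": ip,
            "requestParameters": params}


DEPLOY = "arn:aws:iam::123456789012:user/webapp-deploy"     # key leaked via an exposed .env
OPERATOR = "arn:aws:iam::123456789012:user/platform-admin"  # legitimate administrator

# Constructed sample: a takeover sequence from the stolen key, then benign onboarding.
SAMPLE_CLOUDTRAIL = "\n".join(json.dumps(r) for r in [
    _record("2023-03-01T10:00:00Z", "CreateUser", DEPLOY, "203.0.113.5", userName="backup-svc"),
    _record("2023-03-01T10:00:05Z", "CreateAccessKey", DEPLOY, "203.0.113.5", userName="backup-svc"),
    _record("2023-03-01T10:00:10Z", "AttachUserPolicy", DEPLOY, "203.0.113.5",
            userName="backup-svc", policyArn=ADMIN_POLICY_ARN),
    _record("2023-03-01T10:01:00Z", "DeleteUser", DEPLOY, "203.0.113.5", userName="ops-admin"),
    _record("2023-03-01T11:00:00Z", "CreateUser", OPERATOR, "198.51.100.7", userName="ci-runner"),
    _record("2023-03-01T11:00:30Z", "AttachUserPolicy", OPERATOR, "198.51.100.7",
            userName="ci-runner", policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
])


def load_events(lines):
    """Parse JSON-lines CloudTrail records into the fields the detector needs."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        r = json.loads(line)
        events.append({
            "time": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "name": r["eventName"],
            "actor": r.get("userIdentity", {}).get("arn", "unknown"),
            "ip": r.get("sourceIPAddress"),
            "params": r.get("requestParameters") or {},
        })
    return events


def detect_persistence(events, window=timedelta(minutes=30)):
    """For each actor, flag a CreateUser followed within `window` by the new user
    receiving AdministratorAccess (or an inline policy) plus either an access key
    for it or a DeleteUser of some *other* user by the same actor."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            if start["name"] != "CreateUser":
                continue
            new_user = start["params"].get("userName")
            span = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            made_admin = any(
                e["params"].get("userName") == new_user and (
                    (e["name"] == "AttachUserPolicy" and e["params"].get("policyArn") == ADMIN_POLICY_ARN)
                    or e["name"] == "PutUserPolicy")
                for e in span)
            got_key = any(e["name"] == "CreateAccessKey" and e["params"].get("userName") == new_user
                          for e in span)
            deleted = [e["params"].get("userName") for e in span
                       if e["name"] == "DeleteUser" and e["params"].get("userName") != new_user]
            if made_admin and (got_key or deleted):
                alerts.append({"actor": actor, "source_ip": start["ip"], "new_user": new_user,
                               "deleted_users": deleted, "first_seen": start["time"].isoformat(),
                               "severity": "high" if deleted else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_persistence(load_events(SAMPLE_CLOUDTRAIL.splitlines())):
        print(json.dumps(alert, indent=2))
```

The benign onboarding sequence from platform-admin is not flagged because the new user only receives ReadOnlyAccess. In a real deployment the same logic runs over CloudTrail delivered to S3 or a SIEM, and the `DeleteUser` of a different principal is the strongest signal: legitimate automation rarely creates an administrator and removes an existing user in the same session.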
SentinelOne said it has identified three different variants (v2 to v4) of this malware dating back to February 2022.
, to create a new account using that address.
To mitigate the threat posed by AlienFox, organizations are encouraged to follow configuration management best practices and follow the principle of least privilege (PoLP).
“The AlienFox toolset marks a new stage in the evolution of cybercrime in the cloud,” said Delamotte. “For victims, a breach can lead to additional service costs, loss of customer confidence, and remediation costs.”