Cloud Security , Fraud Management & Cybercrime , Malware as-a-Service
Evolving AlienFox Malware Steals Cloud Services CredentialsAttackers Use Toolkit to Harvest API Keys and Secrets From 18 Cloud Providers
Hackers have used a fast-evolving modular toolkit called "AlienFox" to compromise email and web hosting services at 18 companies.
See Also: Rapid Digitization and Risk: A Roundtable Preview
SentinelLabs researchers said the adaptable toolkit can easily be modified to meet attackers' needs. The latest iteration of the tool extracts sensitive information such as API keys and secrets from configuration files from service providers such as AWS, Google Workspace, Office365, OneSignal, Twilio, Zoho and more.
Distributed mainly by Telegram, the toolkit scripts are readily available in open-source repositories such as GitHub, leading to constant adaptation and variation in the wild.
Alex Delamotte, security researcher at SentinelOne, says threat actors use this toolset to collect lists of misconfigured hosts from security scanning platforms, including LeakIX and SecurityTrails.
These server misconfigurations are associated with popular web frameworks such as Laravel, Drupal, Joomla, Magento, OpenCart, PrestaShop and WordPress.
AlienFox scripts check for these services and require a list of targets generated by other scripts, such as grabip.py and grabsite.py.
"The target generation scripts use a combination of brute force for IPs and subnets, as well as web APIs for open-source intelligence platforms to provide details about potential targets," Delamotte said.
Once a vulnerable server is found, the threat actor gains access to files that store sensitive information, such as services enabled and the associated API keys and secrets.
Researchers have uncovered two versions of the tools, beginning with version 2 in February 2022.
Other researchers identified several scripts as belonging to the malware families Androxgh0st and GreenBot.
Version 2, among the oldest AlienFox toolsets, primarily focuses on extracting credentials from web server configuration or environment files. Researchers said they analyzed the archive that contained output from when an actor ran the tools, which included AWS access and secret keys.
The 3.x version of the AlienFox toolset contains the script Lar.py, which automates the extraction of keys and secrets from a compromised web application framework called Laravel. It also logs the results to a text file along with the targeted server details.
"Lar.py is coded in a more mature way than the AlienFox Version 2 scripts and their derivatives. Lar.py applies threading, Python classes with modular functions and initialization variables," the researchers said.