According to infosec researchers, a new toolset named AlienFox is being distributed via Telegram, the popular messaging app. The toolset lets threat actors harvest API keys, access tokens and other secrets for a range of cloud service providers from hosts that expose them.
The report released by the cybersecurity researchers at SentinelOne describes AlienFox as a modular toolkit that is continuously evolving with new features and performance improvements. Threat actors use AlienFox to identify and collect service credentials from exposed or misconfigured services. For a victim, the consequences range from inflated service bills and remediation costs to loss of customer trust.
The toolkit also opens the door to follow-on criminal campaigns, because the latest versions include scripts that automate malicious operations with the stolen credentials. One script establishes persistence in a compromised AWS account, so the attacker keeps access to the account even after the originally stolen credentials are revoked; the same script escalates privileges within the account, giving the attacker broader access and control.
Another script automates spam campaigns through the victim's own accounts and services, damaging the victim's reputation and adding further financial losses. Overall, the use of AlienFox by cybercriminals can have severe and long-lasting consequences for its victims.
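The AWS persistence and privilege-escalation behaviour described above leaves a recognisable trail in CloudTrail: a low-privilege identity suddenly creating a new user or access key and then attaching an administrative policy, all from one unfamiliar IP within a few minutes. The following detector is an added example written for this article, not code from the SentinelOne report or from AlienFox; the event records, user names, IP addresses and the ten-minute window are constructed assumptions, and the records keep only the CloudTrail fields the logic reads.

```python
import json
from datetime import datetime, timedelta

# IAM calls that create a durable foothold, and calls that widen what a foothold can do.
PERSISTENCE = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}
PRIVESC = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _ev(ts, name, source, actor, ip, params):
    """Build a trimmed CloudTrail record containing only the fields the detector reads."""
    return {"eventTime": ts, "eventName": name, "eventSource": source,
            "userIdentity": {"type": "IAMUser", "userName": actor},
            "sourceIPAddress": ip, "requestParameters": params}


# Constructed sample trail: a stolen mail-sending key (ses-mailer) is used from an
# unfamiliar address to mint a second identity and make it admin. alice rotating
# her own key from the office range is the benign control case.
SAMPLE_EVENTS = [
    _ev("2023-03-10T14:10:02Z", "GetCallerIdentity", "sts.amazonaws.com", "ses-mailer", "203.0.113.7", None),
    _ev("2023-03-10T14:10:09Z", "CreateUser", "iam.amazonaws.com", "ses-mailer", "203.0.113.7",
        {"userName": "backup-svc"}),
    _ev("2023-03-10T14:10:11Z", "CreateAccessKey", "iam.amazonaws.com", "ses-mailer", "203.0.113.7",
        {"userName": "backup-svc"}),
    _ev("2023-03-10T14:10:14Z", "AttachUserPolicy", "iam.amazonaws.com", "ses-mailer", "203.0.113.7",
        {"userName": "backup-svc", "policyArn": ADMIN_POLICY}),
    _ev("2023-03-10T15:00:00Z", "CreateAccessKey", "iam.amazonaws.com", "alice", "198.51.100.20",
        {"userName": "alice"}),
]


def _grants_everything(policy_document):
    """True if an inline policy document allows Action "*" on Resource "*"."""
    try:
        doc = json.loads(policy_document)
    except (TypeError, ValueError):
        return False
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be given without a list
        stmts = [stmts]
    for s in stmts:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") == "Allow" and "*" in actions and s.get("Resource") in ("*", ["*"]):
            return True
    return False


def classify(event):
    """Return an alert dict for a persistence or privilege-escalation IAM call, else None."""
    if event["eventSource"] != "iam.amazonaws.com":
        return None
    name = event["eventName"]
    actor = event["userIdentity"].get("userName")
    params = event.get("requestParameters") or {}
    target = params.get("userName") or params.get("roleName")
    if name in PERSISTENCE:
        kind, sev = "persistence", "medium"
        if target and target != actor:   # credentials minted for ANOTHER identity: classic foothold
            sev = "high"
    elif name in PRIVESC:
        kind, sev = "privesc", "medium"
        if params.get("policyArn") == ADMIN_POLICY or _grants_everything(params.get("policyDocument")):
            sev = "high"
    else:
        return None
    return {"time": event["eventTime"], "actor": actor, "ip": event["sourceIPAddress"],
            "event": name, "target": target, "kind": kind, "severity": sev}


def persistence_chains(events, window=timedelta(minutes=10)):
    """Group alerts by (actor, source IP) and report groups that chain persistence and
    privilege escalation inside `window`: the stolen-key-to-admin pattern."""
    alerts = [a for a in map(classify, events) if a]
    by_key = {}
    for a in alerts:
        by_key.setdefault((a["actor"], a["ip"]), []).append(a)
    chains = []
    for (actor, ip), group in by_key.items():
        kinds = {a["kind"] for a in group}
        times = [datetime.strptime(a["time"], "%Y-%m-%dT%H:%M:%SZ") for a in group]
        if {"persistence", "privesc"} <= kinds and max(times) - min(times) <= window:
            chains.append({"actor": actor, "ip": ip,
                           "events": [a["event"] for a in group],
                           "targets": sorted({a["target"] for a in group if a["target"]})})
    return chains


if __name__ == "__main__":
    for chain in persistence_chains(SAMPLE_EVENTS):
        print(f"{chain['actor']} from {chain['ip']}: {' -> '.join(chain['events'])} "
              f"(new identities: {chain['targets']})")
```

Single alerts are noisy on their own, since key rotation and onboarding look the same as a foothold; the chain, one actor and one source address performing both halves within minutes, is what distinguishes the abuse pattern. Real CloudTrail records also carry `userIdentity.accessKeyId`, which lets you tie the chain back to the specific key that was harvested and needs revoking.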
AlienFox Locates Misconfigured Hosts
AlienFox collects lists of misconfigured hosts through legitimate internet-scanning and OSINT platforms such as LeakIX and SecurityTrails. Turning legitimate security tooling against its intended purpose is an increasingly common trait among threat groups; Cobalt Strike is the best-known example.
Once the attackers have identified exposed servers, they use the scripts in the AlienFox toolkit to steal secrets for cloud platforms such as Amazon Web Services and Microsoft Office 365. Although the scripts can be pointed at a range of web services, they are primarily aimed at cloud-based and Software-as-a-Service (SaaS) email hosting services.
Many of the exploited misconfigurations are associated with popular web frameworks and applications such as Laravel, Drupal, WordPress and OpenCart. To build a target list, the AlienFox scripts scan IP addresses and subnets directly and query the web APIs of OSINT platforms such as SecurityTrails and LeakIX to find hosts running the targeted services.
Once an exposed server is identified, the attackers move in to extract sensitive data. Their scripts target tokens and other secrets for more than a dozen cloud services, including AWS and Office 365 as well as Google Workspace, Nexmo, Twilio and OneSignal. For any organization that runs its operations on cloud services, a toolkit like this is a significant threat.
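The scanning described above shows up on the target side as a burst of requests for paths that only leak configuration: a web-readable `.env` (the classic Laravel exposure), `.git/config`, `phpinfo.php`, backup copies of `wp-config.php` and the like. The detector below, an added example written for this article rather than code from SentinelOne or from AlienFox, runs that check over web server access logs. The log lines, IP addresses and the probe-path list are constructed assumptions built from common framework exposures, not taken from the AlienFox scripts.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths that have no business being requested on a production host. Any hit is a
# reconnaissance probe; a 2xx means the host actually served the file.
# (Assumed list based on well-known framework exposures, not the AlienFox scripts.)
SECRET_PATHS = [re.compile(p) for p in (
    r'^/\.env(\.|$)',                  # Laravel / dotenv config holding credentials
    r'^/\.git(/|$)',                   # exposed repository metadata
    r'^/\.aws/credentials$',
    r'^/(php)?info\.php$',             # phpinfo() leaks environment variables and paths
    r'^/wp-config\.php',               # WordPress DB credentials and salts (incl. .bak copies)
    r'^/config\.php\.(bak|old|save|orig)$',
    r'^/storage/logs/laravel\.log$',   # Laravel debug log, frequently contains secrets
    r'^/vendor/phpunit/',              # leftover development tooling
)]

# Constructed sample log: one scanner sweeps three secret paths (and gets the .env),
# one ordinary visitor browses the site.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:14:02:11 +0000] "GET /.env HTTP/1.1" 200 1432 "-" "python-requests/2.28.1"
203.0.113.7 - - [10/Mar/2023:14:02:12 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "python-requests/2.28.1"
203.0.113.7 - - [10/Mar/2023:14:02:13 +0000] "GET /phpinfo.php?x=1 HTTP/1.1" 404 162 "-" "python-requests/2.28.1"
198.51.100.3 - - [10/Mar/2023:14:05:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Mar/2023:14:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""


def find_secret_probes(lines):
    """Return one finding per request for a secret-bearing path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # skip malformed lines rather than crash
        path = m.group('target').split('?', 1)[0]      # ignore the query string
        if any(p.match(path) for p in SECRET_PATHS):
            status = int(m.group('status'))
            findings.append({
                'ip': m.group('ip'),
                'ts': m.group('ts'),
                'path': path,
                'status': status,
                # a 2xx means the server handed the file over: that is an exposure, not a probe
                'severity': 'exposed' if 200 <= status < 300 else 'probe',
            })
    return findings


def summarize_by_source(findings):
    """Group findings per source IP: total probe count and the paths that were actually served."""
    summary = defaultdict(lambda: {'probes': 0, 'exposed': []})
    for f in findings:
        s = summary[f['ip']]
        s['probes'] += 1
        if f['severity'] == 'exposed':
            s['exposed'].append(f['path'])
    return dict(summary)


if __name__ == '__main__':
    for ip, s in summarize_by_source(find_secret_probes(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {s['probes']} probe(s), served: {s['exposed'] or 'none'}")
```

The status code is the part that matters for response: a 404 on `/.env` is background noise that every internet-facing host sees, whereas a 200 means every credential in that file, mail, database, cloud and SMS keys alike, must be treated as stolen and rotated, regardless of whether anything else in the logs looks suspicious.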
AlienFox Malware Is Still Under Active Development
Three versions of AlienFox going back to February 2022 have been identified so far. It is worth pointing out that some of the scripts found have been tagged as malware families by other researchers.
Each of the toolsets that abuse Amazon Simple Email Service (SES) targets servers running the Laravel PHP framework, which suggests that Laravel deployments are particularly prone to the misconfigurations and exposures AlienFox looks for.
AlienFox v4 is organized differently from the earlier versions: each tool is assigned a numerical identifier, such as Tool1 and Tool2. Some of the new tools suggest that the developers are trying to attract new users or to extend what existing toolkits can do. One tool checks whether an email address is linked to an Amazon retail account and, if no such account exists, registers a new Amazon account with that address. Another automates the generation of cryptocurrency wallet seeds for Bitcoin and Ethereum.
These findings show how quickly AlienFox is evolving and how much further its operators can take a single harvested credential. The practical defence is to find exposed configuration before they do and to rotate any credential a misconfigured host may have served.