SentinelLabs has discovered a new toolkit called AlienFox that lets attackers harvest credentials for multiple cloud service providers.
The modular toolkit is available for sale and is primarily distributed on Telegram, with some modules available on GitHub.
AlienFox can be customized by threat actors to suit their needs, and allows its operators to harvest API keys and secrets from popular services such as AWS SES and Microsoft Office 365. The malware targets misconfigured servers running popular web frameworks, including WordPress, Joomla, Drupal, Prestashop, Magento, Opencart, and Laravel.
It collects lists of misconfigured cloud endpoints through security scanning platforms such as LeakIX and SecurityTrails.
Furthermore, AlienFox has evolved over time: features that recur across versions suggest its developers are becoming more sophisticated, with performance a priority in the more recent releases. The researchers analyzed AlienFox versions 2 through 4, which date from February 2022 onward. Version 2 focuses primarily on extracting credentials from web server configuration or environment files.
The most recent version, version 4, has a completely different structure. It adds targeting of WordPress, Joomla, Drupal, Prestashop, Magento, and Opencart, an Amazon.com retail site account checker, and “Wallet Cracker” scripts that automate attacks on Bitcoin and Ethereum wallet seeds.
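Because AlienFox's credential harvesting starts with exposed web server configuration and environment files, the defensive question for a site owner is whether those files are being probed and, worse, actually served. The following script is an added example (not part of the SentinelLabs report or the AlienFox code) that scans combined-format web access logs for requests to framework config files and distinguishes a failed probe from a successful exposure. The list of paths, the log lines, and the IP addresses are constructed for this example; only the Laravel `.env` and WordPress, Joomla, Drupal and Magento config entries follow from the frameworks named above, and the exact filenames are an assumption.

```python
import re
from collections import defaultdict

# Config/environment files a harvester of this kind would request.
# Filenames are an assumption for this example; adjust to your deployments.
SENSITIVE_PATHS = {
    "/.env": "Laravel environment file",
    "/.env.bak": "Laravel environment backup",
    "/wp-config.php": "WordPress config",
    "/wp-config.php.bak": "WordPress config backup",
    "/configuration.php": "Joomla config",
    "/sites/default/settings.php": "Drupal config",
    "/app/etc/env.php": "Magento config",
}

# Apache/Nginx "combined" log format; trailing referer/user-agent is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2023:12:00:01 +0000] "GET /.env HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2023:12:00:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2023:12:00:03 +0000] "GET /configuration.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2023:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2023:12:01:05 +0000] "GET /.env?x=1 HTTP/1.1" 403 199 "-" "curl/7.88"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop query string before matching
    return entry


def classify(entry):
    """Return (severity, label) for a sensitive-file request, else None.

    A 200 with a non-empty body means the server actually handed the file
    over, which is an exposure; anything else is only a probe.
    """
    label = SENSITIVE_PATHS.get(entry["path"])
    if label is None:
        return None
    served = entry["status"] == 200 and entry["size"] != "-" and int(entry["size"]) > 0
    return ("exposure" if served else "probe", label)


def analyze(lines):
    """Return (findings, requests_per_ip) for all sensitive-file requests."""
    findings = []
    per_ip = defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        result = classify(entry)
        if result is None:
            continue
        per_ip[entry["ip"]] += 1
        findings.append({
            "ip": entry["ip"],
            "path": entry["path"],
            "status": entry["status"],
            "severity": result[0],
            "label": result[1],
        })
    return findings, dict(per_ip)


if __name__ == "__main__":
    findings, per_ip = analyze(SAMPLE_LOG)
    for f in findings:
        print(f"{f['severity']:8} {f['ip']:15} {f['status']} {f['path']} ({f['label']})")
    print("requests per source:", per_ip)
```

On the constructed sample the `.env` request from 203.0.113.5 is flagged as an exposure because it returned 200 with an 812-byte body, while the same path from 198.51.100.7 (denied with 403) and the two 404s are recorded as probes. An exposure finding should be treated as a credential compromise: the secrets in that file are already in the attacker's hands and need rotating, not just the file protecting.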
The AlienFox toolset is an example of how cybercrime is evolving in the cloud. Opportunistic cloud attacks are no longer confined to cryptomining, and AlienFox tools facilitate attacks on minimal services that lack the resources needed for mining.
At the same time, by analyzing the tools and tool output, SentinelLabs found that actors use AlienFox to identify and collect service credentials from misconfigured or exposed services.
The modular and evolving nature of AlienFox makes it a significant threat to cloud security, and businesses should take steps to ensure that their cloud services are properly configured and secure.