AlienFox malware caught in the cloud hen house
Malicious toolkit targets misconfigured hosts in AWS and Office 365
A fast-evolving toolkit that can be used to compromise email and web hosting services represents a disturbing evolution of attacks in the cloud, which for the most part have previously been confined to mining cryptocurrencies.
The AlienFox toolkit is being hawked on Telegram as a way to compromise misconfigured hosts on cloud services platforms and harvest sensitive information like API keys and other secrets, according to security shop SentinelOne.
It's a relatively fresh turn in opportunistic cloud attacks, Alex Delamotte, senior threat research with SentinelLabs, wrote in a report today.
"AlienFox tools facilitate attacks on minimal services that lack the resources needed for mining," she wrote. "By analyzing the tools and tool output, we found that actors use AlienFox to identify and collect service credentials from misconfigured or exposed services. For victims, compromise can lead to additional service costs, loss of customer trust, and remediation costs."
It can also open the doors to further criminal campaigns. Later versions of AlienFox include scripts that automate malicious operations using the stolen credentials, such as establishing persistence and allowing privilege escalation in AWS accounts. Another script automates spam campaigns through victim accounts and services.
Searching for misconfigured hosts
Through AlienFox, attackers are able to collect lists of misconfigured hosts through scanning platforms like LeakIX and SecurityTrails, exhibiting an increasingly common trait among threat groups of using legitimate security products – as with threat emulation tool Cobalt Strike – in their malicious operations.
They can then use multiple scripts in the toolkit to steal sensitive information from the misconfigured hosts on such cloud platforms like Amazon Web Services and Microsoft Office 365. While the AlienFox scripts can be used against a range of web services, they primarily target cloud-based and software-as-a-service (SaaS) email hosting services, Delamotte wrote.
- Capital One: Convicted techie got in via 'misconfigured' AWS buckets
- What keeps Mandiant Intelligence EVP Sandra Joyce up at night? The coming storm
- Google says slap some GUAC on your software supply chain
- AT&T Alien Labs warns of 'zero or low detection' for TeamTNT's latest malware bundle
Most of the misconfigurations that are exploited are tied to a number of web frameworks, including Laravel, Drupal, WordPress, and OpenCart. The AlienFox scripts check for cloud services and includes a list of targets that are generated by a separate script, such as grabipe.py and grabsite.py. The targeting scrips use brute force methods for IPs and subnets and web APIs for open-source intelligence platforms like SecurityTrails and LeakIX.
When a vulnerable server is found, the miscreants move in for the sensitive information. SentinelOne found scripts targeting tokens and other secrets from more than a dozen cloud services, not only AWS and Office 365 but also Google Workspace, Nexmo, Twilio, and OneSignal.
A highly adaptable threat
AlienFox is a modular open source toolkit that is highly adaptable. While primarily available via Telegram, some modules can be found on GitHub, which can lead to constant adaptation and multiple variants being used, according to the report.
"The evolution of recurring features suggests the developers are becoming increasingly sophisticated, with performance considerations at the forefront in more recent versions," Delamotte wrote.
Given the massive amounts of sensitive data in cloud-based email and messaging systems that now are at "severe risk of exposure," the threat represented by AlienFox is a worry, according to Dan Benjamin, co-founder and CEO of cloud data security startup Dig Security.
"The emergence of toolkits like AlienFox underscores the increasing sophistication of attacker networks and their collective ability to cause harm and disruption," Benjamin told The Register. "This is a very concerning trend where the attackers behind AlienFox are adapting the tool to be effective across more targets, particularly those in use widely across enterprises."
Three versions, so far
SentinelOne has detected three versions of AlienFox dating back to February 2022 and some of the scripts found has been tagged as malware families by other researchers, such as Androxgh0st by Lacework.
"It is worth noting that each of the SES-abusing toolsets we analyzed targets servers using the Laravel PHP framework, which could indicate that Laravel is particularly susceptible to misconfigurations or exposures," she wrote.
AlienFox v4 is organized differently than the others – for example, each tool gets a numerical identifier, such as Tool1 and Tool2 – and some new ones suggest the developers are looking for new users or augmenting what existing toolkits can do. For example, one checks to see if email addresses are linked to Amazon retail accounts. If not, the script will create a new Amazon account using the email address. Another automates cryptocurrency wallet seeds for Bitcoin and Ethereum.
Given its ongoing evolution, it's likely that AlienFox will be around for a while.
"Cloud services have well-documented, powerful APIs, enabling developers of all skill levels to readily write tooling for the service," Delamotte wrote. "The toolset has gradually improved through improved coding practices as well as the addition of new modules and capabilities." ®