A recently discovered comprehensive toolset dubbed AlienFox toolkit is circulating on Telegram.
It’s a modular set of tools that enables malicious actors to scan for poorly configured servers, potentially leading to the theft of cloud-based email service credentials and authentication secrets.
SentinelOne security researcher Alex Delamotte stated:-
“A new trend in cyberattacks involves exploiting less complex cloud services that are unsuitable for cryptocurrency mining. The spread of AlienFox is an example of this trend, as it allows attackers to expand their operations and launch further campaigns. This development has gone largely unreported in the cybersecurity community.”
The toolkit is sold to cybercriminals through a private Telegram channel, which has become the usual venue for network intruders and malware authors to transact.
Hosting Frameworks Targeted
Here below, we have mentioned all the hosting frameworks that AlienFox targets:-
- Laravel
- Drupal
- Joomla
- Magento
- Opencart
- Prestashop
- WordPress
Identified versions of AlienFox
All the versions of AlienFox that the security analysts identified:-
- AlienFox V2
- AlienFox V3.x
- AlienFox V4
The discovery of three different versions of AlienFox suggests that the toolkit’s creator is actively developing and improving it. This finding comes from the analysis conducted by cybersecurity researchers at SentinelOne.
AlienFox steals credentials & secrets
There are a number of custom tools in AlienFox that were developed by different authors and utilize a variety of modified open-source utilities.
Using security scanning platforms, malicious actors employ AlienFox to obtain inventories of poorly configured cloud endpoints from sources including:-
Next, AlienFox uses data-extraction scripts to retrieve configuration files from misconfigured servers; these files commonly store sensitive data such as:-
- API keys
- Account credentials
- Authentication tokens
In addition to its primary function, the toolkit features independent scripts that can enable the tool to establish persistence and elevate privileges on servers with identified vulnerabilities.
AWS account access and privilege escalation have been integrated into recent versions of the tool. Moreover, the toolkit can use compromised accounts to automate spam campaigns as a follow-on activity.
The earlier version, AlienFox v2, primarily concentrates on extracting and modifying the web server’s environment files.
It then searches those files for credentials and uses the Paramiko Python library to test them against the targeted server.
With the release of AlienFox v3, the toolkit can now automatically extract keys and secrets from Laravel environments. In addition, harvested data now includes tags that specify the acquisition method.
AlienFox’s latest version, v4, boasts improved organization of its code and scripts. Additionally, the toolkit’s targeting scope has been broadened.
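The versions described above all start from the same misconfiguration: a web server that serves its own environment or configuration files. The following detector is an added example, not code from the article or from SentinelOne’s report; it parses access-log lines in the default nginx/Apache combined format and flags requests that probe for such files, separating plain scanning (HTTP 404) from actual exposure (HTTP 200). The log lines are constructed, and the file names in `SENSITIVE_PATTERNS` are assumptions drawn from the frameworks the article lists.

```python
"""
Added example, not from the article or from SentinelOne's report: a small
detector that reads web-server access logs and flags requests probing for
framework environment/configuration files, the misconfiguration that
AlienFox-style scanners harvest. The log lines are constructed; the file
names in SENSITIVE_PATTERNS are assumptions drawn from the frameworks the
article lists.
"""
import re
from collections import Counter

# Combined log format as written by nginx/Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Files a web server should never serve. Assumption: .env for Laravel-style
# apps (the article's v2/v3 description), plus the main config file of
# WordPress, Joomla, Drupal and OpenCart.
SENSITIVE_PATTERNS = [
    re.compile(r'(^|/)\.env(\.[a-z0-9_-]+)?$'),     # .env, .env.backup, .env.prod
    re.compile(r'(^|/)wp-config\.php(\.bak|~)?$'),  # WordPress
    re.compile(r'(^|/)configuration\.php$'),        # Joomla
    re.compile(r'(^|/)settings\.php$'),             # Drupal
    re.compile(r'(^|/)config\.php$'),               # OpenCart
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sensitive_path(raw_path):
    """True if the request path (query string ignored) names a secret-bearing file."""
    path = raw_path.split('?', 1)[0]
    return any(p.search(path) for p in SENSITIVE_PATTERNS)


def find_probes(lines):
    """Return (ip, path, status) for every request to a sensitive path."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_sensitive_path(rec['path']):
            hits.append((rec['ip'], rec['path'].split('?', 1)[0], int(rec['status'])))
    return hits


def summarize(hits):
    """Per-source-IP probe counts, plus the paths that were actually served (HTTP 200).

    A 404 means the scanner found nothing; a 200 means the file is exposed and
    the server configuration, not just the attacker, needs attention.
    """
    per_ip = Counter(ip for ip, _, _ in hits)
    exposed = sorted({path for _, path, status in hits if status == 200})
    return dict(per_ip), exposed


# Constructed sample log: one scanning host, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Mar/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.28.1"
203.0.113.10 - - [20/Mar/2023:10:01:03 +0000] "GET /laravel/.env HTTP/1.1" 200 512 "-" "python-requests/2.28.1"
203.0.113.10 - - [20/Mar/2023:10:01:04 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 153 "-" "python-requests/2.28.1"
198.51.100.7 - - [20/Mar/2023:10:02:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Mar/2023:10:02:01 +0000] "GET /static/env.js HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG.splitlines())
    per_ip, exposed = summarize(probes)
    for ip, n in per_ip.items():
        print(f"{ip}: {n} probe(s) for secret files")
    for path in exposed:
        print(f"EXPOSED: {path} was served with HTTP 200")
```

Run it against a real log with `find_probes(open(path))`; any path listed in `exposed` is a file the server is currently handing out and should be blocked at the web-server layer and checked for leaked credentials, while a burst of 404s from one source is a scan worth correlating with the rest of that host's traffic.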
Cloud-based Email Platforms Targeted
There are several cloud-based email platforms that are targeted, such as:-
- 1and1
- AWS
- Bluemail
- Exotel
- Google Workspace
- Mailgun
- Mandrill
- Nexmo
- Office365
- OneSignal
- Plivo
- Sendgrid
- Sendinblue
- Sparkpostmail
- Tokbox
- Twilio
- Zimbra
- Zoho
Recommendation
Here below, we have mentioned all the recommendations offered by the security researchers that will help defenders counter this evolving threat:-
- Administrators must ensure that their servers’ access-control settings are configured appropriately.
- Ensure that file permissions on the server are set properly.
- Remove any unnecessary services that are running on your server.
- Make sure to enable multi-factor authentication.
- Closely monitor your accounts for any unusual or suspicious activity.
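The file-permission recommendation can be checked mechanically. The script below is an added example, not code from the article or from SentinelOne; it walks a document root, reports framework secret files that any local user can read, and tightens their mode so only the owner and the web server’s group retain access. The sample tree is constructed in a temporary directory so the script runs stand-alone, and the names in `SECRET_FILENAMES` are assumptions based on the frameworks the article lists.

```python
"""
Added example, not from the article: an audit of a document root for
framework secret files that any local user can read, matching the
"file permissions" recommendation. The sample tree is constructed in a
temporary directory so the script runs stand-alone; the file names in
SECRET_FILENAMES are assumptions based on the frameworks the article lists.
"""
import os
import shutil
import stat
import tempfile

# Assumption: .env (Laravel-style apps) and the main config file of
# WordPress, Joomla and Drupal. Extend for your own stack.
SECRET_FILENAMES = {".env", "wp-config.php", "configuration.php", "settings.php"}


def is_secret_file(name):
    """Match the secret files themselves and variants such as .env.backup."""
    return name in SECRET_FILENAMES or name.startswith(".env.")


def mode_of(path):
    """Permission bits only (e.g. 0o644) as an integer."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit(root):
    """Return sorted (relative_path, mode_string) for secret files readable by 'other'."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not is_secret_file(name):
                continue
            full = os.path.join(dirpath, name)
            if mode_of(full) & stat.S_IROTH:
                findings.append((os.path.relpath(full, root), oct(mode_of(full))))
    return sorted(findings)


def harden(root):
    """Strip all 'other' bits and group-write from each finding.

    The owner keeps full access and the web server's group keeps read, so a
    0o644 file becomes 0o640. Returns the relative paths that were changed.
    """
    changed = []
    for rel, _ in audit(root):
        full = os.path.join(root, rel)
        os.chmod(full, mode_of(full) & ~(stat.S_IRWXO | stat.S_IWGRP))
        changed.append(rel)
    return changed


def build_sample_tree():
    """Constructed document root with two misconfigured and two acceptable files."""
    root = tempfile.mkdtemp(prefix="env-audit-")
    layout = {
        "app/.env": 0o644,            # world-readable: finding
        "app/.env.backup": 0o600,     # owner-only: fine
        "blog/wp-config.php": 0o664,  # world-readable: finding
        "public/index.php": 0o644,    # not a secret file
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("APP_KEY=constructed-placeholder\n")
        os.chmod(full, mode)
    return root


def cleanup(root):
    """Delete the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, mode in audit(root):
        print(f"world-readable secret file: {rel} ({mode})")
    print("hardened:", harden(root))
    print("remaining findings:", audit(root))
    cleanup(root)
```

Point `audit()` at a real document root to get the report without changing anything; `harden()` is the remediation step and assumes the web server runs as the file's group, so confirm ownership before applying it. Mode bits only cover local readers, so the web-server configuration must separately refuse to serve these files over HTTP.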