
A new malware toolset has been discovered and analyzed by security experts at SentinelOne. Dubbed “AlienFox” by the team, the toolkit can harvest credentials for multiple cloud service providers.
An advisory published on Thursday by SentinelOne threat researcher Alex Delamotte shows that attackers used AlienFox to successfully harvest API keys and secrets from various services, including Amazon Web Services (AWS) Simple Email Service (SES) and Microsoft Office 365.
“AlienFox is a modular toolset primarily distributed on Telegram in the form of source code archives. Some modules are available on GitHub for any would-be attacker to adopt,” Delamotte explained.
Many of these modules are open source, so threat actors could adapt and modify them to suit their needs.
“The evolution of recurring features suggests the developers are becoming increasingly sophisticated, with performance considerations at the forefront in more recent versions,” Delamotte wrote.
Threat actors employed AlienFox to compile lists of misconfigured hosts from several security scanning platforms, such as LeakIX and SecurityTrails.
“They use multiple scripts in the toolset to extract sensitive information such as API keys and secrets from configuration files exposed on victims’ web servers,” reads the SentinelOne advisory.
Further, some of the most recent variants observed by the team featured new scripts that automated malicious actions using the stolen credentials.
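A defensive check for the exposure described above, as an added example that is not from the SentinelOne advisory: it walks a local web root you administer and reports configuration-style files containing credential-like strings, without printing the values. The file extensions, regex patterns and sample file contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed credential shapes (illustrative, not taken from the advisory).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "secret_assignment": re.compile(
        r"(?i)\b[\w.-]*(?:secret|password|api[_-]?key|token)[\w.-]*\s*[=:]\s*['\"]?[^\s'\"]{8,}"),
}
# Assumed extensions that a web server typically returns as plain text.
STATIC_CONFIG_EXTS = {".ini", ".yml", ".yaml", ".conf", ".json", ".bak", ".txt"}


def is_served_config(name):
    """True for dotenv-style names and plain-text config extensions."""
    lower = name.lower()
    return lower.startswith(".env") or os.path.splitext(lower)[1] in STATIC_CONFIG_EXTS


def audit_webroot(root, max_bytes=1_000_000):
    """Return sorted (relative_path, line_no, rule) tuples; never the secret itself."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_served_config(name) or os.path.getsize(path) > max_bytes:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for rule, rx in PATTERNS.items():
                        if rx.search(line):
                            findings.add((os.path.relpath(path, root), line_no, rule))
    return sorted(findings)


def build_sample(root):
    """Constructed sample tree: one leaked .env and one harmless page."""
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("APP_NAME=shop\n"
                 "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"  # AWS documentation placeholder
                 "MAIL_PASSWORD=constructed-not-real\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>password reset page</h1>\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, line_no, rule in audit_webroot(tmp):
            print(f"{rel}:{line_no}: {rule}")
```

Any hit means the file should be moved out of the document root or blocked by the server, and the credential it contains rotated.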
According to Delamotte, the spread of AlienFox represents a novel trend: attackers are targeting more minimal cloud services, which are unsuitable for cryptomining, in order to enable and expand subsequent campaigns.
“Opportunistic cloud attacks are no longer confined to cryptomining: AlienFox tools facilitate attacks on minimal services that lack the resources needed for mining,” Delamotte added. “For victims, [service credentials] compromise can lead to additional service costs, loss in customer trust and remediation costs.”
The SentinelOne findings come days after Microsoft suggested that just 1% of all cloud permissions are actively used, potentially leading to severe security risks.