Modular
A new malware toolset has been discovered and analyzed by security experts at SentinelOne. Dubbed “AlienFox” by the team, the toolkit can harvest credentials for multiple cloud service providers.
An advisory published on Thursday by SentinelOne threat researcher Alex Delamotte shows that attackers used AlienFox to successfully harvest API keys and secrets from various services, including Amazon Web Services (AWS) Simple Email Service (SES) and Microsoft Office 365.
“AlienFox is a modular toolset primarily distributed on Telegram in the form of source code archives. Some modules are available on GitHub for any would-be attacker to adopt,” Delamotte explained.
Many of these modules are open source, so threat actors could adapt and modify them to suit their needs.
“The evolution of recurring features suggests the developers are becoming increasingly sophisticated, with performance considerations at the forefront in more recent versions,” Delamotte wrote.
Threat actors using AlienFox employed the toolkit to compile lists of misconfigured hosts from several security scanning platforms like LeakIX and SecurityTrails.
“They use multiple scripts in the toolset to extract sensitive information such as API keys and secrets from configuration files exposed on victims’ web servers,” reads the SentinelOne advisory.
Further, some of the most recent variants observed by the team featured new scripts that automated malicious actions using the stolen credentials.
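The harvesting described above relies on configuration files that a web server will hand out to anyone who asks. The following is an added defender's example, not code from the SentinelOne advisory or from AlienFox itself: it runs over constructed combined-format access-log lines, flags source addresses that probe for configuration files, and separates probes that were actually served (status 200), which is the case where the contained secrets must be treated as compromised. The list of probed filenames is an assumption, since the article names none.

```python
import re
from collections import Counter, defaultdict

# Filenames commonly left exposed under a web root (assumed list; the article
# does not name specific files). Extend to match your own deployment.
CONFIG_PATHS = (".env", "wp-config.php", "config.php", "settings.py",
                ".aws/credentials", "credentials.json")

# nginx/Apache "combined" log format; fields after the size are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_config_probe(path):
    """True if the requested path (query string stripped) names a config file."""
    path = path.split("?", 1)[0].rstrip("/")
    return any(path.endswith(name) for name in CONFIG_PATHS)

def find_config_probes(lines, min_hits=2):
    """Return {ip: {"probes": n, "served": [paths]}} for every source IP that
    requested at least min_hits config-file paths. "served" lists the probes
    that received a 200, i.e. the file was exposed: rotate the secrets in it."""
    probes = Counter()
    served = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_config_probe(rec["path"]):
            continue
        probes[rec["ip"]] += 1
        if rec["status"] == 200:
            served[rec["ip"]].append(rec["path"])
    return {ip: {"probes": n, "served": served[ip]}
            for ip, n in probes.items() if n >= min_hits}

# Constructed sample traffic (documentation IP ranges, not real data).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2023:10:00:01 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.28"',
    '203.0.113.5 - - [30/Mar/2023:10:00:02 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "python-requests/2.28"',
    '203.0.113.5 - - [30/Mar/2023:10:00:03 +0000] "GET /app/.env HTTP/1.1" 200 512 "-" "python-requests/2.28"',
    '198.51.100.7 - - [30/Mar/2023:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Mar/2023:10:01:05 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
]
```

With the default threshold only the first address is reported; lowering `min_hits` to 1 also surfaces single opportunistic probes, which is useful when the same scanner is spread across many addresses.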
According to Delamotte, the spread of AlienFox represents a novel trend towards attacking more minimal cloud services (unsuitable for cryptomining) to then enable and expand subsequent campaigns.
“Opportunistic cloud attacks are no longer confined to cryptomining: AlienFox tools facilitate attacks on minimal services that lack the resources needed for mining,” Delamotte added. “For victims, [service credentials] compromise can lead to additional service costs, loss in customer trust and remediation costs.”
The SentinelOne findings come days after Microsoft suggested that just 1% of all cloud permissions are actively used, potentially leading to severe security risks.