Python-Based Tool FBot Disrupts Cloud Security
Security researchers have shed light on a new Python-based hacking tool, FBot, showcasing distinct features from other cloud malware families.
Discovered by the SentinelLabs team, FBot targets web servers, cloud services and Software-as-a-Service (SaaS) platforms, with AWS, Office365, PayPal, Sendgrid and Twilio among the named targets.
FBot’s key features include credential harvesting for spamming attacks, tools for hijacking AWS accounts and functionalities enabling attacks against PayPal and various SaaS accounts.
Writing in an advisory published last Thursday, SentinelLabs security researcher Alex Delamotte explained that FBot demonstrated a smaller footprint than similar tools, suggesting possible private development and a more targeted distribution approach.
Delamotte also explained the malware does not utilize the widely used Androxgh0st code. Instead, it shares functionality and design similarities with the Legion cloud infostealer.
The tool’s functionalities span AWS targeting, including an AWS API Key Generator and Mass AWS Checker, as well as targeting payment services such as PayPal, with a unique PayPal Validator feature.
FBot also targets SaaS platforms such as Sendgrid and Twilio, with a Sendgrid API Key Generator and a Twilio SID and Auth Token checker. The tool further includes web framework reconnaissance, scanning for Laravel environments and extracting credentials from various files.
Despite its unique characteristics, Delamotte clarified that FBot fits into an existing trend in the cybersecurity landscape.
“FBot demonstrates another tool family that continues the trend of adopting cloud attack tool code from one tool into another while maintaining its own distinct flavor,” Delamotte wrote.
The SentinelLabs technical write-up also highlighted that FBot samples have been observed from July 2022 to January 2024, indicating continued proliferation, though the level of active maintenance remains uncertain.
Currently, no identified distribution channel is dedicated to FBot, differentiating it from other cloud infostealers typically sold on platforms like Telegram.
Indications suggest that FBot may be a product of private development work, aligning with the growing trend of bespoke ‘private bots’ tailored for individual buyers in the realm of cloud attack tools.
“Organizations should enable multi-factor authentication (MFA) for AWS services with programmatic access,” Delamotte warned.
“Create alerts that notify security operations teams when a new AWS user account is added to the organization, as well as alerts for new identities added or major configuration changes to SaaS bulk mailing applications where possible.”
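A minimal detector for the first alert Delamotte recommends, added here as an example that is not from the article or from SentinelLabs: it walks CloudTrail records, flags IAM identity and credential creation events, and notes whether the actor's session was MFA-backed. The records, account id and user names are constructed sample data.

```python
import json

# Constructed sample CloudTrail records (not taken from the article); field names
# follow the CloudTrail record schema, every value is made up.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-10T09:12:44Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2024-01-10T09:12:51Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2024-01-10T10:01:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": None},
]})

# IAM control-plane calls that add an identity or hand out new credentials.
IDENTITY_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}

def mfa_authenticated(identity):
    """True only when CloudTrail recorded an MFA-backed session. A long-term
    access key used directly carries no sessionContext, so it counts as no-MFA."""
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def identity_alerts(cloudtrail_json):
    """Return one alert dict per IAM identity/credential creation event."""
    alerts = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if (rec.get("eventSource") != "iam.amazonaws.com"
                or rec.get("eventName") not in IDENTITY_EVENTS):
            continue
        identity = rec.get("userIdentity", {})
        params = rec.get("requestParameters") or {}
        alerts.append({
            "time": rec["eventTime"],
            "event": rec["eventName"],
            # IAM users expose userName; role sessions only expose the ARN.
            "actor": identity.get("userName") or identity.get("arn", "unknown"),
            "target_user": params.get("userName", "(caller)"),
            "actor_mfa": mfa_authenticated(identity),
        })
    return alerts
```

The `actor_mfa` field is what makes the second alert interesting: a key created by a caller with no MFA-backed session is exactly the programmatic access the advisory says should be covered by MFA.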