AlienFox is a new toolkit used by cybercriminals to steal login credentials and sensitive data from cloud-based email services by scanning for misconfigured servers. Researchers at SentinelLabs who analyzed AlienFox report that The toolkit is available for purchase through a private Telegram channel, and it targets at least 18 cloud services, including well-known web hosting frameworks like Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress. AlienFox is a cloud spammer’s Swiss army knife, and it can bypass two-factor authentication, making it particularly dangerous. The toolkit has three versions: v2, v3, and v4, and it enhances its capabilities with each version.
AlienFox v2, the toolkit’s first known version, extracts credentials from web server configuration or environment files. Other scripts included are awses.py and ssh-smtp.py. The awses.py script automates activities such as sending/receiving messages and elevating a privilege persistence profile on AWS SES by utilizing the AWS SDK Boto3 Python client. The second script validates SSH configurations on the webserver to find vulnerabilities, and it potentially tries to exploit CVE-2022-31279, a rejected vulnerability in the Laravel PHP framework.
AlienFox v3 has four variations under it, created between February and April 2022. This version includes a Lar.py script, which extracts keys and secrets from compromised Laravel .env files. The script then logs that information to a text file, along with additional information about the server and tags, to indicate whether the data was obtained using a configuration parser or a regular expression.
AlienFox v4, the latest version, differs from the previous ones in that each tool is assigned a numerical identifier. The ALIENFOXV4.py script in the root directory acts as a bootstrap for the tool scripts. Tools 5, 6, 7, and 8 collect target lists. The other tools check if the targets are misconfigured or have a security vulnerability, and they improve the overall functionality of the AlienFox toolkit. There is, again, a script to focus on AWS and SES. Another tool in version 4 uses the cms.py script to check sites for the presence of web hosting frameworks. There are also cryptocurrency wallet crackers for Bitcoin and Ethereum, as well as an Amazon account checker tool.
Tactics:
- Initial Access: AlienFox is used to gain initial access to target cloud-based email and web hosting services by scanning for misconfigured servers.
- Credential Access: AlienFox is used to steal login credentials and sensitive data from cloud-based email services.
Techniques:
- T1566.001: Phishing: AlienFox may be distributed via phishing emails to potential victims.
- T1078: Valid Accounts: AlienFox is used to obtain valid login credentials for cloud-based email and web hosting services.
- T1110.002: Brute Force: AlienFox may be used to brute force login credentials for cloud-based email and web hosting services.
- T1204.002: User Execution: AlienFox requires user interaction to execute on a vulnerable server.
- T1527.001: Application Access Token: AlienFox is capable of stealing application access tokens for cloud-based email services.
- T1555.003: Steal Web Session Cookie: AlienFox is capable of stealing web session cookies for cloud-based email services.
To prevent the use of AlienFox toolkit, organizations should monitor interactions with their cloud services and adhere to the least privilege principle. Following best practices for cloud configuration management and monitoring the condition of cloud environments are also essential.
- Implement multi-factor authentication for all cloud-based email and web hosting services to make it more difficult for attackers to gain access using stolen credentials.
- Ensure that all servers are properly configured with appropriate security settings, and regularly scan for misconfigured servers.
- Regularly monitor all interactions with cloud-based email and web hosting services for any suspicious activity.
- Use Threat Intelligence Cloud Security Module to enhance the security of cloud storage and detect any unauthorized access attempts.
In conclusion, the AlienFox toolkit is a significant threat to cloud-based email services and can be used to steal login credentials and sensitive data. To prevent such attacks, organizations should follow best practices for cloud configuration management and monitoring the condition of cloud environments.
0 Comments