AlienFox massively steals data from cloud services

    A new modular tool called "AlienFox" allows attackers to scan misconfigured cloud servers to steal authentication keys and mail service credentials. The toolkit is sold by cybercriminals in their own private Telegram channel.

    Researchers at SentinelLabs who analyzed AlienFox report that the toolkit targets common misconfigured servers for popular services such as Laravel, Drupal, Joomla, Magento, Opencart, Prestashop and WordPress.

    AlienFox is a modular toolbox that combines custom tools with modified open-source utilities from several different authors. Analysts have identified three distinct versions of AlienFox, which indicates that the toolkit's authors are actively developing and improving it.

    Attackers use AlienFox to collect lists of misconfigured cloud servers from security scanning platforms such as LeakIX and SecurityTrails. The toolkit then uses fetch scripts to search these servers for sensitive configuration files that are typically used to store API keys, credentials, and authentication tokens.
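The requests such a toolkit makes for configuration files leave a recognisable trace in the web server's access log. The following is an added detection example, not code from the article or from SentinelLabs: it parses Combined Log Format lines (a constructed sample is embedded), flags clients that probe several credential-bearing paths in a row, and separately lists any such path the server actually served with HTTP 200. The path list is an assumption drawn from the frameworks the article names (`.env` is the Laravel environment file; the others are the standard config file locations of the CMSs mentioned).

```python
import re
from collections import defaultdict

# Assumed indicator list: config/environment files that hold credentials for the
# frameworks named in the article (Laravel, WordPress, Joomla, Drupal, Magento, Prestashop).
SENSITIVE_PATHS = (
    "/.env",                         # Laravel and other dotenv-based apps
    "/.git/config",                  # exposed repository, often contains tokens
    "/wp-config.php",                # WordPress
    "/configuration.php",            # Joomla
    "/sites/default/settings.php",   # Drupal
    "/app/etc/env.php",              # Magento
    "/config/settings.inc.php",      # Prestashop
    "/config.php",                   # generic PHP apps (Opencart, etc.)
)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:01:03 +0000] "GET /laravel/.env HTTP/1.1" 200 812
203.0.113.7 - - [10/Mar/2024:10:01:04 +0000] "GET /.git/config HTTP/1.1" 404 153
198.51.100.4 - - [10/Mar/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4021
198.51.100.4 - - [10/Mar/2024:10:02:05 +0000] "GET /wp-config.php HTTP/1.1" 403 199
""".splitlines()


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sensitive(path):
    """True if the requested path (query string ignored) ends with a known config file path."""
    p = path.split("?", 1)[0].lower()
    return any(p.endswith(s) for s in SENSITIVE_PATHS)


def find_config_probes(lines, min_hits=2):
    """Map client IP -> [(path, status), ...] for clients that requested
    at least `min_hits` sensitive paths; a single hit may be a false positive."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_sensitive(rec["path"]):
            hits[rec["ip"]].append((rec["path"], int(rec["status"])))
    return {ip: h for ip, h in hits.items() if len(h) >= min_hits}


def exposed_files(lines):
    """(client, path) pairs where a sensitive file was actually served (HTTP 200).
    Each of these means the credentials in that file must be treated as compromised."""
    return sorted(
        {(rec["ip"], rec["path"])
         for rec in map(parse_line, lines)
         if rec and is_sensitive(rec["path"]) and rec["status"] == "200"}
    )


if __name__ == "__main__":
    for ip, paths in find_config_probes(SAMPLE_LOG).items():
        print(f"probing client {ip}: {paths}")
    for ip, path in exposed_files(SAMPLE_LOG):
        print(f"EXPOSED: {path} served to {ip} - rotate every secret in it")
```

The two functions answer different questions: `find_config_probes` is the alerting signal (a client walking through several config paths is scanning, whatever the response codes), while `exposed_files` is the incident trigger, since a 200 response means the file left the server and the keys inside it need rotation regardless of whether the client is later blocked.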

    The attackers primarily target cloud mail platforms such as 1and1, AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Nexmo, Office365, OneSignal, Plivo, Sendgrid, Sendinblue, Sparkpostmail, Tokbox, Twilio, Zimbra, and Zoho. The toolkit also includes separate scripts for establishing persistence and escalating privileges on affected servers.

    AlienFox v2, which was the earliest to appear in the wild (ITW), focuses on web server configuration and environment file extraction. The malware then parses the files for credentials and checks them against the target server by trying to connect via SSH using the Paramiko Python library.

    AlienFox v2 also includes a script (awses.py) that automates the sending and receiving of messages in AWS SES (Simple Email Service) and applies elevated privileges to the attacker's AWS account. The second version of AlienFox contains an exploit for CVE-2022-31279, a deserialization vulnerability in the Laravel PHP framework.

    AlienFox v3 adds automatic extraction of keys and other sensitive data from Laravel environments, and the stolen information is tagged to indicate the collection method used. Version 3 also brings performance improvements: initialization variables, Python classes with modular functions, and multithreading.

    The most recent version of AlienFox found is v4, which has better code and script organization and an expanded scope. In particular, the fourth version adds targeting of WordPress, Joomla, Drupal, Prestashop, Magento and Opencart, an account verification tool for Amazon.com retail sites, and an automated cryptocurrency wallet seed cracker.

    The scripts being added to the toolkit indicate that the AlienFox developer wants to expand the customer base, or simply enrich the toolkit so that existing customers renew their subscriptions.

    To protect against this evolving threat, server administrators must ensure that their server configuration has proper access controls, that credential-bearing configuration files have correct (non-world-readable) permissions and are not reachable from the web document root, and that no unnecessary services are installed.
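A quick way to check the file-permission and exposure points above on a host is to walk the application directories and report every credential-bearing config file that is world-readable, world-writable, or sitting under a web document root. This is an added audit example, not code from the article or from SentinelLabs; the file names and the document-root directory names are assumptions (common defaults for the frameworks the article names), and the demo tree it builds is constructed, not taken from any real system.

```python
import os
import stat
import tempfile

# Assumed: config/environment file names that typically hold API keys and credentials.
SENSITIVE_NAMES = {
    ".env", "wp-config.php", "configuration.php", "settings.php",
    "env.php", "config.php", "settings.inc.php", "parameters.php",
}
# Assumed: directory names that commonly serve as a web document root.
WEB_ROOT_DIRS = {"public", "public_html", "htdocs", "www", "html"}


def audit_config_files(root):
    """Walk `root` and return sorted (relative_path, issue) findings for
    sensitive config files that are exposed or have weak permissions."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = set() if rel_dir == "." else set(rel_dir.split(os.sep))
        for name in filenames:
            if name not in SENSITIVE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if parts & WEB_ROOT_DIRS:
                # A file under the document root can be fetched over HTTP unless
                # the web server explicitly denies it.
                findings.append((rel, "inside web document root"))
    return sorted(findings)


def build_demo_tree(base):
    """Create a constructed sample layout (not from the article) under `base`."""
    layout = {
        os.path.join("app", ".env"): 0o600,             # correct: owner-only, outside web root
        os.path.join("app", "public", ".env"): 0o644,   # exposed and world-readable
        os.path.join("blog", "wp-config.php"): 0o644,   # world-readable
        os.path.join("blog", "index.php"): 0o644,       # not a credential file, ignored
    }
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("SECRET=placeholder\n")   # placeholder content, no real secret
        os.chmod(path, mode)
    return base


def run_demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_config_files(build_demo_tree(tmp))


if __name__ == "__main__":
    for rel, issue in run_demo():
        print(f"{issue:26s} {rel}")
```

Run it against the real application directories with `audit_config_files("/var/www")` (path assumed); every finding is a file that a scanner of the kind described above could read, and the fix is the same in each case: move the file out of the document root, set it to `0600` owned by the application user, and rotate any key it already contained.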

    Additionally, enabling multi-factor authentication (MFA) and monitoring for unusual or suspicious account activity can help stop an intrusion at an early stage.

    Author DeepWeb