A new modular tool called "AlienFox" allows attackers to scan misconfigured cloud servers to steal authentication keys and mail service credentials. The toolkit is sold by cybercriminals in their own private Telegram channel.
Researchers at SentinelLabs who analyzed AlienFox report that the toolkit targets common misconfigured servers for popular services such as Laravel, Drupal, Joomla, Magento, Opencart, Prestashop and WordPress.
AlienFox is a modular toolbox consisting of various custom tools and modified open source utilities created by various authors. Analysts have identified 3 different versions of AlienFox, which indicates that the authors of the toolkit are actively developing and improving their malicious tool.
Attackers use AlienFox to collect lists of misconfigured cloud servers from security scanning platforms such as LeakIX and SecurityTrails. The toolkit then uses fetch scripts to search these servers for sensitive configuration files that are typically used to store API keys, credentials, and authentication tokens.
The attackers primarily target cloud mail platforms such as 1and1, AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Nexmo, Office365, OneSignal, Plivo, Sendgrid, Sendinblue, Sparkpostmail, Tokbox, Twilio, Zimbra, and Zoho. The toolkit also includes separate scripts for maintaining persistence and elevating privileges on affected servers.
AlienFox v2, which was the earliest to appear in the wild (ITW), focuses on web server configuration and environment file extraction. The malware then parses the files for credentials and checks them against the target server by trying to connect via SSH using the Paramiko Python library.
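The fetch scripts described above work by requesting well-known configuration and environment file paths from a web server, so the defender-side counterpart is to watch the web server's access log for exactly those requests. The following is an added example, not code from SentinelLabs or from AlienFox itself: it parses Apache/nginx "combined" format log lines (the four sample lines are constructed) and reports which source addresses requested framework configuration files and whether the server actually served them. The file name list is an assumption based on the default locations of the frameworks named in the article.

```python
import re
from collections import defaultdict

# Assumed default configuration/environment file names for the frameworks the
# article names (Laravel, WordPress, Joomla, Drupal, Magento, PrestaShop,
# OpenCart). This list is an assumption for the example, not from the report.
SENSITIVE_FILENAMES = {
    ".env",              # Laravel and generic dotenv
    "wp-config.php",     # WordPress
    "configuration.php", # Joomla
    "settings.php",      # Drupal
    "env.php",           # Magento (app/etc/env.php)
    "settings.inc.php",  # PrestaShop
    "config.php",        # OpenCart
}

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_config_probe(path):
    """True if the last path component (query string stripped) is a sensitive file name."""
    name = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    return name in SENSITIVE_FILENAMES


def find_config_probes(lines):
    """Map each source IP to the list of (path, status) requests for config files."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_config_probe(rec["path"]):
            hits[rec["ip"]].append((rec["path"], int(rec["status"])))
    return dict(hits)


def served_config_files(lines):
    """Subset of probes the server answered with 200: these are real disclosures."""
    return {
        ip: [p for p, status in reqs if status == 200]
        for ip, reqs in find_config_probes(lines).items()
        if any(status == 200 for _, status in reqs)
    }


# Constructed sample log lines (RFC 5737 documentation addresses, no real hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2023:12:00:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.28"',
    '203.0.113.5 - - [10/Mar/2023:12:00:02 +0000] "GET /wp-config.php HTTP/1.1" 404 153 "-" "python-requests/2.28"',
    '198.51.100.7 - - [10/Mar/2023:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2023:12:00:04 +0000] "GET /app/etc/env.php?x=1 HTTP/1.1" 403 199 "-" "python-requests/2.28"',
]

if __name__ == "__main__":
    for ip, reqs in find_config_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} config-file requests: {reqs}")
    for ip, paths in served_config_files(SAMPLE_LOG).items():
        print(f"ALERT {ip} was served: {paths}")
```

A 404 or 403 on these paths is still worth recording as reconnaissance, but a 200 means the file left the server and every credential in it should be treated as compromised and rotated.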
AlienFox v2 also includes a script (awses.py) that automates sending and receiving messages through AWS SES (Simple Email Service) and applies elevated privileges to the attacker's AWS account. The second version of AlienFox contains an exploit for CVE-2022-31279, a deserialization vulnerability in the Laravel PHP Framework.
AlienFox v3 adds automatic extraction of keys and other sensitive data from Laravel environments, and the stolen information is tagged to indicate the collection method used. Version 3 also brings performance improvements: initialization variables, Python classes with modular functions, and process multithreading.
The most recent version of AlienFox found is v4, which has improved code and script organization and an expanded scope. In particular, the fourth version of the malware added targeting of WordPress, Joomla, Drupal, Prestashop, Magento and Opencart, an account verification tool for Amazon.com retail sites, and an automated cryptocurrency wallet seed cracker.
The scripts being added to the toolkit indicate that the AlienFox developer wants to expand the customer base or simply enrich the toolkit to ensure that existing customers are renewing their subscription.
To protect against this evolving threat, network administrators must ensure that their server configuration has the proper access controls, correct file permissions, and no unnecessary services installed.
Additionally, enabling multi-factor authentication (MFA) and keeping track of any unusual or suspicious account activity can also help stop an intrusion at an early stage.
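The "correct file permissions" advice above can be checked mechanically: the files AlienFox harvests are worth nothing to it if they are not readable by other local accounts and do not sit inside the document root. The following is an added example, not code from the article or from any of the named projects: it walks a web application directory, flags sensitive configuration files that are world-readable or world-writable, and flags `.env` files placed under the assumed `public` document root. The file name list and the demo directory layout it builds are assumptions for the example.

```python
import os
import shutil
import stat
import tempfile

# Assumed default configuration/environment file names for the frameworks the
# article names; an assumption for the example, not taken from the report.
SENSITIVE_FILENAMES = {
    ".env", "wp-config.php", "configuration.php", "settings.php",
    "env.php", "settings.inc.php", "config.php",
}


def audit_tree(root, webroot="public"):
    """Return [(relative_path, octal_mode, [problems])] for every sensitive file under root.

    webroot is the directory served by the web server, relative to root (assumed 'public').
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name not in SENSITIVE_FILENAMES:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = os.stat(full).st_mode
            problems = []
            if mode & stat.S_IROTH:
                problems.append("world-readable")
            if mode & stat.S_IWOTH:
                problems.append("world-writable")
            # A dotenv file under the document root can be fetched over HTTP
            # unless the web server explicitly blocks it.
            if name == ".env" and rel.startswith(webroot.rstrip("/") + "/"):
                problems.append("inside document root")
            findings.append((rel, oct(mode & 0o777), problems))
    return findings


def _write(path, content, mode):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)  # set explicitly so the demo does not depend on umask


def build_demo_tree():
    """Create a constructed Laravel/WordPress-style layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="config_audit_demo_")
    _write(os.path.join(root, ".env"), "APP_KEY=placeholder\n", 0o644)            # too open
    _write(os.path.join(root, "public", ".env"), "APP_KEY=placeholder\n", 0o600)  # wrong place
    _write(os.path.join(root, "public", "wp-config.php"), "<?php\n", 0o600)       # fine
    _write(os.path.join(root, "public", "index.php"), "<?php\n", 0o644)           # not sensitive
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for rel, mode, problems in audit_tree(demo):
            status = ", ".join(problems) if problems else "ok"
            print(f"{mode} {rel}: {status}")
    finally:
        shutil.rmtree(demo)
```

Group-readable is deliberately not flagged, because the web server's service account usually reads these files through a group grant; what should never be needed is the "other" bit, and what should never be present is a dotenv file in a directory the web server serves.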