AlienFox massively steals data from cloud services

    A new modular tool called "AlienFox" allows attackers to scan misconfigured cloud servers to steal authentication keys and mail service credentials. The toolkit is sold by cybercriminals in their own private Telegram channel.

    Researchers at SentinelLabs who analyzed AlienFox report that the toolkit targets commonly misconfigured servers running popular services such as Laravel, Drupal, Joomla, Magento, Opencart, Prestashop and WordPress.

    AlienFox is a modular toolbox consisting of custom tools and modified open source utilities written by several different authors. Analysts have identified three distinct versions of AlienFox, which indicates that the authors of the toolkit are actively developing and improving it.

    Attackers use AlienFox to collect lists of misconfigured cloud servers from security scanning platforms such as LeakIX and SecurityTrails. The toolkit then uses fetch scripts to search these servers for sensitive configuration files that are typically used to store API keys, credentials, and authentication tokens.

    The attackers primarily target cloud mail platforms such as 1and1, AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Nexmo, Office365, OneSignal, Plivo, Sendgrid, Sendinblue, Sparkpostmail, Tokbox, Twilio, Zimbra, and Zoho. The toolkit also includes separate scripts for establishing persistence and escalating privileges on affected servers.

    AlienFox v2, the earliest version seen in the wild (ITW), focuses on extracting web server configuration and environment files. The malware then parses those files for credentials and validates them against the target server by attempting an SSH connection with the Paramiko Python library.

    AlienFox v2 also includes a script (awses.py) that automates sending and receiving messages through AWS SES (Simple Email Service) and grants elevated privileges to the attacker's AWS account. The second version of AlienFox also contains an exploit for CVE-2022-31279, a deserialization vulnerability in the Laravel PHP framework.

    AlienFox v3 adds automatic extraction of keys and other sensitive data from Laravel environments, and the stolen information carries tags indicating the collection method used. Version 3 also brings performance improvements, along with initialization variables, Python classes with modular functions, and process multithreading.

    The most recent version of AlienFox found is v4, which has improved code and script organization and an expanded scope. In particular, the fourth version of the malware adds targeting of WordPress, Joomla, Drupal, Prestashop, Magento and Opencart, an account verification tool for Amazon.com retail sites, and an automated cryptocurrency wallet seed cracker.

    The scripts being added to the toolkit indicate that the AlienFox developer wants to expand the customer base, or simply to enrich the toolkit so that existing customers renew their subscriptions.

    To protect against this evolving threat, network administrators must ensure that their server configuration has the proper access controls, correct file permissions, and no unnecessary services installed.

    Additionally, enabling multi-factor authentication (MFA) and monitoring for unusual or suspicious account activity can help stop an intrusion at an early stage.
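The fetch scripts described above work by requesting framework configuration and environment files over HTTP, so a web server's own access log is the natural place to spot both the probing and, worse, a file that was actually served. The following detector is an added example written for this article, not code from SentinelLabs or from the AlienFox toolkit; the log lines, IP addresses and the list of config-file paths are constructed assumptions chosen to match the frameworks the article names.

```python
import re
from collections import Counter

# Constructed Apache/nginx combined-format access-log lines (not real traffic).
# 203.0.113.7 probes three config files and is served /.env; 198.51.100.4 is blocked.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /wp-config.php HTTP/1.1" 404 0 "-" "python-requests/2.28"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /sites/default/settings.php HTTP/1.1" 403 0 "-" "python-requests/2.28"
198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:06 +0000] "GET /.env?x=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed config/environment files for the frameworks the article lists.
SENSITIVE_PATHS = (
    "/.env",                        # Laravel and other dotenv-based apps
    "/wp-config.php",               # WordPress
    "/configuration.php",           # Joomla
    "/sites/default/settings.php",  # Drupal
    "/app/etc/env.php",             # Magento
    "/config/settings.inc.php",     # PrestaShop
    "/config.php",                  # OpenCart
)


def analyze_access_log(log_text, probe_threshold=2):
    """Return exposed config files (served with HTTP 200) and IPs probing for them."""
    exposed = []      # (ip, path) pairs the server actually answered with 200
    hits = Counter()  # number of sensitive-file requests per client IP
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0]  # drop query string before matching
        if not path.endswith(SENSITIVE_PATHS):
            continue
        hits[m.group("ip")] += 1
        if m.group("status") == "200":
            exposed.append((m.group("ip"), path))
    probing = sorted(ip for ip, n in hits.items() if n >= probe_threshold)
    return {"exposed": exposed, "probing": probing}


if __name__ == "__main__":
    print(analyze_access_log(SAMPLE_LOG))
```

A 200 response for any of these paths means the file is reachable and its secrets should be treated as compromised; a 403 or 404 still records which clients are hunting for them.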

    Author DeepWeb