A comprehensive toolset dubbed "AlienFox" has been discovered harvesting credentials for up to 18 cloud service providers.
In a March 30 blog post, SentinelLabs said the threat actor uses AlienFox to harvest API keys and secrets from many major cloud service providers, including AWS Simple Email Service, Google Workspace, Microsoft Office 365, and Twilio, Zimbra, and Zoho.
The researchers said the attackers distribute AlienFox on Telegram in the form of a source code archives. Some modules are now available on GitHub for any would-be attacker to adopt.
Evidently, AlienFox’s spread also represents an unreported trend towards attacking more minimal cloud services that are unsuitable for cryptomining, but serve as launchpads to enable and expand subsequent campaigns.
SentinelLabs identified AlienFox versions 2 through 4, which date from February 2022 onward. Several scripts SentinelLabs analyzed were summarized by other researchers as malware families Androxgh0st (Lacework) and GreenBot (Permiso). As the researchers from the other organizations noted, the scripts are also readily available in open sources, including GitHub, which lends to constant adaptation and variation in the wild.
AlienFox targets one of the most sought after internet resources, our secrets and credentials, that let cybercriminals get past an organization’s authentication and security controls so they can steal data, cause disruption and profit from their actions, said Joseph Carson, chief security scientist and Advisory CISO at Delinea. Carson said AlienFox targets common misconfigurations in cloud-based servers in an automated way — it’s a highly sought-after technique as it lets attackers work at stealing secrets and credentials while they are busy doing other things.
“Automation appears to not just be a top priority for businesses, but also for criminals,” said Carson.
Carson suggested organizations make it as difficult as possible for tools such as AlienFox to succeed by testing and auditing internet-facing servers, and using strong authentication solutions such as privileged access management.
Dan Benjamin, co-founder and CEO at Dig Security, added that the emergence of toolkits such as AlienFox underscores the increasing sophistication of attacker networks and their collective ability to cause harm and disruption. Benjamin said it’s a very concerning trend where the attackers behind AlienFox adapt the tool so it’s effective across more targets, particularly those in use widely across enterprises.
“There are massive amounts of sensitive data in these cloud-based email and messaging systems that are now at severe risk of exposure,” Benjamins said. “Considering how widely platforms like AWS, Google Workspace, Office365, and Zoho are used — even if the targeting is opportunistic — the potential for widespread business risk is substantial. The whole supply chain can be put at risk. The realities of this threat cannot be ignored, especially as toolkits evolve in the wild.”
By now, organizations should realize that for every defensive measure they believe they have in place, there are always purpose-built offensive toolsets readily available to defeat many, if not all of their measures, said Stephen Gates, security evangelist at Checkmarx.
“The real key takeaway for today’s organizations is to obtain the attack tool sets themselves, launch them 'safely' against their own environments, and determine what attackers will likely discover,” Gates said. “This preemptive approach is certainly better than the convalescent measures after getting exploited."