A simple mail transfer protocol (SMTP) abuse tool dubbed Legion can scan Shodan to identify misconfigured cloud servers and then take over SMTP email marketing programs or launch phishing campaigns.
In a blog post Thursday, Cado Security said Legion was focused on enumerating vulnerable SMTP servers, conducting remote code execution, and exploiting vulnerable versions of Apache. The tool has been targeting 19 different cloud services, including AWS, PayPal, Stripe and Twilio.
Legion can also send SMS text messages to launch mobile-based phishing and disinformation campaigns and has targeted 14 different telecoms, including AT&T, Sprint, T-Mobile, and Verizon. It can also bundle additional functionality traditionally found in more common hacking tools, such as the ability to execute web server specific exploit code and brute force account credentials.
Matt Muir, a threat intelligence researcher at Cado, said security administrators can neutralize Legion by making sure their environment files are not exposed to the public internet.
“Environment files are text files used to store credentials,” explained Muir. “By securing the environment files there’s not much Legion can do. Admins have to make sure that the environment files are not located in a directory that’s exposed to the internet.”
Muir said Cado researchers consider Legion an emerging generation of cloud-focused credential harvester/spam utilities. Developers of these tools often steal each other's code, making attribution to a particular group difficult.
During their research, Muir said the researchers also realized that Legion was related to a more recent malware sample that Ian Ahl from Permiso had analyzed. In the spirit of collaboration and considering they have a mutual interest in cloud security, Cado reached out to Ahl to get his thoughts on this particular sample, which he shared in a recent blog.
“Mail and SMS abuse are big business for attackers,” wrote Ahl. “We have come across close to a dozen variants of similar scripts that are being sold regularly for nefarious purposes. Legion is not the first nor will it be the last.”
Muir said Legion also bears some similarities to tools such as Andr0xGhost, discovered by Lacework, and AlienFox, discovered by SentinelOne. These tools are often distributed via Telegram and their features make them attractive to those wishing to conduct mass spam or phishing operations.
The Telegram groups used to distribute Legion have a combined membership of about 5,000. Muir said although we can assume not everybody in these groups will purchase a license for the software, it’s clear that there’s now considerable demand for such a tool.
“If even half of the members purchased a license and used the SMTP abuse capabilities for spam or phishing purposes, I don’t think it’s unreasonable to assume that tens of thousands of users would be affected,” said Muir, who also footnoted that at the time the blog was written, Cado researchers had seen zero detections on VirusTotal.
It’s important to note that the credentials being harvested in this case are potentially privileged API credentials, said Nick Rago, Field CTO at Salt Security. Rago said stolen credentials pose a critical risk to APIs.
“Attackers often look to get access to an API using credentials or tokens obtained through nefarious means,” said Rago. “Once they gain the valid privileged credential or token, the attacker can leverage the API to exfiltrate data or compromise a service.”
Davis McCarthy, principal security researcher at Valtix, added that Legion automates real world tactics, techniques and procedures at scale, reducing the threat actors time to initial access. McCarthy explained that if the hacker can’t exploit the target organization’s infrastructure remotely, then there are options to brute-force AWS credentials and set up phishing campaigns with Amazon SES.
“The AWS module also tags newly created malicious users, working as a defense evasion technique and establishing legitimacy,” said McCarthy. “Even target reconnaissance is made easy by integrating with Shodan.”