A newly identified Python-based hacking tool called FBot has been targeting web servers and software-as-a-service (SaaS) technologies such as Amazon Web Services (AWS), Microsoft Office 365, PayPal, Sendgrid, and Twilio.
In a Jan. 11 blog post, SentinelOne researchers said FBot does not leverage the widely-used Androxgh0st code, but shares similarities with the Legion cloud infostealer in functionality and design.
The researchers said FBot was primarily designed for threat actors to hijack cloud, SaaS, and web services. There’s a secondary focus on obtaining accounts to conduct spamming attacks, and bad actors can use the credential harvesting features to obtain initial access, which they can sell to other parties.
Balazs Greksza, threat response lead at Ontinue, said security pros should think of FBot as a collection of high level scripts: the tool only runs about 200 KB or 4,000 lines of Python code with 22 options, meaning each functionality is pretty simplistic.
By comparison, Greksza said network mapper (NMAP), which the industry considers the Swiss Army knife of port scanning, is 17 megabytes compressed. The FBot “port_scanner” only attempts some specific checks for 7 HTTP headers. The script works with publicly available data or assumes the access keys of sensitive, already compromised credentials, so it does not take care of the hacking-brute forcing at all.
“For more important targets, AWS security teams shouldn’t be all too worried about FBot, rather, should focus on the general cloud security concerns,” said Greksza. “The AWS attack options check simple mail transfer protocol (SMTP) targets, Amazon elastic compute cloud (EC2) instances, and list resources. As long as they follow AWS identity and access management (IAM) best practices, don’t use AWS root users, and configure MFA [multi-factor authentication] for normal users, monitor new identities, as a means of persistence and potential actors of attacks, the AWS operators should be fine.”
John Bambenek, president at Bambenek Consulting, added that the important defenses here are enabling MFA for at least the most sensitive transactions, such as adding or deleting users, creation of new API keys, or the creation of new resources, as well as to ingest all of the logs for these SaaS platforms into a SIEM.
“Much of this abuse can be detected by simple frequency analysis or by detecting login anomalies,” said Bambenek. “While the quality of logging varies greatly, all of the platforms have audit logs for logins and resource modification, which give security pros the raw tools for rapid detection and remediation of misuse, as long as those logs make it to the SIEM.”
Emily Phelps, director at Cyware, said to safeguard against Python-based hacking tools like FBot targeting cloud and SaaS platforms, security teams should focus on a multi-pronged approach: enforce MFA, conduct regular credential audits, train employees on security awareness, and implement endpoint security.
“They should also engage in network segmentation, enhance activity monitoring, maintain up-to-date software, and enforce strict access control policies,” said Phelps. “Regular penetration testing, data encryption, and collaboration with cloud service providers are also crucial for comprehensive protection against such cyber threats.”
