Modular “AlienFox” Toolkit Used to Steal Cloud Service Credentials

A new malware toolset has been discovered and analyzed by security authorities at SentinelOne. Dubbed “AlienFox” by the crew, the toolkit can harvest qualifications for various cloud service providers.

An advisory released on Thursday by SentinelOne menace researcher Alex Delamotte reveals that attackers utilised AlienFox to efficiently harvest API keys and secrets from various companies, which include Amazon Web Providers (AWS) Straightforward Email Services (SES) and Microsoft Workplace 365.

“AlienFox is a modular toolset largely distributed on Telegram in the variety of source code archives. Some modules are readily available on GitHub for any would-be attacker to undertake,” Delamotte stated.

✔ Approved Seller From Our Partners

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount

Numerous of these modules are open up resource, so risk actors could adapt and modify them to go well with their wants. 

Browse extra on open supply malware below: The Security Challenge of Open up Supply Software package

“The evolution of recurring options suggests the builders are turning out to be more and more complex, with efficiency criteria at the forefront in far more the latest versions,” Delamotte wrote.

Danger actors using AlienFox employed the toolkit to compile lists of misconfigured hosts from several security scanning platforms like LeakIX and SecurityTrails.

“They use various scripts in the toolset to extract sensitive info this sort of as API keys and insider secrets from configuration information exposed on victims’ web servers,” reads the SentinelOne advisory.

Even more, some of the most new variants noticed by the workforce showcased new scripts that automated malicious steps employing the stolen qualifications.

In accordance to Delamotte, the unfold of AlienFox represents a novel development in the direction of attacking additional nominal cloud products and services (unsuitable for cryptomining) to then permit and develop subsequent campaigns.

“Opportunistic cloud attacks are no more time confined to cryptomining: AlienFox instruments aid attacks on minimum companies that absence the assets wanted for mining,” Delamotte extra. “For victims, [service credentials] compromise can direct to extra service costs, reduction in shopper trust and remediation expenses.”

The SentinelOne conclusions arrive days right after Microsoft advised that just 1% of all cloud permissions are actively utilised, likely top to intense security dangers.