A recently discovered comprehensive toolset dubbed AlienFox is circulating on Telegram.
It’s a modular set of tools that enables malicious actors to scan for poorly configured servers, potentially leading to the theft of cloud-based email service credentials and authentication secrets.
SentinelOne security researcher Alex Delamotte stated:
“A new trend in cyberattacks involves exploiting less complex cloud services that are unsuitable for cryptocurrency mining. The spread of AlienFox is an example of this trend, as it allows attackers to expand their operations and launch further campaigns. This development has gone largely unreported in the cybersecurity community.”
The toolkit is sold to cybercriminals through a private Telegram channel, which has become the usual way for network hackers and malware authors to transact.
Hosting Frameworks Targeted
AlienFox targets the following hosting frameworks:
The versions of AlienFox that the security analysts identified:
The discovery of three different versions of AlienFox suggests that the toolkit’s creator is actively developing and improving it. This finding comes from analysis conducted by cybersecurity researchers at SentinelOne.
There are a number of custom tools in AlienFox that were developed by different authors and utilize a variety of modified open-source utilities.
Malicious actors use AlienFox to obtain inventories of poorly configured cloud endpoints from security scanning platforms, including:
AlienFox then uses data-extraction scripts to retrieve configuration files that typically store sensitive data from the misconfigured servers, including:
In addition to its primary function, the toolkit features independent scripts that can establish persistence and elevate privileges on servers with identified vulnerabilities.
AWS account access and privilege escalation have been integrated into recent versions of the tool. The toolkit can also automate spam campaigns through compromised accounts to further its operations.
The earlier version, AlienFox v2, concentrates primarily on extracting and modifying the web server’s environment files.
It then searches those files for credentials and uses the Paramiko Python library to test them against the targeted server.
With the release of AlienFox v3, the toolkit can now automatically extract keys and secrets from Laravel environments. In addition, harvested data now includes tags that specify the acquisition method.
AlienFox’s latest version, v4, boasts improved organization of its code and scripts. Additionally, the toolkit’s targeting scope has been broadened.
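The harvesting described above starts with web requests for exposed environment files such as Laravel `.env`. As an added defender-side example (not code from the article or from SentinelOne), the script below parses web server access log lines, flags requests for secret-bearing paths, and reports per source IP how many probes were made and which files were actually served. The log lines and the path list beyond `.env` are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (not from the article).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2023:12:00:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.28"
198.51.100.7 - - [10/Mar/2023:12:00:02 +0000] "GET /laravel/.env HTTP/1.1" 404 162 "-" "python-requests/2.28"
198.51.100.7 - - [10/Mar/2023:12:00:03 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "python-requests/2.28"
203.0.113.9 - - [10/Mar/2023:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2023:12:00:06 +0000] "GET /.env HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, request method/path, HTTP status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Secret-bearing files an attacker harvests from misconfigured servers.
# The article names environment (.env) files; the other entries are assumptions.
SENSITIVE_PATH_RE = re.compile(
    r'(^|/)(\.env(\.[\w-]+)?|\.git/config|wp-config\.php(\.bak)?)$', re.IGNORECASE
)


def parse_line(line):
    """Return {"ip", "path", "status"} for a combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"].split("?")[0], "status": int(m["status"])}


def detect_env_harvesting(log_text):
    """Map each probing IP to {"attempts": n, "exposed": [paths answered with 2xx]}.

    A non-empty "exposed" list means the server actually handed out a secret file
    and the credentials inside should be treated as compromised and rotated.
    """
    findings = defaultdict(lambda: {"attempts": 0, "exposed": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SENSITIVE_PATH_RE.search(rec["path"]):
            continue
        entry = findings[rec["ip"]]
        entry["attempts"] += 1
        if 200 <= rec["status"] < 300:
            entry["exposed"].append(rec["path"])
    return dict(findings)


if __name__ == "__main__":
    for ip, result in detect_env_harvesting(SAMPLE_LOG).items():
        print(ip, result)
```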
Cloud-based Email Platforms Targeted
The targeted cloud-based email platforms include:
The security researchers offered the following recommendations to help defenders counter this evolving threat: