AlienFox Malware Targets API Keys and Secrets from AWS, Google, and Microsoft Cloud Services

A new “comprehensive toolset” called AlienFox is being distributed on Telegram as a way for threat actors to harvest API keys and secrets from popular cloud service providers.

“The spread of AlienFox represents an unreported trend towards attacking more minimal cloud services, unsuitable for crypto mining, in order to enable and expand subsequent campaigns,” SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.

The cybersecurity company characterized the malware as highly modular and constantly evolving to accommodate new features and performance improvements.

The primary use of AlienFox is to enumerate misconfigured hosts via scanning platforms like LeakIX and SecurityTrails, and then leverage several scripts in the toolkit to extract credentials from configuration files exposed on those servers.

Specifically, it involves looking for vulnerable servers associated with popular web frameworks, such as Laravel, Drupal, Joomla, Magento, OpenCart, PrestaShop, and WordPress.
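The toolkit's first step is probing web servers for exposed framework configuration files. From the defender's side, the same pattern shows up in web server access logs, so here is an added example (not from the article or from SentinelOne's report) that parses Apache/nginx combined-format log lines, groups requests for credential-bearing config files by client IP, and separates mere probes from files the server actually served. The sample log lines are constructed, and the config file locations are this example's assumption about typical layouts for the frameworks named above.

```python
import re
from collections import defaultdict
# Constructed sample lines in Apache/nginx "combined" log format; not taken from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Mar/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 200 812 "-" "python-requests/2.28"
203.0.113.7 - - [30/Mar/2023:10:01:03 +0000] "GET /wp-config.php HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [30/Mar/2023:10:01:04 +0000] "GET /app/etc/env.php HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.9 - - [30/Mar/2023:10:02:10 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Credential-bearing config files for the frameworks the article names. The file
# locations are this example's assumption about typical layouts, not from the article.
CONFIG_PATHS = {
    "/.env": "Laravel (dotenv)",
    "/wp-config.php": "WordPress",
    "/configuration.php": "Joomla",
    "/app/etc/env.php": "Magento",
    "/config.php": "OpenCart",
    "/config/settings.inc.php": "PrestaShop",
    "/sites/default/settings.php": "Drupal",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["path"] = d["target"].split("?", 1)[0]  # drop the query string before matching
    d["status"] = int(d["status"])
    return d

def find_config_probes(log_text):
    """Group requests for known config files by client IP. A 2xx status on a config
    path means the file was actually served, so its secrets must be treated as
    compromised and rotated, not just the host hardened."""
    hits = defaultdict(lambda: {"probed": [], "exposed": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in CONFIG_PATHS:
            continue
        hits[rec["ip"]]["probed"].append((rec["path"], CONFIG_PATHS[rec["path"]], rec["status"]))
        if 200 <= rec["status"] < 300:
            hits[rec["ip"]]["exposed"].append(rec["path"])
    return dict(hits)
```

On the constructed sample, 203.0.113.7 is reported with three config probes and `/.env` listed as exposed, while the ordinary browsing from 198.51.100.9 produces no entry.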

The latest versions of the tool incorporate the ability to establish persistence on an Amazon Web Services (AWS) account and escalate privileges, as well as to automate spam campaigns through the compromised accounts.

Attacks involving AlienFox are said to be opportunistic, with the scripts capable of collecting sensitive data pertaining to AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Microsoft 365, Sendgrid, Twilio, Zimbra, and Zoho.

Two such scripts are AndroxGh0st and GreenBot, which were previously documented by Lacework and Permiso p0 Labs.

While AndroxGh0st is designed to parse a configuration file for specific variables and pull out their values for follow-on abuse, GreenBot (aka Maintance) includes an “AWS persistence script that creates a new administrator account and deletes the hijacked original account.”

Maintance further incorporates licensing checks, suggesting that the script is being offered as a commercial tool, and the ability to perform reconnaissance on the web server.

SentinelOne said it identified three different variants of the malware (from v2 to v4) dating back to February 2022. A notable feature of AlienFoxV4 is its ability to check whether an email address is already linked to an Amazon.com retail account and, if not, create a new account using that address.

To mitigate the threats posed by AlienFox, organizations are advised to adhere to configuration management best practices and follow the principle of least privilege (PoLP).

“The AlienFox toolset demonstrates another stage in the evolution of cybercrime in the cloud,” Delamotte said. “For victims, compromise can lead to additional service costs, loss of customer trust, and remediation costs.”

Some parts of this article are sourced from:
thehackernews.com
