[German]AlienFox is a toolkit for compromising email and web hosting services. This toolkit is highly modular, comes in multiple versions, and attempts to exploit misconfigurations in the cloud to grab credentials for services such as AWS, Microsoft 365, Google Workspace, 1and1, etc. Security researchers from SentinelLabs, the research division of SentinelOne, have analyzed multiple versions of AlienFox and are making their findings available. Companies should arm themselves accordingly and protect themselves from attacks by the toolkit.
Advertising
The analysis revealed that the toolkit is highly modular and regularly evolves to target and then tap into the credentials of multiple cloud email services. Interestingly, most of the tools in the toolkit are open source. This gives actors the ability to easily modify and adapt them to their needs. Many threat actors have collaborated on different versions of the tools, and the development of recurring features suggests that developers are constantly improving their attack techniques.
Finding misconfigured hosts in the cloud
SentinelLabs writes that the actors use the AlienFox toolset to collect lists of misconfigured hosts from security scanning platforms such as LeakIX and SecurityTrails. They use multiple scripts in the toolset to extract sensitive information such as API keys and secrets from configuration files located on victims' web servers.
LeakIX is a web-based, search engine developed in Belgium that indexes all services and web applications on IPv4 and now also on IPv6 and works similarly to Shodan. The platform allows security researchers (but also thread actors) to search the Internet for services with vulnerabilities or misconfiguration. Pentesting has published an overview article on LeakIX here.
SecurityTrails allows security researchers to examine current and historical data (IP and DNS history, domain, SSL and open port information) for any Internet asset. Thus, both platforms are legitimate projects used by security researchers for their analysis, but they can also be abused by thread actors.
According to SentinelLabs, later versions of the toolset use scripts that allow actors to automate certain actions using the stolen credentials. These include:
- Set up Amazon Web Services (AWS) account persistence and privilege escalation.
- Collect sending quotas and automate spam campaigns via victim accounts or services.
So the AlienFox toolkit is sort of like the "Swiss Army knife" for cybercriminals to automate their actions and attack victims.
Broad target groups for AlienFox
The AlienFox Toolkit combines tools that target a wide range of web services. But the overarching theme is to focus on cloud-based and software-as-a-service (SaaS) email hosting services.
Advertising
SentinelLabs' current observations indicate that AlienFox is primarily opportunistic (i.e., adapting to the situation). Actors exploit server misconfigurations related to popular web frameworks, including Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress.
When a vulnerable server is identified, the actor analyzes the exposed environment or configuration files, which store sensitive information such as enabled services and their associated API keys and other sensitive information. The security researchers found scripts aimed at tapping tokens and other confidential data from services such as:
- AWS SES
- Google Workspace
- Microsoft 365
target. The captured information can then be used to plan and execute targeted attacks.
Different AlienFox versions
So far, security researchers have identified AlienFox versions 2 to 4, which are available as of February 2022. The techniques of the tool and their organization vary from version to version.
Several analyzed scripts were grouped into Androxgh0st and GreenBot (alias Maintance) malware families. As could be noted, the scripts are readily available in open sources such as GitHub, which allows for constant adaptation and variation in the wild.
AlienFox V2
Version 2 is the oldest of the known AlienFox toolsets and focuses primarily on extracting credentials from web server configuration or environment files. The archive analyzed by the security researchers contains the output of an actor who ran the tools, including AWS access and secret keys. In this version of the AlienFox toolset, the core utility is housed in a script called s3lr.py, which is similar to the env.py described in later versions.
Recommendations for enterprises
To protect against AlienFox toolsets, security researchers recommend enterprises rely on configuration management best practices to adhere to the principle of least privilege when configuring services. The use of a Cloud Workload Protection Platform (CWPP) on virtual machines and containers should be considered to detect interactive activities with the operating system.
Since activities such as brute force or password spray attempts may not be logged by certain service providers, monitoring follow-up actions, including the creation of new accounts or service profiles – especially those with high privileges – is recommended. In addition, on company platforms, newly added email addresses should be reviewed.
The conclusion of the security researchers
According to SentinelLabs researchers, the AlienFox toolset shows another stage in the evolution of cybercrime targeting the cloud. Cloud services have well-documented, powerful APIs that allow developers of all skill levels to easily write tools for the service. The toolset has been gradually improved through better coding practices and the addition of new modules and features.
Opportunistic cloud attacks are no longer limited to cryptomining: AlienFox tools facilitate attacks on minimal services that do not have the resources required for mining. Analysis of the tools and tool output revealed that actors use AlienFox to identify and collect service credentials from misconfigured or unprotected services. For victims, compromise can result in additional service costs, loss of customer trust, and remediation costs.
SentinelLabs published the result of their investigation with further details at the end of March 2023 in the blog post Dissecting AlienFox | The Cloud Spammer's Swiss Army Knife.
Advertising
