AlienFox Malware: A New Threat to Cloud Services API Keys and Secrets
AlienFox, a new and highly modular malware toolset, has been discovered targeting API keys and secrets for major cloud service providers such as AWS, Google, and Microsoft. Distributed via Telegram, the toolset lets threat actors harvest credentials from vulnerable servers. According to a report by SentinelOne security researcher Alex Delamotte, AlienFox reflects an emerging trend of attacking smaller cloud services that lack the resources for crypto mining, with the stolen credentials enabling and expanding subsequent cyber campaigns.
The malware scans platforms like LeakIX and SecurityTrails to identify misconfigured hosts and extracts credentials from exposed configuration files on servers. It targets popular web frameworks, including Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress. Recent versions of AlienFox can establish persistence on AWS accounts, escalate privileges, and automate spam campaigns through compromised accounts.
Attacks involving AlienFox are opportunistic, gathering sensitive data from various services such as AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Microsoft 365, Sendgrid, Twilio, Zimbra, and Zoho. The scripts AndroxGh0st and GreenBot (aka Maintance), previously documented by Lacework and Permiso p0 Labs, are associated with AlienFox.
To mitigate threats posed by AlienFox, organizations are advised to follow configuration management best practices and adhere to the principle of least privilege (PoLP). Delamotte highlights that AlienFox represents another stage in the evolution of cybercrime in the cloud, with victims potentially facing additional service costs, loss of customer trust, and remediation expenses.
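Least privilege is the mitigation the article names, and it matters most for the AWS persistence and privilege-escalation behaviour described above: a harvested key is only as dangerous as the policy attached to it. The following linter is an added example (not code from the article or from SentinelOne) that scans an IAM policy document for wildcard actions, wildcard resources, and the IAM actions that let a holder mint new credentials or widen their own access, and shows an over-broad policy next to a tightly scoped one. Both policies are constructed for this example, and the watch-list of persistence actions is an assumption chosen for illustration, not an official list.

```python
import json

# Constructed over-broad policy: the kind of access a harvested key should never carry.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:CreateAccessKey", "ses:*"], "Resource": "*"},
    ],
}

# Constructed least-privilege policy: only the two actions a mail-sending role
# needs, scoped to one verified SES identity (account id is the AWS example id).
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": "arn:aws:ses:us-east-1:123456789012:identity/mail.example.test",
        }
    ],
}

# IAM actions that let the holder create new credentials or widen access.
# Assumption for this example: a starting watch-list, not an exhaustive one.
PERSISTENCE_ACTIONS = {
    "iam:createuser",
    "iam:createaccesskey",
    "iam:createloginprofile",
    "iam:attachuserpolicy",
    "iam:putuserpolicy",
    "iam:attachrolepolicy",
    "iam:putrolepolicy",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of human-readable findings for over-broad Allow statements."""
    findings = []
    statements = _as_list(policy.get("Statement"))
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            if action == "*":
                findings.append(f"statement {i}: Action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: service-wide wildcard '{action}'")
            elif action.lower() in PERSISTENCE_ACTIONS:
                findings.append(f"statement {i}: '{action}' lets the holder mint or widen credentials")
        if "*" in _as_list(st.get("Resource")):
            findings.append(f"statement {i}: Resource '*' applies to every resource")
    return findings


def lint_policy_json(text):
    """Convenience wrapper for a policy stored as a JSON string or file contents."""
    return lint_policy(json.loads(text))


if __name__ == "__main__":
    for name, policy in (("over-broad", OVERBROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"{name}:")
        for line in lint_policy(policy) or ["  no findings"]:
            print("  " + line.lstrip())
```

The point of the two policies side by side is the contrast: the first turns any leaked key into account-wide control plus the ability to create fresh credentials that outlive a rotation, while the second limits a stolen key to sending mail from one identity, which is still worth monitoring but is a bounded blast radius.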
Read the full article on The Hacker News