Modular "AlienFox" Toolkit Used to Steal Cloud Service Credentials

A new malware toolset has been discovered and analyzed by security experts at SentinelOne. Dubbed “AlienFox” by the team, the toolkit can harvest credentials for multiple cloud service providers.

An advisory published on Thursday by SentinelOne threat researcher Alex Delamotte shows that attackers used AlienFox to successfully harvest API keys and secrets from various services, including Amazon Web Services (AWS) Simple Email Service (SES) and Microsoft Office 365.

“AlienFox is a modular toolset primarily distributed on Telegram in the form of source code archives. Some modules are available on GitHub for any would-be attacker to adopt,” Delamotte explained.

Many of these modules are open source, so threat actors could adapt and modify them to suit their needs. 

“The evolution of recurring features suggests the developers are becoming increasingly sophisticated, with performance considerations at the forefront in more recent versions,” Delamotte wrote.

Threat actors using AlienFox employed the toolkit to compile lists of misconfigured hosts from several security scanning platforms like LeakIX and SecurityTrails.

“They use multiple scripts in the toolset to extract sensitive information such as API keys and secrets from configuration files exposed on victims’ web servers,” reads the SentinelOne advisory.
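A defender-side self-audit of the exposure the advisory describes, added here as an example (not code from SentinelOne or from the AlienFox toolkit): it walks a web document root for configuration files a web server could serve and flags those holding credential-like values (AWS access key IDs, secret assignments) or that are world-readable. The file names, regular expressions and the constructed sample root are assumptions for illustration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Configuration file names commonly served from a web root by mistake (assumed list).
EXPOSED_CONFIG_NAMES = {".env", "wp-config.php", "config.php", "settings.py", "credentials"}
# AWS access key IDs are "AKIA" followed by 16 upper-case letters or digits.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Heuristic: a secret-looking variable being assigned a value.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)\b(aws_secret_access_key|secret_key|api_key|smtp_password|mail_password)\s*[=:]")


def audit_web_root(root):
    """Return sorted (relative_path, [reasons]) pairs for config files under `root`
    that look like they expose credentials to anyone who can fetch them."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or (path.name not in EXPOSED_CONFIG_NAMES and not path.name.endswith(".env")):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable to us; nothing to report
        reasons = []
        if AWS_ACCESS_KEY_RE.search(text):
            reasons.append("aws-access-key-id")
        if SECRET_ASSIGN_RE.search(text):
            reasons.append("secret-assignment")
        if os.stat(path).st_mode & stat.S_IROTH:
            reasons.append("world-readable")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_sample_root():
    """Create a constructed sample web root in a temp dir (placeholder values, not real keys)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<html>hello</html>\n")
    env = root / ".env"
    env.write_text("AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\nAWS_SECRET_ACCESS_KEY=not-a-real-secret\n")
    os.chmod(env, 0o644)  # readable by the web server user and everyone else
    cfg = root / "app" / "config.php"
    cfg.parent.mkdir()
    cfg.write_text("<?php\n$smtp_password = 'placeholder';\n")
    os.chmod(cfg, 0o600)
    return root


if __name__ == "__main__":
    for rel, reasons in audit_web_root(build_sample_root()):
        print(rel, ",".join(reasons))
```

Run it against a real document root to see which files an unauthenticated request could reach; anything flagged should be moved outside the web root or blocked in the server configuration, and the keys inside rotated.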

Further, some of the most recent variants observed by the team featured new scripts that automated malicious actions using the stolen credentials.

According to Delamotte, the spread of AlienFox represents a novel trend towards attacking more minimal cloud services (unsuitable for cryptomining) to then enable and expand subsequent campaigns.

“Opportunistic cloud attacks are no longer confined to cryptomining: AlienFox tools facilitate attacks on minimal services that lack the resources needed for mining,” Delamotte added. “For victims, [service credentials] compromise can lead to additional service costs, loss in customer trust and remediation costs.”

The SentinelOne findings come days after Microsoft suggested that just 1% of all cloud permissions are actively used, potentially leading to severe security risks.
