ALIENFOX MALWARE

30 May 2023 Phishup Editor

AlienFox is a modular toolkit made up of custom tools and modified open-source utilities created by different people. It is a new Trojan that targets misconfigured servers to steal credentials and confidential data. According to security shops, the AlienFox toolkit is being sold on Telegram as a way to compromise misconfigured hosts on cloud service platforms and collect sensitive information such as API keys and other secrets. A rapidly evolving toolkit that can be used to compromise email and web hosting services represents a disturbing evolution of cloud attacks, which were previously mostly limited to cryptocurrency mining. According to reports by senior threat researchers, this marks a relatively new turn in opportunistic cloud attacks.

According to statements made by cyber security companies, the malware is highly modular and constantly evolving to accommodate new features and performance improvements.

AlienFox Targets Your Secrets

The primary use of AlienFox is to sort through misconfigured hosts via scanning platforms such as LeakIX and SecurityTrails, and then leverage various scripts in the toolkit to extract credentials from configuration files exposed on the servers. Specifically, this entails searching for vulnerable servers associated with popular web frameworks such as Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress.

Recent versions of the tool include the ability to create persistence and elevate privileges on an Amazon Web Services (AWS) account, as well as automate spam campaigns through compromised accounts.

The attacks involving AlienFox are said to be opportunistic, with scripts capable of collecting sensitive data related to AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Microsoft 365, Sendgrid, Twilio, Zimbra, and Zoho.

Researchers said they have identified three different variants (v2 to v4) of the malware dating back to February 2022. A notable function of AlienFoxV4 is its ability to check whether an email address is already linked to an Amazon.com retail account.

To mitigate the threats posed by AlienFox, it is recommended that organizations adhere to configuration management best practices and follow the principle of least privilege.
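
As a starting point for the configuration management recommended above, the following added example (not code from AlienFox or from any vendor report) audits a web document root you own for framework configuration files that hold populated secrets, the kind of exposed file the toolkit is described as harvesting. The file names, key-name patterns, helper names and sample data are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed file names: config files used by some frameworks the article lists
# (Laravel .env, WordPress wp-config.php, Magento env.php). Extend per stack.
CONFIG_NAMES = {".env", "wp-config.php", "env.php"}

# Assumed key-name conventions for services the article names; not a list
# taken from the toolkit itself.
SECRET_KEY = re.compile(
    r"\b((?:AWS|TWILIO|SENDGRID|MAILGUN|MANDRILL)_[A-Z0-9_]*(?:KEY|SECRET|TOKEN|SID)[A-Z0-9_]*"
    r"|(?:DB|MAIL)_PASSWORD)\b['\"]?\s*(?:=>|[=:,])\s*['\"]?[^\s'\"]"
)


def audit_webroot(root):
    """Return sorted (relative path, line number, key name) for populated secrets."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in CONFIG_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if line.lstrip().startswith(("#", "//")):
                        continue  # commented-out setting
                    match = SECRET_KEY.search(line)
                    if match:
                        # Record the key name only, never the secret value.
                        rel = os.path.relpath(path, root)
                        findings.append((rel, lineno, match.group(1)))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample: a Laravel-style .env left inside the served directory."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "public"))
    with open(os.path.join(root, "public", ".env"), "w", encoding="utf-8") as fh:
        fh.write("APP_NAME=demo\n# AWS_SECRET_ACCESS_KEY=old\n"
                 "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00\n"
                 "MAIL_PASSWORD=constructed-value\nSENDGRID_API_KEY=\n")
    with open(os.path.join(root, "public", "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php echo 'ok';\n")
    return root


if __name__ == "__main__":
    for rel, lineno, key in audit_webroot(build_sample_webroot()):
        print(f"{rel}:{lineno}: {key} is readable from the document root")
```

Any finding means the file should be moved out of the served directory or blocked by the web server, and the listed credentials rotated and scoped down in line with least privilege.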