95% of security breaches come down to one of two causes: doing something you are not supposed to do, or not doing what needs to be done. Today we discuss the latter, not doing what needs to be done, in the form of server misconfiguration. Misconfigured assets give attackers an entry point into your organization.
In this article, we discuss what the new AlienFox credential stealer toolkit is and whom it targets.
The most efficient way of intruding into any system is to steal credentials, and attackers will go to great lengths to do so. Common credential-stealing malware includes keyloggers, programs that wait until the user enters credentials and then capture them, and tools that dump credentials already stored by Windows or by browsers.
AlienFox is one of the latest toolkits targeting web services, primarily cloud-based email services. It is highly modular and evolves rapidly. Most of the tools in the toolkit are built on open-source code: the developers readily adapt and modify existing tools to suit their needs rather than writing everything from scratch.
Threat actors use AlienFox to collect information on misconfigured hosts with the help of security scanning platforms such as LeakIX and SecurityTrails. From those hosts, the scripts collect sensitive information such as API keys and exposed configuration files.
Multiple versions of AlienFox exist; distribution and use of the toolkit have been observed from February 2022 onward. Analysis by multiple researchers concluded that the scripts belong to the Androxgh0st and GreenBot (aka Maintance) malware families. Because the scripts are publicly available on GitHub, the toolkit adapts and evolves quickly.
The latest version, AlienFox v4, adds the ability to automate malicious actions with the stolen credentials, including establishing persistence and escalating privileges in Amazon Web Services (AWS), and sending spam campaigns from compromised accounts.
AlienFox v4 logo (Source: SentinelOne)
The general theme of AlienFox is cloud-based and software-as-a-service (SaaS) email hosting services. The threat actors target popular web platforms and frameworks such as Joomla, Magento, OpenCart, Laravel and WordPress, looking for server misconfigurations. The tools in the toolkit check each target for the above-mentioned software. The scanning scripts read their list of targets from a text file; separate scripts, grabip.py and grabsite.py, generate those target files. The target-generation scripts use web APIs for open-source intelligence combined with brute-forcing of IP ranges and subnets, and report further details about each potential target.
Once a target is spotted, the threat actor parses exposed details, configuration files and any other sensitive information it can find. SentinelOne researchers observed secrets being harvested from a range of services.
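The misconfiguration described above, a framework configuration file such as a Laravel .env served straight from the web root, is something defenders can check for themselves. The following is an added example, not AlienFox code and not from the original article: given HTTP responses for a list of hosts, it decides which responses look like a leaked dotenv file and extracts the credential-looking keys an attacker would harvest. The hostnames, responses and values are constructed placeholders.

```python
"""
Added example (not AlienFox code and not from the original article): a
defender-side check for an exposed Laravel-style .env file. It classifies
HTTP responses and extracts the credential-looking keys an attacker would
harvest. All hosts, responses and values below are constructed placeholders.
"""
import re

# KEY=VALUE line of a dotenv file (an optional "export " prefix is tolerated)
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
# Key names that usually hold credentials in Laravel / dotenv configs
SECRET_KEY = re.compile(r"PASSWORD|SECRET|KEY|TOKEN", re.IGNORECASE)


def parse_env(text):
    """Parse dotenv text into a dict. Comments and blank lines are skipped,
    quoted values are unquoted, and a trailing ' # comment' on an unquoted
    value is dropped."""
    env = {}
    for raw in text.splitlines():
        m = ENV_LINE.match(raw)
        if not m or raw.lstrip().startswith("#"):
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        else:
            value = value.split(" #", 1)[0].rstrip()
        env[key] = value
    return env


def looks_like_env(status, content_type, body):
    """Heuristic: HTTP 200, not HTML, and at least 80% of non-comment lines are KEY=VALUE."""
    if status != 200 or "text/html" in content_type.lower():
        return False
    lines = [l for l in body.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if not lines:
        return False
    return sum(1 for l in lines if ENV_LINE.match(l)) / len(lines) >= 0.8


def extract_secrets(env):
    """Keep only entries whose key name suggests a credential and whose value is set."""
    return {k: v for k, v in env.items() if SECRET_KEY.search(k) and v}


def audit_hosts(responses):
    """responses: {host: (status, content_type, body)} -> {host: sorted leaked key names}"""
    findings = {}
    for host, (status, ctype, body) in responses.items():
        if looks_like_env(status, ctype, body):
            secrets = extract_secrets(parse_env(body))
            if secrets:
                findings[host] = sorted(secrets)
    return findings


# Constructed sample: one host leaks its .env, one serves a normal page, one denies access.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
APP_KEY=base64:ZXhhbXBsZS1vbmx5LW5vdC1hLXJlYWwta2V5
APP_DEBUG=false
DB_HOST=127.0.0.1
DB_USERNAME=shop
DB_PASSWORD="example-db-pass"
MAIL_HOST=smtp.example.test
MAIL_PASSWORD=example-mail-pass  # placeholder
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE
AWS_SECRET_ACCESS_KEY=example-secret-not-real
SES_REGION=us-east-1
"""
SAMPLE_RESPONSES = {
    "shop.example.test": (200, "text/plain", SAMPLE_ENV),
    "blog.example.test": (200, "text/html; charset=utf-8", "<html><body>Not Found</body></html>"),
    "api.example.test": (403, "text/plain", "Forbidden"),
}

if __name__ == "__main__":
    for host, keys in audit_hosts(SAMPLE_RESPONSES).items():
        print(f"{host}: exposed .env leaks {', '.join(keys)}")
```

In a real audit the responses would come from fetching /.env on each of your own hosts; the classifier deliberately ignores HTML so that a framework's "not found" page is not mistaken for a leak, and only key names that suggest a credential are reported, which is exactly the subset (mail, database and AWS keys) the toolkit is after.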
Organizations should always follow the principle of least privilege, where users get access only to what they need to do their work. Configuration-management best practices should also be followed. Interactive activity on the operating system should be monitored and detected, whether the workload runs in containers or in virtual machines protected by a Cloud Workload Protection Platform (CWPP).
Logs should be monitored for brute-force attempts, the creation of new user profiles and similar activity. Email campaigns and other email activity should also be monitored.
The IOCs for AlienFox are available in SentinelOne's published research.
Cybercrime is evolving at a fast pace, and the AlienFox toolkit is one example of that. The toolset is highly capable because skilled developers keep modifying and extending existing versions. Because AlienFox targets even small, minimally configured services, a compromised victim can lose everything.
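As an added illustration of the log monitoring recommended above (this is example code, not part of the original article or of SentinelOne's research), the detector below runs over constructed AWS CloudTrail records and flags the activity the article associates with stolen keys: console-login brute force, IAM persistence (new users, access keys, login profiles, attached policies), privilege escalation through the AdministratorAccess managed policy, and SES identity set-up calls that precede spam campaigns. The usernames, IP addresses and the failed-login threshold are assumptions.

```python
"""
Added example (not part of the original article or of SentinelOne's
research): detection logic for AWS post-compromise activity, run over
constructed CloudTrail records. Usernames, IPs and the failure threshold
are assumptions made for this example.
"""
import json
from collections import Counter, defaultdict

PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                      "UpdateLoginProfile", "AttachUserPolicy", "PutUserPolicy"}
EMAIL_SETUP_EVENTS = {"VerifyEmailIdentity", "VerifyDomainIdentity",
                      "UpdateAccountSendingEnabled"}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
FAILED_LOGIN_THRESHOLD = 5  # assumed tuning value for this example


def parse_log(lines):
    """CloudTrail records, one JSON object per line, into dicts."""
    return [json.loads(line) for line in lines if line.strip()]


def actor(rec):
    ident = rec.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def detect(records):
    """Return one alert dict per suspicious finding."""
    alerts = []
    failed_logins = defaultdict(int)
    for rec in records:
        name = rec.get("eventName")
        src = rec.get("sourceIPAddress")
        params = rec.get("requestParameters") or {}
        if name == "ConsoleLogin":
            if (rec.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
                failed_logins[src] += 1
        elif name in PERSISTENCE_EVENTS:
            alerts.append({"type": "persistence", "event": name, "actor": actor(rec),
                           "target": params.get("userName"), "source_ip": src})
            if name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
                alerts.append({"type": "privilege_escalation", "event": name,
                               "actor": actor(rec), "target": params.get("userName"),
                               "source_ip": src})
        elif name in EMAIL_SETUP_EVENTS:
            alerts.append({"type": "email_setup", "event": name, "actor": actor(rec),
                           "identity": params.get("emailAddress") or params.get("domain"),
                           "source_ip": src})
    for ip, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.append({"type": "brute_force", "source_ip": ip, "failures": count})
    return alerts


def summarize(alerts):
    """Alert counts by type."""
    return dict(Counter(a["type"] for a in alerts))


def _rec(name, source, user, ip, **extra):
    # Builds a constructed CloudTrail record with the fields the detector reads.
    rec = {"eventVersion": "1.08", "eventSource": source, "eventName": name,
           "userIdentity": {"type": "IAMUser", "userName": user},
           "sourceIPAddress": ip}
    rec.update(extra)
    return json.dumps(rec)


# Constructed sample log: six failed console logins, one benign call, then the
# persistence / escalation / SES chain an attacker runs with stolen keys.
SAMPLE_LOG_LINES = [_rec("ConsoleLogin", "signin.amazonaws.com", "admin", "198.51.100.7",
                         responseElements={"ConsoleLogin": "Failure"},
                         errorMessage="Failed authentication")] * 6 + [
    _rec("DescribeInstances", "ec2.amazonaws.com", "ops", "203.0.113.5"),
    _rec("CreateUser", "iam.amazonaws.com", "webapp-deploy", "198.51.100.7",
         requestParameters={"userName": "backup-svc"}),
    _rec("CreateAccessKey", "iam.amazonaws.com", "webapp-deploy", "198.51.100.7",
         requestParameters={"userName": "backup-svc"}),
    _rec("AttachUserPolicy", "iam.amazonaws.com", "webapp-deploy", "198.51.100.7",
         requestParameters={"userName": "backup-svc", "policyArn": ADMIN_POLICY_ARN}),
    _rec("VerifyEmailIdentity", "ses.amazonaws.com", "backup-svc", "198.51.100.7",
         requestParameters={"emailAddress": "billing@example.test"}),
]

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG_LINES)):
        print(alert)
```

The point of correlating on source IP and on the created user is that a single CreateUser is routine, while a new user that immediately receives an access key, an administrator policy and a verified SES identity from one external address is the pattern the article describes; the same structure fits a SIEM rule, with the threshold tuned to your own login volume.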
I hope this article helped you understand what the new AlienFox credential stealer toolkit is and whom it targets. Please share this post and help secure the digital world.
Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.