Warning: AlienFox Stealing Cloud-Based Email Credentials

Summary

AlienFox, a new module toolkit, is allowing threat actors to steal authentication secrets and credentials from cloud-based web hosting and email services through misconfigured servers. The threat actors claim that AlienFox can search for common misconfigured cloud endpoints in Laravel, Drupal,. Joomla, Magento, Opencart, Prestashop, and WordPress frameworks. AlienFox then uses data-extraction scripts to scrap the misconfigured servers for sensitive configuration files that are commonly used API keys, account credentials, and authentication tokens. Additionally, if the toolkit can identify a vulnerability, it is able to establish persistence within a server and escalate privileges. The threat actors behind AlienFox rely on open-source tools and continually modify and adapt the code to suit their needs.

AlienFox Variants

Currently there are three versions of AlienFox: AlienFox v2, AlienFox v3, and AlienFox v4. In the first two versions of AlienFox, the threat actors developed a script set to loop within LeakIX that requests the first 500 pages of items categorized as “leaks.” Within AlienFoxV4 the script created to loop through LeakIX is replaced with code that scraps information from SecuirtyTrails API.

AlienFox v2 is the oldest version of the toolkit and primarily focuses on extracting and modifying files on the web server before attempting to access the targeted server to identify and test credentials within the files on the server.
AlienFox v3 automatically extracts keys from Laravel environments and tags harvested data with the acquisition method utilized.
AlienFox v4 has improved organization of its code and scripts, broadening the toolkits targeting scope. Overall, all three versions obtain inventories of poorly configured cloud endpoints from sources like LeakIX and SecuirtyTrails. Once the endpoints are identified a data-extraction script is utilized to find API keys, account credentials, and authentication tokens.

Targeted Technology

The toolkit is primarily opportunistic in targeting and relies on security scanning platforms like LeakIX and SecurityTrails to identify potential servers based on vulnerability risks. The LeakIX and SecurityTrails API platforms gather crowdsourced information about vulnerable or misconfigured websites to provide an internet surface of any organization. LeakIX then gives impacted websites 30 days to remediate these vulnerabilities or misconfigurations before posting the targets information to the site. Once the threat actors receive a list of “leaks” from LeakIX or SecurityTrails API, the threat actors develop a targeting list. Currently the following platforms targeted have been cloud-based email services like 1and1, Amazon Web Services (AWS), Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Nexmo, Office365, OneSignal, Plivo, Sendgrid, Sendinblue, Sparkpostmail, Tokbox, Twilio, Zimbra, and Zoho.

Conclusion

Cloud services have been largely confined to crypto mining cyber-attacks until now. The AlienFox toolkit allows threat actors to take advantage of minimal services that lack the resources for mining. This broadens the target sets for cloud-based services. Additionally, the different versions of AlienFox suggest that the threat actors are becoming increasingly sophisticated in developing and improving the malicious toolkit. To reduce the risk of AlienFox being employed against vulnerable endpoints, organizations should ensure their systems are updated to mitigate vulnerability exposures and use the principle of least privileges when building accounts.

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub.

References: