A new modular toolkit called "Alienfox" is being used by cybercriminals to scan misconfigured cloud servers and steal credentials and secrets for e-mail services. Researchers at SentinelLabs, who analyzed Alienfox, report that the toolkit targets commonly misconfigured deployments of popular web frameworks and platforms such as Laravel, Drupal, Joomla, Magento, OpenCart, PrestaShop and WordPress. The toolkit is a collection of custom tools and modified open-source utilities written by various authors. Analysts have identified three different versions of Alienfox, indicating that its authors are actively developing and improving it.
Attackers use Alienfox to collect lists of misconfigured cloud servers from security scanning platforms such as LeakIX and SecurityTrails. The toolkit then runs data-extraction scripts that search those servers for sensitive configuration files, which typically store API keys, credentials and authentication tokens. The primary targets of these attacks are cloud e-mail platforms such as 1and1, AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Nexmo, Office365, OneSignal, Sendgrid, Sendinblue, Sparkpost and Zoho. The toolkit also includes separate scripts for persistence and privilege escalation on compromised servers.
Alienfox V2, which appeared in the wild earlier, focuses on web server configuration and on extracting environment files. The malware then parses those files for credentials and validates them against the target server by attempting an SSH connection with the Paramiko Python library. Alienfox V2 also contains a script (AWSES.PY) that automates sending and receiving messages through AWS SES (Simple Email Service) and grants the attacker's AWS account elevated privileges.
Another version of Alienfox contains an exploit for CVE-2022-31279, a deserialization vulnerability in the Laravel PHP framework. The third version, Alienfox V3, adds automated extraction of keys and other secrets from Laravel environment files. The stolen data is tagged with the collection method that was used. Alienfox V3 also improves performance and introduces initialization variables, Python classes with modular functions, and multithreading.
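The activity described above, scanners requesting framework configuration and environment files from web servers, leaves a clear trace in ordinary access logs. The following detector is an added example and not code from the article or from SentinelLabs' analysis: it parses Apache/Nginx combined-format log lines, flags requests for credential-bearing files of the frameworks named on this page, counts probes per source address, and separately records any such file that was actually served with a 200 status, since that is the case where secrets have already left the server. The list of sensitive paths is an assumption drawn from where these frameworks keep their configuration, not a list taken from the toolkit, and the log lines are constructed sample data using documentation IP ranges.

```python
"""Detect probing for exposed framework configuration files in web server access logs."""
import re
from collections import defaultdict

# Assumed list of credential-bearing files for the frameworks named on the page
# (Laravel, WordPress, Joomla, Drupal, Magento, PrestaShop, OpenCart) plus two
# common leak sources. This is an educated guess, not the toolkit's own list.
SENSITIVE_PATH_PATTERNS = [
    re.compile(r"(^|/)\.env(\.[\w.-]+)?$"),                       # Laravel / generic dotenv
    re.compile(r"(^|/)wp-config\.php(\.(bak|old|save|swp))?$"),   # WordPress
    re.compile(r"(^|/)configuration\.php$"),                      # Joomla
    re.compile(r"(^|/)sites/default/settings\.php$"),             # Drupal
    re.compile(r"(^|/)app/etc/env\.php$"),                        # Magento 2
    re.compile(r"(^|/)config/settings\.inc\.php$"),               # PrestaShop
    re.compile(r"(^|/)config\.php$"),                             # OpenCart
    re.compile(r"(^|/)\.git/config$"),                            # leaked repository config
    re.compile(r"(^|/)phpinfo\.php$"),                            # environment disclosure
]

# Apache/Nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_sensitive_path(path: str) -> bool:
    """True if the request path (query string ignored) names a sensitive config file."""
    path = path.split("?", 1)[0]
    return any(p.search(path) for p in SENSITIVE_PATH_PATTERNS)


def parse_line(line: str):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, probe_threshold: int = 3) -> dict:
    """Return per-source findings.

    'probes'   : number of requests for sensitive files from that address
    'exposed'  : sensitive paths that were answered with HTTP 200 (data already leaked)
    'scanner'  : True once 'probes' reaches probe_threshold
    """
    findings = defaultdict(lambda: {"probes": 0, "exposed": []})
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_sensitive_path(rec["path"]):
            continue
        entry = findings[rec["ip"]]
        entry["probes"] += 1
        if rec["status"] == "200":
            entry["exposed"].append(rec["path"])
    return {
        ip: {
            "probes": e["probes"],
            "exposed": e["exposed"],
            "scanner": e["probes"] >= probe_threshold,
        }
        for ip, e in findings.items()
    }


# Constructed sample log: one scanning host that eventually hits an exposed
# Laravel .env, and one ordinary visitor whose single .env request was denied.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:12:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.28"
203.0.113.7 - - [10/Mar/2023:12:00:01 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "python-requests/2.28"
203.0.113.7 - - [10/Mar/2023:12:00:02 +0000] "GET /app/etc/env.php HTTP/1.1" 404 196 "-" "python-requests/2.28"
203.0.113.7 - - [10/Mar/2023:12:00:02 +0000] "GET /laravel/.env HTTP/1.1" 200 1823 "-" "python-requests/2.28"
198.51.100.2 - - [10/Mar/2023:12:01:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2023:12:01:11 +0000] "GET /.env HTTP/1.1" 403 162 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, result in analyze(SAMPLE_LOG.splitlines()).items():
        flag = "SCANNER" if result["scanner"] else "single probe"
        print(f"{ip}: {result['probes']} probe(s), {flag}, exposed={result['exposed']}")
```

A non-empty "exposed" list is the finding to act on first: the file was served, so every key and token in it should be treated as compromised and rotated, and the web server should be configured so that dotfiles and framework configuration directories are never inside, or never served from, the document root.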
Alienfox is sold by cybercriminals through a private Telegram channel. Companies using cloud servers are advised to take preventive measures against data breaches by configuring their servers properly or by relying on a cloud hosting provider's services to ensure the best possible protection of their data.