Sentinel Labs, a company specializing in technology for threat protection, has discovered AlienFox, a new toolkit that threat actors use to steal credentials from multiple cloud providers.
The company describes AlienFox as a modular toolset primarily distributed via Telegram in the form of source code archives.
- According to a Sentinel Labs blog post, AlienFox has been used to harvest API keys and secrets from 18 different cloud providers, including Amazon Web Services (AWS), Google Workspace, Office 365, Sendgrid, Twilio, and more.
- Sentinel Labs says the AlienFox toolkit enables hackers to scan for misconfigured servers to steal authentication codes and credentials, which are then used to compromise cloud-based email and web hosting services.
- Perhaps the most alarming aspect is that some modules are directly available on GitHub, making access easy for any potential hacker. Furthermore, most of these tools are open-source, which allows attackers to modify them based on their specific needs.
- The researchers have found that AlienFox is continuously evolving and thus becoming more sophisticated, and that the latest version of the toolset added scripts that automate malicious actions using the stolen credentials to establish AWS account persistence and privilege escalation.
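The follow-on activity the last point describes (a stolen key being used to set up persistence and expand rights in an AWS account) leaves a trail in CloudTrail. The script below is an added example for defenders, not code from Sentinel Labs, AlienFox or AWS: it reads CloudTrail records, flags IAM calls that create new credentials or attach policies, and raises the severity when the same access key does both within a short window, which is the pattern a credential-theft follow-on would produce. Which specific IAM calls the toolkit issues is not stated in the summary, so the event lists, the 15-minute window and the sample records are assumptions made here.

```python
"""Flag CloudTrail IAM events that match post-theft persistence / privilege escalation.

Added example; not code from Sentinel Labs, AlienFox or AWS. The eventNames are
standard IAM CloudTrail event names, but the choice of which ones to flag and
the correlation window are assumptions, not facts taken from the summary.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# IAM actions that mint a new credential for a principal (persistence).
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}
# IAM actions that widen what a principal may do (privilege escalation).
PRIVESC_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
                  "AttachRolePolicy", "UpdateAssumeRolePolicy"}
# Persistence + escalation by one actor inside this window is treated as high severity (assumed).
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed sample CloudTrail export (not real telemetry). Key ids and IPs are placeholders.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2023-03-30T10:00:05Z", "eventSource": "iam.amazonaws.com", "eventName": "GetUser",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE000001"},
     "requestParameters": {"userName": "ci-deploy"}},
    {"eventTime": "2023-03-30T10:01:10Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE000001"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2023-03-30T10:01:30Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE000001"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2023-03-30T10:02:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE000001"},
     "requestParameters": {"userName": "backup-svc",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2023-03-30T15:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "ASIAEXAMPLE000002"},
     "requestParameters": None},
    # A lone key rotation by a human user: flagged, but not correlated, so medium.
    {"eventTime": "2023-03-30T16:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "ASIAEXAMPLE000002"},
     "requestParameters": {"userName": "alice"}},
]})


def _parse_time(stamp: str) -> datetime:
    """CloudTrail uses ISO-8601 with a trailing Z; make it timezone-aware."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def classify(record: dict):
    """Return 'persistence', 'privilege-escalation', or None for an uninteresting record."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    name = record.get("eventName")
    if name in PERSISTENCE_EVENTS:
        return "persistence"
    if name in PRIVESC_EVENTS:
        return "privilege-escalation"
    return None


def find_suspicious_iam_activity(cloudtrail_json: str) -> list:
    """Group flagged IAM events by acting credential and score each one."""
    records = json.loads(cloudtrail_json)["Records"]
    by_actor = defaultdict(list)
    for rec in records:
        category = classify(rec)
        if category is None:
            continue
        identity = rec.get("userIdentity", {})
        actor = identity.get("accessKeyId") or identity.get("userName", "unknown")
        by_actor[actor].append((_parse_time(rec["eventTime"]), category, rec))

    findings = []
    for actor, events in by_actor.items():
        events.sort(key=lambda e: e[0])
        for when, category, rec in events:
            # High severity if the same credential did the *other* category nearby in time.
            correlated = any(other != category and abs(t - when) <= CORRELATION_WINDOW
                             for t, other, _ in events)
            params = rec.get("requestParameters") or {}
            findings.append({
                "time": rec["eventTime"],
                "actor": actor,
                "source_ip": rec.get("sourceIPAddress"),
                "event": rec["eventName"],
                "category": category,
                "target": params.get("userName") or params.get("roleName"),
                "policy": params.get("policyArn"),
                "severity": "high" if correlated else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iam_activity(SAMPLE_CLOUDTRAIL):
        print(json.dumps(finding))
```

Run against a real CloudTrail export the `Records` shape is the same, so only the sample data changes. The medium-severity hit on a lone `CreateAccessKey` is deliberate: key rotation is routine, and the signal a responder wants is a credential that both creates something and grants it rights in a short span, not any single IAM call.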