AlienFox Malware Targets Web Frameworks like Drupal

AlienFox targets misconfigured servers to steal credentials and secret data

A new toolkit named AlienFox targets misconfigured servers to steal credentials and secret data from popular cloud service providers. According to SentinelLabs, the threat actors deploying the malware rely on server misconfigurations associated with popular web frameworks, including Drupal. AlienFox also targets frameworks like WordPress, Laravel, Joomla, and Magento.

Researchers at SentinelLabs also found the malware to be highly modular. Analysts identified three versions of AlienFox dating from February 2022 onward, which indicates that the toolkit's author is actively developing and improving it. Its modular design lets operators use separate custom tools for separate tasks.

According to the report, AlienFox uses data-extraction scripts to search for susceptible servers. Once a misconfiguration is exploited, the code extracts API keys, account credentials, and authentication tokens. SentinelLabs found the malware targeting sensitive data from cloud-based platforms, including AWS, Google Workspace, Office365, Mailgun, and Zoho. To step up defences against AlienFox, organizations are advised to follow configuration management best practices and adhere to the principle of least privilege (PoLP).
