A commercial malware tool known as Legion that attackers deploy on compromised web servers has recently been updated to extract credentials for more cloud services and to authenticate over SSH. The main purpose of this Python-based script is to harvest credentials stored in configuration files for email providers, cloud service providers, server management systems, databases, and payment systems. These hijacked resources enable the attackers to launch email and SMS spam campaigns.
“This recent update demonstrates a widening of scope, with new capabilities such as the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications,” researchers from cloud forensics and incident response firm Cado Security said in a new report. “It’s clear that the developer’s targeting of cloud services is advancing with each iteration.”
Legion is being sold on a private Telegram group and has additional modules that extend its functionality, including:
- Using the Shodan API to find targets
- Enumerating vulnerable SMTP servers
- Launching remote code execution (RCE) exploits against web applications
- Exploiting vulnerable versions of Apache
- Brute-forcing cPanel and WebHost Manager (WHM) accounts
- Deploying webshells
- Other tools for abusing AWS services
The Cado researchers first documented Legion’s capabilities last month, but the malware appears similar to a tool that researchers from Lacework analyzed in December and dubbed AndroxGh0st. However, the new, improved sample analyzed by Cado had zero detections on the multi-engine scanning site VirusTotal, which suggests its developers are well versed in evading detection.
From server hijacking to spam
The end goal of the attackers who use Legion is to launch mass spam campaigns via email and SMS by using hijacked Simple Mail Transfer Protocol (SMTP) credentials. Some services also provide email-to-SMS functionality via SMTP, and Legion contains a script for sending SMS in this manner to most US mobile carriers.
Some of the cloud platform credentials targeted also seem to be tied to this end goal. For example, collected AWS IAM credentials are tested to see whether they work with the Amazon Simple Email Service (SES). The tool also attempts to brute-force credentials for SendGrid, an email marketing platform.
Other services targeted by Legion’s credential harvesting functionality include Twilio, Nexmo, Stripe/Paypal, AWS console credentials, AWS SNS, S3 and SES specific credentials, Mailgun, Plivo, Clicksend, Mandrill, Mailjet, MessageBird, Vonage, Nexmo, Exotel, Onesignal, Clickatel, and Tokbox.
Some targeted credentials are not directly tied to spam but could be used to support the attackers’ operations, such as databases and web hosting management panels. The new variant observed by Cado also added support for extracting credentials for DynamoDB, Amazon CloudWatch and AWS Owl, an open-source tool for monitoring changes to AWS accounts.
Exploiting vulnerabilities and misconfigurations
Attackers deploy Legion by exploiting vulnerabilities in PHP, Apache or content management solutions that allow them to deploy webshells or remotely execute code on servers. Legion then leverages common misconfigurations in web server permissions, PHP applications or PHP frameworks such as Laravel to access configuration files and files containing environment variables that the attackers know are stored in specific locations. Such files often contain secrets and credentials for databases and services that the web applications require in order to function.
“Legion attempts to access these .env files by enumerating the target server with a list of hardcoded paths in which these environment variable files typically reside,” the Cado researchers explained. “If these paths are publicly accessible, due to misconfigurations, the files are saved and a series of regular expressions are run over their contents.”
The new Legion variant now also tries to access the server over SSH using any database username and password pair found in configuration files, based on the assumption that the database user might also exist on the Linux system and that the same password was reused. The SSH access is achieved with a Python library called Paramiko that implements the SSH protocol. This code was also present in the earlier version of Legion but was commented out, so it was inactive.
If the SSH login succeeds, the malware executes the Linux uname -a shell command, which prints out basic information about the system such as the server’s hostname, CPU architecture, and operating system version. This tells the attackers that the login is valid and can be used for persistent access to the server in the future.
“It is recommended that developers and administrators of web applications regularly review access to resources within the applications themselves, and seek alternatives to storing secrets in environment files,” the Cado researchers said. If the malware compromises an AWS account, it creates an IAM user with the tag “Owner” set to the value “ms.boharas.” This can serve as an indicator that the account has been compromised and can be used to build automated detections, the researchers said.
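As an added example of the automated detection the researchers suggest (this is not Cado's or the malware's code), the following Python checks IAM users and CloudTrail records for the Owner=ms.boharas tag. It assumes the tag list shape boto3 returns from list_user_tags and the lower-cased requestParameters shape CloudTrail uses for CreateUser/TagUser; the sample records below are constructed.

```python
"""Flag IAM users carrying the Legion indicator tag Owner=ms.boharas.

Added example, not code from Cado Security or the Legion tool. Input
shapes are assumed: boto3-style tag lists ({"Key","Value"}) for live IAM
data and CloudTrail-style requestParameters ({"key","value"}) for events.
"""

LEGION_TAG = ("owner", "ms.boharas")  # compared case-insensitively


def tag_matches(tags):
    """True if any tag in the list equals Owner=ms.boharas (either key casing)."""
    for t in tags or []:
        key = (t.get("Key") or t.get("key") or "").strip().lower()
        val = (t.get("Value") or t.get("value") or "").strip().lower()
        if (key, val) == LEGION_TAG:
            return True
    return False


def flag_iam_users(users_with_tags):
    """users_with_tags: {UserName: tag list}, e.g. assembled from
    iam.list_users() and iam.list_user_tags(UserName=...). Returns flagged names."""
    return sorted(name for name, tags in users_with_tags.items() if tag_matches(tags))


def flag_cloudtrail_events(events):
    """Returns (eventName, userName) for CreateUser/TagUser calls that set the tag,
    so the detection fires at creation time rather than on a later inventory scan."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in ("CreateUser", "TagUser"):
            continue
        params = ev.get("requestParameters") or {}
        if tag_matches(params.get("tags")):
            hits.append((ev["eventName"], params.get("userName")))
    return hits


# Constructed sample data: one benign user, one carrying the indicator tag.
SAMPLE_USERS = {
    "deploy": [{"Key": "Team", "Value": "platform"}],
    "backup-svc": [{"Key": "Owner", "Value": "ms.boharas"}],
}
SAMPLE_EVENTS = [
    {"eventName": "CreateUser", "requestParameters": {"userName": "backup-svc",
     "tags": [{"key": "Owner", "value": "ms.boharas"}]}},
    {"eventName": "TagUser", "requestParameters": {"userName": "deploy",
     "tags": [{"key": "Owner", "value": "alice"}]}},
    {"eventName": "ListUsers", "requestParameters": None},
]

if __name__ == "__main__":
    print("flagged users:", flag_iam_users(SAMPLE_USERS))
    print("flagged events:", flag_cloudtrail_events(SAMPLE_EVENTS))
```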
Copyright © 2023 IDG Communications, Inc.