{"id":88947,"date":"2023-04-17T14:54:44","date_gmt":"2023-04-17T14:54:44","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4068149"},"modified":"2023-04-17T14:54:44","modified_gmt":"2023-04-17T14:54:44","slug":"credential-harvesting-malware-appears-on-deep-web","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=88947","title":{"rendered":"Credential harvesting malware appears on deep web"},"content":{"rendered":"<figure id=\"attachment_4068168\" aria-describedby=\"caption-attachment-4068168\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-4068168 size-article\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/04\/credential-harvesting-malware-appears-on-deep-web.jpg\" alt=\"Credentials harvesting phishing stock image.\" width=\"770\" height=\"515\"><figcaption id=\"caption-attachment-4068168\" class=\"wp-caption-text\">Image: Adobe Stock\/WunderBild<\/figcaption><\/figure>\n<p>Cloud-focused credential harvesting and spam utilities, used to illicitly extract an organization\u2019s database of usernames, passwords and emails, are on the rise. By some <a href=\"https:\/\/resources.digitalshadows.com\/whitepapers-and-reports\/account-takeover-in-2022\" target=\"_blank\" rel=\"noopener noreferrer\">estimates<\/a>, over 24 billion credentials had been stolen by late 2022. One extraction tool, spotted in the wild by cloud forensics and incident response company Cado Security, is Python-based malware that Cado dubbed Legion \u2014 a tool making it easier to launch business email compromises and other social engineering attacks at scale.<\/p>\n<h2 id=\"spamming\">Spamming mobile carrier users<\/h2>\n<p>Legion targets various services for email exploitation, according to Cado, whose research indicates that Legion is likely linked to the AndroxGh0st malware family first reported in December 2022. 
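<\/p>
<p>As an added illustration, not code from this page or from Cado Security, the following Python detection runs over a constructed, simplified SMTP submission log and flags an authenticated sender that reaches many distinct phone numbers through email-to-SMS gateway addresses inside a short window. That is the trace the SMS spam described in this section leaves on a mail account whose SMTP credentials were harvested. The log format, the burst threshold and the list of carrier gateway domains are assumptions made for the example.<\/p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified submission-log format for this example; it is not
# the log format of any real MTA. One line per delivery attempt: timestamp,
# authenticated SMTP user, recipient, delivery status.
SAMPLE_LOG = """\
2023-04-12T10:00:01Z sasl_user=billing@example.com to=customer@example.org status=sent
2023-04-12T10:00:05Z sasl_user=newsletter@example.com to=2125550100@txt.att.net status=sent
2023-04-12T10:00:06Z sasl_user=newsletter@example.com to=2125550101@vtext.com status=sent
2023-04-12T10:00:06Z sasl_user=newsletter@example.com to=3105550102@messaging.sprintpcs.com status=sent
2023-04-12T10:00:07Z sasl_user=newsletter@example.com to=3105550103@txt.att.net status=bounced
2023-04-12T10:00:08Z sasl_user=newsletter@example.com to=4155550104@vtext.com status=sent
2023-04-12T10:00:09Z sasl_user=newsletter@example.com to=4155550105@txt.att.net status=sent
2023-04-12T10:45:00Z sasl_user=ops@example.com to=2125550199@txt.att.net status=sent
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sasl_user=(?P<user>\S+) to=(?P<rcpt>\S+) status=(?P<status>\S+)$"
)

# A bare ten-digit (NANP) number as the local part is the tell-tale of an
# email-to-SMS gateway address, whatever carrier domain follows it.
NUMERIC_LOCALPART_RE = re.compile(r"^\d{10}$")

# Assumed carrier gateway domains, used only as a secondary signal; confirm
# them against each carrier's own documentation before relying on them.
ASSUMED_GATEWAY_DOMAINS = {"txt.att.net", "vtext.com", "messaging.sprintpcs.com"}


def parse_log(text):
    """Parse log lines into (timestamp, user, rcpt_local, rcpt_domain, status)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected shape
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        local, _, domain = m["rcpt"].rpartition("@")
        events.append((ts, m["user"], local, domain.lower(), m["status"]))
    return events


def is_sms_gateway_rcpt(local, domain):
    """True when the recipient looks like a phone number at an SMS gateway."""
    return bool(NUMERIC_LOCALPART_RE.match(local)) or domain in ASSUMED_GATEWAY_DOMAINS


def find_sms_bursts(text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: (distinct_numbers, first_ts, last_ts)} for every sender that
    reached at least `threshold` distinct phone numbers via gateway addresses
    within a sliding window. Bounces count too: scraped random numbers bounce."""
    per_user = defaultdict(list)
    for ts, user, local, domain, _status in parse_log(text):
        if is_sms_gateway_rcpt(local, domain):
            per_user[user].append((ts, local))
    alerts = {}
    for user, hits in per_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {number for _, number in hits[start:end + 1]}
            if len(distinct) >= threshold and len(distinct) > alerts.get(user, (0,))[0]:
                alerts[user] = (len(distinct), hits[start][0], hits[end][0])
    return alerts


if __name__ == "__main__":
    for user, (count, first, last) in find_sms_bursts(SAMPLE_LOG).items():
        print(f"ALERT {user}: {count} distinct numbers between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

<p>Keying on a ten-digit local part rather than on a fixed domain list catches gateways you did not enumerate; the domain set is only a secondary signal. Bounces are counted on purpose, since a spammer working from scraped random numbers produces plenty of them.<\/p>
<p>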
Threat actors are selling Legion on the <a href=\"https:\/\/www.techrepublic.com\/article\/cybercriminals-swap-dark-web-deep-web\/\">deep web<\/a>, via the Telegram messenger (<strong>Figure A<\/strong>).<\/p>\n<p><strong>Figure A<\/strong><\/p>\n<figure id=\"attachment_4068165\" aria-describedby=\"caption-attachment-4068165\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-4068165 size-article\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/04\/credential-harvesting-malware-appears-on-deep-web.png\" alt=\"Legion splash page.\" width=\"770\" height=\"775\"><figcaption id=\"caption-attachment-4068165\" class=\"wp-caption-text\">Legion splash page. Image: Cado Security<\/figcaption><\/figure>\n<p>According to Cado\u2019s new research, Legion targets web servers running content management systems, PHP and PHP-based frameworks to grab credentials for email providers, cloud service providers, server management systems, databases and payment platforms like Stripe and PayPal. It can also hijack SMS messages, compromise Amazon Web Services credentials and send SMS spam to AT&amp;T, Sprint and Verizon users, delivered over SMTP through the carriers\u2019 email-to-SMS gateways.<\/p>\n<p>The report said Legion appears to be part of an emerging generation of hacking tools that aim to automate the credential harvesting process in order to compromise SMTP (Simple Mail Transfer Protocol) services.<\/p>\n<h2 id=\"scraping\">Scraping websites for phone numbers and other data<\/h2>\n<p>According to Matt Muir, threat intelligence researcher at Cado Security, the malware builds lists of carrier- or area-specific phone numbers to target using Python web scraping.<\/p>\n<p>\u201cScraping is the process of extracting useful (often textual) data from web pages. 
In Legion\u2019s case, the popular Python web scraping library BeautifulSoup is used to scrape telephone numbers from the <a href=\"http:\/\/randomphonenumbers.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">randomphonenumbers.com<\/a> website,\u201d he said, adding that it uses SMTP credentials retrieved during the credential harvesting phase to send messages to the numbers.<\/p>\n<p>\u201cPhishing would be an obvious use for this functionality, but it can also be useful for general spamming operations,\u201d he said. \u201cIf you have a requirement to send SMS messages en masse to random phone numbers, then Legion can help with this.\u201d<\/p>\n<p>Cado Labs researchers also found a YouTube channel, \u201cForza Tools,\u201d that included a \u201chow to\u201d tutorial series for Legion. The researchers said that the fact that Legion\u2019s developer has gone to the effort of creating a video series suggests that the tool is widely distributed and is likely paid malware (<strong>Figure B<\/strong>).<\/p>\n<p><strong>Figure B<\/strong><\/p>\n<figure id=\"attachment_4068166\" aria-describedby=\"caption-attachment-4068166\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-4068166 size-article\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/04\/credential-harvesting-malware-appears-on-deep-web-1.png\" alt=\"YouTube \u201cForza Tools\u201d channel carrying tutorial videos for Legion.\" width=\"770\" height=\"473\"><figcaption id=\"caption-attachment-4068166\" class=\"wp-caption-text\">YouTube \u201cForza Tools\u201d channel carrying tutorial videos for Legion. 
Image: Cado Security<\/figcaption><\/figure>\n<h3>Legion shares features with other cloud-centric malware packages<\/h3>\n<p>Muir said that while it is difficult to track the provenance of these cloud-focused malware tools because their developers steal code from one another, Legion\u2019s functionality and codebase are similar to those of <a href=\"https:\/\/www.lacework.com\/blog\/androxghost-the-python-malware-exploiting-your-aws-keys\/\" target=\"_blank\" rel=\"noopener noreferrer\">AndroxGh0st<\/a> and <a href=\"https:\/\/www.sentinelone.com\/labs\/dissecting-alienfox-the-cloud-spammers-swiss-army-knife\/\" target=\"_blank\" rel=\"noopener noreferrer\">AlienFox<\/a>, discovered and named by Lacework and SentinelLabs, respectively.<\/p>\n<p>\u201cThose malware families also target the same SMTP services as Legion, including AWS SES,\u201d he said, adding that these tools are often distributed via Telegram and that their features make them attractive to those wishing to conduct mass spam or phishing operations. According to Muir, Legion is likely sold under a perpetual license model, through a one-off fee paid to the administrator of the Telegram group where the tool is advertised. He said that this revenue model differs from the subscription or recurring payment typically found in malware-as-a-service products.<\/p>\n<p>\u201cAlthough we can assume not everybody in these groups will purchase a license for the software, it shows that there is considerable demand for such a tool,\u201d he said. 
\u201cIf even half of the members purchased a license and used the SMTP abuse capabilities for spam or phishing purposes, I don\u2019t think it\u2019s unreasonable to assume that tens of thousands of users would be affected.\u201d<\/p>\n<h3>How Legion differs from other credential harvesting tools<\/h3>\n<p>Unlike other credential harvesting malware, Legion focuses on compromising SMTP services and exploiting misconfigured web services to harvest credentials for abuse.<\/p>\n<p>\u201cIt also bundles additional functionality traditionally found in more common hack tools, such as the ability to execute web server specific exploit code and brute force account credentials,\u201d said Muir.<\/p>\n<p>He added that Legion does not exploit new vulnerabilities. \u201cMuch of the exploit code shipped with the tool is derived from public proofs of concept or based on code from other offensive security tools,\u201d he said, adding that it most likely uses Shodan, a search engine that lets users filter internet-exposed servers by the software they run, to gather targets.<\/p>\n<h2 id=\"combatting\">Users are responsible for combating Legion<\/h2>\n<p>Muir said that while carriers probably have monitoring in place to identify when mass spamming is conducted on their infrastructure, a target\u2019s best option is to report suspicious messages immediately and get assistance with identifying and mitigating phishing attacks.<\/p>\n<p>The report pointed out that cloud providers like AWS and Azure are not responsible for these attacks: under their shared responsibility models, the correct configuration of services that customers deploy is the customer\u2019s job, not the provider\u2019s.<\/p>\n<p>\u201cSince Legion relies on misconfigurations in services deployed by users, this would likely fall under the user\u2019s remit in a shared responsibility context,\u201d according to the report.<\/p>\n<p>\u201cLegion\u2019s credential harvesting relies on misconfigured web servers with exposed credentials,\u201d explained Muir. 
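<\/p>
<p>As an added example, not Cado\u2019s code or the page\u2019s, here is a Python self-audit a web server owner can run against their own host to find the kind of exposure Muir describes: a framework secrets file or configuration backup that the web server serves to anyone who asks. The candidate paths, the Laravel-style MAIL_ and SMTP_ variable names and the Stripe key prefix are assumptions; the AWS access key ID format and the sample key pair in the fixture are the ones AWS\u2019s own documentation uses. The fixture is constructed so the script runs offline.<\/p>

```python
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Paths that commonly end up web-readable on misconfigured PHP/framework hosts.
# Assumed list for this example; extend it for your own stack.
CANDIDATE_PATHS = [
    ".env", ".env.bak", ".env.example", "config.php.bak", ".git/config", "phpinfo.php",
]

# Credential shapes the page says Legion goes after. The AWS access key ID
# format (AKIA followed by 16 uppercase alphanumerics) is AWS's documented
# format; the MAIL_/SMTP_ variable names (Laravel style) and the Stripe
# sk_live_/sk_test_ prefix are assumptions for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"^AWS_SECRET_ACCESS_KEY\s*=\s*\S+", re.M),
    "smtp_password": re.compile(r"^(?:MAIL|SMTP)_PASSWORD\s*=\s*\S+", re.M),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
}


def classify_secrets(body):
    """Return the set of credential kinds found in a served file body."""
    return {name for name, pat in SECRET_PATTERNS.items() if pat.search(body)}


def default_fetch(url, timeout=5):
    """GET a URL; returns (HTTP status, or None on network error; body text).
    urlopen follows redirects, so a catch-all redirect to a login page shows
    up as a 200 with no secrets: treat 'info' findings as leads, not proof."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def audit_exposure(base_url, fetch=default_fetch, paths=CANDIDATE_PATHS):
    """Probe each candidate path under base_url. Any 200 is a finding; a 200
    whose body contains credential-shaped content is critical."""
    findings = []
    for path in paths:
        status, body = fetch(urljoin(base_url, path))
        if status != 200:
            continue
        kinds = sorted(classify_secrets(body))
        findings.append({
            "path": path,
            "kinds": kinds,
            "severity": "critical" if kinds else "info",
        })
    return findings


# Constructed offline fixture standing in for a misconfigured host. The AWS
# key pair is the example pair from AWS documentation, not a live credential.
FAKE_SITE = {
    "https://app.example.test/.env": (200,
        "APP_ENV=production\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "MAIL_HOST=email-smtp.us-east-1.amazonaws.com\n"
        "MAIL_PASSWORD=not-a-real-password\n"),
    "https://app.example.test/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n"),
}


def fake_fetch(url, timeout=5):
    """Offline stand-in for default_fetch that serves the constructed fixture."""
    return FAKE_SITE.get(url, (404, ""))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_exposure(sys.argv[1])  # a host you are authorised to test
    else:
        results = audit_exposure("https://app.example.test/", fetch=fake_fetch)
    for finding in results:
        detail = ", ".join(finding["kinds"]) or "served, no secrets matched"
        print(f"{finding['severity'].upper():8} {finding['path']}  {detail}")
```

<p>Point it only at hosts you own or are authorised to test. A critical finding means the credentials are already public: rotate them first, then move the file out of the web root and deny access to dotfiles and backup files in the web server configuration, which is exactly the customer-side duty the shared responsibility model assigns.<\/p>
<p>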
\u201cUnder CSP shared responsibility models, correct configuration of web servers would be the responsibility of the user rather than the provider, as generally the user is the one deploying and administering the web server.\u201d<\/p>\n<p> <!-- default newsletter at the end --> <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Image: Adobe Stock\/WunderBild Cloud-focused credential harvester and spam utilities, used to illicitly extract an organization\u2019s database of usernames, passwords and emails, are on the rise. By some estimates, over 24 billion credentials had been stolen by late 2022. One extraction tool, spotted in the wild by cloud forensics and incident response company Cado Security, is [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":88948,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,783,56,696,287],"tags":[],"class_list":["post-88947","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-cloudsync","category-cybersecurity","category-malware","category-security"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88947","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=88947"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88947\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/88948"}],"wp:attachment":[{"href":"https:\/\/clou
dnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=88947"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=88947"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=88947"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}