Threat actors now use Legion to steal AWS-specific credentials from web servers to enable email and SMS spam campaigns.

A commercial malware tool called Legion that hackers deploy on compromised web servers has recently been updated to extract credentials for additional cloud services and to authenticate over SSH. The main goal of this Python-based script is to harvest credentials stored in configuration files for email providers, cloud service providers, server management systems, databases, and payment systems. These hijacked resources enable the attackers to launch email and SMS spam campaigns.

“This recent update demonstrates a widening of scope, with new capabilities such as the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications,” researchers from cloud forensics and incident response firm Cado Security said in a new report. “It’s clear that the developer’s targeting of cloud services is advancing with each iteration.”

Legion is being sold on a private Telegram group and has additional modules that extend its functionality, including:

- Using the Shodan API to find targets
- Enumerating vulnerable SMTP servers
- Launching remote code execution (RCE) exploits against web applications
- Exploiting vulnerable versions of Apache
- Brute-forcing cPanel and WebHost Manager (WHM) accounts
- Deploying webshells
- Other tools for abusing AWS services

The Cado researchers first documented Legion’s capabilities last month, but the malware seems similar to a tool that researchers from Lacework analyzed in December and dubbed AndroxGh0st. Nevertheless, the new, improved sample analyzed by Cado had zero detections on the multi-engine scan site VirusTotal, meaning its developers are well versed in evading detection.

From server hijacking to spam

The end goal of the attackers who use Legion is to launch mass spam campaigns via email and SMS by using hijacked Simple Mail Transfer Protocol (SMTP) credentials.
Some services also provide email-to-SMS functionality via SMTP, and Legion contains a script for sending SMS in this way to most US mobile carriers.

Some of the cloud platform credentials targeted also seem to be tied to this end goal. For example, collected AWS IAM credentials are tested to see if they work with the Amazon Simple Email Service (SES). The tool also attempts to brute-force credentials for SendGrid, a platform for email marketing. Other services targeted by Legion’s credential harvesting functionality include Twilio, Nexmo, Stripe/PayPal, AWS console credentials, AWS SNS, S3 and SES specific credentials, Mailgun, Plivo, Clicksend, Mandrill, Mailjet, MessageBird, Vonage, Nexmo, Exotel, Onesignal, Clickatel, and Tokbox.

Some targeted credentials don’t seem to be directly tied to spam but could be used to support the attackers’ operations, such as databases and web hosting administration panels. The new variant observed by Cado also added support for extracting credentials for DynamoDB, Amazon CloudWatch and AWS Owl, an open-source tool for monitoring changes to AWS accounts.

Exploiting vulnerabilities and misconfigurations

Attackers deploy Legion by exploiting vulnerabilities in PHP, Apache or content management solutions which allow them to deploy webshells or remotely execute code on servers. Legion then leverages common misconfigurations in web server permissions, PHP applications or PHP frameworks such as Laravel to access configuration files and files containing environment variables that the attackers know are stored in specific locations. Such files often contain secrets and credentials for databases and services that the web applications require to function.

“Legion attempts to access these .env files by enumerating the target server with a list of hardcoded paths in which these environment variable files typically reside,” the Cado researchers explained.
“If these paths are publicly accessible, due to misconfigurations, the files are saved and a series of regular expressions are run over their contents.”

The new Legion variant now also tries to access the server over SSH using any database username and password pair found in configuration files, based on the assumption that the database user might also exist on the Linux system and that the same password was used. The SSH access is achieved with a Python library called Paramiko that implements the SSH protocol. This code was also present in the previous version of Legion but was commented out, so it was inactive.

If the SSH login succeeds, the malware executes the Linux uname -a shell command, which prints out basic information about the system such as the server’s name, CPU architecture, and operating system version. This tells the attackers that the login is valid and can be used for persistent access to the server in the future.

“It’s recommended that developers and administrators of web applications regularly review access to resources within the applications themselves, and seek alternatives to storing secrets in environment files,” the Cado researchers said.

If the malware compromises an AWS account, it creates an IAM user with the tag “Owner” set to the value “ms.boharas.” This can serve as a sign of the account being compromised and can be used to build automated detections, the researchers said.
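The “Owner” = “ms.boharas” tag reported above is the kind of marker a detection can key on. The following is an added example (not Cado’s or the article’s code) that scans CloudTrail-shaped IAM records for CreateUser or TagUser calls carrying that tag; the sample records are constructed for the example, and the record layout (eventSource, eventName, requestParameters.tags) is assumed to follow CloudTrail’s IAM event format.

```python
import json

# Tag key/value that Cado Security reported Legion setting on IAM users it creates.
LEGION_TAG = ("Owner", "ms.boharas")

def _tags_of(record):
    """Return (key, value) pairs from a CloudTrail IAM record's requestParameters.tags."""
    params = record.get("requestParameters") or {}
    return [(t.get("key"), t.get("value")) for t in params.get("tags") or []]

def find_legion_iam_events(records):
    """Return (eventName, userName, sourceIPAddress) for IAM CreateUser/TagUser calls
    that carry the Legion marker tag. Events from other services are ignored."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in ("CreateUser", "TagUser"):
            continue
        if LEGION_TAG in _tags_of(rec):
            user = (rec.get("requestParameters") or {}).get("userName")
            hits.append((rec["eventName"], user, rec.get("sourceIPAddress")))
    return hits

# Constructed sample records (not real CloudTrail data): one benign CreateUser,
# one Legion-style CreateUser, one Legion-style TagUser, and one non-IAM event.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "deploy-bot",
                           "tags": [{"key": "Owner", "value": "platform-team"}]}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "backup-svc",
                           "tags": [{"key": "Owner", "value": "ms.boharas"}]}},
    {"eventSource": "iam.amazonaws.com", "eventName": "TagUser",
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "existing-user",
                           "tags": [{"key": "Owner", "value": "ms.boharas"}]}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateUser",
     "requestParameters": {"tags": [{"key": "Owner", "value": "ms.boharas"}]}},
]

def scan_cloudtrail_file(path):
    """Load a CloudTrail log file ({"Records": [...]}) and return the suspicious events."""
    with open(path) as fh:
        return find_legion_iam_events(json.load(fh).get("Records", []))

if __name__ == "__main__":
    for event, user, ip in find_legion_iam_events(SAMPLE_RECORDS):
        print(f"ALERT {event} user={user} from={ip}: IAM user tagged Owner=ms.boharas")
```

Run it against exported CloudTrail files with scan_cloudtrail_file, and treat a hit as a reason to review the account for the harvested-credential activity described above rather than as the only indicator.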