January 12, 2024
Severity
High
Analysis Summary
A novel Python-based hacking toolkit dubbed FBot has emerged that targets cloud services, web servers, content management systems (CMS), and SaaS platforms such as Microsoft 365, Amazon Web Services (AWS), Twilio, and SendGrid.
FBot is the newest addition to the family of cloud-hijacking tools that includes GreenBot (aka Maintance), AlienFox, Predator, and Legion, several of which share code with AndroxGh0st. Researchers detailed its notable features, including AWS account hijacking tools, credential harvesting for use in spamming attacks, and functions that enable attacks against PayPal and numerous SaaS accounts. FBot is described as related to these malware families but still distinct: it does not reuse any AndroxGh0st source code and shares only limited similarities with Legion.
The toolkit aims to hijack SaaS, cloud, and web services by stealing credentials to gain initial access, then monetizing that access by selling it to other threat actors. In addition to generating API keys for SendGrid and AWS, FBot has features for generating random IP addresses, validating PayPal accounts and email addresses, and running reverse IP scanners.
The script initiates its PayPal API request through the retail website of a Lithuanian fashion designer. Notably, every FBot sample identified so far uses this website to authenticate PayPal API requests, just as many Legion Stealer samples do. FBot also includes AWS-specific features that check for AWS Simple Email Service (SES) email configuration details and determine the victim account's EC2 service quotas. Its Twilio functionality harvests account details such as the currency, balance, and phone numbers linked to the account. The malware can also steal credentials from Laravel environment (.env) files.
The researchers report finding samples dating from at least July 2022 through January 2024, which indicates the tool has been in active use. It is not yet known whether FBot is still actively maintained or how it is distributed to other cybercriminals. The evidence points to private development, so the tool may be distributed in a smaller-scale operation.
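The Laravel .env theft described above is worth turning into a defender-side check: which secrets in a deployed .env would hand an attacker the AWS, SES, Twilio, SendGrid, or PayPal access the analysis lists, and therefore which credentials need rotating if the file was exposed. The following is an added example written for this advisory, not FBot's code and not a Rewterz tool. The sample .env is constructed (its values are AWS's documented placeholder keys and made-up tokens), and the variable-name patterns are an assumption about how Laravel applications commonly name these secrets.

```python
import re

# Constructed sample of a Laravel .env file of the kind FBot harvests.
# The AWS values are the placeholder credentials from AWS documentation.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
APP_KEY=base64:ZmFrZWtleWZha2VrZXlmYWtla2V5ZmFrZWtleQ==
# database
DB_PASSWORD='s3cret'
MAIL_MAILER=smtp
MAIL_HOST=email-smtp.us-east-1.amazonaws.com
MAIL_USERNAME=AKIAIOSFODNN7EXAMPLE
MAIL_PASSWORD="BExampleSesSmtpPassword"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
TWILIO_SID=ACexampleexampleexampleexampleexam
TWILIO_AUTH_TOKEN=exampletwiliotoken0000000000000000
SENDGRID_API_KEY=SG.exampleexample.exampleexampleexample
PAYPAL_SECRET=example-paypal-secret
"""

# Variable-name patterns for the services named in the advisory (assumed
# naming conventions; adjust to your own application's .env).
SERVICE_PATTERNS = {
    "aws": re.compile(r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$"),
    "ses_smtp": re.compile(r"^MAIL_(USERNAME|PASSWORD)$"),
    "twilio": re.compile(r"^TWILIO_"),
    "sendgrid": re.compile(r"^SENDGRID_"),
    "paypal": re.compile(r"^PAYPAL_"),
}
# Anything else that looks like a secret is reported under "other".
GENERIC_SECRET = re.compile(r"(SECRET|TOKEN|PASSWORD|API_KEY|KEY)$")


def parse_env(text):
    """Parse KEY=VALUE lines roughly the way Laravel's .env loader does:
    skip blank and comment lines, strip one layer of matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def classify_secrets(env):
    """Return {service: [variable names]} for every variable that an attacker
    who reads this file could turn into cloud or SaaS access."""
    found = {}
    for key in env:
        service = next((s for s, pat in SERVICE_PATTERNS.items() if pat.search(key)), None)
        if service is None and GENERIC_SECRET.search(key):
            service = "other"
        if service:
            found.setdefault(service, []).append(key)
    return found


def ses_smtp_via_aws(env):
    """True when MAIL_HOST points at SES: the SMTP credentials are then an IAM
    user's SMTP credentials and must be rotated in IAM, not just in the app."""
    return env.get("MAIL_HOST", "").endswith(".amazonaws.com")


def rotation_plan(text):
    """Human-readable list of what to rotate if this .env was exposed."""
    env = parse_env(text)
    found = classify_secrets(env)
    plan = [f"{service}: rotate {', '.join(names)}" for service, names in found.items()]
    if ses_smtp_via_aws(env):
        plan.append("ses_smtp: MAIL_HOST is SES, rotate the IAM user's SMTP credentials")
    return plan


if __name__ == "__main__":
    for line in rotation_plan(SAMPLE_ENV):
        print(line)
```

Run it against the .env actually deployed on a web host (not the repository copy) to produce the rotation list; the `other` bucket catches application and database secrets that are not cloud credentials but still need changing.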
Impact
- Credential Theft
- Unauthorized Access
Remediation
- Enable multi-factor authentication (MFA/2FA) on cloud, SaaS, and email accounts; it limits what a stolen password alone can achieve.
- Keep secrets out of reach of web servers: Laravel .env files and other credential files must not be readable through the web root, and cloud and SaaS keys should carry least-privilege scopes so that a harvested key cannot hijack the whole account.
- If a .env file or API key may have been exposed, rotate the affected AWS, SES SMTP, Twilio, SendGrid, and PayPal credentials and review the account for newly created keys, SES identities, or changed sending quotas.
- Be wary of emails, attachments, and links from unknown sources, and avoid downloading software from untrusted sources or clicking suspicious ads or pop-ups.
- Promptly apply security patches and updates for operating systems, applications, CMS platforms, and browsers to close the vulnerabilities threat actors exploit to deliver malware or reach credential files.
- Use web filtering solutions and URL reputation services to block access to known malicious websites.
- Implement network segmentation to isolate critical systems, such as those holding financial data or account credentials, limiting lateral movement and the impact of a compromise.
- Monitor for unusual activity such as unauthorized access attempts, cloud API calls from unfamiliar IP addresses, and data exfiltration, and maintain an incident response plan to contain breaches quickly.
- Keep regular backups of critical data stored securely offline so that recovery is possible after a successful attack or data loss.
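One concrete form of the monitoring recommended above is to watch CloudTrail for the account reconnaissance the analysis describes (SES configuration and EC2 service quota checks) coming from an access key used at an IP address you do not recognise. The following is an added example written for this advisory, not Rewterz's or FBot's code. The advisory does not state which AWS API calls FBot issues, so the set of event names below is an assumption about what such checks look like in CloudTrail; the allowlisted egress IP and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail event names that correspond to SES-configuration and quota
# reconnaissance. Assumed: the advisory does not list FBot's actual API calls.
RECON_EVENTS = {
    "ses.amazonaws.com": {"GetSendQuota", "GetAccountSendingEnabled", "ListIdentities"},
    "ec2.amazonaws.com": {"DescribeAccountAttributes"},
    "servicequotas.amazonaws.com": {"ListServiceQuotas", "GetServiceQuota"},
    "sts.amazonaws.com": {"GetCallerIdentity"},
}

# Source IPs your own application and CI hosts call AWS from (assumed value).
KNOWN_EGRESS = {"203.0.113.10"}

# Constructed sample of CloudTrail records, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-12T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2024-01-12T10:00:05Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2024-01-12T10:00:06Z", "eventSource": "ses.amazonaws.com",
     "eventName": "ListIdentities", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2024-01-12T10:00:09Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeAccountAttributes", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    # Benign: same calls from the known egress IP are ignored.
    {"eventTime": "2024-01-12T10:01:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
    # Benign: a single recon call from a new IP is below the threshold.
    {"eventTime": "2024-01-12T10:02:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
    # Not reconnaissance at all.
    {"eventTime": "2024-01-12T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def is_recon(event):
    """True if the event is one of the reconnaissance calls in RECON_EVENTS."""
    return event.get("eventName") in RECON_EVENTS.get(event.get("eventSource"), set())


def find_recon_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """Alert when one access key, from an IP outside KNOWN_EGRESS, issues at
    least `min_distinct` different reconnaissance calls within `window`.
    Returns one alert dict per (access key, source IP) pair."""
    by_actor = defaultdict(list)
    for ev in events:
        if not is_recon(ev):
            continue
        ip = ev.get("sourceIPAddress", "?")
        if ip in KNOWN_EGRESS:
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "?")
        by_actor[(key, ip)].append(ev)

    alerts = []
    for (key, ip), evs in by_actor.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):  # sliding window from each event
            start = _ts(first)
            names = {e["eventName"] for e in evs[i:] if _ts(e) - start <= window}
            if len(names) >= min_distinct:
                alerts.append({"accessKeyId": key, "sourceIPAddress": ip,
                               "first_seen": first["eventTime"], "calls": sorted(names)})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_recon_bursts(SAMPLE_EVENTS):
        print(alert)
```

In production the records come from a CloudTrail query or an S3 export rather than the inline list; the threshold and window are starting points, and any alert should be followed by rotating the key and checking for new SES identities or quota changes.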