A new comprehensive toolset for harvesting credentials across multiple cloud services providers has been spotted in the wild being distributed on Telegram.

Detailed today by researchers at SentinelLabs, the “AlienFox” toolset is described as a cloud spammer’s “Swiss Army knife” thanks to its ability to attack multiple services in numerous ways. Attackers use AlienFox to harvest application programming interface keys and secrets from services, including Amazon Simple Email Service and Microsoft Office 365.

AlienFox is a modular toolset involving the distribution of source code archives. Though primarily distributed on Telegram, some of the modules are also available on GitHub. Most of the tools offered as part of AlienFox are open source, meaning that they can also be modified to suit the specific needs of attackers.

An attack using AlienFox starts with attackers using the toolset to collect lists of misconfigured hosts from security scanning platforms such as LeakIX and SecurityTrails. Having obtained the information, multiple scripts in the toolset are then used to extract sensitive information, such as API keys and secrets from configuration files exposed on victims’ web servers.

Later versions of AlienFox are said to establish Amazon Web Services Inc. account persistence and privilege escalation. The toolkit can also collect send quotas and automate spam campaigns through victim accounts or services. According to the researchers, the spread of AlienFox represents an unreported trend toward attacking more minimal cloud services, unsuitable for cryptomining, to enable and expand subsequent campaigns.

“The emergence of toolkits like AlienFox underscores the increasing sophistication of attacker networks and their collective ability to cause harm and disruption,” Dan Benjamin, chief executive of data security company Dig Security Solutions Ltd., told SiliconANGLE. “This is a very concerning trend where the attackers behind AlienFox are adapting the tool to be effective across more targets, particularly those in use widely across enterprises.”

Benjamin warns that massive amounts of sensitive data in cloud-based email and messaging systems are now at severe risk of exposure. “Considering how widely platforms like AWS, Google Workspace, Office365 and Zoho are used — even if the targeting is opportunistic — the potential for widespread business risk is substantial,” he added. “The whole supply chain can be put at risk. The realities of this threat cannot be ignored, especially as toolkits evolve in the wild.”

Image: AlienFox/SentinelLabs