UPDATED 09:00 EST / JANUARY 11 2024

SECURITY

FBot malware emerges as significant threat to cloud and payment services

A new report released today by SentinelLabs, the research arm of publicly listed cybersecurity company SentinelOne Inc., warns of a sophisticated Python-based malware family that targets cloud and payment services.

Dubbed “FBot,” the malware is said to represent a significant threat because it specifically targets web servers, cloud services and software-as-a-service platforms, including Amazon Web Services Inc., Microsoft Corp.’s Office365, PayPal Holdings Inc., Sendgrid Inc. and Twilio Inc.

Unlike much other cloud malware, FBot is not derived from the commonly used AndroxGh0st code but instead shares similarities with the Legion cloud infostealer, suggesting a separate development lineage. Its primary functions are credential harvesting, AWS account hijacking and attacks on PayPal and other SaaS accounts.

FBot is said to have a smaller footprint than similar tools, which the researchers read as a sign of private development and a more focused distribution strategy.

The malware features a range of tools, including an IP address generator, port scanner, email validator, AWS API Key Generator, Mass AWS Checker, AWS EC2 Checker and specific tools targeting Sendgrid and Twilio. FBot is also capable of targeting popular content management systems such as WordPress.

It can also check whether a URL serves a Laravel environment (.env) file, the configuration file in which Laravel applications store environment-specific variables such as database credentials, application programming interface keys and other secrets; a .env file reachable over HTTP hands every credential in it to whoever requests it. The tooling is driven by configuration files or headers, and FBot is also available in versions compiled as a Windows executable.
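The same check from the defender’s side: a small Python self-check, added here as an illustration and not code from FBot or from the SentinelLabs report, that decides whether a fetched document is a raw Laravel .env file and lists the names (never the values) of the sensitive variables it would leak. The marker keys are those Laravel ships in its .env.example; the sensitive-suffix list, the sample bodies and the check_url helper are assumptions made for the example.

```python
"""Self-check: does a fetched document look like an exposed Laravel .env file?
Added example; not FBot's code and not from the SentinelLabs report."""
from __future__ import annotations

import re
import urllib.request

# Keys every Laravel install gets from the framework's .env.example.
LARAVEL_MARKERS = ("APP_NAME", "APP_ENV", "APP_KEY", "APP_DEBUG", "DB_CONNECTION", "DB_HOST")
# Variable-name suffixes reported as sensitive (assumption: chosen for this example).
SENSITIVE_SUFFIXES = ("_KEY", "_SECRET", "_PASSWORD", "_TOKEN")

ENV_LINE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(body: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; skip blanks and '#' comments; strip matching quotes."""
    env: dict[str, str] = {}
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = ENV_LINE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def looks_like_laravel_env(body: str, min_markers: int = 2) -> bool:
    """True when the body is a raw dotenv file carrying Laravel-specific keys.

    An HTML response is rejected outright, so a soft-404 page that echoes
    fragments of the request cannot score, and several markers are required
    so that a non-Laravel .env (Node, Django, ...) does not count."""
    if "<html" in body[:2048].lower():
        return False
    env = parse_dotenv(body)
    return sum(key in env for key in LARAVEL_MARKERS) >= min_markers


def exposed_secret_names(body: str) -> list[str]:
    """Names (never values) of sensitive variables that carry a non-empty value."""
    env = parse_dotenv(body)
    return sorted(k for k, v in env.items() if v and k.endswith(SENSITIVE_SUFFIXES))


def check_url(url: str, timeout: float = 5.0) -> tuple[bool, list[str]]:
    """Fetch e.g. https://host.example/.env and report exposure.
    Network call: run it only against hosts you are responsible for."""
    req = urllib.request.Request(url, headers={"User-Agent": "env-exposure-self-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read(64 * 1024).decode("utf-8", errors="replace")
    return looks_like_laravel_env(body), exposed_secret_names(body)


# Constructed sample bodies (no real secrets) standing in for HTTP responses.
EXPOSED_ENV_BODY = """\
APP_NAME=Laravel
APP_ENV=production
APP_KEY=base64:ZmFrZS1rZXktZm9yLWV4YW1wbGUtb25seQ==
APP_DEBUG=false
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PASSWORD="not-a-real-password"
MAIL_PASSWORD=
AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001
AWS_SECRET_ACCESS_KEY=example-secret-not-real
"""
HTML_404_BODY = "<!DOCTYPE html><html><body>APP_KEY=... not found</body></html>"
GENERIC_ENV_BODY = "NODE_ENV=production\nPORT=3000\n"

if __name__ == "__main__":
    for name, body in (("exposed", EXPOSED_ENV_BODY), ("html", HTML_404_BODY), ("node", GENERIC_ENV_BODY)):
        print(name, looks_like_laravel_env(body), exposed_secret_names(body))
```

On a real finding the remediation is not just blocking the URL: every credential in the file, the AWS keys in particular, must be treated as compromised and rotated, because the file may already have been collected before the check was run.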

The SentinelLabs researchers argue that the private nature of FBot’s development sets it apart from other widely distributed malware tools. The report warns of FBot’s potential impact on cloud and payment security and calls for heightened vigilance. Organizations are advised to enable multifactor authentication on AWS accounts if they have not already done so and to set up alerts for unusual activity in their cloud services. One caveat worth adding: MFA protects console sign-in, but a long-lived access key harvested from an exposed configuration file can still be used against the API unless IAM policies require MFA for those calls, so leaked keys also have to be rotated.

“Create alerts that notify security operations teams when a new AWS user account is added to the organization, as well as alerts for new identities added or major configuration changes to SaaS bulk mailing applications where possible,” the researchers conclude.
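One way to implement the AWS half of that recommendation, as an added example that is not taken from the report: a Python function run over CloudTrail records that flags calls creating a new IAM user or a new credential for one, with an allowlist for the automation role that is expected to do so. It goes slightly beyond the quoted advice by also watching CreateAccessKey, CreateLoginProfile and policy attachments, since a new user is only useful to an attacker once it has a credential and permissions. The event list, the allowlisted role ARN and the four sample records (AWS documentation account ID, RFC 5737 addresses, fake key ID) are constructed for the example.

```python
"""Flag CloudTrail records that add an AWS identity or credential.
Added example of the alert the researchers recommend; not from the report."""
from __future__ import annotations

import json
from typing import Iterable

# Control-plane calls that create a principal or a credential for one.
# Assumption: this set was chosen for the example, not taken from the report.
IDENTITY_EVENTS = {
    ("iam.amazonaws.com", "CreateUser"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "CreateLoginProfile"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("iam.amazonaws.com", "PutUserPolicy"),
}


def actor_arn(record: dict) -> str:
    """ARN of the principal behind the call. For AssumedRole sessions return the
    role ARN (sessionIssuer) so an allowlist can name the role, not each session."""
    ident = record.get("userIdentity") or {}
    if ident.get("type") == "AssumedRole":
        return ((ident.get("sessionContext") or {}).get("sessionIssuer") or {}).get("arn", "")
    return ident.get("arn", "")


def find_identity_changes(records: Iterable[dict], trusted_arns: Iterable[str] = ()) -> list[dict]:
    """One finding per identity-creating call not made by a trusted principal.
    Denied attempts are kept (errorCode is reported): a stolen key probing IAM
    is itself worth an alert."""
    trusted = set(trusted_arns)
    findings = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) not in IDENTITY_EVENTS:
            continue
        actor = actor_arn(rec)
        if actor in trusted:
            continue
        params = rec.get("requestParameters") or {}
        resp = rec.get("responseElements") or {}
        findings.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec["eventName"],
            "actor": actor,
            "sourceIP": rec.get("sourceIPAddress"),
            "targetUser": params.get("userName"),
            "accessKeyId": (resp.get("accessKey") or {}).get("accessKeyId"),
            "errorCode": rec.get("errorCode"),
        })
    return findings


def records_from_cloudtrail_json(text: str) -> list[dict]:
    """A CloudTrail log file is a JSON object whose 'Records' list holds the events."""
    return json.loads(text).get("Records", [])


# Constructed sample records; field layout follows CloudTrail's record format.
TRUSTED_ROLE = "arn:aws:iam::123456789012:role/terraform-apply"
SAMPLE_RECORDS = [
    {  # routine read by a developer: ignored
        "eventTime": "2024-01-11T08:55:01Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    },
    {  # the IaC role creating a service user: expected, allowlisted
        "eventTime": "2024-01-11T08:57:12Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/terraform-apply/ci-1234",
            "sessionContext": {"sessionIssuer": {"arn": TRUSTED_ROLE}},
        },
        "requestParameters": {"userName": "svc-backup"},
    },
    {  # a CI user's long-lived key creating a new user from an unfamiliar address...
        "eventTime": "2024-01-11T09:03:44Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "sourceIPAddress": "192.0.2.200",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
        "requestParameters": {"userName": "support"},
    },
    {  # ...and immediately minting an access key for it
        "eventTime": "2024-01-11T09:03:46Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "sourceIPAddress": "192.0.2.200",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
        "requestParameters": {"userName": "support"},
        "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE000000002",
                                           "userName": "support", "status": "Active"}},
    },
]

if __name__ == "__main__":
    for finding in find_identity_changes(SAMPLE_RECORDS, {TRUSTED_ROLE}):
        print(json.dumps(finding))
```

In production the same logic belongs in an EventBridge rule or the SIEM that ingests CloudTrail, and the allowlist should name roles rather than users: a long-lived key of an IAM user is exactly the kind of credential an exposed .env file leaks, which is why the two findings above come from the same user and address within seconds of each other.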

Image: DALL-E 3
