UPDATED 09:00 EST / JANUARY 11 2024

SECURITY

FBot malware emerges as significant threat to cloud and payment services

A new report released today by SentinelLabs, the research arm of listed cybersecurity company SentinelOne Inc., is warning of a new sophisticated Python-based malware targeting cloud and payment services.

Dubbed “FBot,” the malware is said to represent a significant threat due to its specific targeting of web servers, cloud services and software-as-a-service platforms, including Amazon Web Services Inc., Microsoft Corp.’s Office365, PayPal Holdings Inc., Sendgrid Inc. and Twilio Inc..

Differing from other forms of cloud malware, FBot is not derived from the commonly used Androxgh0st code, but instead shares similarities with the Legion cloud infostealer, suggesting a different lineage in malware development. Its primary functions include credential harvesting, AWS account hijacking tools and capabilities to attack PayPal and various SaaS accounts.

FBot is said to be characterized by a smaller footprint compared with similar tools, indicating possible private development and a more focused distribution strategy.

The malware features a range of tools, including an IP address generator, port scanner, email validator, AWS API Key Generator, Mass AWS Checker, AWS EC2 Checker and specific tools targeting Sendgrid and Twilio. FBot is also capable of targeting popular content management systems such as WordPress.

It also has features for validating if URLs host a Laravel environment file, a configuration file used in Laravel applications to store environment-specific variables such as database credentials, application programming interface keys and other sensitive information. Operating through configuration files or headers, FBot is also available in versions compiled as a Windows executable.

The SentinelLabs researchers argue that the private nature of FBot’s development sets it apart from other widely distributed malware tools. The report warns of FBot’s potential impact on cloud and payment security and a need for heightened vigilance among organizations. Organizations are advised to enable multifactor authentication for AWS accounts if they haven’t done so already and to set up alerts for unusual activities in their cloud services to mitigate the risk posed by this emerging threat.

“Create alerts that notify security operations teams when a new AWS user account is added to the organization, as well as alerts for new identities added or major configuration changes to SaaS bulk mailing applications where possible,”  the researchers conclude.

Image: DALL-E 3

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU