AlienFox is a malicious modular toolkit that threat actors can buy via a private Telegram channel.
New AlienFox toolkit steals credentials for 18 cloud services (bleepingcomputer.com)
The malware can be configured to scan for misconfigured servers and steal authentication details and credentials for a range of popular cloud-based services such as WordPress, Drupal, Joomla, Opencart and Prestashop. It’s information-extraction scripts searches out sensitive configuration files storing data that includes credentials, API keys, authentication tokens and email system credentials. Targeted email systems include:
- 1and1
- AWS
- Google Workspace
- Office365,
- Twilio
- Zimbra
- Zoho
The article has a more comprehensive list – I have listed the ones we work with.
The malware can also be expanded to establish a persistent presence on the server and will attempt to escalate user account privileges.
Your take away – as always in this type of situation attacking popular platforms – is keep things patched and up to date. In this particular case make sure installations such as WordPress, Drupal etc. are configured correctly when initially set up and then maintained.
Clive Catton MSc (Cyber Security) – by-line and other articles
Further Reading
How much are you relying on your web designer to protect your reputation?
The following article includes a short case study about how we implement WordPress account types for better security:
Why you should care about the TLA AAA! – CyberAwake
My advice: Either you or your IT support need to check whether these issues impact your systems. You need to have a master document that details your systems, hardware, software, online, networks, back-ups, suppliers etc – so when cyber security (or operational) issues arise you and your support teams can quickly check if you are affected. From there you can take fast, effective action.
