Researchers have discovered a new Python-based hacking tool that cybercriminals are using to target cloud platforms, SaaS platforms and payment services, including AWS, Office365, PayPal and Twilio.
The tool, which is called FBot and has functionalities for harvesting credentials and hijacking accounts, shows the continued interest by cybercriminals in cloud platforms as an attack vector, and researchers urge organizations to enable MFA for AWS services with programmatic access to minimize the potential impact of tools like these.
“FBot demonstrates another tool family that continues the trend of adopting cloud attack tool code from one tool into another, while maintaining its own distinct flavor,” said Alex Delamotte, senior threat researcher at SentinelLabs. “We have seen samples spanning July 2022 to January 2024, showing there is continued proliferation of this tool.”
FBot is purpose-built for targeting cloud, SaaS and web services, and several of its features are dedicated to attacking AWS accounts. One function checks the details of an AWS account’s Simple Email Service (SES) configuration (including the maximum send quota and how many messages were sent in the last 24 hours), likely to set the stage for spamming. Another checks the targeted account’s service quotas for Amazon Elastic Compute Cloud (EC2), the web service that lets users create and run virtual machines in the cloud; this function collects information about the account’s EC2 configuration and capabilities, including which EC2 instance types it is able to run.
FBot has a feature that validates whether email addresses are associated with PayPal accounts. For SaaS platforms, it includes functions for generating API keys for SendGrid and one for checking the balance, currency, and phone numbers connected to Twilio accounts.
In the broader ecosystem of cloud malware families, FBot is somewhat distinct in that it does not use the code of the Androxgh0st credential scraping module (as others, like the Predator and AlienFox malware families do) but instead has several connections to the Legion cloud information stealer. Compared to other tools, FBot also has a smaller footprint that Delamotte said possibly indicates private development or a more targeted approach.
In addition to enabling MFA, enterprises should set up alerts that detect when new AWS user accounts are added to the organization, or when major configuration changes are made to SaaS bulk-mailing applications.
“As far as defending against these types of threats, it is really a matter of… making sure you have basic security hygiene like multi-factor authentication, that you’re limiting the scope of access for credentials, that’s really going to prevent actors from being able to use this tool,” said Delamotte. “One example is that if an AWS Simple Email Service credential has administrator access for the full account, what the actor will do [post compromise] is create a new user account and assign the administrative profile to it, so making sure you’re limiting the scope is crucial.”
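As an added example that is not part of the article and is neither FBot nor SentinelLabs code: hypothetical detection rules in Python, run over constructed CloudTrail-style records, covering the alerts suggested above (new IAM users, SES configuration changes) and the create-a-user-then-assign-admin sequence Delamotte describes. The event names, event sources and the AdministratorAccess policy ARN are real AWS identifiers; the user names, timestamps and 30-minute correlation window are assumptions.

```python
# Added example (not FBot code, not from SentinelLabs): rules over CloudTrail
# records that flag the pattern quoted above: a principal creates an IAM user
# and then grants it AdministratorAccess, plus SES configuration changes.
from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# SES API calls that alter the account's mailing configuration (real action names).
SES_CONFIG_EVENTS = {"UpdateAccountSendingEnabled", "VerifyEmailIdentity",
                     "CreateConfigurationSet", "PutAccountDetails", "DeleteIdentity"}
WINDOW = timedelta(minutes=30)  # create-then-escalate correlation window (assumed)

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def analyze(events):
    """Return (severity, rule, actor, eventName) tuples in time order."""
    findings, created = [], {}  # created: (actor, new user) -> creation time
    for ev in sorted(events, key=_ts):
        name, src = ev["eventName"], ev["eventSource"]
        actor = ev["userIdentity"].get("userName") or ev["userIdentity"].get("arn", "?")
        params = ev.get("requestParameters") or {}
        if src == "iam.amazonaws.com" and name == "CreateUser":
            created[(actor, params.get("userName"))] = _ts(ev)
            findings.append(("medium", "new-iam-user", actor, name))
        elif src == "iam.amazonaws.com" and name == "AttachUserPolicy" \
                and params.get("policyArn") == ADMIN_POLICY:
            when = created.get((actor, params.get("userName")))
            if when is not None and _ts(ev) - when <= WINDOW:
                findings.append(("high", "create-then-admin", actor, name))
            else:
                findings.append(("medium", "admin-policy-attached", actor, name))
        elif src == "ses.amazonaws.com" and name in SES_CONFIG_EVENTS:
            findings.append(("medium", "ses-config-change", actor, name))
    return findings

def _rec(time, actor, source, name, **params):
    """Build a constructed CloudTrail record trimmed to the fields the rules read."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": actor},
            "requestParameters": params or None}

SAMPLE = [  # constructed: a compromised SES credential escalates, then an admin's routine change
    _rec("2024-01-15T10:00:00Z", "ses-mailer", "iam.amazonaws.com", "CreateUser", userName="backup-admin"),
    _rec("2024-01-15T10:05:00Z", "ses-mailer", "iam.amazonaws.com", "AttachUserPolicy",
         userName="backup-admin", policyArn=ADMIN_POLICY),
    _rec("2024-01-15T10:06:00Z", "ses-mailer", "ses.amazonaws.com", "UpdateAccountSendingEnabled", enabled=True),
    _rec("2024-01-15T12:00:00Z", "ops-admin", "iam.amazonaws.com", "AttachUserPolicy",
         userName="alice", policyArn=ADMIN_POLICY),
]
if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(*finding)
```

The second AttachUserPolicy is only medium because no matching CreateUser by the same actor precedes it within the window, which is the distinction that keeps routine administration from paging anyone.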