
Legion, a credential harvesting tool, expands its target to include more cloud services


A new update to Legion, a commercial credential-harvesting tool sold to attackers, enables it to extract credentials for additional cloud services and to authenticate over SSH. Its main aim is to gather credentials stored in configuration files for email providers, server management systems, databases, cloud service providers and payment systems, and it hijacks those resources to launch email and SMS spam campaigns. The update widens the tool’s scope, adding capabilities such as compromising SSH servers and retrieving additional AWS-specific credentials from Laravel web applications, according to researchers from cloud forensics and incident response firm Cado Security. The tool has zero detections on the multi-engine scanning site VirusTotal, which indicates how well its creators understand evasion techniques.

Legion is sold through a private Telegram group, along with additional modules that extend its functionality. It uses the Shodan API to find targets, enumerates vulnerable SMTP servers, launches remote code execution (RCE) exploits against web applications, exploits vulnerable versions of Apache, brute-forces cPanel and WHM accounts and deploys web shells. It also harvests credentials for a range of services beyond AWS, including Twilio, Nexmo, Stripe/PayPal, AWS console credentials, AWS SNS, S3 and SES-specific credentials, Mailgun, Plivo, ClickSend, Mandrill, Mailjet, MessageBird, Vonage, Exotel, OneSignal, Clickatell, and Tokbox.

Cado Security researchers first brought Legion’s capabilities to public attention last month, but the malware closely resembles a tool called AndroxGh0st that researchers from Lacework analyzed in December. Neither tool is flagged by detection engines, despite having different developers, which shows how mature attackers’ evasion techniques have become.

The primary motive of Legion’s operators is to launch email and SMS spam campaigns using hijacked Simple Mail Transfer Protocol (SMTP) credentials. The tool contains scripts that use SMTP to reach the email-to-SMS gateways of most mobile carriers nationwide. Some of the targeted cloud platform credentials also appear to serve the end goal of sending spam: for instance, collected AWS IAM credentials are tested to see whether they work with Amazon’s Simple Email Service (SES). The tool also targets credentials for SendGrid, an email marketing platform.

Other targeted credentials, such as those for databases and web hosting administration panels, do not seem related to spam but could support the attackers’ other activities. The latest Legion variant adds credential extraction for DynamoDB, Amazon CloudWatch, and AWS Owl, letting attackers monitor changes to AWS accounts. The malware’s operators deploy it by exploiting PHP, Apache, or content management system vulnerabilities that let them plant web shells or remotely execute code on servers.

Legion then abuses common misconfigurations in web server permissions, PHP applications, or PHP frameworks such as Laravel to reach configuration files and files containing environment variables. Attackers know such files store secrets and credentials for the databases and services that web applications need in order to function. The Cado researchers explained that Legion looks for these .env files by probing the target server with a list of hardcoded paths where such files typically reside. Where misconfiguration leaves those paths publicly accessible, the files are retrieved and regular expressions are run over their contents to extract credentials.
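From the defender's side, the probing described above leaves a distinctive trail in web server access logs. The following Python is an added example (not code from the article or from Cado Security) that scans combined-format log lines for requests to environment-file paths and separates mere probes from requests the server actually answered with a 2xx; the log lines and the path pattern are constructed for illustration, not Legion's own path list.

```python
import re
from collections import defaultdict

# Constructed access-log lines in combined format (not from the article).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2023:12:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.28"
203.0.113.5 - - [10/May/2023:12:00:02 +0000] "GET /laravel/.env HTTP/1.1" 200 512 "-" "python-requests/2.28"
198.51.100.7 - - [10/May/2023:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2023:12:00:04 +0000] "GET /app/.env.bak HTTP/1.1" 403 0 "-" "python-requests/2.28"
"""

# Combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed pattern for environment files (.env, .env.bak, .env.production, ...);
# Legion's actual hardcoded path list is not reproduced here.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[\w-]+)?$', re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_log(text):
    """Return one finding per request for an env-style file.

    A 2xx status means the file was actually served (secrets likely exposed);
    any other status is still recorded as a probe from that client.
    """
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if not rec or not ENV_PATH_RE.search(rec["path"]):
            continue
        status = int(rec["status"])
        rec["status"] = status
        rec["severity"] = "critical" if 200 <= status < 300 else "probe"
        findings.append(rec)
    return findings

def probes_per_client(findings):
    """Count env-file requests per source address to spot scanning clients."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["path"], f["status"])
```

A "critical" finding is the one to act on first: rotate every secret in that file, then fix the web server or framework configuration that served it.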

The newest version of Legion retrieves additional AWS-specific credentials from web applications and attempts SSH logins, which makes it more sophisticated than earlier versions that lacked this capability. A successful SSH login means the attackers hold valid credentials and can keep accessing the server indefinitely, which raises the security concern considerably. The Cado researchers advise web application administrators and developers to review access to resources within their applications frequently and to consider alternatives to storing secrets in environment files. They also note that when the malware compromises an AWS account, it creates an IAM user with the tag “Owner” set to the value “ms.boharas”, which defenders can use to detect suspicious activity.
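The IAM tag mentioned above is something a defender can hunt for in CloudTrail. The following Python is an added example (not code from the article or from Cado Security) that walks a batch of CloudTrail records and reports every IAM CreateUser or TagUser event that applies the Owner=ms.boharas tag; the records are constructed, and the requestParameters layout (a "tags" list of key/value objects) is assumed to match CloudTrail's IAM events.

```python
import json

# Indicator reported in the article: IAM users Legion creates carry this tag.
SUSPICIOUS_TAGS = {("Owner", "ms.boharas")}

# Constructed CloudTrail records (not real telemetry). Field layout follows
# CloudTrail's IAM CreateUser/TagUser events as assumed here.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "eventTime": "2023-05-10T12:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/web-app"},
     "requestParameters": {"userName": "backup-svc",
                           "tags": [{"key": "Owner", "value": "ms.boharas"}]}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "eventTime": "2023-05-10T12:05:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"userName": "ci-deploy",
                           "tags": [{"key": "Owner", "value": "platform-team"}]}},
    {"eventSource": "iam.amazonaws.com", "eventName": "TagUser",
     "eventTime": "2023-05-10T12:07:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/web-app"},
     "requestParameters": {"userName": "ci-deploy",
                           "tags": [{"key": "Owner", "value": "ms.boharas"}]}},
]})

def _tags(record):
    """Collect (key, value) pairs from the event's tag list, if any."""
    params = record.get("requestParameters") or {}
    return {(t.get("key"), t.get("value")) for t in params.get("tags", [])}

def find_legion_iam_activity(trail_json):
    """Return (eventName, userName, actorArn, eventTime) for every IAM
    CreateUser/TagUser event that applies a known Legion tag."""
    hits = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in ("CreateUser", "TagUser"):
            continue
        if _tags(rec) & SUSPICIOUS_TAGS:
            hits.append((rec["eventName"],
                         rec["requestParameters"].get("userName"),
                         rec.get("userIdentity", {}).get("arn"),
                         rec.get("eventTime")))
    return hits

if __name__ == "__main__":
    for hit in find_legion_iam_activity(SAMPLE_TRAIL):
        print(*hit)
```

The actor ARN in each hit matters as much as the tag: a web application's own IAM principal creating users is the pattern to expect when credentials were lifted from its .env file.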
