Malware hunters at SentinelOne warn of a newly discovered Python-based hacking tool being used by cybercriminals to hijack cloud platforms and payment services. The tool, called FBot, is capable, according to them, of collecting credentials for spam attacks, AWS account hijacking and functions to enable attacks against PayPal and various SaaS (software as a service) platform accounts.
According to documentation from the cybersecurity solutions provider’s research unit, Fbot is characterized by a smaller footprint compared to similar tools, indicating possible private development and a more targeted distribution approach.
SentinelLabs researcher Alex Delamotte dissected the attack tool’s internal components and found capabilities to target web servers and cloud services, as well as software-as-a-service technologies that include AWS Office365, PayPal, Sendgrid, and Twilio.
While the tool is primarily designed for hackers to hijack cloud, SaaS, and web services, Delamotte discovered a secondary focus on obtaining accounts to conduct spam attacks. “The tool contains several utilities, including an IP address generator and port scanner. There is also an email validation function, which uses an Indonesian technology service provider to validate email addresses,” said the SentinelLabs researcher.
The company also discovered several features targeting payment services, including a PayPal Validator feature, a SendGrid API key generator, and features for collecting important secrets.
Delamotte recommends that organizations enable multi-factor authentication (MFA) for AWS services with programmatic access and set up systems to alert security operations teams when a new AWS user account is added to the organization. It also suggests setting up alerts for new identities added or major configuration changes in SaaS mailing applications.
Sources: CisoAdvisor, SentinelLabs, Alex Delamotte
