FBot Emerges: Python-Based Hacking Tool Targets AWS, Microsoft 365, PayPal, and More
Plus, GitHub Becomes a Haven for Cyber Threats: Adversaries Exploit Platform's Ubiquity for Stealthy Malicious Activities
SentinelOne Uncovers FBot, a New Cloud Hacking Tool with Diverse Attack Capabilities
A newly discovered Python-based hacking tool named FBot is causing concern in cybersecurity circles as it actively targets web servers, cloud services, content management systems (CMS), and SaaS platforms, including heavyweights like Amazon Web Services (AWS), Microsoft 365, PayPal, Sendgrid, and Twilio. Uncovered by SentinelOne researchers, FBot stands out due to its diverse set of features, including credential harvesting for spamming attacks, tools for AWS account hijacking, and functionalities enabling assaults on PayPal and various SaaS accounts.
While FBot shares similarities with other cloud hacking tools like AlienFox, GreenBot, Legion, and Predator, it distinguishes itself by not referencing any source code from AndroxGh0st. Its primary objective is to compromise cloud, SaaS, and web services, harvesting credentials for initial access, with the eventual goal of monetizing this access by selling it to other threat actors.
FBot's capabilities include generating API keys for AWS and Sendgrid, random IP address generation, reverse IP scanning, and validation of PayPal accounts and associated email addresses. Interestingly, FBot initiates PayPal API requests through a retail sales website, "robertkalinkin.com," indicating a noteworthy point of convergence with several Legion Stealer samples.
The tool also features AWS-specific functionalities, checking for AWS Simple Email Service (SES) email configuration details and determining EC2 service quotas for targeted accounts. Additionally, its Twilio-related functionality gathers information about the account, such as balance, currency, and connected phone numbers.
SentinelOne uncovered FBot samples dating from July 2022 to the present, suggesting active usage in the wild. While it remains unclear whether the tool is actively maintained and how it's distributed, the cybersecurity firm notes indications that FBot is likely a product of private development work, potentially being distributed through smaller-scale operations. This aligns with the trend of bespoke "private bots" in the realm of cloud attack tools, tailored to individual buyers and highlighting the evolving landscape of cyber threats.
Cybersecurity Alert: GitHub's Popularity Exploited by Threat Actors for Command-and-Control and Payload Delivery
The widespread adoption of GitHub in IT environments has inadvertently turned the platform into a prime choice for threat actors seeking to host and deliver malicious payloads, establish command-and-control (C2) operations, and serve as points for data exfiltration. Recorded Future has coined this tactic as "living-off-trusted-sites" (LOTS), a play on the living-off-the-land (LotL) techniques employed by threat actors to camouflage their activities within legitimate platforms, making detection and attribution more challenging.
GitHub's appeal to threat actors lies in its ability to blend with legitimate network traffic, effectively evading traditional security defenses. While the platform is not commonly used for full-fledged C2 implementations, it serves as a prevalent dead drop resolver, wherein threat actors leverage actor-controlled GitHub repositories to obtain the actual C2 URL. This tactic is notably employed by malware such as Drokbk and ShellBox.
Another observed but less frequent use of GitHub by threat actors is for data exfiltration. Recorded Future suggests that this rarity could be attributed to concerns related to file size and storage limitations, as well as discoverability issues.
Beyond these main schemes, threat actors employ various GitHub features for infrastructure-related purposes. GitHub Pages, for example, have been repurposed as phishing hosts or traffic redirectors, with some campaigns employing GitHub repositories as backup C2 channels.
This trend aligns with a broader pattern of malicious actors exploiting legitimate internet services, including Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello, and Discord. Other source code and version control platforms like GitLab, BitBucket, and Codeberg are also not immune to exploitation.
Recorded Future emphasizes the complexity of addressing GitHub abuse detection, noting that a combination of detection strategies tailored to specific environments, organizational structures, service usage patterns, and risk tolerance is essential in combating these evolving cyber threats. The report serves as a cybersecurity alert, highlighting the need for heightened vigilance in the face of adversaries leveraging trusted platforms for nefarious purposes.
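One concrete detection along the lines Recorded Future describes, aimed at the dead-drop-resolver pattern discussed above: a host that repeatedly fetches raw GitHub content on a near-fixed interval with a non-browser client is worth a look. This is an added example, not code from the Recorded Future report or any malware it covers; the proxy log format, the host names and the `EXAMPLE-ACCOUNT` repository path are constructed for illustration.

```python
"""Flag hosts whose raw-GitHub fetches look like dead-drop beaconing.

Added example (not from the original article). Input lines are constructed
proxy records in the form: "<epoch> <src_host> <method> <url> <user_agent>".
"""
from collections import defaultdict
from statistics import pstdev
from urllib.parse import urlparse

# Hosts that serve repository file contents directly; a dead drop resolver
# typically reads a small text file from one of these rather than github.com.
DEAD_DROP_HOSTS = {"raw.githubusercontent.com", "gist.githubusercontent.com"}

# Constructed sample log: ws-17 polls one file every 300 s with a scripted
# client; dev-03 and build-01 are ordinary, irregular developer traffic.
SAMPLE_LOG = [
    "1700000000 ws-17 GET https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/notes/main/cfg.txt python-requests/2.31",
    "1700000050 dev-03 GET https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/tool/main/README.md git/2.43",
    "1700000300 ws-17 GET https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/notes/main/cfg.txt python-requests/2.31",
    "1700000600 ws-17 GET https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/notes/main/cfg.txt python-requests/2.31",
    "1700000700 build-01 GET https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/ci/main/run.sh curl/8.4",
    "1700000740 build-01 GET https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/ci/main/env.sh curl/8.4",
    "1700000900 ws-17 GET https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/notes/main/cfg.txt python-requests/2.31",
    "1700001200 ws-17 GET https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/notes/main/cfg.txt python-requests/2.31",
    "1700001600 build-01 GET https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/ci/main/run.sh curl/8.4",
    "1700001650 build-01 GET https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/ci/main/lint.sh curl/8.4",
    "1700002000 ws-22 GET https://github.com/EXAMPLE-ACCOUNT/notes Mozilla/5.0",
]


def parse_line(line):
    """Split one proxy record; the user agent may itself contain spaces."""
    ts, src, method, url, ua = line.split(" ", 4)
    return int(ts), src, method, url, ua


def find_beaconing_hosts(lines, min_fetches=4, max_jitter=0.2):
    """Return {src_host: [urls]} for hosts that fetch raw GitHub content with a
    non-browser user agent at least min_fetches times, where the gaps between
    fetches vary by no more than max_jitter (stdev / mean) - i.e. a poll loop."""
    by_host = defaultdict(list)
    for line in lines:
        ts, src, _method, url, ua = parse_line(line)
        if urlparse(url).hostname in DEAD_DROP_HOSTS and not ua.startswith("Mozilla/"):
            by_host[src].append((ts, url))
    flagged = {}
    for src, fetches in by_host.items():
        if len(fetches) < min_fetches:
            continue
        fetches.sort()
        gaps = [b[0] - a[0] for a, b in zip(fetches, fetches[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            flagged[src] = sorted({url for _, url in fetches})
    return flagged
```

Tune `min_fetches` and `max_jitter` to the environment: CI runners and package managers also hit these hosts, so the thresholds, not the host list, carry the signal.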