Malware Devs Update Legion Hacktool, Boost Capabilities

A recently discovered cloud-focused malware tool has seemingly been updated with additional functionality.

The Legion hacktool, marketed on Telegram in public groups and channels, harvests credentials from misconfigured web servers and uses those credentials for email abuse, researchers at Cado Labs, who discovered Legion, said in a blog post.

“In the sample of Legion previously analysed by Cado, the developers included code within a class named ‘legion’ to parse a list of exfiltrated database credentials and extract username and password pairs,” the researchers said. “The function then attempted to use these credentials in combination with a matching host value to log in to the host via SSH–assuming that these credentials were being reused across services.”

The malware uses the Paramiko library, the standard SSH implementation for Python, to attempt those SSH logins from within its Python code.

Researchers noted that the malware hunts “for environment variable files in misconfigured web servers running PHP frameworks such as Laravel,” and then tries to access .env files “by enumerating the target server with a list of hardcoded paths in which these environment variable files typically reside.” If misconfigurations have made the paths publicly accessible, “the files are saved and a series of regular expressions are run over their contents,” they explained.

The regular expressions run over the environment variable files reveal “the services the malware attempts to retrieve credentials for,” the researchers said. The updated version of Legion searches for credentials to DynamoDB, Amazon CloudWatch and AWS Owl.

“For CloudWatch specifically, the malware searches for the environment variable CLOUDWATCH_LOG_KEY. This variable name appears in the documentation for public Laravel projects, including a project for handling CloudWatch logging in Laravel,” Cado researchers said. “This fits with Legion’s capabilities, as the tool’s credential harvesting feature targets Laravel apps.”
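To make the path-enumeration and regex steps above concrete from the defender's side, here is an added audit script (not Legion's code and not from Cado's write-up) that probes a site you own for an exposed .env at typical locations and reports which of the targeted variables it would have leaked. The probe paths, and every variable name except CLOUDWATCH_LOG_KEY and the AWS SDK's standard AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, are assumptions based on common Laravel layouts rather than the tool's actual list; the fetch function is injectable so the parser and flagging logic can be exercised offline.

```python
"""Audit a site for the exposed .env files Legion hunts, and flag which
credential variables it would have harvested.  Added illustration, not
Cado's or Legion's code.  Probe paths and most variable names are assumptions."""
import re
import sys
from typing import Callable, Dict, List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Assumed probe paths: Legion uses a hardcoded list; these are merely typical
# locations for a Laravel .env, not the tool's list.
ENV_PATHS = ["/.env", "/.env.backup", "/.env.production", "/laravel/.env",
             "/app/.env", "/backup/.env", "/public/.env"]

# Variables to flag if an .env is reachable. CLOUDWATCH_LOG_KEY is named by
# Cado; AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY are the SDK's standard names;
# the remaining names are assumed app-specific conventions.
TARGET_VARS = {
    "aws": ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_KEY", "AWS_SECRET"],
    "cloudwatch": ["CLOUDWATCH_LOG_KEY", "CLOUDWATCH_LOG_SECRET"],
    "dynamodb": ["DYNAMODB_KEY", "DYNAMODB_SECRET", "DYNAMODB_ACCESS_KEY_ID"],
    "owl": ["OWL_KEY", "OWL_SECRET"],
}
# Shape of an AWS access key ID (long-term AKIA..., temporary ASIA...).
AKIA_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
ENV_LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=value lines the way a dotenv loader does: skip comments and
    blank lines, strip a matching pair of single or double quotes."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        out[key] = val
    return out


def flag_credentials(env: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {service: [variable names]} for populated target variables.
    Any variable whose value looks like an AWS access key ID is reported
    under 'aws' even when its name is not in the list."""
    hits: Dict[str, List[str]] = {}
    for service, names in TARGET_VARS.items():
        found = [n for n in names if env.get(n)]
        if found:
            hits[service] = found
    for key, val in env.items():
        if AKIA_RE.search(val) and key not in hits.get("aws", []):
            hits.setdefault("aws", []).append(key)
    return hits


Fetcher = Callable[[str], Optional[str]]


def http_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Real fetcher: response body on HTTP 200, None on any error."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            if resp.getcode() != 200:
                return None
            return resp.read().decode("utf-8", "replace")
    except (HTTPError, URLError, OSError):
        return None


def looks_like_env(body: str) -> bool:
    """A Laravel .env carries APP_KEY/APP_ENV; a 200 that serves an HTML
    error page is not an exposure."""
    env = parse_env(body)
    return "APP_KEY" in env or "APP_ENV" in env


def audit_site(base_url: str, fetch: Fetcher = http_fetch) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Probe each candidate path; return (path, flagged credentials) for
    every path that serves a real .env."""
    base = base_url.rstrip("/")
    exposed = []
    for path in ENV_PATHS:
        body = fetch(base + path)
        if body and looks_like_env(body):
            exposed.append((path, flag_credentials(parse_env(body))))
    return exposed


if __name__ == "__main__":
    for path, creds in audit_site(sys.argv[1]):
        print(f"EXPOSED {path}: {creds or 'no targeted credentials'}")
```

Run it against a host you are authorised to test (`python audit_env.py https://app.example`); an empty result means none of the assumed paths served a file that parses as a Laravel environment. The `looks_like_env` check matters in practice because many sites answer every path with a 200 error page, which would otherwise look like an exposure.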

Misconfigurations continue to be a weak spot in the cloud and are ripe for exploitation. “As organizations continue to move legacy applications and systems to cloud infrastructure, they still struggle with misconfigurations exposing cloud environments. This makes them easy targets for cybercriminals,” said Joseph Carson, chief security scientist and advisory CISO at Delinea.

“Identities and credentials are a top target, and when attackers find a common misconfiguration that many organizations repeat, it is only a matter of time before they automate the discovery process,” said Carson. “This is exactly what has happened with the recent updates to the cloud credentials harvesting tool known as Legion.”

Cado warned that “this recent update demonstrates a widening of scope with new capabilities, such as the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications. It’s clear that the developers’ targeting of cloud services is advancing with each iteration.”

“The cloud has been here for some time now. Hybrid attacks are well-known; however, organizations are not prepared,” said Zur Ulianitzky, vice president of research at XM Cyber.

“This actually provides solid proof of why it is important to define our critical assets properly. This includes web servers that contain highly sensitive cloud credentials which must be protected,” he said. “Attackers will continue to evaluate and find more creative ways to compromise sensitive information and systems.”

Zane Bond, head of product at Keeper Security, said defenders should be aware of tools used by threat actors to run campaigns and take action. “For example, if the tool looks for credentials, stop hard-coding credentials into your systems. If you can’t do that, track any unexpected activity related to that credential,” he said. “Systems tend to be predictable. If svc_account_02 only ever ships logs from server A to server B, then a sign the account is being used for anything else should be suspicious.”

And if a tool “looks for environmental variables, stop hard-coding variables into your build systems for the life of the workload,” said Bond.

“Make the variable only available to a specific process and not the entire system,” he said. “Use a vault that allows for specific access to a credential only when needed, instead of making it available all the time.”
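An added example, not from Keeper or the article, of the predictability check Bond describes: learn the (source, action, target) triples a service principal uses during a window you have reviewed as legitimate, then flag any live event outside that set and say which field deviated. The JSON log lines and their field names are constructed for the illustration and follow no vendor's schema; the abuse window mimics what a harvested credential looks like in practice, the same key turning up from a new origin and calling a new API.

```python
"""Baseline-and-deviation check for a single-purpose service credential.
Added example; the log format below is constructed for the illustration."""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Triple = Tuple[str, str, str]          # (source, action, target)
Baseline = Dict[str, Set[Triple]]      # principal -> triples seen in review window


def parse_lines(lines: Iterable[str]) -> List[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in lines if line.strip()]


def learn_baseline(events: Iterable[dict]) -> Baseline:
    """Record, per principal, every (source, action, target) triple observed
    in a window a human has confirmed as normal operation."""
    base: Baseline = defaultdict(set)
    for e in events:
        base[e["principal"]].add((e["source"], e["action"], e["target"]))
    return dict(base)


def detect(events: Iterable[dict], base: Baseline) -> List[dict]:
    """Return each event whose triple is outside its principal's baseline,
    annotated with the field(s) that deviated.  A principal with no baseline
    is flagged too: no expectations means nothing to compare against."""
    alerts = []
    for e in events:
        known = base.get(e["principal"])
        if known is None:
            alerts.append({**e, "reason": "principal has no baseline"})
            continue
        triple = (e["source"], e["action"], e["target"])
        if triple in known:
            continue
        reasons = []
        if e["source"] not in {k[0] for k in known}:
            reasons.append("new source")
        if e["action"] not in {k[1] for k in known}:
            reasons.append("new action")
        if e["target"] not in {k[2] for k in known}:
            reasons.append("new target")
        alerts.append({**e, "reason": ", ".join(reasons) or "new combination"})
    return alerts


# Constructed sample: a reviewed window in which svc_account_02 only ships
# logs from server-a to server-b, then a live window containing the pattern a
# leaked key produces (same principal, new origin IP, then a mail API call).
TRAINING = """
{"ts":"2023-05-01T00:00:00Z","principal":"svc_account_02","source":"server-a","action":"logs:PutLogEvents","target":"server-b"}
{"ts":"2023-05-01T01:00:00Z","principal":"svc_account_02","source":"server-a","action":"logs:PutLogEvents","target":"server-b"}
""".strip().splitlines()

LIVE = """
{"ts":"2023-05-02T00:00:00Z","principal":"svc_account_02","source":"server-a","action":"logs:PutLogEvents","target":"server-b"}
{"ts":"2023-05-02T00:05:00Z","principal":"svc_account_02","source":"203.0.113.7","action":"logs:PutLogEvents","target":"server-b"}
{"ts":"2023-05-02T00:06:00Z","principal":"svc_account_02","source":"server-a","action":"ses:SendEmail","target":"ses"}
{"ts":"2023-05-02T00:07:00Z","principal":"svc_account_09","source":"server-c","action":"logs:PutLogEvents","target":"server-b"}
""".strip().splitlines()


def run_sample() -> List[dict]:
    """Apply the live window against the baseline learned from training."""
    return detect(parse_lines(LIVE), learn_baseline(parse_lines(TRAINING)))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts']} {a['principal']} from {a['source']} "
              f"{a['action']} -> {a['target']}: {a['reason']}")
```

The legitimate first live event produces nothing; the next two fire on the single-purpose account with a precise reason, and the unknown principal fires because it was never baselined. In production the triples would come from whatever records credential use (cloud audit logs, SSH auth logs, proxy logs), and the baseline window must be reviewed before it is trusted, or an already-compromised key teaches the detector that abuse is normal.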

Teri Robinson
