Legion: Credential Harvester
April 14th, 2023
A new hacking tool called ‘Legion’ is now being sold on Telegram. The seller, under the username “Forza Tools”, even operates a YouTube channel with tutorials on deploying it to harvest credentials such as usernames and passwords.
Legion targets multiple Content Management Systems (CMS), such as WordPress, to steal credentials for a variety of services including Twilio, Nexmo, Stripe/Paypal, the Amazon Web Services (AWS) console, and Mailgun. Legion can also create administrator users with full administrative access to all AWS services and send spam SMS to customers of U.S. mobile phone carriers.
Legion is modular malware that is likely based on an existing malware framework. Its plugins enumerate SMTP servers, execute code remotely, exploit vulnerable Apache web servers, brute-force cPanel and WebHost Manager accounts, and leverage existing security audit tools such as Shodan to run malicious campaigns for the operator.
Acreto Solution
Isolate the Internet and Internal Attack Surface
Acreto’s ecosystem can reduce the Internet attack surface and limit exposure to potential attacks by leveraging Micro-Segmentation and Nano-Segmentation. Using these segmentation methods, individual systems, groups of systems, or entire networks can be isolated on a shared network, limiting access to only the systems that need to interoperate.
Data Leak Prevention
Acreto’s Data Leak Prevention measures can prevent sensitive data from being leaked, which helps protect against Legion’s potential data exfiltration attempts, through controls such as:
- Credit card upload / download controls
- Social Security Number upload / download controls
- RegEx pattern upload / download controls
Access Control
Acreto’s access controls authorize access to the Ecosystem based on a user’s identity, including MFA. With MFA in place, even if a user’s credentials are compromised, the attacker cannot reach the target resource without the additional authentication factor.
Encrypted Secure Scan
Secure Scan addresses a key weakness in many security tools today: 90%+ of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Secure Scan decrypts, scans, and re-encrypts communications. Any malicious content embedded in the encrypted payload is blocked; otherwise, the clean and validated communication is delivered to its final destination.
Threat Prevention
After verification of the network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by Acreto’s inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:
- Threat Signature: Identifies and mitigates known exploits, malware, botnets and ransomware.
- Zero-Day Behavioral Analysis: Looks for behavioral indications of threats based on how system functions react to the payload, immediately and over time.
Technical Data
- Legion is modular malware that is likely based on the AndroxGh0st malware and features modules to perform SMTP server enumeration, remote code execution, exploit vulnerable Apache versions, brute-force cPanel and WebHost Manager accounts, interact with Shodan’s API, and abuse AWS services.
- Legion targets many services for credential theft, including Twilio, Nexmo, Stripe/Paypal (payment API function), AWS console credentials, AWS SNS-, S3- and SES-specific credentials, Mailgun, and database/CMS platforms.
- Legion targets unsecured web servers running content management systems (CMS) and PHP-based frameworks like Laravel, using RegEx patterns to search for files commonly known to hold secrets, authentication tokens, and API keys.
- Legion uses an array of methods to retrieve credentials from misconfigured web servers, such as targeting environment variable files (.env) and configuration files that might contain SMTP, AWS console, Mailgun, Twilio, and Nexmo credentials.
- If Legion captures valid AWS credentials, it attempts to create an IAM user named “ses_legion” and sets the policy to give it administrator rights, giving the rogue user full access to all AWS services and resources.
- Legion can also send SMS spam by leveraging stolen SMTP credentials after generating a list of phone numbers with area codes retrieved from online services. The carriers supported by the malware include AT&T, Sprint, US Cellular, T-Mobile, Cricket, Verizon, Virgin, SunCom, Alltel, Cingular, VoiceStream, and more.
- Legion can exploit known PHP vulnerabilities to register a webshell on the targeted endpoint or perform remote code execution to give the attacker full access to the server.
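The IAM persistence step above (a “ses_legion” user granted administrator rights) leaves a clear trail in AWS CloudTrail. The following detection is an added example, not Acreto’s code or anything from the Legion tooling: it assumes the rights are granted by attaching the AdministratorAccess managed policy or by an inline policy allowing `*` on `*` (the page does not say which), and runs over constructed sample records rather than real telemetry.

```python
"""Flag the IAM persistence pattern attributed to Legion in CloudTrail records."""
import json

ROGUE_USER_NAMES = {"ses_legion"}  # user name reported on this page
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"  # assumed grant path


def grants_admin(params: dict) -> bool:
    """True when the call attaches AdministratorAccess or an inline Allow */* policy."""
    if params.get("policyArn") == ADMIN_POLICY_ARN:
        return True
    try:
        stmts = json.loads(params.get("policyDocument") or "{}").get("Statement", [])
    except ValueError:  # malformed or non-JSON policyDocument: treat as not admin
        return False
    for st in [stmts] if isinstance(stmts, dict) else stmts:
        acts, res = st.get("Action", []), st.get("Resource", [])
        acts = [acts] if isinstance(acts, str) else acts
        res = [res] if isinstance(res, str) else res
        if st.get("Effect") == "Allow" and "*" in acts and "*" in res:
            return True
    return False


def detect_legion_iam_abuse(events: list) -> list:
    """Return (alert, userName, sourceIP) tuples for suspicious IAM events."""
    alerts = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        user, name = params.get("userName", ""), ev.get("eventName")
        if name == "CreateUser" and user in ROGUE_USER_NAMES:
            alerts.append(("rogue_user_created", user, ev.get("sourceIPAddress")))
        elif name in ("AttachUserPolicy", "PutUserPolicy") and grants_admin(params):
            tag = "admin_granted_to_rogue_user" if user in ROGUE_USER_NAMES else "admin_granted"
            alerts.append((tag, user, ev.get("sourceIPAddress")))
    return alerts


# Constructed sample records (not real telemetry), shaped like CloudTrail IAM events.
SAMPLE_EVENTS = [
    {"eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "ses_legion"}},
    {"eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "ses_legion", "policyArn": ADMIN_POLICY_ARN}},
    {"eventName": "PutUserPolicy", "sourceIPAddress": "198.51.100.5",  # benign, read-only
     "requestParameters": {"userName": "deploy-bot", "policyName": "ro", "policyDocument":
                           json.dumps({"Statement": {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}})}},
]

if __name__ == "__main__":
    for alert in detect_legion_iam_abuse(SAMPLE_EVENTS):
        print(alert)
```

The generic `admin_granted` tag also fires for admin grants to any other user name, since an operator can trivially rename the account; the rogue-name match only raises the priority.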
About Acreto
Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.