
Digital safety starts here for both commercial and personal Use...

Defend Your Business Against the Latest WNY Cyber Threats. We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do charge or collect any fees.

New Python-based FBot Hacking Toolkit Aims at Cloud and SaaS Platforms

Summary:
A Python-based hacking tool named FBot has emerged, targeting various online platforms including web servers, cloud services, CMS, and SaaS. FBot, distinct from similar tools, aims to compromise cloud and SaaS services by harvesting credentials for resale. It possesses features like AWS account hijacking, PayPal attacks, and API key generation. Notably, FBot is linked to Legion but differs from AndroxGh0st. Its functionality extends to IP generation, reverse IP scanning, PayPal API requests, AWS SES email details, EC2 service quotas, Twilio account specifics, and Laravel credential extraction.

Security Officer Comments:
SentinelOne uncovered FBot samples spanning from July 2022 to the present month, indicating active usage in the wild. The nature of its distribution remains unclear, with indications suggesting private development work and potential distribution through smaller-scale operations. This aligns with the trend of cloud attack tools being customized “private bots” tailored for individual buyers, similar to the theme observed in AlienFox builds.

Suggested Corrections:
Researchers at SentinelOne Labs recommend that organizations enable multi-factor authentication (MFA) for AWS services with programmatic access. They also recommend creating alerts that notify security operations teams when a new AWS user account is added to the organization, as well as alerts for new identities added or major configuration changes to SaaS bulk mailing applications where possible.

IOCs:
https://www.sentinelone.com/labs/ex..malware-targeting-cloud-and-payment-services/

Link(s):
https://thehackernews.com/2024/01/new-python-based-fbot-hacking-toolkit.html