New Research Discovers Updated Version of Legion Malware
Cado Security has released an update on Legion, the AWS credential harvester and SMTP hijacker that Cado Labs researchers first documented last month. Matt Muir, Threat Intelligence Researcher at Cado Security, presents fresh findings on how the Python-based hacktool, which remains under active development and targets vulnerable web applications, has significantly broadened its scope since the original report.
Legion can now attempt to compromise SSH servers, and it has gained additional routines for retrieving AWS-specific credentials from the environment configuration of Laravel web applications. Each iteration sharpens Legion's focus on cloud services.
A key change in this version is SSH support. In the previous sample, the code for attacking SSH servers with the Python library Paramiko was commented out; it has now been uncommented and is operational. Since Paramiko is a standard SSH client library, this capability amounts to authenticating against servers with guessed or harvested credentials rather than exploiting a vulnerability in the SSH daemon, so the observable signal is a burst of failed logins from one source, possibly followed by a success.
Researchers also found that the updated Legion's credential harvesting has grown, with a stronger focus on cloud services: in addition to the secrets it already collected, the malware now searches for credentials belonging to DynamoDB, Amazon CloudWatch and AWS Owl.
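The following is an added detection example, not code from Cado's report or from Legion itself. It parses a handful of constructed sshd log lines (hostname, timestamps, IPs and usernames are all invented) and flags a source IP that fails password authentication many times against several usernames inside a short window, which is the pattern a Paramiko-driven login sweep leaves in auth logs. The thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format (no year field; year assumed below).
SAMPLE_AUTH_LOG = """\
May 24 09:00:01 web1 sshd[4101]: Failed password for root from 203.0.113.10 port 51022 ssh2
May 24 09:00:02 web1 sshd[4102]: Failed password for invalid user admin from 203.0.113.10 port 51023 ssh2
May 24 09:00:03 web1 sshd[4103]: Failed password for invalid user ubuntu from 203.0.113.10 port 51024 ssh2
May 24 09:00:04 web1 sshd[4104]: Failed password for invalid user deploy from 203.0.113.10 port 51025 ssh2
May 24 09:00:05 web1 sshd[4105]: Failed password for root from 203.0.113.10 port 51026 ssh2
May 24 09:00:07 web1 sshd[4106]: Accepted password for deploy from 203.0.113.10 port 51027 ssh2
May 24 09:05:00 web1 sshd[4200]: Failed password for alice from 198.51.100.7 port 40001 ssh2
May 24 09:20:00 web1 sshd[4300]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_auth_log(text, year=2023):
    """Turn raw sshd lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, window_seconds=60, min_failures=5, min_users=2):
    """Per source IP, find the densest window of failed logins (sliding window).

    A finding is raised when that window holds at least min_failures failures
    spread over at least min_users distinct usernames; it also records whether
    any accepted login from the same IP followed the burst (credential hit).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        best, best_users, window_end, start = 0, set(), None, 0
        for end in range(len(failures)):
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_users = {f["user"] for f in failures[start:end + 1]}
                window_end = failures[end]["ts"]
        if best >= min_failures and len(best_users) >= min_users:
            later_success = [e for e in evs if e["result"] == "Accepted" and e["ts"] >= window_end]
            findings.append({
                "ip": ip,
                "failures": best,
                "users": sorted(best_users),
                "success_after_burst": later_success[0]["user"] if later_success else None,
            })
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f)
```

On the constructed sample, 203.0.113.10 produces one finding (five failures across four usernames in four seconds, then an accepted password login as "deploy"), while the single failure from 198.51.100.7 followed by a key-based login stays below threshold. The "success after burst" field is the one to escalate first.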
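As an added example (not code from Cado or from Legion), the audit helper below parses a Laravel-style .env file the way a harvester would have to (comments, `export` prefixes, quoted values, values containing `=`) and reports which entries hold cloud or mail secrets of the kind Legion collects, tagging values that have the shape of an AWS access key ID. The sample .env content is constructed; the AWS values are the example credentials from AWS's own documentation, not live keys. The service-prefix mapping is an assumption chosen for illustration.

```python
import re

# Constructed Laravel-style .env content; every value is fake or an AWS documentation example.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
# database settings
DB_PASSWORD="s3cret"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_DEFAULT_REGION=us-east-1
DYNAMODB_TABLE=orders
CLOUDWATCH_LOG_GROUP=/app/prod
MAIL_HOST=smtp.example.com
MAIL_USERNAME=mailer
MAIL_PASSWORD='mailpw'
export SES_KEY=AKIAEXAMPLEEXAMPLE00
"""

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary) plus 16 [A-Z0-9].
AWS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

# Assumed key-name patterns for the services of interest; first match wins.
SERVICE_PATTERNS = [
    ("dynamodb", re.compile(r"DYNAMODB")),
    ("cloudwatch", re.compile(r"CLOUDWATCH")),
    ("ses", re.compile(r"^SES_")),
    ("aws-core", re.compile(r"^AWS_")),
    ("smtp", re.compile(r"^MAIL_")),
    ("database", re.compile(r"^DB_")),
]
SECRET_MARKERS = ("SECRET", "PASSWORD", "KEY", "TOKEN")


def parse_env(text):
    """Parse dotenv syntax into a dict: skips comments/blank lines, strips 'export ',
    splits on the first '=', and removes one layer of matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def redact(value):
    """Keep a short prefix only for long values so the report itself leaks nothing useful."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 8 else "*" * len(value)


def audit_env(env):
    """Return the entries a credential harvester would value: service-tagged keys whose
    name marks them as secrets, or whose value looks like an AWS access key ID."""
    findings = []
    for key, value in env.items():
        service = next((name for name, pat in SERVICE_PATTERNS if pat.search(key)), None)
        if service is None:
            continue
        is_secret = any(marker in key for marker in SECRET_MARKERS)
        looks_like_key_id = bool(AWS_KEY_ID_RE.match(value))
        if is_secret or looks_like_key_id:
            findings.append({"key": key, "service": service,
                             "aws_key_id": looks_like_key_id, "redacted": redact(value)})
    return findings


if __name__ == "__main__":
    for finding in audit_env(parse_env(SAMPLE_ENV)):
        print(finding)
```

Run against the sample it reports the database, SMTP, SES and core AWS secrets and marks two values as access key IDs; the region, table and log-group names are tagged to a service but are not secrets and so are not listed. If an audit like this finds real keys in a .env that the web server can serve, rotate them and block dotfile access at the web tier before anything else.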
You can read the update here.
This entry was posted on May 24, 2023 at 9:00 am and is filed under Commentary with tags Cado Security.