SentinelOne Comes Across A New Python-Based Hacking Tool Known As FBot

Posted in Commentary with tags SentinelOne on January 13, 2024 by itnerd

There’s new research by SentinelOne about a Python-based hacking tool known as FBot, capable of credential harvesting for spamming attacks and of AWS, PayPal and SaaS account hijacking:
FBot is unique in that it does not apparently adapt the Androxgh0st code so common among similar hacktools, though the earliest reference to FBot is one year more recent than the first sighting of Androxgh0st. However, there are several connections to the Legion cloud infostealer, making it likely the Legion maintainer adapted code from FBot into their tool.
FBot is primarily designed for actors to hijack cloud, SaaS, and web services. There is a secondary focus on obtaining accounts to conduct spamming attacks. Actors can use the credential harvesting features to obtain initial access, which they can sell to other parties.
The tool contains assorted utilities, including an IP address generator and port scanner. There is also an email validator function, which uses an Indonesian technology service provider to validate email addresses.
Ken Westin, Field CISO at Panther Labs, had this comment:
Many organizations rely on the vendors to provide security for their cloud platforms and often do not have full visibility into what is happening in their cloud environments. We will continue to see threat groups focus on attacking cloud applications and services, as this is where most corporate data resides; these tools will continue to evolve in maturity and leverage APIs to compromise cloud assets.
The fact that “the cloud” is still a bit of a black box, where you have to trust the provider, is a problem. Unless there’s full transparency about what goes on behind the curtain, threats like these will continue to exist and to affect end customers.