Latest Legion credential harvester targets AWS and SSH servers

June 1, 2023

Legion, the Python-based credential harvester first reported last month, has widened its scope and gained new features aimed at cloud services. The updated variant can target credentials tied to Laravel web applications and SSH servers, and its developers have finished modules that were incomplete in the previous version.

According to the reports, the malware steals credentials from poorly configured web servers running PHP frameworks such as Laravel. To do so, it searches the compromised host for environment-variable (.env) files at the default paths where such frameworks keep them. The upgraded version adds several new paths to this search, such as /cron/.env and /lib/.env.

The malware then saves any environment file that a misconfiguration has left publicly accessible. Recent samples also attempt to recover credentials for AWS Owl, Amazon CloudWatch, and DynamoDB.

The new variant has also retained the capabilities of the previous one, such as stealing credentials for numerous SMTP services and for payment platforms, databases, email providers, server management systems, and cloud service providers.

The Legion credential harvester can also execute techniques to compromise SSH servers.

A new analysis of Legion revealed capabilities that target SSH servers. The investigation showed that the harvester uses the Paramiko library to work through the exfiltrated database credentials and extract username and password pairs.

The operators can then use these credentials to log in to the host over SSH. The researchers noted that this functionality was present in the previous variant but did not work; in the latest version it is functional.

Currently, Legion relies on server misconfigurations as its primary means of gaining access to web servers, so administrators should regularly audit the resources they expose to the internet. Environment files should not be kept under default variable names or at default paths. Lastly, experts advise putting a guardrail in place to monitor exposed privileged ports.
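The audit advice above can be turned into a routine check. The script below is an added example, not code from the article or from the Legion samples it describes: it probes a web host you administer for publicly served .env files and reports which variable names (never the values) look like credentials. The two paths taken from the article are /cron/.env and /lib/.env; the remaining paths and the list of credential-like key hints are assumptions. The fetcher is injectable so the detection logic can be exercised offline against constructed responses.

```python
"""Audit a web host you administer for publicly reachable .env files.

Added example, not code from the article or from the Legion malware.
Paths: /cron/.env and /lib/.env come from the article; the others and the
SENSITIVE_KEY_HINTS list are assumptions. The fetcher is injectable so the
logic can run offline against constructed responses.
"""
import re
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Default locations to check (assumed, apart from the two the article names).
DEFAULT_ENV_PATHS: List[str] = [
    "/.env",
    "/cron/.env",    # named in the article
    "/lib/.env",     # named in the article
    "/app/.env",     # assumed
    "/backup/.env",  # assumed
]

# One dotenv line: optional "export", an identifier, "=", anything.
_ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Substrings of variable names that usually denote a live credential (assumed list).
SENSITIVE_KEY_HINTS = ("PASSWORD", "SECRET", "KEY", "TOKEN", "DSN")


def looks_like_env_file(body: str) -> bool:
    """Return True when the body parses as dotenv content.

    Requires at least two KEY=VALUE lines and no HTML, so a friendly 404 page
    or a login redirect is not mistaken for a leak.
    """
    lowered = body.lower()
    if "<html" in lowered or "<!doctype" in lowered:
        return False
    kv_lines = 0
    for line in body.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are allowed in dotenv files
        if not _ENV_LINE.match(stripped):
            return False  # any other kind of line means this is not a dotenv file
        kv_lines += 1
    return kv_lines >= 2


def sensitive_keys(body: str) -> List[str]:
    """Names (never values) of variables whose key hints at a credential."""
    found: List[str] = []
    for line in body.splitlines():
        m = _ENV_LINE.match(line.strip())
        if m and any(hint in m.group(1).upper() for hint in SENSITIVE_KEY_HINTS):
            found.append(m.group(1))
    return found


Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Default fetcher: GET the URL and return (status, body) without raising on 4xx/5xx."""
    req = Request(url, headers={"User-Agent": "env-exposure-audit/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except URLError:
        return 0, ""


def audit_env_exposure(base_url: str,
                       paths: List[str] = DEFAULT_ENV_PATHS,
                       fetch: Fetcher = http_fetch) -> Dict[str, List[str]]:
    """Return {path: [credential-like key names]} for each path serving dotenv content.

    Only key names are reported so the audit output does not itself become a
    copy of the leaked secrets. An empty dict means nothing was exposed.
    """
    exposed: Dict[str, List[str]] = {}
    for path in paths:
        status, body = fetch(base_url.rstrip("/") + path)
        if status == 200 and looks_like_env_file(body):
            exposed[path] = sensitive_keys(body)
    return exposed


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    for exposed_path, keys in audit_env_exposure(target).items():
        print(f"EXPOSED {exposed_path}: {', '.join(keys) or '(no credential-like keys)'}")
```

Run it against your own host (`python audit_env.py https://app.example`); any line of output means the web server is handing out a dotenv file and the fix belongs in the server configuration (deny dotfiles under the document root) and in rotating whatever the file contained.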
