Mar 13, 2024The Hacker NewsSaaS Security / Webinar

Identities are the latest sweet spot for cybercriminals, now heavily targeting SaaS applications that are especially vulnerable in this attack vector.

The use of SaaS applications involves a wide range of identities, including human and non-human, such as service accounts, API keys, and OAuth authorizations. Consequently, any identity in a SaaS app can create an opening for cybercriminals to compromise, leading to data breaches, compliance violations, and financial losses.

Many safeguards have been developed to better protect human identities, including multi-factor identification and single sign-on (SSO). These measures can protect enterprises against attacks using stolen credentials, such as password sprays.

Protecting non-human identities is more challenging, as MFA and SSO are usually not feasible with accounts that are not associated with any individual employee. Non-human accounts are also more sensitive since they come with the high privileges needed for integration activities. Cybersecurity for non-human entities requires different tactics, including monitoring tools to detect abnormal behavior indicative of different types of suspicious activity.

Despite the risks, the activity of non-human accounts is often overlooked. For non-human identities, advanced methods such as automated security checks must be deployed to detect unusual activity. Tools such as ITDR provide a defensive layer to help boost identity fabric to protect enterprises from attacks.

Join an informative webinar with Maor Bin, CEO and co-founder of Adaptive Shield, where he will dive into the identity risks in SaaS applications, and explain how to defend the SaaS environment through a strong identity security posture.

Topics to be covered during the webinar:

• The new attack surface: Discover how identities, including human users, service accounts, and API keys, are being exploited by cybercriminals.
• Identity-centric threats: Understand the unique risks posed by compromised identities within your SaaS environment.
• Managing Identities: Learn how to detect Identity threats through SSPM and ITDR

Register for this free webinar today and gain the insights you need to protect your organization from evolving cyber threats.

Jan 11, 2024NewsroomCloud Security / Cyber Attacks

A new Python-based hacking tool called FBot has been uncovered targeting web servers, cloud services, content management systems (CMS), and SaaS platforms such as Amazon Web Services (AWS), Microsoft 365, PayPal, Sendgrid, and Twilio.

“Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable attacks against PayPal and various SaaS accounts,” SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.

FBot is the latest addition to the list of cloud hacking tools like AlienFox, GreenBot (aka Maintance), Legion, and Predator, the latter four of which share code-level overlaps with AndroxGh0st.

SentinelOne described FBot as “related but distinct from these families,” owing to the fact that it does not reference any source code from AndroxGh0st, although it exhibits similarities with Legion, which first came to light last year.

The end goal of the tool is to hijack cloud, SaaS, and web services as well as harvest credentials to obtain initial access and monetize it by selling the access to other actors.

FBot, in addition to generating API keys for AWS and Sendgrid, packs an assortment of features to generate random IP addresses, run reverse IP scanners, and even validate PayPal accounts and the email addresses associated with those accounts.

“The script initiates the Paypal API request via the website hxxps://www.robertkalinkin.com/index.php, which is a Lithuanian fashion designer’s retail sales website,” Delamotte noted. “Interestingly, all identified FBot samples use this website to authenticate the Paypal API requests, and several Legion Stealer samples do as well.”

On top of that, FBot packs in AWS-specific features to check for AWS Simple Email Service (SES) email configuration details and determine the targeted account’s EC2 service quotas. The Twilio-related functionality, likewise, is utilized to gather specifics about the account, namely the balance, currency, and phone numbers connected to the account.

The features don’t end there, for the malware is also capable of extracting credentials from Laravel environment files.

The cybersecurity firm said it uncovered samples starting from July 2022 to as recently as this month, suggesting that it is being actively used in the wild. That said, it’s currently not known if the tool is actively maintained and how it’s distributed to other players.

“We found indications that FBot is the product of private development work, so contemporary builds may be distributed through a smaller scale operation,” Delamotte said.

“This aligns with the theme of cloud attack tools being bespoke ‘private bots’ tailored for the individual buyer, which is a theme prevalent among AlienFox builds.”