A commercial malware tool called Legion that hackers deploy on compromised web servers has recently been updated to extract credentials for additional cloud services to authenticate over SSH. The main goal of this Python-based script is to harvest credentials stored in configuration files for email providers, cloud service providers, server management systems, databases, and payment systems. These hijacked resources enable the attackers to launch email and SMS spam campaigns.
“This recent update demonstrates a widening of scope, with new capabilities such the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications,” researchers from cloud forensics and incident response firm Cado Security said in a new report. “It’s clear that the developer’s targeting of cloud services is advancing with each iteration.”
To read this article in full, please click here