Researchers at Cado Labs discovered a new Python-based hacking tool called Legion being distributed on Telegram. Known for its low detection rate on VirusTotal, this modular tool can be utilized by cybercriminals to hack into online services.
The Legion hacking tool targets and exfiltrates data from insecure web servers. It uses a scraping tool to search SHODAN for misconfigured cloud servers and vulnerable SMTP servers. Once identified, Legion can compromise these servers and use them for further attacks like phishing and spam campaigns.
Note that Legion is not exploiting newly discovered vulnerabilities. The tool focuses its attack vector against known vulnerabilities and host misconfigurations.
What Happened?
Legion threat actors performed various malicious activities, including server enumeration, remote code execution, exploitation of memory-related vulnerabilities, brute-forcing accounts, interacting with search engines, abusing AWS services, creating admin users, implanting webshells, and sending spam SMS messages targeting US customers.
“The malware scans for and extracts Laravel application secrets from exposed user environment variables (.env) files. It targets various services for credential theft, including payment API functions, AWS console credentials (specifically SNS, S3, and SES), Mailgun, and database/CMS platforms.”
The malware has impacted carriers such as AT&T, Sprint, and T-Mobile.
The Source of The Legion Hacking Tool
Little is known about the Legion malware, but its creators are believed to have borrowed and enhanced features from AndroxGh0st and AlienFox. The Legion tool uses open-source tools to find vulnerabilities and to execute email phishing or spam attacks. These phishing emails became the method used to gain access to target networks.
The researchers have yet to identify the definitive source of Legion. However, security researchers discovered several Indonesian-language comments on the YouTube channel suggesting the possible creator of the malware may be Indonesian. Additionally, references to a user with the handle “my13gion” in the Telegram Group have provided clues to its source.
Recommendations to Protect Your Organization
Organizations should actively review their security processes and make sure credentials are stored securely.
- If credentials are stored in a .env file, they should be kept in directories that are inaccessible from the web.
- The Legion hacking tool is ultimately a credential-harvesting tool and malware. Deploying cloud-based AI-enabled email security tools will help prevent phishing attacks and malware like Legion while reducing the organization’s attack surface.
- Organizations utilizing cloud providers like AWS and Microsoft Azure should review and audit their shared responsibility obligations outlined in the terms of use for those platforms to ensure proper configuration of their web servers to help prevent malware outbreaks.
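The scraping behaviour described above (requests for exposed .env files) and the recommendation to keep such files out of web-reachable directories both come down to one question a defender can answer from existing web server logs: is anyone probing for .env, and did the server ever actually serve it? The script below is an added example, not code from Cado Labs or from this post; it parses constructed access-log lines in the common Apache/nginx format, counts .env probes per source IP, and flags any probe that returned a 2xx status (meaning the secrets file was readable). The list of .env file-name variants beyond ".env" itself, the sample IP addresses, and the log lines are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Combined/common log format as written by default Apache and nginx configs.
# Only the fields needed here are captured; the trailing referer/user-agent
# fields are left unmatched.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# ".env" is the file named in the post; the other names are assumed backup /
# environment-specific variants of the same Laravel secrets file.
SECRET_FILES = (".env", ".env.bak", ".env.local", ".env.production", ".env.example")


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_env_probe(path):
    """True if the request path's final component is a .env-style secrets file."""
    base = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    return base in SECRET_FILES


def analyze(lines):
    """Summarise .env probing: probes per source IP, and paths served with 2xx.

    A 2xx on a .env path means the web server handed the file out, which is
    exactly the misconfiguration the recommendation above is meant to prevent.
    """
    probes = Counter()
    served = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_env_probe(rec["path"]):
            continue
        probes[rec["ip"]] += 1
        if rec["status"].startswith("2"):
            served[rec["ip"]].append(rec["path"])
    return {"probes": dict(probes), "served": dict(served)}


def alerts(lines):
    """Human-readable findings, most severe first (served secrets before probes)."""
    result = analyze(lines)
    out = []
    for ip, paths in result["served"].items():
        out.append(f"CRITICAL {ip} was served a secrets file: {', '.join(paths)}")
    for ip, n in sorted(result["probes"].items(), key=lambda kv: -kv[1]):
        out.append(f"WARN {ip} probed for .env files {n} time(s)")
    return out


# Constructed sample log lines (documentation IP ranges, fictitious timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.28.1"',
    '203.0.113.7 - - [12/Apr/2023:10:01:03 +0000] "GET /app/.env HTTP/1.1" 200 812 "-" "python-requests/2.28.1"',
    '203.0.113.7 - - [12/Apr/2023:10:01:04 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "python-requests/2.28.1"',
    '198.51.100.9 - - [12/Apr/2023:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Apr/2023:10:05:01 +0000] "GET /.env?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines. Any CRITICAL finding means the .env file was inside the document root at that time and its contents (database, mail and cloud credentials) should be treated as compromised and rotated; a WARN with no CRITICAL confirms the directory placement recommended above is holding.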
Credential theft continues to be a major cyber attack vector, as seen with the recent discovery of Legion. It’s crucial to regularly review and secure corporate data, especially credentials and user information.