Legion, a Python-based credential harvester discovered last month, has widened its attack scope with feature updates that target cloud services. An updated variant of the malware goes after credentials associated with Laravel web applications and SSH servers. Its developers have also completed modules that were left unfinished in the previous iteration.
Legion exploiting cloud services
According to the Cado Labs researchers, the malware steals the credentials from misconfigured web servers running PHP frameworks such as Laravel.
For this, it scans for the environment variable files (.env) on the default paths where these files reside on the infected machine. The updated variant includes several new paths to search for environment files, such as /lib/.env and /cron/.env.
If an environment file is publicly accessible because of a misconfiguration, the malware saves a copy of it.
In the latest samples, the malware attempts to retrieve credentials for three specific services: DynamoDB, Amazon CloudWatch, and AWS Owl.
The previous variant was already capable of stealing credentials from a large number of SMTP services, including email providers, payment platforms, databases, server management systems, and other cloud service providers.
Attack on SSH servers
The latest variant of Legion is further equipped with the ability to target SSH servers.
It uses the Paramiko library to parse the list of exfiltrated database credentials and obtain available pairs of usernames and passwords.
These sets of credentials are then used to log in to the host via SSH.
The code for this functionality was already present in the previous variant, but it was not working. The latest version has this functionality enabled.
Preventive measures
Legion relies on server misconfigurations as its main intrusion tactic for gaining access to web servers. A regular audit of the digital resources exposed to the internet can therefore help avoid such risks. Avoid using default paths and variable names when storing secrets in environment files. Further, put guardrails in place that monitor for any exposed privileged ports.
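As an added example (not code from the article or from Cado Labs), the following script turns the behaviour described above, probing default .env paths such as /lib/.env and /cron/.env, into a detection for defenders: it scans web server access logs in the combined log format, flags sources that request several dotenv paths, and separately reports any .env request that was answered with a 2xx status, which is the confirmed-exposure case an audit most needs to catch. The log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (hypothetical IPs from documentation ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2023:08:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.28"
203.0.113.10 - - [10/May/2023:08:01:03 +0000] "GET /lib/.env HTTP/1.1" 404 196 "-" "python-requests/2.28"
203.0.113.10 - - [10/May/2023:08:01:04 +0000] "GET /cron/.env HTTP/1.1" 200 512 "-" "python-requests/2.28"
198.51.100.7 - - [10/May/2023:08:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# A dotenv file in any directory, including variants like /.env.bak or /app/.env.production.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?$')

def is_env_probe(path):
    """True if the request path targets a dotenv file, regardless of directory."""
    return ENV_PATH_RE.search(path) is not None

def analyze(log_text, min_paths=2):
    """Return (scanners, served): scanners maps IP -> sorted list of distinct env
    paths it probed (only IPs with >= min_paths); served maps IP -> env paths the
    server actually answered with 2xx, i.e. confirmed secret exposure."""
    probed = defaultdict(set)
    served = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than failing the run
        path = m.group('path').split('?', 1)[0]  # drop any query string
        if not is_env_probe(path):
            continue
        ip = m.group('ip')
        probed[ip].add(path)
        if m.group('status').startswith('2'):
            served[ip].append(path)
    scanners = {ip: sorted(p) for ip, p in probed.items() if len(p) >= min_paths}
    return scanners, dict(served)

if __name__ == '__main__':
    scanners, served = analyze(SAMPLE_LOG)
    for ip, paths in scanners.items():
        print(f"env-file scan from {ip}: {paths}")
    for ip, paths in served.items():
        print(f"EXPOSED: {paths} served with 2xx to {ip}")
```

A 404 or 403 on these paths means the server is being probed; a 200 means the file, and the secrets in it, left the server and those credentials should be rotated.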