Legion Malware Expands Scope To Target AWS CloudWatch Monitoring Tool

Legion, a malware first reported on in April targeting 19 separate cloud services, has widened its scope to include the ability to compromise SSH servers and retrieve additional Amazon Web Service-specific credentials from Laravel web applications.

In a blog post May 24, Cado Security researchers said Legion targets misconfigured PHP web applications and attempts to exfiltrate credentials for cloud services. Legion has especially targeted AWS credentials in AWS CloudWatch, a monitoring and management service for AWS.

Matt Muir, threat intelligence researcher at Cado Security, explained that if the attackers are successful and dependent on the permissions granted to the entity in which the exfiltrated credentials are attached to, it could allow unauthorized access to AWS services and the AWS console.

“This could result in data theft, the account being used to deploy additional resources, or the account’s resources being used in mass spamming campaigns,” said Muir. “Naturally, this would be a serious situation for any cloud security professional to deal with.”

Muir said based on the Telegram distribution Cado Security researchers covered in its last blog on Legion, they believe this malware was developed by an individual in Indonesia. Muir said the malware has been developed with the intention to sell it to other attackers with a desire to exploit cloud services for spamming purposes.

“Legion is highly opportunistic and, from the samples we’ve analyzed, doesn’t appear to target specific industries,” said Muir. “It targets specific [cloud] misconfigurations and uses credentials retrieved from this process to gain unauthorized access to cloud and SMTP services.”

Legion’s latest updates, especially its targeting of AWS CloudWatch, represent a concerning evolution in the capabilities of this hacking tool, said Ani Chaudhuri, chief executive officer at Dasera. Chaudhuri said this development signifies a broadening of the cybercriminal’s scope: they are leveraging misconfigured web servers to steal credentials and expanding their reach to manipulate cloud services.

Chaudhuri explained that AWS CloudWatch operates as a monitoring service for cloud resources and applications. If hackers gain unauthorized access to it, they can interfere with operational insights, potentially leading to significant disruptions or even breaches.

“Security professionals should pay close attention to these developments,” said Chaudhuri. “As the digital landscape becomes increasingly complex, the threats we face evolve. The shift towards exploiting cloud services is particularly alarming, considering the rapid growth of businesses relying on cloud technologies for their operations. Unauthorized access to an organization’s AWS CloudWatch could lead to disruption of services, theft of sensitive data, and a compromise of the overall security posture. This could result in financial losses, damaged reputation, and regulatory penalties.”

Joseph Carson, chief security scientist and Advisory CISO at Delinea, added that as organizations move legacy applications and systems to cloud infrastructure, they still struggle with misconfigurations exposing cloud environments, making them easy targets for cybercriminals. 

“Identities and credentials are a top target, and when attackers find a common misconfiguration that many organizations repeat, it’s only a matter of time before they automate the discovery,” said Carson. “This is exactly what has happened with the recent updates to the cloud credentials harvesting tool known as Legion. Cloud has become even more popular for attackers looking for ways to exploit user identities and credentials, allowing them to find more ways to obtain unauthorized access to victims networks. It must be a top priority for organizations to be proactive and discover these misconfigurations before the attackers do.”

READ MORE HERE