"Legion Malware Upgraded to Target SSH Servers and AWS Credentials"

An updated version of the commodity malware known as Legion includes enhanced capabilities to compromise SSH servers and Amazon Web Services (AWS) credentials linked to DynamoDB and CloudWatch. Cado Labs researcher Matt Muir said the recent update demonstrates a broadening of scope, with new capabilities such as compromising SSH servers and retrieving additional AWS-specific credentials from Laravel web applications. The developer's targeting of cloud services improves with each release. Legion, a Python-based hacking tool, was first documented by the cloud security company in April, describing its ability to breach vulnerable SMTP servers and extract credentials. It is also known to exploit web servers operating Content Management Systems (CMS), use Telegram as a data exfiltration point, and use stolen SMTP credentials to send spam SMS messages to a list of dynamically-generated US mobile numbers. Legion's capability to exploit SSH servers using the Paramiko module is also a notable addition. It includes functionality to retrieve additional AWS-specific credentials for DynamoDB, CloudWatch, and AWS Owl from Laravel web applications. This article continues to discuss the updated Legion malware. 

THN reports "Legion Malware Upgraded to Target SSH Servers and AWS Credentials"