Legion: New hacktool steals credentials from misconfigured sites
Apart from extracting credentials and breaching web services, Legion can also create administrator users, implant webshells, and send out spam SMS to customers of U.S. carriers.
The tool uses an array of methods to retrieve credentials from misconfigured web servers, like targeting environment variable files and configuration files that might contain SMTP, AWS console, Mailgun, Twilio, and Nexmo credentials.
Regardless of how the credentials are obtained, Legion will use them to gain access to email services and send out spam or phishing emails.
If Legion captures valid AWS credentials, it attempts to create an IAM user named 'ses legion,' and sets the policy to give it administrator rights, giving the rogue user full access to all AWS services and resources.
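A defender-side check for the IAM behaviour described above, as an added example that is not from the original article or from the tool's authors: it scans CloudTrail management events for a user that is created and then given administrator rights. The sample records, access key IDs and helper names such as `find_rogue_admins` are constructed for illustration, and the user name is matched ignoring separators because the article prints it as 'ses legion'.

```python
import json
import re

ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
WATCHED_NAME = "ses legion"  # as the article prints it; matched ignoring separators
ALLOW_ALL = '{"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}'

def _norm(name):
    return re.sub(r"[^a-z0-9]", "", (name or "").lower())

def _as_list(v):
    return v if isinstance(v, list) else [v]

def grants_admin(event):
    p = event.get("requestParameters") or {}
    if event.get("eventName") == "AttachUserPolicy":
        return p.get("policyArn") == ADMIN_ARN
    if event.get("eventName") == "PutUserPolicy":  # inline policy, assumed JSON string
        stmts = _as_list(json.loads(p.get("policyDocument") or "{}").get("Statement", []))
        return any(s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action"))
                   and "*" in _as_list(s.get("Resource")) for s in stmts)
    return False

def find_rogue_admins(events):
    """Flag users that were created and later given administrator rights."""
    created, findings = {}, []
    for e in sorted(events, key=lambda e: e["eventTime"]):
        if e.get("errorCode"):
            continue  # failed API calls changed nothing
        user = (e.get("requestParameters") or {}).get("userName")
        key = (e.get("userIdentity") or {}).get("accessKeyId")
        if e.get("eventName") == "CreateUser":
            created[user] = key  # remember which access key created the user
        elif user in created and grants_admin(e):
            findings.append({"user": user, "time": e["eventTime"], "creator_key": created[user],
                             "name_match": _norm(user) == _norm(WATCHED_NAME)})
    return findings

def _ev(t, name, key, **params):  # builds one constructed CloudTrail-style record
    return {"eventTime": t, "eventName": name,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}

SAMPLE = [  # constructed records, not from any real account
    _ev("2023-04-01T09:00:00Z", "CreateUser", "AKIAEXAMPLE2", userName="ci"),
    _ev("2023-04-01T09:01:00Z", "AttachUserPolicy", "AKIAEXAMPLE2", userName="ci", policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
    _ev("2023-04-01T10:00:00Z", "CreateUser", "AKIAEXAMPLE1", userName="ses_legion"),
    _ev("2023-04-01T10:00:05Z", "AttachUserPolicy", "AKIAEXAMPLE1", userName="ses_legion", policyArn=ADMIN_ARN),
    _ev("2023-04-01T11:00:00Z", "CreateUser", "AKIAEXAMPLE2", userName="ops-temp"),
    _ev("2023-04-01T11:02:00Z", "PutUserPolicy", "AKIAEXAMPLE2", userName="ops-temp", policyDocument=ALLOW_ALL),
]
```

The `creator_key` in each finding is the access key to rotate and investigate first, since it is the credential that made the `CreateUser` call.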
Legion can also send SMS spam by leveraging stolen SMTP credentials after generating a list of phone numbers with area codes retrieved from online services.
In conclusion, Legion is an all-purpose credential harvester and hacking tool gaining traction in the world of cybercrime, increasing the risk for poorly managed and misconfigured web servers.