What is FBot?

Author: MSPAA

FBot is a new Python-based hacking tool in town, stirring up concerns for web servers and a range of Software-as-a-Service (SaaS) technologies such as PayPal and Microsoft Office 365. Unlike other hacking tools, FBot does not use the popular Androxgh0st code. However, it does share similar traits and capabilities with the Legion cloud infostealer.

FBot is primarily a tool of choice for threat actors looking to hijack web services, SaaS, and cloud technologies, and gain unauthorized access to accounts for spamming purposes. The credential harvesting feature within FBot can be used by malevolent actors to gain initial access to systems and then sell this access to other malicious entities.

Balazs Greksza, a respected threat response lead at Ontinue, explains that FBot is essentially a sophisticated collection of scripts, running around 200 KB or 4,000 lines of Python code, with 22 distinct options at their disposal. A notable feature is the “port_scanner” that checks for 7 HTTP headers and utilizes publicly accessible data or breached access keys.

However, Amazon Web Services (AWS) security teams can alleviate their concerns if they stick to recommended practices such as identity and access management, avoiding the use of AWS root users, multi-factor authentication, and monitoring of new identities.

To protect your systems from Python-based hacking tools similar to FBot, it is advisable to enable MFA for sensitive transactions, conduct regular credential audits, train your employees on security awareness, and implement strict access control policies, among others. Find an MSP to help.

In other news, the Cybersecurity and Infrastructure Security Agency has highlighted continued intrusions exploiting a patched privilege escalation flaw in Microsoft SharePoint, designated as CVE-2023-29357. Raptor Technologies, a school software provider, has also made headlines with the exposure of over 4 million sensitive school records due to unprotected web buckets. In addition, vulnerabilities in Ivanti’s Connect Secure VPN devices have also been discovered, which can be exploited by threat actors to execute arbitrary commands on the system.