norm. threat bulletin: 19th April 2023

Norm threat bulletin

The Telegram phishing market

In recent years, the online messaging app Telegram has been gaining popularity with users as a fast and secure alternative to apps such as Facebook Messenger and WhatsApp. This rise in popularity has also been affected by cyber-criminals who have already sunk their hooks into the platform for nefarious usage. Cyber-criminals have not just used Telegram as a platform to perform their attacks, they have also used it to sell their services and phishing kits to anyone who is willing to pay. To promote their services, attackers create channels on Telegram in which they educate users on how to use the services they’re providing, and these channels are advertised on various social network platforms such as Reddit and YouTube.

Automated phishing via Telegram bots

Telegram bots are commonly used by businesses in customer support functions and for business related FAQs, but bad actors make use of Telegram bot accounts to generate phishing pages and harvest user data. Phishing campaign operators allow cyber criminals to configure phishing kits via Telegram bots including language and target service. Criminals then distribute the list of generated phishing links provided by the bot and any harvested credentials are relayed to the criminal by, you guessed it, another Telegram bot. Telegram provides the complete platform to enable underground criminal markets to sell and distribute malware and leaked user data, which falls in line with recent trends of malware as a service (MaaS).

Along with free services provided by scammers, Telegram channels are used to advertise and sell “premium” phishing kits and pages which provide more features than those offered for free. These features can include elements of social engineering, anti-detection systems and promises of prizes or money to entice a user to pursue further. These types of kits come at a price, which could be as low as $10 per page up to $300 for a fully functioning phishing site.

Another paid service that attackers advertise using these Telegram channels is user data that has already been obtained. This data could include the details used to log into a user’s bank account with full access to the account and all the funds found within it, and the attacker will usually sell it on for a certain price depending on how much is in the account (e.g. an account with $1400 could be sold for just $110).

The Cyber Safety and Phishing module from norm. can educate users on how to spot a malicious email with simulated phishing emails putting this to the test.


The Telegram phishing market

Researchers Uncover Thriving Phishing Kit Market on Telegram Channels

Sophos command injection vulnerability

Sophos have resolved several security vulnerabilities with the release of Sophos Web Appliance (SWA) SWA is a hardware appliance directly connected to your network that acts as a traffic gateway to block access to malicious content while scanning inbound traffic simultaneously, all via a browser-based dashboard.

Sophos’ bug bounty program had an external security researcher responsibly disclose a pre-auth command injection vulnerability in the warn-proceed handler allowing execution of arbitrary code. CVE-2023-1671 has a critical severity rating of 9.8 and is present in SWA and below.

Sophos have also patched two further CVEs with this latest update both were also responsibly reported via their bug bounty program. The first, CVE-2022-4934, is a post-auth command injection vulnerability in the exception wizard allowing administrators to execute arbitrary code.

The second is a reflection XSS via POST vulnerability in report scheduler allowing execution of JavaScript code in the victim browser. The victim must be tricked into submitting a malicious form on an attacker-controlled website while logged in to the SWA for the attack to succeed. CVE-2020-36692 has a medium severity rating 5.4.


Make sure you have the latest version of Sophos Web Appliance (SWA) Sophos provides direct and automated updates for these security advisories. Finally, ensure that your SWA devices are protected by a firewall and cannot be accessed via the public internet.

Sophos Web Appliance will be going end of life on 20th July 2023 which means updates will no longer be provided. Please consider this date when planning infrastructure upgrades.

By utilising norm.‘s Vulnerability Patch Management module, customers can ensure they are protected against vulnerabilities disclosed via vendor bug bounty programs.


Sophos Web Appliance Resolves Security Vulnerabilities | Sophos

NVD – CVE-2023-1671 (

NVD – CVE-2022-4934 (

NVD – CVE-2020-36692 (

Is LockBit coming for MacOS?

LockBit is a notorious ransomware group responsible for crippling Royal Mail’s international operations not too long ago, and for the more notable attack on the NHS 111 service in 2022.

Lockbit’s operations are business-like, utilising criminal (or customer, depending on how you see it) feedback for service improvements, rolling out regular updates for their ransomware configuration software, hiring talented hackers, and adopting an affiliate scheme to build an extremely vast group [1]. LockBit also offers customer support via live chat services to negotiate or ask questions about paying up ransoms. Companies that are compromised with LockBit are named and shamed via Lockbit’s data leak site as another layer of extortion and ransom blackmail.

MalwareHunterTeam (@malwrhunterteam) tweeted details of a potential LockBit ransomware sample targeting Apple devices for the first time. Patrick Wardle (@patrickwardle) took a dive into the malware [1] knowing that LockBit have only ever released ransomware for Windows, Linux, and VMWare ESXi in the past. Analysis of this macOS LockBit sample confirms that this has been developed for Linux-based systems and compiled for macOS but originally ported from LockBit’s existing ransomware for Windows. Only ARM64 based macOS devices are affected as of the writing of this bulletin, but this could change to include Intel-based Apple devices too.

This has potential to be a pivotal turning point for LockBit as they could be spreading out even further by targeting Apple-based products.

By utilising norm.’s Threat Detection & Response service your network and endpoints are monitored around the clock for the deployment and detonation of ransomware.


[1]  The Unrelenting Menace of the LockBit Ransomware Gang | WIRED

[2] Objective-See’s Blog – The LockBit ransomware (kinda) comes for macOS

Legion & AlienFox malware steals API keys from popular cloud services

Two comprehensive and emerging pieces of ‘modular’ malware have been seen recently scouring the internet for misconfigured servers to steal API keys of popular cloud service providers including AWS, Stripe, PayPal, Mailgun, and Twilio.

Legion and AlienFox are described as comprehensive and modular hacking tools by Sentinel One and Cado Security. Written using Python they make use of many open-source tools and can be heavily adapted and reconfigured depending on attacker requirements. Sentinel One has analysed several variants or evolutions of AlienFox. The tools are sold and distributed via the Telegram messaging app with video demonstrations of Legion published on YouTube on the Forza Tools channel.

Image 2
Forzatools’ youtube channel demonstrating legion’s abilities while advertising the operator’s telegram channel

Security scanning platforms such as LeakIX, Shodan, and Security Trails are used to identify misconfigured servers that expose sensitive web resources and files. Legion and Alienfox target these servers that use popular web frameworks such as Laravel, WordPress, Joomla, that expose ‘.env’ environment variable files that often contain sensitive application or service credentials, API keys, usernames, passwords, etc.

ApacheLaravelGeneric Debug Paths
Commonly targeted sensitive files by Legion

One of Legion’s ‘modular’ capabilities is the built-in feature to brute force AWS accounts with the credentials that are gathered. SMTP credentials gathered are also used to compromise mailboxes for the distribution of phishing emails.

Norm. has observed activity matching that of tools such as Legion and AlienFox and recommends to all customers affected to ensure that web servers are configured correctly by not exposing sensitive files to the internet and closing unnecessary ports.

By utilising norm.’s Threat Detection & Response service your public facing assets are monitored for web scraping activity performed by tools such as Legion and AlienFox.


Legion: New hacktool steals credentials from misconfigured sites (

Dissecting AlienFox | The Cloud Spammer’s Swiss Army Knife – SentinelOne

AlienFox Malware Targets API Keys and Secrets from AWS, Google, and Microsoft Cloud Services (

Legion: an AWS Credential Harvester and SMTP Hijacker

Get norm.’s threat bulletin direct to your inbox

norm. tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.

You can receive this bulletin for free, every fortnight, by entering your business email address below: