Hackers Exploited AWS ENV Files to Attack 110,000 Domains & Steal Credentials


A sophisticated extortion campaign targeted 110,000 domains by exploiting exposed .env files on unsecured web applications.

The attackers obtained AWS IAM access keys from these files, which allowed them to create new IAM roles and policies with unlimited access. 


This escalated their privileges, enabling them to steal data and ransom cloud storage. The exposed .env files likely contained sensitive information like API keys, passwords, and database credentials, making them valuable targets for cybercriminals.

The campaign leveraged exposed .env files containing AWS credentials to ransom data stored in S3 buckets. By targeting over 100,000 domains, the attackers employed automation and in-depth knowledge of cloud infrastructure to efficiently compromise and exfiltrate sensitive data.

The campaign underscores the criticality of cloud security best practices, including robust authentication, access controls, data encryption, secure configuration management, and comprehensive monitoring and logging to mitigate such threats.

Multiple security lapses by cloud users allowed attackers to exploit .env files containing sensitive credentials: exposing environment variables on public web servers, using long-lived credentials, and failing to implement a least-privilege architecture.

The attackers gained unauthorized access to AWS environments and scanned millions of targets for sensitive data, focusing on 110,000 domains and extracting over 90,000 unique variables from their .env files.

The extracted variables revealed sensitive information about cloud services and social media accounts, highlighting the attackers' interest in compromising both organizational and personal data.

The attackers executed a sophisticated cyberattack utilizing a multi-layered approach by leveraging virtual private servers, the Tor network, and VPNs to gain unauthorized access to cloud storage containers. 

After infiltrating the system, they exfiltrated sensitive data without encrypting it. A ransom note was then placed within the compromised container, demanding payment for the return of the stolen information, highlighting the increasing complexity of cyber threats and the need for robust security measures to protect sensitive data.

Threat actors are exploiting the widespread exposure of .env files to gain unauthorized access to cloud environments. These files often contain sensitive credentials, such as AWS IAM access keys, which can be used to create new IAM roles with elevated privileges.

Cyble’s threat intelligence platform has identified over 1.4 million exposed .env files since the beginning of 2024, highlighting the prevalence of this vulnerability.

By scanning for these files on unsecured web applications, attackers can easily obtain the necessary credentials to escalate their privileges and compromise cloud resources.

The attackers initially verified the identity and account information of the exposed IAM credential and then enumerated existing IAM users and S3 buckets. To elevate privileges, they created a new IAM role with administrator access. 

In the execution phase, they failed to create an EC2 infrastructure stack but successfully created AWS Lambda functions, which were used to launch a bash script to scan for potential targets.
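The chain described above (identity check, IAM and S3 enumeration, admin role creation, Lambda execution) maps directly onto CloudTrail events, so it can be turned into a detection. The following is an added example, not code from the article or from any vendor: it scans constructed CloudTrail-style records and flags any long-lived IAM user access key (AKIA prefix) that passes through verification, enumeration and admin-policy attachment. The access key IDs, IP addresses and role name are placeholders.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records (not taken from the article); key IDs,
# IPs and the role name are placeholders. Only fields the detector reads are kept.
SAMPLE_LOG = r"""
{"eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE000000001"},"sourceIPAddress":"198.51.100.7"}
{"eventSource":"iam.amazonaws.com","eventName":"ListUsers","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE000000001"},"sourceIPAddress":"198.51.100.7"}
{"eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE000000001"},"sourceIPAddress":"198.51.100.7"}
{"eventSource":"iam.amazonaws.com","eventName":"CreateRole","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE000000001"},"requestParameters":{"roleName":"lambda-ex"},"sourceIPAddress":"198.51.100.7"}
{"eventSource":"iam.amazonaws.com","eventName":"AttachRolePolicy","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE000000001"},"requestParameters":{"roleName":"lambda-ex","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"},"sourceIPAddress":"198.51.100.7"}
{"eventSource":"lambda.amazonaws.com","eventName":"CreateFunction20150331","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE000000001"},"sourceIPAddress":"198.51.100.7"}
{"eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"AssumedRole","accessKeyId":"ASIAEXAMPLE000000002"},"sourceIPAddress":"203.0.113.9"}
"""

# Map (eventSource, eventName) to the phase of the chain it represents.
STAGES = {
    ("sts.amazonaws.com", "GetCallerIdentity"): "verify",
    ("iam.amazonaws.com", "ListUsers"): "enumerate",
    ("s3.amazonaws.com", "ListBuckets"): "enumerate",
    ("iam.amazonaws.com", "AttachRolePolicy"): "escalate",
    ("lambda.amazonaws.com", "CreateFunction20150331"): "execute",
}

def stage_of(event):
    """Classify one record; AttachRolePolicy only counts when it grants admin."""
    key = (event.get("eventSource"), event.get("eventName"))
    if key == ("iam.amazonaws.com", "AttachRolePolicy"):
        arn = event.get("requestParameters", {}).get("policyArn", "")
        return "escalate" if arn.endswith("/AdministratorAccess") else None
    return STAGES.get(key)

def chains_by_access_key(log_text):
    """Return {accessKeyId: set of stages observed} from newline-delimited JSON."""
    seen = defaultdict(set)
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        stage = stage_of(event)
        if stage:
            seen[event["userIdentity"]["accessKeyId"]].add(stage)
    return dict(seen)

def flag_suspicious_keys(log_text):
    """Long-lived user keys (AKIA...) that verified, enumerated and escalated."""
    required = {"verify", "enumerate", "escalate"}
    return sorted(key for key, stages in chains_by_access_key(log_text).items()
                  if key.startswith("AKIA") and required <= stages)
```

In a real deployment the grouping would also be bounded by a time window and enriched with the source IP, since the article notes the traffic arrived via Tor exit nodes, VPS hosts and VPN endpoints.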

Security best practices to prevent this include not committing “.env” files to version control and using environment variables instead.

Organizations should also implement access controls, audits, and secret management tools. Throughout the campaign, the attackers used Tor exit nodes, VPS hosts, and VPN endpoints to mask their locations.
