top of page
Writer's pictureJohn Jordan

Hackers Exploit Public .env Files to Breach Cloud Accounts in Massive Extortion Campaign

A large-scale extortion campaign has compromised numerous organizations by exploiting publicly accessible environment variable files (.env) containing credentials for cloud and social media applications. The attackers have used these credentials to breach cloud accounts and demand ransoms from the affected organizations.

Amazon Web Services | BetterWorld Technology

Key Takeaways

  • Attackers exploited publicly accessible .env files to gain credentials for cloud and social media applications.

  • The campaign targeted over 110,000 domains and extracted 90,000 unique variables, including 7,000 cloud service credentials and 1,500 social media account credentials.

  • Attackers used compromised AWS environments to scan over 230 million unique targets for sensitive data.

  • The campaign did not involve encrypting data but exfiltrated it and left ransom notes in compromised cloud storage containers.

  • The attackers leveraged AWS IAM access keys to create new roles and escalate privileges, using AWS Lambda functions for automated scanning.

  • The infection chain ended with data exfiltration, deletion, and ransom note placement, with failed attempts at illicit cryptocurrency mining.

  • The attackers' true origin remains unclear due to the use of VPNs and the TOR network, though some IP addresses were traced to Ukraine and Morocco.

Exploitation of .env Files

The attackers took advantage of publicly accessible .env files, which are often used to store environment variables, including sensitive credentials. These files were exposed on unsecured web applications, allowing the attackers to gain initial access without exploiting security vulnerabilities or misconfigurations in cloud providers' services.

Attack Infrastructure and Scanning

Once inside the compromised AWS environments, the attackers set up their attack infrastructure and used it as a launchpad to scan over 230 million unique targets for sensitive data. They targeted over 110,000 domains, extracting 90,000 unique variables from .env files. Among these, 7,000 variables were linked to cloud services, and 1,500 were associated with social media accounts.

Ransom and Data Exfiltration

The attackers did not encrypt the data before demanding a ransom. Instead, they exfiltrated the data and placed ransom notes in the compromised cloud storage containers. The ransom notes urged the victims to pay to avoid having their information sold on the dark web.

Advanced Techniques and Automation

The attackers demonstrated advanced cloud architectural knowledge and extensive automation techniques. They used AWS IAM access keys to create new roles with administrative permissions, which were then used to create AWS Lambda functions. These functions initiated an automated internet-wide scanning operation, targeting millions of domains and IP addresses.

Failed Cryptocurrency Mining Attempts

In addition to data exfiltration and ransom demands, the attackers attempted to create new Elastic Cloud Compute (EC2) resources for illicit cryptocurrency mining. However, these attempts were unsuccessful.

Concealed Origins

The true origin of the attackers remains unclear due to their use of VPNs and the TOR network. However, some IP addresses involved in the lambda function and S3 exfiltration activities were traced to Ukraine and Morocco.

This campaign highlights the importance of securing environment variable files and implementing least privilege architectures. Organizations must ensure that sensitive credentials are not exposed and that robust security measures are in place to prevent such breaches. In today's digital age, robust cybersecurity measures are more important than ever. At BetterWorld Technology, our team of cybersecurity experts is committed to safeguarding your business from evolving threats. We offer comprehensive solutions tailored to protect your data and infrastructure. Whether you need proactive monitoring, threat assessment, or incident response, BetterWorld Technology has the expertise to keep your business secure. Contact us today to learn how our cutting-edge cybersecurity services can fortify your defenses. Enhance your cybersecurity posture and ensure peace of mind with BetterWorld Technology.

Sources

70 views
bottom of page