A large-scale extortion campaign has compromised numerous organizations by exploiting publicly accessible environment variable files (.env) containing credentials for cloud and social media applications. The attackers have used these credentials to breach cloud accounts, exfiltrate data, and demand ransoms from the affected organizations.
Key Takeaways
Attackers exploited publicly accessible .env files to gain access to cloud and social media credentials.
Over 110,000 domains were targeted, and some 90,000 unique environment variables were exposed through their .env files.
The campaign exfiltrated data from the victims' S3 buckets and left ransom notes in the emptied buckets.
Attackers used the leaked AWS IAM access keys to escalate privileges by creating new roles with administrative permissions.
The attack chain ended with data exfiltration, deletion, and ransom demands.
Exploitation of .env Files
The campaign is notable for its reliance on the accidental exposure of .env files by misconfigured web servers. These files hold an application's configuration as environment variables, and a .env file is meant to live outside the web root and be read by the application process, never served over HTTP. Where the server did serve it, anyone who requested the path received the contents, which handed the attackers cleartext credentials. With those credentials the attackers performed extensive discovery and reconnaissance inside the compromised cloud environments.
Attack Infrastructure and Methods
The attackers set up their operational infrastructure inside the compromised organizations' Amazon Web Services (AWS) environments. Using the leaked AWS Identity and Access Management (IAM) access keys, they created new IAM roles with administrative permissions; a key that is allowed to create roles and attach policies to them is effectively administrative already, whatever its own policy grants. Those roles were then used to create AWS Lambda functions that ran an automated internet-wide scan against millions of domains and IP addresses.
The malicious Lambda function retrieved a list of potential targets from a publicly accessible third-party S3 bucket. For each domain in the list, the function issued a cURL request for the site's .env file. If the server returned one, the function extracted the credentials and wrote them to a second, attacker-controlled public S3 bucket.
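The two steps described above, serving a .env file over HTTP and the scanner's per-domain check for one, are the same logic seen from opposite sides. The script below is an added example, not code from the original article or from the campaign: a dotenv parser in the style of common loaders, a classifier that flags which variables are credentials worth rotating, and the response test a defender can point at their own hosts (or that a scanner applies) to tell a real exposure from a catch-all route that returns 200 with HTML. The sample .env, the variable-name heuristics and the simulated HTTP responses are constructed for the example; the AWS values are Amazon's documented placeholder credentials.

```python
import re

# Constructed sample of what an exposed .env typically contains. The AWS
# values are Amazon's documented placeholder credentials, not live keys.
SAMPLE_ENV = """\
# Application settings
APP_ENV=production
APP_DEBUG=false
APP_KEY="base64:Q2hhbmdlTWVDaGFuZ2VNZUNoYW5nZU1lQ2hhbmdlTWU="
export DB_PASSWORD='s3cr3t pass' # local postgres
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
FACEBOOK_APP_SECRET=0123456789abcdef0123456789abcdef
MAIL_HOST=smtp.example.com
"""

# AWS access key IDs are 20 chars: AKIA (long-lived) or ASIA (temporary)
# followed by 16 upper-case alphanumerics. The name patterns below are
# heuristics chosen for this example, not an authoritative list.
AWS_KEY_ID = re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")
SENSITIVE = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|_KEY\b|KEY_ID|CREDENTIAL", re.I)
SOCIAL = re.compile(r"FACEBOOK|INSTAGRAM|TWITTER|LINKEDIN|TIKTOK|YOUTUBE", re.I)
ENV_LINE = re.compile(r"^\s*(export\s+)?[A-Za-z_][A-Za-z0-9_]*\s*=")


def parse_env(text):
    """Parse dotenv syntax the way common loaders do: KEY=VALUE, optional
    'export ' prefix, '#' comment lines, quoted values with an inline
    comment allowed after the closing quote. Returns {name: value} in
    file order."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if value[:1] in ("'", '"'):
            end = value.find(value[0], 1)          # matching close quote
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split(" #", 1)[0].rstrip()  # drop inline comment
        if name:
            env[name] = value
    return env


def classify(env):
    """Return [(name, category)] for variables that must be treated as
    leaked credentials and rotated, most specific category first."""
    findings = []
    for name, value in env.items():
        if not value:
            continue
        upper = name.upper()
        if AWS_KEY_ID.match(value):
            findings.append((name, "aws_access_key_id"))
        elif "AWS" in upper and SENSITIVE.search(name):
            findings.append((name, "aws_secret_access_key"))
        elif SOCIAL.search(name) and SENSITIVE.search(name):
            findings.append((name, "social_media_credential"))
        elif upper.startswith("DB_") and SENSITIVE.search(name):
            findings.append((name, "database_credential"))
        elif SENSITIVE.search(name):
            findings.append((name, "application_secret"))
    return findings


def looks_like_env(status, content_type, body):
    """Decide whether an HTTP response for /.env is really an exposed dotenv
    file. A 200 alone is not evidence: catch-all routes answer 200 with an
    HTML page. Require at least two KEY=VALUE lines and mostly such lines."""
    if status != 200:
        return False
    if "text/html" in (content_type or "").lower() or "<html" in body[:512].lower():
        return False
    lines = [l for l in body.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    hits = sum(1 for l in lines if ENV_LINE.match(l))
    return hits >= 2 and hits / len(lines) >= 0.8


if __name__ == "__main__":
    # Simulated responses: the first is what a misconfigured server returns,
    # the others are what a naive status-code check would misjudge.
    for status, ctype, body in [
        (200, "application/octet-stream", SAMPLE_ENV),
        (200, "text/html; charset=utf-8", "<!doctype html><html><body>Not found</body></html>"),
        (404, "text/plain", "Not Found"),
    ]:
        print(status, ctype, "exposed" if looks_like_env(status, ctype, body) else "clean")
    for name, category in classify(parse_env(SAMPLE_ENV)):
        print(f"rotate {name}: {category}")
```

Point `looks_like_env` at the status, Content-Type and body of a real request for `https://yourhost/.env` to audit your own estate; the HTML and 404 checks matter because many frameworks answer unknown paths with a 200 landing page. Every variable that `classify` returns should be rotated, not merely hidden, once a file has been reachable.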
Ransom and Financial Motivations
The attackers exfiltrated and then deleted sensitive data from the victims' S3 buckets and uploaded ransom notes to the emptied buckets, demanding payment and threatening otherwise to sell the data on the dark web. The campaign also included failed attempts to create new Amazon Elastic Compute Cloud (EC2) instances for illicit cryptocurrency mining.
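The cloud-side chain described in the two sections above (role creation plus an administrative policy, Lambda deployment from a leaked user key, bulk S3 deletion followed by a ransom-note upload, and denied EC2 launches) leaves a distinctive trail in CloudTrail. The detector below is an added example, not code from the original article or from any vendor report: it runs one pass over time-ordered CloudTrail records, correlates by access key ID, and emits a finding per stage. The record fields follow CloudTrail's format and the event names are the real ones (Lambda's CreateFunction is logged as `CreateFunction20150331`), but the events, role, function, bucket and object names, threshold, and IP address are constructed for the example; the access key ID is Amazon's documented placeholder.

```python
"""Hunt the cloud side of the .env campaign in CloudTrail: CreateRole followed
by AttachRolePolicy with AdministratorAccess, Lambda deployed from a long-lived
user key, bulk DeleteObject followed by PutObject in the same bucket, and
RunInstances denied. Events are constructed for this example."""
from collections import defaultdict

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
BULK_DELETE_THRESHOLD = 3  # deliberately small for the sample; tune per bucket

# Constructed sample. The key ID is Amazon's documented placeholder, the IP is
# from the TEST-NET-2 range, and all resource names are invented.
KEY = "AKIAIOSFODNN7EXAMPLE"
IDENT = {"type": "IAMUser", "userName": "deploy", "accessKeyId": KEY}


def _ev(time, source, name, params=None, error=None):
    """Build a minimal CloudTrail record with the fields the detector reads."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": IDENT, "sourceIPAddress": "198.51.100.7",
            "requestParameters": params or {}, "errorCode": error}


SAMPLE_EVENTS = [
    _ev("2024-08-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity"),
    _ev("2024-08-01T10:00:05Z", "s3.amazonaws.com", "ListBuckets"),
    _ev("2024-08-01T10:01:00Z", "iam.amazonaws.com", "CreateRole", {"roleName": "lambda-ex"}),
    _ev("2024-08-01T10:01:10Z", "iam.amazonaws.com", "AttachRolePolicy",
        {"roleName": "lambda-ex", "policyArn": ADMIN_POLICY}),
    _ev("2024-08-01T10:02:00Z", "lambda.amazonaws.com", "CreateFunction20150331",
        {"functionName": "env-scan"}),
    *[_ev(f"2024-08-01T10:05:0{i}Z", "s3.amazonaws.com", "DeleteObject",
          {"bucketName": "victim-data", "key": f"export-{i}.csv"}) for i in range(3)],
    _ev("2024-08-01T10:06:00Z", "s3.amazonaws.com", "PutObject",
        {"bucketName": "victim-data", "key": "ransom-note.txt"}),
    _ev("2024-08-01T10:10:00Z", "ec2.amazonaws.com", "RunInstances",
        error="Client.UnauthorizedOperation"),
]


def detect(events):
    """One pass over time-ordered events. Returns sorted (rule, accessKeyId,
    detail) triples; state is kept per access key so unrelated principals
    do not get correlated with each other."""
    findings = set()
    created_roles = set()       # (accessKeyId, roleName) created by that key
    deletes = defaultdict(int)  # (accessKeyId, bucket) -> DeleteObject count
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name = ev["eventName"]
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        p = ev.get("requestParameters") or {}
        if name == "CreateRole":
            created_roles.add((key, p.get("roleName")))
        elif (name == "AttachRolePolicy" and p.get("policyArn") == ADMIN_POLICY
              and (key, p.get("roleName")) in created_roles):
            findings.add(("iam_admin_role_created", key, p.get("roleName")))
        elif name == "CreateFunction20150331" and key.startswith("AKIA"):
            # AKIA = long-lived IAM user key; ASIA = temporary STS credential.
            # Pipelines deploy with assumed roles, so a user key here is odd.
            findings.add(("lambda_deployed_with_user_key", key, p.get("functionName")))
        elif name == "DeleteObject":
            deletes[(key, p.get("bucketName"))] += 1
        elif name == "PutObject" and deletes[(key, p.get("bucketName"))] >= BULK_DELETE_THRESHOLD:
            findings.add(("upload_after_bulk_delete", key,
                          f"{p.get('bucketName')}/{p.get('key')}"))
        elif name == "RunInstances" and ev.get("errorCode") == "Client.UnauthorizedOperation":
            findings.add(("ec2_launch_denied", key, ev.get("sourceIPAddress")))
    return sorted(findings)


if __name__ == "__main__":
    for rule, key, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {key} {detail}")
```

Two caveats for running this against real logs: S3 `DeleteObject` and `PutObject` are data events and only appear if CloudTrail data-event logging is enabled for the bucket, and the IAM rule deliberately fires only when the same access key both created the role and attached the administrative policy, which keeps routine administration from tripping it. The recon calls in the sample (`GetCallerIdentity`, `ListBuckets`) are left unflagged on purpose; they are too common to alert on alone but are worth pulling into the timeline once a later stage fires.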
Geographic Indicators and Automation
While the true origin of the attackers remains unclear because they operated through VPNs and the Tor network, two IP addresses were geolocated to Ukraine and Morocco. The operation relied heavily on automation, from the Lambda-driven scanning to scripted credential harvesting, which indicates solid familiarity with cloud service architecture rather than opportunistic manual intrusion.
The campaign's success underscores the importance of keeping .env files out of the web root and blocking web-server access to dotfiles, rotating any credential that has ever been reachable, and applying least privilege to cloud identities so that a leaked key cannot create roles or attach policies. At BetterWorld Technology, our cybersecurity team offers proactive monitoring, threat assessment, and incident response tailored to your data and infrastructure. Contact us to learn how we can strengthen your defenses.