A significant extortion campaign has emerged, targeting various organizations by exploiting publicly accessible environment variable files (commonly ending in .env) that contain sensitive credentials for cloud and social media applications. This alarming trend underscores the vulnerabilities in data security practices across industries.
According to a report by Palo Alto Networks’ Unit 42, multiple security flaws were identified during the campaign, notably including the exposure of environment variables, reliance on long-lived credentials, and a failure to implement least privilege access policies.
This campaign is particularly concerning as attackers established their infrastructure within the compromised organizations’ Amazon Web Services (AWS) environments. This enabled them to scan over 230 million unique targets, diligently searching for sensitive information across a wide array of domains and applications.
The scale of the operation is evidenced by the targeting of approximately 110,000 domains, allowing attackers to capture more than 90,000 unique environment variables. Among these, around 7,000 were tied to organizations’ cloud services, while 1,500 variables related specifically to social media accounts.
Unit 42 detailed that the attackers successfully ransomed data stored within compromised cloud storage containers without encrypting it first. Instead, they exfiltrated sensitive data and placed ransom notes directly in the compromised storage, complicating recovery efforts for affected organizations.
Critically, the campaign did not rely on inherent vulnerabilities in cloud services, but rather on the accidental exposure of .env files through unsecured web applications. This highlights a significant area of concern, as the attackers used the stolen credentials obtained from these misconfigured setups to launch extensive reconnaissance efforts.
The breach allowed threat actors to weaponize AWS Identity and Access Management (IAM) roles, creating new roles with elevated permissions to conduct wide-ranging scanning operations. This led them to compile lists of potential targets from a publicly accessible third-party S3 bucket, further enabling their attack strategies.
As part of their method, the attackers targeted any exposed environment variable files, systematically performing cURL requests to extract credentials. When a file contained plaintext cloud credentials, the attackers harvested them and stored them in a separate, threat-actor-controlled AWS S3 bucket, which has since been taken down.
The campaign appears to focus particularly on Mailgun credentials found in the .env files, suggesting an intention to exploit these for sending phishing emails from legitimate domains, thus circumventing traditional security measures. Ultimately, the infection chain concludes with the exfiltration of sensitive data from the victim organizations’ S3 buckets, combined with the uploading of ransom notes demanding payment to prevent the sale of the stolen information on the dark web.
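Because the technique described above leaves a distinctive trace in web server logs (a burst of requests for dotenv paths, with a 200 response marking an actual exposure), a defender can detect it and then triage the exposed file for credentials to rotate. The following is an added example, not code from the Unit 42 report; the log lines and dotenv content are constructed, and the sensitive-key patterns are an assumption based on the AWS and Mailgun credentials the report names.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not taken from the report.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [12/Aug/2024:10:01:03 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "curl/8.4.0"
203.0.113.7 - - [12/Aug/2024:10:01:04 +0000] "GET /app/.env.backup HTTP/1.1" 200 777 "-" "curl/8.4.0"
198.51.100.9 - - [12/Aug/2024:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# /.env and common variants such as /.env.backup or /app/.env.local
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[\w-]+)?$')
# Assumed key patterns for long-lived credentials (AWS and Mailgun are the ones named above)
SENSITIVE_KEY_RE = re.compile(r'(AWS_ACCESS_KEY_ID|.*(SECRET|TOKEN|PASSWORD|API_KEY).*)$', re.I)


def find_env_probes(log_text):
    """Group dotenv requests by source IP.
    Returns {ip: {"probes": n, "exposed": [paths served with 200]}}; a 200 means the
    file was actually delivered and every credential in it must be treated as stolen."""
    summary = defaultdict(lambda: {"probes": 0, "exposed": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip
        path = m["path"].split("?", 1)[0]  # ignore query strings
        if not ENV_PATH_RE.search(path):
            continue
        entry = summary[m["ip"]]
        entry["probes"] += 1
        if m["status"] == "200":
            entry["exposed"].append(path)
    return dict(summary)


def sensitive_keys(env_text):
    """Parse dotenv KEY=VALUE lines and return the keys holding credentials to rotate."""
    found = []
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if value.strip().strip("\"'") and SENSITIVE_KEY_RE.match(key.strip()):
            found.append(key.strip())
    return found
```

Run `find_env_probes` over real access logs to find which dotenv paths were served, then `sensitive_keys` over each served file to build the rotation list; the web server should additionally be configured to deny all requests for `.env` paths.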
Despite the extensive nature of this operation, the identities of those behind it remain unclear, as the attackers employed VPNs and the TOR network to obscure their location. However, Unit 42 did identify two IP addresses, linked to Ukraine and Morocco, associated with the Lambda function activity and the S3 exfiltration activity, respectively.
Researchers from Unit 42 emphasized that the attackers’ employment of automated techniques points to a high level of skill and deep understanding of advanced cloud architectural processes. This serves as a stark reminder of the urgent need for organizations to strengthen their cybersecurity measures.
In a follow-up statement, an AWS spokesperson noted that their services were not compromised; instead, the issues stemmed from the misuse of misconfigured web applications that allowed public access to critical environment variable files, highlighting the imperative for organizations to follow best practices for AWS Identity and Access Management.
The nature of this breach and the tactics employed reflect a complex landscape of cyber threats that organizations must navigate, emphasizing the need for robust security protocols and constant vigilance. As businesses continue to rely heavily on cloud infrastructure, the necessity of safeguarding sensitive credentials and implementing stringent access controls has never been more critical.