
Public .env Files Used by Attackers to Breach Cloud and Social Media Accounts

A campaign involving a large-scale extortion operation has targeted various organizations by exploiting publicly accessible .env files containing credentials for cloud and social media applications.

Palo Alto Networks Unit 42 highlighted several security flaws in the campaign, including the exposure of environment variables, use of long-lived credentials, and lack of least privilege architecture.

This campaign stands out for deploying its attack infrastructure inside compromised organizations’ Amazon Web Services (AWS) environments and using it to scan over 230 million unique targets for sensitive data.

The malicious activity targeted 110,000 domains, resulting in the acquisition of over 90,000 unique variables from .env files, with 7,000 related to cloud services and 1,500 linked to social media accounts.

Attackers in this campaign successfully held data in cloud storage containers for ransom, without encrypting the data but exfiltrating it and placing a ransom note in the compromised storage containers.

Notably, the attacks did not exploit vulnerabilities in cloud services but instead focused on exposing .env files in unsecured web applications to gain initial access.

The attackers leveraged AWS IAM access keys to escalate privileges, creating new roles and using them to launch an automated scanning operation targeting millions of domains and IP addresses.

Unit 42 researchers observed that the attackers used a Lambda function to retrieve potential targets from a publicly accessible S3 bucket and extract credentials from exposed .env files, storing them in another threat actor-controlled S3 bucket.

The attackers specifically targeted .env files containing Mailgun credentials to send phishing emails from legitimate domains, bypassing security controls.

The attack chain concludes with the threat actor exfiltrating and deleting sensitive data, then uploading a ransom note that demands payment to prevent the information from being sold on the dark web.

The attackers also attempted to create EC2 resources for illicit cryptocurrency mining, indicating financial motivations behind the campaign.
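The post-compromise steps described above (long-lived IAM access keys used to create roles, deploy Lambda functions and launch EC2 instances) leave a recognisable CloudTrail footprint. The following is an added detection example, not code from the article or from Unit 42: it flags those API calls when they are authenticated with a long-lived IAM user key rather than a temporary STS credential. The event records are constructed for illustration and follow CloudTrail's field names.

```python
"""Flag CloudTrail events in which a long-lived IAM user access key performs
role creation, Lambda deployment, EC2 launches or S3 policy/object changes."""
import json

# API names as CloudTrail records them; CreateFunction carries its API version suffix.
SUSPECT_ACTIONS = {
    "CreateRole", "AttachRolePolicy", "CreateFunction20150331",
    "RunInstances", "PutBucketPolicy", "DeleteObject",
}

def is_long_lived_key(event: dict) -> bool:
    """Long-lived IAM user keys start with AKIA; STS temporary keys start with ASIA."""
    ident = event.get("userIdentity", {})
    key = ident.get("accessKeyId", "")
    return ident.get("type") == "IAMUser" and key.startswith("AKIA")

def flag_events(events: list) -> list:
    """Return (eventTime, accessKeyId, eventName) for each suspect call made with a long-lived key."""
    hits = []
    for ev in events:
        if ev.get("eventName") in SUSPECT_ACTIONS and is_long_lived_key(ev):
            hits.append((ev["eventTime"], ev["userIdentity"]["accessKeyId"], ev["eventName"]))
    return hits

def load_records(raw: str) -> list:
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of events."""
    return json.loads(raw)["Records"]

# Constructed sample trail: one benign call, one escalation via a long-lived key,
# one Lambda deployment via an assumed role, one EC2 launch via the long-lived key.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-08-01T10:00:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2024-08-01T10:01:00Z", "eventName": "CreateRole",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2024-08-01T10:02:00Z", "eventName": "CreateFunction20150331",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002"}},
    {"eventTime": "2024-08-01T10:03:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
]})

if __name__ == "__main__":
    for when, key, action in flag_events(load_records(SAMPLE_TRAIL)):
        print(f"{when} long-lived key {key} performed {action}")
```

The rule deliberately ignores the Lambda deployment made through the assumed role; correlating that session back to the freshly created role is the natural next step once the initial pivot from a static key has been surfaced.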

The attackers’ identities remain unknown, with VPNs and the Tor network used to conceal their origins, although IP addresses geolocated in Ukraine and Morocco were detected in the attack activities.

“The attackers leveraged automation techniques to operate swiftly and effectively, showcasing advanced cloud architectural knowledge and skills,” the researchers noted.
