A sophisticated extortion campaign has recently come to light, revealing how cybercriminals are exploiting publicly accessible environment variable files (.env) to compromise various organizations.
These files, which contained sensitive credentials for cloud and social media applications, became the focal point of a widespread attack that has raised significant concern in the cybersecurity community.
Key Security Missteps Identified
Palo Alto Networks Unit 42, in a report released on Thursday, highlighted several critical security oversights that facilitated this campaign:
- Exposure of environment variables
- Use of long-lived credentials
- Lack of least-privilege architecture
These vulnerabilities allowed attackers to gain initial access and subsequently escalate their privileges within compromised systems.
Scale and Impact of the Campaign
The campaign’s scope is noteworthy for its extensive reach:
- Over 230 million unique targets were scanned for sensitive data
- 110,000 domains targeted
- More than 90,000 unique variables extracted from .env files
- 7,000 variables linked to organizations’ cloud services
- 1,500 variables associated with social media accounts
Attack Methodology and Infrastructure
What sets this campaign apart is its innovative approach to attack infrastructure. The threat actors cleverly set up their operations within the infected organizations’ Amazon Web Services (AWS) environments, using these compromised resources as a launchpad for further attacks.
Initial Access and Privilege Escalation
The attackers gained initial access by exploiting unsecured web applications with exposed .env files. Once inside a cloud environment, they conducted extensive reconnaissance to broaden their foothold. By weaponizing AWS Identity and Access Management (IAM) access keys, the threat actors created new roles and escalated their privileges to administrative levels.
Automated Scanning and Data Exfiltration
With elevated permissions, the attackers deployed AWS Lambda functions to initiate an automated, internet-wide scanning operation. This process involved:
- Retrieving potential targets from a publicly accessible third-party S3 bucket
- Iterating through a list of victim domains
- Performing cURL requests to identify exposed .env files
- Extracting and storing cleartext credentials in a threat actor-controlled AWS S3 bucket
Targeting Mailgun Credentials and Ransom Demands
The campaign showed a particular interest in Mailgun credentials, suggesting an intent to use legitimate domains for phishing campaigns. The final stage of the attack involved:
- Exfiltrating sensitive data from the victim’s S3 bucket
- Deleting the original data
- Uploading a ransom note threatening to sell the information on the dark web
Additional Malicious Activities
Beyond data exfiltration and ransom demands, the threat actors also attempted to create new Elastic Compute Cloud (EC2) resources for cryptocurrency mining, highlighting their financial motivations.
Attribution and Threat Actor Sophistication
While the identity of the threat actors remains unknown due to their use of VPNs and the Tor network, Unit 42 researchers detected IP addresses geolocated in Ukraine and Morocco associated with the Lambda function and S3 exfiltration activities, respectively.
The researchers emphasized the attackers’ high level of skill and knowledge in advanced cloud architectural processes and techniques, noting their likely use of extensive automation to operate successfully and rapidly.
Implications for Cloud Security
This campaign underscores the importance of securing environment variable files and implementing robust cloud security practices. Organizations must prioritize:
- Proper management of credentials and access keys
- Implementation of least privilege principles
- Regular security audits of cloud environments
- Monitoring for unusual activities within cloud services
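One way to monitor for the privilege-escalation chain described above (a leaked long-lived key creating a role, attaching AdministratorAccess, deploying Lambda, then deleting S3 data), written as an added example that is not part of the article or of Unit 42's report. It runs over constructed CloudTrail-shaped events and assumes the simplified field names shown rather than the full CloudTrail schema.

```python
from collections import defaultdict

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
STAGES = {  # API calls that, chained under one access key, mirror the reported campaign
    "escalate": {"CreateRole", "AttachRolePolicy", "PutRolePolicy", "CreateAccessKey"},
    "deploy": {"CreateFunction", "RunInstances"},
    "destroy": {"DeleteObject", "DeleteObjects", "DeleteBucket"},
}

def analyze(events):
    """Group CloudTrail-style events by access key; return {key: [notes]} for chained abuse."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"]["accessKeyId"]].append(e)
    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["eventTime"])
        names = [e["eventName"] for e in evs]
        first = {}  # stage -> index of its first occurrence, in time order
        for i, n in enumerate(names):
            for stage, calls in STAGES.items():
                if n in calls:
                    first.setdefault(stage, i)
        esc = first.get("escalate", len(names))  # sentinel: nothing can come "after" it
        notes = []
        # Long-lived IAM user keys begin with AKIA; temporary STS keys begin with ASIA.
        if key.startswith("AKIA") and "escalate" in first:
            notes.append("long-lived key changed IAM privileges")
        if any(e["eventName"] == "AttachRolePolicy" and
               e["requestParameters"].get("policyArn") == ADMIN_POLICY for e in evs):
            notes.append("AdministratorAccess attached to a role")
        if first.get("deploy", -1) > esc:
            notes.append("Lambda/EC2 created after privilege changes")
        if first.get("destroy", -1) > esc:
            notes.append("S3 deletion after privilege changes")
        if len(first) >= 2:  # one stage alone is routine admin work; a chain is not
            findings[key] = notes
    return findings

def ev(t, source, name, akid, **params):  # minimal constructed CloudTrail-shaped event
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": akid}, "requestParameters": params}

K = "AKIAEXAMPLELEAKED0001"  # constructed: a leaked long-lived key walking the whole chain
SAMPLE_EVENTS = [
    ev("2024-08-15T10:02:00Z", "iam.amazonaws.com", "CreateRole", K, roleName="lambda-ex-role"),
    ev("2024-08-15T10:03:00Z", "iam.amazonaws.com", "AttachRolePolicy", K, policyArn=ADMIN_POLICY),
    ev("2024-08-15T10:10:00Z", "lambda.amazonaws.com", "CreateFunction", K, functionName="scan"),
    ev("2024-08-15T11:00:00Z", "s3.amazonaws.com", "DeleteObject", K, bucketName="victim-data"),
    ev("2024-08-15T10:05:00Z", "s3.amazonaws.com", "GetObject", "ASIAEXAMPLETEMP00001", bucketName="app-assets"),
]
```

Calling `analyze(SAMPLE_EVENTS)` flags only the AKIA key, with all four notes; the temporary key's routine read produces nothing.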
As cloud adoption continues to grow, the security of these environments becomes increasingly crucial. This incident is a stark reminder of the sophisticated threats targeting cloud infrastructure and the need for vigilant cybersecurity measures.
Update: we have received a statement from Amazon on this matter:
“AWS services and infrastructure are not affected by the findings of these researchers. The issues described in this blog were a result of a bad actor abusing misconfigured web applications—hosted both in the cloud and elsewhere—that allowed public access to environment variable (.env) files. Some of these files contained various kinds of credentials, including AWS credentials which were then used by the bad actor to call AWS APIs. Environment variable files should never be publicly exposed, and even if kept private, should never contain AWS credentials. AWS provides a variety of easy-to-use mechanisms for web applications to access temporary AWS credentials in a secure fashion. We recommend customers follow best practices for AWS Identity and Access Management (IAM) to help secure their AWS resources.” — AWS spokesperson