Attackers use public .env files to break into cloud and social media accounts

16 August 2024 | Ravie Lakshmanan | Cloud security / Application security

A large-scale extortion campaign compromised various organizations by exploiting publicly available environment variable (.env) files containing credentials for cloud and social media applications.

“Numerous security lapses occurred during the course of this campaign, including: disclosure of environment variables, use of long-lived credentials, and lack of a least-privilege architecture,” Palo Alto Networks Unit 42 said in a report on Thursday.

What is notable about the campaign is that it hosts its attack infrastructure inside the Amazon Web Services (AWS) environments of the compromised organizations and uses them as a launch pad for scanning more than 230 million unique targets for sensitive data.

Targeting 110,000 domains, the malicious activity is said to have stolen over 90,000 unique variables from .env files, 7,000 of which belonged to organizations’ cloud services and 1,500 of which were linked to social media accounts.

“In the campaign, attackers successfully extorted data hosted in cloud storage containers,” Unit 42 said. “In the incident, the attackers did not encrypt the data before demanding the ransom, but rather they exfiltrated the data and placed the ransom note in the compromised cloud storage container.”

What is most striking about these attacks is that they do not rely on security vulnerabilities or misconfigurations in cloud providers’ services, but rather on the inadvertent disclosure of .env files in unsecured web applications to gain initial access.

A successful breach of a cloud environment paves the way for extensive discovery and reconnaissance to expand the attackers' reach. The threat actors use the AWS Identity and Access Management (IAM) access keys they obtained to create new roles and elevate their privileges.

The new IAM role with administrative permissions is then used to create new AWS Lambda functions to initiate an automated internet-wide scan of millions of domains and IP addresses.
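The role-creation, privilege-grant and Lambda-creation sequence described above leaves a distinctive trail in CloudTrail. The following detection logic is an added example written for this article, not code from Unit 42's report: it assumes CloudTrail-shaped JSON records (`userIdentity`, `eventName`, `requestParameters`) and runs over constructed sample events, flagging any IAM-user access key that created a role, attached AdministratorAccess to it and then created a Lambda function using that role.

```python
from collections import defaultdict

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def _ev(t, source, name, key, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key},
            "requestParameters": params}

# Constructed sample events, not real telemetry: K1 follows the chain from the
# article (role created, AdministratorAccess attached, Lambda launched with it);
# K2 is a benign deploy key that creates a role with a read-only policy.
K1, K2 = "AKIAEXAMPLE0000001", "AKIAEXAMPLE0000002"
SAMPLE_EVENTS = [
    _ev("2024-08-01T10:00:00Z", "iam.amazonaws.com", "CreateRole", K1, roleName="lambda-ex-role"),
    _ev("2024-08-01T10:01:00Z", "iam.amazonaws.com", "AttachRolePolicy", K1,
        roleName="lambda-ex-role", policyArn=ADMIN_POLICY),
    _ev("2024-08-01T10:02:00Z", "lambda.amazonaws.com", "CreateFunction20150331", K1,
        functionName="scanner", role="arn:aws:iam::123456789012:role/lambda-ex-role"),
    _ev("2024-08-01T11:00:00Z", "iam.amazonaws.com", "CreateRole", K2, roleName="ci-role"),
    _ev("2024-08-01T11:01:00Z", "iam.amazonaws.com", "AttachRolePolicy", K2,
        roleName="ci-role", policyArn="arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"),
]

def escalation_chains(events):
    """Return {accessKeyId: [roleName, ...]} for IAM-user keys that created a role,
    granted it AdministratorAccess and then created a Lambda with it, in that order."""
    progress, flagged = defaultdict(dict), defaultdict(list)  # key -> {role: stage}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity") or {}
        if ident.get("type") != "IAMUser":      # assumed roles/SSO are out of scope here
            continue
        key, name = ident.get("accessKeyId", ""), ev["eventName"]
        params = ev.get("requestParameters") or {}
        if name == "CreateRole":
            progress[key][params.get("roleName")] = 1
        elif name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY:
            if progress[key].get(params.get("roleName")) == 1:
                progress[key][params["roleName"]] = 2
        elif name.startswith("CreateFunction"):  # CloudTrail names it CreateFunction20150331
            role = (params.get("role") or "").rsplit("/", 1)[-1]
            if progress[key].get(role) == 2:
                progress[key][role] = 3
                flagged[key].append(role)
    return dict(flagged)

if __name__ == "__main__":
    print(escalation_chains(SAMPLE_EVENTS))   # {'AKIAEXAMPLE0000001': ['lambda-ex-role']}
```

Feeding real CloudTrail records from your own account works the same way; the stage check ties the three events to the same access key and role name so an ordinary deployment that grants a scoped policy does not fire.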

“The script retrieved a list of potential targets from a publicly accessible third-party S3 bucket that was exploited by the threat actor,” said Unit 42 researchers Margaret Zimmermann, Sean Johnstone, William Gamazo and Nathaniel Quist.

“The list of potential targets that the malicious Lambda function ran through contained a record of the victim domains. For each domain in the list, the code executed a cURL request and targeted all environment variable files available in that domain (e.g. https:///.env).”

If the target domain hosts an exposed environment file, the plaintext credentials contained in the file are extracted and stored in a newly created folder in another public AWS S3 bucket controlled by the threat actor. The bucket has since been removed by AWS.

The attack campaign was found to specifically target cases where the .env files contain Mailgun credentials, suggesting that the attacker is attempting to use these files to send phishing emails from legitimate domains and bypass security measures.

The infection chain ends with the threat actor exfiltrating and deleting sensitive data from the victim’s S3 bucket and uploading a ransom note demanding that the victim contact them and pay a ransom to avoid the information being sold on the dark web.

The financial motive of the attack is also evident in the threat actor’s failed attempts to create new Elastic Compute Cloud (EC2) resources for illicit cryptocurrency mining.

It is currently unclear who is behind the campaign, partly because of the use of VPNs and the Tor network to conceal its true origin, but Unit 42 said it identified two IP addresses geolocated in Ukraine and Morocco as part of the Lambda function and S3 exfiltration activities respectively.

“The attackers behind this campaign likely used extensive automation techniques to operate successfully and quickly,” the researchers said. “This suggests that these threat actor groups have both knowledge and expertise in advanced cloud architecture processes and techniques.”
