An extortion campaign targeted more than 100,000 domains by using misconfigured AWS environment variable files (.env files) to ransom data stored in S3 containers.
The sophisticated campaign employed automation techniques and extensive knowledge of cloud architecture to increase the speed and success of the campaign, underscoring the need for cloud security best practices such as robust authentication and access controls, data encryption, secure configuration management, and monitoring and logging.
The attackers were able to leverage .env files that contained sensitive information such as credentials from numerous applications because of multiple security failures on the part of cloud users. These insecure practices include:
After achieving initial access, the attack campaign set up its infrastructure within organizations’ AWS environments and from there scanned more than 230 million unique targets for sensitive information.
The campaign targeted 110,000 domains, resulting in more than 90,000 unique variables in the .env files. Of those variables, 7,000 belonged to organizations’ cloud services and 1,500 variables were traced back to social media accounts.
Attackers used multiple networks and tools in their operation, such as virtual private server (VPS) endpoints, the onion router (Tor) network for reconnaissance and initial access operations, and VPNs for lateral movement and data exfiltration.
Attackers successfully ransomed data hosted within cloud storage containers. They did not encrypt the data before ransom, but instead exfiltrated it and placed a ransom note in the compromised container.
Environment files let users define configuration variables used within applications and platforms, and often contain secrets such as hard-coded cloud access keys, SaaS API keys and database login information, which the threat actors used for initial access.
By scanning for exposed .env files hosted on unsecured web applications, the threat actors were able to obtain exposed AWS Identity and Access Management (IAM) access keys.
How common are .env file exposures? Perhaps much greater than even this campaign would suggest – Cyble’s threat intelligence platform has detected 1,472,925 .env files since 1 Jan 2024 that have been exposed publicly.
The IAM credentials uncovered by the attackers in this case did not have administrator access to all cloud resources, but the attackers discovered that the IAM role used for initial access had permissions to create new IAM roles and attach IAM policies to existing roles. Using these capabilities, the attackers successfully escalated their privileges within victim cloud environments by creating new IAM resources with unlimited access.
In the discovery phase of this campaign, the attackers ran the GetCallerIdentity API call to verify the identity of the user or role assigned to the exposed IAM credential, including UserID, AWS account number and Amazon Resource Name (ARN).
The attackers also used the AWS API request ListUsers to obtain a list of IAM users in the AWS account, and the API request ListBuckets to identify all existing S3 buckets.
To elevate privileges, the attackers created an IAM role named lambda-ex with the API request CreateRole, then used the API call AttachRolePolicy to attach the AWS-managed policy AdministratorAccess to the newly created lambda-ex role.
In the execution phase, the attackers initially failed to create an EC2 infrastructure stack, but using the CreateFunction20150331 API call, they were able to create new AWS Lambda functions for their automated scanning operation. From there, they were able to launch a bash script to scan for targets.
The shared responsibility model of cloud security places responsibility for secure configuration squarely on the service’s users. This cloud extortion campaign reveals the dangers that arise when cloud service users fail to follow best practices such as robust authentication and access controls, data encryption, secure configuration management, and monitoring and logging.
Exposed .env files may contain API keys and secrets, database credentials, encryption keys, and sensitive environment configurations, so the following best practices are recommended:
Here are indicators of compromise identified in the campaign:
URL
IPv4
SHA256 for Lambda.sh – 64e6ce23db74aed7c923268e953688fa5cc909cc9d1e84dd46063b62bd649bf6