Multiple Cloud Accounts Breached in .env File Exploit

UGCERT is aware of a large-scale extortion campaign that has compromised multiple organizations by exploiting publicly accessible environment variable files (.env) containing credentials linked to cloud and social media applications.

The campaign is notable for setting up its attack infrastructure inside the compromised organizations’ Amazon Web Services (AWS) environments and using them as a launchpad to scan more than 230 million unique targets for sensitive data.

With 110,000 domains targeted, the malicious activity is said to have netted over 90,000 unique variables in the .env files, of which 7,000 belonged to organizations’ cloud services and 1,500 were linked to social media accounts.

The most striking aspect of the attacks is that they do not rely on security vulnerabilities or misconfigurations in the cloud providers’ services; initial access stems instead from the accidental exposure of .env files on unsecured web applications.

A successful breach of a cloud environment paves the way for extensive discovery and reconnaissance aimed at broadening the attackers’ foothold: the threat actors weaponize AWS Identity and Access Management (IAM) access keys to create new roles and escalate their privileges. A new IAM role with administrative permissions is then used to create AWS Lambda functions that launch an automated internet-wide scan covering millions of domains and IP addresses.
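The role-creation, privilege-escalation and Lambda-deployment sequence described above leaves a distinctive trail in AWS CloudTrail, which is where a defender can look for it. The following detection logic is an added example, not code from UGCERT or from the reporting it draws on: it correlates, per access key, a CreateRole event, an AttachRolePolicy event granting the AWS-managed AdministratorAccess policy to that role, and a subsequent Lambda CreateFunction call that uses the role, all within a time window. The sample records are constructed for this example; their field names follow the real CloudTrail record layout, but every value (key IDs, role and function names, times, account number) is invented.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records (invented values, real field layout).
SAMPLE_EVENTS = [
    {"eventTime": "2024-08-15T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"},
     "requestParameters": {"roleName": "lambda-ex-role"}},
    {"eventTime": "2024-08-15T10:01:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"},
     "requestParameters": {"roleName": "lambda-ex-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-08-15T10:05:12Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331",  # CloudTrail's name for Lambda CreateFunction
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"},
     "requestParameters": {"functionName": "scanner",
                           "role": "arn:aws:iam::123456789012:role/lambda-ex-role"}},
    # Benign activity by another key: a role with a read-only policy and no function.
    {"eventTime": "2024-08-15T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"},
     "requestParameters": {"roleName": "reader"}},
    {"eventTime": "2024-08-15T11:00:20Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"},
     "requestParameters": {"roleName": "reader",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _ts(s):
    """Parse a CloudTrail eventTime string into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_escalation_chains(events, window=timedelta(hours=1)):
    """Return one finding per access key that, within `window`, created a role,
    attached AdministratorAccess to it, and then created a Lambda function with it."""
    by_key = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 sorts as text
        by_key.setdefault(ev["userIdentity"].get("accessKeyId", "?"), []).append(ev)

    findings = []
    for key, evs in by_key.items():
        created = {}   # roleName -> time the role was created by this key
        admin = {}     # roleName -> time AdministratorAccess was attached
        for ev in evs:
            name = ev["eventName"]
            params = ev.get("requestParameters") or {}
            t = _ts(ev["eventTime"])
            if name == "CreateRole" and params.get("roleName"):
                created[params["roleName"]] = t
            elif name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
                role = params.get("roleName")
                if role in created and t - created[role] <= window:
                    admin[role] = t
            elif name.startswith("CreateFunction"):
                role = params.get("role", "").rsplit("/", 1)[-1]  # ARN -> role name
                if role in admin and t - admin[role] <= window:
                    findings.append({"accessKeyId": key, "role": role,
                                     "function": params.get("functionName"),
                                     "time": ev["eventTime"]})
    return findings


if __name__ == "__main__":
    for f in find_escalation_chains(SAMPLE_EVENTS):
        print("ALERT: role->admin->lambda chain", f)
```

Run against real CloudTrail, the same function applies to the `Records` array of each delivered log file; the window should be tuned to the account's normal deployment cadence, and a legitimate CI/CD pipeline that builds functions with admin roles will need an allow-list keyed on its access key or role session.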

The financial motivations of the attack are also evident in the threat actor’s failed attempts to create new Elastic Compute Cloud (EC2) resources for illicit cryptocurrency mining. It is currently not clear who is behind the campaign, in part because the attackers used VPNs and the Tor network to conceal their true origin, although Unit 42 said it detected two IP addresses geolocated in Ukraine and Morocco as part of the Lambda function and S3 exfiltration activities, respectively.

Safeguard your environment by securely storing .env files in private repositories, setting strong, unique passwords, and enforcing strict access control policies. Additionally, conduct regular security audits to identify and address potential misconfigurations or accidental exposure of sensitive information.
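One concrete audit that follows from the advice above is checking whether a web server has ever served a .env file. The script below is an added example, not code from UGCERT: it reads web server access logs in the common Apache/nginx "combined" format, counts requests for .env files per client address (probing), and flags any such request that received a 200 response with a non-empty body, which is the signature of an actual exposure rather than a failed probe. The log lines are constructed for this example; the addresses, paths and user agents are invented.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# The requested file name is ".env", optionally with a suffix such as ".env.local".
ENV_FILE_RE = re.compile(r'(^|/)\.env(\.[\w.-]+)?$')

# Constructed sample access log (invented addresses and paths).
SAMPLE_LOG = """\
198.51.100.7 - - [15/Aug/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Aug/2024:10:00:02 +0000] "GET /app/.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Aug/2024:10:02:15 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
203.0.113.9 - - [15/Aug/2024:10:02:16 +0000] "GET /api/.env?x=1 HTTP/1.1" 200 488 "-" "python-requests/2.31.0"
192.0.2.5 - - [15/Aug/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.5 - - [15/Aug/2024:10:03:01 +0000] "GET /.environment HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def analyze_env_requests(lines):
    """Count .env probes per client IP and list requests that were actually served."""
    probes = Counter()
    exposed = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line; skip it
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not ENV_FILE_RE.search(path):
            continue
        probes[m["ip"]] += 1
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 200 with a body means the server handed the file out, not just a probe.
        if status == 200 and size > 0:
            exposed.append({"ip": m["ip"], "path": path, "time": m["time"], "bytes": size})
    return {"probes": probes, "exposed": exposed}


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    result = analyze_env_requests(source)
    for ip, n in result["probes"].most_common():
        print(f"{ip}: {n} request(s) for .env files")
    for e in result["exposed"]:
        print(f"EXPOSED: {e['path']} served to {e['ip']} at {e['time']} ({e['bytes']} bytes)")
```

A hit in the exposed list means the credentials in that file should be treated as compromised and rotated, and the web server configuration fixed so that dotfiles are never served. One caveat: applications with a catch-all route can answer 200 with an HTML page for any path, so an exposed entry should be confirmed by inspecting the response size against the real file and the application's routing before treating it as a leak.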
