Extortion Campaign Exploiting Exposed .env Files

Security News

A large-scale extortion campaign has targeted various organizations by exploiting publicly accessible environment variable files (.env), which contain sensitive credentials for cloud and social media applications. The attackers have used these credentials to compromise cloud environments, particularly Amazon Web Services (AWS).

Key Points:

Security Missteps Identified:

  1. Exposing Environment Variables: Sensitive .env files left publicly accessible.
  2. Using Long-Lived Credentials: Lack of short-lived, regularly rotated credentials.
  3. Absence of Least Privilege Architecture: Excessive permissions granted unnecessarily.

Campaign Highlights:

  • Attack infrastructure set up within compromised AWS environments.
  • Scanned over 230 million unique targets for sensitive data.
  • Targeted 110,000 domains, compromising 90,000 unique variables in .env files.
  • Obtained credentials for 7,000 cloud services and 1,500 social media accounts.

Attack Methods:

  • Initial Access: Gained through exposed .env files on unsecured web applications.
  • Credential Use: Weaponized AWS IAM access keys to escalate privileges and create new roles.
  • Automation: Created AWS Lambda functions to scan millions of domains for exposed .env files.
  • Data Exfiltration and Ransom: Exfiltrated sensitive data and left ransom notes in compromised cloud storage containers without encrypting the data.

Detailed Attack Steps:

  1. Scanning: Malicious Lambda functions scanned domains for exposed .env files.
  2. Credential Extraction: Extracted credentials were stored in threat actor-controlled S3 buckets.
  3. Ransom Note: Uploaded to the victim’s cloud storage, urging ransom payment to prevent the data from being sold on the dark web.
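
The initial access and scanning steps above leave traces in a site's own web server logs. The following is an added example, not part of the original article: it assumes access logs in the common "combined" format and uses constructed sample lines to separate requests where a .env file was actually served from probes that were refused.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Matches /.env, /app/.env, /.env.bak, /.env.production (query string is stripped first)
ENV_RE = re.compile(r'(^|/)\.env(\.[\w.-]+)?$', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.10 - - [12/Aug/2024:10:01:03 +0000] "GET /api/.env HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.7 - - [12/Aug/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Aug/2024:10:07:44 +0000] "GET /.env.bak?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.55 - - [12/Aug/2024:10:09:10 +0000] "GET /docs/environment.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def find_env_requests(log_text):
    """Return {'exposed': [...], 'probed': [...]} of (ip, path, status) tuples."""
    result = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m["path"].split("?", 1)[0]
        if not ENV_RE.search(path):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 2xx with a body means the file was actually served: treat every
        # secret in it as compromised and rotate. Anything else is a probe.
        bucket = "exposed" if 200 <= status < 300 and size > 0 else "probed"
        result[bucket].append((m["ip"], path, status))
    return dict(result)

if __name__ == "__main__":
    findings = find_env_requests(SAMPLE_LOG)
    for kind in ("exposed", "probed"):
        for ip, path, status in findings.get(kind, []):
            print(f"{kind.upper():8} {ip:15} {status} {path}")
```

Any "exposed" hit means the credentials in that file should be rotated and the file moved out of the web root or blocked at the server; "probed" hits only show that the host is being scanned.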

Notable Aspects:

  • Focus on Mailgun credentials for sending phishing emails.
  • Attempts to create EC2 instances for illicit cryptocurrency mining.
  • Use of VPNs and the Tor network for anonymity.
  • Two IP addresses linked to activities were geolocated in Ukraine and Morocco.

Conclusion: The campaign demonstrates the attackers’ sophisticated knowledge of cloud architectures and extensive use of automation, posing significant threats to organizations through seemingly benign misconfigurations and exposures.
