Security researchers at Palo Alto Networks have spotted a threat actor extorting organizations after compromising their cloud environments using inadvertently exposed environment variables.
As part of the large-scale extortion campaign, Palo Alto Networks warned that the attackers targeted 110,000 domains, collecting exposed .env files containing sensitive information, which were stored on unsecured web applications and misconfigured servers.
These .env files allow organizations to define configuration variables for their web applications, and often include hard-coded access keys for cloud services, SaaS API keys, and database login information.
The victim organizations’ failure to properly protect these files allowed the threat actor to extract AWS Identity and Access Management (IAM) access keys and use them to access the hosting cloud environments.
Palo Alto Networks identified over 90,000 unique variables in the exposed .env files, including 7,000 belonging to organizations’ cloud services and 1,500 for social media accounts. Credentials for on-premises applications were also exposed.
A combination of factors contributed to the success of these attacks, including misconfigurations leading to the exposed environment variables, the use of long-lived credentials, and the lack of least privilege policies.
The threat actor was observed relying on Tor-based infrastructure for reconnaissance and initial access, using VPNs for lateral movement and data exfiltration, and using a virtual private server (VPS) for other operations.
“The campaign involved attackers successfully ransoming data hosted within cloud storage containers. The event did not include attackers encrypting the data before ransom, but rather they exfiltrated the data and placed the ransom note in the compromised cloud storage container,” the research firm said.
The attackers likely relied on automation to operate quickly and successfully, and only exploited inadvertently exposed .env files, instead of vulnerabilities or misconfigurations in cloud providers’ services.
Palo Alto Networks observed threat actors scanning for and identifying exposed .env files, then performing various discovery API calls to learn more about services such as IAM, Security Token Service (STS), Simple Storage Service (S3), and Simple Email Service (SES).
“We found these services targeted by threat actors while they looked to expand their operation’s control over an organization’s cloud environment,” the company added.
The attackers were seen using the initial-access IAM role to create new IAM resources with unlimited access and escalate privileges within the victims’ cloud environments. They also attempted to create new resources to use for crypto-mining, but failed.
However, they were able to pivot to the AWS Lambda service and create a malicious Lambda function to perform internet-wide scanning of millions of domains and IP addresses, retrieving a list of potential targets from publicly accessible third-party S3 buckets hosted in compromised cloud environments.
“We identified more than 230 million unique targets that the threat actor was scanning for misconfigured and exposed environment files,” the company said.
The scanning operation targeted exposed environment variable files, retrieved them, extracted cleartext credentials contained within these files, and stored them in a threat-actor-controlled public S3 bucket.
Analysis of the bucket showed that “the threat actor was able to collect the exposed environment files of at least 110,000 domains,” Palo Alto Networks added.
To protect against this type of attack, organizations are advised to use temporary credentials, which limit the time an attacker has access to a compromised account, to implement the principle of least privilege for IAM resources, to disable unused within AWS accounts, and to enable logging and monitoring of resources.
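To make the logging and monitoring advice concrete, here is an added example (not code from Palo Alto Networks, AWS or SecurityWeek) that runs over constructed CloudTrail-style records and flags the reconnaissance pattern described above: a single access key making discovery calls against IAM, STS, S3 and SES within a short window. The set of watched actions, the ten-minute window and the three-service threshold are this example's own assumptions; the AKIA/ASIA prefixes are AWS's real long-term and temporary key ID prefixes, which lets the output also show whether the key in play is one the temporary-credential advice would have retired.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only discovery calls on the four services the article names; the action names are real AWS APIs, the selection is this example's.
DISCOVERY_CALLS = {
    "iam.amazonaws.com": {"ListUsers", "ListRoles", "GetUser", "ListAttachedUserPolicies"},
    "sts.amazonaws.com": {"GetCallerIdentity"},
    "s3.amazonaws.com": {"ListBuckets"},
    "ses.amazonaws.com": {"GetSendQuota", "ListIdentities"},
}
WINDOW = timedelta(minutes=10)  # assumed tuning values, not from the report
MIN_SERVICES = 3

def is_long_term_key(access_key_id):
    """Long-term IAM user keys start with AKIA; STS temporary keys start with ASIA."""
    return access_key_id.startswith("AKIA")

def find_discovery_bursts(events, window=WINDOW, min_services=MIN_SERVICES):
    """Return {accessKeyId: sorted services} for keys whose discovery calls span
    at least min_services distinct services inside one time window."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["eventName"] in DISCOVERY_CALLS.get(ev["eventSource"], ()):
            t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_key[ev["userIdentity"].get("accessKeyId", "unknown")].append((t, ev["eventSource"]))
    findings = {}
    for key, calls in by_key.items():
        calls.sort()
        for i, (t0, _) in enumerate(calls):  # slide the window from each call
            seen = {svc for t, svc in calls[i:] if t - t0 <= window}
            if len(seen) >= min_services:
                findings[key] = sorted(seen)
                break
    return findings

def _ev(time, key, source, name):  # minimal CloudTrail-shaped record
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": key}}
# Constructed sample trail: one leaked long-term key sweeps four services in two minutes,
# while a temporary key makes two discovery calls hours apart plus a normal write.
SAMPLE_EVENTS = [
    _ev("2024-08-01T10:00:05Z", "AKIAIOSFODNN7EXAMPLE", "sts.amazonaws.com", "GetCallerIdentity"),
    _ev("2024-08-01T10:00:09Z", "AKIAIOSFODNN7EXAMPLE", "iam.amazonaws.com", "ListUsers"),
    _ev("2024-08-01T10:01:30Z", "AKIAIOSFODNN7EXAMPLE", "s3.amazonaws.com", "ListBuckets"),
    _ev("2024-08-01T10:02:12Z", "AKIAIOSFODNN7EXAMPLE", "ses.amazonaws.com", "GetSendQuota"),
    _ev("2024-08-01T09:00:00Z", "ASIAEXAMPLETEMPKEY01", "s3.amazonaws.com", "ListBuckets"),
    _ev("2024-08-01T10:00:00Z", "ASIAEXAMPLETEMPKEY01", "s3.amazonaws.com", "PutObject"),
    _ev("2024-08-01T11:30:00Z", "ASIAEXAMPLETEMPKEY01", "iam.amazonaws.com", "ListUsers"),
]

if __name__ == "__main__":
    print(find_discovery_bursts(SAMPLE_EVENTS))
```

Only the leaked AKIA key is reported; the temporary key's calls fall outside one window and its PutObject is not a discovery action.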
“The issues described in this blog were a result of a bad actor abusing misconfigured web applications—hosted both in the cloud and elsewhere—that allowed public access to environment variable (.env) files. Some of these files contained various kinds of credentials, including AWS credentials which were then used by the bad actor to call AWS APIs. Environment variable files should never be publicly exposed, and even if kept private, should never contain AWS credentials,” an AWS spokesperson told SecurityWeek.
*Updated with statement from AWS