Attackers Use Public.env Files for Extortion Campaigns by Breaching Cloud Accounts


Many businesses have been infiltrated by a massive extortion campaign that uses publicly accessible environment variable files (.env) that contain login credentials for cloud and social media apps.

A widespread extortion campaign has compromised a number of enterprises through publicly accessible environment variable files (.env) that hold login credentials for cloud and social media applications. Palo Alto Networks Unit 42 stated in a report released on Thursday that “multiple security missteps were present in the course of this campaign, including the following: Exposing environment variables, using long-lived credentials, and absence of least privilege architecture.” The campaign is notable for using the Amazon Web Services (AWS) environments of the compromised businesses to set up its attack infrastructure and for using them as a launchpad to scan more than 230 million unique targets for sensitive data.

The malicious activity is reported to have targeted 110,000 domains and discovered over 90,000 distinct variables in the .env files, of which 1,500 are connected to social media accounts and 7,000 belong to cloud services used by enterprises. “The campaign involved attackers successfully ransoming data hosted within cloud storage containers,” stated Unit 42. “The event did not include attackers encrypting the data before the ransom, but rather they exfiltrated the data and placed the ransom note in the compromised cloud storage container.”

The most notable feature of the attacks is that initial access is obtained through .env files accidentally exposed on unprotected web applications, rather than through security flaws or misconfigurations in the cloud providers’ own services. A successful breach of a cloud environment sets the stage for a series of reconnaissance and discovery steps intended to expand the threat actors’ foothold. These steps involve weaponizing AWS Identity and Access Management (IAM) access keys to elevate privileges and create new roles. The newly granted administrative permissions on the IAM role are then used to create new AWS Lambda functions that start an automated process scanning millions of domain names and IP addresses across the internet.
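As an added example (not from the Unit 42 report or this article), the escalation chain described above expressed as a CloudTrail detection over constructed sample records: one access key creates a role, attaches AdministratorAccess to it, then creates a Lambda function that runs as that role. The access key ids, role names and account id are invented placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
K1, K2 = "AKIAEXAMPLE0000001", "AKIAEXAMPLE0000002"  # constructed access key ids

def ev(t, src, name, key, **params):
    """Build a trimmed CloudTrail-style record (constructed sample data)."""
    return {"eventTime": t, "eventSource": src, "eventName": name,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}

# Constructed sample: K1 follows the escalation chain, K2 does legitimate work.
SAMPLE_EVENTS = [
    ev("2024-08-01T10:00:00Z", "iam.amazonaws.com", "CreateRole", K1, roleName="lambda-ex-role"),
    ev("2024-08-01T10:00:40Z", "iam.amazonaws.com", "AttachRolePolicy", K1,
       roleName="lambda-ex-role", policyArn=ADMIN_POLICY),
    ev("2024-08-01T10:02:10Z", "lambda.amazonaws.com", "CreateFunction20150331", K1,
       functionName="scanner", role="arn:aws:iam::123456789012:role/lambda-ex-role"),
    ev("2024-08-01T11:00:00Z", "iam.amazonaws.com", "CreateRole", K2, roleName="reporting-role"),
    ev("2024-08-01T11:00:30Z", "iam.amazonaws.com", "AttachRolePolicy", K2,
       roleName="reporting-role", policyArn="arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"),
]

def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_escalation_chains(events, window=timedelta(minutes=30)):
    """Return (accessKeyId, roleName) pairs where one access key created a role,
    attached AdministratorAccess to it, and then created a Lambda function that
    runs as that role, all within `window`."""
    by_key = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_key[e["userIdentity"]["accessKeyId"]].append(e)
    hits = []
    for key, evs in by_key.items():
        for i, e in enumerate(evs):
            if e["eventName"] != "CreateRole":
                continue
            role = e["requestParameters"]["roleName"]
            later = [x for x in evs[i + 1:] if _ts(x) - _ts(e) <= window]
            p = lambda x: x["requestParameters"]
            got_admin = any(x["eventName"] == "AttachRolePolicy" and p(x).get("roleName") == role
                            and p(x).get("policyArn") == ADMIN_POLICY for x in later)
            got_lambda = any(x["eventSource"] == "lambda.amazonaws.com"
                             and x["eventName"].startswith("CreateFunction")
                             and p(x).get("role", "").endswith(":role/" + role) for x in later)
            if got_admin and got_lambda:
                hits.append((key, role))
    return hits
```

In a real deployment the same rule would read CloudTrail records from a log store or EventBridge rather than an inline list; a key that trips it on an IAM user's long-lived key (AKIA prefix) is exactly the pattern the report describes.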

According to Unit 42 researchers Margaret Zimmermann, Sean Johnstone, William Gamazo, and Nathaniel Quist, the script retrieved its list of possible targets from a publicly accessible third-party S3 bucket used by the threat actor. The malicious Lambda code repeatedly iterated over that list, which included the victim domains, and issued a cURL request for every domain in it, looking for any exposed environment variable file at that domain (for example, https://<target>/.env).

If the target domain is hosting an exposed environment file, the cleartext credentials are extracted from the file and saved in a brand-new folder in a public AWS S3 bucket controlled by another threat actor. Amazon has since removed the bucket. The attack campaign has been found to deliberately target instances in which the .env files contain Mailgun credentials, suggesting an attempt on the part of the adversary to use them to send phishing emails from trustworthy domains and get around security measures.

The threat actor ends the infection chain by obtaining sensitive information from the victim’s S3 bucket, deleting it, and uploading a ransom note demanding payment to prevent the material from being sold on the dark web. The threat actor’s unsuccessful attempts to create new Elastic Compute Cloud (EC2) resources for illegitimate bitcoin mining are further indications of the attack’s financial goals.

Unit 42 reported that it detected two IP addresses, geolocated in Morocco and Ukraine, as part of the S3 exfiltration activity and the Lambda function, respectively. However, the identity of the campaign’s perpetrator is still unknown, in part because of the use of VPNs and the Tor network to hide their true origin. “The attackers behind this campaign likely leveraged extensive automation techniques to operate successfully and rapidly,” according to the investigators. “This indicates that these threat actor groups are both skilled and knowledgeable in advanced cloud architectural processes and techniques.”
