A threat actor recently conducted a large-scale extortion campaign targeting multiple victim organizations by compromising their cloud environments through leaked env files containing sensitive credentials.

Description

Over 230 million unique targets were scanned [2] [3], with 110,000 domains targeted and over 90,000 unique variables extracted from env files [2], including 7,000 related to cloud services and 1,500 to social media accounts [4].

The attackers gained initial access by exploiting unsecured web applications [2], then leveraged the victims' AWS environments [2], including IAM keys [2], Lambda functions [1] [3] [4] [5] [6] [7] [8], and S3 buckets [4] [5], to escalate privileges [2] [3] [5] [7] [8]. Privilege escalation was achieved by creating new IAM roles with unlimited access [4], and execution involved creating infrastructure stacks using EC2 resources and Lambda functions [4]. They demonstrated knowledge of cloud architectural processes and likely relied on extensive automation to find and exploit misconfigurations in victim organizations.

To conceal their origin and support the operation, they routed activity through VPNs, the TOR network [1] [3] [4] [5] [6] [7], and VPS endpoints. The attackers' IP addresses were traced to Ukraine for Lambda function activity and to Morocco for data exfiltration to S3 [8]. They also focused on Mailgun credentials found in env files to send phishing emails [3] [7] [8].

The attackers ransomed data hosted in compromised cloud storage containers by exfiltrating the data and placing ransom notes [4].

Proper credential management [2], least privilege principles [2], security audits [2], and monitoring for unusual activity are recommended for cloud security [2].
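The summary describes an escalation chain that a defender can look for in CloudTrail: a leaked long-term IAM user key creates a role, grants it unlimited access, and then launches Lambda functions or EC2 instances. The following is an added detection sketch written for this page, not code from any of the cited reports. The CloudTrail eventName values (CreateRole, AttachRolePolicy, PutRolePolicy, CreateFunction20150331, RunInstances) and the AKIA/ASIA key-id prefixes are real AWS conventions; the sample events, account id, user name and key ids are constructed.

```python
"""Flag the escalation pattern from the summary in CloudTrail-style records:
a long-term IAM user key (the kind that leaks from a .env file) grants a role
unlimited access and then stands up Lambda or EC2 resources.
Sample records below are constructed, not from any real account."""
import json

ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# Real CloudTrail eventName values for the API calls the summary describes.
EXEC_EVENTS = {"CreateFunction20150331": "Lambda function created",
               "RunInstances": "EC2 instance launched"}
POLICY_WRITE_EVENTS = {"PutRolePolicy", "PutUserPolicy",
                       "CreatePolicy", "CreatePolicyVersion"}

# Constructed actor: an IAM user with a long-term key (AKIA prefix).
ACTOR = {"type": "IAMUser", "userName": "ci-deploy",
         "accessKeyId": "AKIAEXAMPLE00000001"}
# Constructed contrast actor: temporary STS credentials (ASIA prefix).
STS_ACTOR = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE00000002",
             "arn": "arn:aws:sts::123456789012:assumed-role/app-role/deploy"}

SAMPLE_EVENTS = [
    {"eventTime": "2024-08-01T10:00:00Z", "eventName": "CreateRole",
     "userIdentity": ACTOR, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"roleName": "lambda-ex-role"}},
    {"eventTime": "2024-08-01T10:00:05Z", "eventName": "AttachRolePolicy",
     "userIdentity": ACTOR, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"roleName": "lambda-ex-role", "policyArn": ADMIN_ARN}},
    {"eventTime": "2024-08-01T10:01:00Z", "eventName": "CreateFunction20150331",
     "userIdentity": ACTOR, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"functionName": "worker",
                           "role": "arn:aws:iam::123456789012:role/lambda-ex-role"}},
    # Benign: a deploy role adds a narrowly scoped inline policy.
    {"eventTime": "2024-08-01T11:00:00Z", "eventName": "PutRolePolicy",
     "userIdentity": STS_ACTOR, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"roleName": "app-role", "policyName": "s3-read",
                           "policyDocument": json.dumps({"Version": "2012-10-17",
                               "Statement": [{"Effect": "Allow",
                                              "Action": "s3:GetObject",
                                              "Resource": "*"}]})}},
]


def policy_allows_everything(doc):
    """True when an Allow statement grants Action "*" on Resource "*"."""
    if isinstance(doc, str):
        try:
            doc = json.loads(doc)
        except json.JSONDecodeError:
            return False
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be an object
        stmts = [stmts]
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        resources = s.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False


def is_long_term_key(ev):
    """Long-term IAM user keys start with AKIA; STS temporary keys with ASIA."""
    return ev.get("userIdentity", {}).get("accessKeyId", "").startswith("AKIA")


def analyze(events):
    """Return findings as (eventTime, accessKeyId, reason) tuples, in time order."""
    findings = []
    escalated_keys = set()               # keys that granted a role unlimited access
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        key = ev.get("userIdentity", {}).get("accessKeyId", "?")
        reason = None
        if name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_ARN:
            reason = f"AdministratorAccess attached to role {params.get('roleName')}"
        elif name in POLICY_WRITE_EVENTS and policy_allows_everything(
                params.get("policyDocument", "{}")):
            reason = f"{name} wrote a policy allowing Action * on Resource *"
        elif name in EXEC_EVENTS and key in escalated_keys:
            reason = f"{EXEC_EVENTS[name]} by a key that just escalated a role"
        if reason:
            if is_long_term_key(ev):
                reason += " (long-term access key)"
            if name not in EXEC_EVENTS:
                escalated_keys.add(key)
            findings.append((ev["eventTime"], key, reason))
    return findings


if __name__ == "__main__":
    for when, key, why in analyze(SAMPLE_EVENTS):
        print(when, key, why)
```

The long-term-key annotation is the useful part for this campaign: temporary STS credentials expire on their own, whereas an AKIA key copied out of an env file stays valid until someone rotates it, so any escalation performed with one should be treated as a likely credential leak rather than an administrator's mistake.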
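The exposure at the root of the campaign is an env file sitting inside a served web tree. As an added example (not from the page or the cited reports), the script below audits a document root for .env files, parses the dotenv format, and groups the variable names into the categories the summary mentions (cloud services, mail providers such as Mailgun, social media) without ever printing values. The category patterns are this example's own assumptions and the sample file content is constructed.

```python
"""Audit a served directory for .env files holding credentials.
Reports variable names by category; values are never printed.
Category patterns and the sample file are constructed for this example."""
import re
import tempfile
from pathlib import Path

# Variable-name patterns per category; first match wins, so the specific
# provider prefixes come before the generic secret-word check.
CATEGORIES = [
    ("cloud", re.compile(r"^(AWS_|AZURE_|GOOGLE_|GCP_|DIGITALOCEAN_)", re.I)),
    ("mail", re.compile(r"^(MAILGUN_|SENDGRID_|SMTP_|MAIL_)", re.I)),
    ("social", re.compile(r"^(TWITTER_|FACEBOOK_|INSTAGRAM_|LINKEDIN_)", re.I)),
    ("generic", re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY", re.I)),
]
# One dotenv assignment: optional "export", NAME=value, value may be quoted.
LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

SAMPLE_ENV = """\
# constructed sample, not a real deployment
AWS_ACCESS_KEY_ID=AKIAEXAMPLE00000001
AWS_SECRET_ACCESS_KEY="EXAMPLE/secret+value"
MAILGUN_API_KEY=key-EXAMPLE0000000000000000   # trailing comment
export DB_PASSWORD='hunter2'
APP_ENV=production
APP_DEBUG=false
"""


def parse_dotenv(text):
    """Return {name: value} for dotenv text; comments and blank lines are skipped."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] in "'\"" and value.endswith(value[0]):
            value = value[1:-1]                          # quoted: drop the quotes only
        else:
            value = value.split(" #", 1)[0].rstrip()     # unquoted: strip trailing comment
        result[name] = value
    return result


def classify(name):
    """Category for a variable name, or None if it does not look like a credential."""
    for cat, pat in CATEGORIES:
        if pat.search(name):
            return cat
    return None


def audit_text(text):
    """Map category -> sorted variable names that look like credentials."""
    report = {}
    for name in parse_dotenv(text):
        cat = classify(name)
        if cat:
            report.setdefault(cat, []).append(name)
    return {cat: sorted(names) for cat, names in report.items()}


def audit_tree(webroot):
    """Find .env and .env.* files under a served directory and audit each one."""
    root = Path(webroot)
    findings = {}
    for path in root.rglob(".env*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            findings[rel] = audit_text(path.read_text(encoding="utf-8", errors="replace"))
    return findings


def demo():
    """Build a throwaway web root with two constructed env files and audit it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / ".env").write_text(SAMPLE_ENV)
        (Path(d) / "assets").mkdir()
        (Path(d) / "assets" / ".env.production").write_text("SMTP_PASSWORD=EXAMPLE\n")
        return audit_tree(d)


if __name__ == "__main__":
    for rel, report in demo().items():
        print(rel, report)
```

Any file the audit reports is one the web server can hand out to anyone who requests it by name; the fix is to move secrets out of the document root (or into the platform's secret store) and rotate every credential the file held, since the summary's scale figures show these files are harvested automatically.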

Conclusion

This incident highlights the importance of robust security measures in cloud environments to prevent unauthorized access and data breaches. Organizations should prioritize proper credential management, implement least privilege principles [2], conduct regular security audits, and monitor for unusual activities to enhance their cloud security posture and protect against similar threats in the future.

References

[1] https://www.sos-vo.org/news/cloud-misconfigurations-expose-110000-domains-extortion-widespread-campaign
[2] https://zerosecurity.org/2024/08/large-scale-extortion-campaign-exploits-exposed-env-files-cloud-environments/
[3] https://thecyberpost.com/news/hackers/attackers-exploit-public-env-files-to-breach-cloud-and-social-media-accounts/
[4] https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
[5] https://www.csoonline.com/article/3488207/aws-environments-compromised-through-exposed-env-files.html
[6] https://medium.com/cloud-security-research/last-week-in-cloud-security-august-15-72f560679199
[7] https://thehackernews.com/2024/08/attackers-exploit-public-env-files-to.html
[8] https://securityaffairs.com/167180/cyber-crime/extortion-campaign-environment-variable-files.html