A sophisticated cloud extortion campaign has compromised over 110,000 domains by exploiting misconfigured servers with exposed .env files containing Amazon Web Services (AWS) credentials. By scanning for exposed .env files on unsecured web applications, threat actors were able to obtain AWS Identity and Access Management (IAM) access keys.
According to Cyble’s threat intelligence platform, these .env exposures might be more prevalent than anticipated: the platform has detected nearly 1.5 million publicly exposed .env files since January 2024, indicating a systemic issue. From those 110,000 domains, the attackers extracted over 90,000 unique variables from the compromised .env files, with 7,000 linked to cloud services and 1,500 to social media accounts.
Insecure Practices
The campaign capitalized on the misconfiguration of environment files, which often contain sensitive data such as API keys and database login information. These insecure practices allowed malicious actors to gain initial access to cloud environments and escalate privileges by creating new IAM resources with unrestricted access.
The campaign leveraged multiple networks and tools, including virtual private servers (VPS), Tor for reconnaissance, and VPNs for lateral movement and data exfiltration. The attackers exfiltrated data from cloud storage containers and placed ransom notes in the compromised containers, demanding payment for the return of the data.
How it Works
Environment files (.env) define configuration variables for an application and frequently hold secrets such as hard-coded cloud access keys. By scanning public web servers for these files, the attackers harvested IAM access keys that lacked full administrative rights but were permitted to create new IAM roles, which was enough to escalate privileges.
During the discovery phase, the attackers issued AWS API calls such as GetCallerIdentity and ListUsers to establish which identity a stolen key belonged to and to map out the AWS environment. They then escalated privileges by creating new IAM roles and attaching policies that granted administrative access.
In the execution phase, their attempt to create an EC2 infrastructure stack failed, but they succeeded in launching an automated scanning operation from AWS Lambda functions inside the compromised accounts.
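The discovery-to-escalation chain above leaves a distinctive trail in CloudTrail: a long-term IAM user key (AKIA prefix) enumerating the account, then creating a role and attaching AdministratorAccess to it. The following is an added detection example written for this page, not code from the article, Cyble, Unit 42 or AWS. It runs over constructed CloudTrail-shaped records embedded in the script; the access key IDs, IP addresses, role and function names are made up, and no AWS API is called.

```python
"""Added detection example: flag a long-term AWS access key that performs IAM
reconnaissance and then grants an admin policy to a role it created.
All records below are constructed for the demo, not real CloudTrail logs."""
from collections import defaultdict

RECON_CALLS = {"GetCallerIdentity", "ListUsers", "ListRoles", "ListBuckets"}
ESCALATION_CALLS = {"CreateRole", "AttachRolePolicy", "PutRolePolicy",
                    "CreateUser", "CreateAccessKey"}
EXECUTION_CALLS = {"CreateFunction", "RunInstances", "CreateStack"}
ADMIN_POLICY_SUFFIX = "policy/AdministratorAccess"


def is_long_term_key(access_key_id):
    """Long-term IAM user keys start with AKIA; temporary STS keys start with ASIA."""
    return access_key_id.startswith("AKIA")


def _param(ev, name):
    return (ev.get("requestParameters") or {}).get(name, "")


def analyze_events(events):
    """Group CloudTrail-shaped records by access key and return per-key findings."""
    by_key = defaultdict(list)
    for ev in events:
        key = (ev.get("userIdentity") or {}).get("accessKeyId")
        if key:
            by_key[key].append(ev)

    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["eventTime"])
        names = [e["eventName"] for e in evs]
        succeeded = [e for e in evs if not e.get("errorCode")]
        recon_idx = [i for i, n in enumerate(names) if n in RECON_CALLS]
        # Index of every successful AttachRolePolicy that hands out AdministratorAccess.
        admin_idx = [i for i, e in enumerate(evs)
                     if e["eventName"] == "AttachRolePolicy" and not e.get("errorCode")
                     and _param(e, "policyArn").endswith(ADMIN_POLICY_SUFFIX)]
        finding = {
            "long_term_key": is_long_term_key(key),
            "recon_calls": [names[i] for i in recon_idx],
            "escalation_calls": [n for n in names if n in ESCALATION_CALLS],
            "roles_created": [_param(e, "roleName") for e in succeeded
                              if e["eventName"] == "CreateRole"],
            "admin_policy_attached_to": [_param(evs[i], "roleName") for i in admin_idx],
            "denied_calls": [e["eventName"] for e in evs if e.get("errorCode")],
            "execution_calls": [e["eventName"] for e in succeeded
                                if e["eventName"] in EXECUTION_CALLS],
            "source_ips": sorted({e["sourceIPAddress"] for e in evs}),
        }
        # A long-term key that enumerates the account and afterwards attaches an
        # admin policy to a role matches the escalation chain described above.
        if finding["long_term_key"] and recon_idx and admin_idx and recon_idx[0] < admin_idx[0]:
            finding["verdict"] = "privilege-escalation"
        elif admin_idx:
            finding["verdict"] = "admin-policy-attached"
        else:
            finding["verdict"] = "no-finding"
        findings[key] = finding
    return findings


def _ev(time, source, name, key, ip, params=None, error=None):
    """Build a minimal CloudTrail-shaped record (only the fields the logic reads)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": key}, "sourceIPAddress": ip,
            "requestParameters": params or {}, "errorCode": error}


# Constructed sample: a stolen long-term key (AKIA...) follows the reported chain,
# while a temporary key (ASIA...) does ordinary S3 work.
STOLEN, LEGIT = "AKIAEXAMPLE000000001", "ASIAEXAMPLE000000002"
SAMPLE_EVENTS = [
    _ev("2024-08-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", STOLEN, "198.51.100.7"),
    _ev("2024-08-01T10:00:05Z", "iam.amazonaws.com", "ListUsers", STOLEN, "198.51.100.7"),
    _ev("2024-08-01T10:00:09Z", "s3.amazonaws.com", "ListBuckets", STOLEN, "203.0.113.9"),
    _ev("2024-08-01T10:02:00Z", "iam.amazonaws.com", "CreateRole", STOLEN, "203.0.113.9",
        {"roleName": "lambda-ex"}),
    _ev("2024-08-01T10:02:03Z", "iam.amazonaws.com", "AttachRolePolicy", STOLEN, "203.0.113.9",
        {"roleName": "lambda-ex", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev("2024-08-01T10:05:00Z", "cloudformation.amazonaws.com", "CreateStack", STOLEN,
        "203.0.113.9", {"stackName": "ec2-stack"}, error="AccessDenied"),
    _ev("2024-08-01T10:07:00Z", "lambda.amazonaws.com", "CreateFunction", STOLEN, "203.0.113.9",
        {"functionName": "scanner", "role": "arn:aws:iam::111122223333:role/lambda-ex"}),
    _ev("2024-08-01T11:00:00Z", "s3.amazonaws.com", "ListBuckets", LEGIT, "192.0.2.10"),
    _ev("2024-08-01T11:00:01Z", "s3.amazonaws.com", "GetObject", LEGIT, "192.0.2.10"),
]

if __name__ == "__main__":
    for key, finding in analyze_events(SAMPLE_EVENTS).items():
        print(key, finding["verdict"], finding["source_ips"], finding["denied_calls"])
```

Against real data, feed this the records returned by a CloudTrail Lake or Athena query filtered to `userIdentity.accessKeyId LIKE 'AKIA%'`; the `source_ips` list is there because a single long-term key calling from several unrelated addresses (VPS, Tor exits, VPN endpoints) is itself worth an alert, and `denied_calls` keeps the failed EC2 stack creation visible rather than discarding it as noise.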
AWS has provided a statement to clarify that their services and infrastructure were not directly affected by the findings. Below is the full statement:
“AWS services and infrastructure are not affected by the findings of these researchers. The issues described in this blog were a result of a bad actor abusing misconfigured web applications—hosted both in the cloud and elsewhere—that allowed public access to environment variable (.env) files. Some of these files contained various kinds of credentials, including AWS credentials which were then used by the bad actor to call AWS APIs. Environment variable files should never be publicly exposed, and even if kept private, should never contain AWS credentials. AWS provides a variety of easy-to-use mechanisms for web applications to access temporary AWS credentials in a secure fashion. We recommend customers follow best practices for AWS Identity and Access Management (IAM) to help secure their AWS resources.” — AWS spokesperson
A Critical Need for Cloud Security
This extortion campaign highlights the critical need for cloud security best practices. The shared responsibility model in cloud security makes users responsible for ensuring secure configurations. Failing to follow best practices, such as robust authentication and access controls, data encryption, and regular auditing, can lead to devastating consequences.
To mitigate the risk of such attacks, Cyble advises organizations to:
- Avoid committing .env files to version control systems.
- Inject configuration as environment variables in the deployment environment itself, rather than shipping .env files alongside the application.
- Restrict access to .env files, both on the filesystem and at the web server, so that they are never served to clients.
- Regularly audit repositories and configurations.
- Implement secrets management tools for securely storing sensitive information.
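As an added example of the auditing the list recommends (written for this page, not code from Cyble or the article), the following Python script walks a repository tree, parses every .env-style file, flags values that look like AWS access keys or other secrets, and checks whether .gitignore excludes .env files. The sample tree it builds is constructed for the demo; the AWS key pair inside it is the placeholder pair from AWS documentation, not a live credential.

```python
"""Added audit example: find .env files in a source tree, report credential-like
values, and check that .env is excluded from version control.
The sample repository built by build_sample_tree() is constructed for the demo."""
import re
import tempfile
from pathlib import Path

# AWS access key IDs: AKIA (long-term) or ASIA (temporary), followed by 16 chars.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
# AWS secret access keys are 40 base64-ish characters.
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+]{40}$")
SENSITIVE_NAME_RE = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE_KEY|API_KEY)", re.I)
ENV_NAME_RE = re.compile(r"^\.env(\..+)?$")
GITIGNORE_ENV_PATTERNS = {".env", ".env*", "*.env", "**/.env", ".env.*"}


def parse_env(text):
    """Parse KEY=VALUE lines, tolerating comments, 'export' and quoted values."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def classify_vars(env):
    """Return (name, kind) pairs for variables that carry credential-like values."""
    hits = []
    for name, value in env.items():
        if ACCESS_KEY_RE.search(value):
            hits.append((name, "aws_access_key_id"))
        elif "AWS" in name.upper() and SECRET_KEY_RE.match(value):
            hits.append((name, "aws_secret_access_key"))
        # Sensitive-looking names with a real value; "<placeholder>" and empty values are skipped.
        elif SENSITIVE_NAME_RE.search(name) and value and not value.startswith("<"):
            hits.append((name, "secret-like"))
    return hits


def gitignore_covers_env(root):
    """True if .gitignore contains a pattern that excludes .env files."""
    gitignore = Path(root) / ".gitignore"
    if not gitignore.is_file():
        return False
    patterns = {l.strip() for l in gitignore.read_text().splitlines()
                if l.strip() and not l.startswith("#")}
    return bool(patterns & GITIGNORE_ENV_PATTERNS)


def audit_tree(root):
    """Walk the tree and report every .env-style file holding credential-like values."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob(".env*")):
        if path.is_file() and ENV_NAME_RE.match(path.name):
            hits = classify_vars(parse_env(path.read_text()))
            if hits:
                findings.append({"file": path.relative_to(root).as_posix(), "hits": hits})
    return {"env_gitignored": gitignore_covers_env(root), "findings": findings}


def build_sample_tree(base):
    """Constructed sample repository: a committed app/.env with real-looking keys,
    a .gitignore that does not exclude it, and a harmless docs/.env.example."""
    root = Path(base) / "repo"
    (root / "app").mkdir(parents=True)
    (root / "docs").mkdir()
    (root / ".gitignore").write_text("node_modules/\n*.log\n")
    (root / "app" / ".env").write_text(
        "# constructed sample; the AWS values are the placeholder pair from AWS docs\n"
        "APP_ENV=production\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "DB_PASSWORD=\"hunter2\"\n"
        "PUBLIC_URL=https://example.com\n")
    (root / "docs" / ".env.example").write_text(
        "AWS_ACCESS_KEY_ID=<your-access-key>\nAWS_SECRET_ACCESS_KEY=<your-secret>\nDB_PASSWORD=\n")
    return root


def run_demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    print(run_demo())
```

Run `audit_tree(".")` from a repository root as a pre-commit or CI step; a non-empty `findings` list or `env_gitignored` being false should fail the build. Any AKIA-prefixed hit is also a signal that the application is using a long-term IAM user key where the temporary credentials AWS refers to in its statement above would remove the secret from the file entirely.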
As cloud infrastructure continues to grow, so does the importance of adhering to stringent security measures. This campaign is a harsh reminder of the risks that cloud misconfigurations bring and the need for ongoing vigilance to secure cloud environments.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.