Cybercriminals Exploit AWS ENV Files to Target 115,000 Domains and Steal Credentials
Cybercriminals have exploited exposed AWS .env files to target 115,000 domains, leading to significant data theft and credential compromise. Learn how attackers leveraged misconfigured files to gain access, ransom data, and the essential security practices needed to prevent such breaches. Explore the impact of this sophisticated cyber attack and discover strategies for safeguarding cloud environments.
Introduction
A sophisticated extortion campaign has recently been uncovered, targeting an alarming 115,000 domains through the exploitation of exposed .env files on unsecured web applications. This breach highlights a critical vulnerability in cloud security, leveraging common misconfigurations to enable attackers to gain unauthorized access and control. The attackers managed to exploit AWS IAM (Identity and Access Management) access keys found in these files, allowing them to create new IAM roles and policies with extensive permissions. This campaign underscores the importance of stringent cloud security practices to protect sensitive data and infrastructure.
Exploitation Method
.env Files
.env files are commonly used in web applications to store environment variables and sensitive configuration details, such as API keys, passwords, and database credentials. These files are essential for managing application settings but can become a serious security risk if exposed. Attackers specifically target these files to gain access to critical credentials that facilitate further compromise.
Access Gained
By exploiting exposed .env files, attackers were able to obtain AWS IAM access keys, which are powerful credentials used to manage permissions within AWS environments. These keys enabled the attackers to create new IAM roles and policies, effectively granting them unlimited access to the affected cloud environments. This privilege escalation allowed them to perform a range of malicious activities, from data theft to full control over cloud storage.
Privilege Escalation
Once the attackers obtained the IAM keys, they used them to elevate their privileges. This involved creating new IAM roles with administrator-level access, bypassing any existing access controls. With these elevated permissions, they could manipulate cloud resources, access sensitive data, and deploy malicious payloads.
Campaign Details
Target Scope
The campaign targeted over 115,000 domains, demonstrating a highly organized and large-scale operation. Attackers utilized automated tools to scan for and exploit vulnerabilities in unsecured web applications, facilitating rapid and widespread data exfiltration. The use of automation allowed them to efficiently compromise a vast number of targets with minimal manual intervention.
Data Ransom
A significant aspect of the attack involved ransoming data stored in AWS S3 containers. After compromising cloud storage, the attackers extracted sensitive data and placed a ransom note within the compromised containers. This note demanded payment for the return of the stolen information, adding a financial incentive to their malicious activities.
Automation and Expertise
The attackers’ use of automation and their in-depth knowledge of cloud infrastructure were key factors in the campaign’s success. Their ability to efficiently scan, compromise, and exfiltrate data from a large number of domains demonstrates a high level of sophistication and planning.
Security Lapses
Misconfiguration
The success of the attack was largely due to several critical security lapses:
- Exposed Environment Variables: .env files containing sensitive credentials were improperly exposed, allowing attackers to access crucial information.
- Long-Lived Credentials: The use of long-lived credentials without regular rotation or revocation increased the risk of exploitation.
- Lack of Least Privilege Architecture: The absence of a least privilege approach meant that attackers could escalate their privileges and access sensitive resources without restrictions.
Exploitation
These lapses allowed attackers to gain unauthorized access to AWS environments. By focusing on 115,000 domains and extracting over 90,000 unique variables from .env files, they could effectively compromise cloud resources and exfiltrate valuable data.
Attack Execution
Access Methods
The attackers employed a sophisticated approach to gain unauthorized access to cloud storage containers:
- Virtual Private Servers (VPS): Used to host malicious activities and manage connections.
- Tor Network and VPNs: Employed to mask their locations and maintain anonymity, complicating detection and attribution.
Data Exfiltration
Once inside the system, the attackers exfiltrated sensitive data without encrypting it, making it vulnerable to interception during the exfiltration process. They then placed a ransom note within the compromised storage containers, demanding payment for the return of the stolen data.
Attack Complexity
The multi-layered approach, including the use of VPS, Tor, and VPNs, highlights the increasing complexity of cyber threats. The attackers’ ability to evade detection and execute their plan with precision underscores the need for advanced security measures.
Impact and Data Exposure
Sensitive Data
The attack revealed a significant amount of sensitive information, including details about cloud services and social media accounts. This exposure affected both organizational and personal data, demonstrating the broad impact of the breach.
Statistics
The campaign resulted in the extraction of over 90,000 unique variables from .env files, further illustrating the scale of the data compromised. The sheer volume of exposed credentials highlights the critical nature of the vulnerability.
Prevention and Best Practices
Cloud Security Best Practices:
- Authentication: Implement robust authentication measures to secure access to cloud environments.
- Access Controls: Establish strict access controls to limit permissions based on the principle of least privilege.
- Configuration Management: Ensure secure configuration of cloud services and applications to prevent misconfigurations.
- Monitoring and Logging: Utilize comprehensive monitoring and logging to detect and respond to suspicious activities promptly.
Specific Measures:
- Avoid .env in Version Control: Do not commit .env files to version control systems, to prevent accidental exposure of sensitive credentials.
- Use Environment Variables: Prefer environment variables over .env files for storing sensitive information securely.
- Implement Secret Management Tools: Utilize tools designed for managing and securing sensitive credentials, such as AWS Secrets Manager or HashiCorp Vault.
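A pre-commit style check covering the first two measures above, added here as an example (not code from the article or from any tool it names): it refuses a working tree that contains a .env file or an AWS access key ID pasted into any text file. The sample tree, file names and key ID are constructed.

```python
"""Pre-commit style check for two of the lapses above: a .env file about to be
committed, or an AWS access key ID pasted into a tracked text file. Added
example, not code from the article; the sample tree is constructed."""
import os
import re
import tempfile

# AWS access key IDs are 20 chars: "AKIA" plus 16 uppercase letters or digits.
AWS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
ENV_NAMES = {".env", ".env.local", ".env.production"}

def scan_tree(root):
    """Return (env_files, key_hits): .env paths and (path, key id) pairs."""
    env_files, key_hits = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip repo metadata
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name in ENV_NAMES:
                env_files.append(rel)
            try:
                with open(full, encoding="utf-8") as f:
                    text = f.read()
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable; nothing to search
            for m in AWS_KEY_ID_RE.finditer(text):
                key_hits.append((rel, m.group(1)))
    return sorted(env_files), sorted(key_hits)

def check_commit(root):
    """True when the tree is clean, False when the commit must be refused."""
    env_files, key_hits = scan_tree(root)
    for p in env_files:
        print(f"refusing: {p} is a .env file; keep it out of version control")
    for p, k in key_hits:
        print(f"refusing: {p} contains AWS access key ID {k[:4]}...{k[-4:]}")
    return not env_files and not key_hits

def build_sample_repo(with_env=True):
    """Constructed sample tree: a clean app.py and, optionally, a leaked .env."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "config"))
    if with_env:
        with open(os.path.join(root, ".env"), "w") as f:
            f.write("AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n")  # fake key id
    with open(os.path.join(root, "config", "app.py"), "w") as f:
        f.write('import os\nKEY = os.environ["AWS_ACCESS_KEY_ID"]\n')
    return root
```

Wire check_commit at the repository root into a pre-commit hook; the secret-manager measure is complementary, since it removes the need for a static key in the tree at all.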
Threat Intelligence
Exposure Data
Cyble’s threat intelligence platform has identified over 1.4 million exposed .env files since the beginning of 2024, highlighting the widespread nature of this vulnerability. This large number of exposed files emphasizes the need for heightened vigilance and improved security practices.
Scanning and Credential Use
Attackers’ ability to scan for exposed .env files on unsecured web applications underscores the ease with which credentials can be obtained and misused. Regular scanning and monitoring for such exposures are essential to mitigating risks.
Execution Phase
Role Creation
In the execution phase, attackers created a new IAM role with administrator access to further escalate their privileges. This role allowed them to perform administrative actions within the AWS environment, increasing their control over the compromised resources.
Function Creation
Although the attackers initially failed to create an EC2 infrastructure stack, they successfully created AWS Lambda functions. These functions were used to launch a bash script designed to scan for additional targets, demonstrating their continued efforts to expand the scope of the attack.
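The execution chain described in this section, turned into triage logic over CloudTrail management events, as an added example that is not from the article: a static IAM user key creates a role, attaches AdministratorAccess, then creates a Lambda function. The eventName strings and the AdministratorAccess policy ARN are the real AWS values; the events, account ID, names and key ID are constructed.

```python
"""Triage of CloudTrail management events for the execution phase above: a
long-lived IAM user key creates a role, attaches AdministratorAccess, then
creates a Lambda function. Added example; events below are constructed."""
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# Real CloudTrail eventName values; Lambda's carries its API version suffix.
WATCHED = {"CreateRole", "AttachRolePolicy", "CreateFunction20150331"}
KEY = "AKIAEXAMPLEEXAMPLE01"  # fake access key id for the constructed events

SAMPLE_EVENTS = [
    {"eventTime": "2024-08-01T10:00:01Z", "eventName": "CreateRole",
     "userIdentity": {"type": "IAMUser", "userName": "web-app", "accessKeyId": KEY},
     "requestParameters": {"roleName": "lambda-ex"}},
    {"eventTime": "2024-08-01T10:00:04Z", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "IAMUser", "userName": "web-app", "accessKeyId": KEY},
     "requestParameters": {"roleName": "lambda-ex", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2024-08-01T10:00:09Z", "eventName": "CreateFunction20150331",
     "userIdentity": {"type": "IAMUser", "userName": "web-app", "accessKeyId": KEY},
     "requestParameters": {"functionName": "scan", "role": "arn:aws:iam::111122223333:role/lambda-ex"}},
    {"eventTime": "2024-08-01T11:30:00Z", "eventName": "CreateRole",  # benign CI deploy
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/run"},
     "requestParameters": {"roleName": "app-role"}},
]

def triage(events):
    """Return (alerts, chains): (time, principal, reason) findings, and the
    principals that completed the role -> admin policy -> Lambda chain."""
    alerts, steps = [], {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name, ident = ev["eventName"], ev["userIdentity"]
        params = ev.get("requestParameters") or {}
        if name not in WATCHED:
            continue
        who = ident.get("accessKeyId") or ident.get("arn", "?")
        seen = steps.setdefault(who, set())
        target = params.get("roleName") or params.get("functionName")
        # A static IAMUser key (the kind leaked through .env) performing IAM or
        # Lambda writes is unexpected for a web application principal.
        if ident.get("type") == "IAMUser":
            alerts.append((ev["eventTime"], who, f"IAM user key ran {name} on {target}"))
        if name == "CreateRole":
            seen.add("role")
        elif name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY:
            seen.add("admin")
            alerts.append((ev["eventTime"], who, f"AdministratorAccess attached to {target}"))
        elif name == "CreateFunction20150331" and {"role", "admin"} <= seen:
            seen.add("lambda")
            alerts.append((ev["eventTime"], who, f"Lambda {target} created after admin escalation"))
    chains = sorted(k for k, s in steps.items() if {"role", "admin", "lambda"} <= s)
    return alerts, chains
```

The benign CI event shows why the IAMUser check matters: a deploy role creating a role is routine, while the same API call from a static key is the signal.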
Conclusion
The extortion campaign targeting 115,000 domains through exploited .env files highlights the critical need for robust cloud security practices. Ensuring proper configuration, secure credential management, and ongoing vigilance are essential to protecting against such sophisticated threats. Organizations must prioritize these measures to safeguard their cloud environments and sensitive data from similar attacks.