Widespread Cloud Exposure: Extortion Campaign Used Exposed AWS ENV Files to Target 110,000 Domains
A sophisticated extortion campaign exploited misconfigured AWS .env files to target 110,000 domains, stealing credentials and holding cloud storage data for ransom. The attackers scanned for exposed .env files on unsecured web applications to obtain AWS Identity and Access Management (IAM) access keys; these files often contain sensitive information such as secrets and credentials. With the IAM credentials, the attackers created new IAM roles and attached policies to existing roles, granting themselves unlimited access within the victims' cloud environments.

The campaign scanned over 230 million targets and exposed over 90,000 unique variables from .env files, including 7,000 related to cloud services and 1,500 linked to social media accounts. The attackers used a variety of networks and tools, including VPS endpoints, the Tor network, and VPNs, for reconnaissance, lateral movement, and data exfiltration. Rather than encrypting the data, they exfiltrated it and then placed ransom notes in the compromised containers.

The campaign highlights the importance of cloud security best practices: robust authentication and access controls, data encryption, secure configuration management, and monitoring and logging. Recommendations for preventing such exposures include not committing .env files to version control, supplying environment variables directly in deployment environments, limiting access to .env files, conducting regular audits, and using secrets management tools. Indicators of compromise associated with the campaign were also provided. [View Article](https://buaq.net/go-257233.html)
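The activity chain summarised above (stolen access key used from several networks, a new role granted an administrative policy, bucket contents read, deleted, and replaced with a note) is visible in CloudTrail. The following detection sketch is an added example, not code from the article or from the researchers who reported the campaign; it runs over constructed CloudTrail-style records with placeholder access key IDs and bucket names, and its thresholds and the `AdministratorAccess` check are assumptions a team would tune to its own environment.

```python
"""Flag the .env-credential extortion pattern in CloudTrail-style events.

Added example with constructed sample data; not part of the original article.
Three heuristics, each emitted as a finding string per access key:
  multi_source_ip:N        one key used from N or more distinct source IPs
  privilege_escalation:R   CreateRole R followed by AttachRolePolicy granting
                           AdministratorAccess to R (assumed indicator)
  exfil_delete_note:B      GetObject -> DeleteObject -> PutObject in bucket B
"""
import json
from collections import defaultdict

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _ev(time, name, source, key, ip, params=None):
    """Build one minimal CloudTrail-shaped record (constructed, not real)."""
    return {
        "eventTime": time,
        "eventName": name,
        "eventSource": source,
        "userIdentity": {"accessKeyId": key},
        "sourceIPAddress": ip,
        "requestParameters": params or {},
    }


# Constructed sample log. Key IDs, IPs (RFC 5737 ranges) and bucket names are
# placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    _ev("2024-08-01T10:00:00Z", "GetCallerIdentity", "sts.amazonaws.com",
        "AKIA_EXAMPLE_ATTACKER", "198.51.100.10"),
    _ev("2024-08-01T10:00:05Z", "ListUsers", "iam.amazonaws.com",
        "AKIA_EXAMPLE_ATTACKER", "198.51.100.10"),
    _ev("2024-08-01T10:02:00Z", "CreateRole", "iam.amazonaws.com",
        "AKIA_EXAMPLE_ATTACKER", "203.0.113.5", {"roleName": "lambda-ex"}),
    _ev("2024-08-01T10:02:10Z", "AttachRolePolicy", "iam.amazonaws.com",
        "AKIA_EXAMPLE_ATTACKER", "203.0.113.5",
        {"roleName": "lambda-ex", "policyArn": ADMIN_POLICY_ARN}),
    _ev("2024-08-01T10:05:00Z", "ListBuckets", "s3.amazonaws.com",
        "AKIA_EXAMPLE_ATTACKER", "192.0.2.77"),
    _ev("2024-08-01T10:05:30Z", "GetObject", "s3.amazonaws.com",
        "AKIA_EXAMPLE_ATTACKER", "192.0.2.77",
        {"bucketName": "acme-backups", "key": "db.sql"}),
    _ev("2024-08-01T10:06:00Z", "DeleteObject", "s3.amazonaws.com",
        "AKIA_EXAMPLE_ATTACKER", "192.0.2.77",
        {"bucketName": "acme-backups", "key": "db.sql"}),
    _ev("2024-08-01T10:06:05Z", "PutObject", "s3.amazonaws.com",
        "AKIA_EXAMPLE_ATTACKER", "192.0.2.77",
        {"bucketName": "acme-backups", "key": "note.txt"}),
    # Normal application traffic: one key, one IP, reads only.
    _ev("2024-08-01T10:07:00Z", "GetObject", "s3.amazonaws.com",
        "AKIA_EXAMPLE_BENIGN", "10.0.4.12",
        {"bucketName": "acme-assets", "key": "logo.png"}),
]


def _in_order(seq, pattern):
    """True if every name in pattern appears in seq, in that relative order."""
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)


def analyze(events, ip_threshold=3):
    """Return {accessKeyId: [finding, ...]} for keys matching any heuristic."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev.get("userIdentity", {}).get("accessKeyId", "unknown")].append(ev)

    findings = {}
    for key, evs in by_key.items():
        evs = sorted(evs, key=lambda e: e["eventTime"])
        hits = []

        # 1. Same key seen from many networks (VPS, Tor exits, VPNs).
        ips = {e["sourceIPAddress"] for e in evs}
        if len(ips) >= ip_threshold:
            hits.append(f"multi_source_ip:{len(ips)}")

        # 2. Role created by this key, then given AdministratorAccess.
        created = set()
        for e in evs:
            p = e.get("requestParameters") or {}
            if e["eventName"] == "CreateRole":
                created.add(p.get("roleName"))
            elif (e["eventName"] == "AttachRolePolicy"
                  and p.get("policyArn") == ADMIN_POLICY_ARN
                  and p.get("roleName") in created):
                hits.append(f"privilege_escalation:{p['roleName']}")

        # 3. Read, delete, then write into the same bucket (exfil + note).
        per_bucket = defaultdict(list)
        for e in evs:
            p = e.get("requestParameters") or {}
            if e["eventSource"] == "s3.amazonaws.com" and p.get("bucketName"):
                per_bucket[p["bucketName"]].append(e["eventName"])
        for bucket, names in per_bucket.items():
            if _in_order(names, ["GetObject", "DeleteObject", "PutObject"]):
                hits.append(f"exfil_delete_note:{bucket}")

        if hits:
            findings[key] = hits
    return findings


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

In production the same `analyze` function would be fed deserialised CloudTrail records (from S3 delivery or CloudWatch Logs) rather than the inline list; the per-key grouping is what makes the pattern stand out, since each step looks unremarkable on its own.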