The attackers harvested credentials from environment variables exposed in .env files on misconfigured web servers and used them to ransom data stored in AWS S3 buckets, leveraging automation to target more than 100,000 domains.
Their success rested on multiple security failures by cloud users, notably the use of long-lived credentials and the absence of a least-privilege architecture. That failure pattern underscores the importance of robust authentication and access controls, data encryption, secure configuration management, and comprehensive monitoring and logging in cloud environments.
After gaining initial access to organizations' AWS environments, they scanned more than 230 million unique targets for sensitive data, focusing on 110,000 domains and extracting over 90,000 unique variables from .env files, including roughly 7,000 related to cloud services and 1,500 linked to social media accounts.
By employing a multi-layered infrastructure, attackers leveraged VPS endpoints, the Tor network, and VPNs for reconnaissance, initial access, lateral movement, and data exfiltration.
Threat actors are exploiting the widespread exposure of .env files, which contain hard-coded credentials and sit publicly readable on unsecured web applications, to gain unauthorized access to sensitive information. Because such a file is retrieved with a single request to a predictable path under the web root, it is an easy target for automated collection.
Recent campaigns have demonstrated the effectiveness of this technique, with attackers successfully obtaining AWS IAM access keys from exposed .env files.
The attackers used the exposed IAM credentials to gain initial access to victim cloud environments. Although those credentials did not grant administrator access to all resources, they carried enough IAM permissions for the attackers to escalate their privileges.
By leveraging the permission to create and modify IAM roles and policies, they created new IAM resources with unrestricted access. Before escalating, the attackers called the STS GetCallerIdentity API to confirm the account and principal associated with the compromised credentials (the call requires no IAM permission, so it is a low-noise first check for a stolen key).
They then used the ListUsers and ListBuckets API calls to enumerate the target account, and escalated their privileges by creating a new IAM role and attaching the AWS-managed AdministratorAccess policy to it.
Although an attempt to create an EC2 infrastructure stack failed, they successfully created AWS Lambda functions (recorded in CloudTrail as the CreateFunction20150331 event), which they used to run a bash script that scanned for further potential targets.
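The sequence above (GetCallerIdentity, then ListUsers/ListBuckets, then CreateRole and AttachRolePolicy with AdministratorAccess, then CreateFunction20150331) is a natural detection in CloudTrail. The following Python is an added example, not code from the report or from any vendor tool: it groups CloudTrail records by access key and flags keys that complete the validate, enumerate, escalate chain in order within a time window. The records, account ID, access key IDs and IP addresses are constructed samples, not indicators from the campaign.

```python
"""Detect the .env-campaign escalation chain in CloudTrail records (added example).

The sample records below are constructed to look like CloudTrail events; the
access key IDs, account ID and IP addresses are placeholders, not real IOCs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Each stage of the chain maps to the CloudTrail eventName values that mark it.
# Lambda's CreateFunction is logged by CloudTrail as "CreateFunction20150331".
STAGES = (
    ("validate", {"GetCallerIdentity"}),
    ("enumerate", {"ListUsers", "ListBuckets"}),
    ("escalate", {"CreateRole", "AttachRolePolicy"}),
    ("execute", {"CreateFunction20150331"}),
)


def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def analyze(records, window=timedelta(hours=2)):
    """Group records by access key and report keys whose activity completes the
    validate -> enumerate -> escalate chain, in that order, within `window`.

    Returns {accessKeyId: finding}; keys that do not complete the chain are omitted.
    """
    by_key = defaultdict(list)
    for r in records:
        by_key[r.get("userIdentity", {}).get("accessKeyId", "unknown")].append(r)

    findings = {}
    for key, events in by_key.items():
        events.sort(key=_ts)
        first_seen = {}          # stage -> time of the first event in that stage
        admin_attached = False
        for r in events:
            name = r["eventName"]
            for stage, names in STAGES:
                if name in names and stage not in first_seen:
                    first_seen[stage] = _ts(r)
            params = r.get("requestParameters") or {}
            if name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
                admin_attached = True

        required = ("validate", "enumerate", "escalate")
        if not all(s in first_seen for s in required):
            continue
        times = [first_seen[s] for s in required]
        if times == sorted(times) and times[-1] - times[0] <= window:
            findings[key] = {
                "stages": [s for s, _ in STAGES if s in first_seen],
                "admin_policy_attached": admin_attached,
                "lambda_created": "execute" in first_seen,
                "source_ips": sorted({r.get("sourceIPAddress", "") for r in events}),
            }
    return findings


def _rec(time, name, key, ip, params=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventTime": time, "eventName": name,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key},
        "sourceIPAddress": ip, "requestParameters": params,
    }


LEAKED = "AKIAEXAMPLELEAKED001"   # placeholder key that follows the chain
NORMAL = "AKIAEXAMPLENORMAL002"   # placeholder key used by a deploy pipeline
SAMPLE_RECORDS = [
    _rec("2024-08-15T10:00:00Z", "GetCallerIdentity", LEAKED, "198.51.100.7"),
    _rec("2024-08-15T10:00:05Z", "ListUsers", LEAKED, "198.51.100.7"),
    _rec("2024-08-15T10:00:09Z", "ListBuckets", LEAKED, "198.51.100.7"),
    _rec("2024-08-15T10:01:00Z", "CreateRole", LEAKED, "203.0.113.9", {"roleName": "lambda-ex"}),
    _rec("2024-08-15T10:01:03Z", "AttachRolePolicy", LEAKED, "203.0.113.9",
         {"roleName": "lambda-ex", "policyArn": ADMIN_POLICY_ARN}),
    _rec("2024-08-15T10:02:00Z", "CreateFunction20150331", LEAKED, "203.0.113.9",
         {"functionName": "scan", "role": "arn:aws:iam::123456789012:role/lambda-ex"}),
    # Normal key: validates identity and lists buckets, nothing more.
    _rec("2024-08-15T10:00:00Z", "GetCallerIdentity", NORMAL, "192.0.2.10"),
    _rec("2024-08-15T10:00:02Z", "ListBuckets", NORMAL, "192.0.2.10"),
]

if __name__ == "__main__":
    for key, finding in analyze(SAMPLE_RECORDS).items():
        print(key, finding)
```

The order check matters: GetCallerIdentity followed by ListBuckets is routine for deployment tooling, so only the progression into CreateRole/AttachRolePolicy from the same key is reported, and the source IP set lets an analyst see the hand-off between infrastructure tiers that the campaign relied on.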
The cloud extortion campaign highlights the risks of neglecting cloud security best practices: exposed .env files containing API keys and credentials are a ready foothold for malicious actors.
To mitigate these risks, organizations should keep .env files out of version control and out of the web root (or explicitly deny access to them at the web server), inject secrets as runtime environment variables from a secrets manager rather than shipping them in files, prefer short-lived credentials and scoped IAM permissions over long-lived keys, implement robust access controls, and conduct regular audits.
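A concrete version of the "keep .env files out of version control" advice is a pre-commit check that refuses to stage environment files or content that looks like an AWS credential. The following Python is an added example, not part of the report or any existing tool; the staged file contents are constructed samples, and the key IDs are placeholders.

```python
"""Pre-commit style check for staged .env files and AWS-style credentials (added example).

Intended to be called from a git pre-commit hook with the staged paths and
their contents; the sample files below are constructed, not real secrets.
"""
import re
from pathlib import PurePosixPath

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs: prefix + 16 chars.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# KEY=value lines whose variable name suggests a secret and whose value is
# non-empty on the same line (so an empty template value is not flagged).
SECRET_ASSIGNMENT_RE = re.compile(
    r"^[ \t]*(?:export[ \t]+)?"
    r"([A-Z0-9_]*(?:SECRET|PASSWORD|TOKEN|PRIVATE_KEY|ACCESS_KEY)[A-Z0-9_]*)"
    r"[ \t]*=[ \t]*(\S+)",
    re.MULTILINE,
)

# Template files that projects intentionally commit with empty values.
TEMPLATE_NAMES = {".env.example", ".env.sample", ".env.template"}


def is_env_file(path):
    name = PurePosixPath(path).name
    return name == ".env" or name.startswith(".env.")


def scan_file(path, content):
    """Return a list of (path, reason) findings for one staged file."""
    findings = []
    template = PurePosixPath(path).name in TEMPLATE_NAMES
    if is_env_file(path) and not template:
        findings.append((path, "environment file staged for commit"))
    for m in AWS_ACCESS_KEY_RE.finditer(content):
        # Report only the prefix so the hook output itself does not leak the key.
        findings.append((path, "AWS access key ID in content: " + m.group(0)[:8] + "..."))
    if not template:
        for m in SECRET_ASSIGNMENT_RE.finditer(content):
            findings.append((path, "secret-looking assignment: " + m.group(1)))
    return findings


def check_staged(files):
    """files: {path: content}. Returns all findings; a non-empty list means block the commit."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_file(path, content))
    return findings


# Constructed staged set: a real-looking .env, a template, clean code, a script.
SAMPLE_STAGED = {
    ".env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000A1\n"
            "AWS_SECRET_ACCESS_KEY=abc123\n"
            "DB_PASSWORD=hunter2\n",
    ".env.example": "AWS_ACCESS_KEY_ID=\nAWS_SECRET_ACCESS_KEY=\n",
    "config/settings.py": "DEBUG = False\n",
    "deploy.sh": "export AWS_SESSION_TOKEN=IQoJb3JpZ2luX2Vj...\n",
}

if __name__ == "__main__":
    for path, reason in check_staged(SAMPLE_STAGED):
        print(f"{path}: {reason}")
```

Wire it in by having `.git/hooks/pre-commit` read `git diff --cached --name-only` and `git show :<path>` for each staged file, then exit non-zero when `check_staged` returns anything; the template allowlist keeps documented `.env.example` files committable while still catching a real key pasted into one.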
Cyble's analysis of the campaign produced potential indicators of compromise (IOCs) in several categories. A single URL associated with a Lambda function appears benign on its own, but a significant number of IP addresses were flagged, including Tor exit nodes, VPS endpoints, and VPN endpoints.
These IPs suggest the campaign relies on anonymization services and compromised servers to mask its origin and activity. A SHA256 hash of a script named Lambda.sh was also identified and can be used to hunt for the Lambda payload in other environments.