August 16, 2024 at 12:39PM
A recent extortion campaign targeted organizations by exploiting publicly accessible .env files with cloud and social media credentials. The attackers used AWS environments to scan over 230 million targets, compromised over 90,000 unique variables, and conducted phishing and ransom activities. The campaign demonstrated advanced cloud knowledge, evasion techniques, and financial motives, leaving the culprits unidentified.
Based on the meeting notes, here are the key takeaways:
1. A large-scale extortion campaign targeted organizations by exploiting publicly accessible environment variable files (.env) containing credentials for cloud and social media applications.
2. The campaign set up its attack infrastructure within infected organizations’ AWS environments and scanned over 230 million unique targets for sensitive data.
3. Attackers successfully ransomed data hosted in cloud storage containers without encrypting it first.
4. The attacks did not rely on security vulnerabilities but rather on the accidental exposure of .env files on unsecured web applications.
5. Threat actors used AWS IAM access keys to create new roles and escalate privileges within breached cloud environments.
6. The use of automated internet-wide scanning operations and extensive automation techniques indicates skilled and knowledgeable threat actor groups behind the campaign.
7. Financial motivation was evident in the threat actor’s attempts at illicit cryptocurrency mining and in the use of stolen Mailgun credentials to send phishing emails.
The campaign’s origins were concealed using VPNs and the TOR network, making it challenging to attribute to specific actors, although two IP addresses were geolocated in Ukraine and Morocco during the lambda function and S3 exfiltration activities.
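The role-creation and privilege-escalation step described in the takeaways above is visible in CloudTrail. The following is an added detection example, not code from the original report: it groups IAM-user events by access key and flags any key that creates a role and then grants it a policy. The events, key IDs, user names and IP addresses are constructed sample data.

```python
import json

# Constructed sample CloudTrail-style records (not real logs). The first key
# creates a role and grants it AdministratorAccess; the second only lists buckets.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "CreateRole", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "app-deploy",
                      "accessKeyId": "AKIAEXAMPLE0000000001"},
     "requestParameters": {"roleName": "lambda-tmp-role"}},
    {"eventName": "AttachRolePolicy", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "app-deploy",
                      "accessKeyId": "AKIAEXAMPLE0000000001"},
     "requestParameters": {"roleName": "lambda-tmp-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "backup-job",
                      "accessKeyId": "AKIAEXAMPLE0000000002"}},
]})

# IAM actions that hand out permissions; a long-lived key pulled from a
# .env file should never be seen performing these after creating a role.
ESCALATION_ACTIONS = {"AttachRolePolicy", "PutRolePolicy", "AttachUserPolicy",
                      "PutUserPolicy", "CreateAccessKey", "UpdateAssumeRolePolicy"}


def find_role_escalation(cloudtrail_json):
    """Return one finding per access key that performs CreateRole followed by a
    permission grant; each finding lists user, key, source IPs and the action order."""
    by_key = {}
    for rec in json.loads(cloudtrail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        key = ident.get("accessKeyId")
        if ident.get("type") != "IAMUser" or not key:
            continue  # only long-lived IAM user keys, the kind stored in .env files
        info = by_key.setdefault(key, {"userName": ident.get("userName"),
                                       "sourceIPs": set(), "actions": []})
        info["sourceIPs"].add(rec.get("sourceIPAddress"))
        info["actions"].append(rec.get("eventName"))
    findings = []
    for key, info in by_key.items():
        acts = info["actions"]
        if "CreateRole" in acts and any(
                a in ESCALATION_ACTIONS for a in acts[acts.index("CreateRole"):]):
            findings.append({"accessKeyId": key, "userName": info["userName"],
                             "sourceIPs": sorted(info["sourceIPs"]), "actions": acts})
    return findings


if __name__ == "__main__":
    for finding in find_role_escalation(SAMPLE_CLOUDTRAIL):
        print(finding)
```

A hit on a key that is only supposed to send mail or read a bucket is a strong signal that the key has leaked and should be rotated and its session activity reviewed.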