110K domains targeted in ‘sophisticated’ AWS cloud extortion campaign


August 21, 2024 at 01:27PM

Cyble Security researchers found 110,000 domains targeted by attackers exploiting misconfigured .env files, exposing cloud access keys and SaaS API keys. Attackers targeted unsecured web applications, accessed IAM keys, and escalated privileges to gain unfettered access. Cloud users are urged to follow best practices and avoid committing .env files to version control. Cybercriminals targeting cloud credentials drive sophisticated extortion campaigns.

The report highlighted the significant threat posed to organizations with publicly exposed AWS environment files. Infosec experts revealed that attackers are exploiting misconfigured .env files to obtain cloud access keys, SaaS API keys, and database login information. The attackers demonstrated a deep understanding of cloud architectures and were able to use the exposed IAM keys, create new IAM roles, and escalate privileges. This underscores the critical importance of robust authentication, access controls, encryption, configuration management, and monitoring. Best practices include not committing .env files to version control, using environment variables set in the deployment environment, and considering secret-management tools. The report also emphasized the prevalence of exposed cloud credentials and S3 buckets, which makes them prime targets for cybercriminals. The need for proper protection and configuration of S3 buckets was stressed, given the high frequency of misconfigurations.
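The best practices above (keep .env files out of the deployable tree and out of version control) are easy to state and easy to get wrong. The following added example, which is not part of the article or of any Cyble tooling, is a small defensive audit: it walks a web root or repository checkout, parses every `.env*` file, flags entries that look like cloud or SaaS credentials (AWS access key IDs by format, other keys by name), and checks whether `.gitignore` excludes `.env` files. The function names, the regexes and the sample `.env` content are all constructed for this example; the key-ID value uses the `AKIA` prefix format and is not a real credential.

```python
"""Defensive audit for .env files left in a web root or repository checkout.
Added example; function names, patterns and sample data are constructed."""
import re
import shutil
import tempfile
from pathlib import Path

# Variable names that usually carry secrets (constructed heuristic list).
SECRET_NAME_RE = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL)", re.I)
# AWS access key IDs are AKIA (long-lived) or ASIA (temporary) + 16 uppercase alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")


def parse_env(text):
    """Parse KEY=VALUE lines of a dotenv file into a dict; skips comments and blanks."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip().strip('"').strip("'")
    return entries


def classify_entries(entries):
    """Return [(key, reason)] for entries that look like live credentials."""
    findings = []
    for key, value in entries.items():
        if not value:
            continue  # an empty value cannot leak anything
        if AWS_ACCESS_KEY_RE.search(value):
            findings.append((key, "aws-access-key-id"))
        elif SECRET_NAME_RE.search(key):
            findings.append((key, "secret-like-name"))
    return findings


def find_exposed_env_files(root):
    """Walk root and map each .env* file that holds credential-like entries to its findings."""
    root = Path(root)
    results = {}
    for path in root.rglob(".env*"):
        if not path.is_file():
            continue
        findings = classify_entries(parse_env(path.read_text(errors="replace")))
        if findings:
            results[path.relative_to(root).as_posix()] = findings
    return results


def env_is_gitignored(repo_root):
    """True if the repo's .gitignore contains a pattern that covers .env files."""
    gitignore = Path(repo_root) / ".gitignore"
    if not gitignore.exists():
        return False
    patterns = {line.strip() for line in gitignore.read_text().splitlines()}
    return bool(patterns & {".env", ".env*", "*.env", "/.env", "**/.env"})


def run_demo():
    """Build a constructed sample tree in a temp dir, scan it, and return the results."""
    base = Path(tempfile.mkdtemp(prefix="envscan-"))
    try:
        (base / "app").mkdir()
        # Constructed sample; the key ID only imitates the AKIA format.
        (base / "app" / ".env").write_text(
            "# constructed sample, not real credentials\n"
            "DB_HOST=localhost\n"
            "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "AWS_SECRET_ACCESS_KEY='constructed-secret'\n"
            "EMPTY_TOKEN=\n"
        )
        findings = find_exposed_env_files(base)
        ignored_before = env_is_gitignored(base)
        (base / ".gitignore").write_text("node_modules/\n.env\n")
        ignored_after = env_is_gitignored(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return {"findings": findings, "ignored_before": ignored_before,
            "ignored_after": ignored_after}


if __name__ == "__main__":
    for path, hits in run_demo()["findings"].items():
        print(path, hits)
```

Run it against a real checkout with `find_exposed_env_files("/path/to/site")`; anything it reports belongs in the deployment environment or a secrets manager, not in a file the web server can serve. The name heuristic will also flag non-secret keys such as `CACHE_KEY`, which is the right bias for an audit: a reviewer can dismiss a false positive, but a missed AWS key is exactly the exposure the article describes.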
