Exposed .env Files Open Doors to Widespread AWS Cloud Compromises
Unit 42 researchers report an extortion campaign that compromised numerous organizations by exploiting exposed environment variable files (.env files) containing sensitive credentials. These breaches enabled unauthorized access to critical cloud services and social media accounts. Over 110,000 domains were targeted, yielding more than "90,000 unique combinations of leaked environment variables that contained access keys or IAM credentials," according to the Unit 42 report. Approximately 7,000 of those variables were linked to cloud services and 1,515 to social media accounts. The campaign did not encrypt data; instead, the attackers exfiltrated it and ransomed it directly. Unit 42 highlights several security oversights behind these breaches: the exposure of environment variables, the use of persistent, long-lived credentials, and the absence of strict least-privilege controls within victim organizations' cloud architectures.
Exposed credentials in .env files were central to this campaign as the threat actors' means of initial access. Such credentials often become accessible on the public internet inadvertently, through misconfiguration. Unit 42 notes "a growing trend of attackers targeting cloud IAM credentials leading to initial access of organizations’ cloud environments." This initial foothold enabled the threat actors to run a series of discovery operations within the AWS environment, starting with API calls such as 'GetCallerIdentity' to establish the compromised account's details, followed by further calls to the Security Token Service (STS), Simple Storage Service (S3), and Simple Email Service (SES). The discovery API calls observed included 'ListUsers,' 'ListBuckets,' 'GetSendQuota,' 'ListVerifiedEmailAddresses,' 'GetAccountSendingEnabled,' 'GetAccount,' and 'ListIdentities.'
As the campaign advanced, the attackers sought to elevate their privileges by creating and manipulating IAM roles: they created a new role named 'lambda-ex' with the 'CreateRole' API call and used 'AttachRolePolicy' to attach the 'AdministratorAccess' policy to it. Other attempts, such as creating new EC2 instances or security groups, were thwarted, so their efforts to scale privileges and gain resource-manipulation capacity for operations like cryptomining were only partially successful. Given the speed of the API calls, the researchers assess that this failed activity was automated and included creating a security group with 'CreateSecurityGroup,' adding a new ingress rule with 'AuthorizeSecurityGroupIngress,' and attempting to launch new compute instances with 'CreateKeyPair' and 'RunInstances.'
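The discovery burst and the 'CreateRole' / 'AttachRolePolicy' escalation described in the two paragraphs above are both visible in CloudTrail. The following detection sketch is an added example, not code from Unit 42 or from the report; it assumes CloudTrail event records as plain dicts, a constructed sample with placeholder access key IDs, and a five-minute correlation window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# API calls the Unit 42 write-up lists for discovery and privilege escalation.
DISCOVERY = {"GetCallerIdentity", "ListUsers", "ListBuckets", "GetSendQuota",
             "ListVerifiedEmailAddresses", "GetAccountSendingEnabled",
             "GetAccount", "ListIdentities"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(records, window=timedelta(minutes=5), min_discovery=4):
    """Return (accessKeyId, finding) tuples; records are CloudTrail event dicts."""
    by_key = defaultdict(list)
    for r in sorted(records, key=_ts):
        by_key[r["userIdentity"].get("accessKeyId", "?")].append(r)
    findings = []
    for key, recs in by_key.items():
        # 1. Burst of discovery calls from a single access key inside the window.
        disc = [_ts(r) for r in recs if r["eventName"] in DISCOVERY]
        for i, t0 in enumerate(disc):
            if sum(1 for t in disc[i:] if t - t0 <= window) >= min_discovery:
                findings.append((key, "discovery-burst"))
                break
        # 2. CreateRole followed by AttachRolePolicy(AdministratorAccess) on that role.
        created = {}
        for r in recs:
            p = r.get("requestParameters") or {}
            if r["eventName"] == "CreateRole" and p.get("roleName"):
                created[p["roleName"]] = _ts(r)
            elif (r["eventName"] == "AttachRolePolicy" and p.get("policyArn") == ADMIN_POLICY
                  and p.get("roleName") in created
                  and timedelta(0) <= _ts(r) - created[p["roleName"]] <= window):
                findings.append((key, "admin-role:" + p["roleName"]))
    return findings

# Constructed sample events (not real CloudTrail data); key ids are placeholders.
def _ev(t, name, params=None, key="AKIA0000CONSTRUCTED"):
    return {"eventTime": f"2024-08-01T10:{t}Z", "eventName": name,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}

SAMPLE = [
    _ev("00:01", "GetCallerIdentity"), _ev("00:03", "ListUsers"),
    _ev("00:04", "ListBuckets"), _ev("00:05", "GetSendQuota"),
    _ev("00:09", "CreateRole", {"roleName": "lambda-ex"}),
    _ev("00:12", "AttachRolePolicy", {"roleName": "lambda-ex", "policyArn": ADMIN_POLICY}),
    _ev("30:00", "ListBuckets", key="AKIA0000BENIGNKEY"),
]
```

Run on `SAMPLE`, `detect` flags the constructed key for both patterns and stays silent on the single benign 'ListBuckets' call; in production the same logic would read from CloudTrail Lake or the S3 trail export rather than an inline list.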
Despite some failed executions, the attackers successfully created and executed a Lambda function named 'ex,' which was central to their campaign to scan the internet for further exploitable targets. This function, running in the compromised AWS environment, pulled a list of potential targets from a publicly accessible S3 bucket controlled by the attackers. Finally, the campaign culminated in the exfiltration of vast amounts of data from multiple S3 buckets, using an array of S3 API calls: 'ListBuckets,' 'GetBucketLocation,' 'GetBucketObjectLockConfiguration,' 'GetBucketLogging,' 'GetBucketVersioning,' 'GetBucketRequestPayment,' 'GetAccelerateConfiguration,' 'GetBucketReplication,' 'GetBucketLifecycle,' 'GetBucketPublicAccessBlock,' 'GetBucketOwnershipControls,' and 'GetBucketAcl.' These calls enabled the attackers to identify, access, and exfiltrate data across a broad spectrum of resources.
Following the data exfiltration, ransom notes were deployed within the compromised containers. The scope and automation of this campaign, investigated by Unit 42 researchers, highlight not only the advanced capabilities of the attackers but also the critical vulnerabilities that arise from common misconfigurations and inadequate security practices in cloud environments. "Note: The presence of these secrets resulted from misconfigurations of victim organizations who inadvertently exposed their .env files. None of the listed vendors’ applications or services had vulnerabilities or misconfigurations that resulted in this exposure," the researchers emphasized in their research report.