https://www.csoonline.com/article/3488207/aws-environments-compromised-through-exposed-env-files.html

Researchers at Palo Alto Networks’ Unit 42 have uncovered a large-scale extortion campaign targeting AWS environments. Attackers exploited a common misconfiguration – insecurely stored environment variables (.env files) on web servers – to steal AWS access keys and credentials for various cloud services.

The campaign involved scanning over 110,000 domains, leading to the exposure of over 90,000 unique environment variables. These exposed credentials included AWS access keys, database logins, social media tokens, and API keys for various services.

Once attackers gained access to AWS credentials, they used their knowledge of AWS APIs to move laterally within compromised environments, escalating privileges and deploying malicious scripts. The ultimate goal was to exfiltrate data from S3 buckets, a popular storage option for many web applications. After stealing the data, attackers left ransom notes demanding payment to prevent its sale.

The researchers highlight the importance of secure configuration practices. Web servers should be configured to prevent access to sensitive files like .env. Organizations should also implement logging and monitoring solutions to detect suspicious activity within their AWS environments. Additionally, using temporary IAM roles with least privilege access can minimize the damage caused by compromised credentials.
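The monitoring recommendation above is easier to act on with a concrete rule. The following is an added example, not code from the article or from Unit 42: it reads CloudTrail-shaped records and flags the pattern the article describes, a long-lived IAM user access key (the kind that ends up in a `.env` file; AWS long-term key IDs begin with `AKIA`, temporary STS credentials with `ASIA`) being used for S3 data access or for IAM calls that widen permissions. The sample records, key IDs, ARNs and IP addresses are constructed, and the two watchlists of API names are this example's own choice rather than anything the article specifies.

```python
"""Flag CloudTrail events where a long-lived IAM user key performs S3 data
access or IAM privilege changes.  Added example; the sample records below
are constructed, not real CloudTrail data."""
import json
from typing import Iterable, List, Optional

# Assumed watchlists (example's own choice, not from the article).  The names
# are real AWS API operations; the grouping is what this rule treats as notable.
S3_DATA_CALLS = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject"}
IAM_ESCALATION_CALLS = {
    "CreateUser", "CreateAccessKey", "AttachUserPolicy",
    "PutUserPolicy", "AttachRolePolicy",
}


def is_long_lived_key(access_key_id: str) -> bool:
    """AWS long-term access key IDs start with 'AKIA'; temporary credentials
    issued by STS start with 'ASIA'.  Only the former can sit in a .env file."""
    return access_key_id.startswith("AKIA")


def classify_event(event: dict) -> Optional[str]:
    """Return a verdict string for a notable event, or None if it is benign
    under this rule (temporary role credentials are deliberately ignored)."""
    ident = event.get("userIdentity", {})
    key_id = ident.get("accessKeyId", "")
    name = event.get("eventName", "")
    if ident.get("type") != "IAMUser" or not is_long_lived_key(key_id):
        return None
    if name in IAM_ESCALATION_CALLS:
        return "iam-escalation"
    if name in S3_DATA_CALLS:
        return "s3-data-access"
    return None


def find_suspicious(events: Iterable[dict]) -> List[dict]:
    """Run classify_event over a stream of CloudTrail records and collect
    the fields an analyst needs to pivot on (time, key, call, source IP)."""
    findings = []
    for ev in events:
        verdict = classify_event(ev)
        if verdict is None:
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "key": ev["userIdentity"].get("accessKeyId"),
            "user": ev["userIdentity"].get("userName"),
            "call": ev.get("eventName"),
            "source_ip": ev.get("sourceIPAddress"),
            "verdict": verdict,
        })
    return findings


# Constructed sample records in CloudTrail's JSON layout.  Key IDs, ARNs and
# addresses are placeholders invented for this example.
SAMPLE_EVENTS = [
    {   # A web tier using a temporary role credential: expected, not flagged.
        "eventTime": "2024-08-15T10:00:01Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "10.0.1.25",
        "userIdentity": {"type": "AssumedRole",
                         "accessKeyId": "ASIAEXAMPLETEMP00001",
                         "arn": "arn:aws:sts::111122223333:assumed-role/web-tier/i-0abc"},
    },
    {   # A long-lived user key enumerating buckets from an unfamiliar address.
        "eventTime": "2024-08-15T10:02:44Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.77",
        "userIdentity": {"type": "IAMUser", "userName": "app-deploy",
                         "accessKeyId": "AKIAEXAMPLELONG00001"},
    },
    {   # The same key attaching a policy to a user: privilege change.
        "eventTime": "2024-08-15T10:03:10Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.77",
        "userIdentity": {"type": "IAMUser", "userName": "app-deploy",
                         "accessKeyId": "AKIAEXAMPLELONG00001"},
    },
    {   # A long-lived key doing something outside both watchlists: not flagged.
        "eventTime": "2024-08-15T10:03:30Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.77",
        "userIdentity": {"type": "IAMUser", "userName": "app-deploy",
                         "accessKeyId": "AKIAEXAMPLELONG00001"},
    },
]

if __name__ == "__main__":
    print(json.dumps(find_suspicious(SAMPLE_EVENTS), indent=2))
```

Run as a script to see the two findings printed as JSON; in practice the records would come from a CloudTrail log bucket or an event stream, and the source-IP field is what lets a responder distinguish a leaked key used from outside the environment from the same key used by the application it was issued to. The rule deliberately ignores `AssumedRole` identities, which is the other half of the article's advice: moving workloads to temporary role credentials both removes the key from the `.env` file and makes every remaining `AKIA`-prefixed call worth a look.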

This extortion campaign demonstrates the significant risks associated with misconfigured web servers and insecure credential storage. Businesses are urged to review their cloud security practices and implement the recommended measures to prevent falling victim to similar attacks.