Extortion Group Exploits Cloud Misconfigurations, Targets 110,000 Domains

Threat actors armed with advanced automation techniques and an expansive knowledge of cloud architecture ran an extortion campaign that targeted 110,000 domains and acquired publicly exposed environment variable files that contained valid Amazon Web Services (AWS) credentials.

The .env files, served by misconfigured web servers that left them publicly reachable, contained a range of sensitive information, including credentials for various applications, researchers with Palo Alto Networks’ Unit 42 threat intelligence arm wrote in a report.

The unknown attackers exploited misconfigurations in the victims’ own environments that exposed their .env files; there were no vulnerabilities or misconfigurations in AWS’ services, they wrote. The extortion operation then set up its attack infrastructure inside compromised organizations’ AWS environments and used it to scan more than 230 million unique targets for sensitive information.

“This campaign targeted 110,000 domains resulting in over 90,000 unique variables in the .env files,” the researchers wrote. “Of those variables, 7,000 belonged to organizations’ cloud services and we traced 1,500 variables back to social media accounts. Additionally, attackers used multiple source networks to facilitate the operation.”

No Encryption, Just Extortion

Once such sensitive data was found, the attackers didn’t encrypt the files. Instead, they exfiltrated them and then planted the ransom note in the compromised cloud storage container. In addition, the use of extensive automation techniques “indicates that these threat actor groups are both skilled and knowledgeable in advanced cloud architectural processes and techniques,” they wrote.

The hackers also used a number of source networks for the operation, including The Onion Router (Tor) network for reconnaissance and initial access, virtual private networks (VPNs) for lateral movement and data exfiltration, and virtual private server (VPS) endpoints for other parts of the campaign.

They noted several security weaknesses while investigating the campaign: not only were environment variables exposed, but the affected organizations also relied on long-lived credentials and had not built a least-privilege architecture.

Need for Strong Cloud Security

Unit 42’s report is only the latest to highlight the need for strong cybersecurity measures in the cloud. As enterprises move more of their workloads into the cloud, bad actors are ramping up their attacks. A report in June by Thales said that cloud resources – such as SaaS applications, cloud storage, and cloud management infrastructure – are now the number-one targets of threat actors. In addition, both that report and a later one from the Cloud Security Alliance (CSA) found that humans are high on the list of cyberthreats facing the cloud.

The CSA pointed to misconfigurations, inadequate change control, identity and access management (IAM), insecure interfaces and APIs, and inadequate implementation of cloud security strategies as such human-influenced risks.

An AWS spokesperson said neither the cloud giant’s services nor its infrastructure were implicated in the researchers’ findings.

“The issues described in this blog were a result of a bad actor abusing misconfigured web applications – hosted both in the cloud and elsewhere – that allowed public access to environment variable (.env) files,” the spokesperson said in a statement. “Some of these files contained various kinds of credentials, including AWS credentials which were then used by the bad actor to call AWS APIs. Environment variable files should never be publicly exposed, and even if kept private, should never contain AWS credentials. AWS provides a variety of easy-to-use mechanisms for web applications to access temporary AWS credentials in a secure fashion. We recommend customers follow best practices for AWS Identity and Access Management (IAM) to help secure their AWS resources.”

People a Factor in Security Weaknesses

Humans were a significant factor in the campaign detected by Unit 42 researchers: the organizations with accounts in the AWS cloud environment used overly permissive IAM credentials that let the attackers run operations that would not have been possible had the account operators followed cloud security best practices. One of those best practices is not to expose environment files publicly, they wrote.

“Environment files allow users to define configuration variables used within applications and platforms,” the researchers wrote. “These files often contain secrets such as hard-coded cloud provider access keys, software-as-a-service (SaaS) API keys and database login information then used by the threat actor for initial access. The attack pattern of scanning the internet for domains and exploiting credentials obtained from exposed environment variable files follows a larger pattern we believe propagates through other compromised AWS environments.”
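The kind of secret material the researchers describe is easy to audit for before a file ever reaches a web root. The following Python is an added example, not code from the Unit 42 report or from AWS: it parses dotenv syntax and labels values that look like cloud or SaaS credentials. The AWS access key ID prefixes (AKIA for long-term IAM user keys, ASIA for temporary STS keys) and the GitHub token prefixes follow each vendor's documented formats; the remaining patterns are heuristics, and the sample file uses AWS's published example key pair rather than a real leak.

```python
"""Audit a .env file for secrets that should never be sitting in it.

Added example; this is not code from the Unit 42 report or from AWS.
The AWS access key ID prefixes (AKIA for long-term IAM user keys, ASIA
for temporary STS keys) and the GitHub token prefixes follow each
vendor's documented formats; the other patterns are heuristics.
"""
import re
from typing import Dict, List, Tuple

# Value patterns: (finding label, regex applied to the variable's value).
VALUE_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("aws_access_key_id_long_term", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_access_key_id_temporary", re.compile(r"\bASIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    # scheme://user:password@host ... (database and message-queue URLs)
    ("url_with_embedded_password",
     re.compile(r"^[a-z][a-z0-9+.-]*://[^:/\s]+:[^@\s]+@", re.I)),
]
# Variable names that mark the value as secret material regardless of shape.
SECRET_NAME = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def parse_env(text: str) -> Dict[str, str]:
    """Parse dotenv syntax: KEY=VALUE, optional 'export ', quotes, # comments."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] in "\"'" and value[-1] == value[0]:
            value = value[1:-1]                        # quoted: keep the whole inside
        else:
            value = value.split(" #", 1)[0].rstrip()   # unquoted: drop trailing comment
        env[key.strip()] = value
    return env


def mask(value: str) -> str:
    """Show just enough of a secret to identify it in a report."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def audit_env(text: str) -> List[Dict[str, str]]:
    """Return one finding per (variable, label) pair."""
    findings: List[Dict[str, str]] = []
    for key, value in parse_env(text).items():
        labels = [label for label, rx in VALUE_PATTERNS if rx.search(value)]
        if value and SECRET_NAME.search(key):
            labels.append("secret_by_name")
        for label in labels:
            findings.append({"key": key, "finding": label, "preview": mask(value)})
    return findings


def contains_aws_credentials(findings: List[Dict[str, str]]) -> bool:
    """AWS's stated position: a .env file should never hold AWS keys, even if private."""
    return any(f["finding"].startswith("aws_access_key_id") for f in findings)


# Constructed sample using AWS's documented example key pair; not a real leak.
SAMPLE_ENV = """# application settings
APP_ENV=production
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DATABASE_URL=postgres://app:s3cr3t@db.internal:5432/app
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyzAB
LOG_LEVEL=info  # unquoted trailing comment
"""

if __name__ == "__main__":
    for f in audit_env(SAMPLE_ENV):
        print(f"{f['key']:24} {f['finding']:28} {f['preview']}")
```

Run against the sample, the audit reports five findings across four variables, and `contains_aws_credentials` is true, which by AWS's own guidance is a finding in itself regardless of whether the file is reachable from the web. The same check belongs in a pre-commit hook or CI step so the file is caught before deployment; verifying that the web server refuses requests for `/.env` is a separate, complementary control.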

Once in, the bad actors tried to create two different infrastructure stacks. They were unsuccessful using Amazon Elastic Compute Cloud (EC2) resources, but succeeded with AWS Lambda, creating new Lambda functions to run their automated operation of scanning domains and looking for misconfigurations.

Among the cloud and SaaS secrets targeted, the threat group was able to steal 1,185 AWS access keys, 333 PayPal OAuth secrets, and 111 GitHub secrets.

The researchers laid out several steps organizations can take to protect themselves: using IAM roles, which issue short-lived temporary credentials instead of long-lived access keys; following the principle of least privilege when provisioning permissions; and disabling unused regions within an AWS account.
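Two of those recommendations, and two of the weaknesses noted earlier (long-lived credentials and the absence of least privilege), can be turned into checks a defender runs against their own account. The Python below is an added example, not code from the report or from AWS. The key records are shaped like the `AccessKeyMetadata` entries that boto3's `iam.list_access_keys()` returns, so the constructed sample stands in for a live call; the two policy documents are constructed illustrations of an all-powerful grant and a narrowly scoped one.

```python
"""Two checks for the weaknesses Unit 42 called out: long-lived access keys
and permissions that are not least-privilege.

Added example; not code from the report or from AWS. Key records are shaped
like the AccessKeyMetadata entries that boto3's iam.list_access_keys()
returns, and the two policies are constructed illustrations.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List


def collect_access_keys(iam) -> List[Dict[str, Any]]:
    """Gather every IAM user's access keys with a boto3 IAM client.
    Not exercised offline (needs credentials and network); it only feeds
    flag_long_lived_keys() below."""
    records: List[Dict[str, Any]] = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            resp = iam.list_access_keys(UserName=user["UserName"])
            records.extend(resp["AccessKeyMetadata"])
    return records


def flag_long_lived_keys(records: List[Dict[str, Any]], now: datetime,
                         max_age_days: int = 90) -> List[Dict[str, Any]]:
    """Active IAM user keys older than max_age_days. 'AKIA...' keys are
    long-term by construction; a workload running on an IAM role receives
    'ASIA...' temporary keys and never appears in this list at all."""
    flagged = []
    for rec in records:
        if rec.get("Status") != "Active":
            continue
        age = now - rec["CreateDate"]
        if age > timedelta(days=max_age_days):
            flagged.append({"user": rec["UserName"], "key": rec["AccessKeyId"],
                            "age_days": age.days})
    return flagged


def _as_list(v) -> List[str]:
    return [v] if isinstance(v, str) else list(v or [])


def overly_broad_statements(policy: Dict[str, Any]) -> List[int]:
    """Indexes of Allow statements that grant a wildcard action ('*' or
    'service:*') or Resource '*'. Treat hits as review items rather than
    hard failures: a few read-only APIs (sts:GetCallerIdentity, for one)
    only accept Resource '*'."""
    hits: List[int] = []
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for i, s in enumerate(stmts):
        if s.get("Effect") != "Allow":
            continue
        actions = _as_list(s.get("Action"))
        resources = _as_list(s.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            hits.append(i)
    return hits


# Constructed sample records and a fixed "now" so the result is reproducible.
NOW = datetime(2024, 8, 20, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
     "CreateDate": datetime(2022, 1, 15, tzinfo=timezone.utc)},
    {"UserName": "bob", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Inactive",
     "CreateDate": datetime(2021, 6, 1, tzinfo=timezone.utc)},
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE000000000", "Status": "Active",
     "CreateDate": datetime(2024, 7, 1, tzinfo=timezone.utc)},
]

# Constructed: effectively what an all-powerful leaked key carries.
POLICY_TOO_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
# Constructed: a web app that only needs to read one bucket prefix.
POLICY_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-app-assets/public/*"}],
}

if __name__ == "__main__":
    for f in flag_long_lived_keys(SAMPLE_KEYS, NOW):
        print(f"long-lived key: {f['user']} {f['key']} ({f['age_days']} days)")
    for name, pol in (("too_broad", POLICY_TOO_BROAD), ("scoped", POLICY_SCOPED)):
        print(f"{name}: broad statements at {overly_broad_statements(pol)}")
```

On the sample, only alice's key is flagged at the 90-day threshold (bob's is inactive, ci-deploy's is 50 days old), and only the first policy has a wildcard statement. The fix the article points to is structural rather than a rotation schedule: move the workload onto an IAM role so there is no long-term key to leak from a .env file in the first place, and scope the role's policy to the actions and resources the application actually calls.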

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
