An extortion campaign targeted over 110,000 domains by exploiting misconfigured AWS .env files to steal credentials and ransom cloud storage data. The attackers leveraged exposed IAM keys and automated cloud operations, underscoring the need for strong cloud security practices. #AWS #IAM
Key points
- The campaign targeted more than 110,000 domains and led to exfiltration of sensitive data from cloud storage.
- Attackers scanned unsecured web apps for exposed .env files to obtain AWS IAM access keys.
- Exposed .env files contained secrets such as API keys and database credentials.
- Automation and cloud-architecture knowledge were leveraged to accelerate the operation.
- Recommended best practices include robust authentication, strict access controls, encryption, and secure configuration management.
- Indicators of compromise include specific URLs, IP addresses, and SHA256 hashes related to the activity.
MITRE Techniques
- [T1552.001] Exposed Credentials – Exposed .env files allowed obtaining AWS IAM access keys. Quote: “Exploitation of exposed .env files to obtain AWS IAM access keys.”
- [T1548] Abuse Elevation Control – Creation of new IAM roles and attachment of policies to existing roles to escalate privileges. Quote: “created new IAM resources with unlimited access” and “AttachRolePolicy to AdministratorAccess.”
- [T1087] Account Discovery – ListUsers used to obtain a list of IAM users in the AWS account. Quote: “ListUsers to obtain a list of IAM users in the AWS account.”
- [T1567.002] Exfiltration to Cloud Storage – Exfiltration of data from cloud storage containers without encryption. Quote: “Exfiltration of data from cloud storage containers without encryption.”
- [T1090] Proxy – Use of VPNs and VPS endpoints for lateral movement and data exfiltration. Quote: “Use of VPNs and VPS endpoints for lateral movement and data exfiltration.”
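The IAM actions quoted above (ListUsers, AttachRolePolicy to AdministratorAccess) all land in CloudTrail, so a defender can look for them directly. The following detector is an added example, not code from the report or from Cyble; the CloudTrail records are constructed samples, the rule names are invented, and the only values taken from the page are the two Tor exit IPs and the AdministratorAccess policy ARN.

```python
import json

# Constructed sample CloudTrail records (not taken from the report); only the
# fields the detector inspects are filled in.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "ListUsers", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "109.70.100.71",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventName": "AttachRolePolicy", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "109.70.100.71",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"},
     "requestParameters": {"roleName": "app-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE00000002"},
     "requestParameters": {"bucketName": "app-assets"}},
]})

# Tor exit nodes listed in the report's IOC section.
KNOWN_BAD_IPS = {"109.70.100.71", "192.42.116.181"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# IAM calls that enumerate principals or grant new access; a leaked .env key
# driving these calls is the pattern the report describes.
IAM_WATCHLIST = {"ListUsers", "CreateUser", "CreateAccessKey", "CreateRole",
                 "AttachRolePolicy", "AttachUserPolicy"}

def findings_for(rec):
    """Return the list of rule names a single CloudTrail record triggers."""
    hits = []
    name = rec.get("eventName", "")
    params = rec.get("requestParameters") or {}
    key_id = rec.get("userIdentity", {}).get("accessKeyId", "")
    if rec.get("sourceIPAddress") in KNOWN_BAD_IPS:
        hits.append("known_tor_exit_source")
    if name in {"AttachRolePolicy", "AttachUserPolicy"} and params.get("policyArn") == ADMIN_POLICY:
        hits.append("administrator_access_attached")
    # Long-lived user access keys start with AKIA; STS temporary keys start with ASIA.
    if name in IAM_WATCHLIST and key_id.startswith("AKIA"):
        hits.append("iam_activity_with_long_lived_key")
    return hits

def scan(log_json):
    """Scan a CloudTrail JSON document; return (eventName, rules) for flagged records."""
    flagged = []
    for rec in json.loads(log_json).get("Records", []):
        rules = findings_for(rec)
        if rules:
            flagged.append((rec["eventName"], rules))
    return flagged
```

Running `scan(SAMPLE_LOG)` flags the two IAM records and ignores the ordinary S3 read; in practice the same rules would be fed from CloudTrail delivered to S3 or CloudWatch Logs.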
Indicators of Compromise
- [URL] https://github.com/brentp/gargs/releases/download/v0.3.9/gargs_linux (used by the Lambda function)
- [IPv4] 109.70.100.71, 192.42.116.181 (Tor exit nodes referenced in the campaign)
- [Hash] 64e6ce23db74aed7c923268e953688fa5cc909cc9d1e84dd46063b62bd649bf6 (SHA256 of Lambda.sh)
- [File name] gargs_linux, Lambda.sh (files mentioned in the IOCs)
Read more: https://cyble.com/blog/widespread-cloud-exposure/