Leaked Environment Variables Enable Widespread Cloud Extortion Operation

Unit 42 researchers uncovered a cloud extortion campaign that abused misconfigurations, in particular publicly exposed environment variable (.env) files containing credentials, to compromise and extort multiple organizations. The attackers automated their operations across AWS services, exfiltrated data from S3 and left ransom notes in the buckets without encrypting anything. #Unit42 #Mailgun
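A defender-side check for the exposure the campaign hunted for, added here as an example; it is neither the attackers' scanner nor Unit 42's code. It parses a .env body the way dotenv loaders normally read it, then triages which variables carry credentials (the AWS key-ID shape and the variable-name heuristics are assumptions for the example, and the sample body is constructed, with made-up values). The `check_host` function makes a live HTTP request for `/.env` and should be pointed only at hosts you own.

```python
"""Triage a possibly exposed .env file: parse it, then flag the credential-bearing variables."""
import re
import urllib.request

# Constructed sample of what a misconfigured web server might return for GET /.env.
# Every value here is made up for the example.
SAMPLE_ENV = """
# application settings
APP_ENV=production
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
AWS_SECRET_ACCESS_KEY="abcdefghijklmnopqrstuvwxyz0123456789ABCD"
MAILGUN_API_KEY='key-0123456789abcdef0123456789abcdef'
DB_PASSWORD=hunter2 # rotate me
DEBUG=false
"""

# KEY=VALUE with an optional leading `export`, the shape most dotenv loaders accept.
_ASSIGNMENT = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(body: str) -> dict:
    """Parse dotenv text into a dict; comments and blank lines are skipped, quotes are stripped."""
    env = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGNMENT.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                        # quoted value: keep it verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()   # unquoted: drop a trailing comment
        env[key] = value
    return env


# Heuristics (assumptions for this example): names that usually carry secrets, and the
# fixed shape of an AWS access key ID (AKIA = long-lived user key, ASIA = temporary key).
SENSITIVE_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY", re.I)
AWS_KEY_ID = re.compile(r"^(?:AKIA|ASIA)[A-Z0-9]{16}$")


def classify(env: dict) -> list:
    """Return (variable, class) pairs for variables that look like credentials."""
    findings = []
    for name, value in env.items():
        if AWS_KEY_ID.match(value):
            findings.append((name, "aws-access-key-id"))
        elif value and SENSITIVE_NAME.search(name):
            findings.append((name, "secret-like"))
    return findings


def check_host(base_url: str, timeout: float = 5.0) -> list:
    """Fetch <base_url>/.env and triage it. Makes a live request: use only on hosts you own."""
    req = urllib.request.Request(base_url.rstrip("/") + "/.env",
                                 headers={"User-Agent": "dotenv-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(64 * 1024).decode("utf-8", "replace")
    except Exception:                 # 404, connection refused, TLS error: treat as not exposed
        return []
    return classify(parse_dotenv(body))


if __name__ == "__main__":
    for name, kind in classify(parse_dotenv(SAMPLE_ENV)):
        print(f"{kind:18} {name}")
```

Any non-empty `classify` result on a host you operate means the same file the campaign's scanner was looking for is reachable, and every key it lists should be treated as already leaked and rotated, not merely hidden.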

Keypoints

  • Attackers compromised organizations by harvesting credentials from publicly exposed .env files.
  • Contributing misconfigurations included long-lived access keys and a lack of least-privilege architecture.
  • The operation targeted over 110,000 domains and collected more than 90,000 unique environment variables from the exposed files.
  • Initial access was gained with AWS IAM access keys found in those .env files.
  • Discovery calls against multiple AWS services were used to map the account before expanding control over the environment.
  • Privilege escalation was achieved by creating a new IAM role and attaching the AdministratorAccess managed policy to it.
  • Data was exfiltrated from S3 buckets and a ransom note was then uploaded to each bucket; no data was encrypted.

MITRE Techniques

  • [T1552.001] Unsecured Credentials: Credentials In Files – ‘exposed AWS IAM access keys obtained from publicly accessible .env files.’
  • [T1087] Account Discovery – ‘GetCallerIdentity’ calls to validate the stolen key, followed by discovery actions such as ListUsers to enumerate identities and resources (cloud accounts specifically are T1087.004).
  • [T1068] Exploitation for Privilege Escalation – ‘Created an IAM role named lambda-ex with CreateRole and attached AdministratorAccess to the newly created lambda-ex role’ to gain admin permissions. No software vulnerability was exploited here; the role creation maps more precisely to T1098.003, Account Manipulation: Additional Cloud Roles.
  • [T1059] Command and Scripting Interpreter – ‘The malicious lambda function bash script was configured to perform internet-wide scanning using a preconfigured set of sources’ (T1059.004, Unix Shell).
  • [T1041] Exfiltration Over C2 Channel – ‘S3 Browser tool for data exfiltration from S3 buckets.’ Collection from the buckets themselves is T1530, Data from Cloud Storage.
  • [T1499] Endpoint Denial of Service – ‘Uploaded ransom notes to compromised S3 buckets after data exfiltration.’ Since nothing was encrypted or destroyed, T1657, Financial Theft, describes the extortion more accurately.
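A CloudTrail detection for the post-compromise chain described in the keypoints and the technique list above, added as an example that is not part of the original page and not Unit 42's detection content. The events are constructed: only the two Tor exit addresses come from this page's IoCs, while the access key IDs, the bucket name, the role name reuse and the ransom-note filename heuristic are assumptions. Real CloudTrail records carry the same fields the detector reads (eventSource, eventName, sourceIPAddress, userIdentity.accessKeyId, requestParameters), so the function can be fed a parsed trail directly.

```python
"""Flag the .env-credential extortion chain in CloudTrail records."""
import re
from collections import defaultdict

TOR_EXITS = {"109.70.100.71", "144.172.118.62"}      # the two exit nodes from this page's IoCs
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
RANSOM_NOTE = re.compile(r"ransom|recover|how_to|readme", re.I)   # assumed filename heuristic


# Constructed CloudTrail records, trimmed to the fields the detector reads. Key IDs, the
# bucket name and the ...02/...03 activity are made up; the role name mirrors the report.
def _ev(source, name, ip, key_id, params=None):
    return {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key_id},
            "requestParameters": params}


K1, K2, K3 = "AKIAEXAMPLEEXAMPLE01", "AKIAEXAMPLEEXAMPLE02", "AKIAEXAMPLEEXAMPLE03"
SAMPLE_EVENTS = [
    _ev("sts.amazonaws.com", "GetCallerIdentity", "109.70.100.71", K1),
    _ev("iam.amazonaws.com", "ListUsers", "109.70.100.71", K1),
    _ev("s3.amazonaws.com", "ListBuckets", "109.70.100.71", K1),
    _ev("iam.amazonaws.com", "CreateRole", "109.70.100.71", K1, {"roleName": "lambda-ex"}),
    _ev("iam.amazonaws.com", "AttachRolePolicy", "109.70.100.71", K1,
        {"roleName": "lambda-ex", "policyArn": ADMIN_POLICY}),
    _ev("s3.amazonaws.com", "PutObject", "109.70.100.71", K1,
        {"bucketName": "corp-backups", "key": "HOW_TO_RECOVER_YOUR_FILES.txt"}),
    # a normal deploy pipeline validating its key from inside the VPC: must not alert
    _ev("sts.amazonaws.com", "GetCallerIdentity", "10.0.0.5", K2),
    # a lone key check from the second Tor exit: no chain yet, but worth a look
    _ev("sts.amazonaws.com", "GetCallerIdentity", "144.172.118.62", K3),
]

# Chain stages keyed on (eventSource, eventName); the two conditional stages are handled inline.
STAGE_OF = {
    ("sts.amazonaws.com", "GetCallerIdentity"): "validate-key",
    ("iam.amazonaws.com", "ListUsers"): "discovery",
    ("s3.amazonaws.com", "ListBuckets"): "discovery",
    ("iam.amazonaws.com", "CreateRole"): "create-role",
}


def detect_chain(events, tor_exits=TOR_EXITS, threshold=3):
    """Group events per access key, count chain stages, return keys scoring >= threshold.

    Score = number of distinct stages seen + 2 if any call came from a known Tor exit, so a
    single GetCallerIdentity over Tor is enough to surface a key for review.
    """
    per_key = defaultdict(lambda: {"stages": set(), "tor_sources": set(),
                                   "admin_roles": set(), "ransom_notes": []})
    for ev in events:
        key_id = (ev.get("userIdentity") or {}).get("accessKeyId", "unknown")
        st = per_key[key_id]
        params = ev.get("requestParameters") or {}
        pair = (ev.get("eventSource"), ev.get("eventName"))
        if ev.get("sourceIPAddress") in tor_exits:
            st["tor_sources"].add(ev["sourceIPAddress"])
        if pair in STAGE_OF:
            st["stages"].add(STAGE_OF[pair])
        elif pair == ("iam.amazonaws.com", "AttachRolePolicy") and params.get("policyArn") == ADMIN_POLICY:
            st["stages"].add("admin-policy-attached")
            st["admin_roles"].add(params.get("roleName", "?"))
        elif pair == ("s3.amazonaws.com", "PutObject") and RANSOM_NOTE.search(params.get("key", "")):
            st["stages"].add("ransom-note")
            st["ransom_notes"].append(f"s3://{params.get('bucketName')}/{params['key']}")
    findings = []
    for key_id, st in per_key.items():
        score = len(st["stages"]) + (2 if st["tor_sources"] else 0)
        if score >= threshold:
            findings.append({"accessKeyId": key_id, "score": score,
                             "stages": sorted(st["stages"]),
                             "tor_sources": sorted(st["tor_sources"]),
                             "admin_roles": sorted(st["admin_roles"]),
                             "ransom_notes": st["ransom_notes"]})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in detect_chain(SAMPLE_EVENTS):
        print(f["score"], f["accessKeyId"], ", ".join(f["stages"]), f["admin_roles"], f["ransom_notes"])
```

The AttachRolePolicy check is the highest-signal single event: a long-lived user key granting AdministratorAccess to a role it just created should almost never happen outside an approved change, and catching it there is what stops the S3 exfiltration that follows. Note that S3 PutObject only appears in CloudTrail when data events are enabled for the bucket, so the ransom-note stage is blind on accounts that log management events only.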

Indicators of Compromise

  • [URL] tooling fetched by the scanning script (gargs, a parallel xargs-style runner) – https://github.com/brentp/gargs/releases/download/v0.3.9/gargs_linux
  • [IPv4] Tor exit nodes – 109.70.100.71, 144.172.118.62
  • [Hash] Lambda.sh – 64e6ce23db74aed7c923268e953688fa5cc909cc9d1e84dd46063b62bd649bf6

Read more: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/