Unit 42 researchers detected a large-scale extortion campaign targeting organizations running workloads in the cloud, particularly on Amazon Web Services (AWS). The campaign exploited environment variable (.env) files that misconfigured web servers exposed to the internet: the attackers scanned more than 230 million unique targets and harvested sensitive data, such as cloud access keys, from the files they found. Using automated tooling to identify vulnerable domains, they gained unauthorized access to the cloud accounts behind those keys and conducted extensive reconnaissance of the environments.
The threat actors elevated their privileges by creating new IAM roles and attaching administrative permissions to them, showing a working understanding of AWS's IAM model. They then deployed malicious Lambda functions that scanned further domains for exposed .env files, specifically harvesting Mailgun credentials, presumably for a later phishing campaign. The operation ended with data exfiltrated to attacker-controlled S3 buckets and the originals deleted, followed by ransom notes demanding payment to prevent a leak and to restore the deleted data.
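The privilege-escalation chain above leaves a distinctive trail in CloudTrail: read-only reconnaissance calls, then CreateRole, then AttachRolePolicy with the AWS-managed AdministratorAccess policy, then a Lambda function created with that role. The following detection is an added example, not tooling from Unit 42 or AWS. The event names, eventSource values and policy ARN are real CloudTrail and IAM identifiers; the account ID, principal names, role name, function name and the sample events themselves are constructed.

```python
"""Detect the role-creation privilege-escalation chain in CloudTrail events.

Added example, not tooling from Unit 42 or AWS. Event names, eventSource values
and the policy ARN are real CloudTrail/IAM identifiers; the account ID,
principals, role and function names below are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# Read-only calls an attacker uses to size up a freshly stolen key.
RECON_CALLS = {"GetCallerIdentity", "ListUsers", "ListBuckets", "ListSecrets"}

ATTACKER = {"arn": "arn:aws:iam::123456789012:user/app-deploy"}   # constructed
CI_BOT = {"arn": "arn:aws:iam::123456789012:user/ci-bot"}         # constructed

# Constructed CloudTrail records, trimmed to the fields the detection reads.
SAMPLE_EVENTS = [
    {"eventTime": "2024-08-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "requestParameters": None, "userIdentity": ATTACKER},
    {"eventTime": "2024-08-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "requestParameters": None, "userIdentity": ATTACKER},
    {"eventTime": "2024-08-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole",
     "requestParameters": {"roleName": "svc-maint-role"}, "userIdentity": ATTACKER},
    {"eventTime": "2024-08-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy",
     "requestParameters": {"roleName": "svc-maint-role", "policyArn": ADMIN_POLICY},
     "userIdentity": ATTACKER},
    # Lambda event names carry the API version suffix, e.g. CreateFunction20150331.
    {"eventTime": "2024-08-01T10:10:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331",
     "requestParameters": {"functionName": "env-scan",
                           "role": "arn:aws:iam::123456789012:role/svc-maint-role"},
     "userIdentity": ATTACKER},
    # Benign deployment: a role with a narrow policy must not be flagged.
    {"eventTime": "2024-08-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole",
     "requestParameters": {"roleName": "ci-role"}, "userIdentity": CI_BOT},
    {"eventTime": "2024-08-01T11:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy",
     "requestParameters": {"roleName": "ci-role",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
     "userIdentity": CI_BOT},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_escalation(events, window=timedelta(hours=1)):
    """Return one finding per principal that created a role and granted it
    AdministratorAccess within `window`; a Lambda function backed by that
    role raises the severity. Narrower policies produce no finding."""
    by_actor = defaultdict(list)
    for event in events:
        by_actor[event["userIdentity"]["arn"]].append(event)

    findings = []
    for actor, actor_events in by_actor.items():
        actor_events.sort(key=_ts)
        recon = [e["eventName"] for e in actor_events if e["eventName"] in RECON_CALLS]
        created = {}        # roleName -> CreateRole event by this actor
        admin_roles = set()
        functions = []
        for event in actor_events:
            name = event["eventName"]
            params = event.get("requestParameters") or {}
            if name == "CreateRole":
                created[params["roleName"]] = event
            elif name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY:
                role = params.get("roleName")
                if role in created and _ts(event) - _ts(created[role]) <= window:
                    admin_roles.add(role)
            elif name.startswith("CreateFunction"):
                role_name = params.get("role", "").rsplit("/", 1)[-1]
                if role_name in admin_roles:
                    functions.append(params.get("functionName"))
        if admin_roles:
            findings.append({
                "actor": actor,
                "recon_calls": recon,
                "admin_roles": sorted(admin_roles),
                "lambda_functions": functions,
                "severity": "critical" if functions else "high",
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(detect_escalation(SAMPLE_EVENTS), indent=2))
```

The rule keys on the combination of steps by one principal within a short window rather than on CreateRole alone, which is routine in CI pipelines; attaching AdministratorAccess to a role the same principal created minutes earlier is the signal. Running it on a CloudTrail export (one JSON record per line) only needs the same fields the sample records carry.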
This campaign underlines the need for robust IAM policies and continuous monitoring of cloud activity to reduce the risk of data loss. Organizations are urged to disable unused AWS regions, enable Amazon GuardDuty, adopt a least-privilege access model, and carry out periodic security audits.
AWS responded to the findings, clarifying that its infrastructure was not compromised; the root cause was misconfigured web applications that served their .env files to anyone who requested them. AWS stressed the importance of keeping environment variable files out of web-accessible paths and of using temporary credentials in place of long-lived access keys, so that an exposed file does not hand an attacker persistent access.
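The misconfiguration AWS describes can be checked from the outside against one's own hosts: request /.env, decide whether the response is a real dotenv body rather than a catch-all 200 page, and classify which variables are credentials. The script below is an added example, not from the Unit 42 report or from AWS. Its secret-name patterns are this example's own heuristics, the `/.env` path is the conventional location (not the only one), and the sample response body, including the documented AWS example key pair, is constructed.

```python
"""Check whether a host serves its dotenv file and classify what leaked.

Added example, not from Unit 42 or AWS. The secret-name patterns are this
example's own heuristics; the sample body below is constructed."""
import re
import sys
import urllib.error
import urllib.request

# Variable names whose values are credentials in the sense of the campaign
# (AWS keys, Mailgun keys, generic passwords). Assumed patterns, not exhaustive.
SECRET_KEY_PATTERNS = [
    re.compile(r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$"),
    re.compile(r"^MAILGUN_(API_KEY|SECRET|SMTP_PASSWORD)$"),
    re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)$"),
]
# Long-term (AKIA) and temporary (ASIA) AWS access key ID format.
AWS_ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

# Constructed sample of an exposed Laravel-style .env (AWS's documented example key pair).
SAMPLE_BODY = """# constructed sample, not a real leak
APP_ENV=production
APP_DEBUG=false
DB_PASSWORD="s3cret-db-pass"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_DEFAULT_REGION=us-east-1
MAILGUN_DOMAIN=mg.example.com
MAILGUN_SECRET=key-00000000000000000000000000000000
export STRIPE_KEY=
"""


def parse_dotenv(text):
    """Parse KEY=VALUE lines, tolerating comments, blank lines, an 'export '
    prefix and matching single or double quotes around the value."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", key):
            env[key] = value
    return env


def looks_like_dotenv(text):
    """Reject HTML (soft-404 or app shell returned with 200) and require at
    least two parseable variables before treating the body as a leak."""
    if "<html" in text[:512].lower():
        return False
    return len(parse_dotenv(text)) >= 2


def find_leaked_secrets(env):
    """Return the names of variables whose values look like live credentials.
    Empty values and AWS key IDs that are not in key-ID format are placeholders."""
    leaked = []
    for key, value in env.items():
        if not value:
            continue
        if key == "AWS_ACCESS_KEY_ID" and not AWS_ACCESS_KEY_ID_RE.match(value):
            continue
        if any(p.search(key) for p in SECRET_KEY_PATTERNS):
            leaked.append(key)
    return leaked


def assess_body(body):
    """(exposed, leaked_variable_names) for a response body."""
    if not looks_like_dotenv(body):
        return False, []
    return True, find_leaked_secrets(parse_dotenv(body))


def check_url(base_url, timeout=5):
    """Fetch <base_url>/.env and assess it. Network errors count as not exposed."""
    req = urllib.request.Request(base_url.rstrip("/") + "/.env",
                                 headers={"User-Agent": "env-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(64 * 1024).decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError):
        return False, []
    return assess_body(body)


if __name__ == "__main__":
    for url in sys.argv[1:] or ["https://example.com"]:
        print(url, check_url(url))
```

A positive result means the key must be treated as compromised and rotated, not merely the file hidden; the campaign shows that the key, not the file, is what the attacker keeps. Blocking dotfiles at the web server and moving to IAM roles with temporary credentials, as AWS recommends, removes both halves of the problem.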