AWS Configuration Error Exposes 110,000 Domains

In a recent discovery, Palo Alto Networks unearthed a large-scale extortion campaign that targeted over 100,000 domains. The attackers exploited exposed, misconfigured .env files on Amazon Web Services (AWS) to gain entry into cloud storage systems and demand a ransom for the data they accessed.

This attack stood out for its high level of automation and its in-depth understanding of cloud architecture. The user-side errors that made the compromise possible were familiar ones: inadequately protected environments, reliance on permanent (long-lived) credentials, and no restriction of privileges.

By exploiting the identified vulnerabilities, the attackers infiltrated the cloud storage of their targets and extorted money by posting ransom notes in the compromised storage locations. Notably, the data was not encrypted but was simply extracted, enabling the extortionists to blackmail the victims by threatening to leak the information.

The attack primarily targeted the cloud platforms of AWS, where the perpetrators established their infrastructure and scanned over 230 million unique targets in search of confidential data. To circumvent security protocols, the attackers utilized Tor, VPN, and VPS networks.

As a result of the attack, 110,000 domains were affected, with more than 90,000 unique variables identified in .env files. Of these, 7,000 were linked to cloud services, while 1,500 pertained to social network accounts.

The success of the attack hinged on configuration errors within the impacted organizations that inadvertently exposed .env files. These files often contain access keys and other sensitive information, enabling attackers to gain initial access and escalate their privileges within the victims’ cloud environments.

Investigations into the attack revealed that the perpetrators utilized API requests to gather details about the AWS environment and services, including IAM, S3, and SES services, to expand their control over victims’ cloud infrastructure. They also attempted to elevate their privileges by creating new IAM roles with unrestricted access.

To safeguard their cloud environments, organizations are advised to adhere to the principle of least privilege, use temporary credentials, and implement comprehensive monitoring to detect suspicious activity. AWS security services such as GuardDuty (threat detection) and CloudTrail (API activity logging) can significantly enhance the protection of cloud resources.
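As an added illustration of the CloudTrail monitoring recommended above (this is example code, not from Palo Alto Networks or the report), the following Python script flags IAM API calls that hand a role unrestricted access, the privilege-escalation pattern described in the investigation. The sample records are constructed and trimmed to the fields the check uses.

```python
import json
from urllib.parse import quote, unquote

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def grants_everything(policy_document):
    """True if any Allow statement grants Action "*" on Resource "*"."""
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            return True
    return False

def flag_role_escalation(events):
    """Return (eventName, roleName, reason) for IAM calls that give a role unrestricted access."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        params = ev.get("requestParameters") or {}
        name, role = ev.get("eventName"), params.get("roleName", "?")
        if name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
            findings.append((name, role, "AdministratorAccess attached"))
        elif name == "PutRolePolicy" and "policyDocument" in params:
            # CloudTrail records policyDocument as a URL-encoded JSON string
            if grants_everything(json.loads(unquote(params["policyDocument"]))):
                findings.append((name, role, "inline policy allows * on *"))
    return findings

# Constructed sample CloudTrail records (not from the campaign), trimmed to the fields used above
ALLOW_ALL = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "requestParameters": {"roleName": "svc-role", "policyName": "all",
                           "policyDocument": quote(json.dumps(ALLOW_ALL))}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "requestParameters": {"roleName": "svc-role", "policyArn": ADMIN_POLICY_ARN}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "requestParameters": None},
]

if __name__ == "__main__":
    for finding in flag_role_escalation(SAMPLE_EVENTS):
        print(*finding)
```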
