Researchers at Palo Alto Networks have reported a serious risk to organizations using cloud services that may result in an organization’s files being deleted and held for ransom. The risk does not stem from any vulnerability in the cloud services themselves; it stems from the victim organizations misconfiguring their settings and inadvertently exposing their .env files.
From the Executive Summary of the research:
Unit 42 researchers found an extortion campaign’s cloud operation that successfully compromised and extorted multiple victim organizations. It did so by leveraging exposed environment variable files (.env files) that contained sensitive variables such as credentials belonging to various applications.
Multiple security missteps were present in the course of this campaign, including the following:
- Exposing environment variables
- Using long-lived credentials
- Absence of least privilege architecture
The campaign operation set up its attack infrastructure within various organizations’ Amazon Web Services (AWS) environments and used that groundwork to scan more than 230 million unique targets for sensitive information.
This campaign targeted 110,000 domains, resulting in over 90,000 unique variables in the .env files. Of those variables, 7,000 belonged to organizations’ cloud services and we traced 1,500 variables back to social media accounts. Additionally, attackers used multiple source networks to facilitate the operation.
Access the full research report at Palo Alto Networks.
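The campaign described above began with mass scanning of web servers for reachable .env files, so the earliest sign a defender has is a request for such a path in the web server's access log, and the critical question is whether the server answered with a 2xx status (meaning the file was actually served) rather than 404 or 403. The following script is an added example, not code from the Unit 42 report or from Palo Alto Networks: it parses combined-format access log lines, flags requests for .env and its common variants (.env.bak, .env.production, and so on), aggregates them per source address, and records which paths were served successfully. The log lines and IP addresses are constructed for illustration (documentation address ranges), and the path pattern is an assumption about what a scanner typically requests.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format) for illustration only.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2024:03:14:07 +0000] "GET /.env HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2024:03:14:08 +0000] "GET /laravel/.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Aug/2024:03:15:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/8.0"
198.51.100.77 - - [10/Aug/2024:03:15:02 +0000] "GET /.env.bak?x=1 HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.9 - - [10/Aug/2024:03:16:30 +0000] "GET /app/.env.production HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""

# Common/combined log format: client, ident, user, [timestamp], "METHOD path PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed probe pattern: a path component named .env, optionally with a suffix
# such as .bak, .local or .production, anywhere in the URL path.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[\w-]+)?$')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    # Drop any query string so the pattern is applied to the path alone.
    rec['path'] = rec['path'].split('?', 1)[0]
    return rec


def detect_env_probes(log_text):
    """Summarise .env probing per source address.

    Returns {ip: {'count': n, 'served': [paths answered with 2xx]}}.
    A non-empty 'served' list means the file was actually exposed to that client.
    """
    probes = defaultdict(lambda: {'count': 0, 'served': []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ENV_PATH_RE.search(rec['path']):
            continue
        entry = probes[rec['ip']]
        entry['count'] += 1
        if 200 <= rec['status'] < 300:
            entry['served'].append(rec['path'])
    return dict(probes)


def exposed_paths(log_text):
    """Return the sorted set of .env paths that were served with a 2xx status."""
    paths = set()
    for entry in detect_env_probes(log_text).values():
        paths.update(entry['served'])
    return sorted(paths)


if __name__ == '__main__':
    for ip, entry in detect_env_probes(SAMPLE_LOG).items():
        status = 'EXPOSED' if entry['served'] else 'blocked'
        print(f"{ip}: {entry['count']} probe(s), {status} {entry['served']}")
```

Run against a real log by replacing SAMPLE_LOG with the file contents; any source listed with a non-empty served list should be treated as a confirmed exposure, which means the credentials in that file need to be rotated rather than just the file removed, because the client already holds them.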