Some major firms are being targeted by this dangerous new cybercrime campaign

Poor cybersecurity hygiene, including publicly exposed environment variable files, long-lived credentials, and the absence of a least-privilege architecture, has resulted in multiple organizations being hit with data ransom attacks, experts have warned.

A report from cybersecurity researchers at Unit 42 outlined how they observed the cloud operations of a successful extortion campaign that leveraged exposed environment variable files (.env) holding sensitive data such as login credentials.

The unnamed threat actors set up their attack infrastructure inside Amazon Web Services (AWS) environments belonging to victim organizations, then used it as a launchpad to scan more than 230 million unique targets for sensitive information. As Unit 42 further explained, the campaign targeted 110,000 domains and exposed more than 90,000 unique variables from .env files.

No encryption

Of those variables, 7,000 belonged to organizations' cloud services. That does not necessarily mean 7,000 compromised organizations, since one enterprise most likely owns multiple variables. Still, the crooks stole at least 1,500 variables belonging to social media accounts, which may be a better indication of the number of victims. The attackers also routed the operation through multiple source networks.

While the crooks did steal sensitive data and demand money for it, they did not encrypt their targets' IT infrastructure. This is yet another example of threat actors pivoting away from encryption malware and toward simple data ransom attacks. Some researchers believe that building, maintaining, and deploying encryptors is too expensive and cumbersome, and that simply holding data to ransom is, apparently, equally effective:

"The campaign involved attackers successfully ransoming data hosted within cloud storage containers," Unit 42 said. "The event did not include attackers encrypting the data before ransom, but rather they exfiltrated the data and placed the ransom note in the compromised cloud storage container."

The attackers did not exploit any vulnerability or bug in the software involved, the researchers concluded. The intrusions were entirely the result of human error: web servers misconfigured to serve their .env files, and long-lived credentials stored in those files, to anyone who asked.

“AWS services and infrastructure are not affected by the findings of these researchers," an AWS spokesperson told TechRadar Pro.

"The issues described in this blog were a result of a bad actor abusing misconfigured web applications—hosted both in the cloud and elsewhere—that allowed public access to environment variable (.env) files. Some of these files contained various kinds of credentials, including AWS credentials which were then used by the bad actor to call AWS APIs. Environment variable files should never be publicly exposed, and even if kept private, should never contain AWS credentials. AWS provides a variety of easy-to-use mechanisms for web applications to access temporary AWS credentials in a secure fashion. We recommend customers follow best practices for AWS Identity and Access Management (IAM) to help secure their AWS resources.”
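The AWS statement names two distinct mistakes: serving .env files to the public, and putting long-lived AWS keys in them in the first place. The following Python script is an added example for this article, not code from Unit 42, AWS or TechRadar. It parses a constructed .env file and flags what this campaign harvested: AKIA-prefixed IAM user access keys (which never expire) versus ASIA-prefixed temporary STS keys, social media tokens, and other secrets, and it includes a check for whether a GET of /.env on a host you own really returned a dotenv file rather than an HTML error page served with a 200 status. The variable names, the /.env path, and the severity labels are assumptions; the AWS key values in the sample are AWS's published documentation placeholders, not live credentials.

```python
"""Audit a .env file for the secrets this campaign harvested, and check whether
one of your own hosts serves /.env to the public.

Added example for this article, not code from Unit 42, AWS or TechRadar.
SAMPLE_ENV is constructed; its AWS values are AWS's documentation placeholders.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed sample of what a publicly served .env file often contains.
SAMPLE_ENV = """
# application settings
APP_ENV=production
LOG_LEVEL=info
DB_PASSWORD="s3cr3t-db-pass"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
FACEBOOK_APP_SECRET='0123456789abcdef0123456789abcdef'
TWITTER_BEARER_TOKEN=AAAAAAAAAAAAAAAAAAAAAExampleBearerToken
STRIPE_SECRET_KEY=sk_live_exampleexampleexample
export SENDGRID_API_KEY=SG.exampleexample.exampleexample
"""

ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
AWS_LONG_LIVED = re.compile(r"^AKIA[0-9A-Z]{16}$")  # IAM user access key: never expires
AWS_TEMPORARY = re.compile(r"^ASIA[0-9A-Z]{16}$")   # STS access key: short-lived
SOCIAL = ("FACEBOOK", "TWITTER", "INSTAGRAM", "LINKEDIN", "TIKTOK")  # assumed name hints
SECRET_WORDS = ("SECRET", "PASSWORD", "PASSWD", "TOKEN", "API_KEY", "PRIVATE_KEY")


def parse_env(text):
    """Return {NAME: value} from .env text: skips blanks and comments, tolerates
    an 'export ' prefix and strips matching surrounding quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[name] = value
    return env


@dataclass(frozen=True)
class Finding:
    name: str
    category: str  # aws_long_lived | aws_temporary | aws_credential | social_media | generic_secret
    severity: str  # critical | high | medium (illustrative scale)


def audit_env(env):
    """Classify each variable: cloud credentials first, then social media
    tokens, then any other secret-looking name."""
    findings = []
    for name, value in env.items():
        upper = name.upper()
        if AWS_LONG_LIVED.match(value):
            findings.append(Finding(name, "aws_long_lived", "critical"))
        elif AWS_TEMPORARY.match(value):
            findings.append(Finding(name, "aws_temporary", "high"))
        elif upper in ("AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"):
            findings.append(Finding(name, "aws_credential", "critical"))
        elif any(s in upper for s in SOCIAL) and any(w in upper for w in SECRET_WORDS):
            findings.append(Finding(name, "social_media", "high"))
        elif any(w in upper for w in SECRET_WORDS):
            findings.append(Finding(name, "generic_secret", "medium"))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'social_media': 2, ...}."""
    return dict(Counter(f.category for f in findings))


def looks_exposed(status, content_type, body):
    """True when a GET of /.env returned a real dotenv file rather than an
    HTML error page that a misconfigured server sent with status 200."""
    if status != 200 or "text/html" in (content_type or "").lower():
        return False
    return len(parse_env(body)) > 0


def fetch_env(base_url, timeout=5):
    """GET base_url + '/.env' on a host you own. Returns (status, content_type,
    body), or None when no HTTP response came back at all."""
    req = Request(base_url.rstrip("/") + "/.env", headers={"User-Agent": "env-audit/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode("utf-8", "replace")
    except HTTPError as e:  # 403/404 etc. still carry a status worth reporting
        return e.code, e.headers.get("Content-Type", ""), e.read().decode("utf-8", "replace")
    except URLError:
        return None


if __name__ == "__main__":
    found = audit_env(parse_env(SAMPLE_ENV))
    for f in found:
        print(f"{f.severity:8} {f.category:15} {f.name}")
    print(summarize(found))
```

Run it against a real file with `audit_env(parse_env(open(".env").read()))`, and point `fetch_env` only at hosts you are authorized to test; a `looks_exposed` result of True on the response means the file is reachable by exactly the kind of mass scanner described above. Whatever the audit reports, the fix AWS points to is structural: the web tier should obtain temporary credentials from an IAM role attached to the instance, container or function, so that an AKIA key never needs to exist in a file on the server at all.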

Via The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
