Over 110,000 domains have been impacted by a widespread ransomware campaign. The campaign took advantage of misconfigured environment variable files (.env files) that were stored on Amazon Web Services (AWS).
First discovered by Palo Alto Networks, cybercriminals managed to infiltrate cloud environments and extort ransom payments from targeted organizations by accessing their sensitive data.
How it happened
The attackers exploited vulnerable .env files commonly utilized in web applications to store critical information such as API keys, database credentials, and login details.
These files were not properly configured, which made them accessible online. After gaining access to these files, the attackers utilized the information to infiltrate the cloud services of their victims, spanning across various industries and sectors.
The attackers were able to access a large amount of sensitive data due to these misconfigurations. They then held this data for ransom.
Organizations faced immense pressure to comply with the attackers' demands as victims were threatened with the release or destruction of their data unless a ransom was paid.
The campaign was executed using a variety of techniques and tools. They used the Tor network to carry out reconnaissance and gain initial access, maintaining anonymity while searching for vulnerable .env files.
They were able to navigate through the target's cloud infrastructure, using virtual private networks (VPNs) to move within systems and extract data without being detected.
In addition, virtual private servers (VPS) were used to handle various aspects of the operation and support the overall attack infrastructure.
Scale of the ransomware campaign
This ransomware campaign was of an immense scale. The attackers conducted a thorough scan of more than 230 million unique targets, uncovering nearly 90,000 different variables within .env files.
Out of all the variables, 7,000 were connected to cloud services utilized by organizations, like AWS, while an additional 1,500 were associated with social media profiles.
The attackers had a particular interest in the settings and services of Amazon Web Services (AWS).
The campaign focused on popular AWS services such as Simple Storage Service (S3), Simple Email Service (SES), and IAM Security Token Service (STS).
This large-scale campaign affected organizations across different industries, revealing the widespread vulnerability posed by poorly protected cloud environments.
Attackers used a range of networks and services, enhancing the complexity of the operation.
The impact of the attack is currently being evaluated, but the significant number of affected domains emphasizes the crucial security vulnerabilities in cloud setups.