SecurityWeek reports that threat actors who leveraged misconfigured web servers exposing .env files containing sensitive data were able to target 110,000 domains as part of an extortion campaign.
Inadequate protection of the .env files that web applications use to define configuration variables allowed the compromise of AWS Identity and Access Management (IAM) credentials and, eventually, access to cloud environments, according to an analysis from Palo Alto Networks. The attacks also involved reconnaissance through Tor-based infrastructure, lateral movement and data theft via VPNs, and exploitation of virtual private servers, researchers added.
"The event did not include attackers encrypting the data before ransom, but rather they exfiltrated the data and placed the ransom note in the compromised cloud storage container," said Palo Alto Networks.
In light of these findings, researchers recommend using temporary credentials, applying the principle of least privilege to IAM resources, logging and monitoring resource activity, and deactivating unused resources.
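The recommendations above start from the defender's side of the finding: know where .env files sit under a web document root and whether any of them hold long-lived AWS credentials. The following audit script is an added example, not code from SecurityWeek, Palo Alto Networks or AWS. It assumes the web root is a local directory, that any file named `.env` or `.env.<suffix>` under it would be served to anonymous HTTP clients unless the web server blocks dotfiles, and it uses a constructed sample web root with fake credential values; the key-id regex encodes the documented `AKIA`/`ASIA` prefix format and is an assumption about key shape, not an AWS-provided check.

```python
"""
Audit a web document root for .env files and for AWS credentials stored in them.

Added example, not part of the reporting quoted on this page. Assumes the web
root is a local directory and that any .env / .env.* file under it would be
served to anonymous clients unless the web server explicitly blocks dotfiles.
"""
import os
import re
import tempfile
from typing import Dict, List

# Keys whose presence means long-lived AWS credentials are stored on disk,
# which the AWS statement on this page says should never happen.
AWS_CREDENTIAL_KEYS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

# Assumed shape of an AWS access key id (documented AKIA/ASIA prefix + 16 chars).
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

# KEY=VALUE with optional leading "export ".
ENV_LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines of a dotenv file, ignoring comments and blank lines."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE_RE.match(line)
        if not m:
            continue  # malformed line; dotenv loaders skip these too
        key, value = m.group(1), m.group(2).strip()
        # Strip one pair of matching surrounding quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def find_env_files(web_root: str) -> List[str]:
    """Return every .env / .env.* file under web_root, sorted by path."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            if name == ".env" or name.startswith(".env."):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def audit_web_root(web_root: str) -> List[dict]:
    """One finding per .env file: which AWS keys it holds and whether the id looks real."""
    findings = []
    for path in find_env_files(web_root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            env = parse_env(fh.read())
        aws_keys = sorted(k for k in env if k in AWS_CREDENTIAL_KEYS)
        key_id = env.get("AWS_ACCESS_KEY_ID", "")
        findings.append({
            "path": os.path.relpath(path, web_root),
            "aws_keys": aws_keys,
            "looks_like_real_key_id": bool(ACCESS_KEY_ID_RE.match(key_id)),
            # Any .env under the web root is a problem; one with AWS keys is worse.
            "severity": "critical" if aws_keys else "high",
        })
    return findings


def build_sample_web_root() -> str:
    """Constructed sample web root with two .env files; all credential values are fake."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "app", "config"))
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("# production settings\nAPP_ENV=production\n"
                 "AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AA\n"
                 'AWS_SECRET_ACCESS_KEY="not-a-real-secret"\n')
    with open(os.path.join(root, "app", "config", ".env.local"), "w") as fh:
        fh.write("DB_HOST=localhost\nDB_PASSWORD=changeme\n")
    return root


if __name__ == "__main__":
    for finding in audit_web_root(build_sample_web_root()):
        print(finding)
```

Run it against a real document root instead of the sample and treat every finding as actionable: a `critical` finding means rotating the exposed AWS key and moving the application to temporary credentials (an instance profile or a task role), and any finding at all means the web server should also deny dotfiles outright, for example an nginx `location ~ /\.` block with `deny all`, so that a future misplaced file is not served even before the next audit.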
An AWS spokesperson gave the following statement: “AWS services and infrastructure are not affected by the findings of these researchers. The issues described in this blog were a result of a bad actor abusing misconfigured web applications — hosted both in the cloud and elsewhere — that allowed public access to environment variable (.env) files. Some of these files contained various kinds of credentials, including AWS credentials which were then used by the bad actor to call AWS APIs. Environment variable files should never be publicly exposed, and even if kept private, should never contain AWS credentials. AWS provides a variety of easy-to-use mechanisms for web applications to access temporary AWS credentials in a secure fashion. We recommend customers follow best practices for AWS Identity and Access Management (IAM) to help secure their AWS resources.”