AWS configuration error resulted in the compromise of 110,000 domains

Vulnerabilities in ENV files led to massive ransomware attacks.

Palo Alto Networks discovered a large-scale ransomware campaign that affected more than 100,000 domains. Attackers used improperly configured ENV files in AWS to gain access to data in cloud storage and demand a ransom for them.

The attack was characterized by a high degree of automation and deep knowledge of cloud architecture. The main mistakes by cloud-service users that allowed the data to be compromised were: unprotected environment variables, the use of long-lived (permanent) credentials, and the absence of measures to limit privileges.

Exploiting the discovered vulnerabilities, the attackers gained access to the victims' cloud data storage and extorted money by placing ransom notes in the compromised storage. The data was not encrypted, but simply exfiltrated, which let the extortionists blackmail victims with the threat of leaking the information.

The attack unfolded on Amazon Web Services (AWS) cloud platforms, where the attackers set up their infrastructure and scanned more than 230 million unique targets for confidential information. To evade security systems, the attackers used the Tor network, VPNs, and VPS hosts.

As a result of the attack, 110,000 domains were affected, and more than 90,000 unique variables were found in .env files. Among them, 7,000 were connected to cloud services, and 1,500 were connected to social media accounts.

A key role in the success of the attack was played by configuration errors within the affected organizations that accidentally made .env files publicly accessible. ENV files often contain access keys and other sensitive data, which allowed the attackers to gain initial access and escalate their privileges in the victims' cloud environments.

Analysis of the attack revealed that the attackers used API requests to enumerate the AWS environment and its services, including IAM, S3, and SES, in order to expand their foothold in the victims' cloud infrastructure. They also tried to escalate their privileges by creating new IAM roles with unlimited access.
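The IAM activity described above (new roles, policies granting unlimited access) is exactly what CloudTrail records, so it can be detected from the logs the article later recommends enabling. The following is an added example, not code from the article or from Palo Alto Networks: it flags privilege-widening IAM calls in CloudTrail records. The records are constructed for illustration; the field names (eventSource, eventName, requestParameters, userIdentity) follow the CloudTrail event format, and the account ID and IP address are placeholders.

```python
"""Flag privilege-escalation patterns in CloudTrail records (added example)."""
import json
from typing import Optional

# Managed policies that grant effectively unlimited access.
ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}

# IAM calls that create a principal or widen its permissions.
PRIV_EVENTS = {"CreateRole", "AttachRolePolicy", "PutRolePolicy",
               "AttachUserPolicy", "PutUserPolicy", "CreateAccessKey"}


def _policy_is_wildcard(policy_doc: str) -> bool:
    """True if an inline policy document allows Action "*" on Resource "*"."""
    try:
        doc = json.loads(policy_doc)
    except (TypeError, ValueError):
        return False
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        resources = s.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False


def classify(record: dict) -> Optional[str]:
    """Return a finding label for one CloudTrail record, or None if not of interest."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    name = record.get("eventName")
    if name not in PRIV_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    if name in ("AttachRolePolicy", "AttachUserPolicy") and params.get("policyArn") in ADMIN_POLICY_ARNS:
        return "admin-policy-attached"
    if name in ("PutRolePolicy", "PutUserPolicy") and _policy_is_wildcard(params.get("policyDocument", "")):
        return "wildcard-inline-policy"
    if name == "CreateRole":
        return "role-created"
    if name == "CreateAccessKey":
        return "access-key-created"
    return None


def scan(records: list) -> list:
    """Return findings with actor/source/time context for each suspicious record."""
    findings = []
    for r in records:
        label = classify(r)
        if label:
            findings.append({
                "finding": label,
                "eventName": r.get("eventName"),
                "time": r.get("eventTime"),
                "sourceIP": r.get("sourceIPAddress"),
                "actor": (r.get("userIdentity") or {}).get("arn"),
            })
    return findings


# Constructed sample records (placeholder account ID and IP, not real CloudTrail output).
_ACTOR = {"arn": "arn:aws:iam::123456789012:user/app-user"}
_WILDCARD_DOC = json.dumps({"Version": "2012-10-17",
                            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})
SAMPLE_RECORDS = [
    {"eventTime": "2024-08-15T10:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7", "userIdentity": _ACTOR},
    {"eventTime": "2024-08-15T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole", "sourceIPAddress": "198.51.100.7", "userIdentity": _ACTOR,
     "requestParameters": {"roleName": "lambda-helper"}},
    {"eventTime": "2024-08-15T10:02:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePolicy", "sourceIPAddress": "198.51.100.7", "userIdentity": _ACTOR,
     "requestParameters": {"roleName": "lambda-helper", "policyName": "all",
                           "policyDocument": _WILDCARD_DOC}},
    {"eventTime": "2024-08-15T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "sourceIPAddress": "198.51.100.7", "userIdentity": _ACTOR,
     "requestParameters": {"roleName": "lambda-helper",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-08-15T10:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7", "userIdentity": _ACTOR},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

The enumeration calls (GetCallerIdentity, ListBuckets) are deliberately not flagged on their own, since they are common in legitimate automation; a role created and then given wildcard or AdministratorAccess permissions from the same source within minutes is the sequence worth alerting on, and the actor and source IP in each finding are what an analyst needs to pivot from.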

Organizations that want to protect their cloud environments are encouraged to follow least-privilege guidelines, use temporary credentials, and enable all available event logging to support monitoring and detection of suspicious activity. Enabling Amazon's security services, such as GuardDuty and CloudTrail, can also significantly raise the level of protection for cloud resources.
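Two of the points above, exposed .env files carrying access keys and the recommendation to use temporary credentials, can be checked directly against a project's .env files before they are ever deployed. The following is an added example, not code from the article: it parses a .env file and flags AWS access key IDs, distinguishing long-term IAM user keys (which begin with "AKIA") from temporary STS credentials (which begin with "ASIA"), and also flags variables whose names suggest secrets. The .env contents are constructed; the AKIA value is the placeholder key from AWS documentation and the ASIA value is made up.

```python
"""Audit a .env file for long-lived AWS credentials and other secrets (added example)."""
import re

# AWS access key IDs are 20 characters: a 4-letter prefix plus 16 uppercase alphanumerics.
# AKIA = long-term IAM user key, ASIA = temporary (STS) credential.
AWS_KEY_RE = re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")
# Variable names that usually hold secrets, regardless of the value's shape.
SECRET_NAME_RE = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY)", re.I)


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; skip blanks and comments, drop 'export ', strip quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def audit_env(text: str) -> list:
    """Return (variable, finding) pairs for credentials found in the .env text."""
    findings = []
    for key, value in parse_env(text).items():
        match = AWS_KEY_RE.match(value)
        if match:
            kind = "long-lived" if match.group(1) == "AKIA" else "temporary"
            findings.append((key, f"aws-access-key:{kind}"))
        elif value and SECRET_NAME_RE.search(key):
            findings.append((key, "secret-like-value"))
    return findings


def has_long_lived_aws_key(text: str) -> bool:
    """True if the .env holds a permanent IAM user key, the case the article warns about."""
    return any(f == "aws-access-key:long-lived" for _, f in audit_env(text))


# Constructed sample .env (not a real file; the AKIA value is the AWS documentation placeholder).
SAMPLE_ENV = """
# application settings
APP_ENV=production
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
export DB_PASSWORD='s3cret'
MAIL_FROM=noreply@example.com
TEMP_AWS_ACCESS_KEY_ID=ASIAEXAMPLEEXAMPLE12
"""

if __name__ == "__main__":
    for variable, finding in audit_env(SAMPLE_ENV):
        print(f"{variable}: {finding}")
    print("long-lived AWS key present:", has_long_lived_aws_key(SAMPLE_ENV))
```

Run this over the .env files in a repository as a pre-commit or CI step: any "aws-access-key:long-lived" finding means a permanent key that should be replaced by a role or temporary credentials, and every secret-like value is a reason to confirm the file is excluded from the web root and from version control.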
