Hide yo environment files! Or risk getting your cloud-stored data stolen and held for ransom
Cybercriminals are breaking into organizations' cloud storage containers and exfiltrating their sensitive data and, in several cases, have been paid off by the victim organizations not to leak or sell the stolen data.
Exposed environment files hold keys to hosting cloud environments.
The attackers gained access to the cloud storage containers by scanning for and leveraging exposed environment files within the victim organization's web applications.
"The attack pattern of scanning the internet for domains and exploiting credentials obtained from exposed environment variable files follows a larger pattern we believe propagates through other compromised AWS environments."
This allowed them to create Amazon Elastic Compute Cloud (EC2) resources for cryptomining, and to create AWS Lambda functions to perform automated internet-wide scanning for environment variable files exposed at various domains.
"Upon successfully retrieving the domain's exposed environment file, the lambda function uncovered and identified cleartext credentials contained within the file. Once the lambda function identified the credentials, it stored them in a newly created folder within another threat-actor-controlled public S3 bucket," the researchers shared.
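A defender-side check for the exposure described above, as an added example that is not from the article or the researchers: it walks a directory the web server serves (the `webroot` argument, an assumption), finds dotenv files, and reports variables that look like cleartext credentials. The variable-name patterns are a heuristic and the sample file is constructed for illustration.

```python
import os
import re
import tempfile

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Variable names that conventionally hold secrets (heuristic, an assumption).
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|ACCESS_KEY", re.I)
ENV_FILE = re.compile(r"^\.env(\..+)?$")  # .env, .env.production, .env.bak

def parse_dotenv(text):
    """Yield (line_no, name, value) for KEY=VALUE lines; skip comments and blanks."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        name, value = line.split("=", 1)
        yield no, name.strip(), value.strip().strip("'\"")

def audit_webroot(webroot):
    """Return (relative path, line, variable, kind) for secrets in served dotenv files."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in filter(ENV_FILE.match, files):
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                entries = list(parse_dotenv(fh.read()))
            for no, name, value in entries:
                if AWS_KEY_ID.search(value):
                    kind = "aws-access-key-id"
                elif value and SECRET_NAME.search(name):
                    kind = "secret-like-variable"
                else:
                    continue
                # Report location and variable name only, never the value itself.
                findings.append((os.path.relpath(path, webroot), no, name, kind))
    return sorted(findings)

def demo():
    """Audit a constructed web root containing a constructed .env file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        with open(os.path.join(root, "app", ".env"), "w", encoding="utf-8") as fh:
            fh.write("# constructed sample\nAPP_NAME=shop\n"
                     "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                     "export DB_PASSWORD='not-a-real-password'\nMAIL_TOKEN=\n")
        return audit_webroot(root)
```

An empty result only means nothing matched these heuristics; keeping dotenv files outside the served directory removes the exposure itself.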
News URL
https://www.helpnetsecurity.com/2024/08/15/exposed-environment-files-data-theft/