Attackers Exploit Public .env Files to Breach Cloud Accounts in Extortion Campaign
2024-08-16 16:30

A large-scale extortion campaign has compromised various organizations by taking advantage of publicly accessible environment variable files that contain credentials associated with cloud and social media applications.

Env files, out of which 7,000 belonged to organizations' cloud services and 1,500 variables are linked to social media accounts.

"The campaign involved attackers successfully ransoming data hosted within cloud storage containers," Unit 42 said.

"The event did not include attackers encrypting the data before ransom, but rather they exfiltrated the data and placed the ransom note in the compromised cloud storage container."

A successful breach of a cloud environment paves the way for extensive discovery and reconnaissance aimed at broadening the attackers' foothold, with the threat actors weaponizing AWS Identity and Access Management (IAM) access keys to create new roles and escalate their privileges.

Env files contain Mailgun credentials, indicating an effort on the part of the adversary to leverage them for sending phishing emails from legitimate domains and bypassing security protections.
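
As an added illustration (not code from Unit 42 or from the article), the Python below audits a directory that a web server publishes for dotenv files and reports which variables look like credentials, without printing their values. The function names, the regular expressions and the assumption that the path passed in is the served document root are this example's own.

```python
import os
import re
import sys

# Assumed heuristics: AWS key IDs start with AKIA (long-term) or ASIA (temporary).
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
SENSITIVE_NAME = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|ACCESS_KEY|MAILGUN)", re.I)
LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(text):
    """Yield (name, value) pairs from dotenv-style text, skipping comments."""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = LINE.match(raw)
        if m:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]  # drop matching surrounding quotes
            yield m.group(1), value


def classify(name, value):
    """Return a finding label for a variable, or None if it looks harmless."""
    if AWS_KEY_ID.search(value):
        return "aws-access-key-id"
    if value and SENSITIVE_NAME.search(name):
        return "sensitive-name"
    return None


def audit_webroot(webroot):
    """Return sorted (relative_path, variable, label) for .env files under webroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            if fname == ".env" or fname.startswith(".env."):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for name, value in parse_env(fh.read()):
                        label = classify(name, value)
                        if label:
                            findings.append((os.path.relpath(path, webroot), name, label))
    return sorted(findings)

if __name__ == "__main__":
    for rel, name, label in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {name} [{label}]")
```

Any finding means a dotenv file sits where the web server can reach it; the file should be moved out of the served tree and the listed credentials rotated.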


News URL

https://thehackernews.com/2024/08/attackers-exploit-public-env-files-to.html