Experts warn that poor cybersecurity, including exposed environment variable files, long-lived credentials and the lack of a least-privilege architecture, have led to multiple organizations becoming targets of ransomware attacks.
A report Cybersecurity researchers from Unit 42 outlined how they observed a successful cloud extortion campaign that leveraged exposed environment variable (.ENV) files containing sensitive data such as login credentials.
The anonymous threat actors set up their attack infrastructure within Amazon Web Services (AWS) environments belonging to target organizations, and then used it as a launchpad to scan over 230 million unique targets for sensitive information. As Unit 42 further explained, the campaign targeted 110,000 domains, and resulted in the exposure of over 90,000 unique variables within the .ENV files.
No encryption
Of those variables, 7,000 belonged to organizations’ cloud services. However, that doesn’t necessarily mean that 7,000 organizations were compromised, as a single company likely owns multiple variables. Still, the attackers stole at least 1,500 variables belonging to social media accounts, which could be a good indication of the number of victims. Furthermore, the attackers used multiple source networks to facilitate the operation.
While the attackers stole sensitive data and demanded money for it, they did not encrypt their targets’ IT infrastructure. This is another example of threat actors moving away from encryption malware and toward simple data ransom attacks. Some researchers argue that building, maintaining, and then deploying encryptors is too expensive and cumbersome. Simply holding data ransom appears to be just as effective:
“The campaign involved attackers successfully holding data hosted in cloud storage containers hostage,” Unit 42 said. “The incident did not involve attackers encrypting the data prior to holding it hostage, but rather exfiltrating the data and placing the ransom note into the compromised cloud storage container.”
The attackers did not exploit a vulnerability or bug in the system, the researchers concluded. This is all the result of human error and carelessness.
Via The Hacker News