Understanding a Large-Scale Cloud Extortion Campaign
A recent large-scale extortion campaign has drawn the attention of security professionals because of its systematic exploitation of publicly accessible environment variable files (.env files). This blog post delves into the tactics and techniques used by the attackers, which resulted in the compromise of various organizations’ sensitive cloud and social media credentials.
Campaign Overview
Initial Findings and Impact
The campaign, as reported by Palo Alto Networks Unit 42, exposed critical missteps in cloud security: the exposure of environment variables, the use of long-lived credentials, and the absence of a least privilege architecture. The attackers used these exposed .env files to gather credentials and then launched an extensive reconnaissance operation within the compromised organizations’ Amazon Web Services (AWS) environments.
Key statistics from the campaign include:
- 230 million unique targets scanned
- 110,000 domains targeted
- 90,000 unique .env variables extracted
- 7,000 cloud service credentials
- 1,500 social media credentials
The attackers notably did not exploit vulnerabilities in cloud service providers but took advantage of misconfigurations and publicly exposed files to initiate their campaign.
Tactical Exploitation of Environment Variables
Initial Access: Exploiting Misconfigured .env Files
Environment files (.env files) often contain secrets such as hard-coded cloud access keys, SaaS API keys, and database login information. These files, when improperly secured and exposed publicly, serve as a goldmine for attackers. In this campaign, threat actors scanned for web applications with these exposed files, extracting IAM access keys to gain initial access to cloud environments.
curl https://target/.env
The above curl command exemplifies the simplicity and effectiveness of their attack vector: no exploit is needed, only an unauthenticated HTTP request for a file that should never have been web-accessible.
Discovery and Reconnaissance
Upon gaining access, the threat actors performed various discovery operations using AWS APIs to understand the environment and identify exploitable services. Key API calls included:
- GetCallerIdentity: to verify the principal’s identity
- ListUsers: to enumerate IAM users
- ListBuckets: to identify S3 buckets
These operations enhanced the attackers’ ability to maneuver within the cloud environment, laying the groundwork for privilege escalation and broader reconnaissance.
Privilege Escalation: Creating a New IAM Role
The attackers exploited the permissions of compromised IAM credentials to create new IAM roles with administrative access. This involved using the CreateRole API call followed by AttachRolePolicy to grant administrator privileges to a newly created role, facilitating further malicious activities.
{
    "IAMPolicyDocument": {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
            }
        ]
    },
    "RoleName": "lambda-ex"
}
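A detection-side counterpart to the two stages above (the recon triple and the admin role grant), added here as an example; it is not code from the Unit 42 report. It runs over constructed CloudTrail-style records (the access key id, timestamps, role name and the make_event helper are assumptions) and flags an access key that issues GetCallerIdentity, ListUsers and ListBuckets within a short window, plus any role that is granted the AdministratorAccess managed policy or an inline Allow-*-on-* policy like the one shown above.

```python
import json
from datetime import datetime

def make_event(t, source, name, key, **params):  # constructed CloudTrail-style record
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}

KEY = "AKIAEXAMPLE000000001"  # constructed access key id, not a real one
WILDCARD = json.dumps({"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})
SAMPLE_EVENTS = [
    make_event("2024-08-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", KEY),
    make_event("2024-08-01T10:00:05Z", "iam.amazonaws.com", "ListUsers", KEY),
    make_event("2024-08-01T10:00:09Z", "s3.amazonaws.com", "ListBuckets", KEY),
    make_event("2024-08-01T10:01:00Z", "iam.amazonaws.com", "CreateRole", KEY, roleName="lambda-ex"),
    make_event("2024-08-01T10:01:03Z", "iam.amazonaws.com", "AttachRolePolicy", KEY,
               roleName="lambda-ex", policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    make_event("2024-08-01T10:01:07Z", "iam.amazonaws.com", "PutRolePolicy", KEY,
               roleName="lambda-ex", policyName="all", policyDocument=WILDCARD),
]
RECON_CALLS = {"GetCallerIdentity", "ListUsers", "ListBuckets"}

def is_wildcard_policy(doc):
    """True if an Allow statement grants Action '*' on Resource '*' (string or list form)."""
    wild = lambda v: v == "*" or (isinstance(v, list) and "*" in v)
    doc = json.loads(doc) if isinstance(doc, str) else doc  # CloudTrail stores the doc as a string
    return any(s.get("Effect") == "Allow" and wild(s.get("Action")) and wild(s.get("Resource"))
               for s in doc.get("Statement", []))

def find_recon_keys(events, window_s=300):
    """Access keys that issue all three recon calls within window_s seconds."""
    by_key = {}
    for e in events:
        if e["eventName"] in RECON_CALLS:
            by_key.setdefault(e["userIdentity"]["accessKeyId"], []).append(e)
    def burst(evs):  # full triple seen, and tightly clustered in time
        times = [datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ") for e in evs]
        return ({e["eventName"] for e in evs} == RECON_CALLS
                and (max(times) - min(times)).total_seconds() <= window_s)
    return sorted(k for k, evs in by_key.items() if burst(evs))

def find_admin_role_grants(events):
    """Roles given the AdministratorAccess managed policy or an inline wildcard policy."""
    roles = set()
    for e in events:
        p = e.get("requestParameters", {})
        if e["eventName"] == "AttachRolePolicy" and p.get("policyArn", "").endswith("/AdministratorAccess"):
            roles.add(p["roleName"])
        elif e["eventName"] == "PutRolePolicy" and is_wildcard_policy(p.get("policyDocument", "{}")):
            roles.add(p["roleName"])
    return sorted(roles)
```

Both checks are cheap enough to run over a daily CloudTrail export; the window and the managed-policy ARN suffix are the knobs to tune for your account.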
Execution: Leveraging AWS Lambda for Scanning
Failed attempts to create EC2 instances for cryptomining led the attackers to pivot to AWS Lambda. They succeeded in deploying a malicious Lambda function designed to perform internet-wide scanning. This function iterated over a list of domains, searching for exposed .env files to harvest more credentials.
#!/bin/bash
# Pull the list of domains to check from a third-party bucket
targets=$(curl -s https://thirdparty-bucket/targets.txt)
for domain in $targets; do
    # Request the .env file from each domain
    env_file=$(curl -s https://$domain/.env)
    # Keep only files that contain Mailgun credentials
    if [[ $env_file == *"MAILGUN"* ]]; then
        echo $env_file > /path/to/storage/$domain.env
    fi
done
Exfiltration and Impact
The attackers exfiltrated sensitive data from compromised S3 buckets using the S3 Browser tool, leaving ransom notes in place of the exfiltrated data. These ransom notes warned victims of the potential sale of their data on the dark web unless a ransom was paid.
The ultimate impact included:
- Data exfiltration from cloud storage containers
- Exposure of 90,000 unique credentials
- Persistent risk of large-scale phishing attacks using compromised Mailgun credentials
Analysis and Insights
Key Missteps and Security Failures
- Exposing Environment Variables: Publicly accessible .env files provided an easy entry point for attackers.
- Use of Long-Lived Credentials: Static access keys without expiration enabled prolonged unauthorized access.
- Lack of Least Privilege Architecture: Over-permissive IAM roles facilitated privilege escalation and extensive malicious activities.
Automation and Advanced Tactics
The campaign’s reliance on automation underscores the attackers’ operational efficiency in scanning and compromising vast numbers of targets. Running the scanning infrastructure inside compromised AWS environments, rather than on attacker-owned hosts, reflects a solid understanding of cloud services and how to repurpose them.
Recommendations for Mitigation
Organizations must adopt robust security measures to safeguard against such attacks:
- Temporary Credentials: Implement temporary IAM roles to minimize exposure time.
- Least Privilege Principle: Enforce strict IAM policies to limit permissions.
- Secure Configuration Management: Regularly audit and secure .env files and other sensitive configurations.
- Monitoring and Logging: Enable comprehensive logging and monitoring to detect abnormal activities promptly.
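One concrete way to act on the temporary-credentials recommendation, added here as an example and not code from the report: flag every active IAM access key that has not been rotated within a given number of days. The input is a constructed excerpt of an IAM credential report (the account id, user names and dates are made up; the column names follow the real report, which carries more columns than shown).

```python
import csv
import io
from datetime import datetime, timezone

# Constructed excerpt of an IAM credential report; account id, users and dates are made up.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,true,2022-01-15T08:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-07-20T09:30:00+00:00,true,2021-03-01T12:00:00+00:00
<root_account>,arn:aws:iam::111122223333:root,false,N/A,false,N/A
"""

def stale_access_keys(report_csv, max_age_days=90, now_iso=None):
    """Return (user, key_slot, age_days) for every active key older than max_age_days."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            rotated = row[f"access_key_{slot}_last_rotated"]
            if row[f"access_key_{slot}_active"] != "true" or rotated == "N/A":
                continue  # inactive key, or no key in this slot
            age = (now - datetime.fromisoformat(rotated)).days
            if age > max_age_days:
                stale.append((row["user"], int(slot), age))
    return stale
```

Keys that show up here are the ones a leaked .env file would hand an attacker indefinitely; the fix is rotation or, better, replacing them with short-lived role credentials.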
Conclusion
This extensive analysis of the large-scale cloud extortion campaign highlights critical security lapses that organizations must address to protect their cloud environments. By adopting proactive security measures and maintaining vigilant monitoring, organizations can mitigate the risks posed by such sophisticated threat actors.