Nexsecura

Understanding a Large-Scale Cloud Extortion Campaign

A recent large-scale extortion campaign has drawn the attention of security professionals because of how effectively it exploited publicly accessible environment variable files (.env files). This post walks through the tactics and techniques the attackers used, which led to the compromise of multiple organizations’ cloud and social media credentials.

Campaign Overview

Initial Findings and Impact

The campaign, as reported by Palo Alto Networks Unit 42, exposed critical missteps in cloud security: exposed environment variables, long-lived credentials, and the absence of a least privilege architecture. The attackers used the exposed .env files to gather credentials and then launched an extensive reconnaissance operation inside the compromised organizations’ Amazon Web Services (AWS) environments.

Key statistics from the campaign include:

  • 230 million unique targets scanned
  • 110,000 domains targeted
  • 90,000 unique .env variables extracted
  • 7,000 cloud service credentials
  • 1,500 social media credentials

The attackers notably did not exploit vulnerabilities in cloud service providers but took advantage of misconfigurations and publicly exposed files to initiate their campaign.

Tactical Exploitation of Environment Variables

Initial Access: Exploiting Misconfigured .env Files

Environment files (.env files) often contain secrets such as hard-coded cloud access keys, SaaS API keys, and database login information. These files, when improperly secured and exposed publicly, serve as a goldmine for attackers. In this campaign, threat actors scanned for web applications with these exposed files, extracting IAM access keys to gain initial access to cloud environments.

curl https://target/.env

The curl command above shows how simple, and how effective, the attack vector was: a single unauthenticated request for a file that should never be served.
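As an added defensive example (not code from this post or from Unit 42), the following Python performs the two checks that would have closed this entry point before deployment: it lists dotfiles sitting in a served document root, and it parses a .env file and reports which entries look like the credential types the campaign harvested. The parser follows common dotenv conventions (comments, `export` prefix, quoted values). The sample .env is constructed; the AWS key pair in it is the placeholder from AWS's own documentation, and the category rules are this example's own heuristics.

```python
import os
import re
from typing import Dict, List, Tuple

# KEY=VALUE with an optional "export " prefix; the value is parsed separately below.
_ASSIGNMENT = re.compile(r'^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')

# AWS access key IDs start with AKIA (long-lived) or ASIA (temporary) plus 16 characters.
_AWS_KEY_ID = re.compile(r'\b(?:AKIA|ASIA)[0-9A-Z]{16}\b')


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse .env content the way common dotenv loaders do: comments and blank
    lines are skipped, quoted values keep their contents verbatim, and unquoted
    values end at the first '#'."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ASSIGNMENT.match(line)
        if not match:
            continue  # malformed line; a loader would ignore it too
        key, value = match.group(1), match.group(2).strip()
        if value[:1] in ('"', "'"):
            closing = value.find(value[0], 1)
            value = value[1:closing] if closing != -1 else value[1:]
        else:
            value = value.split("#", 1)[0].strip()
        env[key] = value
    return env


def classify_secrets(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (variable, category) for every entry that looks like one of the
    credential kinds harvested in the campaign: cloud keys, Mailgun keys, DB logins.
    The rules are heuristics for this example, not an exhaustive secret scanner."""
    found: List[Tuple[str, str]] = []
    for key, value in env.items():
        upper = key.upper()
        if _AWS_KEY_ID.search(value) or upper.startswith("AWS_SECRET"):
            found.append((key, "aws-access-key"))
        elif "MAILGUN" in upper:
            found.append((key, "mailgun"))
        elif upper in ("DB_PASSWORD", "DATABASE_URL") or upper.endswith("_DB_PASSWORD"):
            found.append((key, "database"))
    return found


def find_dotfiles(webroot: str) -> List[str]:
    """List dotfiles under a document root. Anything reported here is served to
    the internet by a web server that has not been told to deny dotfiles."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.startswith("."):
                hits.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(hits)


# Constructed sample .env. The AWS values are the placeholder pair from AWS's
# own documentation; the other values are made up for this example.
SAMPLE_ENV = """\
# application settings
APP_ENV=production
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
MAILGUN_SECRET=key-constructed0000 # not a real key
DB_PASSWORD='s3cret pass' # quoted, so the space is kept
"""

if __name__ == "__main__":
    for var, category in classify_secrets(parse_dotenv(SAMPLE_ENV)):
        print(f"{var}: {category}")
```

Run `find_dotfiles` against the directory the web server actually serves (not the repository root), and run `classify_secrets` in CI so that a .env carrying cloud keys fails the build before it can be deployed next to public content.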

Discovery and Reconnaissance

Upon gaining access, the threat actors performed various discovery operations using AWS APIs to understand the environment and identify exploitable services. Key API calls included:

  • GetCallerIdentity: To verify the principal’s identity
  • ListUsers: To enumerate IAM users
  • ListBuckets: To identify S3 buckets

These operations enhanced the attackers’ ability to maneuver within the cloud environment, laying the groundwork for privilege escalation and broader reconnaissance.

Privilege Escalation: Creating a New IAM Role

The attackers exploited the permissions of compromised IAM credentials to create new IAM roles with administrative access. This involved using the CreateRole API call followed by AttachRolePolicy to grant administrator privileges to a newly created role, facilitating further malicious activities.

{
  "IAMPolicyDocument": {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      }
    ]
  },
  "RoleName": "lambda-ex"
}
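The discovery calls listed above, the CreateRole/AttachRolePolicy pair, and the Lambda deployment described in the next section all land in CloudTrail, which makes the chain detectable per access key. The following Python is an added example, not code from this post or from Unit 42: it groups constructed CloudTrail-shaped records by `userIdentity.accessKeyId`, sorts them by time, and reports keys whose activity follows the campaign's discovery, escalation and execution pattern. The record layout and field names (`eventName`, `requestParameters.roleName`, `policyArn`, the `CreateFunction20150331` event name for Lambda) are CloudTrail's; the events, timestamps, role name and function name in the sample are constructed for this example.

```python
from collections import defaultdict
from typing import Any, Dict, List

DISCOVERY_CALLS = {"GetCallerIdentity", "ListUsers", "ListBuckets"}
ADMIN_POLICY_SUFFIX = "/AdministratorAccess"
LAMBDA_CREATE = "CreateFunction20150331"  # CloudTrail's eventName for Lambda CreateFunction


def analyze_key_activity(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Group CloudTrail records by access key and report keys whose activity
    follows the campaign's pattern: discovery calls, then CreateRole plus
    AttachRolePolicy granting AdministratorAccess, then a Lambda deployment."""
    by_key: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
    for event in events:
        by_key[event["userIdentity"]["accessKeyId"]].append(event)

    findings: List[Dict[str, Any]] = []
    for access_key, key_events in by_key.items():
        key_events.sort(key=lambda e: e["eventTime"])  # ISO-8601 UTC sorts lexically
        discovery, created_roles, admin_roles = set(), set(), set()
        lambda_deployed = False
        for event in key_events:
            name = event["eventName"]
            params = event.get("requestParameters") or {}
            if name in DISCOVERY_CALLS:
                discovery.add(name)
            elif name == "CreateRole":
                created_roles.add(params.get("roleName"))
            elif (name == "AttachRolePolicy"
                  and str(params.get("policyArn", "")).endswith(ADMIN_POLICY_SUFFIX)
                  and params.get("roleName") in created_roles):
                # Admin policy attached to a role this same key created moments earlier.
                admin_roles.add(params["roleName"])
            elif name == LAMBDA_CREATE:
                lambda_deployed = True

        stages: List[str] = []
        if len(discovery) >= 2:
            stages.append("discovery")
        if admin_roles:
            stages.append("privilege-escalation")
        if admin_roles and lambda_deployed:
            stages.append("execution")
        if stages:
            findings.append({
                "accessKeyId": access_key,
                "stages": stages,
                "admin_roles": sorted(admin_roles),
                "severity": "high" if admin_roles else "low",
            })
    return findings


def _record(time: str, source: str, name: str, key: str, params=None) -> Dict[str, Any]:
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}


LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholder key ID
OTHER_KEY = "AKIAEXAMPLEBACKUP001"   # constructed key ID for a benign job

# Constructed events, deliberately out of order to show that sorting matters.
SAMPLE_EVENTS = [
    _record("2024-01-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", LEAKED_KEY),
    _record("2024-01-01T10:00:05Z", "iam.amazonaws.com", "ListUsers", LEAKED_KEY),
    _record("2024-01-01T10:00:09Z", "s3.amazonaws.com", "ListBuckets", LEAKED_KEY),
    _record("2024-01-01T10:01:40Z", "iam.amazonaws.com", "AttachRolePolicy", LEAKED_KEY,
            {"roleName": "lambda-ex", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _record("2024-01-01T10:01:30Z", "iam.amazonaws.com", "CreateRole", LEAKED_KEY,
            {"roleName": "lambda-ex"}),
    _record("2024-01-01T10:05:00Z", "lambda.amazonaws.com", LAMBDA_CREATE, LEAKED_KEY,
            {"functionName": "scan"}),
    # A backup job that only lists buckets: no finding expected.
    _record("2024-01-01T11:00:00Z", "s3.amazonaws.com", "ListBuckets", OTHER_KEY),
]

if __name__ == "__main__":
    for finding in analyze_key_activity(SAMPLE_EVENTS):
        print(finding)
```

The per-key grouping is the point: a long-lived key that normally serves one application and suddenly enumerates IAM users, creates a role and attaches AdministratorAccess to it has changed hands, whatever the source IP. A production version would read the records from the CloudTrail S3 bucket or CloudWatch Logs rather than from an inline list.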

Execution: Leveraging AWS Lambda for Scanning

Failed attempts to create EC2 instances for cryptomining led the attackers to pivot to AWS Lambda. They succeeded in deploying a malicious Lambda function designed to perform internet-wide scanning. The function iterated over a list of domains, requesting /.env from each one to harvest more credentials.

#!/bin/bash
targets=$(curl -s https://thirdparty-bucket/targets.txt)
for domain in $targets; do
  env_file=$(curl -s https://$domain/.env)
  if [[ $env_file == *"MAILGUN"* ]]; then
    echo $env_file > /path/to/storage/$domain.env
  fi
done

Exfiltration and Impact

The attackers exfiltrated sensitive data from compromised S3 buckets using the S3 Browser tool, leaving ransom notes in place of the exfiltrated data. These ransom notes warned victims of the potential sale of their data on the dark web unless a ransom was paid.

The ultimate impact included:

  • Data exfiltration from cloud storage containers
  • Exposure of 90,000 unique credentials
  • Persistent risk of large-scale phishing attacks using compromised Mailgun credentials

Analysis and Insights

Key Missteps and Security Failures

  1. Exposing Environment Variables: Publicly accessible .env files provided an easy entry point for attackers.
  2. Use of Long-Lived Credentials: Static access keys without expiration enabled prolonged unauthorized access.
  3. Lack of Least Privilege Architecture: Over-permissive IAM roles facilitated privilege escalation and extensive malicious activities.

Automation and Advanced Tactics

The campaign’s reliance on automation shows the attackers’ operational efficiency in scanning and compromising vast numbers of targets. Running the scanner as a Lambda function inside a compromised AWS environment shows a solid understanding of how cloud services can be chained together for the attackers’ purposes.

Recommendations for Mitigation

Organizations must adopt robust security measures to safeguard against such attacks:

  • Temporary Credentials: Use short-lived credentials obtained by assuming IAM roles instead of static access keys, to minimize the window in which a leaked credential is usable.
  • Least Privilege Principle: Enforce strict IAM policies to limit permissions.
  • Secure Configuration Management: Regularly audit and secure .env files and other sensitive configurations.
  • Monitoring and Logging: Enable comprehensive logging and monitoring to detect abnormal activities promptly.
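One way to enforce the least privilege recommendation before a policy ever reaches IAM is to lint policy documents in CI. The following Python is an added example (not code from this post or from Unit 42): it flags the two shapes that enabled this campaign's escalation, an `Action: "*"` on `Resource: "*"` and, more subtly, a wildcard-resource grant of IAM actions such as CreateRole and AttachRolePolicy that are sufficient to build an admin role. The first sample is the policy shown earlier in this post; the least-privilege and escalation-only policies, the bucket name and the list of escalation actions are this example's own constructions.

```python
import fnmatch
from typing import Any, Dict, List

# IAM actions that let a principal grant itself, or a role it controls, more access.
# This is a representative list for the example, not an exhaustive one.
ESCALATION_ACTIONS = [
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:PassRole",
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey",
]


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string/object or a list for Statement, Action, Resource."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _grants(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for an IAM policy document; empty means clean."""
    findings: List[str] = []
    if policy.get("Version") != "2012-10-17":
        findings.append("missing or old Version: policy variables and newer features are disabled")
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"statement {index}: NotAction allows every action not listed")
        if "*" not in resources:
            continue  # resource-scoped statements are outside these two checks
        if any(a == "*" for a in actions):
            findings.append(f"statement {index}: Action * on Resource * grants full administrative access")
        else:
            hits = sorted({esc for esc in ESCALATION_ACTIONS for a in actions if _grants(a, esc)})
            if hits:
                findings.append(f"statement {index}: escalation path via {', '.join(hits)} on Resource *")
    return findings


# The policy document shown earlier in this post (inner document only).
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed least-privilege alternative for a role that only reads one bucket.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-app-assets"},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-app-assets/*"},
    ],
}

# Constructed policy that avoids "*" yet still permits the CreateRole/AttachRolePolicy chain.
ESCALATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "lambda:*"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    for name, doc in [("admin", ADMIN_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY),
                      ("escalation", ESCALATION_POLICY)]:
        print(name, policy_findings(doc) or "clean")
```

The second check matters as much as the first: a policy that never says `"*"` for Action can still hand out admin rights if it allows role creation and policy attachment on every resource, which is exactly the sequence the attackers ran with the compromised keys. Scope IAM write actions to specific role ARNs, or deny them outright to application credentials, and pair the policy review with the logging recommendation so that any CreateRole from an application key is alerted on.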

Conclusion

This extensive analysis of the large-scale cloud extortion campaign highlights critical security lapses that organizations must address to protect their cloud environments. By adopting proactive security measures and maintaining vigilant monitoring, organizations can mitigate the risks posed by such sophisticated threat actors.