Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments
Aug. 16, 2024, 8:20 a.m.
Description
Unit 42 researchers uncovered an extortion campaign that compromised and extorted multiple victim organizations by leveraging exposed environment variable files containing sensitive credentials. The attackers set up their attack infrastructure inside victims' Amazon Web Services (AWS) environments and scanned over 230 million targets for sensitive data. The campaign targeted 110,000 domains and harvested over 90,000 unique variables, including 7,000 cloud service credentials and 1,500 social media account credentials. The attackers used Tor for reconnaissance, VPNs for lateral movement and data exfiltration, and VPS endpoints. They automated many of these tactics, indicating advanced cloud skills.
Date
Published: Aug. 16, 2024, 8:08 a.m.
Created: Aug. 16, 2024, 8:08 a.m.
Modified: Aug. 16, 2024, 8:20 a.m.
Indicators
Attack Patterns
TA0010
TA0004
TA0002
TA0040
TA0007
TA0001
CVE-2024-6387
CVE-2024-3094