Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments

Aug. 16, 2024, 8:20 a.m.

Description

Unit 42 researchers uncovered an extortion campaign that compromised and extorted multiple victim organizations by abusing exposed environment variable (.env) files that contained sensitive credentials. The attackers set up their attack infrastructure inside victims' Amazon Web Services (AWS) environments and scanned over 230 million targets for sensitive data. The campaign targeted 110,000 domains and harvested over 90,000 unique variables from exposed files, including 7,000 cloud service credentials and 1,500 social media account credentials. The attackers used Tor for reconnaissance, VPNs for lateral movement and data exfiltration, and VPS endpoints as well. Much of this activity was automated, indicating a high level of cloud expertise.

Date

  • Created: Aug. 16, 2024, 8:08 a.m.
  • Published: Aug. 16, 2024, 8:08 a.m.
  • Modified: Aug. 16, 2024, 8:20 a.m.

Linked vulnerabilities

Indicators

  • 64e6ce23db74aed7c923268e953688fa5cc909cc9d1e84dd46063b62bd649bf6
  • 95.214.234.103
  • 95.214.217.33
  • 95.214.217.242
  • 95.214.217.173
  • 95.214.217.224
  • 95.214.216.158
  • 49.37.170.97
  • 46.150.66.226
  • 45.94.208.85
  • 45.94.208.76
  • 45.94.208.63
  • 45.94.208.42
  • 45.137.126.18
  • 45.137.126.12
  • 199.249.230.161
  • 198.251.88.142
  • 196.112.184.14
  • 195.158.248.220
  • 193.42.99.58
  • 193.42.99.169
  • 193.42.98.65
  • 185.220.103.113
  • 178.132.108.124
  • 176.123.8.245
  • 146.70.184.10
  • 144.172.118.62
  • 125.20.131.190
  • 141.95.89.92
  • 45.137.126.41
  • 45.137.126.16
  • 195.158.248.60
  • 193.42.99.50
  • 72.55.136.154
  • 139.99.68.203
  • 192.42.116.187
  • 45.83.104.137

Attack Patterns

  • TA0010
  • TA0004
  • TA0002
  • TA0040
  • TA0007
  • TA0001
  • CVE-2024-6387
  • CVE-2024-3094