Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments
Aug. 16, 2024, 8:20 a.m.
Description
Unit 42 researchers uncovered an extortion campaign that compromised multiple victim organizations by leveraging exposed environment variable (.env) files containing sensitive credentials. The attackers set up their attack infrastructure inside victims' Amazon Web Services (AWS) environments and used it to scan over 230 million unique targets for exposed .env files. The files harvested from about 110,000 domains yielded over 90,000 unique variables, including roughly 7,000 cloud service credentials and 1,500 credentials for social media accounts. The attackers used Tor for reconnaissance, VPNs for lateral movement and data exfiltration, and VPS endpoints as further infrastructure. The degree to which these tactics were automated indicates a strong command of cloud environments.
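The harvesting described above leaves two artifacts a defender can act on: requests for `/.env` paths in web-server access logs, and the contents of any .env file that was actually served. The script below, an added example for this entry and not code from Unit 42 or from the campaign, flags .env probes in constructed Apache/nginx combined-format log lines, matches source IPs against a subset of the indicators listed on this page, and triages a constructed .env file by the credential classes the campaign collected. The suffixed path variants, the variable-name hint lists and the severity scheme are assumptions chosen for illustration.

```python
"""Spot .env harvesting in access logs and triage an exposed .env file.

Added example, not code from Unit 42 or the campaign. Log lines and .env
contents are constructed; path variants, name hints and severities are
assumptions for illustration.
"""
import re
from collections import Counter

# A few of the IP indicators listed on this page (the full list is below).
IOC_IPS = {"95.214.234.103", "45.137.126.18", "185.220.103.113", "193.42.99.58"}

# "/.env" anywhere under the web root, plus suffixed variants such as
# "/.env.backup" (the suffixed variants are an assumption).
ENV_PATH = re.compile(r"^(?:/[\w.-]+)*/\.env(?:\.[\w.-]+)?(?:\?.*)?$")

# Apache/nginx "combined" access-log format; only the leading fields are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = """\
95.214.234.103 - - [10/Aug/2024:03:12:45 +0000] "GET /.env HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
95.214.234.103 - - [10/Aug/2024:03:12:46 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2024:03:13:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2024:03:13:05 +0000] "GET /.env.backup HTTP/1.1" 404 153 "-" "curl/8.4.0"
185.220.103.113 - - [10/Aug/2024:03:14:10 +0000] "GET /robots.txt HTTP/1.1" 200 67 "-" "python-requests/2.31"
"""


def scan_log(lines):
    """Return one alert dict per finding: a .env probe (HIGH if the server
    answered 200, i.e. the file was actually served) or a hit on an IOC IP."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip
        rec = m.groupdict()
        if ENV_PATH.match(rec["path"]):
            sev = "HIGH" if rec["status"] == "200" else "MEDIUM"
            alerts.append({**rec, "severity": sev, "reason": "env-probe"})
        if rec["ip"] in IOC_IPS:
            alerts.append({**rec, "severity": "HIGH", "reason": "ioc-ip"})
    return alerts


def probes_per_ip(alerts):
    """Count .env probes per source IP; one IP walking several candidate
    paths is the mass-scanning pattern the campaign relied on."""
    return Counter(a["ip"] for a in alerts if a["reason"] == "env-probe")


# Variable-name hints for the credential classes the campaign collected
# (cloud service and social media credentials); the lists are assumptions.
CLOUD_HINTS = ("AWS_", "AZURE_", "GOOGLE_", "GCP_", "S3_")
SOCIAL_HINTS = ("FACEBOOK_", "TWITTER_", "INSTAGRAM_", "LINKEDIN_")
SECRET_WORDS = ("SECRET", "TOKEN", "PASSWORD", "PASSWD", "KEY", "CREDENTIAL")
AWS_AKID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")  # AWS access key ID shape

SAMPLE_ENV = """\
# constructed sample, not a real application's .env
APP_ENV=production
APP_KEY=base64:notARealAppKey
AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000
AWS_SECRET_ACCESS_KEY="notARealSecret"
TWITTER_API_SECRET=tw-secret
DB_PASSWORD=hunter2
MAIL_HOST=smtp.example.com
"""


def triage_env(text):
    """Classify KEY=VALUE lines as cloud, social or other-secret; benign
    settings are dropped. Returns a list of (KEY, class) tuples."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, val = line.split("=", 1)
        key, val = key.strip().upper(), val.strip().strip("\"'")
        if key.startswith(CLOUD_HINTS) or AWS_AKID.search(val):
            found.append((key, "cloud"))
        elif key.startswith(SOCIAL_HINTS):
            found.append((key, "social"))
        elif any(w in key for w in SECRET_WORDS):
            found.append((key, "other-secret"))
    return found


if __name__ == "__main__":
    alerts = scan_log(SAMPLE_LOG.splitlines())
    for a in alerts:
        print(f'{a["severity"]:6} {a["reason"]:9} {a["ip"]:16} {a["path"]}')
    print(dict(probes_per_ip(alerts)))
    print(triage_env(SAMPLE_ENV))
```

A 200 response to a `/.env` request is the case that matters most: it means the file was served and every variable in it should be treated as compromised and rotated, which is exactly the triage the second half of the script supports. A 404 still records that the host was on the scanner's target list.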
Tags
Date
- Created: Aug. 16, 2024, 8:08 a.m.
- Published: Aug. 16, 2024, 8:08 a.m.
- Modified: Aug. 16, 2024, 8:20 a.m.
Linked vulnerabilities
Indicators
- 64e6ce23db74aed7c923268e953688fa5cc909cc9d1e84dd46063b62bd649bf6
- 95.214.234.103
- 95.214.217.33
- 95.214.217.242
- 95.214.217.173
- 95.214.217.224
- 95.214.216.158
- 49.37.170.97
- 46.150.66.226
- 45.94.208.85
- 45.94.208.76
- 45.94.208.63
- 45.94.208.42
- 45.137.126.18
- 45.137.126.12
- 199.249.230.161
- 198.251.88.142
- 196.112.184.14
- 195.158.248.220
- 193.42.99.58
- 193.42.99.169
- 193.42.98.65
- 185.220.103.113
- 178.132.108.124
- 176.123.8.245
- 146.70.184.10
- 144.172.118.62
- 125.20.131.190
- 141.95.89.92
- 45.137.126.41
- 45.137.126.16
- 195.158.248.60
- 193.42.99.50
- 72.55.136.154
- 139.99.68.203
- 192.42.116.187
- 45.83.104.137
Attack Patterns
- TA0010 (Exfiltration)
- TA0004 (Privilege Escalation)
- TA0002 (Execution)
- TA0040 (Impact)
- TA0007 (Discovery)
- TA0001 (Initial Access)
- CVE-2024-6387
- CVE-2024-3094