Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments

Aug. 16, 2024, 8:20 a.m.

Description

Unit 42 researchers uncovered an extortion campaign that compromised and extorted multiple victim organizations by leveraging exposed environment variable (.env) files containing sensitive credentials. The attackers set up attack infrastructure within victims' Amazon Web Services (AWS) environments and scanned over 230 million targets for sensitive data. The operation targeted 110,000 domains and harvested over 90,000 unique environment variables, including 7,000 cloud service credentials and 1,500 social media account credentials. The attackers used Tor for reconnaissance, VPNs for lateral movement and data exfiltration, and VPS endpoints as additional infrastructure. They automated many of these tactics, indicating advanced cloud skills.

Date

Published: Aug. 16, 2024, 8:08 a.m.
Created: Aug. 16, 2024, 8:08 a.m.
Modified: Aug. 16, 2024, 8:20 a.m.

Indicators

Attack Patterns

TA0010

TA0004

TA0002

TA0040

TA0007

TA0001

CVE-2024-6387

CVE-2024-3094