Poor cybersecurity hygiene, including exposed environment variable files, long-lived credentials and the absence of least-privilege architecture, has led to multiple organizations being targeted by ransomware attacks, experts have warned.
A report from cybersecurity researchers at Unit 42 described how they observed the cloud operations of a successful extortion campaign that leveraged exposed environment variable (.ENV) files containing sensitive data such as login credentials.
Anonymous threat actors installed their attack infrastructure within Amazon Web Services (AWS) environments belonging to targeted organizations and then used it as a launchpad to scan over 230 million unique targets for sensitive information. As Unit 42 explained, the campaign targeted 110,000 domains and resulted in the exposure of over 90,000 unique variables in .ENV files.
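A defender-side check for the hygiene failure the report describes, added here as an example that is not from the Unit 42 report or the article: it parses .env content and flags populated secret-looking variables, separating long-lived AWS IAM access key IDs (AKIA prefix) from temporary STS ones (ASIA prefix). The key-name heuristics and the sample file are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Heuristic key-name hints for secrets (assumption: not taken from the report).
SECRET_KEY_HINT = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|ACCESS_KEY)", re.I)
# AWS access key IDs: AKIA = long-lived IAM user key, ASIA = temporary STS key.
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")


@dataclass
class Finding:
    key: str
    severity: str
    reason: str


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines of a .env file; skips blanks/comments, strips quotes and 'export '."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def audit_env(text: str) -> list:
    """Return findings for populated variables that look like credentials."""
    findings = []
    for key, value in parse_env(text).items():
        if not value:  # an empty value leaks nothing
            continue
        m = AWS_KEY_ID.search(value)
        if m and m.group(1) == "AKIA":
            findings.append(Finding(key, "high", "long-lived AWS IAM access key ID"))
        elif m:
            findings.append(Finding(key, "medium", "temporary AWS STS access key ID"))
        elif SECRET_KEY_HINT.search(key):
            findings.append(Finding(key, "high", "secret-looking variable with a value"))
    return findings


# Constructed sample .env content; none of these are real credentials.
SAMPLE_ENV = """# constructed example
APP_ENV=production
export AWS_ACCESS_KEY_ID="AKIAEXAMPLE000000001"
AWS_SESSION_KEY=ASIAEXAMPLE000000002
AWS_SECRET_ACCESS_KEY='fake/secret/value'
DB_PASSWORD=hunter2
PUBLIC_URL=https://example.com
EMPTY_TOKEN=
"""
```

Run it over each .env file found outside version control or inside a web root; any "high" finding is a credential that should be rotated and moved to a secrets manager.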
No encryption
Of those variables, 7,000 belonged to organizations' cloud services. However, that doesn't necessarily mean that 7,000 organizations were compromised, as it's very likely that a company owns multiple variables. Still, the criminals stole at least 1,500 variables belonging to social media accounts, which could be a good indicator of the number of victims. Additionally, the attackers used multiple source networks to facilitate the operation.
While the criminals stole sensitive data and demanded money for it, they did not encrypt their targets’ IT infrastructure. This is another example of threat actors moving away from encryption malware and into simple data ransom attacks. Some researchers believe that building, maintaining, and then deploying encryption appliances is too costly and cumbersome. Simply demanding a ransom for the data is apparently just as effective:
“The campaign involved the attackers successfully extracting ransom from data hosted in cloud storage containers,” Unit 42 said. “The event did not involve the attackers encrypting the data prior to ransom, but instead exfiltrating the data and placing the ransom note in the compromised cloud storage container.”
Researchers concluded that the attackers did not exploit any system vulnerabilities or errors. This is all a result of human error and carelessness.
Via Hacker News