Researchers uncovered an extortion campaign that exploited exposed environment variable files (.env) in cloud environments. These files, which contained sensitive credentials, were accessed and leveraged by attackers to ransom data from victim organizations. The attackers used misconfigured AWS environments to scan millions of targets, exfiltrate data, and extort victims without encrypting their data. The campaign relied on automation and operational missteps, including overly permissive IAM credentials and exposed cloud services.
The attack began with threat actors scanning for exposed .env files, which are configuration files that often contain sensitive information such as cloud provider access keys. Attackers obtained these credentials, gained initial access to AWS environments, and performed discovery operations using API calls like GetCallerIdentity and ListUsers to gather details about the cloud infrastructure. They also escalated privileges by creating new IAM roles with administrator access, allowing full control over compromised cloud environments. Once in control, attackers deployed AWS Lambda functions to automate scanning and data exfiltration from S3 buckets, later placing ransom notes in the compromised storage containers.
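The discovery-then-escalation sequence described above (GetCallerIdentity/ListUsers followed by a role being granted AdministratorAccess) is a pattern defenders can hunt for in CloudTrail. The following is an added detection example, not code from the original report; the events are constructed samples that use the real CloudTrail field names (eventTime, eventName, userIdentity.accessKeyId, requestParameters), and the access key IDs are placeholders.

```python
"""Flag access keys that run IAM discovery calls and then attach
AdministratorAccess to a role within a short window (CloudTrail-style events)."""
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real log data); only the
# fields the check needs are present. Access key IDs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2024-08-01T10:00:05Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIA_EXAMPLE_LEAKED"}, "requestParameters": None},
    {"eventTime": "2024-08-01T10:00:09Z", "eventName": "ListUsers",
     "userIdentity": {"accessKeyId": "AKIA_EXAMPLE_LEAKED"}, "requestParameters": None},
    {"eventTime": "2024-08-01T10:02:30Z", "eventName": "CreateRole",
     "userIdentity": {"accessKeyId": "AKIA_EXAMPLE_LEAKED"},
     "requestParameters": {"roleName": "lambda-ex-role"}},
    {"eventTime": "2024-08-01T10:02:41Z", "eventName": "AttachRolePolicy",
     "userIdentity": {"accessKeyId": "AKIA_EXAMPLE_LEAKED"},
     "requestParameters": {"roleName": "lambda-ex-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    # A key that only does discovery should not be flagged.
    {"eventTime": "2024-08-01T11:15:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIA_EXAMPLE_ADMIN"}, "requestParameters": None},
]

DISCOVERY_CALLS = {"GetCallerIdentity", "ListUsers"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_discovery_to_admin(events, window=timedelta(hours=1)):
    """Return one hit per access key that ran a discovery call and, within
    `window` of its first discovery call, attached AdministratorAccess to a role."""
    first_discovery = {}  # accessKeyId -> time of first discovery call
    hits = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO strings sort by time
        key = ev["userIdentity"].get("accessKeyId", "unknown")
        t = parse_time(ev["eventTime"])
        name = ev["eventName"]
        if name in DISCOVERY_CALLS:
            first_discovery.setdefault(key, t)  # keep the earliest sighting
            continue
        params = ev.get("requestParameters") or {}
        if name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY:
            seen = first_discovery.get(key)
            if seen is not None and t - seen <= window:
                hits.append({"accessKeyId": key, "roleName": params.get("roleName"),
                             "discovery_at": seen.isoformat(), "escalation_at": t.isoformat()})
    return hits
```

The same key-based correlation can be extended with CreateFunction (Lambda) and S3 PutObject events to cover the later automation and ransom-note stages the report describes.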
The attackers used services such as Tor for reconnaissance, VPNs for lateral movement, and S3 for exfiltrating sensitive data. Their operations were highly automated, targeting over 230 million domains and harvesting over 90,000 environment variables, with 7,000 linked to cloud services.