AWS .Env Files Hacked in Cloud Extortion Campaign, Data Held for Ransom


Cloud Extortion Campaign Targets 100,000 Domains Using Misconfigured AWS .env Files

Researchers from Palo Alto Networks’ Unit 42 have uncovered a sophisticated extortion campaign that targeted over 100,000 domains by exploiting misconfigured AWS environment variable files (.env files) to ransom data stored in cloud containers. The attackers utilized automation techniques and in-depth knowledge of cloud architecture to enhance the speed and success of their campaign, highlighting the critical need for robust cloud security practices.

The campaign capitalized on multiple security failures within cloud users’ environments, including exposed environment variables, the use of long-lived credentials, and the absence of a least privilege architecture. By setting up infrastructure within organizations’ AWS environments, the attackers scanned over 230 million unique targets for sensitive information.
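The first two failures listed above, exposed environment files and long-lived credentials, can be checked for locally before an attacker finds them. The following is an added example, not code from the Unit 42 report or from any project the article names: it parses a .env file, flags any AWS access key it contains and distinguishes long-term IAM user keys (AKIA prefix) from temporary STS credentials (ASIA prefix). The sample file is constructed and uses the placeholder key and secret from the AWS documentation; `find_env_files` is a hypothetical helper for sweeping a web root.

```python
"""Scan .env files for AWS credentials and flag long-lived IAM user keys.

Added example, not code from the Unit 42 report. The key prefixes are
public AWS conventions: AKIA marks a long-term IAM user access key,
ASIA a temporary (STS) credential. The sample file below is constructed
and uses the placeholder key from the AWS documentation, not a real secret.
"""
import re
from dataclasses import dataclass
from pathlib import Path

# Access key IDs are 20 characters; the first four identify the key kind.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
# Variable names that usually carry a secret value of some other kind.
SECRET_NAME_RE = re.compile(r"SECRET|PASSWORD|TOKEN|PRIVATE_KEY", re.I)


@dataclass
class Finding:
    line_no: int
    name: str
    kind: str       # "long_lived_key", "temporary_key" or "secret_value"
    severity: str   # "high" or "medium"


def parse_env(text: str):
    """Yield (line_no, name, value) for KEY=VALUE lines; skip blanks and comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if name.lower().startswith("export "):
            name = name[7:]
        yield line_no, name.strip(), value.strip().strip("\"'")


def scan_env(text: str) -> list:
    """Return one Finding per credential-bearing line of a .env file."""
    findings = []
    for line_no, name, value in parse_env(text):
        match = ACCESS_KEY_RE.search(value)
        if match:
            long_lived = match.group(1) == "AKIA"
            findings.append(Finding(
                line_no, name,
                "long_lived_key" if long_lived else "temporary_key",
                "high" if long_lived else "medium"))
        elif value and SECRET_NAME_RE.search(name):
            findings.append(Finding(line_no, name, "secret_value", "high"))
    return findings


def find_env_files(root: str) -> list:
    """Locate .env files under a directory such as a web root (hypothetical helper)."""
    return sorted(str(p) for p in Path(root).rglob(".env*") if p.is_file())


# Constructed sample; the AWS values are the AWS documentation placeholders.
SAMPLE_ENV = """# example application config (constructed)
APP_ENV=production
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD=example-password
export TEMP_KEY=ASIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    for f in scan_env(SAMPLE_ENV):
        print(f"line {f.line_no}: {f.name} -> {f.kind} ({f.severity})")
```

A long-lived key in a file that a web server can serve is the exact condition the campaign exploited; the remediation is to rotate that key, move the workload to a role with temporary credentials, and make sure the web server never serves dotfiles.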

In total, the campaign targeted 110,000 domains, resulting in the exposure of more than 90,000 unique variables in .env files. The attackers successfully ransomed data hosted within cloud storage containers by exfiltrating the data and leaving ransom notes in compromised containers.

The researchers emphasized that the attack was not the result of vulnerabilities in cloud providers' services but of misconfigurations within victim organizations that exposed their .env files. The threat actors behind the campaign demonstrated advanced automation techniques and a deep understanding of cloud architecture.

Initial access to organizations’ cloud environments was gained through leaked AWS IAM credentials found in exposed .env files. The threat actors leveraged these credentials to escalate their privileges within victim cloud environments and create new AWS Lambda functions for their automated scanning operation.
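The chain described above, a leaked long-lived key that escalates privileges and then creates Lambda functions, leaves a recognisable trace in CloudTrail. The following is an added example, not code from the Unit 42 report: it groups CloudTrail records by access key and rates each key's activity. The sample records, the list of escalation calls and the severity rules are constructed assumptions; the field names (`eventSource`, `eventName`, `userIdentity.accessKeyId`, `sourceIPAddress`) are standard CloudTrail fields, and the keys are the AWS documentation placeholders.

```python
"""Flag CloudTrail activity matching the post-compromise chain described
above: a long-lived IAM user key performing privilege-escalation calls and
then creating Lambda functions.

Added example, not code from the Unit 42 report. The sample records, the
escalation call list and the severity rules are constructed assumptions;
the field names (eventSource, eventName, userIdentity.accessKeyId, ...)
are standard CloudTrail fields.
"""
import json
from collections import defaultdict

# IAM API calls that commonly grant new or broader permissions (assumed list).
ESCALATION_CALLS = {
    ("iam.amazonaws.com", "CreateUser"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "CreateRole"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("iam.amazonaws.com", "AttachRolePolicy"),
    ("iam.amazonaws.com", "PutUserPolicy"),
}
LAMBDA_CREATE = ("lambda.amazonaws.com", "CreateFunction")


def _record(time, source, name, ip, ident_type, user, key):
    """Build a minimal CloudTrail record (helper for the constructed sample)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"type": ident_type, "userName": user,
                             "accessKeyId": key}}


# Constructed sample trail: one leaked key runs the full chain, one CI role
# legitimately creates a function under temporary credentials.
LEAKED = "AKIAIOSFODNN7EXAMPLE"     # AWS documentation placeholder key
SAMPLE_TRAIL = json.dumps({"Records": [
    _record("2024-08-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity",
            "203.0.113.10", "IAMUser", "webapp-deploy", LEAKED),
    _record("2024-08-01T10:00:05Z", "iam.amazonaws.com", "CreateUser",
            "203.0.113.10", "IAMUser", "webapp-deploy", LEAKED),
    _record("2024-08-01T10:00:09Z", "iam.amazonaws.com", "AttachUserPolicy",
            "203.0.113.10", "IAMUser", "webapp-deploy", LEAKED),
    _record("2024-08-01T10:01:00Z", "lambda.amazonaws.com", "CreateFunction",
            "203.0.113.10", "IAMUser", "webapp-deploy", LEAKED),
    _record("2024-08-01T11:00:00Z", "lambda.amazonaws.com", "CreateFunction",
            "198.51.100.7", "AssumedRole", "ci-deploy-session",
            "ASIAIOSFODNN7EXAMPLE"),
]})


def analyze(trail_json: str) -> dict:
    """Group records by access key and rate each key's activity."""
    records = json.loads(trail_json)["Records"]
    per_key = defaultdict(lambda: {"identity_type": None, "escalation": [],
                                   "lambda_create": 0, "source_ips": set()})
    for rec in records:
        ident = rec.get("userIdentity", {})
        entry = per_key[ident.get("accessKeyId", "<none>")]
        entry["identity_type"] = ident.get("type")
        entry["source_ips"].add(rec.get("sourceIPAddress"))
        call = (rec.get("eventSource"), rec.get("eventName"))
        if call in ESCALATION_CALLS:
            entry["escalation"].append(rec["eventName"])
        elif call == LAMBDA_CREATE:
            entry["lambda_create"] += 1

    results = {}
    for key, e in per_key.items():
        # AKIA keys (and IAMUser identities generally) are long-lived credentials.
        long_lived = key.startswith("AKIA") or e["identity_type"] == "IAMUser"
        if long_lived and e["escalation"] and e["lambda_create"]:
            severity = "critical"      # the full chain seen in this campaign
        elif e["escalation"] or (long_lived and e["lambda_create"]):
            severity = "high"
        else:
            severity = "info"
        results[key] = {"long_lived": long_lived, "severity": severity,
                        "escalation": e["escalation"],
                        "lambda_create": e["lambda_create"],
                        "source_ips": sorted(e["source_ips"])}
    return results


def alerts(trail_json: str, min_severity: str = "high") -> list:
    """Return access keys whose rating is at or above min_severity."""
    rank = {"info": 0, "high": 1, "critical": 2}
    return sorted(k for k, v in analyze(trail_json).items()
                  if rank[v["severity"]] >= rank[min_severity])


if __name__ == "__main__":
    for key, v in analyze(SAMPLE_TRAIL).items():
        print(key, v["severity"], v["escalation"], v["lambda_create"])
```

In practice the same grouping would run over CloudTrail exported to S3 or queried through Athena; the point of keying on `accessKeyId` rather than `userName` is that a leaked key used from an unfamiliar source IP stands out even when the user name itself is a legitimate deployment account.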

The researchers noted a growing trend of attackers targeting cloud IAM credentials for initial access, emphasizing the importance of securing sensitive files and implementing strong authentication and access controls in cloud environments.
