110K domains targeted in 'sophisticated' AWS cloud extortion campaign

If you needed yet another reminder of what happens when security basics go awry


Updated It's a good news day for organizations that don't leave their AWS environment files publicly exposed because infosec experts say those that do may be caught up in an extensive and sophisticated extortion campaign.

Security shop Cyble released some research this week after finding 110,000 domains targeted by attackers exploiting misconfigured .env files, which typically contain secrets such as hard-coded cloud access keys, SaaS API keys, and database login information, the researchers said.

In this particular cluster of activity, attackers are believed to have a deep understanding of cloud architectures – a dangerous thing when organizations fail on cloud security in various areas.

Those in the study who eventually found their S3-stored data replaced with a ransom note had exposed their environment variables, failed to refresh credentials regularly, and didn't adopt a least-privilege architecture.

Attackers zeroed in on unsecured web applications, scanning for environment files that exposed identity and access management (IAM) keys.

Once acquired, the crims ran the GetCallerIdentity API call to verify the data inside, the ListUsers API request to enumerate the IAM users in the AWS account, and the ListBuckets API request to find all the S3 buckets, the researchers said.

These access keys didn't have the admin privileges the attackers were after, but they did allow for the creation of new IAM roles to which policies could be applied, ultimately allowing them to escalate their privileges to those with unfettered access.

"To elevate privileges, the attackers created an IAM role named lambda-ex with the API request CreateRole, then used the API call AttachRolePolicy to attach the AWS-managed policy AdministratorAccess to the newly created lambda-ex role," Cyble wrote.

"In the execution phase, the attackers initially failed to create an EC2 infrastructure stack, but using the CreateFunction20150331 API call, they were able to create new AWS Lambda functions for their automated scanning operation. From there, they were able to launch a bash script to scan for targets."
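The API sequence Cyble describes (GetCallerIdentity, ListUsers and ListBuckets for reconnaissance, then CreateRole and AttachRolePolicy with AdministratorAccess) lands in CloudTrail, so it can be turned into a detection. The script below is an added example written for this article, not Cyble's or AWS's code: it groups CloudTrail records by access key and flags any key that attached AdministratorAccess to a role, rating it critical when the same key also created the role and ran all three reconnaissance calls first. The sample records are constructed, and the access key IDs are AWS's documented placeholder and a made-up value.

```python
"""Flag the recon-then-escalate CloudTrail sequence described in the article.
Input is a list of CloudTrail records (dicts). SAMPLE_EVENTS is constructed."""
import json
from collections import defaultdict

RECON_CALLS = {"GetCallerIdentity", "ListUsers", "ListBuckets"}
ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"

# Constructed sample events in CloudTrail's record layout. The access key IDs are
# placeholders (AWS's documented example key and an invented one), not real keys.
SAMPLE_EVENTS = [
    {"eventTime": "2024-08-20T10:00:01Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2024-08-20T10:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2024-08-20T10:00:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2024-08-20T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"roleName": "lambda-ex"}},
    {"eventTime": "2024-08-20T10:01:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"roleName": "lambda-ex",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    # Benign activity from another key: a lone bucket listing is not a finding.
    {"eventTime": "2024-08-20T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000002"}},
]


def _access_key(event):
    return event.get("userIdentity", {}).get("accessKeyId", "unknown")


def analyze(events):
    """Return one finding per access key that attached AdministratorAccess to a
    role. Severity is 'critical' when that key also created the role and ran all
    three reconnaissance calls; otherwise 'high'."""
    by_key = defaultdict(list)
    for event in sorted(events, key=lambda e: e["eventTime"]):
        by_key[_access_key(event)].append(event)

    findings = []
    for key, key_events in by_key.items():
        recon_seen, roles_created, admin_roles = set(), set(), []
        for event in key_events:
            name = event["eventName"]
            params = event.get("requestParameters") or {}
            if name in RECON_CALLS:
                recon_seen.add(name)
            elif name == "CreateRole":
                roles_created.add(params.get("roleName"))
            elif name == "AttachRolePolicy" and str(
                    params.get("policyArn", "")).endswith(ADMIN_POLICY_SUFFIX):
                admin_roles.append(params.get("roleName"))
        if not admin_roles:
            continue
        own_roles = [r for r in admin_roles if r in roles_created]
        critical = recon_seen == RECON_CALLS and bool(own_roles)
        findings.append({
            "accessKeyId": key,
            "severity": "critical" if critical else "high",
            "recon_calls": sorted(recon_seen),
            "roles": admin_roles,
        })
    return findings


def load_records(text):
    """Accept a CloudTrail log file ({"Records": [...]}) or one JSON record per line."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    return doc.get("Records", [doc]) if isinstance(doc, dict) else doc


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Grouping by access key rather than by user name matters here: a leaked long-lived key and the legitimate owner's console session share the same IAM user, and the key ID is what you will want to deactivate first.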

El Reg asked Cyble for additional information on the attackers' victimology, their targets, and ransom demands, but the company did not immediately respond.

"This cloud extortion campaign reveals the dangers that arise when cloud service users fail to follow best practices such as robust authentication and access controls, data encryption, secure configuration management, and monitoring and logging," the blog post continued.

"Exposed .env files may contain API keys and secrets, database credentials, encryption keys, and sensitive environment configurations, so the following best practices are recommended."

In addition to the best practices listed, the researchers suggested cloud users don't commit .env files to version control – a move to prevent accidental exposure. Using environment variables in the deployment environment reduces reliance on .env files, and secret-management tools should also be considered.
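One way to enforce the "don't commit .env files" advice is a pre-commit hook that refuses the commit when a .env file is staged or when any staged file contains something shaped like an AWS access key ID. The script below is an added example, not Cyble's or AWS's tooling: it assumes it is installed as `.git/hooks/pre-commit`, treats `.env.example`-style templates as allowed, and the staged files in SAMPLE_STAGED are constructed (the key shown is AWS's documented placeholder).

```python
"""Pre-commit hook: block commits that stage a .env file or an AWS access key ID.
Install as .git/hooks/pre-commit; a non-zero exit blocks the commit.
Run with --demo to check the constructed SAMPLE_STAGED instead of the index."""
import re
import subprocess
import sys

# Matches .env, .env.local, deploy/.env.production ... anywhere in the tree.
ENV_FILE_RE = re.compile(r"(^|/)\.env(\.[A-Za-z0-9_-]+)*$")
# Committed templates with empty values are fine; real secrets files are not.
TEMPLATE_SUFFIXES = (".example", ".sample", ".template")
# AWS access key IDs: AKIA (long-lived) or ASIA (temporary) + 16 uppercase alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")


def find_violations(staged):
    """staged maps path -> file contents. Returns (path, reason) tuples;
    an empty list means the commit may proceed."""
    violations = []
    for path, content in staged.items():
        if ENV_FILE_RE.search(path) and not path.endswith(TEMPLATE_SUFFIXES):
            violations.append((path, "environment file must not be committed"))
            continue  # the whole file is blocked; no need to scan its lines
        for lineno, line in enumerate(content.splitlines(), 1):
            if AWS_KEY_ID_RE.search(line):
                violations.append((path, f"line {lineno}: AWS access key ID found"))
    return violations


def staged_files():
    """Read the index (staged) version of each added/copied/modified file."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        check=True, capture_output=True).stdout.decode()
    staged = {}
    for name in filter(None, out.split("\0")):
        blob = subprocess.run(["git", "show", f":{name}"],
                              check=True, capture_output=True).stdout
        staged[name] = blob.decode("utf-8", errors="replace")
    return staged


# Constructed sample: a secrets file, a template, a source file with a pasted key.
SAMPLE_STAGED = {
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_PASSWORD=hunter2\n",
    ".env.example": "AWS_ACCESS_KEY_ID=\nDB_PASSWORD=\n",
    "config/settings.py": "REGION = 'us-east-1'\nAWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n",
    "src/app.py": "def main():\n    pass\n",
}


if __name__ == "__main__":
    files = SAMPLE_STAGED if "--demo" in sys.argv else staged_files()
    problems = find_violations(files)
    for path, reason in problems:
        print(f"blocked: {path}: {reason}", file=sys.stderr)
    sys.exit(1 if problems else 0)
```

The hook reads the staged blob with `git show :path` rather than the working copy, so a key that was removed from the file on disk but still sits in the index is caught. It only recognises access key IDs by their prefix; secret access keys have no fixed prefix, so a dedicated secret scanner is still worth running in CI.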

Both Amazon S3 buckets and the cloud credentials they so often contain are hot property for cybercriminals, so it's no wonder that sophisticated efforts are being made to target them both.

They often come cheap, mainly because they're so frequently exposed, making them abundant on dark web forums.

Last year experts told The Reg it was possible to buy cloud credentials for the same price as a box of donuts, but even that small outlay wasn't always necessary given how poorly protected they are. IBM's X-Force team found plaintext credentials on user endpoints in 33 percent of all engagements it was brought in to assist.

S3 buckets themselves are hardly infallible either. Whether it's vulnerabilities potentially allowing for complete AWS account takeovers, or users failing to configure them properly, cloud storage misconfigurations are so common that they're boring for us reporters to write about, so most of the time we don't. We're certainly not short on material, though. ®

Updated at 0400 UTC, August 22nd

An AWS spokesperson has contacted The Reg to point out that its "services and infrastructure are not affected by the findings of these researchers" and that "the issues described in this blog were a result of a bad actor abusing misconfigured web applications—hosted both in the cloud and elsewhere—that allowed public access to environment variable (.env) files.

"Some of these files contained various kinds of credentials, including AWS credentials which were then used by the bad actor to call AWS APIs. Environment variable files should never be publicly exposed, and even if kept private, should never contain AWS credentials."

The spokesperson pointed out that AWS offers resources to harden web apps so they can "access temporary AWS credentials in a secure fashion", in addition to best practice guidance.
