Poor cybersecurity hygiene, which included exposed environment variable files, long-lived credentials, and the absence of least privilege architecture, has resulted in multiple organizations being targeted with ransom attacks, experts have warned.
A report from cybersecurity researchers Unit 42 outlined how they observed a successful extortion campaign’s cloud operations that leveraged exposed environment variable files (.ENV) that held sensitive data such as login credentials.
The unnamed threat actors set up their attack infrastructure within Amazon Web Services (AWS) environments belonging to target organizations, and then used it as a launchpad to scan more than 230 million unique targets for sensitive information. As Unit 42 further explained, the campaign targeted 110,000 domains, and resulted in more than 90,000 unique variables in the .ENV files being exposed.
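As an added illustration, not code from the article or from the Unit 42 report, the following defender-side check audits a web document root for .env files that would be reachable by a plain HTTP request and lists the credential-like variables each one holds. The web root path, the secret-name patterns and the sample .env file are assumptions constructed for the example.

```python
"""Find .env files under a web document root and list the credential-like
variables they hold. Added defender check, not code from the Unit 42 report."""
import re
import tempfile
from pathlib import Path
# Name fragments that usually hold secrets (assumption; tune per site).
SENSITIVE_KEY = re.compile(
    r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY", re.I)

def parse_env(text):
    """Parse KEY=VALUE lines; skip comments, blanks, 'export ' prefixes, quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def find_exposed_env_files(webroot):
    """Return sorted (relative path, [sensitive variable names]) for every .env*
    file under webroot; each is one request away unless the server blocks dotfiles."""
    root = Path(webroot)
    findings = []
    for path in sorted(root.rglob(".env*")):
        if path.is_file():
            env = parse_env(path.read_text(errors="replace"))
            keys = sorted(k for k, v in env.items() if v and SENSITIVE_KEY.search(k))
            findings.append((path.relative_to(root).as_posix(), keys))
    return findings

def demo():
    """Audit a constructed web root holding one leaked .env (sample values only)."""
    with tempfile.TemporaryDirectory() as d:
        app = Path(d) / "app"
        app.mkdir()
        (app / ".env").write_text(
            "# constructed sample, not real credentials\nAPP_ENV=production\n"
            "DB_PASSWORD='example-only'\nexport AWS_ACCESS_KEY_ID=EXAMPLEKEYID\n"
            "AWS_SECRET_ACCESS_KEY=\"EXAMPLESECRET\"\nMAIL_TOKEN=\n")
        return find_exposed_env_files(d)
```

Run `find_exposed_env_files("/var/www")` (or whatever the document root is) from a cron job; any non-empty result means a credential file is sitting where the web server can serve it, and empty-valued variables such as `MAIL_TOKEN=` above are deliberately not reported.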
No encryption
Of those variables, 7,000 belonged to organizations’ cloud services. That, however, does not necessarily mean 7,000 compromised organizations, as one enterprise most likely owns multiple variables. Still, the crooks stole at least 1,500 variables belonging to social media accounts, which might be a good indication of the number of victims. Furthermore, the attackers used multiple source networks to facilitate the operation.
While the crooks did steal sensitive data and demanded money for it, they did not encrypt their targets’ IT infrastructure. This is yet another example of threat actors pivoting away from encryption malware and into simple data ransom attacks. Some researchers believe building, maintaining, and then deploying encryptors is too expensive and cumbersome. Simply holding data ransom is, apparently, just as effective:
“The campaign involved attackers successfully ransoming data hosted within cloud storage containers,” Unit 42 said. “The event did not include attackers encrypting the data before ransom, but rather they exfiltrated the data and placed the ransom note in the compromised cloud storage container.”
The attackers did not leverage any system vulnerability or bug, the researchers concluded. This is all the result of human error and recklessness.
Via The Hacker News