Cybercriminals have been infiltrating organizations’ cloud storage containers, stealing sensitive data, and in some cases demanding payment from the victim organizations in exchange for not leaking or selling the stolen information. According to researchers at Palo Alto Networks, these attackers likely relied on advanced automation to operate quickly and at scale.
One of the key methods these cybercriminals used to reach cloud storage containers was harvesting exposed environment files (.env) from victim organizations’ web applications. These files often contain crucial information such as cloud provider IAM keys, SaaS API keys, and database login details. The attackers then used this information to gain initial access to the organization’s cloud environment.
Once inside, the attackers would verify the identity associated with the IAM credential they used, create lists of other IAM users and existing S3 buckets, and identify the services in use within the AWS account. They would then create new roles with admin permissions, allowing them unlimited access to the compromised AWS account. This access enabled them to carry out activities such as creating resources for cryptomining and scanning the internet for exposed environment variable files.
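The sequence described above (identity check, enumeration of users and buckets, then creation of an admin role) is visible in CloudTrail. The following is an added example, not code from the Unit 42 research or from any vendor tool: it groups CloudTrail-style events by calling principal and flags a principal that performs discovery calls and then creates or empowers a role or user within a short window. The event records are constructed, not real log output; field names follow CloudTrail's JSON layout (`eventName`, `eventSource`, `eventTime`, `userIdentity`, `requestParameters`), and the account ID and user names are hypothetical.

```python
"""Flag the reconnaissance-then-escalation pattern in CloudTrail-style events.
Added example; events below are constructed, not real CloudTrail output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery calls made right after a stolen IAM key is first used
DISCOVERY = {"GetCallerIdentity", "ListUsers", "ListBuckets", "ListRoles", "GetAccountSummary"}
# Calls that create or empower a principal; the campaign created admin roles this way
ESCALATION = {"CreateRole", "AttachRolePolicy", "PutRolePolicy", "CreateUser", "CreateAccessKey"}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_escalation_sequences(events, window=timedelta(minutes=30)):
    """Group events by calling principal and report each principal that performs
    discovery calls and then, within `window` of the first one, creates or empowers
    a role or user. Returns a list of alert dicts; an empty list means no match."""
    by_principal = defaultdict(list)
    for event in events:
        by_principal[event["userIdentity"]["arn"]].append(event)

    alerts = []
    for arn, evs in by_principal.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        discovery_seen, first_discovery, escalations = set(), None, []
        for event in evs:
            name, when = event["eventName"], parse_time(event["eventTime"])
            if name in DISCOVERY:
                discovery_seen.add(name)
                first_discovery = first_discovery or when
            elif name in ESCALATION and first_discovery and when - first_discovery <= window:
                params = event.get("requestParameters") or {}
                label = name
                if name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
                    label = "AttachRolePolicy(AdministratorAccess)"
                escalations.append(label)
        if escalations:
            key_id = evs[0]["userIdentity"].get("accessKeyId", "")
            alerts.append({
                "principal": arn,
                "discovery": sorted(discovery_seen),
                "escalations": escalations,
                # AKIA-prefixed keys are long-term user keys, the kind that ends up in a .env
                # file; ASIA-prefixed keys are temporary credentials from an assumed role
                "long_term_key": key_id.startswith("AKIA"),
            })
    return alerts


def _event(name, source, stamp, arn, key_id, params=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventName": name, "eventSource": source, "eventTime": stamp,
            "userIdentity": {"type": "IAMUser", "arn": arn, "accessKeyId": key_id},
            "requestParameters": params or {}}


# Constructed sample: a deploy user's leaked key runs discovery and then creates an
# admin role, while an administrator's lone ListBuckets call should not trigger an alert.
LEAKED = "arn:aws:iam::123456789012:user/ci-deploy"   # hypothetical principal
ADMIN = "arn:aws:iam::123456789012:user/alice"        # hypothetical principal
SAMPLE_EVENTS = [
    _event("GetCallerIdentity", "sts.amazonaws.com", "2024-08-01T10:00:05Z", LEAKED, "AKIAEXAMPLELEAKED"),
    _event("ListUsers", "iam.amazonaws.com", "2024-08-01T10:00:09Z", LEAKED, "AKIAEXAMPLELEAKED"),
    _event("ListBuckets", "s3.amazonaws.com", "2024-08-01T10:00:12Z", LEAKED, "AKIAEXAMPLELEAKED"),
    _event("CreateRole", "iam.amazonaws.com", "2024-08-01T10:02:40Z", LEAKED, "AKIAEXAMPLELEAKED",
           {"roleName": "maint-role"}),
    _event("AttachRolePolicy", "iam.amazonaws.com", "2024-08-01T10:02:43Z", LEAKED, "AKIAEXAMPLELEAKED",
           {"roleName": "maint-role", "policyArn": ADMIN_POLICY_ARN}),
    _event("ListBuckets", "s3.amazonaws.com", "2024-08-01T11:30:00Z", ADMIN, "ASIAEXAMPLETEMP"),
]

if __name__ == "__main__":
    for alert in find_escalation_sequences(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately requires a discovery call before the escalation call, which keeps routine role creation by an administrator out of the alert stream; a `CreateRole` with no preceding discovery is not flagged, so pair it with a separate rule on `AttachRolePolicy` with `AdministratorAccess` if that gap matters in your environment. The `long_term_key` field surfaces whether the call came from a user access key (the kind that leaks via `.env`) rather than temporary role credentials.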
One particular focus of the attackers was on compromised Mailgun credentials found in the .env files. With these credentials, they could launch large-scale phishing attacks against organizations using legitimate domains, increasing the chances of bypassing security measures.
The attackers would exfiltrate data and objects from the victims’ S3 buckets using tools like the S3 Browser and upload ransom notes. In some cases, they would also send the ransom notes to the victim company’s stakeholders.
Surprisingly, the S3 bucket used by the attackers to store the stolen .env files was also publicly exposed, allowing researchers to identify over 90,000 unique combinations of leaked environment variables containing access keys or IAM credentials. Some of these credentials were associated with popular cloud services like AWS, PayPal, GitHub, and social media platforms.
The success of these attacks was also attributed to the broad permissions attached to IAM resources. To prevent such incidents, organizations are advised to configure web servers so that environment files are never served, use IAM roles rather than long-term access keys, apply the principle of least privilege when granting permissions, disable unused regions within AWS accounts, and enable logging and monitoring for abnormal activity.
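The least-privilege advice above is easiest to act on with a check that runs against policy documents before they are attached. The following is an added example, not code from the report or from AWS: it lints an IAM policy document for wildcard actions, wildcard resources, and rights to create or empower roles and users (the rights that let a leaked key become full account access), and shows a broad policy beside a scoped one. Both policy documents and the bucket name are constructed; `aws:RequestedRegion` is a real IAM global condition key, used here to pin the scoped policy to one region in the spirit of the "disable unused regions" advice.

```python
"""Lint an IAM policy document for the broad grants the mitigation list warns about.
Added example; the policy documents below are constructed."""
from fnmatch import fnmatchcase

# Actions that let a principal create new roles/users or attach policies to them,
# which is how the campaign turned a leaked key into unlimited account access
ROLE_ESCALATION_ACTIONS = {"iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
                           "iam:CreateUser", "iam:AttachUserPolicy", "iam:CreateAccessKey"}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy):
    """Return a list of findings (strings) for every Allow statement that grants a
    wildcard action, a wildcard resource, or an action covering role/user escalation.
    An empty list means the document passed these checks, not that it is minimal."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or f"Statement[{idx}]"
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action '{action}'")
                continue
            # IAM action matching is case-insensitive and supports '*' patterns
            matched = sorted(e for e in ROLE_ESCALATION_ACTIONS
                             if fnmatchcase(e.lower(), action.lower()))
            if matched:
                findings.append(f"{sid}: action '{action}' covers escalation action(s) "
                                + ", ".join(matched))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: applies to every resource ('*')")
    return findings


# Constructed: the kind of policy often behind a key pasted into a .env file
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: looks scoped, but the iam:Create* pattern still permits role creation
OVERREACHING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppPlusIam", "Effect": "Allow",
                   "Action": ["s3:GetObject", "iam:Create*"],
                   "Resource": "arn:aws:s3:::example-app-uploads/*"}],
}

# Constructed: only the two object operations the app needs, on one bucket, in one region
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppBucketObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}},
        {"Sid": "ListOwnBucket", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-uploads"},
    ],
}

if __name__ == "__main__":
    for name, doc in [("weak", WEAK_POLICY), ("overreaching", OVERREACHING_POLICY),
                      ("scoped", SCOPED_POLICY)]:
        print(name, lint_policy(doc) or ["no findings"])
```

The checker reads the Action, Resource and Effect fields only; it does not evaluate Condition blocks, NotAction, or the policies attached elsewhere to the same principal, so a clean result here is a necessary but not sufficient condition. Running it in CI against every policy document a deployment creates catches the `"Action": "*"` shortcut before a key with those rights can be written into an environment file.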
In conclusion, the threat of cybercriminals targeting organizations’ cloud storage containers is a growing concern. It is crucial for organizations to implement robust security measures to protect their data and prevent falling victim to such attacks. Being proactive and implementing best practices can help mitigate the risks associated with cloud security breaches.
