Cloud Security, Threat Intelligence

Widespread cloud extortion facilitated by misconfigured .ENV files


SecurityWeek reports that threat actors leveraging misconfigured Amazon Web Services .env files with sensitive data were able to compromise 110,000 domains as part of an extortion campaign.

Inadequately protected .env files, which web applications use to define configuration variables, enabled the compromise of AWS Identity and Access Management (IAM) credentials and, eventually, access to the cloud environment, according to an analysis from Palo Alto Networks. The attacks also involved reconnaissance through Tor-based infrastructure, lateral movement and data theft via VPNs, and exploitation of virtual private servers, the researchers added. "The event did not include attackers encrypting the data before ransom, but rather they exfiltrated the data and placed the ransom note in the compromised cloud storage container," said Palo Alto Networks. In light of these findings, the researchers recommend using temporary credentials, applying the principle of least privilege to IAM resources, logging and tracking resources, and deactivating inactive resources.
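Two defender-side checks for the exposure pattern described above, written as an added example (not code from the article or from Palo Alto Networks): one flags requests for .env files in a web server access log, the other audits a .env file's contents for long-lived AWS access keys that should be replaced by temporary credentials. The log lines, the key ID and the secret are constructed placeholders.

```python
"""Offline checks for exposed .env files carrying AWS credentials."""
import re
from collections import Counter

# A request for /.env (at any depth) is the reconnaissance step; a 200
# status means the web server actually served the file.
ENV_REQUEST = re.compile(
    r'"(?:GET|POST) (\S*?/\.env(?:\.\w+)?)(?:\?\S*)? HTTP/[\d.]+" (\d{3})'
)
# Long-lived IAM user access key IDs start with AKIA; temporary STS keys
# start with ASIA. Only the former belong in nobody's web root.
AWS_KEY_ID = re.compile(r'\b(AKIA|ASIA)[0-9A-Z]{16}\b')
AWS_SECRET = re.compile(
    r'(?im)^\s*AWS_SECRET_ACCESS_KEY\s*=\s*["\']?([A-Za-z0-9/+=]{40})'
)


def find_env_probes(log_lines):
    """Return (path, status, count) for each distinct .env request in the log."""
    hits = Counter()
    for line in log_lines:
        m = ENV_REQUEST.search(line)
        if m:
            hits[(m.group(1), int(m.group(2)))] += 1
    return sorted((p, s, n) for (p, s), n in hits.items())


def audit_env_contents(text):
    """Report AWS key material found in the contents of a .env file."""
    key_ids = [m.group(0) for m in AWS_KEY_ID.finditer(text)]
    return {
        "key_ids": key_ids,
        "long_lived_key": any(k.startswith("AKIA") for k in key_ids),
        "secret_present": AWS_SECRET.search(text) is not None,
    }


# Constructed sample data: three access-log lines and one .env file.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.5 - - [01/Aug/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Aug/2024:10:00:03 +0000] "GET /app/.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
]
SAMPLE_ENV = (
    "APP_ENV=production\n"
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00\n"  # placeholder, not a real key
    "AWS_SECRET_ACCESS_KEY=" + "x" * 40 + "\n"  # placeholder secret
)

if __name__ == "__main__":
    print(find_env_probes(SAMPLE_LOG))
    print(audit_env_contents(SAMPLE_ENV))
```

A served .env (status 200) whose contents show a long-lived AKIA key is exactly the condition that turns a web misconfiguration into an IAM compromise.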
