Severity
High
Analysis Summary
Researchers have identified a large-scale ransomware and extortion campaign that affected more than 110,000 domains. The attackers did not exploit a software vulnerability; they harvested environment variable files (.env files) that had been left publicly reachable on web servers. These files contained sensitive values such as login credentials and AWS access keys, which gave the attackers access to the victims' cloud storage and were followed by ransom demands.
The scanning behind the campaign covered roughly 230 million unique targets and exposed about 90,000 unique variables from .env files. Around 7,000 of these belonged to cloud services used by organizations and about 1,500 were linked to social media accounts. The attackers used the Tor network for reconnaissance and initial access, VPNs for lateral movement and data exfiltration, and virtual private servers (VPS) to host the remaining components of the campaign.
According to the researchers, the campaign succeeded because of security misconfigurations on the victims' side rather than any flaw in AWS: environment files exposed over the web, long-lived credentials where short-lived ones should have been used, and IAM permissions that did not follow a least privilege design. During reconnaissance the attackers focused on AWS Simple Storage Service (S3), Simple Email Service (SES), and the IAM Security Token Service (STS).
After gaining initial access with the credentials taken from the exposed .env files, the attackers enumerated the SES foothold with API calls such as GetSendQuota, ListVerifiedEmailAddresses, and GetAccount. These are read-only discovery calls that reveal sending limits and verified sender identities without changing anything in the account, so they are easy to miss unless someone is looking for them.
Organizations are advised to never make environment files reachable from the web, to prefer temporary (STS) credentials over long-lived IAM user keys, and to apply the least privilege principle to whatever those credentials can do. Enabling CloudTrail event logging and turning on GuardDuty also makes this kind of reconnaissance visible, since the discovery calls above are all recorded in CloudTrail.
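The misconfigurations described above can be checked for before an attacker does. The following is an added example, not code from the advisory or from the researchers: it walks a deployment tree, finds .env files, and rates each one. A file that sits under a web-served document root and holds a long-term AWS key (AKIA prefix) is exactly the condition this campaign harvested; a temporary STS key (ASIA prefix) in a non-web directory is the state you want. The function names, the severity scale, and the sample files it writes to a temporary directory are all constructed for illustration.

```python
"""Audit a deployment tree for .env files that expose AWS credentials.
Added example; not part of the original advisory."""
import os
import re
import tempfile
from dataclasses import dataclass

# AWS access key ids: AKIA = long-term IAM user key, ASIA = temporary STS key.
ACCESS_KEY_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines of a .env file.

    Blank lines and comments are skipped, an optional 'export ' prefix is
    accepted, and surrounding quotes are stripped from the value.
    """
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def classify_access_key(key_id: str) -> str:
    """Classify an AWS_ACCESS_KEY_ID value as long-term, temporary, or neither."""
    if not ACCESS_KEY_RE.match(key_id):
        return "not-aws"
    return "long-term" if key_id.startswith("AKIA") else "temporary"


@dataclass
class Finding:
    path: str
    web_exposed: bool
    access_key_type: str
    has_secret: bool
    severity: str


def audit_env_tree(root: str, web_roots: list) -> list:
    """Find every .env / .env.* file under `root` and rate it.

    A long-term key in a file under a web-served document root is rated
    critical: it is reachable by the same scan this campaign ran.
    """
    findings = []
    web_roots = [os.path.abspath(w) for w in web_roots]
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name == ".env" or name.startswith(".env.")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                env = parse_env(fh.read())
            key_type = classify_access_key(env.get("AWS_ACCESS_KEY_ID", ""))
            has_secret = bool(env.get("AWS_SECRET_ACCESS_KEY"))
            exposed = any(os.path.abspath(path).startswith(w + os.sep) for w in web_roots)
            if key_type == "not-aws" and not has_secret:
                severity = "info"          # template or non-AWS file
            elif exposed and key_type == "long-term":
                severity = "critical"      # what the campaign harvested
            elif exposed:
                severity = "high"          # reachable, but short-lived or partial
            elif key_type == "long-term":
                severity = "medium"        # not reachable, but should be rotated to STS
            else:
                severity = "low"
            findings.append(Finding(path, exposed, key_type, has_secret, severity))
    return sorted(findings, key=lambda f: f.path)


def run_demo() -> dict:
    """Build a constructed sample tree (not real data) and audit it.
    Returns {relative path: severity}. Key ids and secrets are placeholders."""
    base = tempfile.mkdtemp(prefix="envaudit-")
    web_root = os.path.join(base, "srv", "www")
    samples = {
        os.path.join(web_root, "app", ".env"):
            "APP_ENV=production\n"
            "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"
            'AWS_SECRET_ACCESS_KEY="notarealsecretnotarealsecret"\n',
        os.path.join(web_root, "app", ".env.example"):
            "AWS_ACCESS_KEY_ID=\nAWS_SECRET_ACCESS_KEY=\n",
        os.path.join(base, "opt", "worker", ".env"):
            "export AWS_ACCESS_KEY_ID=ASIAEXAMPLEEXAMPLE01\n"
            "export AWS_SECRET_ACCESS_KEY=notarealsecret\n"
            "export AWS_SESSION_TOKEN=notarealtoken\n",
    }
    for path, body in samples.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    findings = audit_env_tree(base, [web_root])
    return {os.path.relpath(f.path, base).replace(os.sep, "/"): f.severity
            for f in findings}


if __name__ == "__main__":
    for rel, sev in run_demo().items():
        print(f"{sev:8} {rel}")
```

Run it against real deploy directories by calling audit_env_tree with your actual web roots. Pair the check with a web-server rule that refuses to serve dotfiles at all (for nginx, `location ~ /\. { deny all; }`), so a stray .env is unreachable even if the audit misses it.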
Impact
- Data Exfiltration
- Exposure of Sensitive Information
Indicators of Compromise
IP
- 45.137.126.12
- 45.137.126.16
- 45.137.126.18
- 45.137.126.41
- 72.55.136.154
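The SES discovery calls named in the analysis and the IP indicators above can be turned into a CloudTrail triage. The following is an added example, not from the advisory or from the researchers: it reads a CloudTrail log file, flags records that are reconnaissance calls or come from an indicator address, keeps failed calls (an AccessDenied on GetSendQuota still means someone is probing), and lists the access keys that should be deactivated first. GetCallerIdentity and ListBuckets are included in the recon set as an assumption of what typically accompanies a stolen key; the advisory itself names only the SES calls. The sample log is constructed and the key ids are placeholders.

```python
"""Triage CloudTrail records for the reconnaissance pattern in this advisory.
Added example; not part of the original advisory."""
import json

# IP indicators listed in this advisory.
IOC_IPS = {
    "45.137.126.12", "45.137.126.16", "45.137.126.18",
    "45.137.126.41", "72.55.136.154",
}

# SES discovery calls named in the advisory, plus two calls that commonly
# accompany a freshly stolen key (assumption, not something the advisory reports).
RECON_CALLS = {
    "GetSendQuota", "ListVerifiedEmailAddresses", "GetAccount",
    "GetCallerIdentity", "ListBuckets",
}


def load_records(text: str) -> list:
    """A CloudTrail log file is a JSON object whose 'Records' array holds the events."""
    return json.loads(text)["Records"]


def triage(records: list, ioc_ips=frozenset(IOC_IPS)) -> list:
    """Return one alert dict per suspicious record.

    A record is suspicious if its eventName is a recon call, if its
    sourceIPAddress is an indicator, or both. Records with an errorCode
    are kept on purpose: denied probes are still probes.
    """
    alerts = []
    for rec in records:
        reasons = []
        name = rec.get("eventName", "")
        src = rec.get("sourceIPAddress", "")
        if name in RECON_CALLS:
            reasons.append("recon-api")
        if src in ioc_ips:
            reasons.append("ioc-ip")
        if reasons:
            alerts.append({
                "eventTime": rec.get("eventTime", ""),
                "eventName": name,
                "eventSource": rec.get("eventSource", ""),
                "sourceIPAddress": src,
                "accessKeyId": rec.get("userIdentity", {}).get("accessKeyId", ""),
                "errorCode": rec.get("errorCode", ""),
                "reasons": reasons,
            })
    return alerts


def keys_to_rotate(alerts: list) -> set:
    """Access keys used from an indicator address are burned: deactivate them
    first, then review everything else those keys touched."""
    return {a["accessKeyId"] for a in alerts
            if "ioc-ip" in a["reasons"] and a["accessKeyId"]}


# Constructed sample log (not real telemetry). Key ids are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-08-17T09:12:01Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEEXAMPLE01"}},
    {"eventTime": "2024-08-17T09:12:09Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "sourceIPAddress": "45.137.126.12",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEEXAMPLE01"}},
    {"eventTime": "2024-08-17T09:12:10Z", "eventSource": "ses.amazonaws.com",
     "eventName": "ListVerifiedEmailAddresses", "sourceIPAddress": "45.137.126.41",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEEXAMPLE01"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-08-17T09:13:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "72.55.136.154",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEEXAMPLE02"}},
    {"eventTime": "2024-08-17T09:14:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEEXAMPLE01"}},
]})


def run_demo() -> list:
    """Triage the constructed sample log and return the alerts."""
    return triage(load_records(SAMPLE_LOG))


if __name__ == "__main__":
    alerts = run_demo()
    for a in alerts:
        print(a["eventTime"], a["eventName"], a["sourceIPAddress"], a["reasons"])
    print("deactivate first:", sorted(keys_to_rotate(alerts)))
```

In production, feed triage() the decompressed CloudTrail files from your log bucket (or an Athena export) rather than the embedded sample, and treat a hit on a recon call from an unfamiliar address as a reason to check whether that key came from a web-reachable .env file.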
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Keep your software up to date. Software updates often include security patches that can help to protect your systems from known vulnerabilities.
- Use strong passwords and multi-factor authentication. This will make it more difficult for attackers to gain access to your systems.
- Back up your data regularly. This will help you to recover in case of a cyber incident.
- Deploy robust endpoint security solutions, including antivirus, anti-malware, and intrusion detection systems to detect and prevent threats.
- Immediately revoke or rotate any credentials found in exposed .env files, and disconnect or isolate compromised systems from the network to contain the intrusion. This may involve shutting down affected servers or segments of the network.
- Conduct a thorough investigation to determine the extent of the breach, including identifying which systems and data were compromised.
- Develop a long-term cybersecurity strategy to prevent future incidents, including investing in advanced threat detection and response capabilities.