Security researchers at Palo Alto Networks uncovered a large-scale extortion campaign exploiting misconfigured cloud environments. Attackers targeted over 110,000 domains by accessing exposed .env files, which contained sensitive information like AWS IAM keys, SaaS API keys, and database logins. These misconfigurations allowed attackers to infiltrate cloud environments, exfiltrate data, and place ransom notes within compromised storage containers. Despite attempts to escalate their privileges and create resources for crypto-mining, the attackers focused on scanning millions of domains and IP addresses for further vulnerabilities.
The attackers used Tor-based infrastructure and VPNs for their operations, compromising an IAM role to create malicious resources and conduct internet-wide scans. They stored the harvested credentials in a public S3 bucket under their control. Palo Alto Networks urges organizations to implement best practices, such as using temporary credentials, enforcing least privilege policies, and enabling logging and monitoring to protect against similar attacks.