Researchers Uncover Large-Scale Cyber Attacks On AWS Cloud Environments

Tyler Cross
Tyler Cross Senior Writer
Tyler Cross Tyler Cross Senior Writer

Unit 42 researchers discovered a massive cyber campaign that affects more than 230 million unique cloud environments.

Hackers exploited exposed environment variable files (.env) to gain access to multiple organizations’ systems. .env files often contain troves of access codes to various systems and programs. By exploiting these, hackers could further infiltrate a victim’s network and give themselves access to key systems.

Finally, attackers would exfiltrate the company’s data and ransom it.

The hackers wouldn’t stop at gaining access to systems and ransoming data. They’d also use their data to hack employee’s social media accounts.

“Following the threat actor’s discovery operations, they identified that the original IAM credential used to gain initial access to the cloud environment did not have administrator access to all cloud resources,” states researchers with Palo Alto.

“We determined that the attackers discovered the original IAM role used for initial access did have the permissions to both create new IAM roles and attach IAM policies to existing roles.

After taking control of these environments, the hackers began extorting multiple companies. The scope of the extortion attempts is currently unknown. Only by paying the extortion were these companies given back their cloud.

“We have all client personal information from files,” the ransom letter that researchers found states. “In order to prevent their SALE, you will need to make payment of Bitcoin to us.”

If the victim refused to pay, their information would be sold on the dark web for any other hacker to purchase and use as they see fit. The letter also promises to delete the stolen data if payment is received, however, hackers rarely fully delete the data they exfiltrated.

By using automated tools to find vulnerable companies, criminals could quickly target multiple companies at once. Over 110,000 domains were affected by the campaign. As of now, it’s unknown how much money the hackers may have made or the scope of the damage they caused.

About the Author
Tyler Cross
Tyler Cross
Senior Writer

About the Author

Tyler is a writer at SafetyDetectives with a passion for researching all things tech and cybersecurity. Prior to joining the SafetyDetectives team, he worked with cybersecurity products hands-on for more than five years, including password managers, antiviruses, and VPNs and learned everything about their use cases and function. When he isn't working as a "SafetyDetective", he enjoys studying history, researching investment opportunities, writing novels, and playing Dungeons and Dragons with friends.

Leave a Comment