Palo Alto Networks Unit 42 reported that basic security missteps, namely exposing environment variables and relying on long-lived credentials, enabled an extortion campaign that compromised multiple organizations.
The campaign leveraged victims' AWS environments rather than exploiting any flaw in the cloud provider itself: publicly accessible .env files supplied the credentials used for extensive reconnaissance and data theft.
With 110,000 domains targeted, the attackers exfiltrated data and held it for ransom rather than encrypting it, and used the compromised cloud environments to launch broader data-scanning operations.
The attackers used AWS Identity and Access Management (IAM) keys recovered from those files to elevate their privileges and run automated scanning operations, effectively weaponizing the compromised cloud infrastructure.
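The two missteps Unit 42 names, credential-bearing .env files and long-lived IAM access keys, are both auditable from a defender's side. The following is an added example, not code from Unit 42 or from the original report: it flags active IAM access keys older than a rotation threshold by parsing a credential report in the CSV layout that `aws iam get-credential-report` returns, and lists variables in a .env file whose names or values look like credentials. The credential report, the account id, the user names, the .env contents and the 90-day threshold are all constructed for the example; the access key id is the placeholder from the AWS documentation.

```python
import csv
import io
import re
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # rotation threshold; an assumption for this example

# Constructed IAM credential report in the CSV layout that
# `aws iam get-credential-report` returns. Account id and users are made up.
SAMPLE_CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2022-01-10T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-01-10T09:00:00+00:00,2024-08-01T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-06-01T09:00:00+00:00,true,2024-08-10T08:00:00+00:00,2024-06-01T09:00:00+00:00,N/A,true,true,2024-07-15T09:00:00+00:00,2024-08-10T08:00:00+00:00,eu-west-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def stale_access_keys(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return active access keys whose last rotation is older than max_age_days.

    Each finding is a dict with the IAM user name, the key slot (1 or 2) and
    the key age in whole days relative to `now`.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive slots carry "N/A" timestamps
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age_days = (now - rotated).days
            if age_days > max_age_days:
                findings.append({"user": row["user"], "slot": slot, "age_days": age_days})
    return findings


# Constructed .env file of the kind the article says was left publicly reachable.
# The access key id is the placeholder used in AWS documentation, not a real key.
SAMPLE_ENV = """APP_ENV=production
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=changeme
LOG_LEVEL=info
"""

# Long-term IAM access key ids start with "AKIA" followed by 16 uppercase
# alphanumerics; the name pattern catches the usual credential variable names.
AKID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_NAME_RE = re.compile(r"(?i)(secret|password|passwd|token|api_key|access_key)")


def sensitive_env_entries(env_text):
    """Return the names of .env variables whose name or value looks like a credential."""
    hits = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank lines, comments, malformed entries
        name, value = line.split("=", 1)
        if SECRET_NAME_RE.search(name) or AKID_RE.search(value):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Fixed "now" so the constructed report gives repeatable ages.
    now = datetime(2024, 8, 12, 12, 0, tzinfo=timezone.utc)
    for finding in stale_access_keys(SAMPLE_CREDENTIAL_REPORT, now):
        print(f"{finding['user']}: access key {finding['slot']} is {finding['age_days']} days old")
    print("credential-like .env entries:", sensitive_env_entries(SAMPLE_ENV))
```

Against the constructed data, `deploy-bot` is reported with a key that has not been rotated in 945 days while `alice`'s recently rotated key passes, and the .env scan names the three credential-bearing variables. On a real account the report would come from `aws iam get-credential-report` and the .env check would run over the web root to confirm no such file is served.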