Augur Predicts Multiple IPs Used in AWS .env Exploit
A recent cloud extortion campaign exploited misconfigured .env files to steal credentials and ransom cloud storage data, and Augur predicted that 6 IPs would accompany this campaign.
A recent article on threat intel company Cyble’s blog highlights an extortion campaign that exploited exposed .env files containing AWS credentials. Attackers used these files to access AWS accounts, steal data from S3 buckets, and demand ransom. The vulnerability arose from misconfigured cloud environments in which .env files were inadvertently exposed to the public web. This allowed attackers to automate the process of locating these files, stealing the sensitive values they contain, and gaining unauthorized access to cloud infrastructure.
For more details, visit the full article here.
Augur predicted 6 IPs related to this vulnerability:
192[.]42[.]116[.]218
192[.]42[.]116[.]187
192[.]42[.]116[.]199
192[.]42[.]116[.]208
The first 4 IPs are part of CIDR 192.42.116.192/27, predicted in Q1 2023. Since then, all 29 usable IPs predicted in the CIDR have been confirmed malicious by third-party sources.
185[.]220[.]101[.]30
This IP was predicted in late 2017, first detected in network traffic in early 2020, and has since been repeatedly flagged as malicious by multiple threat intel providers.
89[.]234[.]157[.]254
This IP was predicted in 2014 as part of CIDR 89.234.157.252/30 and has been repeatedly flagged as malicious by multiple threat intel providers.
Needless to say, if you aren’t already blocking these IPs, we highly recommend you do so.
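The two practical takeaways above (attackers automate requests for publicly reachable .env files, and the six predicted IPs should be blocked) can be turned into a quick detection pass over web server access logs. The script below is an added example written for this post, not code from SecLytics, Augur, Cyble or Unit 42. It parses combined-format access log lines, flags any request for a .env file, flags any source address that falls in the CIDRs and hosts listed in this post (with the defanging brackets removed), and marks an .env request that the server answered with 200 as a likely exposure. The log lines are constructed sample input; the log format regex and the Finding structure are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Addresses and CIDRs named in the post, defanging brackets removed.
BLOCKLIST = [
    ipaddress.ip_network("192.42.116.192/27"),   # first four predicted IPs
    ipaddress.ip_network("185.220.101.30/32"),
    ipaddress.ip_network("89.234.157.252/30"),
]

# A request path that ends in .env (or .env.<suffix>), at the root or in any directory.
ENV_PATH_RE = re.compile(r"(^|/)\.env(\.[A-Za-z0-9_-]+)?(\?|$)")

# Combined log format as written by Apache/nginx (assumed layout for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines; the first and fourth use addresses from the post.
SAMPLE_LOG = [
    '192.42.116.218 - - [11/Aug/2024:03:14:07 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Aug/2024:03:15:22 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '198.51.100.7 - - [11/Aug/2024:03:16:01 +0000] "GET /admin/.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '185.220.101.30 - - [11/Aug/2024:03:17:45 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    env_probe: bool     # request targeted a .env file
    blocklisted: bool   # source address is in BLOCKLIST
    exposed: bool       # .env request answered with 200: the file is probably reachable


def in_blocklist(ip: str) -> bool:
    """True if the address falls inside any CIDR or host in BLOCKLIST."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


def analyze(lines):
    """Return one Finding per log line that is either an .env probe or from a blocklisted IP."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing at fields
        ip, path, status = m["ip"], m["path"], int(m["status"])
        probe = bool(ENV_PATH_RE.search(path))
        blocked = in_blocklist(ip)
        if probe or blocked:
            findings.append(Finding(ip, path, status, probe, blocked, probe and status == 200))
    return findings


def summarize(findings):
    """Counts a responder would want first: probes seen, blocklisted sources, confirmed exposures."""
    return {
        "env_probes": sum(f.env_probe for f in findings),
        "blocklisted_sources": len({f.ip for f in findings if f.blocklisted}),
        "likely_exposures": sum(f.exposed for f in findings),
    }


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f)
    print(summarize(results))
```

A 200 response to a .env request is the line to act on first: rotate every credential in that file and restrict access to dotfiles in the web server configuration, since the post's campaign automated exactly this request across a large number of domains.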
Why Does this Matter?
According to the Palo Alto Unit 42 research team, this campaign has already targeted 110,000 domains, resulting in the exfiltration of over 90,000 unique variables from the .env files. Of those variables, 7,000 belonged to organizations' cloud services and 1,500 variables were attributed to social media accounts. Additionally, attackers used multiple source networks to facilitate the operation.
The credentials exfiltrated via this vulnerability can give cybercriminals access to AWS assets and social media accounts.
Get Zero-day Protection Today!
You can learn more about how Augur predicts the future here and how it provides unique protection against emerging vulnerabilities, novel threats and zero-day exploits. If you want to talk to someone about how Augur’s predictive intelligence can improve your overall security posture, email us at augur@seclytics.com.
Stay in the Loop
To stay up to date on all the latest SecLytics news and events, check out our blog or, even better, follow us on LinkedIn!