110,000 domains targeted by ‘sophisticated’ cloud extortionists • The Register

Organizations that keep their AWS environment files private have little to worry about here. Infosec experts say that those that expose them risk becoming victims of an extensive and sophisticated extortion campaign.

Security firm Cyble published research this week showing that attackers had targeted 110,000 domains, exploiting misconfigured .env files. These files typically contain secrets such as hardcoded cloud access keys, SaaS API keys and database credentials, the researchers said.

In this particular cluster of activity, the attackers are believed to have a deep understanding of cloud architectures, which is especially dangerous when the targeted organizations are weak on cloud security in several areas at once.

The victims were eventually served a ransom note that replaced their S3-stored credentials. They had exposed their environment variables, failed to rotate credentials regularly, and failed to implement a least-privilege architecture.

Attackers targeted unsecured web applications and scanned for environment files that exposed identity and access management (IAM) keys.

After obtaining the credentials, the criminals executed the GetCallerIdentity API call to verify that the credentials were valid, the ListUsers API request to enumerate the IAM users in the AWS account, and the ListBuckets API request to find all S3 buckets, the researchers said.

These access keys did not have the administrative privileges the attackers were after, but they did allow the creation of new IAM roles to which policies could be attached, ultimately allowing the attackers to escalate their privileges to unrestricted access.

“To escalate privileges, the attackers created an IAM role named lambda-ex with the CreateRole API request and then used the AttachRolePolicy API call to attach the AWS-managed AdministratorAccess policy to the newly created lambda-ex role,” Cyble wrote.

“In the execution phase, the attackers initially failed to create an EC2 infrastructure stack, but using the CreateFunction20150331 API call, they were able to create new AWS Lambda functions for their automated scanning operation. From there, they were able to launch a bash script to scan for targets.”
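The sequence Cyble describes (GetCallerIdentity, ListUsers and ListBuckets from a leaked key, then CreateRole followed by AttachRolePolicy with AdministratorAccess) is a recognisable pattern in CloudTrail. The detector below is an added example, not code from Cyble or The Register; the CloudTrail events it processes are constructed samples and the access key IDs are placeholders.

```python
from collections import defaultdict

RECON_CALLS = {"GetCallerIdentity", "ListUsers", "ListBuckets"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample CloudTrail events (not real data); key IDs are placeholders.
SAMPLE_EVENTS = [
    {"eventName": "GetCallerIdentity", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventName": "ListUsers", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventName": "ListBuckets", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventName": "CreateRole", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
     "requestParameters": {"roleName": "lambda-ex"}},
    {"eventName": "AttachRolePolicy", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
     "requestParameters": {"roleName": "lambda-ex", "policyArn": ADMIN_POLICY}},
    # Benign control: a different key attaches a read-only policy with no prior recon burst.
    {"eventName": "AttachRolePolicy", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"},
     "requestParameters": {"roleName": "reporting",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]


def detect_escalation(events):
    """Flag any access key that creates a role and then attaches AdministratorAccess
    to that same role. The finding is rated high when the key also made the
    reconnaissance calls first. Events are assumed to be in time order."""
    state = defaultdict(lambda: {"recon": set(), "roles": set()})
    findings = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        s = state[key]
        if name in RECON_CALLS:
            s["recon"].add(name)
        elif name == "CreateRole":
            s["roles"].add(params.get("roleName"))
        elif name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY:
            role = params.get("roleName")
            if role in s["roles"]:
                findings.append({
                    "accessKeyId": key,
                    "role": role,
                    "recon": sorted(s["recon"]),
                    "severity": "high" if s["recon"] else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in detect_escalation(SAMPLE_EVENTS):
        print(finding)
```

In production the same logic would read events from a CloudTrail S3 export or a SIEM query rather than the inline list, and a finding should trigger immediate key rotation and review of the new role.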

The Reg asked Cyble for additional information about the victims, their targets and the ransom demands, but the company did not immediately respond.

“This cloud extortion campaign highlights the dangers that arise when cloud users fail to adhere to best practices such as robust authentication and access controls, data encryption, secure configuration management, and monitoring and logging,” the blog post said.

“Exposed .env files may contain API keys and secrets, database credentials, encryption keys, and configurations of sensitive environments. Therefore, the following best practices are recommended.”

In addition to the best practices mentioned, the researchers suggested that cloud users should not commit .env files to version control – a measure to prevent accidental exposure. Using environment variables in the deployment environment reduces the dependency on .env files, and secrets management tools should also be considered.

Both Amazon S3 buckets and the cloud credentials they often contain are popular targets for cybercriminals, so it’s no surprise that sophisticated attempts are being made to attack both.

They are often cheap, largely because they are exposed so frequently and are therefore plentiful on dark web forums.

Last year, experts told The Reg it was possible to purchase cloud credentials for the same price as a box of donuts, but even that small expense wasn’t always necessary given how poorly protected they are. IBM’s X-Force team found plaintext credentials on user endpoints in 33 percent of all the engagements it was brought in for.

S3 buckets themselves are hardly infallible either. Whether it’s vulnerabilities that could potentially allow complete takeovers of AWS accounts, or users misconfiguring them, cloud storage misconfigurations are so common that they’re boring for us reporters to write about, so we usually don’t. But we certainly don’t lack for material. ®