A recent blog post by threat intel specialists Cyble details a sophisticated cyber extortion campaign that exploited misconfigured environment variable files (.env files) across approximately 110,000 domains. These .env files, commonly used to hold an application's configuration variables, inadvertently contained sensitive information such as AWS Identity and Access Management (IAM) access keys. Attackers leveraged these exposed credentials to infiltrate cloud environments, escalate privileges, and ransom data stored in Amazon S3 buckets.

Of the nearly 60 IPs referenced in the Cyble post, 25 were predicted as malicious by Augur and identified for blocking months ahead of the first attacks in Q1 2024. This means that Augur users benefited from +90 days of advance protection against active threats before the patient-zero attacks, and +180 days ahead of traditional threat intelligence sources.

Key Findings from the Cyble Post

  • Scope of Exposure: The campaign targeted over 110,000 domains, extracting over 90,000 unique variables from exposed .env files. Notably, 7,000 variables were linked to organizations' cloud services, and 1,500 pertained to social media accounts.
  • Attack Methodology: Attackers scanned for publicly accessible .env files on unsecured web applications. The compromised IAM credentials allowed them to create new IAM roles with elevated privileges, facilitating deeper infiltration into victims' cloud infrastructures.
  • Operational Tactics: The threat actors used virtual private servers (VPS), the Tor network, and VPNs to conduct reconnaissance, lateral movement, and data exfiltration. They exfiltrated data from compromised S3 buckets and left ransom notes demanding payment for the return of the stolen data.

Here’s What Augur Predicted

CIDR 193.42.99.0/24

4 IPs from CIDR 193.42.99.0/24 were predicted in Q2 2023. 190 of the 256 IPs in this CIDR have been reported as malicious. This CIDR belongs to ASN 35913 DEDIPATH-LLC (USA), which hosts more than 200 CIDRs that have been reported as having malicious IPs. According to Palo Alto's Unit 42, these IPs were all used as VPN endpoints.

  • 193[.]42[.]99[.]169
  • 193[.]42[.]99[.]58
  • 193[.]42[.]99[.]50
  • 193[.]42[.]98[.]65

CIDR 192.42.116.192/27

6 IPs from CIDR 192.42.116.192/27 were predicted in Q2 2023. 100% of IPs in this CIDR have been reported as malicious. This CIDR belongs to ASN 1101 IP-EEND-AS IP-EEND BV (Netherlands), which hosts more than 30 CIDRs that have been reported as having malicious IPs. According to Palo Alto's Unit 42, these IPs were all used as Tor exit nodes.

  • 192[.]42[.]116[.]218
  • 192[.]42[.]116[.]208
  • 192[.]42[.]116[.]201
  • 192[.]42[.]116[.]199
  • 192[.]42[.]116[.]192
  • 192[.]42[.]116[.]187

CIDR 95.214.234.0/24

7 IPs from CIDR 95.214.234.0/24 were predicted in Q2 2019. 100% of IPs in this CIDR have been reported as malicious. This CIDR belongs to ASN 30860 YURTEH-AS (Ukraine), which hosts more than 200 CIDRs that have been reported as having malicious IPs. According to Palo Alto's Unit 42, these IPs were all used as VPN endpoints.

  • 95[.]214[.]234[.]103
  • 95[.]214[.]217[.]224
  • 95[.]214[.]217[.]173
  • 95[.]214[.]217[.]224
  • 95[.]214[.]217[.]33
  • 95[.]214[.]217[.]173
  • 95[.]214[.]216[.]158

Other Predicted IPs

  • 89[.]234[.]157[.]254
  • 185[.]220[.]101[.]190
  • 185[.]220[.]101[.]86

As always, if you haven’t already blocked these IPs, we highly recommend you do so.
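Blocking at the perimeter is one use of this list; the other is looking back through cloud audit logs for the post-compromise activity the Cyble post describes (IAM role creation with elevated privileges from VPN, Tor and VPS addresses). The script below is an added example, not Augur, SecLytics or Cyble code: it re-fangs the defanged IPs as published above, folds them into a blocklist together with the three CIDRs the post names, and runs that list over a handful of constructed CloudTrail-style records. The record field names (`eventName`, `sourceIPAddress`, `userIdentity.type`) follow the AWS CloudTrail JSON schema; the set of IAM event names treated as privilege changes and the sample records themselves are assumptions made for the example.

```python
import ipaddress

# Defanged IOCs exactly as published in the post above (one per line);
# a subset is enough to show the parsing.
PUBLISHED_IOCS = """
193[.]42[.]99[.]169
192[.]42[.]116[.]218
95[.]214[.]234[.]103
185[.]220[.]101[.]190
"""

# The CIDRs the post lists; blocking whole ranges is a defender's choice,
# not something the post prescribes.
BLOCKED_CIDRS = ["193.42.99.0/24", "192.42.116.192/27", "95.214.234.0/24"]

# IAM calls that correspond to the "create new roles with elevated privileges"
# step in the post. Assumed set for this example; tune to your environment.
SUSPICIOUS_IAM_EVENTS = {
    "CreateRole", "AttachRolePolicy", "PutRolePolicy",
    "CreateUser", "CreateAccessKey",
}

# Constructed CloudTrail-style records. 203.0.113.7 is an RFC 5737
# documentation address standing in for an ordinary, unlisted client;
# the access key id is a placeholder, not a real key.
SAMPLE_CLOUDTRAIL = [
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "193.42.99.169",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIA-PLACEHOLDER"}},
    {"eventName": "CreateRole", "sourceIPAddress": "192.42.116.218",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIA-PLACEHOLDER"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIA-PLACEHOLDER"}},
    # Service-initiated calls carry a hostname here, not an IP.
    {"eventName": "PutObject", "sourceIPAddress": "s3.amazonaws.com",
     "userIdentity": {"type": "AWSService"}},
]


def refang(text):
    """Turn the post's 193[.]42[.]99[.]169 notation back into 193.42.99.169."""
    return text.replace("[.]", ".")


def parse_iocs(text):
    """Extract valid IP addresses from defanged, one-per-line IOC text."""
    ips = set()
    for line in text.splitlines():
        candidate = refang(line.strip())
        if not candidate:
            continue
        try:
            ips.add(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue  # skip anything that is not an address
    return ips


def build_blocklist(ioc_text, cidrs):
    """Combine the named CIDRs and individual IOCs into one list of networks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    nets.extend(ipaddress.ip_network(ip) for ip in parse_iocs(ioc_text))
    return nets


def is_blocked(ip, blocklist):
    """True if ip falls inside any listed network (raises ValueError if not an IP)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def flag_events(records, blocklist):
    """Return (eventName, sourceIP, reason) for records that touch a listed IP.

    Privilege-changing IAM calls from a listed IP are reported separately
    so they can be ranked above plain reconnaissance calls.
    """
    findings = []
    for rec in records:
        src = rec.get("sourceIPAddress", "")
        name = rec.get("eventName", "")
        try:
            listed = is_blocked(src, blocklist)
        except ValueError:
            listed = False  # hostnames such as s3.amazonaws.com are never "listed"
        if listed and name in SUSPICIOUS_IAM_EVENTS:
            findings.append((name, src, "IAM privilege change from listed IP"))
        elif listed:
            findings.append((name, src, "API call from listed IP"))
    return findings


if __name__ == "__main__":
    blocklist = build_blocklist(PUBLISHED_IOCS, BLOCKED_CIDRS)
    for finding in flag_events(SAMPLE_CLOUDTRAIL, blocklist):
        print(finding)
```

Point the same `flag_events` at records pulled from a CloudTrail export and the two-tier reason string gives a simple triage order: a `CreateRole` or `AttachRolePolicy` from a listed address is the event to escalate first, while `GetCallerIdentity` from the same address is the reconnaissance that typically precedes it.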

Get Zero-day Protection Today!

You can learn more about how Augur predicts the future here and how it provides unique protection against emerging vulnerabilities, novel threats and zero-day exploits. But you don't have to take our word for all these big claims. Contact us to set up a free trial and see for yourself the immediate impact Augur can have in your SOC.

Stay in the Loop

To stay up to date on all the latest SecLytics news and events follow us on LinkedIn!
