Recently, a widespread cloud extortion operation—affecting 110,000 domains and involving significant financial demands—was uncovered. Unit 42, the cybersecurity research division of Palo Alto Networks, released a report this month detailing how threat actors exploited misconfigured .env files to gain unauthorized access, steal sensitive data, and demand ransoms after deleting cloud assets. 

Large-scale extortion campaigns such as this highlight the urgent need for organizations to adopt a proactive and comprehensive approach to data security in the cloud, which includes: 

1. Knowing where your sensitive data is and who has access to it,

2. Continuously monitoring your data for risky misconfigurations,

3. Detecting and acting on data threats early, and

4. Ensuring business continuity and quick recovery following an attack. 

To build cyber resilience, organizations must not only be prepared for wartime scenarios where an active breach must be managed; they must also fortify their defenses during peacetime and maintain robust active intrusion responses. By embracing this holistic approach, organizations can ensure they remain vigilant against ever-evolving threats. And in partnership with the right solution—such as Rubrik—security teams can build a comprehensive data protection strategy designed to reduce the effects of an attack or even prevent one altogether.

Let’s take a look at the tactics employed by cybercriminals during the recent set of attacks on AWS resources, the potential impact on affected organizations, and best practices for safeguarding sensitive data against malicious activities.

Reducing the risk of data exposure during peacetime (pre-attack)

In this threat landscape, the most effective security strategy is to assume and prepare for a future breach. In the case of this particular breach, attackers were able to locate exposed AWS IAM access keys from publicly accessible .env files that were hosted on unsecured web applications. They then used those keys to access the organizations’ AWS-hosted environments. 

As outlined by the Unit 42 team, “multiple security missteps” occurred to make malicious actors’ jobs easier. These critical missteps—including misconfigurations that exposed .env files and overly permissive IAM credentials—could have been avoided had the organizations constructed a more effective data security posture. 

Ideally, ahead of an attack, and with the help of a data security posture management (DSPM) solution, organizations should be able to: 

MITRE ATT&CK TTP: Initial Access
Attackers exploited exposed environment variable (.env) files hosted on AWS, which contained sensitive data such as AWS Identity and Access Management (IAM) access keys. This resulted in unauthorized scanning of over 230 million unique targets for sensitive data.
Rubrik Cyber Resilience: Before an active incident, Rubrik automatically detects and alerts on .env files found within the environment. Once identified as a violation, customers remove public access, thereby preventing exploitation by threat actors.
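As an added illustration of the peacetime check described above (this is not Rubrik's or Unit 42's code), the following Python flags any .env file that sits under a web document root and reports whether it carries AWS access keys. The web-root layout and the sample .env contents are constructed; the key pair is AWS's documentation example.

```python
import re
from pathlib import Path

# AWS access key IDs carry a fixed prefix plus 16 upper-case/digit characters;
# the matching secret is 40 characters. Both formats are publicly documented.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_RE = re.compile(r"AWS_SECRET_ACCESS_KEY\s*=\s*['\"]?([A-Za-z0-9/+]{40})")

def scan_env_text(text):
    """Return the kinds of AWS credential found in one .env file's contents."""
    found = []
    if ACCESS_KEY_RE.search(text):
        found.append("aws_access_key_id")
    if SECRET_RE.search(text):
        found.append("aws_secret_access_key")
    return found

def find_exposed_env_files(web_root):
    """List every .env* file under the web document root with what it leaks.
    Any .env under the root is reported, credentials or not, because the
    fix is the same: keep it outside the served tree or deny the path."""
    root = Path(web_root)
    report = []
    for path in sorted(root.rglob(".env*")):
        if path.is_file():
            text = path.read_text(errors="replace")
            report.append((str(path.relative_to(root)), scan_env_text(text)))
    return report

# Constructed sample .env contents using the AWS documentation example key pair.
SAMPLE_ENV = """\
APP_ENV=production
DB_PASSWORD=changeme
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    print(scan_env_text(SAMPLE_ENV))  # ['aws_access_key_id', 'aws_secret_access_key']
```

Run `find_exposed_env_files("/var/www/html")` (path assumed) from a deploy pipeline; a non-empty report is a build failure regardless of what the file contains.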


Detecting threats as early as possible during an active intrusion (at the time of attack)

While the practices above can be enough to reduce the risk of an attack, every breach is different. This means that security teams must also have the tooling and processes in place to contain a variety of threats and minimize the potential damage to the business. 

As outlined in Palo Alto Networks’ report, attackers performed a series of discovery API calls to verify the identity of the users assigned to the exposed IAM credentials. The attackers also identified existing S3 buckets as data exfiltration targets, building a picture of a) which users’ credentials they could exploit and b) where sensitive data was located. Furthermore, when the malicious actors discovered that the IAM credentials they used to gain initial access did not have admin access to all cloud resources, they were still able to create new IAM roles and attach IAM policies to existing roles, thereby escalating their privileges. 

To get ahead of malicious activity such as this, organizations should have the capabilities to: 

  • Get alerted to anomalous and suspicious activity on sensitive data (e.g. excessive file enumeration or downloads) in near real time. 

  • Detect threat actors that have bypassed perimeter, network, and endpoint defenses using compromised credentials. 

  • Detect sensitive data encryption. 

MITRE ATT&CK TTP: Discovery
Attackers successfully attempted the AWS API request ListUsers to gather a list of IAM users in the AWS account as well as the API request ListBuckets to identify all the existing S3 buckets. These operations gave the attackers additional insight into what IAM users existed that they could exploit for future lateral movement. They also provided S3 bucket names for data exfiltration targets.
Rubrik Cyber Resilience: Rubrik monitors data activity in S3 buckets and promptly alerts on any unusual behavior. This could include discovery or reconnaissance activities, such as “Excessive File Enumeration” or “First-Time Access to a Sensitive Bucket.”

MITRE ATT&CK TTP: Privilege Escalation
When the attackers discovered the original IAM role used for initial access had the permissions to both create new IAM roles and attach IAM policies to existing roles, they successfully escalated their privileges within victim cloud environments by creating new IAM resources with unlimited access.
Rubrik Cyber Resilience: Rubrik is able to detect newly created IAM roles and flag those with access to sensitive data. Additionally, Rubrik monitors any roles—not just admin roles—with excessive data access, providing greater accuracy and context around these newly formed roles.


Accelerating incident response during wartime (post-attack) 

While reputational damage and data exfiltration are detrimental, the worst thing that can happen to a business after a cyber attack is downtime. In this case, after gaining access to sensitive data in S3 buckets, the cybercriminals exfiltrated that data to their servers, deleted data from the bucket, and left a ransom note in its place. Most of the notes asked for payment in Bitcoin and threatened to release sensitive data to the dark web if payment was not made.

Organizations should have the right data security and ransomware recovery solution in place in order to efficiently: 

  • Identify what data was compromised, how sensitive that data was, and when the data was accessed,

  • Determine the blast radius of the attack, and  

  • Contain the ransomware in order to recover without infecting the rest of the environment, ultimately leading to less downtime and ensuring business continuity. 

It is also critical that the above recovery process be conducted alongside the IT operations team to ensure cohesive efforts across the entire IT organization. 
 

MITRE ATT&CK TTP: Exfiltration
These attacks also included data exfiltration operations from S3 buckets through the use of the S3 Browser tool.
Rubrik Cyber Resilience: Rubrik continuously monitors data activity within S3 buckets and promptly alerts on any suspicious behavior. In the case of abnormal exfiltration, Rubrik specifically flags incidents as “Excessive File Download.”

MITRE ATT&CK TTP: Impact
After the threat actor successfully exfiltrated and deleted S3 objects from the target victim’s S3 bucket, they uploaded a ransom note to the now empty bucket.
Rubrik Cyber Resilience: Rubrik enables teams to restore via immutability and leverages Time Series data to determine the blast radius. Rubrik then identifies the exact data access permissions of the compromised identity and what data has been exfiltrated.
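The Discovery, Privilege Escalation, Exfiltration and Impact rows above describe one chain of API calls made with a single leaked key. As an added example (not Rubrik's detection logic or the report's), the Python below labels each access key in a batch of CloudTrail-shaped records with the stages its calls match. The records are constructed, the stage-to-API mapping is assumed from the calls the report names, and the "excessive download" threshold is an assumed value.

```python
from collections import Counter, defaultdict

# Stage mapping assumed from the API calls named in the report; threshold is assumed.
DISCOVERY = {"ListUsers", "ListBuckets"}
PRIV_ESC = {"CreateRole", "AttachRolePolicy", "PutRolePolicy"}
DOWNLOAD_THRESHOLD = 50  # GetObject calls per key that count as "excessive"

def ev(name, key_id, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data, not a real log)."""
    return {"eventName": name, "userIdentity": {"accessKeyId": key_id}, "requestParameters": params}

def detect(events):
    """Group records by access key and label each key with the attack stages
    its calls match: discovery, privilege_escalation, exfiltration, impact."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"]["accessKeyId"]].append(e)
    findings = {}
    for key_id, evs in by_key.items():
        names = Counter(e["eventName"] for e in evs)
        stages = []
        if names.keys() & DISCOVERY:
            stages.append("discovery")
        if names.keys() & PRIV_ESC:
            stages.append("privilege_escalation")
        if names["GetObject"] >= DOWNLOAD_THRESHOLD:
            stages.append("exfiltration")
        # Objects deleted from a bucket and a new object written to the same
        # bucket by the same key is the "empty it and leave a note" pattern.
        wiped = {e["requestParameters"].get("bucketName") for e in evs
                 if e["eventName"] == "DeleteObject"}
        noted = {e["requestParameters"].get("bucketName") for e in evs
                 if e["eventName"] == "PutObject"}
        if wiped & noted:
            stages.append("impact")
        if stages:
            findings[key_id] = stages
    return findings

# Constructed replay of the chain under one leaked key (AWS documentation example IDs).
LEAKED, NORMAL = "AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"
EVENTS = [ev("ListUsers", LEAKED), ev("ListBuckets", LEAKED),
          ev("CreateRole", LEAKED, roleName="svc-backup"),
          ev("AttachRolePolicy", LEAKED, roleName="svc-backup",
             policyArn="arn:aws:iam::aws:policy/AdministratorAccess")]
EVENTS += [ev("GetObject", LEAKED, bucketName="acme-exports", key=f"row-{i}.csv") for i in range(60)]
EVENTS += [ev("DeleteObject", LEAKED, bucketName="acme-exports", key=f"row-{i}.csv") for i in range(60)]
EVENTS.append(ev("PutObject", LEAKED, bucketName="acme-exports", key="HOW_TO_RECOVER.txt"))
EVENTS.append(ev("GetObject", NORMAL, bucketName="acme-exports", key="row-1.csv"))
```

`detect(EVENTS)` reports all four stages for the leaked key and nothing for the normal key, which is the per-identity view a responder needs when scoping the blast radius.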


Getting ahead

Large-scale, cloud double-extortion campaigns like this one underscore the growing importance of securing cloud environments. With cyber threats becoming increasingly sophisticated, the lessons from this attack serve as a reminder of the need for continuous vigilance and, most importantly, established security measures before, during, and after an attack. By following the above best practices and partnering with the right solution, organizations not only make it harder for malicious actors to get a foothold within their environments, but they also make business continuity more certain in the event of an attack. 

If you’d like to learn more about how Rubrik Data Security Posture Management (DSPM) can benefit your organization, contact our team.