The threat actors utilized automated tools to check for millions of domains, hacking into exposed .env files that contained critical information.
Once in, they started by carrying out extensive reconnaissance of the breached environments with AWS API calls such as GetCallerIdentity, ListUsers, and ListBuckets.
The next thing that happened was the actors elevated their privileges by forming new IAM roles that had full administrative rights on them and this showed how they understood AWS IAM elements well.
They then proceeded to deploy Lambda functions that were maliciously designed to perform recursive scans for more .env files across multiple Amazon Web Services regions including a particular focus on Mailgun credentials useful for a large-scale phishing campaign.
The huge reach of the campaign was visible in that as they were able to access .env files in over 110,000 domains and had a target list that surpassed 230 million unique endpoints.
The operation finished with data exfiltration into S3 buckets controlled by attackers.
Automated scans of everything everywhere for exposed credentials is nothing new?