Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments

    Date: 08/16/2024

    Severity: Medium

    Summary

    Unit 42 researchers uncovered a cloud-based extortion scheme that targeted several organizations. The attackers exploited exposed .env files, which held sensitive credentials and other application secrets, to carry out their campaign.

    Indicators of Compromise (IOC) List

    IP Address

    185.220.101.29

    80.67.167.81

    185.220.101.190

    192.42.116.187

    95.214.234.103

    45.83.104.137

    198.251.88.142

    144.172.118.62

    89.234.157.254

    185.220.101.86

    185.220.101.21

    94.142.241.194

    185.220.101.19

    185.220.103.113

    185.100.85.25

    185.100.87.41

    192.42.116.201

    192.42.116.199

    192.42.116.218

    192.42.116.18

    176.123.8.245

    192.42.116.181

    62.171.137.169

    199.249.230.161

    192.42.116.208

    192.42.116.192

    109.70.100.71

    185.220.101.30

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address

    dstipaddress IN ("185.220.101.29","80.67.167.81","185.220.101.190","192.42.116.187","95.214.234.103","45.83.104.137","198.251.88.142","144.172.118.62","89.234.157.254","185.220.101.86","185.220.101.21","94.142.241.194","185.220.101.19","185.220.103.113","185.100.85.25","185.100.87.41","192.42.116.201","192.42.116.199","192.42.116.218","192.42.116.18","176.123.8.245","192.42.116.181","62.171.137.169","199.249.230.161","192.42.116.208","192.42.116.192","109.70.100.71","185.220.101.30") or ipaddress IN ("185.220.101.29","80.67.167.81","185.220.101.190","192.42.116.187","95.214.234.103","45.83.104.137","198.251.88.142","144.172.118.62","89.234.157.254","185.220.101.86","185.220.101.21","94.142.241.194","185.220.101.19","185.220.103.113","185.100.85.25","185.100.87.41","192.42.116.201","192.42.116.199","192.42.116.218","192.42.116.18","176.123.8.245","192.42.116.181","62.171.137.169","199.249.230.161","192.42.116.208","192.42.116.192","109.70.100.71","185.220.101.30") or publicipaddress IN ("185.220.101.29","80.67.167.81","185.220.101.190","192.42.116.187","95.214.234.103","45.83.104.137","198.251.88.142","144.172.118.62","89.234.157.254","185.220.101.86","185.220.101.21","94.142.241.194","185.220.101.19","185.220.103.113","185.100.85.25","185.100.87.41","192.42.116.201","192.42.116.199","192.42.116.218","192.42.116.18","176.123.8.245","192.42.116.181","62.171.137.169","199.249.230.161","192.42.116.208","192.42.116.192","109.70.100.71","185.220.101.30") or srcipaddress IN ("185.220.101.29","80.67.167.81","185.220.101.190","192.42.116.187","95.214.234.103","45.83.104.137","198.251.88.142","144.172.118.62","89.234.157.254","185.220.101.86","185.220.101.21","94.142.241.194","185.220.101.19","185.220.103.113","185.100.85.25","185.100.87.41","192.42.116.201","192.42.116.199","192.42.116.218","192.42.116.18","176.123.8.245","192.42.116.181","62.171.137.169","199.249.230.161","192.42.116.208","192.42.116.192","109.70.100.71","185.220.101.30")
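    The TDIR query above matches the IOC list against four address fields at once. The following Python script, added here as an illustration and not code from Gurucul or Unit 42, does the same check offline over newline-delimited JSON log records so the logic can be tested before it is deployed in a SIEM. It also shows two details a practitioner has to decide on: normalising values such as "host:port" before comparison, and surfacing lines that could not be parsed instead of silently skipping them. The IOC addresses are exactly the ones listed in this advisory; the JSON log format, the field names taken from the query, the "host:port" tolerance and the sample records are assumptions constructed for the example.

```python
"""Match the advisory's IOC IP addresses against log records.

Added example, not part of the advisory. The IOC set is the list published
above; the log format (one JSON object per line carrying some of the four
address fields named in the TDIR query) and the sample records are
constructed assumptions.
"""
import ipaddress
import json
from typing import Dict, Iterable, List, Optional, Tuple

# IOC IP addresses exactly as listed in the advisory (28 entries).
IOC_IPS = frozenset({
    "185.220.101.29", "80.67.167.81", "185.220.101.190", "192.42.116.187",
    "95.214.234.103", "45.83.104.137", "198.251.88.142", "144.172.118.62",
    "89.234.157.254", "185.220.101.86", "185.220.101.21", "94.142.241.194",
    "185.220.101.19", "185.220.103.113", "185.100.85.25", "185.100.87.41",
    "192.42.116.201", "192.42.116.199", "192.42.116.218", "192.42.116.18",
    "176.123.8.245", "192.42.116.181", "62.171.137.169", "199.249.230.161",
    "192.42.116.208", "192.42.116.192", "109.70.100.71", "185.220.101.30",
})

# The four address fields the TDIR query inspects. Assumption: the log
# records use these same key names.
ADDRESS_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def normalise_ip(value: object) -> Optional[str]:
    """Return a canonical IPv4 string, or None if the value is not one.

    Tolerates a trailing ":port" suffix (constructed assumption about some
    log sources) and rejects IPv6, which the IOC list does not contain.
    """
    if not isinstance(value, str):
        return None
    text = value.strip()
    # Exactly one colon means "a.b.c.d:port"; IPv6 literals have several.
    if text.count(":") == 1:
        text = text.split(":", 1)[0]
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return str(addr) if addr.version == 4 else None


def match_record(record: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (field, ip) pairs for every address field that hits the IOC set."""
    hits = []
    for field in ADDRESS_FIELDS:
        ip = normalise_ip(record.get(field))
        if ip is not None and ip in IOC_IPS:
            hits.append((field, ip))
    return hits


def scan_logs(lines: Iterable[str]) -> Tuple[List[Dict[str, object]], List[int]]:
    """Scan JSON-per-line log text.

    Returns (findings, skipped): findings carry line number, field, IOC and
    timestamp; skipped lists line numbers that were not valid JSON, so gaps
    in coverage are visible rather than hidden.
    """
    findings: List[Dict[str, object]] = []
    skipped: List[int] = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            skipped.append(lineno)
            continue
        for field, ip in match_record(record):
            findings.append({"line": lineno, "field": field, "ip": ip,
                             "timestamp": record.get("timestamp")})
    return findings, skipped


# Constructed sample records: one source-address hit, one destination hit
# carrying a port suffix, one benign record, one unparseable line.
SAMPLE_LOGS = "\n".join([
    '{"timestamp": "2024-08-16T10:00:00Z", "srcipaddress": "185.220.101.29", "dstipaddress": "10.0.0.5"}',
    '{"timestamp": "2024-08-16T10:00:05Z", "srcipaddress": "10.0.0.8", "dstipaddress": "192.42.116.187:443"}',
    '{"timestamp": "2024-08-16T10:00:09Z", "publicipaddress": "203.0.113.10"}',
    'Aug 16 10:00:12 host sshd[123]: not a JSON record',
])


if __name__ == "__main__":
    found, bad = scan_logs(SAMPLE_LOGS.splitlines())
    for hit in found:
        print(f"line {hit['line']}: {hit['field']}={hit['ip']} at {hit['timestamp']}")
    if bad:
        print(f"unparsed lines: {bad}")
```

    Run against real logs, the unparsed-line count is the first thing to check: a detection that reports zero hits because every record failed to parse looks identical to a clean environment unless that gap is surfaced.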

    Reference:

    https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/

    Tags

    Malware, Exploit, Extortion
