Drawing little attention to themselves, multiple threat actors have spent the past two-three years mass-scanning the internet for ENV files that have been accidentally uploaded and left exposed on web servers.
ENV files, or environment files, are a type of configuration files that are usually used by development tools.
Frameworks like Docker, Node.js, Symfony, and Django use ENV files to store environment variables, such as API tokens, passwords, and database logins.
Due to the nature of the data they hold, ENV files should always be stored in protected folders.
"I'd imagine a botnet is scanning for these files to find stored credentials that will allow the attacker to interact with databases like Firebase, or AWS instances, etc.," Daniel Bunce, Principal Security Analyst for SecurityJoes, told ZDNet.
"If an attacker is able to get access to private API keys, they can abuse the software," Bunce added.
More than 1,100 ENV scanners active this month alone
Application developers have often received warnings about malicious botnets scanning for GIT configuration files or for SSH private keys that have been accidentally uploaded online, but scans for ENV files have been just as common as the first two.
More than 2,800 different IP addresses have been used to scan for ENV files over the past three years, with more than 1,100 scanners being active over the past month, according to security firm Greynoise.
188.8.131.52 (🇵🇱) is mass scanning the internet for these paths:
. . . pic.twitter.com/vIBDk7Wbnl— Bad Packets (@bad_packets)
Threat actors who identify ENV files will end up downloading the file, extracting any sensitive credentials, and then breaching a company's backend infrastructure.
The end goal of these subsequent attacks can be anything from the theft of intellectual property and business secrets, to ransomware attacks, or to the installation of hidden crypto-mining malware.
Developers are advised to test and see if their apps' ENV files are accessible online and then secure any ENV file that was accidentally exposed. For exposed ENV files, changing all tokens and passwords is also a must.
- ^ Daniel Bunce (twitter.com)
- ^ SecurityJoes (www.securityjoes.com)
- ^ SSH private keys (www.bleepingcomputer.com)
- ^ 2,800 different IP addresses (viz.greynoise.io)
- ^ 1,100 scanners (viz.greynoise.io)
- ^ most common scanned ENV file paths (twitter.com)
- ^ pic.twitter.com/vIBDk7Wbnl (t.co)
- ^ February 19, 2020 (twitter.com)