Drawing little attention to themselves, multiple threat actors have spent the past two-three years mass-scanning the internet for ENV files that have been accidentally uploaded and left exposed on web servers.
Frameworks like Docker, Node.js, Symfony, and Django use ENV files to store environment variables, such as API tokens, passwords, and database logins.
Due to the nature of the data they hold, ENV files should always be stored in protected folders.
"I'd imagine a botnet is scanning for these files to find stored credentials that will allow the attacker to interact with databases like Firebase, or AWS instances, etc.," Daniel Bunce, Principal Security Analyst for SecurityJoes, told ZDNet.
"If an attacker is able to get access to private API keys, they can abuse the software," Bunce added.
More than 1,100 ENV scanners active this month alone
Application developers have often received warnings about malicious botnets scanning for GIT configuration files or for SSH private keys that have been accidentally uploaded online, but scans for ENV files have been just as common as the first two.
Threat actors who identify ENV files will end up downloading the file, extracting any sensitive credentials, and then breaching a company's backend infrastructure.
The end goal of these subsequent attacks can be anything from the theft of intellectual property and business secrets, to ransomware attacks, or to the installation of hidden crypto-mining malware.
Developers are advised to test and see if their apps' ENV files are accessible online and then secure any ENV file that was accidentally exposed. For exposed ENV files, changing all tokens and passwords is also a must.
The 15 top malware threats facing you and your organisation