Tech

Botnets have been silently mass-scanning the internet for unsecured ENV files

Threat actors are looking for API tokens, passwords, and database logins usually stored in ENV files.

Written by Catalin Cimpanu, Contributor Nov. 21, 2020 at 12:00 a.m. PT

microsoft-defender-atp-now-scans-windows-5eef8de69c89f47042ec66fd-1-jun-23-2020-12-00-14-poster.jpg

Drawing little attention to themselves, multiple threat actors have spent the past two-three years mass-scanning the internet for ENV files that have been accidentally uploaded and left exposed on web servers.

techrepublic cheat sheet

How to become a developer: Salaries, skills, and the best languages to learn

ENV files, or environment files, are a type of configuration files that are usually used by development tools.

SEE: Meet the hackers who earn millions for saving the web, one bug at a time (cover story PDF) (TechRepublic)

Frameworks like Docker, Node.js, Symfony, and Django use ENV files to store environment variables, such as API tokens, passwords, and database logins.

Due to the nature of the data they hold, ENV files should always be stored in protected folders.

"I'd imagine a botnet is scanning for these files to find stored credentials that will allow the attacker to interact with databases like Firebase, or AWS instances, etc.," Daniel Bunce, Principal Security Analyst for SecurityJoes, told ZDNet.

"If an attacker is able to get access to private API keys, they can abuse the software," Bunce added.

More than 1,100 ENV scanners active this month alone

Application developers have often received warnings about malicious botnets scanning for GIT configuration files or for SSH private keys that have been accidentally uploaded online, but scans for ENV files have been just as common as the first two.

More than 2,800 different IP addresses have been used to scan for ENV files over the past three years, with more than 1,100 scanners being active over the past month, according to security firm Greynoise.

Ouch. Anyways, here's a list of every single IP address crawling the entire Internet for .env files using @GreyNoiseIO:https://t.co/pYBXhX6VZN
GNQL: web.paths:".env" https://t.co/mrDYSjswWV pic.twitter.com/LppKdJ5lce
— Andrew Morris (@Andrew___Morris) November 17, 2020

Similar scans have also been recorded by threat intelligence firm Bad Packets, which has been tracking the most common scanned ENV file paths on Twitter for the past year.

185.234.218.174 (🇵🇱) is mass scanning the internet for these paths:
/admin-app/.env
/api/.env
/app/.env
/apps/.env
/back/.env
/core/.env
/cp/.env
/development/.env
/docker/.env
/fedex/.env
/local/.env
/private/.env
/rest/.env
/shared/.env
/sources/.env
/system/.env
. . . pic.twitter.com/vIBDk7Wbnl
— Bad Packets (@bad_packets) February 19, 2020

Threat actors who identify ENV files will end up downloading the file, extracting any sensitive credentials, and then breaching a company's backend infrastructure.

The end goal of these subsequent attacks can be anything from the theft of intellectual property and business secrets, to ransomware attacks, or to the installation of hidden crypto-mining malware.

Developers are advised to test and see if their apps' ENV files are accessible online and then secure any ENV file that was accidentally exposed. For exposed ENV files, changing all tokens and passwords is also a must.