Large-scale extortion via secrets in .env files: Why Secret Vaults just aren’t enough

August 20, 2024

by

Roni Lichtman

On August 15th, Palo Alto Networks' Unit 42 published an article describing a sophisticated, large-scale attack on multiple victim organizations that leveraged developer secrets exposed in .env files.

What are .env files?

.env files are used by services at runtime to configure environment variables, which are often sensitive. See the following example:

Example: .env file

.env files usually contain very sensitive secrets such as AWS access keys, database credentials and third-party SaaS API keys. Therefore, .env files are usually (but not always) kept out of the GitHub repository. Instead, they are manually configured on every endpoint on which the code is meant to run, including production servers and also engineers' workstations, to enable testing of features.

Why would a .env file be exposed over the public internet?

Oftentimes, .env files are used to configure web servers which must be publicly accessible in order to serve a customer-facing web application. Unfortunately, depending on configuration, the behavior of several popular web servers and frameworks (including nginx, Apache and Node.js Express) when asked for a local file over the public internet is to serve it as-is if the file sits in the directory the web server serves from.

Therefore, if the web server is misconfigured, an attacker can visit http://your-website.com/.env and retrieve the .env file being used in production.

How do I know if this impacted me?

As noted by Unit 42 researchers, the attackers left a digital footprint following their initial access to victim cloud environments. To identify whether you were impacted, search for the API calls the attackers leveraged, look for anomalies, and try to correlate them with access keys that are used within .env files in your organization:

  1. Search in AWS CloudTrail for the GetCallerIdentity API call which was leveraged by the attackers for Discovery
  2. Search in AWS CloudTrail for CreateRole and AttachPolicy API calls which were leveraged by the attackers for Privilege Escalation
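As an added example (not code from the post or from Unit 42), the following Python performs the correlation described above: it pulls AWS access key IDs out of .env content and flags the hunt-list CloudTrail events (GetCallerIdentity, CreateRole, AttachPolicy) that were made with one of those keys. The .env content, the key and the CloudTrail records are constructed sample data, and the record fields are trimmed to what the check needs.

```python
import re

# API calls the post says to hunt for, mapped to the attacker's objective.
SUSPICIOUS_CALLS = {"GetCallerIdentity": "Discovery",
                    "CreateRole": "Privilege Escalation",
                    "AttachPolicy": "Privilege Escalation"}

# Constructed sample .env content; the key is a placeholder, not a real one.
SAMPLE_ENV = """# production config
AWS_ACCESS_KEY_ID="AKIAEXAMPLE000000001"
AWS_SECRET_ACCESS_KEY=not-a-real-secret
DB_PASSWORD=hunter2
"""

# Constructed CloudTrail-style records, trimmed to the fields the check uses.
SAMPLE_TRAIL = [
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventName": "CreateRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"}},  # key not from .env
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},  # not on hunt list
]

def extract_access_keys(env_text):
    """Collect AWS access key IDs from .env text (KEY=value lines)."""
    keys = set()
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        value = value.strip().strip("\"'")
        # Long-term IAM user keys are 20 characters beginning with AKIA.
        if name.strip() == "AWS_ACCESS_KEY_ID" and re.fullmatch(r"AKIA[0-9A-Z]{16}", value):
            keys.add(value)
    return keys

def find_suspicious_events(records, env_keys):
    """Return hunt-list events that were made with a key found in an .env file."""
    hits = []
    for rec in records:
        name = rec.get("eventName")
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if name in SUSPICIOUS_CALLS and key in env_keys:
            hits.append({"event": name, "objective": SUSPICIOUS_CALLS[name],
                         "accessKeyId": key, "sourceIP": rec.get("sourceIPAddress")})
    return hits
```

Run it against your own .env files and exported CloudTrail events; any hit is a key that both lives in an .env file and was used for one of the calls the attackers made, which is the starting point for the rotation and backdoor hunt described in the next section.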

How should I respond if I am impacted?

If you are impacted:

  1. Make sure to promptly rotate all sensitive keys that may have been exposed
  2. Make sure to discover and remove all potential backdoor identities which the attacker may have left in your environment

How can I proactively protect against these kinds of threats?

  1. Inventory your secrets, identify where they are located, which are at risk of leakage and who owns them
  2. Migrate to ephemeral credentials, for example migrate IAM Users to IAM Roles
  3. Rotate secrets frequently
  4. Enforce Least Privilege to mitigate damage post-breach

Let’s Talk

Have any comments or notes? Shoot me a message and let’s discuss. If you found this article helpful and you want to get notified on future research by Torch Security, sign up here.
