cloudbreach

EnvWatch: Find Exposed Cloud Secrets Before Hackers Do

There’s a quiet risk that creeps into every developer’s workflow; not flashy, not obvious, but persistent. It’s the slow accumulation of secrets: API keys copied during testing, forgotten .env files, SSH keys scattered across directories, AWS credentials still valid but long ignored. None of it feels urgent in the moment. Collectively, it creates an attack surface that’s hard to reason about.

The 2024 AWS .env Extortion Campaign

In 2024, Palo Alto Networks’ Unit 42 uncovered a large-scale extortion campaign built entirely around one thing: exposed .env files. Attackers ran automated scans across 230 million unique targets, harvesting credentials stored in publicly accessible environment files. The haul included 1,185 AWS access keys, 333 PayPal OAuth tokens, 235 GitHub tokens, and dozens of Slack webhooks and DigitalOcean tokens, all extracted from files that developers had left reachable on misconfigured web servers.

Once inside a victim’s AWS environment, attackers escalated privileges by creating new IAM roles with administrator permissions, then spun up Lambda functions to automate further scanning, turning each victim’s own infrastructure into attack infrastructure for the next wave.

No sophisticated exploit. Three compounding failures: secrets stored in .env files, those files publicly accessible, and long-lived credentials with no rotation policy.

EnvWatch was built to address exactly that. It’s a lightweight Go utility that scans your system for exposed cloud secrets: fast, local, and deliberately simple.

The Problem: Secret Sprawl Is Inevitable

If

Published 22/04/2026 | Categories: Blog, Offensive Cloud Security, Tools

Breaking The Chain: How Threat Actors Exploit Supply Chains in Major CSPs

Introduction

In 2022, a significant phishing campaign known as “0ktapus” targeted Okta users, successfully bypassing their one-time code-based multi-factor authentication (MFA). Attackers sent SMS messages containing links to phishing sites that closely resembled the victims’ organizational Okta login pages. Unsuspecting employees entered their corporate credentials and 2FA codes into these fraudulent sites, which were then captured by the attackers. Many enterprises that integrated Okta with cloud service providers such as AWS, Azure, and Google Cloud Platform (GCP) for authentication and security were affected. The complexity of cloud-native architectures, shared responsibility models, and the dynamic nature of cloud environments further amplify these challenges.

Twilio Hackers Scarf 10K Okta Credentials in Sprawling Supply Chain Attack

Cloud supply chain attacks are becoming increasingly frequent and sophisticated, posing significant risks to organizations. As businesses rely more on cloud services for digital transformation, securing cloud supply chains has become a critical challenge. Unlike traditional IT environments, cloud supply chains involve multiple interconnected vendors, third-party software providers, and dependencies, each introducing security vulnerabilities. A single compromised component, such as a vulnerable third-party API, misconfigured software update, or exploited identity federation, can serve as an entry point for widespread breaches, leading to data theft, service disruptions, and regulatory

Published 04/03/2025 | Categories: Blog, New, Offensive Cloud Security