aws

EnvWatch: Find Exposed Cloud Secrets Before Hackers Do

There’s a quiet risk that creeps into every developer’s workflow: not flashy, not obvious, but persistent. It’s the slow accumulation of secrets: API keys copied during testing, forgotten .env files, SSH keys scattered across directories, AWS credentials still valid but long ignored. None of it feels urgent in the moment. Collectively, it creates an attack surface that’s hard to reason about.

The 2024 AWS .env Extortion Campaign

In 2024, Palo Alto Networks’ Unit 42 uncovered a large-scale extortion campaign built entirely around one thing: exposed .env files. Attackers ran automated scans across 230 million unique targets, harvesting credentials stored in publicly accessible environment files. The haul included 1,185 AWS access keys, 333 PayPal OAuth tokens, 235 GitHub tokens, and dozens of Slack webhooks and DigitalOcean tokens, all extracted from files that developers had left reachable on misconfigured web servers.

Once inside a victim’s AWS environment, attackers escalated privileges by creating new IAM roles with administrator permissions, then spun up Lambda functions to automate further scanning, turning each victim’s own infrastructure into attack infrastructure for the next wave.

No sophisticated exploit. Three compounding failures: secrets stored in .env files, those files publicly accessible, and long-lived credentials with no rotation policy.

EnvWatch was built to address exactly that. It’s a lightweight Go utility that scans your system for exposed cloud secrets: fast, local, and deliberately simple.

The Problem: Secret Sprawl Is Inevitable

If

22/04/2026 (2026-04-23T13:57:14+03:00) | Categories: Blog, Offensive Cloud Security, Tools

Understanding Supply Chain Attacks in the Cloud: An Introduction to the Silent Threat

In March 2024, Microsoft employee and PostgreSQL developer Andres Freund, while investigating a performance regression in Debian Sid, noticed unusually high CPU usage in SSH connections and errors in the Valgrind memory debugging tool. During his investigation, Freund discovered a backdoor in the popular Xz Utils application. He reported the findings to the Openwall Project’s security mailing list, alerting software vendors.

Andres Freund’s first report to the Openwall mailing list

The Xz Utils backdoor supply chain attack involved the insertion of malicious code into a widely used open-source library, Xz Libs, which is essential for Unix-based systems. The attacker had attempted to obfuscate the backdoor by implementing it in multiple stages. This supply chain attack gave attackers unauthorized access and control over systems using the compromised versions of the library.

The threat was particularly severe, as it targeted a critical part of server infrastructure used by millions. This incident highlighted once more the rising trend of sophisticated supply chain attacks over recent years.

Introduction to Supply Chain Attacks

What Are Supply Chain Attacks?

Supply chain attacks have existed for decades, initially focusing on physical goods and manufacturing processes, often referred to as physical supply chain attacks. Historically, adversaries exploited networks of

03/02/2025 (2025-02-05T11:28:56+02:00) | Categories: Blog, Offensive Cloud Security

Intro To AWS Enumeration – Part 1

Hello and welcome to CloudBreach’s first blog post on “Introduction to AWS Enumeration”, with a special emphasis on the security aspects. In the dynamic realm of cloud security, the paramount first step of any offensive security engagement is undoubtedly enumeration. This methodical process of gathering comprehensive information about target systems is not just a preliminary step; it is the cornerstone upon which successful security engagements are built. Even in intricate and expansive cloud environments, the principle of ‘Enumeration First’ holds its ground as the key to unveiling concealed vulnerabilities and potential attack vectors.

Our short blog delves deep into unlocking the secrets of unauthenticated AWS S3 enumeration through the lens of a potential adversary. Upcoming blog posts will explore the security dimensions of other AWS services.

What is Amazon S3?

Amazon Simple Storage Service (Amazon S3) is a scalable object storage service provided by Amazon Web Services (AWS). It is designed to store and retrieve any amount of data from anywhere on the web.

Image Source: Amazon S3 Documentation [https://aws.amazon.com/s3/]

In the context of AWS enumeration, particularly when discussing Amazon S3, there are two main types of enumeration: unauthenticated and authenticated. Each type has its own methodologies, tools, and limitations. In this article, we will focus

05/02/2024 (2024-03-10T13:26:25+02:00) | Categories: #BreachingAWS, Offensive Cloud Security