Crawlers finding public, unsecured environment files continue to be used to compromise organizations.

On Tuesday, April 25, 2023, GreyNoise is changing how we classify environment file crawlers from unknown intent to malicious intent. At the time of publication, this change will result in the reclassification of over 11,000 IPs as malicious. Users who block IPs based on GreyNoise's malicious classification will see an increase in blocked IPs.

Background

An environment file crawler is a bot that scours the internet for publicly accessible env files. These files have been in common use for over a decade; they pass dynamic environment variables (configuration values) to software and services.

Environment files are dotfiles: files whose names begin with a dot and which are hidden from the user by default. They are plain text, editable in any text editor, and hold configuration settings for an application. An example of an environment file:

APP_NAME=The App
APP_ENV=dev

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=theappdb
DB_USERNAME=thedatabaseuser
DB_PASSWORD=theappsecretpassword
API_KEY=abc123def456

Why are attackers so interested in env files?

They almost always contain sensitive data such as authentication information (e.g. keys or passwords) and often the specific connection details that go with it. For this reason, env files should never be exposed publicly; anyone who obtains the file can potentially access sensitive systems. Adding insult to injury, organizations are often unaware that they are exposing these files to the public, and these crawlers have historically been overlooked.

What is GreyNoise changing?

For years, GreyNoise has monitored env scanners and classified them as unknown intent. However, we continuously strive to enhance our datasets to safeguard organizations and increase the effectiveness of SOCs; thus, we have decided to reclassify these crawlers as malicious. 


The reclassification of intent will affect the following tags:

Why the change?

These files should never be publicly exposed since they typically contain sensitive information; the internet noise generated by the constant searching for these files is indicative of the scale of opportunistic attackers looking for credentials.

Using environment files to compromise organizations is a well-established tactic

Numerous CVEs involve env files, whether as information disclosure or as a path to code execution, including but not limited to:

Final thoughts

Organizations should take proactive measures to regularly look for exposed .env files; scanning once won’t cut it as they can appear at any time. Searching for unsecured env files should be a part of an organization's vulnerability management program. If you do find a publicly available .env file for your organization, it is imperative that you immediately remediate the exposure and rotate any credentials that were leaked.  GreyNoise will continue to review the classifications of our tags to ensure their efficacy.
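As an added example (not GreyNoise's code), one way to act on this advice from the defender's side: a small Python check over web-server access logs (Apache/nginx combined format) that counts .env probes per source IP and flags any such request the server actually answered with 200, which means the file was served and its credentials must be rotated. The log lines are constructed, not real traffic.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# A path component named .env, in any directory, with or without a suffix (.bak, .production, ...).
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[\w.-]+)?$', re.IGNORECASE)

def is_env_probe(path):
    """True if the request path points at an environment file."""
    path = path.split('?', 1)[0]  # ignore the query string
    return bool(ENV_PATH_RE.search(path))

def analyze_access_log(lines):
    """Return (probes, exposures): per-IP count of .env requests, and the
    (ip, path) pairs answered with 200, i.e. a file was actually served."""
    probes = defaultdict(int)
    exposures = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_env_probe(m['path']):
            continue
        probes[m['ip']] += 1
        if m['status'] == '200':
            exposures.append((m['ip'], m['path']))
    return dict(probes), exposures

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Apr/2023:10:01:03 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Apr/2023:10:01:04 +0000] "GET /app/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Apr/2023:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Apr/2023:10:05:01 +0000] "GET /environment/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.33 - - [25/Apr/2023:10:09:30 +0000] "GET /backup/.env?x=1 HTTP/1.1" 200 417 "-" "python-requests/2.28"
"""

if __name__ == "__main__":
    probes, exposures = analyze_access_log(SAMPLE_LOG.splitlines())
    for ip, n in sorted(probes.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} .env request(s)")  # candidates for enrichment/blocking
    for ip, path in exposures:
        print(f"EXPOSED: {path} served with 200 to {ip} -- remediate and rotate credentials")
```

Probing IPs that only received 404s are candidates for blocklist enrichment; any 200 in the exposures list is an incident, since the crawler already has the file.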

Sign up for a free GreyNoise account or request a demo to see how GreyNoise can help provide immediate protection from threats like these, especially when activity mutates from "unknown" or "benign" to "malicious."

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.