+1 607 252-6647 Email Questions

Botnets have been silently mass-scanning the internet for unsecured ENV files

  • Published in News
  • Hits: 36

Drawing little attention to themselves, multiple threat actors have spent the past two-three years mass-scanning the internet for ENV files that have been accidentally uploaded and left exposed on web servers.

ENV files, or environment files, are a type of configuration files that are usually used by development tools.

Frameworks like Docker, Node.js, Symfony, and Django use ENV files to store environment variables, such as API tokens, passwords, and database logins.

Due to the nature of the data they hold, ENV files should always be stored in protected folders.

"I'd imagine a botnet is scanning for these files to find API tokens that will allow the attacker to interact with databases like Firebase, or AWS instances, etc.," Daniel Bunce[1], Principal Security Analyst for SecurityJoes[2], told ZDNet.

"If an attacker is able to get access to private API keys, they can abuse the software," Bunce added.

More than 1,100 ENV scanners active this month alone

Application developers have often received warnings about malicious botnets scanning for GIT configuration files or for SSH private keys[3] that have been accidentally uploaded online, but scans for ENV files have been just as common as the first two.

More than 2,800 different IP addresses[4] have been used to scan for ENV files over the past three years, with more than 1,100 scanners[5] being active over the past month, according to security firm Greynoise.

Similar scans have also been recorded by threat intelligence firm Bad Packets, which has been tracking the most common scanned ENV file paths[6] on Twitter for the past year.

Threat actors who identify ENV files will end up downloading the file, extracting any sensitive credentials, and then breaching a company's backend infrastructure.

The end goal of these subsequent

Read more from our friends at ZDNet

Contact us

By Mail

PO Box 5613

Katy, TX 77491


Social: twitter facebook

Phone: +1 607 252-6647

Fax: +1 866 573-1096

Email: info [AT] synapticweb [DOT] co