Drawing little attention to themselves, multiple threat actors have spent the past two-three years mass-scanning the internet for ENV files that have been accidentally uploaded and left exposed on web servers.
ENV files, or environment files, are a type of configuration files that are usually used by development tools.
Frameworks like Docker, Node.js, Symfony, and Django use ENV files to store environment variables, such as API tokens, passwords, and database logins.
Due to the nature of the data they hold, ENV files should always be stored in protected folders.
“I’d imagine a botnet is scanning for these files to find API tokens that will allow the attacker to interact with databases like Firebase, or AWS instances, etc.,” Daniel Bunce, Principal Security Analyst for SecurityJoes, told ZDNet.
“If an attacker is able to get access to private API keys, they can abuse the software,” Bunce added.