Threat actors are looking for API tokens, passwords, and database logins usually stored in ENV files.
Drawing little attention to themselves, multiple threat actors have spent the past two-three years mass-scanning the internet for ENV files that have been accidentally uploaded and left exposed on web servers. ENV files, or environment files, are a type of configuration files that are usually used by development tools. Frameworks like Docker, Node.js, Symfony, and Django use ENV files to store environment variables, such as API tokens, passwords, and database logins. Due to the nature of the data they hold, ENV files should always be stored in protected folders. “I’d imagine a botnet is scanning for these files to find API tokens that will allow the attacker to interact with databases like Firebase, or AWS instances, etc.
