Botnets being used by Hackers to scan The Internet for Unsecured ENV Files

December 1, 2020
botnet hackers unsecured ENV files internet

Moving stealthily in the background, several hackers have been scouring the internet in a vast and massive search campaign that started probably 3-years ago. The targets of their search campaign are the exposed and unprotected ENV files on multiple web servers worldwide.

ENV files (environment files) are data files used by an operating system on a machine. This file type can be used or associated with Adobe dictionary or WordPerfect environment files, allowing customization features like changing environments or backgrounds. Some other frameworks or platforms require ENV files to keep API tokens, user passwords, and of course – database credentials. This is why ENV files are almost always stored in a protected folder or location on a user machine. Well, almost always.

Security analysts have always provided information and exposed the possible situations wherein someone who gets access to an exposed ENV repository on a server uses all the valuable information stored in that database. Any API keys or server credentials they acquire can be used and abused in a manner unimaginable to its owners.

Developers and security researchers are often at the cornerstone of getting all the system warnings whenever something malicious like botnets is trying to breach their networks. With more than 1,000 scanners and ENV detection software running over the past few months alone, thousands of botnet incursion incidents have been documented searching for GIT configuration, SSH private keys, and other server credentials that have been left hanging on the internet or exposed from within a corporate infrastructure.

Over 3,000 single IP addresses have been examined and detected to perform these malicious scanning over 3 years.

Other security research and threat intelligence firms have reported similar occurrences from different world regions – hackers and malicious threat actors exploring the web and infiltrating private networks, looking for unguarded ENV files.


The same actions were noted – acquiring the exposed ENV files, downloading the data set, extracting all sensitive information stored from within the file, and using the newly found credentials to breach the victim company’s network infrastructure.


Everything is downwards from that point on. Follow up attacks are most likely possible, information theft, acquiring trade secrets and sensitive business information, crypto mining attacks, ransomware assaults, malware injections, and other malicious network intrusions.

In light of these findings, security analysts, administrators, and developers are being cautioned regarding the possibility that their networks might contain some unprotected information on their servers, prone to these kinds of attacks. Cybersecurity best practices and robust network security are ideal for preventing any breach or unsavory events on their infrastructure.

About the author

Leave a Reply