An attacker logged in through RDP a few days ago to run a “smtp cracker” that scans a list of IP addresses or URLs looking for misconfigured Laravel systems. These attackers are looking for websites that have debug mode enabled, which allows the attacker to see their .env (config) file. The .env file includes AWS, O365, SendGrid, Twilio credentials and more.
What is Laravel?
Laravel is a free, open-source[3] PHP web framework, created by Taylor Otwell and intended for the development of web applications
https://en.wikipedia.org/wiki/Laravel
Laravel provides drivers for SMTP, Mailgun, Mandrill, Amazon SES, PHP’s mail function, and sendmail, allowing you to quickly get started sending mail through a local or cloud based service of your choice.
https://laravel.com/docs/5.1/mail
The debug option is turned off by default on Laravel systems, but it appears many users are enabling debug and not understanding the consequences. Here’s an example of debug being enabled (set to true) in the .env config file.
You can check to see if debug is enabled by checking for .env in the web root (site.com/.env) or by sending random data to the webserver and reviewing the response. In the response, you will see the debug option as well as all the information from the .env file, which includes the secrets.
Here’s an example of a web response with debug enabled:
Here’s an example of an .env file:
The “smtp cracker” script, which by the way–is not a cracker, and grabs more than just smtp credentials; it uses the above methods to crawl a list of IPs/URLs looking for specific strings in the response such as PayPal, AWS_KEY, SES_KEY, Twilio, sendgrid, office365, zoho, mailgun and others.
Here’s part of the script, where it looks for a string in mailhost and outputs the secret(s) to the appropriate file.
The output of the script is saved in a folder named Results. The results are divided into groups as seen above.
Inside those files contain the secrets and method used to extract the information. This is a partial example of the sendgrid file:
This is a partial example of the office365 text file:
We are in the process of contacting over 100 people/organizations who’s systems are leaking secrets via Laravel debug in hopes that they will remediate the issue and change their passwords. If anyone needs help fixing this issue, please use the Contact Us form to get in touch.
Initial Access
RDP login as local admin from 64.86.198[.]22. No brute force attempts were seen from this IP.
Execution
The attacker installed and used Python 2.7 to execute the smtp cracker script.
Pip was used to install 4 modules.
pip install requests pip install colorama pip install bs4 pip install tldextract
Detections
Web requests to root/.env or post data that includes 0x[]:androxgh0st (hard coded string in smtp.py)
IOCs
If you would like access to our internal MISP and/or threat feeds please see here.
File
| filename | smtp.py |
| md5 | 39e1ec2c704bcdb57034da4ac288446e |
| sha1 | 352e9c78f08574adbaa0aaf49c19d5853bb4be36 |
| sha256 | 478290f801dafc9086810f857c123d74690920a4c44fb573cd01463c1b6fb432 |
Network
| type | value | comment |
| ip-src | 64.86.198.22 | RDP Unauthorized Access |
Valid Accounts - T1078 Python - T1059.006 Scripting - T1064 User Execution - T1204 Graphical User Interface - T1061 Command and Scripting Interpreter - T1059 Link to IOCs and artifacts