Laravel Apps Leaking Secrets

An attacker logged in through RDP a few days ago to run a “smtp cracker” that scans a list of IP addresses or URLs looking for misconfigured Laravel systems. These attackers are looking for websites that have debug mode enabled, which allows the attacker to see their .env (config) file. The .env file includes AWS, O365, SendGrid, Twilio credentials and more.

What is Laravel?

Laravel is a free, open-source[3] PHP web framework, created by Taylor Otwell and intended for the development of web applications

https://en.wikipedia.org/wiki/Laravel

Laravel provides drivers for SMTP, Mailgun, Mandrill, Amazon SES, PHP’s mail function, and sendmail, allowing you to quickly get started sending mail through a local or cloud based service of your choice.

https://laravel.com/docs/5.1/mail

The debug option is turned off by default on Laravel systems, but it appears many users are enabling debug and not understanding the consequences. Here’s an example of debug being enabled (set to true) in the .env config file.

web response (not actual config file)

You can check to see if debug is enabled by checking for .env in the web root (site.com/.env) or by sending random data to the webserver and reviewing the response. In the response, you will see the debug option as well as all the information from the .env file, which includes the secrets.

Here’s an example of a web response with debug enabled:

Here’s an example of an .env file:

The “smtp cracker” script, which by the way–is not a cracker, and grabs more than just smtp credentials; it uses the above methods to crawl a list of IPs/URLs looking for specific strings in the response such as PayPal, AWS_KEY, SES_KEY, Twilio, sendgrid, office365, zoho, mailgun and others.

Here’s part of the script, where it looks for a string in mailhost and outputs the secret(s) to the appropriate file.

The output of the script is saved in a folder named Results. The results are divided into groups as seen above.

Inside those files contain the secrets and method used to extract the information. This is a partial example of the sendgrid file:

This is a partial example of the office365 text file:

We are in the process of contacting over 100 people/organizations who’s systems are leaking secrets via Laravel debug in hopes that they will remediate the issue and change their passwords. If anyone needs help fixing this issue, please use the Contact Us form to get in touch.

MITRE ATT&CK

Initial Access

RDP login as local admin from 64.86.198[.]22. No brute force attempts were seen from this IP.

Execution

The attacker installed and used Python 2.7 to execute the smtp cracker script.

Pip was used to install 4 modules.

pip  install requests
pip  install colorama
pip  install bs4
pip  install tldextract

Detections

Web requests to root/.env or post data that includes 0x[]:androxgh0st (hard coded string in smtp.py)

IOCs

If you would like access to our internal MISP and/or threat feeds please see here.

File

filenamesmtp.py
md539e1ec2c704bcdb57034da4ac288446e
sha1352e9c78f08574adbaa0aaf49c19d5853bb4be36
sha256478290f801dafc9086810f857c123d74690920a4c44fb573cd01463c1b6fb432

Network

typevaluecomment
ip-src64.86.198.22RDP Unauthorized Access
Valid Accounts - T1078    
Python - T1059.006    
Scripting - T1064    
User Execution - T1204    
Graphical User Interface - T1061    
Command and Scripting Interpreter - T1059    

Link to IOCs and artifacts