Misconfigured Git Configurations Targeted in Emeraldwhale Attack
A global operation called Emeraldwhale has targeted misconfigured Git configurations, resulting in the theft of over 15,000 cloud service credentials.
According to the Sysdig Threat Research Team (TRT), attackers used a blend of private tools to exploit misconfigured web services, gaining unauthorized access to cloud credentials, cloning private repositories and extracting sensitive information.
Scale of the Breach
This breach allowed access to over 10,000 private repositories, with the stolen data stored in an Amazon S3 bucket linked to a prior victim.
The exposed credentials encompass a wide array of services, including cloud service providers (CSPs) and email platforms, with phishing and spam campaigns cited as primary motivations for the theft.
In addition to direct use, these stolen credentials are valuable on underground marketplaces, where they may fetch hundreds of dollars per account.
Tools and Techniques Used by Attackers
Initial signs of this breach appeared when Sysdig TRT’s cloud honeypot detected an unauthorized ListBuckets call, leading to the discovery of a compromised S3 bucket containing over a terabyte of sensitive data. The investigation revealed tools capable of scraping exposed Git configuration files and other web data, including Laravel .env files, to harvest credentials.
Emeraldwhale’s toolset automates scanning for exposed files, extracting tokens from them and validating the stolen tokens, allowing attackers to clone public and private repositories and search them for additional credentials.
In connection with the toolset, a large-scale scanning campaign targeted exposed Git configuration files across thousands of servers, enabled by freely available open-source tools such as httpx. This operation highlights the security risk posed by .git directories exposed due to web server misconfigurations, which attackers exploited to retrieve sensitive repository information.
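A defender can check their own servers for the exposure described above. The following is an added example, not code from Sysdig or from the article: it walks a local web root, reports any .git directory or .env file under it, and flags Git remote URLs that embed credentials. The function names, sample paths and token are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

URL_LINE = re.compile(r"^\s*url\s*=\s*(\S+)", re.IGNORECASE)

def credential_urls(config_text):
    """Return http(s) remote URLs that embed userinfo, with the secret redacted."""
    hits = []
    for line in config_text.splitlines():
        m = URL_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.scheme in ("http", "https") and "@" in parts.netloc:
            host = parts.netloc.rpartition("@")[2]
            hits.append(f"{parts.scheme}://***@{host}{parts.path}")
    return hits

def audit_docroot(docroot):
    """Walk a web root; report .git directories and .env files found under it."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        if ".git" in dirnames:
            dirnames.remove(".git")  # report it, do not descend into objects/
            urls = []
            cfg = os.path.join(dirpath, ".git", "config")
            if os.path.isfile(cfg):
                with open(cfg, encoding="utf-8", errors="replace") as fh:
                    urls = credential_urls(fh.read())
            findings.append((os.path.normpath(os.path.join(rel, ".git")), "git-dir", urls))
        for name in filenames:
            if name == ".env" or name.startswith(".env."):
                findings.append((os.path.normpath(os.path.join(rel, name)), "env-file", []))
    return sorted(findings)

def demo():
    """Build a constructed web root in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "shop", ".git"))
        with open(os.path.join(root, "shop", ".git", "config"), "w") as fh:
            fh.write('[remote "origin"]\n\turl = https://deploy:EXAMPLE-TOKEN@git.example.com/acme/shop.git\n')
        with open(os.path.join(root, "shop", ".env"), "w") as fh:
            fh.write("DB_PASSWORD=constructed\n")
        return audit_docroot(root)

if __name__ == "__main__":
    for path, kind, urls in demo():
        print(kind, path, urls)
```

Any finding means the file sits inside the directory tree the web server publishes; whether it is actually reachable still depends on the server's access rules, so treat each hit as something to remove from the web root or explicitly deny.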
The market for credential-harvesting tools, including MZR V2 and Seyzo-v2, is thriving, with these tools enabling the automation of IP scanning and credential extraction for spam and phishing campaigns.
These tools are readily available in underground markets, where they are often bundled with courses on credential theft tactics.
“The underground market for credentials is booming, especially for cloud services. This attack shows that secret management alone is not enough to secure an environment. There are just too many places credentials could leak from,” Sysdig warned. “Monitoring the behavior of any identities associated with credentials is becoming a requirement to protect against these threats.”