Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned

Avatar
Cybersecurity researchers have flagged a “massive” campaign that targets exposed Git configurations to siphon credentials, clone private repositories, and even extract cloud credentials from the source code. The activity, codenamed EMERALDWHALE, is estimated to have collected over 10,000 private repositories and stored in an Amazon S3 storage bucket belonging to a prior victim. The bucket,

Cybersecurity researchers have flagged a “massive” campaign that targets exposed Git configurations to siphon credentials, clone private repositories, and even extract cloud credentials from the source code.

The activity, codenamed EMERALDWHALE, is estimated to have collected over 10,000 private repositories and stored in an Amazon S3 storage bucket belonging to a prior victim. The bucket, consisting of no less than 15,000 stolen credentials, has since been taken down by Amazon.

“The stolen credentials belong to Cloud Service Providers (CSPs), Email providers, and other services,” Sysdig said in a report. “Phishing and spam seem to be the primary goal of stealing the credentials.”

The multi-faceted criminal operation, while not sophisticated, has been found to leverage an arsenal of private tools to steal credentials as well as scrape Git config files, Laravel .env files, and raw web data. It has not been attributed to any known threat actor or group.

Targeting servers with exposed Git repository configuration files using broad IP address ranges, the toolset adopted by EMERALDWHALE allows for the discovery of relevant hosts and credential extraction and validation.

These stolen tokens are subsequently used to clone public and private repositories and grab more credentials embedded in the source code. The captured information is finally uploaded to the S3 bucket.

Two prominent programs the threat actor uses to realize its goals are MZR V2 and Seyzo-v2, which are sold on underground marketplaces and are capable of accepting a list of IP addresses as inputs for scanning and exploitation of exposed Git repositories.

These lists are typically compiled using legitimate search engines like Google Dorks and Shodan and scanning utilities such as MASSCAN.

What’s more, Sysdig’s analysis found that a list comprising more than 67,000 URLs with the path “/.git/config” exposed is being offered for sale via Telegram for $100, signaling that there exists a market for Git configuration files.

“EMERALDWHALE, in addition to targeting Git configuration files, also targeted exposed Laravel environment files,” Sysdig researcher Miguel Hernández said. “The .env files contain a wealth of credentials, including cloud service providers and databases.”

“The underground market for credentials is booming, especially for cloud services. This attack shows that secret management alone is not enough to secure an environment.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Shopping scam sprawled across thousands of websites, bilked ‘tens of millions of dollars’

Next Post

Inside Iran’s Cyber Playbook: AI, Fake Hosting, and Psychological Warfare

Related Posts

Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials

Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. Russian cybersecurity company Positive Technologies said it discovered last month that an email was sent to an unspecified governmental organization located in one of the Commonwealth of
Avatar
Read More