Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned

Nov 01, 2024 | Ravie Lakshmanan | Weakness / Cloud Protection
Cybersecurity researchers have identified a "massive" operation that targets exposed Git configuration files to steal credentials, clone private repositories, and even extract cloud access keys from the cloned source code.

The campaign, tracked as EMERALDWHALE, is estimated to have collected more than 10,000 private repositories and stored them in an Amazon S3 bucket belonging to a previous victim. The bucket, which held at least 15,000 stolen credentials, has since been taken down by Amazon.

“The obtained credentials include those for Cloud Service Providers (CSPs), Email services, and other platforms,” Sysdig stated in a report. “The prime objective of the pilfered credentials appears to be phishing and spam activities.”


The operation, while not sophisticated, has been found to rely on a set of private tools that steal credentials and scrape Git configuration files, Laravel .env files, and raw web data. No known threat actor or group has been linked to it so far.

EMERALDWHALE's toolkit scans broad IP address ranges for servers that expose their Git repository configuration files, then extracts the credentials found in those files and validates them.

The stolen tokens are then used to clone both public and private repositories and to harvest further credentials embedded in their source code. Everything collected is finally uploaded to the S3 bucket.


The threat actor relies on two main programs, MZR V2 and Seyzo-v2, both sold on underground marketplaces; each takes a list of IP addresses as input and scans and exploits the exposed Git repositories it finds.

These target lists are typically built with legitimate search engines such as Google Dorks and Shodan, together with scanning tools like MASSCAN.


Sysdig's analysis also turned up a list of more than 67,000 URLs with an exposed "/.git/config" path being sold on Telegram for $100, a sign that there is market demand for Git configuration files.
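The scanning described above leaves a recognizable trace in web server access logs: requests for /.git/config, /.env and related paths from hosts that otherwise never visit the site. The following Python script is an added illustration, not part of Sysdig's report or of any tool named in this article. It parses a few constructed combined-format log lines, flags requests for those sensitive paths, and records which of them were actually served with HTTP 200, since a 200 means the file was exposed rather than merely probed for. The log lines, IP addresses, function names and path regex are all assumptions made for this example.

```python
import re

# Constructed sample lines in Apache/nginx "combined" log format (example data only).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [01/Nov/2024:10:12:01 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [01/Nov/2024:10:12:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.23 - - [01/Nov/2024:10:15:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2024:10:12:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
198.51.100.23 - - [01/Nov/2024:10:16:02 +0000] "GET /.env HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, path and status are all we need.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths that should never be served: anything under /.git, and /.env or /.env.<suffix>.
# The pattern is this example's assumption; extend it with whatever else your stack keeps secrets in.
SENSITIVE_PATHS = re.compile(r"^/(?:\.git(?:/|$|\?)|\.env(?:\.|$|\?))", re.I)


def parse_log_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_secret_file_probes(log_text):
    """Return every parsed request whose path targets a sensitive file.

    Each hit carries a 'served' flag: True when the server answered 200,
    i.e. the file really was exposed, not just requested.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and SENSITIVE_PATHS.match(rec["path"]):
            rec["served"] = rec["status"] == 200
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Aggregate hits per source IP: how many probes, and which paths were actually served."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["ip"], {"probes": 0, "exposed_paths": []})
        entry["probes"] += 1
        if h["served"]:
            entry["exposed_paths"].append(h["path"])
    return summary


if __name__ == "__main__":
    probes = find_secret_file_probes(SAMPLE_ACCESS_LOG)
    for ip, info in summarize_by_source(probes).items():
        state = "EXPOSED: " + ", ".join(info["exposed_paths"]) if info["exposed_paths"] else "blocked/absent"
        print(f"{ip}: {info['probes']} sensitive-path probe(s); {state}")
```

On the sample data the script reports 203.0.113.7 as having made three probes and successfully retrieved /.git/config and /.git/HEAD, while 198.51.100.23's single /.env request was refused. In practice, any non-empty "exposed_paths" list is the finding to act on first: the file was served, so the credentials in it should be treated as compromised and rotated, independent of who requested it.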

“Besides targeting Git configuration files, EMERALDWHALE also focused on exposed Laravel environment files,” stated Sysdig researcher Miguel Hernández. “The .env files include a trove of credentials, including those for cloud platforms and databases.”

“There is a thriving underground economy for credentials, especially those related to cloud services. This attack underscores the fact that merely managing secrets is insufficient to safeguard an environment.”
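As an added example (not from Sysdig's report, and using constructed file contents), the two file types the campaign harvests can be audited locally for the secrets they would hand over if exposed. The script below parses a .git/config in Git's INI-like format, flags any remote URL that carries userinfo (an access token or a username:password pair embedded in the URL) and reports it with the secret redacted, and lists the variables in a Laravel-style .env file whose names suggest a secret and whose values are non-empty. The sample files, the variable-name pattern and all function names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .git/config: one HTTPS remote with an embedded token (the kind of
# credential a scraped config file leaks) and one SSH-style remote that carries no secret.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://deploy-bot:ghp_EXAMPLETOKEN@github.com/example-org/internal-app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:example-org/internal-app.git
"""

# Constructed sample Laravel .env file (example values only).
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=production
APP_KEY=base64:EXAMPLEKEYVALUE=
# database
DB_PASSWORD="s3cret-example"
AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000
AWS_SECRET_ACCESS_KEY=EXAMPLEsecretEXAMPLE
MAIL_PASSWORD=
"""

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KV_RE = re.compile(r"^\s*([A-Za-z][\w.-]*)\s*=\s*(.*?)\s*$")
# Variable names that usually hold secrets; an assumption of this example, tune it to your stack.
_SECRET_NAME_RE = re.compile(r"(KEY|SECRET|PASSWORD|PASSWD|TOKEN)", re.I)


def parse_git_config(text):
    """Return (section, key, value) triples from Git's INI-like config format."""
    entries, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = _KV_RE.match(line)
        if m and section is not None:
            entries.append((section, m.group(1).lower(), m.group(2)))
    return entries


def redact_url(url):
    """Return the URL with any embedded password (or lone token) replaced by '***'."""
    parts = urlsplit(url)
    if not (parts.username or parts.password):
        return url  # no userinfo, nothing to hide
    host = parts.hostname or ""
    try:
        if parts.port:
            host += f":{parts.port}"
    except ValueError:
        pass  # malformed port; keep the bare hostname
    userinfo = f"{parts.username}:***" if parts.password is not None else "***"
    return urlunsplit((parts.scheme, f"{userinfo}@{host}", parts.path, parts.query, parts.fragment))


def find_embedded_credentials(config_text):
    """Flag every remote URL in a .git/config that embeds credentials, secret redacted."""
    findings = []
    for section, key, value in parse_git_config(config_text):
        if key != "url":
            continue
        parts = urlsplit(value)
        if parts.username or parts.password:
            findings.append({"section": section, "username": parts.username,
                             "redacted_url": redact_url(value)})
    return findings


def find_env_secrets(env_text):
    """Return the names of .env variables that look like secrets and have a non-empty value."""
    names = []
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip().strip("\"'")
        if value and _SECRET_NAME_RE.search(name):
            names.append(name)
    return names


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_GIT_CONFIG):
        print(f"[{f['section']}] credential embedded in remote URL: {f['redacted_url']}")
    for name in find_env_secrets(SAMPLE_ENV):
        print(f".env holds a secret-looking variable: {name}")
```

On the sample input the script flags the "origin" remote (reported as https://deploy-bot:***@github.com/example-org/internal-app.git) and the four populated secret variables in the .env file, while the empty MAIL_PASSWORD and the SSH remote are ignored. The structural fix is that neither file belongs in a web-served directory at all; where a checkout must live under the document root, deny those paths at the web server, and keep Git credentials in a credential helper rather than in the remote URL, so that a leaked .git/config yields a repository location but no usable token.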
