A large-scale malicious operation named “EmeraldWhale” has stolen more than 15,000 cloud service credentials and cloned over 10,000 private repositories. The attackers exploited exposed Git configuration files, which often embed authentication tokens in remote URLs. The stolen data was exfiltrated to an Amazon S3 bucket that itself belonged to a prior victim of the campaign.
The compromised credentials are then used in phishing and spam campaigns or sold to other cybercriminals. Git configuration and CI files, such as `/.git/config` or `.gitlab-ci.yml`, can contain sensitive information like API keys, access tokens, and passwords; a remote URL of the form `https://user:token@host/org/repo.git`, for example, carries a usable token in plain text. A web server that accidentally serves the `.git` directory lets anyone fetch `/.git/config`, and often the rest of the repository with it, which can lead to severe security breaches.
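To make the leak concrete, the following Python script is an added example (not code from the original article, from Sysdig, or from the attackers' tooling). It parses a constructed `.git/config` in git's INI-like format, reports the two places a credential commonly hides (userinfo in an HTTPS remote URL, and an `http.<url>.extraheader` carrying a basic Authorization header), and then produces the hardened form with the secrets stripped out. The repository names, hostnames, token and base64 header value are all made-up placeholders.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample of what an exposed /.git/config can look like. The token and
# the base64 header value are made-up placeholders, not real secrets.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://deploy:ghp_EXAMPLE0123456789@github.com/acme/billing-api.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.example.com:acme/billing-api.git
[http "https://gitlab.example.com/"]
\textraheader = AUTHORIZATION: basic ZGVwbG95OmdscGF0LUVYQU1QTEU=
[user]
\tname = Deploy Bot
"""

SECTION_RE = re.compile(r'^\s*\[([^\s\]"]+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')
URL_USERINFO_RE = re.compile(r'(https?://)[^/@\s]+@')


def parse_git_config(text):
    """Parse git's INI-like config into (section, subsection, key, value) tuples."""
    entries = []
    section = subsection = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, subsection = m.group(1).lower(), m.group(2)
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            entries.append((section, subsection, m.group(1).lower(), m.group(2)))
    return entries


def find_embedded_credentials(text):
    """Return the credentials an attacker would harvest from this config."""
    findings = []
    for section, sub, key, value in parse_git_config(text):
        # Case 1: https://user:token@host/... in a remote URL
        if section == "remote" and key == "url":
            parts = urlsplit(value)
            if parts.scheme in ("http", "https") and parts.password:
                findings.append({"where": f'remote "{sub}"', "kind": "url-userinfo",
                                 "host": parts.hostname, "user": parts.username,
                                 "secret": parts.password})
        # Case 2: http.<url>.extraheader = AUTHORIZATION: basic <base64(user:token)>
        elif section == "http" and key == "extraheader":
            fields = value.split(None, 2)
            if len(fields) == 3 and fields[0].lower() == "authorization:":
                user, secret = None, fields[2]
                if fields[1].lower() == "basic":
                    try:
                        user, _, secret = base64.b64decode(fields[2]).decode().partition(":")
                    except (ValueError, UnicodeDecodeError):
                        pass  # not valid base64: report the raw header value instead
                findings.append({"where": f'http "{sub}"', "kind": "extraheader",
                                 "host": sub, "user": user, "secret": secret})
    return findings


def redact_git_config(text):
    """Hardened form: strip userinfo from remote URLs and drop Authorization headers.
    The token then belongs in a credential helper or an environment variable."""
    kept = []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m and m.group(1).lower() == "extraheader" \
                and m.group(2).lower().startswith("authorization:"):
            continue
        kept.append(URL_USERINFO_RE.sub(r"\1", line))
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_GIT_CONFIG):
        print(f"{f['where']}: {f['kind']} host={f['host']} user={f['user']} secret={f['secret']}")
    print(redact_git_config(SAMPLE_GIT_CONFIG))
```

Running it against a real checkout (`python3 script.py < .git/config` after swapping the sample for `sys.stdin.read()`) is a cheap pre-deploy check; anything the first function reports is exactly what a scanner that can reach `/.git/config` would take. Note that the basic-auth header is only base64, not encryption, which is why the example decodes it back to `user:token`.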
The threat actors behind EmeraldWhale used the open-source tools httpx and Masscan to scan approximately 500 million IP addresses across 12,000 IP ranges for hosts exposing `/.git/config`. The same tooling also looked for exposed `.env` files of Laravel applications, which hold cloud credentials and API keys. Security firm Sysdig found that EmeraldWhale had accumulated about one terabyte of data, including stolen credentials and logging data.
In total the operation harvested some 15,000 cloud credentials from roughly 67,000 URLs that exposed configuration files. Lists of URLs pointing to exposed Git configuration files are themselves a commodity, sold on platforms like Telegram for about $100 each.
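Mass scanning of this kind leaves a distinctive trail in web server logs, so the defender's side of the same story is a detection rule. The following Python script is an added example, not part of the original article or of Sysdig's report: it parses a few constructed combined-format access log lines, groups requests for `.git` paths and `.env` files by source IP, and separates the probes that were merely attempted from the ones the server actually answered with a 2xx, which is the list of files to treat as already leaked. The IP addresses, timestamps and paths are made up, and the probe pattern list is an assumption that should be extended to match local deployments.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines: one scanner working through
# /.git/config, /.env and /.git/HEAD next to ordinary traffic. All values are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Oct/2024:10:01:12 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2024:10:01:13 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2024:10:01:13 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Oct/2024:10:02:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Oct/2024:10:02:41 +0000] "GET /api/.env HTTP/1.1" 403 199 "-" "curl/8.4.0"
192.0.2.9 - - [30/Oct/2024:10:03:05 +0000] "GET /.git/config HTTP/1.1" 301 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed probe list: anything under a .git directory, and .env plus its common
# variants (.env.production, .env.bak, ...). Extend for your own stack.
PROBE_PATTERNS = [
    re.compile(r'(^|/)\.git(/|$)'),
    re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?$'),
]


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_probe(path):
    """True if the request path (query string ignored) targets a config exposure."""
    path = path.split("?", 1)[0]
    return any(p.search(path) for p in PROBE_PATTERNS)


def find_probes(log_text):
    """Group probe requests by source IP: {ip: [(path, status), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            hits[rec["ip"]].append((rec["path"], rec["status"]))
    return dict(hits)


def exposed_paths(log_text):
    """Probe paths the server answered with 2xx: treat these files as leaked."""
    return sorted({
        path
        for reqs in find_probes(log_text).values()
        for path, status in reqs
        if 200 <= status < 300
    })


if __name__ == "__main__":
    for ip, reqs in find_probes(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(f"{p} ({s})" for p, s in reqs))
    print("served (rotate any credentials inside):", exposed_paths(SAMPLE_LOG))
```

A 404 or 403 on these paths is noise worth counting but not an incident; a 200 on `/.git/config` means the file has already been read by whoever asked, so the tokens inside it should be rotated rather than merely hidden. Redirects (301/302) usually indicate a catch-all rewrite rather than a real exposure, which is why the example does not count them.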
EmeraldWhale operation targets Git configurations
Buyers who validate and monetize those secrets stand to earn far more than the list price. To mitigate such risks, developers should keep credentials in dedicated secret management tools or environment variables rather than embedding them in Git configuration files, and web servers should be configured never to serve `.git` directories or `.env` files. The campaign, dubbed **EMERALDWHALE**, is estimated to have collected over 10,000 private repositories, storing the data in an Amazon S3 storage bucket belonging to a prior victim.
This bucket, containing no less than 15,000 stolen credentials, has since been taken down by Amazon. “The stolen credentials belong to Cloud Service Providers (CSPs), email providers, and other services,” noted cybersecurity firm Sysdig in a report. “Phishing and spam seem to be the primary goal of stealing these credentials.”
The tools used by EMERALDWHALE target servers with exposed Git repository configuration files across broad IP address ranges.
Once hosts are discovered, the tools extract credentials from the exposed files and validate them against the services they belong to. Two prominent tools used in this operation are **MZR V2** and **Seyzo-v2**, sold on underground marketplaces. Both accept lists of IP addresses as input for scanning and exploiting exposed Git repositories.
Sysdig’s analysis also found that a list comprising more than 67,000 URLs with the path “/.git/config” is being offered for sale via Telegram for $100, indicating a thriving market for Git configuration files. “EMERALDWHALE, in addition to targeting Git configuration files, also targeted exposed Laravel environment files,” Sysdig researcher Miguel Hernández stated. “The .env files contain a wealth of credentials, including those for cloud service providers and databases.”
This campaign underlines the importance of keeping configuration files off the public web, and of rotating any credentials those files ever contained, to prevent the extraction of sensitive credentials and the compromise of cloud services.