Recent cybersecurity research has identified a significant campaign, known as EMERALDWHALE, which exploits exposed Git configurations to extract credentials, clone private repositories, and even obtain cloud service credentials embedded in source code. This operation has reportedly compromised over 10,000 private repositories, with the stolen data stored in an Amazon S3 bucket that belonged to a former victim, now taken offline by Amazon.

The credentials involved include those from major Cloud Service Providers (CSPs), email services, and various other platforms, as detailed in a report by Sysdig. These stolen credentials appear to be primarily used for phishing and spam operations.

This multi-dimensional attack, while not complex, leverages various private tools to capture credentials and scrape Git configuration files, Laravel environment (.env) files, and raw web data. As of now, EMERALDWHALE has not been affiliated with any known malicious actors or groups, raising concerns about the anonymity of cybercriminals in this space.

The campaign has primarily targeted servers exposed via Git repository configuration files, utilizing a set of tools designed for scanning IP ranges to identify systems vulnerable to such breaches. According to Sysdig, these attacks are facilitated by robust credential extraction and validation processes, allowing attackers to clone both public and private repositories, thereby gaining access to further embedded credentials. Ultimately, this extracted data is uploaded to the aforementioned S3 bucket for later use.
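The reason an exposed `.git/config` is valuable is that remote URLs are often written with a `username:token` pair embedded in them, so anyone who can fetch the file inherits the credential. The audit script below is an added example written for this article (it is not code from Sysdig or from the EMERALDWHALE tooling); it parses a `.git/config` with Python's standard `configparser`, reports every remote whose URL carries embedded userinfo, and returns a redacted form of the URL. The sample config, the host `git.example.invalid` and the token value are constructed placeholders.

```python
"""Audit a Git config for credentials embedded in remote URLs.

Added example, not from the Sysdig report or the EMERALDWHALE tooling.
Assumes the INI-like format Git writes to .git/config. The sample below is
constructed; the host and token are placeholders, not real values.
"""
import configparser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: 'origin' embeds a username:token pair, 'mirror' uses SSH.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://deploy-user:EXAMPLE_TOKEN_PLACEHOLDER@git.example.invalid/acme/backend.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@git.example.invalid:acme/backend.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
"""


def parse_git_config(text):
    """Parse Git's config format with configparser.

    Git indents keys with a tab and quotes section subnames; configparser
    handles both as long as '=' is the only delimiter (fetch refspecs contain
    ':' which would otherwise be mistaken for a key/value separator).
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(text)
    return parser


def redact_url(parts):
    """Rebuild a URL without its userinfo component."""
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def find_embedded_credentials(config):
    """Return (remote_name, username, redacted_url) for every remote whose URL
    embeds a userinfo part, which is exactly what an exposed .git/config leaks.
    scp-style URLs such as git@host:path have no scheme and are skipped."""
    findings = []
    for section in config.sections():
        if not section.startswith("remote "):
            continue
        remote_name = section.split(" ", 1)[1].strip('"')
        url = config.get(section, "url", fallback="")
        parts = urlsplit(url)
        if parts.scheme and parts.username:
            findings.append((remote_name, parts.username, redact_url(parts)))
    return findings


def audit(text):
    """Convenience wrapper: parse a config string and list embedded credentials."""
    return find_embedded_credentials(parse_git_config(text))


if __name__ == "__main__":
    for remote, user, clean_url in audit(SAMPLE_GIT_CONFIG):
        print(f"remote '{remote}': user '{user}' embedded in URL; "
              f"move the token to a credential helper and use {clean_url}")
```

Run it against `.git/config` files on your own hosts; any hit is a credential that should be moved to a credential helper (or an SSH key) and rotated, since the URL form is what an exposed repository hands to a scanner.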

Central to the EMERALDWHALE operation are tools referred to as MZR V2 and Seyzo-v2, which are available on underground marketplaces. These tools can take lists of IP addresses and scan them for exposed Git repositories to exploit. Lists for such scanning are typically generated using legitimate search engines and query techniques, such as Shodan and Google Dorks, combined with scanning utilities such as MASSCAN.
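Because the scanning stage works by requesting well-known paths such as `/.git/config` and `/.env` across many hosts, the probes show up plainly in web server access logs, and a 2xx response to one of them means the file was actually served. The detector below is an added example written for this article, not code from Sysdig or from the campaign's tooling; it parses lines in the combined access-log format that nginx and Apache write by default, flags requests for Git metadata and `.env` files, and separates mere probes from confirmed exposures. The log lines are constructed, with documentation-range IP addresses.

```python
"""Flag access-log requests for .git/ and .env paths and report exposures.

Added example, not from the Sysdig report or the EMERALDWHALE tooling.
Assumes the combined log format; sample lines are constructed.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Git metadata directory (but not e.g. /.gitignore) and Laravel-style .env files.
SENSITIVE_PATH = re.compile(r'(^|/)(\.git(/|$)|\.env$)', re.IGNORECASE)

# Constructed sample: one scanner probing, one ordinary visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [30/Oct/2024:10:01:02 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Oct/2024:10:01:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Oct/2024:10:01:05 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Oct/2024:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Oct/2024:10:02:12 +0000] "GET /.gitignore HTTP/1.1" 404 153 "-" "curl/8.0"
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def analyze(lines):
    """Group sensitive-path requests by source IP.

    Returns {ip: {"probes": count, "exposed": [paths served with 2xx]}}.
    IPs that never touched a sensitive path are omitted.
    """
    report = defaultdict(lambda: {"probes": 0, "exposed": []})
    for line in lines:
        fields = parse_line(line)
        if not fields or not SENSITIVE_PATH.search(fields["path"]):
            continue
        entry = report[fields["ip"]]
        entry["probes"] += 1
        if fields["status"].startswith("2"):
            entry["exposed"].append(fields["path"])
    return dict(report)


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG.splitlines()).items():
        verdict = "EXPOSED" if entry["exposed"] else "probe only"
        print(f"{ip}: {entry['probes']} sensitive requests, {verdict} {entry['exposed']}")
```

A non-empty `exposed` list is the finding to act on: the server is serving repository metadata, so the fix is to deny those paths at the web server (or keep `.git` out of the document root entirely) and to rotate any credential that the served files could contain. Probe-only entries are the reconnaissance described above and are a useful signal for blocking or rate-limiting the source.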

This operation underscores the flourishing underground market for credentials, especially those linked to cloud services. Observations of EMERALDWHALE suggest that merely relying on secret management systems is inadequate for securing environments against such sophisticated threats.
