Cybersecurity researchers have flagged a “massive” campaign that targets exposed Git configuration files to steal credentials, clone private repositories, and even extract cloud credentials from source code.
The activity, codenamed EMERALDWHALE, is estimated to have collected over 10,000 private repositories and stored them in an Amazon S3 bucket owned by a previous victim. The bucket, which held at least 15,000 stolen credentials, has since been taken down by Amazon.
“Stolen credentials belong to Cloud Service Providers (CSPs), email providers and other services,” Sysdig said in its report. “Phishing and spam are the primary targets of credential theft.”
The multifaceted criminal operation, while not sophisticated, was found to use an arsenal of private tools to steal credentials, as well as to scrape Git configuration files, Laravel .env files, and raw web data. It has not been attributed to any known threat actor or group.
Targeting servers with open Git repository configuration files using wide ranges of IP addresses, the toolset adopted by EMERALDWHALE allows discovery of relevant hosts, as well as extraction and verification of credentials.
These stolen tokens are then used to clone public and private repositories and obtain additional credentials embedded in the source code. The resulting information is finally uploaded to the S3 bucket.
Two known programs that the threat actor uses to accomplish its goals are MZR V2 and Seyzo-v2, which are sold on underground markets and accept a list of IP addresses as input to scan and exploit exposed Git repositories.
These lists are usually compiled using legitimate search engines such as Google Dorks and Shodan and scanning utilities such as MASSCAN.
Moreover, Sysdig’s analysis found that a list containing more than 67,000 URLs with the public path “/.git/config” is being offered for sale via Telegram for $100, indicating that there is a market for Git configuration files.
“EMERALDWHALE, in addition to Git configuration files, also targeted open Laravel environment files,” said Sysdig researcher Miguel Hernandez. “.env files contain many credentials, including cloud and database providers.”
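The two exposure paths the article names, a web-readable `/.git/config` and a Laravel `.env` file, both leave a clear trace in ordinary web server access logs. The following Python is an added example (not code from Sysdig or from the article) showing how a defender can (a) flag requests for those paths in combined-format log lines and distinguish probes that were merely attempted from ones the server actually answered with 200, and (b) check a web root before deployment for a `.git` directory or `.env` file that would be served. The log lines are constructed samples; the function names and the regular expressions are this example's own.

```python
import os
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [30/Oct/2024:10:00:01 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.10 - - [30/Oct/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [30/Oct/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Oct/2024:10:00:09 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
192.0.2.44 - - [30/Oct/2024:10:01:00 +0000] "GET /app/.env?x=1 HTTP/1.1" 403 199 "-" "curl/8.4.0"
"""

# Minimal combined-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths that should never be served: anything under a ".git" directory,
# or a file literally named ".env" at any depth.
SENSITIVE_PATH_RE = re.compile(r'(^|/)\.(git(/|$)|env$)')


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["path"] = fields["path"].split("?", 1)[0]  # drop query string
    fields["status"] = int(fields["status"])
    return fields


def find_sensitive_requests(log_text):
    """List every request for a .git/ or .env path.

    'exposed' is True when the server answered 200, i.e. the secret material
    was actually handed over rather than merely probed for.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SENSITIVE_PATH_RE.search(rec["path"]):
            hits.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "exposed": rec["status"] == 200,
            })
    return hits


def summarize_by_ip(log_text):
    """Per-client counts: how many sensitive paths were requested, how many succeeded."""
    summary = defaultdict(lambda: {"requests": 0, "exposed": 0})
    for hit in find_sensitive_requests(log_text):
        summary[hit["ip"]]["requests"] += 1
        if hit["exposed"]:
            summary[hit["ip"]]["exposed"] += 1
    return dict(summary)


def find_exposed_artifacts(webroot):
    """Pre-deployment check: return relative paths of .git directories and .env
    files anywhere under a web root. Anything returned would be readable by
    the kind of scanner described in the article unless the web server blocks it."""
    found = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot)
        rel = "" if rel == "." else rel + "/"
        if ".git" in dirnames:
            found.append(rel + ".git/")
            dirnames.remove(".git")  # no need to descend into it
        if ".env" in filenames:
            found.append(rel + ".env")
    return sorted(found)


if __name__ == "__main__":
    for ip, counts in summarize_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {counts['requests']} sensitive requests, {counts['exposed']} served with 200")
```

On the sample lines the 200 responses for `/.git/config` and `/.git/HEAD` from `203.0.113.10` are the finding that matters: a 404 or 403 shows the probe, a 200 shows the leak. The same `SENSITIVE_PATH_RE` pattern is also the shape of the deny rule to put in the web server configuration so that `find_exposed_artifacts` findings are blocked even if a `.git` directory is deployed by mistake.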
“The underground credential market is thriving, especially for cloud services. This attack shows that secret controls alone are not enough to secure the environment.”