A large-scale cyber operation named “EmeraldWhale” has successfully stolen over 15,000 cloud account credentials by scanning for exposed Git configuration files within thousands of private repositories. The campaign, uncovered by Sysdig, employed automated tools to scan a wide range of IP addresses for Git configuration files that may contain sensitive authentication tokens. These tokens enabled attackers to access and download repositories hosted on platforms like GitHub, GitLab, and BitBucket, allowing them to further search for additional credentials within the downloaded data. The stolen information was then exfiltrated to Amazon S3 buckets, where it was used in various phishing and spam campaigns or sold directly to other cybercriminals.
The exposed Git configuration files, such as /.git/config and .gitlab-ci.yml, are intended to define repository options and can contain sensitive information like API keys, access tokens, and passwords. Developers often include these secrets for convenience, assuming their private repositories are secure. However, if these files are mistakenly made public, they become vulnerable to automated scans by threat actors. The campaign illustrates a significant risk associated with improperly secured configuration files, which could potentially lead to severe data breaches, similar to recent incidents affecting other organizations.
EmeraldWhale’s threat actors utilized open-source tools to conduct extensive scans across an estimated 500 million IP addresses, checking for the presence of exposed /.git/config files and other sensitive environment files. To enhance their scanning capabilities, they maintained an exhaustive list of possible IPv4 addresses, including over 4.2 billion entries. Once a vulnerable configuration file was identified, the attackers used commands to verify the authenticity of the tokens. If confirmed, these tokens were employed to download private repositories, which were subsequently searched for more authentication secrets related to cloud services and email providers.
Despite relying on commonly available tools and automation, the EmeraldWhale operation demonstrated the effectiveness of such tactics in successfully compromising sensitive data. Sysdig’s research revealed that the attackers had accessed credentials from approximately 67,000 URLs that contained exposed configuration files, with a notable portion corresponding to Git repositories. This campaign highlights the ongoing challenges in cybersecurity, particularly for software developers who may inadvertently expose sensitive information. To mitigate these risks, it is recommended that developers utilize dedicated secret management tools and configure sensitive settings using environment variables at runtime, thereby reducing the likelihood of unauthorized access to critical resources.
Reference:
