Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Incidents

EmeraldWhale Operation Steals Credentials

October 31, 2024
Reading Time: 2 mins read
in Incidents

A large-scale cyber operation named “EmeraldWhale” has successfully stolen over 15,000 cloud account credentials by scanning for exposed Git configuration files within thousands of private repositories. The campaign, uncovered by Sysdig, employed automated tools to scan a wide range of IP addresses for Git configuration files that may contain sensitive authentication tokens. These tokens enabled attackers to access and download repositories hosted on platforms like GitHub, GitLab, and BitBucket, allowing them to further search for additional credentials within the downloaded data. The stolen information was then exfiltrated to Amazon S3 buckets, where it was used in various phishing and spam campaigns or sold directly to other cybercriminals.

The exposed Git configuration files, such as /.git/config and .gitlab-ci.yml, are intended to define repository options and can contain sensitive information like API keys, access tokens, and passwords. Developers often include these secrets for convenience, assuming their private repositories are secure. However, if these files are mistakenly made public, they become vulnerable to automated scans by threat actors. The campaign illustrates a significant risk associated with improperly secured configuration files, which could potentially lead to severe data breaches, similar to recent incidents affecting other organizations.

EmeraldWhale’s threat actors utilized open-source tools to conduct extensive scans across an estimated 500 million IP addresses, checking for the presence of exposed /.git/config files and other sensitive environment files. To enhance their scanning capabilities, they maintained an exhaustive list of possible IPv4 addresses, including over 4.2 billion entries. Once a vulnerable configuration file was identified, the attackers used commands to verify the authenticity of the tokens. If confirmed, these tokens were employed to download private repositories, which were subsequently searched for more authentication secrets related to cloud services and email providers.

Despite relying on commonly available tools and automation, the EmeraldWhale operation demonstrated the effectiveness of such tactics in successfully compromising sensitive data. Sysdig’s research revealed that the attackers had accessed credentials from approximately 67,000 URLs that contained exposed configuration files, with a notable portion corresponding to Git repositories. This campaign highlights the ongoing challenges in cybersecurity, particularly for software developers who may inadvertently expose sensitive information. To mitigate these risks, it is recommended that developers utilize dedicated secret management tools and configure sensitive settings using environment variables at runtime, thereby reducing the likelihood of unauthorized access to critical resources.

Reference:

  • EMERALDWHALE: 15k Cloud Credentials Stolen in Operation Targeting Exposed Git Config Files
Tags: Amazon S3 bucketBitbucketCredentialscyber incidentsCyber Incidents 2024Cyber threatsData exposedEmeraldWhaleGitHubGitlabMalware CampaignOctober 2024
ADVERTISEMENT

Related Posts

Microsoft 365 Outage Hits Services

GitHub Copilot Chat Flaw Leaks Repo Data

October 10, 2025
Microsoft 365 Outage Hits Services

Crimson Collective Hits AWS Instances

October 10, 2025
Microsoft 365 Outage Hits Services

Microsoft 365 Outage Hits Services

October 10, 2025
BK Technologies Admits Cyber Breach

BK Technologies Admits Cyber Breach

October 10, 2025
BK Technologies Admits Cyber Breach

Dozens Hit in Oracle-Linked Hacks

October 10, 2025
BK Technologies Admits Cyber Breach

Chinese Hackers Hit Williams Connolly

October 10, 2025

Latest Alerts

BatShadow Unleashes Go Vampire Bot

Hackers Exploit Service Finder Flaw

FileFix Attack Evades Security Tools

Hackers Abuse WordPress for Phishing

Severe Framelink Figma MCP Code Flaw

Android Spyware ClayRat Imitates Apps

Subscribe to our newsletter

    Latest Incidents

    Crimson Collective Hits AWS Instances

    GitHub Copilot Chat Flaw Leaks Repo Data

    Microsoft 365 Outage Hits Services

    Dozens Hit in Oracle-Linked Hacks

    BK Technologies Admits Cyber Breach

    Chinese Hackers Hit Williams Connolly

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial