Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Incidents

EmeraldWhale Operation Steals Credentials

October 31, 2024
Reading Time: 2 mins read
in Incidents

A large-scale cyber operation named “EmeraldWhale” has successfully stolen over 15,000 cloud account credentials by scanning for exposed Git configuration files within thousands of private repositories. The campaign, uncovered by Sysdig, employed automated tools to scan a wide range of IP addresses for Git configuration files that may contain sensitive authentication tokens. These tokens enabled attackers to access and download repositories hosted on platforms like GitHub, GitLab, and BitBucket, allowing them to further search for additional credentials within the downloaded data. The stolen information was then exfiltrated to Amazon S3 buckets, where it was used in various phishing and spam campaigns or sold directly to other cybercriminals.

The exposed Git configuration files, such as /.git/config and .gitlab-ci.yml, are intended to define repository options and can contain sensitive information like API keys, access tokens, and passwords. Developers often include these secrets for convenience, assuming their private repositories are secure. However, if these files are mistakenly made public, they become vulnerable to automated scans by threat actors. The campaign illustrates a significant risk associated with improperly secured configuration files, which could potentially lead to severe data breaches, similar to recent incidents affecting other organizations.

EmeraldWhale’s threat actors utilized open-source tools to conduct extensive scans across an estimated 500 million IP addresses, checking for the presence of exposed /.git/config files and other sensitive environment files. To enhance their scanning capabilities, they maintained an exhaustive list of possible IPv4 addresses, including over 4.2 billion entries. Once a vulnerable configuration file was identified, the attackers used commands to verify the authenticity of the tokens. If confirmed, these tokens were employed to download private repositories, which were subsequently searched for more authentication secrets related to cloud services and email providers.

Despite relying on commonly available tools and automation, the EmeraldWhale operation demonstrated the effectiveness of such tactics in successfully compromising sensitive data. Sysdig’s research revealed that the attackers had accessed credentials from approximately 67,000 URLs that contained exposed configuration files, with a notable portion corresponding to Git repositories. This campaign highlights the ongoing challenges in cybersecurity, particularly for software developers who may inadvertently expose sensitive information. To mitigate these risks, it is recommended that developers utilize dedicated secret management tools and configure sensitive settings using environment variables at runtime, thereby reducing the likelihood of unauthorized access to critical resources.

Reference:

  • EMERALDWHALE: 15k Cloud Credentials Stolen in Operation Targeting Exposed Git Config Files
Tags: Amazon S3 bucketBitbucketCredentialscyber incidentsCyber Incidents 2024Cyber threatsData exposedEmeraldWhaleGitHubGitlabMalware CampaignOctober 2024
ADVERTISEMENT

Related Posts

Luxembourg Probes Huawei Tech Outage

Luxembourg Probes Huawei Tech Outage

August 4, 2025
Luxembourg Probes Huawei Tech Outage

Hackers Leak Alleged Aeroflot Data

August 4, 2025
Luxembourg Probes Huawei Tech Outage

Dermatology Clinics Hit by Data Breach

August 4, 2025
Everest Ransomware Hits Mailchimp

Everest Ransomware Hits Mailchimp

August 1, 2025
Everest Ransomware Hits Mailchimp

Cyberattack Hits French Natural History Museum

August 1, 2025
Everest Ransomware Hits Mailchimp

Russia Faces Second Major Cyberattack

August 1, 2025

Latest Alerts

Fake OAuth Apps Breach Microsoft 365

Akira Hits SonicWall VPNs in Zero‑Day

PlayPraetor Trojan Android Devices

Dahua Camera Flaws Enable Remote Hacking

NOVABLIGHT Steals Logins and Crypto

PyPI Warns of Email Phishing Attack

Subscribe to our newsletter

    Latest Incidents

    Hackers Leak Alleged Aeroflot Data

    Luxembourg Probes Huawei Tech Outage

    Dermatology Clinics Hit by Data Breach

    Everest Ransomware Hits Mailchimp

    Cyberattack Hits French Natural History Museum

    Russia Faces Second Major Cyberattack

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial