Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Incidents

EmeraldWhale Operation Steals Credentials

October 31, 2024
Reading Time: 2 mins read
in Incidents

A large-scale cyber operation named “EmeraldWhale” has successfully stolen over 15,000 cloud account credentials by scanning for exposed Git configuration files within thousands of private repositories. The campaign, uncovered by Sysdig, employed automated tools to scan a wide range of IP addresses for Git configuration files that may contain sensitive authentication tokens. These tokens enabled attackers to access and download repositories hosted on platforms like GitHub, GitLab, and BitBucket, allowing them to further search for additional credentials within the downloaded data. The stolen information was then exfiltrated to Amazon S3 buckets, where it was used in various phishing and spam campaigns or sold directly to other cybercriminals.

The exposed Git configuration files, such as /.git/config and .gitlab-ci.yml, are intended to define repository options and can contain sensitive information like API keys, access tokens, and passwords. Developers often include these secrets for convenience, assuming their private repositories are secure. However, if these files are mistakenly made public, they become vulnerable to automated scans by threat actors. The campaign illustrates a significant risk associated with improperly secured configuration files, which could potentially lead to severe data breaches, similar to recent incidents affecting other organizations.

EmeraldWhale’s threat actors utilized open-source tools to conduct extensive scans across an estimated 500 million IP addresses, checking for the presence of exposed /.git/config files and other sensitive environment files. To enhance their scanning capabilities, they maintained an exhaustive list of possible IPv4 addresses, including over 4.2 billion entries. Once a vulnerable configuration file was identified, the attackers used commands to verify the authenticity of the tokens. If confirmed, these tokens were employed to download private repositories, which were subsequently searched for more authentication secrets related to cloud services and email providers.

Despite relying on commonly available tools and automation, the EmeraldWhale operation demonstrated the effectiveness of such tactics in successfully compromising sensitive data. Sysdig’s research revealed that the attackers had accessed credentials from approximately 67,000 URLs that contained exposed configuration files, with a notable portion corresponding to Git repositories. This campaign highlights the ongoing challenges in cybersecurity, particularly for software developers who may inadvertently expose sensitive information. To mitigate these risks, it is recommended that developers utilize dedicated secret management tools and configure sensitive settings using environment variables at runtime, thereby reducing the likelihood of unauthorized access to critical resources.

Reference:

  • EMERALDWHALE: 15k Cloud Credentials Stolen in Operation Targeting Exposed Git Config Files
Tags: Amazon S3 bucketBitbucketCredentialscyber incidentsCyber Incidents 2024Cyber threatsData exposedEmeraldWhaleGitHubGitlabMalware CampaignOctober 2024
ADVERTISEMENT

Related Posts

Avantic Lab Affected By Ransomware

Avantic Lab Affected By Ransomware

July 11, 2025
Avantic Lab Affected By Ransomware

Microsoft’s Outlook Long Outage

July 11, 2025
Avantic Lab Affected By Ransomware

$40M+ Stolen from GMX Crypto Platform

July 11, 2025
Nippon Steel Solutions Data Breach

Bitcoin Depot Breach Exposes Data

July 10, 2025
Nippon Steel Solutions Data Breach

McDonald’s AI Hiring Bot Exposes Data

July 10, 2025
Nippon Steel Solutions Data Breach

Nippon Steel Solutions Data Breach

July 10, 2025

Latest Alerts

Fake Sites Push Investment Scams

Fake Firms Push Malware on Crypto Users

Severe WordPress Flaw 200K Sites at Risk

RondoDox Botnet Exploits Router Flaws

ServiceNow Data Exposure via ACLs

Hackers Revive SEO Poisoning

Subscribe to our newsletter

    Latest Incidents

    Microsoft’s Outlook Long Outage

    Avantic Lab Affected By Ransomware

    $40M+ Stolen from GMX Crypto Platform

    Bitcoin Depot Breach Exposes Data

    McDonald’s AI Hiring Bot Exposes Data

    Nippon Steel Solutions Data Breach

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial