Earlier this week, researchers revealed a significant cybercriminal operation known as EmeraldWhale. The attackers exposed over 15,000 credentials by depositing them into an unsecured AWS S3 bucket during a large-scale Git repository theft campaign. This incident serves as a reminder to strengthen cloud configurations and carefully review source code to avoid errors such as hardcoding credentials. During the course of their attack, EmeraldWhale’s focus was on Git configuration to steal credentials. They cloned over 10,000 private repositories and extracted cloud credentials from source code.
According to the Sysdig Threat Research Team, which uncovered this worldwide scheme, the campaign exploited various private tools to misuse improperly configured Web and cloud services. The main method used by the campaign for stealing credentials—valued at hundreds of dollars per account on the Dark Web—is phishing. Additionally, they generate revenue by selling their target lists in underground marketplaces so others can replicate these activities.
EmeraldWhale’s First Breach
The researchers began their investigation by monitoring the Sysdig TRT cloud honeypot. During this process, they detected a ListBuckets call made with a compromised account linked to an S3 bucket named s3simplisitter.
The bucket was linked to an unidentified account and had been left publicly accessible. Upon conducting a thorough investigation, researchers unearthed evidence of a complex attack that involved web scraping Git files from open repositories. According to the researchers, there was an extensive scanning campaign between August and September that impacted servers with exposed Git repository configuration files—these often contain hardcoded credentials.
Naomi Buckwalter, the director of product security at Contrast Security, emphasized in an email to Dark Reading that complacency is not an option for security professionals. It’s crucial to ensure sensitive secrets such as API tokens and authentication credentials are kept out of source code. She stressed that information security experts should take a proactive role in educating development teams about secure methods for storing, managing, and accessing these secrets. Additionally, she recommended regular scans of source code for any hard-coded credentials and vigilant monitoring of credential usage to detect any unusual activities.
Also Read: how to protect your company from data breach
Always Have Your Guard Up
In essence, Git directories hold all necessary information for version control. This includes the entire commit history, configuration files, branches, and references.
“The researchers noted that exposing the .git directory allows attackers to access crucial data regarding the repository’s history, structure, and sensitive project information. This encompasses commit messages, usernames, email addresses, and potentially passwords or API keys if they are necessary for the repository or have been committed.”
The incident clearly reminds us of the importance for businesses and organizations to maintain visibility over all services. It’s crucial to have a comprehensive understanding of potential attack surfaces in order to effectively manage them and mitigate threats consistently.
“According to Victor Acin, head of threat intelligence at Outpost24, a significant number of breaches happen when internal services are unintentionally exposed to the public Internet, leaving them vulnerable to malicious actors,” he stated in an emailed message to Dark Reading.
Acin advised enterprises to implement an “effective external attack surface management (EASM) platform” in order to monitor potential misconfigurations and shadow IT.
Even when private repositories are considered secure, it is advisable to implement extra protective measures and ensure that the information remains well-protected.