Cybersecurity researchers have flagged a “massive” campaign that targets exposed Git configurations to siphon credentials, clone private repositories, and even extract cloud credentials from the source code.
The activity, codenamed EMERALDWHALE, is estimated to have collected over 10,000 private repositories and stored in an Amazon S3 storage bucket belonging to a prior victim. The bucket, consisting of no less than 15,000 stolen credentials, has since been taken down by Amazon.
“The stolen credentials belong to Cloud Service Providers (CSPs), Email providers, and other services,” Sysdig said in a report. “Phishing and spam seem to be the primary goal of stealing the credentials.”
The multi-faceted criminal operation, while not sophisticated, has been found to leverage an arsenal of private tools to steal credentials as well as scrape Git config files, Laravel .env files, and raw web data. It has not been attributed to any known threat actor or group.
Targeting servers with exposed Git repository configuration files using broad IP address ranges, the toolset adopted by EMERALDWHALE allows for the discovery of relevant hosts and credential extraction and validation.
These stolen tokens are subsequently used to clone public and private repositories and grab more credentials embedded in the source code. The captured information is finally uploaded to the S3 bucket.
Two prominent programs the threat actor uses to realize its goals are MZR V2 and Seyzo-v2, which are sold on underground marketplaces and are capable of accepting a list of IP addresses as inputs for scanning and exploitation of exposed Git repositories.
These lists are typically compiled using legitimate search engines like Google Dorks and Shodan and scanning utilities such as MASSCAN.
What’s more, Sysdig’s analysis found that a list comprising more than 67,000 URLs with the path “/.git/config” exposed is being offered for sale via Telegram for $100, signaling that there exists a market for Git configuration files.
“EMERALDWHALE, in addition to targeting Git configuration files, also targeted exposed Laravel environment files,” Sysdig researcher Miguel Hernández said. “The .env files contain a wealth of credentials, including cloud service providers and databases.”
“The underground market for credentials is booming, especially for cloud services. This attack shows that secret management alone is not enough to secure an environment.”