A sophisticated cyber operation, dubbed Emeraldwhale, has targeted misconfigured Git configurations worldwide, resulting in the theft of sensitive cloud service credentials. The Sysdig Threat Research Team (TRT) has identified a complex attack vector that exploited vulnerabilities in web services, allowing attackers to gain unauthorized access to private repositories and extract valuable data.
Scope of the Breach
The breach exposed over 10,000 private repositories, with stolen data stored in an Amazon S3 bucket linked to a prior victim. The compromised credentials encompass a broad range of services, including cloud service providers (CSPs) and email platforms. Phishing and spam campaigns are believed to be the primary motivations for the theft.
Stolen Data
- Over 15,000 cloud service credentials, including AWS, Google Cloud, and Microsoft Azure
- Email platform credentials from various providers
- Sensitive data stored in Amazon S3 bucket linked to a prior victim
Value of Stolen Credentials
The stolen credentials are highly valuable on underground marketplaces, where they may fetch hundreds of dollars per account. This highlights the lucrative nature of credential-harvesting tools, which are readily available in the dark web.
Attack Vector and Tools Used
Initial signs of the breach were detected by Sysdig TRT’s cloud honeypot when an unauthorized ListBuckets call was made. The investigation revealed a compromised S3 bucket containing over a terabyte of sensitive data. Attackers used tools capable of scraping exposed Git configuration files and other web data, including Laravel .env files, to harvest credentials.
bash
# Example of the attack vector employed by Emeraldwhale's toolset
httpx -u https://example.com -H "Authorization: Bearer " --json ListBuckets
The use of freely available open-source tools like httpx enabled the large-scale scanning campaign that targeted exposed Git configuration files across thousands of servers.
Security Risks
- Exposure of .git directories: Attackers exploited these vulnerabilities to retrieve sensitive repository information, demonstrating the importance of proper secret management and monitoring of credentials.
- Lack of secret management: The breach highlights the need for organizations to prioritize their security posture and take proactive measures to prevent similar breaches in the future.
Important Statement
“Secret management alone is not enough to secure an environment. Organizations must also monitor the behavior of any identities associated with credentials to protect against such threats.” – Sysdig TRT
Conclusion
The Emeraldwhale operation highlights the critical importance of cloud security best practices, including proper configuration and monitoring of Git repositories. As the market for credential-harvesting tools continues to thrive, it is essential for organizations to prioritize their security posture and take proactive measures to prevent similar breaches in the future.
Recommendations
- Regularly monitor and audit your Git repositories for exposed credentials
- Implement proper secret management practices, including encryption and access controls
- Educate employees on the importance of secure configuration and monitoring
By following these recommendations, organizations can reduce their risk of being targeted by credential-harvesting tools like those used in the Emeraldwhale attack.
