Over 15,000 credentials have been exposed and more than 10,000 private repositories compromised in a recently reported campaign. Researchers have named it EMERALDWHALE. It targets exposed Git configuration files to obtain the credentials they contain, uses those credentials to clone repositories, and then extracts further cloud credentials embedded in the source code.
The EMERALDWHALE campaign is believed to have amassed more than 10,000 private repositories, with the stolen data stored in an Amazon S3 bucket belonging to a previous victim; Amazon has since deactivated the bucket. The stolen credentials span cloud service providers (CSPs), email providers and other critical services, and according to reports the primary objective appears to be phishing and spam operations.
Though not a highly sophisticated campaign, EMERALDWHALE employs a range of private tools to gather sensitive information.
These tools scrape Git configuration files, Laravel `.env` files and raw web data from vulnerable servers. Despite its success, the campaign has not yet been attributed to any known threat actor or group.
The operation scans wide IP address ranges for web servers that expose their Git repository configuration (typically a web-readable `.git/config`), then uses specialised tools to identify, extract and validate any credentials found there. The captured tokens let the operators clone both public and private repositories, from which they harvest further credentials embedded in the source code. The compromised data is then uploaded to the S3 bucket, centralising the stolen information.
Two tools, MZR V2 and Seyzo-v2, play a central role in the campaign. Sold on underground marketplaces, they take lists of IP addresses as input and automate the scanning and exploitation of exposed Git repositories. Those target lists are typically built with legitimate services and tools: search-engine queries (Google dorks), Shodan, and port scanners such as MASSCAN.
The in-depth analysis also uncovered a list of more than 67,000 URLs with exposed Git configuration paths being sold on Telegram for $100. That such lists have a market of their own underscores the demand for sensitive credentials among cyber criminals.
EMERALDWHALE also targets exposed Laravel environment files (`.env`), which often hold credentials for cloud services and databases, widening the reach of the campaign. The researchers remarked that the attack highlights a booming underground market for credentials, especially cloud credentials, and noted that effective secret management alone may not be sufficient: a secret that is well managed in a vault is still exposed once it is embedded in a remote URL in `.git/config` or written into an `.env` file that the web server will serve.
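The harvesting step described above (probe a host for a web-readable `.git/config` and `.env`, parse what comes back, pull out any credentials) is straightforward to turn into a self-audit for hosts you own. The script below is an added example written for this page; it is not code from the article, from the researchers, or from the MZR V2 / Seyzo-v2 tooling. The probe paths follow the article; the list of secret-bearing `.env` key names and the two sample files are constructed assumptions, and the `fetch` helper is only there so you can point `probe_urls` at your own servers.

```python
"""Self-audit for exposed Git configuration and Laravel .env files.

Added example, not part of the original article. It models the harvesting
step the campaign performs: a served .git/config is parsed and credentials
embedded in remote URLs are extracted; a served .env is scanned for keys
that look secret-bearing. All sample inputs below are constructed.
"""
import re
import urllib.request
from urllib.parse import urlsplit

# Paths the article says the campaign scrapes from vulnerable servers.
PROBE_PATHS = ("/.git/config", "/.env")

# Assumption: key-name suffixes that usually carry secrets in .env files.
ENV_SECRET_KEY = re.compile(r"(SECRET|PASSWORD|TOKEN|KEY)$", re.IGNORECASE)

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$")


def probe_urls(base_url):
    """URLs to request for one host you own, e.g. https://example.com."""
    return [base_url.rstrip("/") + p for p in PROBE_PATHS]


def looks_like_git_config(body):
    """A served .git/config starts with a [core] section; an error page does not."""
    return body.lstrip().startswith("[core]")


def parse_git_config(text):
    """Minimal parser for git's INI-like config -> {section: {key: value}}.
    Handles the `[remote "origin"]` section syntax; enough for triage."""
    config, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            current = config.setdefault(m.group(1), {})
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return config


def embedded_credentials(config):
    """(section, username, secret, host) for each URL with a userinfo part,
    i.e. the https://user:token@host/org/repo.git form the campaign harvests."""
    found = []
    for section, keys in config.items():
        url = keys.get("url")
        if not url:
            continue
        parts = urlsplit(url)
        if parts.username or parts.password:
            found.append((section, parts.username, parts.password, parts.hostname))
    return found


def env_secrets(text):
    """Names of .env keys that look secret-bearing and have a non-empty value."""
    hits = []
    for line in text.splitlines():
        m = _KEYVAL.match(line)
        if m and m.group(2).strip("\"'") and ENV_SECRET_KEY.search(m.group(1)):
            hits.append(m.group(1))
    return hits


def fetch(url, timeout=5):
    """Fetch one probe URL from a host you own; body text, or None on error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return None


# Constructed sample of a .git/config with a token embedded in the remote URL.
SAMPLE_GIT_CONFIG = """[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://deploy:ghp_EXAMPLETOKEN000000@github.com/example-org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

# Constructed sample of a Laravel .env file.
SAMPLE_ENV = """APP_NAME=Laravel
APP_KEY=base64:EXAMPLEKEY==
DB_PASSWORD=s3cret
AWS_SECRET_ACCESS_KEY=EXAMPLESECRET
MAIL_FROM_ADDRESS=
"""

if __name__ == "__main__":
    cfg = parse_git_config(SAMPLE_GIT_CONFIG)
    for section, user, secret, host in embedded_credentials(cfg):
        print(f"{section}: {user}@{host} carries an embedded secret ({secret[:4]}...)")
    print("secret-bearing .env keys:", env_secrets(SAMPLE_ENV))
```

To audit real hosts, feed each base URL to `probe_urls`, pass the results through `fetch`, and run `looks_like_git_config` and `parse_git_config` (or `env_secrets`) over whatever comes back; any hit means the file is reachable from the internet and every credential in it should be treated as compromised and rotated.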
This campaign illustrates the risks of exposed Git configurations. Organisations are urged to review their repository security, implement stringent access controls and prioritise comprehensive credential management. In practice that means ensuring web servers never serve `.git/` directories or `.env` files, keeping tokens out of Git remote URLs and committed source, and rotating any credential that may already have been exposed.