Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)
Sysdig’s Threat Research Team (TRT) has uncovered a global operation known as EMERALDWHALE, which has stolen over 15,000 cloud service credentials by exploiting exposed Git configuration files.
EMERALDWHALE utilised multiple private tools to exploit several misconfigured web services, resulting in the theft of credentials from more than 10,000 private repositories.
Though the operation’s primary targets appeared to be cloud service and email providers, the ultimate aim was believed to be phishing and spam activities. The credentials amassed could fetch hundreds of dollars per account, with additional profits expected from selling target lists on various online marketplaces.
The discovery of this campaign highlights a key lesson: secret management, whilst crucial, is insufficient on its own. There are myriad ways through which credentials can be inadvertently exposed.
Discovering an EMERALDWHALE
The operation first came to light when the Sysdig TRT was monitoring a cloud honeypot system and detected an anomalous ListBuckets call used with a compromised account. This activity pointed towards an S3 bucket named ‘s3simplisitter’ that, notably, did not belong to Sysdig but appeared publicly accessible.
Upon investigation, it was identified that the bucket stored over a terabyte of data – including compromised credentials and logs – further evidencing the multi-pronged attack involving web scraping of Git config files, Laravel environment files, and additional web data.
Exploiting exposed Git configuration files
Between August and September, EMERALDWHALE ran extensive scans to locate servers with exposed Git repository configuration files. The scanning identified vast swathes of susceptible data across the internet, made easier by open-source tools such as httpx.
Git is a widely used version control system that relies heavily on configuration files. Should the .git directory become exposed – often due to web server misconfigurations – attackers could retrieve valuable data about the repository and access sensitive project information.
EMERALDWHALE capitalised on these misconfigurations to extract, collect, and monetise the leaked information.
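As an added defender-side example (not part of the Sysdig report or this article), the script below parses web server access-log lines in the common nginx/Apache "combined" format, flags requests for `.git/` paths and Laravel-style `.env` files, and separates probes the server blocked from those it actually served. The log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (nginx/Apache "combined" format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2024:10:01:02 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "httpx"
203.0.113.7 - - [12/Sep/2024:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "httpx"
203.0.113.7 - - [12/Sep/2024:10:01:04 +0000] "GET /.env HTTP/1.1" 404 153 "-" "httpx"
198.51.100.4 - - [12/Sep/2024:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Sep/2024:10:02:11 +0000] "GET /app/.git/config HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line: client IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Paths that should never be reachable over HTTP on a production web root.
SENSITIVE_PATHS = (
    re.compile(r"^/(?:.*/)?\.git(?:/|$)"),   # anything under a .git directory, at any depth
    re.compile(r"^/(?:.*/)?\.env(?:\.|$)"),  # .env and variants such as .env.backup
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sensitive_path(path):
    """True if the request path (query string ignored) targets a .git or .env resource."""
    path = path.split("?", 1)[0]
    return any(p.match(path) for p in SENSITIVE_PATHS)


def analyse(log_text):
    """Group sensitive-path requests by client IP.

    For each IP, 'probes' counts every request for a sensitive path, and 'leaks'
    lists the paths the server answered with a 2xx status, i.e. a confirmed exposure
    rather than a blocked or failed probe.
    """
    report = defaultdict(lambda: {"probes": 0, "leaks": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_sensitive_path(rec["path"]):
            continue
        entry = report[rec["ip"]]
        entry["probes"] += 1
        if rec["status"].startswith("2"):
            entry["leaks"].append(rec["path"])
    return dict(report)
```

A non-empty `leaks` list means the web server is already serving repository internals and the exposure should be treated as a credential leak, not merely a scan.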
Tools and motives
The operation utilised certain key tools that are often traded in underground marketplaces. Two such tools, identified during the investigation, are MZR V2 (MIZARU) and Seyzo-v2.
- MZR V2: Comprising Python and shell scripts, MZR V2 explores IPs to identify misconfigured .git/config files and subsequently validates potential credentials. Once stolen, the credentials are used to clone both public and private repositories, searching for further extracts of sensitive data.
- Seyzo-v2: This toolset employs a similar methodology to MZR V2 but executes more rigorous searches for credentials from SMTP, SMS, and cloud providers.
The motivation behind these attacks mirrors a growing trend in credential harvesting—a profitable and low-risk venture for cybercriminals. With the tools and guidance readily available, attackers can automate their efforts, thus minimising direct exposure or personal risk.
The EMERALDWHALE operation underscores a prevalent challenge in the digital era. Credential leaks are a major concern, made worse by inadequate configuration settings and extensive reliance on default security setups.
Recognising that secret management, while essential, is only one part of a layered security strategy highlights the pressing need for comprehensive exposure management and vulnerability scanning. By conducting thorough internal and external audits, guardians of sensitive data can better fortify against infiltration.
EMERALDWHALE – despite not being highly sophisticated – managed to swipe over 15,000 credentials simply by exploiting existing security missteps, notably exposed Git configuration files. These incidents reiterate the vulnerability present in current systems where private repositories, despite offering illusory protection, can become unintended entry points for malfeasance.