Cybersecurity researchers have identified an extensive attack campaign exploiting exposed Git configuration files to steal credentials, clone private repositories, and even extract cloud service credentials embedded within source code.
Dubbed “EMERALDWHALE,” this operation has successfully harvested over 10,000 private repositories, storing the stolen data in an Amazon S3 bucket belonging to a previously compromised victim. The storage, which contained at least 15,000 stolen credentials, was taken down after being flagged.
According to a recent report, the stolen credentials include access to cloud service providers, email services, and other sensitive platforms, primarily to support phishing and spam activities.
While the EMERALDWHALE operation is not highly complex, it utilizes various private tools to capture credentials, scrape Git configuration files, Laravel environment files, and raw web content. Notably, this operation has not been linked to any known cybercriminal groups.
The attackers employ a broad IP scanning approach to locate servers with exposed Git configuration files. Their tools allow them to identify vulnerable hosts, extract and validate credentials, and ultimately use these tokens to clone both public and private repositories, obtaining more credentials embedded in source code along the way. This data is then uploaded to the compromised S3 bucket.
Key tools used in this attack include MZR V2 and Seyzo-v2, which are available on underground marketplaces. These tools allow the attackers to input IP lists to scan and exploit exposed Git repositories.
The IP lists are often compiled using search engine queries such as Google dorks and Shodan, as well as scanning tools like MASSCAN.
In their analysis, researchers discovered a list of over 67,000 URLs with exposed Git configuration paths being sold on Telegram for $100, indicating a thriving underground market for Git configuration files and related credentials.
Additionally, exposed Laravel environment files containing critical cloud and database credentials were targeted, further broadening the scope of the attack.
The growing demand for cloud-based credentials, particularly in underground marketplaces, reflects the importance of stronger security practices. The researchers emphasized that relying solely on secret management systems is insufficient to protect an organization from these kinds of intrusions.
To prevent similar breaches, regular audits of cloud infrastructure and source code can help identify and mitigate any exposed credentials early. Enforcing network segmentation and utilizing monitoring tools to detect unusual activity will also reduce the risks of unauthorized access.
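One way to put that audit and monitoring advice into practice, as an added example (not code from the report or from the researchers): flag web requests that probe for `.git/` and `.env` paths, and check a repository's `.git/config` for credentials embedded in remote URLs. The log lines and config file below are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed access-log lines (common log format); not taken from the report.
SAMPLE_LOG = """\
203.0.113.9 - - [31/Oct/2024:10:01:02 +0000] "GET /.git/config HTTP/1.1" 200 512
203.0.113.9 - - [31/Oct/2024:10:01:03 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.4 - - [31/Oct/2024:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.9 - - [31/Oct/2024:10:02:11 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
"""

# Constructed .git/config with a token embedded in one remote URL.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy:ghp_EXAMPLETOKEN@github.com/example/private-app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@example.com:example/mirror.git
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PROBE_RE = re.compile(r'^/(\.git/|\.env$|\.env\.)')  # exposed Git config / Laravel env probes

def detect_probes(log_text):
    """Per client IP: number of .git/.env probes and how many were answered 2xx
    (a 2xx means the file was actually served, i.e. it is exposed right now)."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.match(m["path"]):
            continue
        entry = report.setdefault(m["ip"], {"hits": 0, "served": 0})
        entry["hits"] += 1
        entry["served"] += m["status"].startswith("2")
    return report

def credentialed_remotes(config_text):
    """Remote names whose URL carries userinfo (user:token@host), with the secret
    redacted so the finding can be logged without copying the token."""
    findings, section = {}, None
    for line in config_text.splitlines():
        sec = re.match(r'^\s*\[remote "([^"]+)"\]', line)
        section = sec.group(1) if sec else (None if line.strip().startswith("[") else section)
        kv = re.match(r'^\s*url\s*=\s*(\S+)', line)
        if kv and section:
            parts = urlsplit(kv.group(1))   # scp-style git@host:path has no userinfo
            if parts.username or parts.password:
                findings[section] = kv.group(1).replace(parts.password or "", "<redacted>")
    return findings
```

A remote found by `credentialed_remotes` is a credential that leaks the moment `.git/config` is reachable over HTTP, so the fix is to move the token into a credential helper and rotate it.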