EMERALDWHALE exploits vulnerable Git configuration files

Nov 02, 2024

Sysdig’s Threat Research Team (TRT) has uncovered a global operation known as EMERALDWHALE, which has stolen over 15,000 cloud service credentials by exploiting exposed Git configuration files.

EMERALDWHALE utilised multiple private tools to exploit several misconfigured web services, resulting in the theft of credentials from more than 10,000 private repositories.

Though the operation’s primary targets appeared to be cloud service and email providers, the ultimate aim was believed to be phishing and spam activities. The credentials amassed could fetch hundreds of dollars per account, with additional profits expected from selling target lists on various online marketplaces.

The discovery of this campaign accentuates a key security vulnerability in the digital landscape: secret management, whilst crucial, is insufficient on its own. There are myriad ways through which credentials can be inadvertently exposed.

Discovering an EMERALDWHALE

The operation first came to light when the Sysdig TRT was monitoring a cloud honeypot system and detected an anomalous ListBuckets call used with a compromised account. This activity pointed towards an S3 bucket named ‘s3simplisitter’ that, notably, did not belong to Sysdig but appeared publicly accessible.

Upon investigation, it was identified that the bucket stored over a terabyte of data – including compromised credentials and logs – further evidencing the multi-pronged attack involving web scraping of Git config files, Laravel environment files, and additional web data.

Exploiting exposed Git configuration files

Between August and September, EMERALDWHALE ran extensive scans to locate servers with exposed Git repository configuration files. The scanning, made easier by open-source tools such as httpx, identified vast amounts of susceptible data across the internet.

Git is a widely used distributed version control system that relies heavily on configuration files. Should the .git directory become exposed – often due to web server misconfigurations – attackers can read valuable data about the repository and gain access to sensitive project information.

EMERALDWHALE capitalised on these misconfigurations to extract, collect, and monetise the leaked information.

Tools and motives

The operation utilised certain key tools that are often traded in underground marketplaces. Two such tools, identified during the investigation, are MZR V2 (MIZARU) and Seyzo-v2. 

  • MZR V2: Comprising Python and shell scripts, MZR V2 scans IP ranges to identify misconfigured .git/config files and then validates any credentials it finds. The stolen credentials are used to clone both public and private repositories, which are searched for further sensitive data.
  • Seyzo-v2: This toolset employs a similar methodology to MZR V2 but executes more rigorous searches for credentials from SMTP, SMS, and cloud providers.

The motivation behind these attacks mirrors a growing trend in credential harvesting—a profitable and low-risk venture for cybercriminals. With the tools and guidance readily available, attackers can automate their efforts, thus minimising direct exposure or personal risk.

The EMERALDWHALE operation underscores a prevalent challenge in the digital era. Credential leaks are a major concern, made worse by inadequate configuration settings and extensive reliance on default security setups.

Secret management is essential, but it is only one layer of a defence-in-depth strategy; recognising this highlights the pressing need for comprehensive exposure management and vulnerability scanning. By conducting thorough internal and external audits, guardians of sensitive data can better fortify against infiltration.

EMERALDWHALE – despite not being highly sophisticated – managed to swipe over 15,000 credentials simply by exploiting existing security missteps, notably exposed Git configuration files. These incidents reiterate a vulnerability present in current systems: the privacy of a repository offers only illusory protection, and private repositories can become unintended entry points for malfeasance.
