A significant cybercriminal operation, known as EmeraldWhale, was recently exposed by researchers after more than 15,000 credentials were leaked into a stolen AWS S3 bucket as part of a large-scale Git repository theft campaign. This incident serves as a crucial reminder to enhance cloud configurations and thoroughly review source code to avoid mistakes like hardcoded credentials.
During the attack, EmeraldWhale focused on Git configurations to pilfer credentials, cloned over 10,000 private repositories, and extracted cloud credentials from source code.
The operation utilized various private tools to exploit misconfigured Web and cloud services, as reported by the Sysdig Threat Research Team, which uncovered the global operation. Phishing was the primary method used to steal credentials, which can fetch high prices on the Dark Web. Additionally, the operation profits by selling target lists on underground markets for others to engage in similar activities.
EmeraldWhale’s First Breach
Researchers initially detected EmeraldWhale’s activities through the Sysdig TRT cloud honeypot, where they observed a compromised account making a ListBuckets call to an S3 bucket named s3simplisitter.
Further investigation revealed that the publicly exposed bucket, belonging to an unknown account, was part of a multifaceted attack that included Web scraping of Git files in open repositories. A widespread scanning campaign occurred between August and September, impacting servers with exposed Git repository configurations that could contain hardcoded credentials.
Naomi Buckwalter, director of product security at Contrast Security, emphasized the importance of securing sensitive information and educating development teams on securely storing, managing, and accessing secrets to prevent such breaches.
Always Have Your Guard Up
Git directories contain essential information for version control, including commit history, configuration files, branches, and references.
Exposing the .git directory can provide attackers with valuable repository data, such as commit messages, usernames, email addresses, and potentially passwords or API keys if included in the repository.
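The credentials EmeraldWhale harvested from exposed `.git` directories are the kind that end up embedded in remote URLs inside `.git/config`. The following defensive audit script is an added example (not code from the article or from Sysdig): it parses a Git config file, flags any remote URL that carries a username or password, and reports only the host and username so the secret is never echoed into logs. The sample config and the token value in it are constructed.

```python
"""Audit Git config files for credentials embedded in remote URLs."""
import re
from urllib.parse import urlsplit

# Matches config lines of the form:   url = https://user:token@host/org/repo.git
URL_LINE = re.compile(r"^\s*url\s*=\s*(\S+)\s*$", re.IGNORECASE)


def find_embedded_credentials(config_text: str) -> list[dict]:
    """Return one finding per remote URL that embeds a username and/or password.

    The password itself is deliberately not included in the finding, so the
    output can be logged or ticketed without re-leaking the secret.
    """
    findings = []
    section = None
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]          # e.g. remote "origin"
            continue
        m = URL_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))          # scp-style git@host:repo yields no userinfo
        if parts.username is None and parts.password is None:
            continue
        findings.append({
            "line": lineno,
            "section": section,
            "host": parts.hostname,
            "username": parts.username,
            "has_password": parts.password is not None,
        })
    return findings


# Constructed sample: one clean remote and one remote with a token baked into the URL.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://github.com/example-org/clean-repo.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = https://deploy-bot:ghp_EXAMPLETOKEN@github.com/example-org/private-repo.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
"""

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"line {f['line']}: [{f['section']}] credential for {f['username']}@{f['host']}")
```

Run it against the `.git/config` of each repository on a build host or web server; any finding means the remote should be switched to a credential helper or SSH key and the embedded token rotated.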
This incident underscores the necessity for businesses to have visibility into all services, understand potential attack surfaces, and consistently manage and mitigate threats.
Victor Acin, head of threat intel at Outpost24, recommended implementing an External Attack Surface Management (EASM) platform to monitor misconfigurations and shadow IT, emphasizing the importance of securing private repositories and sensitive information.