Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned

Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned

November 1, 2024 at 07:33AM

Cybersecurity researchers have uncovered a campaign, EMERALDWHALE, targeting exposed Git configurations to steal credentials from over 10,000 private repositories. The operation exploits tools to access sensitive files and collect data, leading to extensive credential theft for phishing purposes. A list of 67,000 exposed URLs is being sold online.

### Meeting Takeaways: EMERALDWHALE Cybersecurity Campaign

**Overview of the Threat:**
– The EMERALDWHALE campaign is a significant cybersecurity threat targeting exposed Git configurations.
– It exploits vulnerabilities to siphon credentials, clone private repositories, and extract cloud credentials from source code.

**Scale of the Attack:**
– Over 10,000 private repositories have been compromised, with stolen credentials totaling at least 15,000.
– Stolen data was stored in an Amazon S3 bucket linked to a previous victim, which has since been taken down by Amazon.

**Attack Methods:**
– The operation utilizes private tools to scrape Git config and Laravel .env files and extract credentials.
– EMERALDWHALE targets servers by searching broad IP address ranges for exposed Git repository configuration files.
– Tools employed include MZR V2 and Seyzo-v2, available through underground marketplaces for scanning and exploiting Git repositories.

**Information Gathering:**
– Attackers compile lists of exposed Git configurations using Google Dorks, Shodan, and scanning tools like MASSCAN.
– A noted market exists for exposed Git configuration files; a list with over 67,000 URLs is being sold for $100 on Telegram.

**Implications and Recommendations:**
– The stolen credentials mainly belong to Cloud Service Providers (CSPs), email providers, and various other services, indicating a focus on phishing and spam attacks.
– The research indicates that relying solely on secret management does not sufficiently secure cloud environments.
– Organizations must enhance their security protocols beyond secret management to safeguard their sensitive information effectively.

**Follow-Up Actions:**
– Monitor Git and Laravel configurations for vulnerabilities.
– Implement better credential management and security practices.

**For Further Updates:**
– Stakeholders are encouraged to follow relevant platforms for ongoing information and updates on cybersecurity threats.

Full Article