Hackers steal 15,000 cloud credentials from exposed Git config files

A large-scale malicious operation named “EmeraldWhale” scanned for exposed Git configuration files to steal over 15,000 cloud account credentials from thousands of private repositories.

According to Sysdig, who discovered the campaign, the operation involves using automated tools that scan IP ranges for exposed Git configuration files, which may include authentication tokens.

These tokens are then used to download repositories stored on GitHub, GitLab, and BitBucket, which are scanned for further credentials.

The stolen data was exfiltrated to Amazon S3 buckets of other victims and was subsequently used in phishing and spam campaigns and sold directly to other cybercriminals.

While exposing Git authentication tokens can allow data theft, it could also lead to full-blown data breaches like we recently saw with the Internet Archive.

The threat actors behind EmeraldWhale use open-source tools like ‘httpx’ and ‘Masscan’ to scan websites hosted on an estimated 500 million IP addresses divided into 12,000 IP ranges.

Sysdig says the hackers even created files listing every possible IPv4 address, spanning over 4.2 billion entries, to streamline future scans.

The scans simply check if the /.git/config file and environment files (.env) in Laravel applications are exposed, which may also contain API keys and cloud credentials.

Once an exposure is identified, the tokens are verified using ‘curl’ commands to various APIs and, if valid, are used to download private repositories. Read the full story.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.