Hackers Steal 15,000 Cloud Credentials from Exposed Git Config Files

Summary:
The "EmeraldWhale" campaign, a large-scale malicious operation, has reportedly scanned for exposed Git configuration files, compromising over 15,000 cloud account credentials across thousands of private repositories.

Sysdig, the security firm that uncovered the campaign, explained that EmeraldWhale utilizes automated tools to scan IP ranges for Git configuration files that may contain sensitive authentication tokens. These tokens are then used to access and download repositories from GitHub, GitLab, and BitBucket, where the attackers conduct further scans for additional credentials.

The stolen data was exfiltrated to Amazon S3 buckets belonging to other compromised victims, and was then used in phishing and spam campaigns or sold on to other cybercriminals. Beyond the contents of the repositories themselves, an exposed Git authentication token can be the first step in a much larger breach, as in the recent Internet Archive incident.

Security Officer Comments:
Git configuration files such as .git/config define repository settings: remotes, branch tracking, and similar options. A remote URL in that file can embed a credential directly (for example https://user:token@github.com/org/repo.git, or a bare token used as the username), and CI definitions such as .gitlab-ci.yml or application .env files may likewise carry API keys, access tokens, or passwords. Developers store credentials this way because it makes cloning, pushing, and deployment work without prompting.

A credential stored this way is only as safe as every copy of the repository. The typical failure is a project deployed by cloning it into a web server's document root without blocking access to the .git directory: the server then happily serves /.git/config to anyone who asks, and mass scanners ask constantly.

If these configuration files contain authentication tokens, attackers could download source code, databases, and other sensitive resources that are intended to be private.

The attackers behind EmeraldWhale employ open-source tools, such as "httpx" and "Masscan," to scan over 500 million IP addresses across 12,000 IP ranges. Sysdig reports that the attackers even created a file listing all possible IPv4 addresses (over 4.2 billion entries) to streamline future scans.

These scans specifically look for exposed /.git/config files and environment files (e.g., .env in Laravel applications) which often contain API keys and cloud credentials.

When exposed credentials are identified, the attackers use 'curl' commands to validate tokens through various APIs. Valid tokens are then used to download private repositories, which are further analyzed for authentication information related to AWS, other cloud platforms, and email services. The attackers use these exposed email credentials to conduct phishing and spam campaigns.
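The scanning and harvesting steps above reduce to a simple pipeline: fetch /.git/config from a host, decide whether the response is really a Git config (and not a catch-all HTML page returned with status 200), parse it, and look for remotes whose URL carries credentials. The following is an added example written for this page; it is not Sysdig's code or EmeraldWhale's tooling. The sample config and HTML body are constructed, the repository paths and tokens are placeholders, and github.com / gitlab.com are used only because the page names those platforms. The same logic, pointed at your own hosts, is the check a defender would run.

```python
"""Triage a fetched /.git/config body: is it a real Git config, and does it leak credentials?

Added example for this page (not Sysdig's or EmeraldWhale's code). Sample data is constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: an exposed /.git/config where a developer pasted tokens into
# remote URLs for convenience. Tokens and repository paths are placeholders.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://deploybot:EXAMPLE_TOKEN_0000@github.com/acme/payments.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "upstream"]
\turl = https://EXAMPLE_TOKEN_1111@gitlab.com/acme/payments.git
[remote "mirror"]
\turl = git@gitlab.com:acme/payments.git
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""

# Constructed sample: a web app's catch-all page served with HTTP 200, a common
# false positive for scanners that only look at the status code.
SAMPLE_HTML = "<!doctype html><html><body>Not found</body></html>"

SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]\s*$')   # [core] or [remote "origin"]
KEY_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')           # key = value


def parse_git_config(text: str) -> dict:
    """Parse Git's INI-like config into {(section, subsection): {key: value}}."""
    cfg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2))
            cfg.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            cfg[current][m.group(1).lower()] = m.group(2)
    return cfg


def looks_like_git_config(body: str) -> bool:
    """True only for a genuine Git config: a [core] section with repositoryformatversion,
    which every repository created by git has. HTML or JSON bodies fail this check."""
    if body.lstrip().startswith("<"):
        return False
    core = parse_git_config(body).get(("core", None), {})
    return "repositoryformatversion" in core


def embedded_credentials(cfg: dict) -> list:
    """Return (remote_name, host) for every http(s) remote whose URL carries userinfo.

    Both user:password and the bare-token-as-username form count. The secret itself is
    deliberately not returned, so the result can be logged without re-leaking it.
    scp-style URLs (git@host:path) hold no secret in the config and are skipped.
    """
    found = []
    for (section, name), opts in cfg.items():
        if section != "remote" or "url" not in opts:
            continue
        parts = urlsplit(opts["url"])
        if parts.scheme in ("http", "https") and (parts.username or parts.password):
            found.append((name, parts.hostname))
    return found


def redact_url(url: str) -> str:
    """Strip userinfo from an http(s) URL so the remote can be reported safely."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.username:
        return url
    netloc = parts.hostname + (f":{parts.port}" if parts.port else "")
    return parts._replace(netloc=netloc).geturl()


def triage(body: str) -> dict:
    """One call per fetched body: exposure verdict plus the remotes that leak credentials."""
    if not looks_like_git_config(body):
        return {"exposed": False, "leaks": []}
    return {"exposed": True, "leaks": embedded_credentials(parse_git_config(body))}


if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
    print(triage(SAMPLE_GIT_CONFIG))
    print(redact_url("https://deploybot:EXAMPLE_TOKEN_0000@github.com/acme/payments.git"))
```

Two design points matter in practice. First, the repositoryformatversion check is what separates a real exposure from the thousands of hosts that answer every path with a 200 and an HTML body; a scanner that skips it produces the noisy URL lists the page mentions. Second, the leak report carries only the remote name and host, never the userinfo itself, so the output of an internal sweep does not become a second copy of the secret.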

Two primary toolsets, MZR V2 (Mizaru) and Seyzo-v2, were observed to support this large-scale operation. For Laravel applications, the Multigrabber v8.5 tool was used to scan domains for .env files, steal them, and classify the data based on its usability.

Suggested Corrections:
Sysdig found that one compromised S3 bucket contained over a terabyte of sensitive data, including stolen credentials and logging information. Data collected indicates that EmeraldWhale accessed 67,000 URLs with exposed configuration files, stealing 15,000 cloud credentials in the process.

Among these URLs, 28,000 corresponded to Git repositories, including 6,000 GitHub tokens and 2,000 active credentials. In addition to large platforms like GitHub, GitLab, and BitBucket, the attackers also targeted 3,500 smaller repositories belonging to individual developers and small teams.

According to Sysdig, lists of URLs pointing to exposed Git configuration files sell for around $100 on platforms like Telegram. Those who exfiltrate and validate credentials, however, have more lucrative options for monetization.

Though the campaign relies on automated and readily available tools, its reach is considerable, posing serious security threats to the developers affected.

To mitigate these risks, developers should keep secrets in a dedicated secret management tool and inject them as environment variables at runtime, rather than embedding them in Git configuration files, remote URLs, or committed .env files. Use a Git credential helper or SSH keys with scoped, short-lived tokens so that no secret ever lands in .git/config. Configure web servers to deny requests for /.git/ and for .env files, and check deployed hosts for those paths the same way the attackers do. Any token found in an exposed configuration file should be treated as compromised and rotated, and the repositories it unlocked should be reviewed for further embedded credentials.

Link(s):
https://sysdig.com/blog/emeraldwhale/