A massive cyberattack known as "EmeraldWhale" has compromised more than 15,000 cloud credentials by exploiting exposed Git configuration files in thousands of private repositories. Sysdig, the company that uncovered this operation, reports that EmeraldWhale uses automated tools to scan IP ranges for these exposed files, often containing sensitive authentication tokens.
These tokens are exploited to access and download repositories from platforms such as GitHub, GitLab, and BitBucket. The stolen information is then examined for further credentials and uploaded to Amazon S3 buckets, which were later leveraged in phishing and spam campaigns or sold directly to other cybercriminals.
Exposed Git configuration files, such as /.git/config or .gitlab-ci.yml, hold essential repository data and can include sensitive API keys, access tokens, and passwords. Developers sometimes commit these tokens to private repositories for convenience, so that API interactions do not require repeated authentication; this is safe only as long as the files stay private. If the Git directory is accidentally exposed, attackers can easily locate and misuse the data.
EmeraldWhale operators utilize open-source tools, including ‘httpx’ and ‘Masscan,’ to scan websites across 500 million IP addresses spanning over 12,000 IP ranges. The attackers also created files containing over 4.2 billion IPv4 addresses to streamline future scans. They specifically target exposed /.git/config files and Laravel application files, which may hold additional credentials like API keys and cloud account information.
Once an exposed file is found, the tokens it contains are validated with ‘curl’ commands. If a token is confirmed as active, the attackers download the associated private repositories and scan them for secrets tied to AWS, other cloud platforms, and email services. Exposed email credentials are then used to run spam and phishing campaigns.
Sysdig observed that the operation used automated toolsets such as MZR V2 (Mizaru) and Seyzo-v2, along with Multigrabber v8.5, to target and extract information from exposed Laravel .env files. An analysis of one exposed S3 bucket revealed around one terabyte of data, including sensitive credentials and log data.
EmeraldWhale reportedly stole credentials from over 67,000 URLs with exposed configuration files, including 28,000 Git repositories and 6,000 GitHub tokens. Sysdig’s analysis indicates that around 2,000 of these tokens were verified as active. Small repositories belonging to individual developers were also targeted, with lists of URLs pointing to exposed Git configuration files being sold on Telegram for around $100.
Sysdig advises developers to adopt secret management tools and environment variables for sensitive data to reduce the risk of exposure.
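Beyond keeping secrets out of repositories, a defender can check web server access logs for the probing and exposure pattern described above: requests for /.git/config, /.env and .gitlab-ci.yml, and, more importantly, whether the server answered 200 (the file was actually served). The following script is an added example, not code from Sysdig or the article; the log lines and IP addresses are constructed samples in the standard "combined" log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Oct/2024:10:01:02 +0000] "GET /.git/config HTTP/1.1" 200 311 "-" "httpx/1.3"
203.0.113.7 - - [30/Oct/2024:10:01:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "httpx/1.3"
198.51.100.9 - - [30/Oct/2024:10:05:44 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Oct/2024:10:05:45 +0000] "GET /.gitlab-ci.yml HTTP/1.1" 403 92 "-" "Mozilla/5.0"
192.0.2.33 - - [30/Oct/2024:10:07:10 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.4"
"""

# Paths the article names as targets, plus anything under /.git/ (e.g. HEAD, the usual first probe).
SENSITIVE_PATHS = (r"/\.git/", r"/\.env$", r"/\.gitlab-ci\.yml$")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_sensitive(path):
    """True if the request path targets a Git or environment configuration file."""
    path = path.split("?", 1)[0]  # drop any query string before matching
    return any(re.search(p, path) for p in SENSITIVE_PATHS)

def analyze(log_text):
    """Group sensitive requests by client IP; a 200 response means the file was served (exposure)."""
    findings = defaultdict(lambda: {"probes": 0, "exposed": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec["path"]):
            continue
        entry = findings[rec["ip"]]
        entry["probes"] += 1
        if rec["status"] == "200":
            entry["exposed"].append(rec["path"])
    return dict(findings)

if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        level = "EXPOSURE" if f["exposed"] else "probe"
        print(f"{level:8} {ip}: {f['probes']} sensitive request(s), served: {f['exposed']}")
```

A 404 or 403 for these paths is just reconnaissance noise; a 200 means the repository metadata or .env file left the server and any token inside it should be treated as compromised and rotated.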