EMERALDWHALE Campaign Targets Exposed Git Configurations

A large-scale credential-theft campaign, codenamed EMERALDWHALE, has been uncovered targeting exposed Git configuration files to steal credentials and other sensitive information. The operation harvested more than 10,000 private repositories; the stolen data was found in an Amazon S3 storage bucket that belonged to a prior victim.

The attackers scanned broad IP address ranges for hosts that serve a Git configuration file (.git/config) over HTTP, using tools such as MZR V2 and Seyzo-v2 to pull credentials out of those files. With the stolen tokens they cloned both public and private repositories, extracted further credentials from the source code, and uploaded the haul to an S3 bucket that held over 15,000 stolen credentials.

Sysdig researchers found that the attackers combined legitimate search engines with scanning utilities such as MASSCAN to compile the lists of IP addresses they targeted. They also observed an underground market for Git configuration files: a list of over 67,000 URLs pointing at exposed /.git/ paths was offered for sale via Telegram.
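To make concrete what the scanners described above look for, here is an added example (not code from the page, from Sysdig, or from the campaign's MZR V2 / Seyzo-v2 tooling) that takes the body a web server returns for `GET /.git/config`, decides whether it is really a Git configuration file rather than a catch-all HTML page, extracts the remote URLs, and flags any remote whose URL embeds a username or token. The sample config, the host names and the `ghp_EXAMPLE...` token in it are constructed for illustration; the token-prefix regex is only a hint, since most secrets have no recognisable prefix.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of what a web server might return for GET /.git/config
# when the .git directory is exposed. Host names and the token are made up.
SAMPLE_CONFIG = """\
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
[remote "origin"]
	url = https://deploy-bot:ghp_EXAMPLE0000000000000000000000000000@github.com/acme-corp/internal-api.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
	url = git@gitlab.example.com:acme-corp/internal-api.git
[branch "main"]
	remote = origin
	merge = refs/heads/main
"""

# Prefixes used by GitHub (ghp_/gho_/ghu_/ghs_/ghr_), GitLab (glpat-) and
# Slack (xoxa-/xoxb-/xoxp-) tokens. Only a hint: plenty of secrets carry no
# recognisable prefix, so absence of a match proves nothing.
TOKEN_HINT = re.compile(r"^(gh[pousr]_|glpat-|xox[abp]-)")


def looks_like_git_config(body):
    """Distinguish a real .git/config from a 200 response that is actually
    an HTML error page (common with catch-all routes). Both markers are
    written by `git init`, so their presence is a strong signal."""
    return "[core]" in body and "repositoryformatversion" in body


def parse_remotes(body):
    """Return {remote_name: url} from git-config text. Git's format is
    INI-like but uses tab-indented keys and quoted subsections, so a small
    hand-rolled parser is used rather than configparser."""
    remotes = {}
    current = None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            m = re.fullmatch(r'\[remote\s+"([^"]+)"\]', line)
            current = m.group(1) if m else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "url":
                remotes[current] = value.strip()
    return remotes


def embedded_credential(url):
    """Return (username, secret, host) if an http(s) remote URL carries
    userinfo, else None. scp-style remotes (git@host:path) carry no secret
    in the URL itself, so they are skipped."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return None
    # A token may appear as the password (user:token@host) or alone as the
    # username (token@host); GitHub and GitLab both accept the latter.
    secret = parts.password if parts.password is not None else parts.username
    return parts.username, secret, parts.hostname


def redact_url(url):
    """Replace the userinfo part of an http(s) URL with '***' so a finding
    can be logged without re-leaking the secret."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit(parts._replace(netloc="***@" + host))


def assess(body):
    """Summarise one fetched /.git/config body: whether it is exposed, which
    remotes it declares, and which of them leak a credential."""
    if not looks_like_git_config(body):
        return {"exposed": False, "remotes": {}, "leaks": []}
    remotes = parse_remotes(body)
    leaks = []
    for name, url in remotes.items():
        cred = embedded_credential(url)
        if cred is None:
            continue
        username, secret, host = cred
        leaks.append({
            "remote": name,
            "host": host,
            "username": username,
            "secret": secret,
            "looks_like_token": bool(TOKEN_HINT.match(secret or "")),
            "redacted_url": redact_url(url),
        })
    return {"exposed": True, "remotes": remotes, "leaks": leaks}


if __name__ == "__main__":
    result = assess(SAMPLE_CONFIG)
    print("exposed:", result["exposed"])
    for leak in result["leaks"]:
        print(f"remote {leak['remote']!r} leaks credentials for "
              f"{leak['username']}@{leak['host']}: {leak['redacted_url']}")
```

To run this against a real host, fetch `https://<host>/.git/config` with any HTTP client and pass the response body to `assess`. Note that `exposed == True` is a finding in its own right even when `leaks` is empty: if the config is served, the rest of the `.git` directory usually is too, and the repository can be reconstructed from it. Any credential that is flagged should be treated as compromised and rotated, and the web server should deny every path under `/.git/`.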

The EMERALDWHALE campaign highlights the importance of secret management, but also shows that secret management alone is not enough to secure an environment: there are too many places credentials can leak from, and an exposed Git configuration file is only one of them. The operation demonstrates a growing threat and the need for increased vigilance among developers and organizations.
Source: https://thehackernews.com/2024/11/massive-git-config-breach-exposes-15000.html?m=1