{"id":57555,"date":"2024-11-01T14:34:08","date_gmt":"2024-11-01T14:34:08","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/36547\/EmeraldWhale-Steals-15-000-Credentials-From-Exposed-Git-Configurations.html"},"modified":"2024-11-01T14:34:08","modified_gmt":"2024-11-01T14:34:08","slug":"emeraldwhale-steals-15000-credentials-from-exposed-git-configurations","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/emeraldwhale-steals-15000-credentials-from-exposed-git-configurations\/","title":{"rendered":"EmeraldWhale Steals 15,000 Credentials From Exposed Git Configurations"},"content":{"rendered":"
<\/div>\n

A bad actor identified as EmeraldWhale was observed running a global operation that targeted exposed Git configurations<\/a> \u2014 a campaign that resulted in more than 15,000 cloud service credentials stolen.<\/p>\n

The Sysdig Threat Research Team<\/a> said Oct. 30 that the threat actor abused multiple misconfigured web services that let attackers steal credentials, clone private repositories, and extract cloud credentials from their source code.<\/p>\n

The kicker: the stolen data was stored in an S3 bucket<\/a> of a previous victim. <\/p>\n

Sysdig researchers said that while EmeraldWhale relied solely on misconfigurations rather than vulnerabilities \u2014 which isn\u2019t unique \u2014 what was different was the target: exposed Git configuration files.<\/p>\n

Here\u2019s how the Sysdig researchers found the EmeraldWhale campaign: While monitoring the Sysdig cloud honeypot, the researchers observed an unusual ListBuckets call using a compromised account. The S3 bucket<\/a>, s3simplisitter, that was referenced did not belong to Sysdig\u2019s account. Instead, it belonged to an unknown account and was publicly exposed. While investigating this bucket, the researchers discovered malicious tools and over a terabyte of data, which included compromised credentials and logging data. In doing an analysis, the researchers discovered a multi-faceted attack, including web scraping GitHub config files, Laravel .env files, and raw web data.  <\/strong><\/p>\n

Sysdig then reached out to AWS to report the bucket \u2014 and AWS promptly took it down. <\/p>\n

These files and the credentials they contain offer access to private repositories that normally would be difficult to access, explained the Sysdig researchers. In a private repository, developers may be more prone to include secrets because it offers a false sense of security. <\/p>\n

\u201cThe underground market for credentials is booming, especially for cloud services,\u201d wrote the researchers. \u201cThis attack shows that secrets management alone is not enough to secure an environment. There are just too many places credentials could leak from. Monitoring the behavior of any identities associated with credentials has become a requirement to protect against these threats.”<\/p>\n

Attackers continue to steal credentials<\/h2>\n

This campaign is yet another example of how credentials continue to be a top target for hackers, said Rom Carmel, co-founder and CEO at Apono. Carmel said with the right set of credentials, an attacker can compromise an identity and gain access to all of the resources they have privileges to, offering malicious actors a potentially unending list of enticing targets.<\/p>\n

\u201cWhile MFA is a crucial first step in protecting identities after stolen credentials fall into the wrong hands, we\u2019ve seen the steady stream of credential-stuffing attacks as proof that we need to do more,\u201d said Carmel. \u201cImplementing \u2018just-in-time\u2019 access security removes the opportunity for attackers to abuse credentials by simply ensuring that access is only available when it is needed. This, along with right-sizing excessive privileges, goes a long way in reducing the blast radius in an event like this where such a sensitive stash of credentials have been compromised.\u201d<\/p>\n

Elad Luz, head of research at Oasis Security, added that the attack highlights the critical need for a comprehensive strategy to secure and manage non-human identities (NHIs), such as secrets, keys, and tokens. Luz said implementing automated security protocols, including continuous scanning and credential rotation, can help reduce the risk of similar incidents.<\/p>\n

Luz said teams should consider the following actions in response:<\/p>\n

\n