10,000 private repos were cloned in a massive Git configuration breach that exposed 15,000 credentials.

A "massive" campaign that targets vulnerable Git setups to clone private repositories, steal cloud credentials from the source code, and spoof credentials has been discovered by cybersecurity researchers.

Over 10,000 private repositories are thought to have been gathered by the activity, nicknamed EMERALDWHALE, and saved in an Amazon S3 storage bucket that belonged to a previous victim. Amazon has since removed the bucket, which contained at least 15,000 stolen credentials.

"The stolen credentials belong to Cloud Service Providers (CSPs), Email providers, and other services," Sysdig stated in its report. "Phishing and spam seem to be the primary goal of stealing the credentials." Despite its lack of sophistication, the multifaceted criminal enterprise has been found to use a variety of proprietary tools to scrape raw site data, Laravel .env files, and Git configuration files in addition to stealing credentials. No known threat actor or group has been implicated.

By employing wide IP address ranges to target servers with exposed Git repository configuration files, EMERALDWHALE's toolkit enables the identification of pertinent hosts as well as the extraction and validation of credentials. More credentials hidden in the source code are then obtained by cloning public and private repositories using these stolen tokens. Finally, the information that was captured is uploaded to the S3 bucket.

MZR V2 and Seyzo-v2, two well-known tools that the threat actor uses to accomplish its objectives, are offered for sale on underground markets and take a list of IP addresses as input for scanning and exploiting exposed Git repositories. Such lists are usually generated with scanning tools like MASSCAN, Google dorks, and search engines like Shodan.

Furthermore, a list of over 67,000 URLs with the path "/.git/config" exposed is being sold on Telegram for $100, according to Sysdig's investigation, indicating that there is a market for Git configuration files. Miguel Hernández, a researcher at Sysdig, stated: "EMERALDWHALE not only targeted Git configuration files but also exposed Laravel environment files. The .env files contain a wealth of credentials, including cloud service providers and databases."
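The two artifacts named in this article (exposed `/.git/config` files and Laravel `.env` files, and remote URLs in a Git config that carry a token) can be checked for from the defender's side. The following is an added example, not code from the article or from Sysdig: it parses Common Log Format access-log lines for requests to those paths, reports which were actually served (HTTP 200, i.e. the file is exposed), and scans a `.git/config` for remote URLs that embed `user:token@host`. The log lines, the IP addresses (documentation ranges), the repository name and the `PLACEHOLDER_TOKEN` value are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Paths the campaign described above probes for: exposed Git configuration
# files and Laravel .env files. Any request to them is worth flagging; a 200
# response means the web server actually served the file.
SENSITIVE_SUFFIXES = ("/.git/config", "/.env")

# Common Log Format: IP, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_log_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_probes(lines):
    """Return (ip, path, status) for every request aimed at a sensitive path."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if any(path.endswith(suffix) for suffix in SENSITIVE_SUFFIXES):
            hits.append((rec["ip"], path, rec["status"]))
    return hits


def exposed_paths(hits):
    """Paths that were served with HTTP 200: these files are exposed and need fixing."""
    return {path for _, path, status in hits if status == 200}


def embedded_credentials(config_text):
    """Find remote URLs in a .git/config whose authority part embeds user:token.

    Returns (username, hostname) pairs; the secret itself is deliberately not
    returned so the report can be logged safely. SSH-style remotes such as
    git@host:org/repo.git have no URL authority and are therefore not flagged.
    """
    found = []
    for m in re.finditer(r'^\s*url\s*=\s*(\S+)', config_text, re.MULTILINE):
        parts = urlsplit(m.group(1))
        if parts.username or parts.password:
            found.append((parts.username, parts.hostname))
    return found


# Constructed sample data (not from the article): one host probing the sensitive
# paths, one normal visitor, and a git config with a placeholder token embedded
# in the HTTPS remote URL.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "GET /.git/config HTTP/1.1" 200 312
203.0.113.5 - - [10/Oct/2024:12:00:02 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [10/Oct/2024:12:00:04 +0000] "GET /app/.git/config?x=1 HTTP/1.1" 403 120
"""

SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy:PLACEHOLDER_TOKEN@github.com/example-org/example-repo.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:example-org/example-repo.git
"""

if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG.splitlines())
    for ip, path, status in hits:
        print(f"probe from {ip}: {path} -> {status}")
    print("exposed:", sorted(exposed_paths(hits)))  # ['/.git/config']
    for user, host in embedded_credentials(SAMPLE_GIT_CONFIG):
        print(f"credential embedded in remote URL for {user}@{host}")
```

Run against real logs, a single 200 for `/.git/config` is the finding that matters: the request itself is just scanning noise, but a served file means the remote URL (and any token inside it) is now public and the token should be revoked, not merely removed from the config.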

"Especially for cloud services, the black market for credentials is flourishing. This exploit demonstrates that environment security requires more than just secret management."