A bad actor identified as EmeraldWhale was observed running a global operation that targeted exposed Git configurations — a campaign that resulted in more than 15,000 cloud service credentials stolen.
The Sysdig Threat Research Team said Oct. 30 that the threat actor abused multiple misconfigured web services that let attackers steal credentials, clone private repositories, and extract cloud credentials from their source code.
Sysdig researchers said that while EmeraldWhale relied solely on misconfigurations rather than software vulnerabilities, which isn't unique, what was different was the target: Git configuration files (the .git/config file of a checked-out repository) left reachable on misconfigured web servers.
Here's how the Sysdig researchers found the EmeraldWhale campaign: While monitoring the Sysdig cloud honeypot, the researchers observed an unusual ListBuckets call made with a compromised account. The S3 bucket it referenced, s3simplisitter, did not belong to Sysdig's account. Instead, it belonged to an unknown account and was publicly exposed. Investigating this bucket, the researchers discovered malicious tools and over a terabyte of data, including compromised credentials and logging data. Analyzing that data, the researchers uncovered a multi-faceted attack that included web scraping of Git config files, Laravel .env files, and raw web data.
These files and the credentials they contain offer access to private repositories that normally would be difficult to access, explained the Sysdig researchers. In a private repository, developers may be more prone to include secrets because it offers a false sense of security.
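To make the two file types concrete, here is an added example (written for this article, not Sysdig's tooling or the attacker's scraper) that does the defensive version of what the campaign automated: it checks whether a fetched page body is really a Git config, pulls out remote URLs whose embedded username:token would let a stranger clone the private repository, and lists the secret-bearing keys in a Laravel .env file. The sample config, the .env contents, the host names and the token values are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of an exposed .git/config, as a scanner would receive it
# from GET /.git/config on a misconfigured web server (hypothetical values).
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://deploy-bot:ghp_EXAMPLETOKEN0123456789@github.com/example-org/private-app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.example.com:example-org/private-app.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""

# Constructed sample of a Laravel .env file served by the same kind of misconfiguration.
SAMPLE_ENV = """\
APP_ENV=production
APP_KEY=base64:EXAMPLEKEY=
DB_PASSWORD=s3cret
AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000001
AWS_SECRET_ACCESS_KEY=EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0
MAIL_HOST=smtp.example.com
"""

# Git config syntax: [section] or [section "subsection"] headers, then key = value lines.
SECTION_RE = re.compile(r'^\s*\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*([\w.-]+)\s*=\s*(.*?)\s*$')
SENSITIVE_ENV_KEY_RE = re.compile(r'(KEY|SECRET|TOKEN|PASSWORD|PASS)', re.I)


def parse_git_config(text):
    """Return {(section, subsection): {key: value}} for a git config file."""
    sections = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2))
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections


def looks_like_git_config(body):
    """Heuristic a scanner uses to tell a real .git/config from an error page: a [core] section."""
    return ("core", None) in parse_git_config(body)


def remote_credentials(text):
    """List (remote name, username, host) for HTTP(S) remotes whose URL embeds a password or token."""
    findings = []
    for (section, name), keys in parse_git_config(text).items():
        if section != "remote" or "url" not in keys:
            continue
        parts = urlsplit(keys["url"])
        # scp-style URLs (git@host:org/repo.git) have no scheme and carry no secret; skip them.
        if parts.scheme in ("http", "https") and parts.password:
            findings.append((name, parts.username, parts.hostname))
    return findings


def sensitive_env_keys(text):
    """Return the keys in a .env file whose name suggests a secret and whose value is non-empty."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if SENSITIVE_ENV_KEY_RE.search(key) and value.strip():
            keys.append(key.strip())
    return keys


if __name__ == "__main__":
    print("git config recognised:", looks_like_git_config(SAMPLE_GIT_CONFIG))
    for remote, user, host in remote_credentials(SAMPLE_GIT_CONFIG):
        print(f"remote {remote!r} embeds a credential for {user}@{host}")
    print("secret-bearing .env keys:", sensitive_env_keys(SAMPLE_ENV))
```

Run against your own hosts by fetching https://host/.git/config and https://host/.env and passing the bodies to these functions; a non-empty result from remote_credentials is the exact condition the article describes, a token that grants clone access to a repository nobody intended to publish. Blocking access to /.git/ and /.env at the web server, and using a credential helper instead of tokens in remote URLs, removes both findings.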