Operation EMERALDWHALE compromises over 15,000 cloud credentials, exploiting exposed Git and Laravel files. Attackers use compromised S3 buckets for storage, increasing the risks of phishing and cloud account breaches.
The Sysdig Threat Research Team discovered a global operation called EMERALDWHALE, which targeted Git configurations, resulting in over 15,000 cloud service credentials being stolen. The primary goal of stealing credentials was phishing and spam, with the credentials potentially worth hundreds of dollars per account.
The Attack Chain
The campaign used private tools to abuse misconfigured web services, allowing attackers to steal credentials, clone repositories, and extract cloud credentials from their source code. Over 10,000 private repositories were collected, and the stolen data was stored in a previous victim’s S3 bucket.
The Sysdig Threat Research Team reported that attackers used tools such as httpx and Masscan to scan large portions of the internet for servers with exposed Git configuration files (/.git/config
) and Laravel environment files (.env
). Upon finding exposed files, attackers leveraged tools like MZR V2 and Seyzo-v2 to extract sensitive information, including usernames, passwords, and API keys, using regular expressions to locate relevant data within the files.
The stolen credentials enabled attackers to clone private repositories, exposing additional sensitive data, such as source code. Verified credentials were then tested across various cloud services to find valid ones, which were afterwards used for malicious activities, including phishing, spam campaigns, or further compromises of cloud accounts. Ultimately, the attackers uploaded stolen data to compromised S3 buckets.
EMERALDWHALE’s Tools of Choice
The investigation identified two main tools used by EMERALDWHALE: MZR V2 (MIZARU) and Seyzo-v2. MZR V2, a suite of Python and shell scripts, supports target discovery, credential extraction, repository cloning, and credential validation. Similarly, Seyzo-v2 automates credential theft from exposed Git configurations through scripts, enabling attackers to locate and extract sensitive data efficiently.
In addition to Git configurations, EMERALDWHALE also targeted exposed Laravel environment files (.env). These files often contain sensitive information like database credentials and cloud service API keys. Multigrabber v8.5 is a popular tool used to exploit vulnerabilities in Laravel and steal this sensitive data.
Operation EMERALDWHALE is one of the examples of how the stolen credentials market has become a lucrative business for cybercriminals. For example, target lists of exposed Git configurations were found to be sold for around $100. Valid cloud service credentials can also be sold in bulk or through automated shops, fetching a huge profit for attackers.
The finding shows the importance of proper configuration management in securing sensitive information. Ensuring Git configuration files are not publicly accessible, limiting access to necessary variables, and conducting regular vulnerability scans are crucial to staying protected.
“This attack shows that secret management alone is not enough to secure an environment. There are just too many places credentials could leak from. Monitoring the behaviour of any identities associated with credentials is becoming a requirement to protect against these threats,” the report read.
Rom Carmel, Co-Founder and CEO at Apono, weighed in on the recent development stating “This is yet another example of how credentials remain a top target for hackers who follow the adage, ‘teach a man to phish, and he’ll have access for a lifetime.’“
“With the right credentials, attackers can access all resources an identity is privileged to, creating an endless list of potential targets. Given the rise in leaked credentials and the availability of phishing kits bypassing MFA, organizations must adopt an ‘assumed breach’ posture.”
RELATED TOPICS
- Best Practices for Cloud Computing Security
- Abandoned S3 Buckets Used for Malicious Payloads
- 350 million credentials exposed on misconfigured AWS S3 bucket
- iOS and Android Users at Risk as Popular Apps Expose Cloud Keys
- AI Firm’s Misconfigured Server Leaked 5.3TB of Mental Health Records