BleepingComputer reports that the EmeraldWhale threat operation has exfiltrated more than 15,000 cloud account credentials belonging to private repositories from exposed Git configuration files, which contain repository paths and, in some cases, authentication details.
According to a Sysdig report, EmeraldWhale used the open-source tools 'httpx' and 'Masscan' to scan websites for exposed /.git/config files and for environment files in Laravel apps. After verifying the exposed tokens, the attackers downloaded the private repositories and scanned them again for AWS, cloud, and email service authentication secrets, researchers said. The stolen data, which was exfiltrated to another victim's S3 bucket, was obtained from 67,000 URLs, more than a third of which were Git repositories, with GitHub accounting for most of the compromised credentials. The attackers also traded lists of exposed Git configuration file URLs on Telegram, researchers added.
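As an added example (not code from the report or from the researchers' tooling), the following Python check lets a defender audit their own .git/config files for remote URLs that embed a username or token, the kind of authentication detail this campaign harvested from exposed configs. The sample config, hostnames, and the token value are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a .git/config as a misconfigured web server would serve
# it at /.git/config. The token value is a placeholder, not a real credential.
SAMPLE_GIT_CONFIG = """\
[core]
\tbare = false
[remote "origin"]
\turl = https://deploy-bot:ghp_PLACEHOLDERTOKEN0000000000@github.com/example-org/private-app.git
[remote "mirror"]
\turl = git@gitlab.example.com:example-org/private-app.git
"""

SECTION_RE = re.compile(r'^\s*\[([^\]]+)\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')

def parse_git_config(text):
    """Parse git's INI-like config into {(section, key): [values]} (duplicates kept)."""
    entries, section = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(('#', ';')):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            entries.setdefault((section, m.group(1).lower()), []).append(m.group(2))
    return entries

def find_embedded_credentials(config_text):
    """Report http(s) remote URLs that carry a user and/or secret in the URL itself."""
    findings = []
    for (section, key), urls in parse_git_config(config_text).items():
        if not section.startswith('remote ') or key != 'url':
            continue
        for url in urls:
            p = urlsplit(url)
            if p.scheme not in ('http', 'https') or not (p.username or p.password):
                continue  # SSH/scp-style remotes carry no token in the URL
            netloc = p.hostname + (f':{p.port}' if p.port else '')
            findings.append({
                'remote': section.split(' ', 1)[1].strip('"'),
                'username': p.username, 'secret_in_url': p.password is not None,
                'redacted_url': urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment)),
            })
    return findings
```

Any finding means the secret must be rotated and the remote rewritten to use a credential helper or SSH key; blocking web access to /.git/ and .env is the separate fix for the exposure itself.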