A bad actor identified as EmeraldWhale was observed running a global operation that targeted exposed Git configurations — a campaign that resulted in more than 15,000 cloud service credentials stolen.
The Sysdig Threat Research Team said Oct. 30 that the threat actor abused multiple misconfigured web services that let attackers steal credentials, clone private repositories, and extract cloud credentials from their source code.
The kicker: the stolen data was stored in an S3 bucket of a previous victim.
Sysdig researchers said that while EmeraldWhale relied solely on misconfigurations rather than vulnerabilities — which isn’t unique — what was different was the target: exposed Git configuration files.
Here’s how the Sysdig researchers found the EmeraldWhale campaign: While monitoring the Sysdig cloud honeypot, the researchers observed an unusual ListBuckets call using a compromised account. The S3 bucket, s3simplisitter, that was referenced did not belong to Sysdig’s account. Instead, it belonged to an unknown account and was publicly exposed. While investigating this bucket, the researchers discovered malicious tools and over a terabyte of data, which included compromised credentials and logging data. In doing an analysis, the researchers discovered a multi-faceted attack, including web scraping GitHub config files, Laravel .env files, and raw web data.
Sysdig then reached out to AWS to report the bucket — and AWS promptly took it down.
These files and the credentials they contain offer access to private repositories that normally would be difficult to access, explained the Sysdig researchers. In a private repository, developers may be more prone to include secrets because it offers a false sense of security.
“The underground market for credentials is booming, especially for cloud services,” wrote the researchers. “This attack shows that secrets management alone is not enough to secure an environment. There are just too many places credentials could leak from. Monitoring the behavior of any identities associated with credentials has become a requirement to protect against these threats."
Attackers continue to steal credentials
This campaign is yet another example of how credentials continue to be a top target for hackers, said Rom Carmel, co-founder and CEO at Apono. Carmel said with the right set of credentials, an attacker can compromise an identity and gain access to all of the resources they have privileges to, offering malicious actors a potentially unending list of enticing targets.
“While MFA is a crucial first step in protecting identities after stolen credentials fall into the wrong hands, we’ve seen the steady stream of credential-stuffing attacks as proof that we need to do more,” said Carmel. “Implementing ‘just-in-time’ access security removes the opportunity for attackers to abuse credentials by simply ensuring that access is only available when it is needed. This, along with right-sizing excessive privileges, goes a long way in reducing the blast radius in an event like this where such a sensitive stash of credentials have been compromised.”
Elad Luz, head of research at Oasis Security, added that the attack highlights the critical need for a comprehensive strategy to secure and manage non-human identities (NHIs), such as secrets, keys, and tokens. Luz said implementing automated security protocols, including continuous scanning and credential rotation, can help reduce the risk of similar incidents.
Luz said teams should consider the following actions in response:
