Git credentials and repository leakage

Updated on 30/10/2024

30/10/2024

The Sysdig Threat Research Team (TRT) has uncovered the global operation dubbed EMERALDWHALE, which has resulted in the theft of 15,000 credentials from both public and private Git repositories. While the aim is to use these credentials for phishing and spam campaigns, a list of more than 67,000 URLs including exposed information from the /.git/config path has also been discovered and is being sold via Telegram, showing that there is an active market for this type of data.

Additionally, this investigation reported that EMERALDWHALE not only searched for misconfigured servers and exposed credentials, but also used web scraping followed by extraction of cloud credentials on the collected assets.

The stolen information was hosted in an AWS S3 bucket and belongs to various CSPs (cloud service providers), email providers and other services. EMERALDWHALE used the MZR V2 (MIZARU) and Seyzo-v2 tools, with which it obtained more than 500 million IP addresses distributed over 12,000 ranges, about 500,000 domains and around 1 million EC2 hostnames.

References

30/10/2024

sysdig.com

EMERALDWHALE: 15k Cloud Credentials Stolen in Operation Targeting Exposed Git Config Files
31/10/2024

scworld.com

Massive cloud credential theft conducted via exposed Git configuration breach
01/11/2024

thehackernews.com

Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned
05/11/2024

unaaldia.hispasec.com

Brecha masiva en Git: 15,000 Credenciales Robadas y 10,000 Repositorios Privados en Riesgo

Etiquetas