Git credentials and repository leakage
The Sysdig Threat Research Team (TRT) has uncovered a global operation dubbed EMERALDWHALE, which has resulted in the theft of 15,000 credentials from both public and private Git repositories. While the aim is to use these credentials for phishing and spam campaigns, a list of more than 67,000 URLs with exposed information from the /.git/config path has also been discovered and is being sold via Telegram, showing that there is an active market for this type of data.
Additionally, the investigation found that EMERALDWHALE not only searched for misconfigured servers and exposed credentials, but also used web scraping followed by extraction of cloud credentials from the collected assets.
The stolen information was hosted in an AWS S3 bucket and includes credentials for various CSPs (cloud service providers), email providers and other services. EMERALDWHALE used the MZR V2 (MIZARU) and Seyzo-v2 tools, with which it obtained more than 500 million IP addresses distributed over 12,000 ranges, about 500,000 domains and around 1 million EC2 hostnames.
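As an added defender-side example (not code from the Sysdig report or the sources below), the following Python audits a .git/config for remote URLs that carry embedded user:password credentials, and picks out access-log entries where a path under /.git/ was actually served with a 200; the config, the log lines and the token value are constructed samples.

```python
import re
from configparser import ConfigParser
from urllib.parse import urlsplit

# Constructed .git/config as served from an exposed /.git/config path; the token is a placeholder.
SAMPLE_GIT_CONFIG = """\
[core]
	repositoryformatversion = 0
[remote "origin"]
	url = https://deploy:ghp_EXAMPLETOKEN@github.com/example-org/app.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
	url = git@gitlab.example.com:example-org/app.git
"""

# Constructed access-log lines (common log format) for the detection side.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Oct/2024:10:00:01 +0000] "GET /.git/config HTTP/1.1" 200 312
203.0.113.5 - - [31/Oct/2024:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
198.51.100.7 - - [31/Oct/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

def find_embedded_credentials(config_text):
    """Return (remote, username, host) for each remote whose URL carries a
    user:password pair. The secret itself is left out so results log safely."""
    # git's tab-indented, quoted section headers parse with ConfigParser;
    # strict=False tolerates repeated keys, interpolation=None keeps '%' literal.
    parser = ConfigParser(strict=False, interpolation=None)
    parser.read_string(config_text)
    findings = []
    for section in parser.sections():
        m = re.fullmatch(r'remote "(.+)"', section)
        if not m or not parser.has_option(section, "url"):
            continue
        parts = urlsplit(parser.get(section, "url"))
        if parts.password is not None:  # scp-style git@host:path has no password
            findings.append((m.group(1), parts.username, parts.hostname))
    return findings

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (/\.git/\S*) [^"]*" (\d{3})')

def served_git_paths(log_text):
    """(client, path) for requests under /.git/ answered with 200, i.e. the
    repository metadata was actually served, not merely probed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3) == "200":
            hits.append((m.group(1), m.group(2)))
    return hits
```

Running both functions over a real deployment's .git/config and web server logs gives a quick answer to the two questions this campaign raises: is repository metadata reachable over HTTP, and would it leak a credential if it were.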
- 31/10/2024 scworld.com
- 01/11/2024 thehackernews.com
- 05/11/2024 unaaldia.hispasec.com