EmeraldWhale's Massive Git Breach Highlights Config Gaps

Published: 23/11/2024   Category: security




The large-scale operation took advantage of open repositories, hardcoded credentials in source code, and other cloud oversights.



Earlier this week, researchers uncovered a major cybercriminal operation, dubbed EmeraldWhale, after the attackers dumped more than 15,000 credentials into a stolen, open AWS S3 bucket in a massive Git repository theft campaign. The incident is a reminder to tighten up cloud configurations and review source code for mistakes like the inclusion of hardcoded credentials.
Over the course of the onslaught, EmeraldWhale targeted Git configurations in order to steal credentials, cloned more than 10,000 private repositories, and extracted cloud credentials from source code. 
The campaign used a variety of private tools to abuse misconfigured Web and cloud services, according to the Sysdig Threat Research Team, which discovered the global operation. Phishing is the primary tool the campaign used to steal the credentials, which can be worth hundreds of dollars per account on the Dark Web. The operation also makes money by selling its target lists on underground marketplaces for others to engage in the same activity.
The researchers were initially monitoring the Sysdig TRT cloud honeypot when they observed a ListBuckets call made with a compromised account against an S3 bucket dubbed s3simplisitter.
The bucket belonged to an unknown account and was publicly exposed. After launching an investigation, the researchers found evidence of a multifaceted attack, including Web scraping of Git files in open repositories. A massive scanning campaign occurred between August and September, according to the researchers, affecting servers with exposed Git repository configuration files, which can contain hardcoded credentials.
"As security professionals, we cannot afford to be complacent, particularly when it comes to keeping sensitive secrets, API tokens, and authentication credentials out of our source code," Naomi Buckwalter, director of product security at Contrast Security, wrote in an emailed statement to Dark Reading. "Not only should infosec professionals be on the front lines educating their development teams on how to securely store, manage, and access secrets, they should also regularly scan their source code for hard-coded credentials and monitor credential usage for anomalous activity."
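The honeypot observation that started the investigation was a single ListBuckets call made with a compromised key, and Buckwalter's recommendation is to monitor credential usage for exactly that kind of anomaly. The following is an added example, not code from the article, Sysdig, or Contrast Security: it walks a handful of constructed CloudTrail-style events (only the fields the check reads, not records from the incident) against a hypothetical baseline of known access keys and the networks each is expected to be used from, and raises an alert when a key is unknown, is used from outside its network, or issues ListBuckets from outside its network. The baseline keys, CIDRs, and event values are all invented for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical baseline: the access keys we expect to see and the networks they
# should be used from. In practice this comes from an inventory, not a literal.
BASELINE = {
    "AKIAEXAMPLE000000001": ["10.0.0.0/8"],       # CI runner inside the VPC
    "AKIAEXAMPLE000000002": ["203.0.113.0/24"],   # office egress range
}

# Constructed CloudTrail-style events trimmed to the fields the check reads.
# They illustrate the pattern; they are not records from the incident.
SAMPLE_EVENTS = [
    {"eventTime": "2024-09-03T10:01:00Z", "eventName": "GetObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "sourceIPAddress": "10.0.12.7"},
    {"eventTime": "2024-09-03T10:01:05Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "sourceIPAddress": "10.0.12.7"},
    {"eventTime": "2024-09-03T10:02:30Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"},
     "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2024-09-03T10:02:41Z", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"},
     "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2024-09-03T10:03:00Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000009"},
     "sourceIPAddress": "198.51.100.23"},
]


@dataclass
class Alert:
    severity: str
    reason: str
    access_key: str
    source_ip: str
    event_time: str


def ip_in_networks(ip: str, networks: list[str]) -> bool:
    """True if ip falls inside any listed CIDR. CloudTrail sometimes records a
    service name (e.g. 'AWS Internal') instead of an address; treat that as outside."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in networks)


def detect_anomalous_usage(events, baseline=BASELINE) -> list[Alert]:
    """Walk events in order and raise one alert per use that breaks the baseline.
    ListBuckets is singled out because the article's honeypot observation was
    exactly that call, made with a compromised account."""
    alerts = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        ip = ev.get("sourceIPAddress", "")
        name = ev.get("eventName", "")
        when = ev.get("eventTime", "")
        if key not in baseline:
            alerts.append(Alert("high", "unknown access key", key, ip, when))
        elif not ip_in_networks(ip, baseline[key]):
            if name == "ListBuckets":
                alerts.append(Alert("high", "ListBuckets from outside expected network",
                                    key, ip, when))
            else:
                alerts.append(Alert("medium", "call from outside expected network",
                                    key, ip, when))
    return alerts


if __name__ == "__main__":
    for a in detect_anomalous_usage(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.event_time} {a.access_key} from {a.source_ip}: {a.reason}")
```

In-network ListBuckets from a known key is deliberately not alerted on, so that ordinary tooling does not drown the signal; the first out-of-network ListBuckets in the sample is the event a responder would want paged on.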
In general, Git directories contain all information required for version control, including the complete commit history, configuration files, branches, and references.
"If the .git directory is exposed, attackers can retrieve valuable data about the repository's history, structure, and sensitive project information," the researchers added. "This includes commit messages, usernames, email addresses, and passwords or API keys if the repository requires them or if they were committed."
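The two places the article points at are the .git/config file, whose remote URLs can embed a username and token, and the committed source itself. The following is an added example, not code from the article or from Sysdig, showing the kind of check Buckwalter recommends running routinely: it parses a constructed .git/config for remote URLs that carry credentials and scans a constructed source file for AWS access key IDs and quoted literals assigned to secret-looking names, reporting each finding with the value redacted so the report does not re-leak it. The sample config, source, token and key values are all invented; the secret-name list in the generic pattern is a starting point to tune per code base.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample .git/config: the "origin" remote carries a credential in its URL.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://deploy-bot:ghp_EXAMPLETOKEN0123456789@github.com/example-org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.example.com:example-org/app.git
"""

# Constructed sample source file with an AWS key pair committed in clear text.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000000"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""

# AWS access key IDs have a fixed prefix and length, which makes them cheap to match.
AWS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Generic "secret-looking name = 'literal'" assignment; the name list is a starting point.
GENERIC_SECRET_RE = re.compile(
    r"(?i)(?:secret|token|password|api[_-]?key)\w*\s*[=:]\s*[\"']([^\"']{8,})[\"']")


@dataclass
class Finding:
    kind: str       # what was matched
    location: str   # file:line
    detail: str     # redacted context, never the full secret


def _redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding is recognisable without re-leaking the value."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_git_config(text: str, name: str = "config") -> list[Finding]:
    """Flag remote URLs of the form https://user:password@host/... in a .git/config."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key, _, value = line.strip().partition("=")
        if key.strip() != "url":
            continue
        parts = urlsplit(value.strip())
        if parts.scheme in ("http", "https") and parts.password:
            findings.append(Finding(
                "git-remote-credential", f"{name}:{lineno}",
                f"user={parts.username} host={parts.hostname} "
                f"password={_redact(parts.password)}"))
    return findings


def scan_source(text: str, name: str) -> list[Finding]:
    """Flag AWS access key IDs and quoted literals assigned to secret-like names."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append(Finding("aws-access-key-id", f"{name}:{lineno}",
                                    _redact(m.group(0))))
        for m in GENERIC_SECRET_RE.finditer(line):
            findings.append(Finding("hardcoded-secret", f"{name}:{lineno}",
                                    _redact(m.group(1))))
    return findings


def scan_repository(git_config: str, sources: dict[str, str]) -> list[Finding]:
    """Run both scans; config findings come first, then sources in the order given."""
    findings = scan_git_config(git_config)
    for name, text in sources.items():
        findings.extend(scan_source(text, name))
    return findings


if __name__ == "__main__":
    for f in scan_repository(SAMPLE_GIT_CONFIG, {"settings.py": SAMPLE_SOURCE}):
        print(f"{f.location}: {f.kind} ({f.detail})")
```

The SSH-style mirror URL produces no finding because it carries no password, and the unquoted reference to AWS_SECRET_ACCESS_KEY on the last source line is not flagged, which keeps the generic pattern from firing on every variable named after a secret. A credential found in .git/config should be treated as already exposed if that directory was ever web-reachable, so the remediation is rotation, not just removal.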
The incident is a clear reminder that it's critical for businesses and organizations to have visibility into all their services and a clear view of potential attack surfaces, in order to consistently manage them and mitigate threats.
"Many breaches occur because internal services are inadvertently exposed to the public Internet, making them easy targets for malicious actors," Victor Acin, head of threat intel at Outpost24, wrote in an emailed statement to Dark Reading.
Acin recommended that enterprises implement a proper external attack surface management (EASM) platform to keep track of potential misconfigurations and shadow IT.
And even when private repositories are supposedly secure, it's worth adding additional protections and ensuring that information is locked down.
