Research uncovered an operation named EMERALDWHALE that compromised over 15,000 cloud service credentials by exploiting exposed Git configurations and other misconfigured web services. The attack aimed to steal credentials from private Git repositories and cloud environments, storing them in a publicly accessible S3 bucket from a previous victim. EMERALDWHALE targeted credentials for major cloud service providers, email providers, and various other services, aiming primarily to facilitate phishing and spam campaigns.
EMERALDWHALE leveraged multiple custom tools, including "MZR V2 (MIZARU)" and "Seyzo-v2," to identify and exploit exposed Git configurations. The attack began with large-scale scans of IP address ranges, looking specifically for publicly accessible .git/config files, which store sensitive configuration details. Attackers then extracted, validated, and stored credentials in a compromised S3 bucket. Tools like httpx and git-dumper facilitated high-volume scanning and data extraction, allowing attackers to quickly identify and exploit misconfigured servers. Additionally, the operation targeted exposed Laravel .env files, another common source of sensitive information, including API keys and cloud credentials.
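The scanning described above leaves a recognizable trace in web server access logs: bursts of requests for `/.git/config`, `/.git/HEAD` and `/.env` from a single source. The following detection script is an added example, not code from the original report or from the researchers; it parses constructed sample lines in the common Apache/nginx combined log format, flags requests for those paths, and reports per source IP whether any probe got an HTTP 200, which is the signal that a file is actually exposed and needs to be blocked or removed.

```python
import re

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Oct/2024:10:01:02 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Oct/2024:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Oct/2024:10:01:04 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Oct/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [30/Oct/2024:10:05:01 +0000] "GET /static/app.js HTTP/1.1" 200 5120 "-" "curl/8.0"
192.0.2.44 - - [30/Oct/2024:10:07:09 +0000] "GET /.env?x=1 HTTP/1.1" 200 412 "-" "python-requests/2.31"
"""

# Minimal combined-log parser: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths the operation was reported to probe: anything under .git/ and the Laravel .env file.
SENSITIVE_PATH_RE = re.compile(r'^/(?:\.git(?:/|$)|\.env$)', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so "/.env?x=1" is judged by its path alone.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_probes(log_text):
    """Return (ip, path, status) for every request aimed at a sensitive path."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SENSITIVE_PATH_RE.match(rec["path"]):
            probes.append((rec["ip"], rec["path"], rec["status"]))
    return probes


def summarize(log_text):
    """Per source IP: probe count and the sensitive paths that were served with HTTP 200."""
    summary = {}
    for ip, path, status in find_probes(log_text):
        entry = summary.setdefault(ip, {"probes": 0, "exposed_paths": []})
        entry["probes"] += 1
        if status == 200:
            entry["exposed_paths"].append(path)
    return summary


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        flag = "EXPOSED" if info["exposed_paths"] else "blocked"
        print(f"{ip}: {info['probes']} probe(s), {flag} {info['exposed_paths']}")
```

A 404 on `/.env` (as for the first source above) means the probe was harmless; a 200 on `/.git/config` means the repository metadata is being served and the web server should deny access to dotfiles and dot-directories at the document root. Run the same summary over real logs to find hosts that need that fix.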
The researchers' honeypot observed unusual S3 access calls, revealing over a terabyte of compromised data. The attack employed regex scripts to search for recognizable credential patterns, like AWS keys, within extracted repository files. This approach allowed EMERALDWHALE to collect a wide range of credentials, usable for creating accounts, sending spam, or conducting further reconnaissance. Attackers exploited both Git configuration files and Laravel .env files, combining web scraping techniques with targeted scans of exposed servers to identify valuable credentials across public-facing resources.
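The same pattern matching the report attributes to the attackers is what a defender runs over their own repository before it is pushed or deployed, so that an exposed .git directory or .env file has nothing worth harvesting. The scanner below is an added example, not the researchers' code: the AWS access key ID format (AKIA/ASIA followed by 16 uppercase alphanumerics) comes from public AWS documentation, the secret-key rule is a constructed heuristic keyed on the `AWS_SECRET_ACCESS_KEY` variable name, and the sample .env content uses AWS's published placeholder key pair rather than real credentials.

```python
import re
from pathlib import Path

# Credential patterns to look for. Constructed for this example; extend as needed.
PATTERNS = {
    # Public AWS format: access key IDs start with AKIA (long-term) or ASIA (temporary).
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Heuristic: a 40-character base64-style value assigned to the secret-key variable.
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})", re.IGNORECASE
    ),
}

# Constructed sample .env content using AWS's documented example key pair (not live credentials).
SAMPLE_ENV = """\
APP_NAME=demo
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=notmatchedbythesepatterns
"""


def scan_text(text, source="<memory>"):
    """Return one finding per credential-pattern hit, with file, line number and kind."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Report the captured value when the pattern has a group, else the whole match.
                value = m.group(m.lastindex or 0)
                findings.append(
                    {"source": source, "line": lineno, "kind": kind, "value": value}
                )
    return findings


def scan_tree(root):
    """Scan every regular text file under root, skipping .git metadata itself."""
    findings = []
    for path in Path(root).rglob("*"):
        if ".git" in path.parts or not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, source=str(path)))
    return findings


def has_leaked_credentials(text):
    """True if scan_text finds anything; suitable as a pre-commit or CI gate."""
    return bool(scan_text(text))


if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV, source=".env"):
        print(f"{f['source']}:{f['line']} {f['kind']}: {f['value']}")
```

Used as a CI or pre-commit gate, `has_leaked_credentials` fails the build when a key lands in a tracked file; `scan_tree` covers a checked-out working copy. The access-key pattern is exact, the secret-key pattern is a heuristic and will miss secrets stored under other variable names, so treat a clean scan as necessary rather than sufficient.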