Hackers find 15,000 credentials by scanning for git configuration
More than 15,000 stolen cloud service credentials were discovered in an open Amazon Web Services bucket by the cybersecurity firm Sysdig.
In a report released Wednesday, Sysdig researchers revealed that a global operation called EMERALDWHALE stole credentials for cloud service and email providers, as well as other services, by targeting exposed git configuration files. The haul, which researchers say gave access to more than 10,000 private repositories, was discovered in a publicly accessible AWS S3 bucket.
“EMERALDWHALE isn’t the most sophisticated operation, but it still managed to collect over 15,000 credentials,” the report said. “What was different was the target: exposed Git configuration files. These files and the credentials they contain offer access to private repositories that normally would be difficult to access.”
Citing the S3 bucket's log data, researchers said the operation appears to have been active from August to September, collecting the information for spam and phishing campaigns.
The bucket contained more than a terabyte of data, including malicious tools, stolen credentials, git configuration files and other sensitive configuration files tied to web application settings. Sysdig noted that individual credentials sell for a decent price, and that lists of internet-facing git repositories can also fetch up to $100 each. Sysdig researchers noted that the "underground market for credentials is booming, especially for cloud services."
Exposed git directories can contain sensitive project information, including commit messages, user names, email addresses, passwords or API keys, which can be used for further attacks or sold on the market, Sysdig said. Such a directory is typically exposed when a site is deployed by cloning a repository into the web root without blocking requests to the .git path, so anyone can fetch /.git/config and the objects behind it.
“The credentials themselves can be worth hundreds of dollars per account. The accounts themselves are not the only way EMERALDWHALE makes money; the target lists they develop can also be sold on various marketplaces,” Sysdig researchers wrote.
The hackers used multiple tool sets sold on underground marketplaces that automatically find and validate credentials before uploading them to the S3 bucket; many of the credentials belonged to major services such as GitHub, BitBucket and GitLab. Although abusing credentials taken from repositories has become harder for criminal hackers, because providers now scan for and flag discovered credentials more frequently, the campaign shows just how difficult it can be to fully secure sensitive data.
Sysdig researchers also noted that campaigns such as these require minimal effort, as nearly everything can be automated, and running the tools on temporary systems makes attribution harder. Not only that, but would-be attackers can easily find the tools on GitHub or purchase a course if interested enough.
“It’s fast income for the attackers. They confirm valid keys and sell them in packs or autoshops, websites, and Telegram bots that do not require any interaction,” the report notes.
Sysdig said that the campaign highlights the fact that “secret management alone is not enough to secure an environment. There are just too many places credentials could leak from.”