
Hacking Campaign Scanned Exposed Git Config Files, Made Off With 15,000 Stolen Credentials

A hacking campaign being referred to as “EmeraldWhale” has gobbled up tens of thousands of stolen credentials from GitHub like so many krill and plankton. The hackers scanned exposed Git config files for authentication tokens used to access GitHub, GitLab, and Bitbucket repositories, which sometimes in turn contain even more credentials.

The campaign was conducted by malicious hackers who sold the stolen credentials off to other cyber criminals, with much of the info being put to use in spam and phishing campaigns. The attack simply made use of open-source tools to scan IP ranges for potentially vulnerable Git config files, running through about 12,000 IP ranges and 500 million IP addresses and hitting over 10,000 private repositories in total.

Stolen credentials taken by for-profit criminals, but perpetrator remains unknown

The operation was discovered by the Sysdig Threat Research Team (TRT), which found that the attackers stole over 15,000 cloud service credentials from over 10,000 private repositories. The attackers zeroed in on misconfigured web services to pick out exposed Git config files as well as Laravel .env files and raw web data. The hackers were able to steal credentials, clone private repositories, and extract cloud credentials from their source code, extracting all of their stolen goodies to an Amazon AWS bucket used in a previous attack.

Though this is a relatively simple heist, it apparently is netting big money for whoever is behind it. Selling the credentials themselves can net a thief hundreds of dollars each, but first the credentials are often used to explore for even more salable credentials. They may also be put to use in phishing campaigns, for which the hackers are able to sell target lists in the low hundreds of dollars.

The Git config harvesting campaign took place over the course of August and September. Sysdig points out that exposed “.git” directories can provide usernames, email addresses, passwords, API keys and commit messages to attackers. This directory can sometimes be browsed directly if web server permissions are not properly set, and this is what EmeraldWhale homed in on using their own set of custom tools.
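An added example, not from Sysdig or this article: a Python audit that a site owner can run over their own document root to list every “.git” directory sitting where the web server could serve it, and to flag remote URLs in its config that embed a password or token. The sample config, the deploy-bot user, the token and the function names are constructed for illustration.

```python
import os
from urllib.parse import urlsplit

# Constructed sample; the token is a placeholder, not a real credential.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy-bot:EXAMPLE_TOKEN_NOT_REAL@github.com/example-org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.com:example-org/app.git
"""

def find_embedded_credentials(config_text):
    """Return (section, key, redacted_url) for each http(s) URL carrying userinfo."""
    findings, section = [], ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() not in ("url", "pushurl"):
            continue
        parts = urlsplit(value.strip())
        # Assumption: secrets sit in the userinfo part (user:token@host or token@host).
        # A bare username is flagged too, so a person can review it.
        if parts.scheme in ("http", "https") and (parts.username or parts.password):
            redacted = f"{parts.scheme}://***@{parts.hostname}{parts.path}"
            findings.append((section, key.strip(), redacted))
    return findings

def audit_web_root(web_root):
    """List every .git directory under a document root with any credentials in its config."""
    report = []
    for dirpath, dirnames, _files in os.walk(web_root):
        if ".git" not in dirnames:
            continue
        dirnames.remove(".git")  # record it, but do not walk the object store
        cfg = os.path.join(dirpath, ".git", "config")
        creds = []
        if os.path.isfile(cfg):
            with open(cfg, encoding="utf-8", errors="replace") as fh:
                creds = find_embedded_credentials(fh.read())
        report.append((os.path.relpath(dirpath, web_root), creds))
    return report

if __name__ == "__main__":
    for section, key, url in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"[{section}] {key}: credential embedded in {url}")
```

Any directory this reports is a deployment problem even when no credential is flagged, since the article notes that an exposed “.git” directory also yields usernames, email addresses and commit messages.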

Sysdig says that not all of the stolen credentials were usable, however. The group sampled 6,000 Git config tokens found in the thieves’ Amazon AWS bucket and determined that only about 2,000 of these were valid.

Git config campaign required little technical skill, but was very profitable

The Git config scanning heist illustrates that attackers do not necessarily need high technical skill to penetrate organizations, merely a knowledge of how secrets are kept and where oversights in security tend to appear. Private repositories are sometimes laden with credentials placed there for convenience, even though everyone involved knows (or at least should know) it is a poor practice in terms of security hygiene.

While activities like ransomware still produce much more value for skilled hackers, coming up with well over $1 million in stolen credentials using freely available legitimate mapping tools and services is nothing to sneeze at for the aspiring cyber criminal. The attackers reportedly had ambitions beyond this haul, with plans found to scan IP ranges more efficiently, and the campaign could have continued in perpetuity if not spotted. Other criminals will likely pick up where they left off, if they have not already.

The stolen credentials bucket that Sysdig found has since been reported to Amazon and taken down. The only clue thus far to the perpetrators’ identities is that two of the tools they deployed in Git config scanning are written in French, but both are widely available for purchase on underground forums. Sysdig also noted that it has seen similar French-language phishing scams run before, though not pegged to a particular known criminal outfit.

One of Sysdig’s key takeaways for other organizations is that the increasing popularity of these attacks means that secret management alone cannot be relied upon to secure an environment, as there are too many cracks through which they can leak. Approaches such as Git config scanning can be 100% automated, are easily masked to protect the attacker’s identity, rely largely on freely available resources, have a small learning curve, and yield credentials of a type that there is a “booming” market for. Sales can also be conducted quickly, anonymously and in a totally automated way via Telegram or underground websites.

Rom Carmel, Co-Founder and CEO at Apono, notes that the expected spike in popularity of this entry-level approach may force organizations to rethink how they protect themselves: “This is yet another example of how credentials continue to be a top target for hackers who adhere to the old adage of ‘teach a man to phish and he’ll have access for a lifetime.’ According to the 2024 Verizon Data Breach Investigations Report (DBIR), credentials were the target of 50% of social engineering attacks, beating out personal and financial data. With the right set of credentials, an attacker can compromise an identity and gain access to all of the resources that they have privileges to, offering malicious actors a potentially unending list of enticing targets.

With so many credentials finding their way onto illicit marketplaces, and in this case a poorly protected bucket, organizations today need to adopt an “assumed breach” posture.”

“The addition to the widespread availability of effective phishing kits for leapfrogging over MFA protections has proven that we need to do more to protect our resources. While MFA is a crucial first step in protecting identities after stolen credentials fall into the wrong hands, we’ve seen the steady stream of credential stuffing attacks as proof that we need to do more. Implementing Just-in-Time access security removes the opportunity for attackers to abuse credentials by simply ensuring that access is only available when it is needed. This, along with right-sizing excessive privileges, goes a long way in reducing the blast radius in an event like this where such a sensitive stash of credentials has been compromised,” added Carmel.

Victor Acin, Head of Threat Intel at Outpost24, noted: “This incident highlights how critical it is to have full visibility over all services, especially those that should remain internal; many breaches occur because internal services are inadvertently exposed to the public internet, making them easy targets for malicious actors. Many companies have issues managing their attack surface, which is why the best recommended strategy is to have a proper EASM platform to keep track of any potential misconfigurations or any shadow IT in the organization.”

“This attack highlights the critical need for a comprehensive strategy to secure and manage non-human identities (NHIs), such as secrets, keys, and tokens. Implementing automated security protocols, including continuous scanning and credential rotation, can help reduce the risk of similar incidents. Additionally, proactive monitoring of NHIs and learning from previous breaches are essential for organizations operating in cloud and hybrid ecosystems,” recommended Elad Luz, Head of Research at Oasis Security.