EMERALDWHALE Steals 15,000+ Cloud Credentials, Stores Data in S3 Bucket


The EMERALDWHALE operation compromised over 15,000 cloud credentials by harvesting exposed Git configuration files and Laravel .env files from misconfigured web servers. The attackers staged the stolen data in a previous victim's S3 bucket, and the credentials feed phishing, spam and further cloud account compromise.

The Sysdig Threat Research Team discovered a global operation, which it named EMERALDWHALE, that targeted exposed Git configuration files and stole more than 15,000 cloud service credentials. The credentials were harvested mainly to run phishing and spam campaigns; Sysdig estimates that working accounts of this kind sell for hundreds of dollars each.

The Attack Chain

The campaign used private tooling to abuse misconfigured web servers: the attackers harvested credentials from exposed files, used them to clone repositories, and then extracted cloud credentials from the cloned source code. Over 10,000 private repositories were collected, and the stolen data was staged in a previous victim's S3 bucket.

The Sysdig Threat Research Team reported that the attackers used tools such as httpx and Masscan to scan large portions of the internet for web servers that expose their Git configuration file (/.git/config) or Laravel environment file (.env). Where such files were found, tools such as MZR V2 and Seyzo-v2 pulled usernames, passwords and API keys out of them, using regular expressions to locate the relevant values within the files.

Credentials embedded in Git remote URLs allowed the attackers to clone the corresponding private repositories, exposing further secrets committed in source code. The extracted credentials were then validated against various cloud services, and those that worked were used for phishing, spam campaigns, or further compromise of cloud accounts. Finally, the attackers uploaded the stolen credentials, and potentially source code, to an S3 bucket belonging to a previous victim, which served as temporary storage.
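To make the extraction step concrete, here is an added example in Python. It is not Sysdig's code and not MZR V2 or Seyzo-v2; it shows the same technique those tools apply: parse an exposed .git/config and a Laravel .env, pull credentials out of remote URLs and secret-bearing variables with regular expressions, and report them redacted. Both sample files are constructed for this example, and every host, token and key in them is invented.

```python
import re
from typing import Dict, List

# Constructed sample of an exposed .git/config: a deploy token is embedded in
# the "origin" remote URL. Hosts, names and token values are invented.
SAMPLE_GIT_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://deploy-bot:ghp_EXAMPLEtoken0123456789abcdefABCDEF@github.example/acme/billing.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.example:acme/billing.git
"""

# Constructed sample of an exposed Laravel .env (all values are fake).
SAMPLE_DOTENV = """APP_ENV=production
DB_HOST=db.internal.example
DB_USERNAME=laravel
DB_PASSWORD="s3cret-pa55"
AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000A1
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
MAIL_PASSWORD=
# trailing comment
"""

REMOTE_SECTION_RE = re.compile(r'^\s*\[remote\s+"(?P<name>[^"]+)"\]\s*$')
URL_LINE_RE = re.compile(r'^\s*url\s*=\s*(?P<url>\S+)\s*$')
# scheme://user:secret@host  (the form Git writes when a token is put in the URL)
CRED_URL_RE = re.compile(r'^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<user>[^:/@\s]+):(?P<secret>[^@\s]+)@(?P<host>[^/\s]+)')
ENV_LINE_RE = re.compile(r'^\s*(?:export\s+)?(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>.*?)\s*$')
SENSITIVE_KEY_RE = re.compile(r'PASS(?:WORD)?|SECRET|TOKEN|KEY|API|PRIVATE|CREDENTIAL', re.I)
AWS_KEY_ID_RE = re.compile(r'\bAKIA[0-9A-Z]{16}\b')


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be matched to a known secret, mask the rest."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def parse_git_remotes(text: str) -> Dict[str, str]:
    """Map remote name -> url from the [remote "..."] sections of a .git/config."""
    remotes: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = REMOTE_SECTION_RE.match(line)
        if m:
            current = m.group("name")
            continue
        if line.strip().startswith("["):   # any other section ends the remote block
            current = None
            continue
        m = URL_LINE_RE.match(line)
        if m and current:
            remotes[current] = m.group("url")
    return remotes


def find_url_credentials(remotes: Dict[str, str]) -> List[dict]:
    """Remote URLs that carry user:secret@ credentials; the secret is returned redacted."""
    hits = []
    for name, url in remotes.items():
        m = CRED_URL_RE.match(url)
        if m:
            hits.append({"remote": name, "scheme": m.group("scheme"), "user": m.group("user"),
                         "host": m.group("host"), "secret": redact(m.group("secret"))})
    return hits


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=value parser: skips blanks and comments, strips matching quotes."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[m.group("key")] = value
    return env


def find_env_secrets(env: Dict[str, str]) -> Dict[str, str]:
    """Variables whose name looks secret-bearing and whose value is non-empty, redacted."""
    return {k: redact(v) for k, v in env.items() if v and SENSITIVE_KEY_RE.search(k)}


def find_aws_access_keys(text: str) -> List[str]:
    """AWS access key IDs (AKIA + 16 chars) anywhere in a blob of text."""
    return sorted(set(AWS_KEY_ID_RE.findall(text)))


if __name__ == "__main__":
    remotes = parse_git_remotes(SAMPLE_GIT_CONFIG)
    for hit in find_url_credentials(remotes):
        print(f"git remote '{hit['remote']}': {hit['user']}@{hit['host']} secret={hit['secret']}")
    for key, value in find_env_secrets(parse_dotenv(SAMPLE_DOTENV)).items():
        print(f".env {key}={value}")
    print("AWS access key IDs:", find_aws_access_keys(SAMPLE_DOTENV))
```

Run against your own web roots, the same functions turn the attacker's playbook into an audit: any hit from a file that a web server can serve means the credential is already burned and needs rotating, not just hiding.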

EMERALDWHALE’s Tools of Choice

The investigation identified two main tools used by EMERALDWHALE: MZR V2 (MIZARU) and Seyzo-v2. MZR V2, a suite of Python and shell scripts, supports target discovery, credential extraction, repository cloning, and credential validation. Similarly, Seyzo-v2 automates credential theft from exposed Git configurations through scripts, enabling attackers to locate and extract sensitive data efficiently.

In addition to Git configurations, EMERALDWHALE also targeted exposed Laravel environment files (.env), which often contain database credentials and cloud service API keys. Multigrabber v8.5 is a widely used tool for exploiting exposed Laravel .env files and harvesting this data.

EMERALDWHALE highlights the growing market for stolen credentials. Target lists of exposed Git configurations were found to be sold for around $100, demonstrating the value attackers place on this type of information. Valid cloud service credentials can also be sold in bulk or through automated shops, fetching a significant profit for attackers.

Tools being sold on Telegram (via Sysdig Threat Research Team)

The discovery emphasizes the importance of proper configuration management in securing sensitive information.

“This attack shows that secret management alone is not enough to secure an environment. There are just too many places credentials could leak from. Monitoring the behaviour of any identities associated with credentials is becoming a requirement to protect against these threats,” the report read.

Ensuring that Git metadata (the .git directory) and .env files are never served by the web server, keeping environment variables and the credentials in them to the minimum each deployment needs, and regularly scanning your own perimeter for such exposures are the practical defences.
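On the detection side, the scanning phase leaves a recognisable trail in web server access logs. The following added example (not from the Sysdig report) parses a few constructed log lines in a vhost-prefixed combined format, flags requests for /.git/ and .env paths, and separates blocked probes from ones the server actually answered with a 200 and a body, which is the case that calls for an immediate credential rotation. It also groups probes by source IP across virtual hosts, the signature of the mass scanning the report describes. Host names and addresses are invented for the example.

```python
import re
from typing import Dict, Optional

# Constructed access log lines: vhost, client IP, identity, user, timestamp,
# request, status, bytes, referer, user agent. All hosts and IPs are invented.
LOG_LINES = """\
shop.example 203.0.113.5 - - [30/Oct/2024:10:00:01 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "Mozilla/5.0"
shop.example 203.0.113.5 - - [30/Oct/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
blog.example 203.0.113.5 - - [30/Oct/2024:10:00:03 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
api.example 203.0.113.5 - - [30/Oct/2024:10:00:04 +0000] "GET /.env HTTP/1.1" 200 940 "-" "Mozilla/5.0"
api.example 203.0.113.5 - - [30/Oct/2024:10:00:05 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
shop.example 198.51.100.7 - - [30/Oct/2024:10:01:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
shop.example 198.51.100.7 - - [30/Oct/2024:10:01:11 +0000] "GET /static/app.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
blog.example 192.0.2.9 - - [30/Oct/2024:10:02:00 +0000] "GET /wp-content/.env HTTP/1.1" 403 199 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Paths EMERALDWHALE-style scanners probe: anything under a .git directory, and
# .env files at any depth, including backups such as .env.bak or .env.production.
PROBE_PATTERNS = [
    re.compile(r'(?:^|/)\.git(?:/|$)', re.I),
    re.compile(r'(?:^|/)\.env(?:\.[\w-]+)?$', re.I),
]


def parse_line(line: str) -> Optional[dict]:
    """One log line -> dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return {
        "vhost": m.group("vhost"),
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": m.group("target").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
        "size": 0 if size == "-" else int(size),
    }


def is_probe(path: str) -> bool:
    return any(p.search(path) for p in PROBE_PATTERNS)


def analyze(log_text: str, min_hosts: int = 2) -> dict:
    """Return confirmed exposures and the IPs probing several vhosts.

    exposed:     probes the server answered with 200 and a non-empty body
    scanners:    IPs that probed at least min_hosts distinct vhosts
    probing_ips: every IP that sent at least one probe, blocked or not
    """
    exposed = []
    per_ip: Dict[str, dict] = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_probe(rec["path"]):
            continue
        stats = per_ip.setdefault(rec["ip"], {"probes": 0, "hosts": set()})
        stats["probes"] += 1
        stats["hosts"].add(rec["vhost"])
        if rec["status"] == 200 and rec["size"] > 0:
            exposed.append((rec["vhost"], rec["path"], rec["ip"]))
    scanners = {
        ip: {"probes": s["probes"], "hosts": sorted(s["hosts"])}
        for ip, s in per_ip.items() if len(s["hosts"]) >= min_hosts
    }
    return {"exposed": exposed, "scanners": scanners, "probing_ips": sorted(per_ip)}


if __name__ == "__main__":
    result = analyze(LOG_LINES)
    for vhost, path, ip in result["exposed"]:
        print(f"EXPOSED  {vhost}{path} served to {ip} - rotate every secret in that file")
    for ip, s in result["scanners"].items():
        print(f"SCANNER  {ip}: {s['probes']} probes across {', '.join(s['hosts'])}")
    print("all probing IPs:", result["probing_ips"])
```

One caveat for the "exposed" bucket: a server that answers 200 with an HTML page for every path (a soft 404) will show up here too, so confirm a hit by fetching the path yourself and checking that the body really is a Git config (it starts with a `[core]` section) or a `KEY=value` file before treating it as a leak. The probing IPs with only blocked requests are still worth feeding to a blocklist: the report shows the same actors return with the credentials they find elsewhere.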

Rom Carmel, Co-Founder and CEO at Apono, weighed in on the development, stating: “This is yet another example of how credentials remain a top target for hackers who follow the adage, ‘teach a man to phish, and he’ll have access for a lifetime.’

“With the right credentials, attackers can access all resources an identity is privileged to, creating an endless list of potential targets. Given the rise in leaked credentials and the availability of phishing kits bypassing MFA, organizations must adopt an ‘assumed breach’ posture.”
