EmeraldWhale: 15K Cloud Credentials Stolen in Operation

Sysdig researchers have identified a large EmeraldWhale campaign that targets exposed Git configuration files; by scanning for misconfigured repositories, the attacker stole more than 15,000 cloud service credentials.

The campaign was active from August to September and came to light after Sysdig researchers stumbled upon a misconfigured Amazon S3 bucket holding 1.5 TB of stolen credentials, tooling and other artifacts.

The attacker surfaced when a ListBuckets call (a request that enumerates the buckets an AWS account owns) hit the researchers' honeypot; the bucket it led them to, the one holding the stolen data, was publicly readable.

EmeraldWhale's tradecraft is not advanced. Even so, the activity could not be attributed to any known threat actor or group.

The attackers simply scan the Internet for web servers that expose the contents of a repository's .git directory. Judging by the recovered artifacts, EmeraldWhale found about 67,000 URLs with the /.git/config path exposed.

EmeraldWhale's toolkit targets servers with exposed Git configuration files across large IP ranges; it handles both the discovery of candidate hosts and the extraction of credentials.

The two main scraping tools Sysdig found in the bucket are MZR V2 and Seyzo-v2. Both are well known in underground markets, and both take a list of target IP addresses as input.

Such target lists are usually built with search-engine dorking (Google dorks), Shodan, and mass port scanners such as MASSCAN.

MZR V2 downloads the exposed repository for further analysis, extracts the credentials stored in its files, and converts them into a format that later commands can consume.

Seyzo-v2, in turn, uses the open-source tool git-dumper to pull down everything it can from the target repositories. The credentials it harvests are then used to stand up spam and phishing campaigns.

Besides Git configuration files, EmeraldWhale also targeted exposed Laravel .env files, which hold a variety of credentials, including those for cloud providers and databases.
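The two exposures described above (a web-readable /.git/config and a web-readable Laravel .env) and the credential extraction they enable, as an added Python example for auditing your own hosts. This is not Sysdig's analysis code and not any of the tooling recovered from the bucket; the git config and .env contents are constructed samples, and the list of sensitive .env key names is an assumption, not an exhaustive one.

```python
"""Added example (not Sysdig's or EmeraldWhale's tooling): audit a web root for
an exposed /.git/config and an exposed Laravel .env, and report any credentials
embedded in them so they can be rotated."""
import re
import urllib.request
from urllib.error import URLError

# Assumption: a representative list of .env key names worth flagging.
SENSITIVE_ENV_KEYS = re.compile(
    r"(AWS_|SECRET|PASSWORD|TOKEN|API_KEY)", re.I)

# A git remote URL of the form scheme://user:secret@host/path
CRED_URL = re.compile(
    r"^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<user>[^:/@\s]+):(?P<secret>[^@\s]+)@(?P<rest>\S+)$",
    re.I)


def parse_git_config(text):
    """Return {section: {key: value}} for a git-style INI config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def looks_like_git_config(text):
    """True if a response body is a real git config, not a generic 200 page."""
    return "[core]" in text and "repositoryformatversion" in text


def credentials_in_git_config(text):
    """Return (remote name, user, host) for every remote whose URL embeds a secret."""
    hits = []
    for section, keys in parse_git_config(text).items():
        if not section.startswith('remote "'):
            continue
        m = CRED_URL.match(keys.get("url", ""))
        if m:
            name = section[len('remote "'):-1]
            host = m.group("rest").split("/", 1)[0]
            hits.append((name, m.group("user"), host))
    return hits


def credentials_in_env(text):
    """Return the names of sensitive keys that carry a non-empty value in a .env file."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"').strip("'")
        if value and SENSITIVE_ENV_KEYS.search(key):
            found.append(key)
    return found


def fetch(url, timeout=5):
    """Fetch a URL; return (status, body) or (None, '') on any network/HTTP error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read(65536).decode("utf-8", "replace")
    except URLError:
        return None, ""


def audit_host(base_url):
    """Check one web root you own for both exposures (network; not exercised offline)."""
    report, root = {}, base_url.rstrip("/")
    status, body = fetch(root + "/.git/config")
    if status == 200 and looks_like_git_config(body):
        report["git_config"] = credentials_in_git_config(body)
    status, body = fetch(root + "/.env")
    if status == 200 and "=" in body:
        report["env"] = credentials_in_env(body)
    return report


# Constructed samples standing in for what such a scan would retrieve.
SAMPLE_GIT_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://deploy:exampletoken123@github.com/acme/shop.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@internal.example.com:acme/shop.git
"""

SAMPLE_ENV = """APP_NAME=Shop
APP_DEBUG=false
DB_PASSWORD="s3cr3t"
AWS_ACCESS_KEY_ID=AKIAEXAMPLE
AWS_SECRET_ACCESS_KEY=
MAIL_PASSWORD=hunter2
"""

if __name__ == "__main__":
    for name, user, host in credentials_in_git_config(SAMPLE_GIT_CONFIG):
        print(f"remote {name!r}: user {user!r} has an embedded secret for {host}")
    print("sensitive .env keys set:", credentials_in_env(SAMPLE_ENV))
```

Run `audit_host("https://host.you.own")` against your own web roots; a hit on either path means the web server is serving dotfiles from the document root and the remedy is to deny `/.git` and `.env` at the web server and rotate every credential the files contained. Note that the `mirror` remote is reported clean only because its SSH URL carries no password; the `origin` remote's HTTPS URL with `user:token@` is exactly the pattern these scrapers harvest.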

The stolen tokens are then used to clone public and private repositories and harvest more credentials embedded in the source code. Everything captured is eventually uploaded to the S3 bucket.

According to Sysdig, EmeraldWhale is effectively an initial access broker, and the campaign shows yet another way credentials are harvested for resale in the cyber underground.
