EMERALDWHALE: 15k cloud credentials stolen in operation targeting exposed Git config files
Blog post from Sysdig
EMERALDWHALE, a global cyber operation uncovered by the Sysdig Threat Research Team, targeted exposed Git configuration files and led to the theft of over 15,000 cloud service credentials. The operation exploited misconfigured web services to steal credentials, clone private repositories, and extract cloud credentials from the source code in those repositories; the stolen data was used primarily for phishing and spam.

The credentials, which can be worth hundreds of dollars per account, were stored in an S3 bucket belonging to a previous victim. This highlights that secret management alone is not enough to secure an environment: a secret that is correctly stored can still be leaked through a repository that should never have been reachable from the internet. The attack used tools such as MZR V2 and Seyzo-v2 to scan the internet for exposed Git configurations, then used those files to reach private repositories and pull out sensitive information.

The incident underscores the booming underground market for credentials, particularly cloud service credentials, and emphasizes the need for comprehensive exposure management and vulnerability scanning to prevent similar breaches.
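The scanning behaviour described above leaves a simple trace on the victim side: HTTP requests for paths under `.git/`, and a `200` response where the web server actually served the file. The following detector is an added example written for this summary, not code from Sysdig or from the tools named in the post; it parses a few constructed combined-format access log lines (the IP addresses, timestamps and user agents are made up) and reports which clients probed for Git metadata and whether any probe succeeded. Percent-encoded paths are decoded before matching so that obfuscated probes are not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines in Apache/nginx combined format.
# They are illustrative only; three of the four requests target a .git path,
# and one of those was answered with 200, meaning the file was exposed.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Oct/2024:10:01:02 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.23 - - [30/Oct/2024:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2024:10:01:09 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.44 - - [30/Oct/2024:10:02:11 +0000] "GET /%2e%2e/.git/config HTTP/1.1" 403 0 "-" "curl/8.4"
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Any path component named ".git" (the directory itself or anything below it).
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode %2e and friends so "/%2e%2e/.git/config" is seen as "/../.git/config".
    rec["path"] = unquote(rec["path"])
    return rec


def find_git_probes(log_text):
    """Return every parsed request whose (decoded) path touches a .git directory."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if GIT_PATH_RE.search(rec["path"]):
            # A 200 means the server handed the file over: treat as an actual exposure,
            # not merely an attempt.
            rec["served"] = rec["status"] == 200
            hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Aggregate probes per client IP: how many attempts, how many succeeded."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["ip"], {"requests": 0, "served": 0})
        entry["requests"] += 1
        entry["served"] += int(h["served"])
    return summary


if __name__ == "__main__":
    probes = find_git_probes(SAMPLE_LOG)
    for ip, stats in summarize_by_client(probes).items():
        flag = "EXPOSED" if stats["served"] else "blocked"
        print(f"{ip}: {stats['requests']} .git probe(s), {stats['served']} served -> {flag}")
```

A `served` count above zero is the finding that matters: it means the repository metadata was reachable and the credentials inside it should be treated as compromised and rotated. The durable fix is at the web server, where requests for `/.git` and everything below it should be denied regardless of whether the directory happens to exist in the document root.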