EmeraldWhale’s Massive Git Breach Highlights Config Gaps
========================================================

The large-scale operation took advantage of open repositories, hardcoded credentials in source code, and other cloud oversights.

[Kristina Beek, Associate Editor, Dark Reading](/author/kristinabeek)

November 1, 2024

![Man on boat looking at the jumping glowing green whale in the sea, digital art style](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltfad81af74573ef11/6725494f43545fbf86cc892c/whale-Tithi_Luadthong-Alamy.jpg?width=1280&auto=webp&quality=95&format=jpg&disable=upscale)

Source: Tithi Luadthong via Alamy Stock Photo

Earlier this week, researchers uncovered a major cybercriminal operation, dubbed EmeraldWhale, after the attackers dumped more than 15,000 credentials into a stolen, open [AWS S3 bucket](https://www.darkreading.com/remote-workforce/critical-aws-vulnerabilities-allow-s3-attack-bonanza) in a massive Git repository theft campaign. The incident is a reminder to tighten up cloud configurations and review source code for mistakes like the inclusion of hardcoded credentials.

Over the course of the onslaught, EmeraldWhale targeted Git configurations in order to steal credentials, cloned more than 10,000 private repositories, and extracted cloud credentials from source code.

The campaign used a variety of private tools to abuse misconfigured Web and cloud services, [according to the Sysdig Threat Research Team](https://sysdig.com/blog/emeraldwhale/), which discovered the global operation. Phishing is the primary tool the campaign used to steal the credentials, which can be worth hundreds of dollars per account on the Dark Web.
The operation also makes money by selling its target lists on underground marketplaces for others to engage in the same activity.

EmeraldWhale’s First Breach
---------------------------

The researchers were initially monitoring the Sysdig TRT cloud honeypot when they observed a ListBuckets call using a compromised account — an S3 bucket dubbed s3simplisitter.

The bucket belonged to an unknown account and was publicly exposed. After launching an investigation, the researchers found evidence of a multifaceted attack, including Web scraping of Git files in open repositories. A massive scanning campaign occurred between August and September, according to the researchers, affecting servers with exposed Git repository configuration files, which can contain hardcoded credentials.

"As security professionals, we cannot afford to be complacent, particularly when it comes to keeping sensitive secrets, API tokens, and authentication credentials out of our source code," Naomi Buckwalter, director of product security at Contrast Security, wrote in an emailed statement to Dark Reading. "Not only should infosec professionals be on the front lines educating their development teams on how to securely store, manage, and access secrets, they should also regularly scan their source code for hard coded credentials and monitor credential usage for anomalous activity."

Always Have Your Guard Up
-------------------------

In general, Git directories contain "all information required for version control, including the complete commit history, configuration files, branches, and references."

"If the .git directory is exposed, attackers can retrieve valuable data about the repository’s history, structure, and sensitive project information," added the researchers. "This includes commit messages, usernames, email addresses, and passwords or API keys if the repository requires them or if they were committed."

The incident is a clear reminder that it’s critical for businesses and organizations to have visibility into all services and a clear view of potential attack surfaces in order to consistently manage them and mitigate threats.

"Many breaches occur because internal services are inadvertently exposed to the public Internet, making them easy targets for malicious actors," Victor Acin, head of threat intel at Outpost24, wrote in an emailed statement to Dark Reading.

Acin recommended that enterprises implement a "proper external attack surface management [(EASM) platform](https://www.darkreading.com/cloud-security/see-your-attack-surface-as-threat-actors-do-with-easm-and-cnapp)" to keep track of potential misconfigurations and shadow IT.

And even when private repositories are supposedly secure, it’s worth adding additional protections and ensuring that information is locked down.
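The researchers' point that Git configuration files can hold credentials can be checked on your own deployments. The following is an added example, not code from the article or from Sysdig: it walks a directory tree you serve or deploy, finds any `.git/config` left inside it, and reports where credentials are stored in plain text without printing the secret. The function names, rule names, hostnames and the sample token are assumptions made for illustration.

```python
import os
import re
import tempfile

SECTION = re.compile(r'^\[\s*([\w.-]+)(?:\s+"(.*)")?\s*\]')
OPTION = re.compile(r'^([\w.-]+)\s*=\s*(.*)$')
USERINFO = re.compile(r'^https?://[^/@\s]+@([^/:\s]+)', re.I)  # user[:secret]@host

def audit_git_config(text):
    """Return (rule, location) findings for one .git/config; secrets are never echoed."""
    findings, section = [], ""
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            section = m.group(1).lower()
            continue
        if not (m := OPTION.match(line)):  # blank lines and comments fall out here
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key in ("url", "pushurl") and (m := USERINFO.match(value)):
            findings.append(("credential-in-remote-url", m.group(1).lower()))
        elif section == "http" and key == "extraheader" and "authorization" in value.lower():
            findings.append(("authorization-header", "http.extraheader"))
        elif section == "credential" and key == "helper" and value.split()[:1] == ["store"]:
            findings.append(("plaintext-credential-store", "credential.helper"))
    return findings

def scan_tree(root):
    """Walk a served or deployed tree; map each .git/config found to its findings."""
    report = {}
    for dirpath, dirnames, _ in os.walk(root):
        cfg = os.path.join(dirpath, ".git", "config")
        if os.path.isfile(cfg):
            with open(cfg, encoding="utf-8", errors="replace") as fh:
                report[os.path.relpath(cfg, root)] = audit_git_config(fh.read())
            dirnames[:] = [d for d in dirnames if d != ".git"]  # do not descend into .git
    return report

# Constructed sample config; the token is a made-up placeholder, not a real secret.
SAMPLE = ('[remote "origin"]\n\turl = https://deploy-bot:EXAMPLE_TOKEN_0000@git.example.com/acme/app.git\n'
          '[remote "mirror"]\n\turl = git@git.example.com:acme/app.git\n'
          '[credential]\n\thelper = store\n')

def demo():
    """Build a throwaway tree containing SAMPLE and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "site", ".git"))
        with open(os.path.join(root, "site", ".git", "config"), "w") as fh:
            fh.write(SAMPLE)
        return scan_tree(root)
```

Any `.git/config` that `scan_tree` finds under a web root is itself a finding, even with an empty list: the directory should not be deployed or served, and any credential it reports should be rotated.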