Hackers have stolen tens of thousands of cloud account credentials by abusing exposed Git configuration files, experts have claimed.
Git configuration files are where Git stores its preferences and settings, such as the user's name and email address, or which files to ignore. They tell Git how to behave for different projects and can be set globally (for all projects) or per repository. Sometimes developers include valuable secrets in private repositories, since it is faster and more convenient. That generally isn't a problem, as long as the repositories are properly secured.
However, when those files are exposed on the internet, hackers can find and grab them, a report from cybersecurity researchers at Sysdig, who dubbed the operation "EmeraldWhale", has revealed.
Active credentials
The threat actors behind EmeraldWhale used multiple scanning tools, such as httpx and Masscan, to scan websites hosted on some 500 million IP addresses. They divided these into 12,000 IP ranges and looked for exposed Git configuration files.
Once found, the files were downloaded and then scanned a second time, for things like passwords. Sysdig says more than 15,000 cloud account credentials were stolen this way and later used either in phishing and spam campaigns or sold directly to other cybercriminals. Apparently there is plenty of money to be made from this discovery: just a list of URLs pointing to exposed Git configuration files goes for roughly $100 in Telegram groups.
In total, the stolen archives were 1TB in size and included 15,000 credentials from 67,000 URLs. Of all the exposed URLs, 28,000 corresponded to Git repositories, 6,000 to GitHub tokens, and 2,000 were confirmed as active credentials.
Defending against this type of attack isn't difficult: store secrets in a dedicated secret management tool instead of in the repository itself.
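As an added example (not code from Sysdig's report or this article), the following defender-side audit parses a repository's Git configuration file (.git/config) and flags remote URLs that carry embedded credentials, the kind of secret the second scanning pass described above was looking for. The sample config and its token values are constructed placeholders.

```python
import configparser
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .git/config of the kind harvested from exposed web roots.
# Both embedded secrets are placeholders, not real credentials.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://deploy-bot:ghp_EXAMPLE0000@github.com/example/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = https://glpat-EXAMPLE1111@gitlab.example.com/example/app.git
[remote "ssh"]
\turl = git@gitlab.example.com:example/app.git
"""

def find_remote_credentials(config_text):
    """Return one (remote_name, username, redacted_url) tuple per remote whose
    URL carries userinfo (user:password@ or a bare token@). Remote URLs are the
    usual place a credential ends up inside a committed or exposed .git/config."""
    # Git's config is INI-like; only '=' separates keys from values here, so the
    # ':' inside URLs must not be treated as a delimiter. strict=False tolerates
    # repeated sections, interpolation=None leaves any '%' in values alone.
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       delimiters=("=",))
    parser.read_string(config_text)
    findings = []
    for section in parser.sections():
        match = re.fullmatch(r'remote "(.+)"', section)
        if not match or not parser.has_option(section, "url"):
            continue
        url = parser.get(section, "url")
        parts = urlsplit(url)
        # scp-style git@host:path has no scheme/netloc, so urlsplit sees no userinfo
        if parts.username is None:
            continue
        host = parts.hostname or ""
        if parts.port:
            host += f":{parts.port}"
        # Report the URL with the userinfo stripped so the finding itself is safe to log
        redacted = urlunsplit(parts._replace(netloc=host))
        findings.append((match.group(1), parts.username, redacted))
    return findings

if __name__ == "__main__":
    for remote, user, url in find_remote_credentials(SAMPLE_CONFIG):
        print(f"remote '{remote}': embedded credential for '{user}' in {url}")
```

Point the function at the contents of any real .git/config (or at files pulled from a web root you own) to find remotes that should be switched to a credential helper or SSH key before the repository is served or shared.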
Via BleepingComputer