The cybersecurity company Sysdig has uncovered a large-scale operation by the group it tracks as Emeraldwhale, which targets exposed Git configuration files. By exploiting web servers that serve a repository's .git/config from their document root, the attackers have stolen more than 15,000 credentials for cloud services.
From the exposed configuration files the criminals obtained passwords, API keys, and other sensitive data, which gave them access to the underlying repositories; the haul was then stashed in cloud storage. In total, Emeraldwhale cloned more than 10,000 private repositories and stored them in an Amazon S3 bucket belonging to one of its earlier victims.
The attackers' primary objective is to obtain credentials for cloud services, email accounts, and other web services. Accounts on such services are valuable because they can be used to send spam and phishing at scale; Emeraldwhale both uses the stolen credentials for such campaigns and sells lists of them in bulk on underground markets.
The discovery began when Sysdig detected suspicious access attempts against a test cloud storage bucket it operates. The investigation led to a store of stolen data and malicious tooling, including scripts that scan the internet for web servers exposing their .git/config and automatically download the file, letting the attackers identify unprotected repositories and extract credentials from them.
During the attacks the group relied on common open-source tools: Masscan to enumerate live IP addresses across large ranges, and httpx to probe the resulting hosts over HTTP in bulk. The stolen credentials were then processed and sorted for later use.
Sysdig also identified two toolkits, MZR V2 and Seyzo-V2, used to harvest exposed Git configuration files and mine them for data:
- MZR V2 is a collection of scripts that automates scanning for Git configuration files and analysing their contents;
- Seyzo-V2 focuses on extracting credentials from the repositories found, particularly accounts that can be used for phishing and spam.
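The exposure check that the scanning scripts and toolkits above depend on, as an added example (this is not Sysdig's code, nor the MZR V2 or Seyzo-V2 tooling): request /.git/config from a host, confirm the response is a genuine Git config rather than a soft 404, parse it, and report credentials embedded in remote URLs or token-like values. The sample config, the host name and the token values are constructed for illustration, and the `fetch` callback is injectable so the logic runs offline.

```python
# Added example, not code from Sysdig's report or the EmeraldWhale toolkit.
# The sample config, host name and token values below are constructed.
import re
from typing import Callable, Optional
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Constructed sample: the .git/config of a checkout whose remote URL embeds a
# personal access token, served because the web root is the repository itself.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://deploy-bot:ghp_EXAMPLEtoken000000000000000000000000@github.com/acme/webapp.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
\tfetch = +refs/tags/*:refs/tags/*
[remote "mirror"]
\turl = git@gitlab.example.com:acme/webapp.git   ; ssh remote, nothing inline
[user]
\tname = Deploy Bot
"""

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$")
# Token shapes recognisable on their own: GitHub PAT, GitLab PAT, AWS key ID.
SECRET_RE = re.compile(r"\b(ghp_[A-Za-z0-9]{20,}|glpat-[A-Za-z0-9_-]{20,}|AKIA[0-9A-Z]{16})\b")


def parse_git_config(body: str) -> list:
    """Return (section, key, value) triples in file order. A list, not a dict:
    git allows repeated keys (several `fetch` refspecs), which configparser
    rejects. `#` and `;` comments are dropped."""
    entries, section = [], ""
    for raw in body.splitlines():
        line = re.split(r"(?:^|\s)[#;]", raw, maxsplit=1)[0].rstrip()
        if not line.strip():
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := KEY_RE.match(line):
            entries.append((section, m.group(1).lower(), m.group(2).strip()))
    return entries


def looks_like_git_config(body: str) -> bool:
    """Real Git configs carry core.repositoryformatversion; a soft-404 HTML
    page returned with status 200 for /.git/config does not."""
    return any(s == "core" and k == "repositoryformatversion"
               for s, k, _ in parse_git_config(body))


def find_leaked_credentials(body: str) -> list:
    """Report remote URLs carrying user:password plus any token-like values."""
    findings = []
    for section, key, value in parse_git_config(body):
        if key in ("url", "pushurl"):
            parts = urlsplit(value)           # ssh-style git@host:path has no netloc
            if parts.username or parts.password:
                findings.append({"section": section, "key": key,
                                 "kind": "credential in remote URL",
                                 "username": parts.username, "host": parts.hostname,
                                 "secret": parts.password or ""})
                continue
        if m := SECRET_RE.search(value):
            findings.append({"section": section, "key": key,
                             "kind": "token-like value", "secret": m.group(1)})
    return findings


def default_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch a URL and return its body, or None on any error (network only)."""
    req = Request(url, headers={"User-Agent": "git-config-exposure-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.read(65536).decode("utf-8", "replace")
    except Exception:
        return None


def check_host(host: str, fetch: Callable[[str], Optional[str]] = default_fetch) -> dict:
    """Probe https://<host>/.git/config and report what it leaks. `fetch` is
    injectable so the logic can be exercised offline with a fake."""
    body = fetch(f"https://{host}/.git/config")
    if body is None or not looks_like_git_config(body):
        return {"host": host, "exposed": False, "findings": []}
    return {"host": host, "exposed": True, "findings": find_leaked_credentials(body)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:      # real probe: python3 check.py www.example.com
        print(check_host(sys.argv[1]))
    else:                      # offline demo on the constructed sample
        print(check_host("www.example.test", fetch=lambda _url: SAMPLE_CONFIG))
```

Run it only against hosts you are authorised to test. The `looks_like_git_config` step matters in practice: many servers answer every unknown path with a 200 page, and a scanner that trusts the status code alone fills its loot with HTML. The remediation is the mirror image of the check: deny web access to any `.git` path and never place credentials in a remote URL, using a credential helper or deploy key instead.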
This campaign underscores that Git repositories need proper access controls: a .git directory must never be reachable from a web server's document root, and credentials must not be embedded in remote URLs, where they end up in .git/config. Experts point out that while providers such as AWS and GitHub can detect leaked keys and monitor or restrict their use, the number of places from which such data can leak keeps growing.