Researchers found a misconfigured S3 bucket containing around 15,000 stolen cloud service credentials.
The discovery of a massive trove of stolen credentials was strange. An attacker used a ListBuckets call to target his own cloud storage of stolen credentials. This was caught in a Sysdig honeypot (the same honeypot that exposed RubyCarp in April 2024).
“The weird thing,” Michael Clark, senior director of threat research at Sysdig, told SecurityWeek, “was that the attacker was asking our honeypot to list objects in an S3 bucket we did not own or operate. Even more weird was that it wasn’t necessary, since the bucket in question is public and you can just go and look.”
That piqued Sysdig’s curiosity, so they did go and look. What they discovered was “a terabyte and a half of data, thousands upon thousands of credentials, tools and other interesting data.”
Sysdig has named the group or campaign that collected this data as EmeraldWhale; but doesn’t understand how the group could be so lax as to lead them straight to the spoils of the campaign. We could entertain a conspiracy theory suggesting a rival group trying to eliminate a competitor, but an accident coupled with incompetence is Clark’s best guess. After all, the group left its own S3 open to the public – or else the bucket itself may have been co-opted from the real owner and EmeraldWhale decided not to change the configuration because they just didn’t care.
EmeraldWhale’s modus operandi is not advanced. The group simply scans the internet looking for URLs to attack, concentrating on version control repositories. “They were going after Git config files,” explained Clark. “Git is the protocol that GitHub uses, that GitLab uses, and all these other code versioning repositories use. There’s a configuration file always in the same directory, and in it is the repository information – maybe it’s a GitHub address or a GitLab address, and the credentials needed to access it. These are all exposed on web servers, basically through misconfiguration.”
The attackers simply scanned the internet for servers that had exposed the route to Git repository files – and there are many. The data found by Sysdig within the stash suggested that EmeraldWhale discovered 67,000 URLs with the path /.git/config exposed. With this misconfiguration discovered, the attackers could access the Git repositories.
Sysdig has reported on the discovery. The researchers offered no attribution thoughts on EmeraldWhale, but Clark told SecurityWeek that the tools it discovered within the stash are usually provided from dark web marketplaces in encrypted format. What it found was unencrypted scripts with comments in French – so it is possible that EmeraldWhale pirated the tools and then added their own comments by French language speakers.
“We’ve had previous incidents that we haven’t published,” added Clark. “Now, the end goal of this EmeraldWhale attack, or one of the end goals, seems to be email abuse. We’ve seen a lot of email abuse coming out of France, whether that’s IP addresses, or the people doing the abuse, or simply other scripts that have French comments. There seems to be a community that is doing this; but that community isn’t necessarily in France – they’re just using the French language a lot.”
The primary targets were the main Git repositories: GitHub, GitBucket, and GitLab. CodeCommit, the AWS offering similar to Git was also targeted. Although this was deprecated by AWS in December 2022, existing repositories can still be accessed and used; and were also targeted by EmeraldWhale. Such repositories are a good source for credentials since developers readily assume that a private repository is a secure repository – and secrets contained within them are often not so secret.
The two main scraping tools that Sysdig found in the stash are MZR V2, and Seyzo-v2. Both require a list of IPs to target. RubyCarp used Masscan, while CrystalRay likely used Httpx for list creation.
MZR V2 comprises a collection of scripts, one of which uses Httpx to create the list of target IPs. Another script makes a query using wget and extracts the URL content, using simple regex. Ultimately, the tool will download the repository for further analysis, extract credentials stored in the files, and then parse the data into a format more usable by subsequent commands.
Seyzo-v2 is also a collection of scripts and also uses Httpx to create the target list. It uses the OSS git-dumper to gather all the info from the targeted repositories. “There are more searches to gather SMTP, SMS, and cloud mail provider credentials,” note the researchers. “Seyzo-v2 is not entirely focused on stealing CSP credentials like the [MZR V2] tool. Once it gains access to credentials, it uses the keys… to create users for SPAM and phishing campaigns.”
Clark believes that EmeraldWhale is effectively an access broker, and this campaign demonstrates one malicious method for obtaining credentials for sale. He notes that the list of URLs alone, admittedly 67,000 URLs, sells for $100 on the dark web – which itself demonstrates an active market for GIT configuration files.
The bottom line, he added, is that EmeraldWhale demonstrates that secrets management is not an easy task. “There are all sorts of ways in which credentials can get leaked. So, secrets management isn’t enough – you also need behavioral monitoring to detect if someone is using a credential in an inappropriate manner.”
