Gang gobbles 15K credentials from cloud and email providers' garbage Git configs

Emeraldwhale looked sharp – until it made a common S3 bucket mistake

A criminal operation dubbed Emeraldwhale has been discovered after it dumped more than 15,000 credentials belonging to cloud service and email providers in an open AWS S3 bucket, according to security researchers.

The unknown data thieves embarked on a "massive scanning campaign" between August and September, looking for servers with exposed Git configuration and Laravel environment files, we're told.

"This campaign used multiple private tools that abused multiple misconfigured web services, allowing attackers to steal credentials, clone private repositories, and extract cloud credentials from their source code," wrote Miguel Hernandez, a senior engineer in container security vendor Sysdig's Threat Research Team.

These stolen credentials provided access to more than 10,000 private repositories, he added.

Exposed Git directories make an especially attractive target for data thieves because they contain all sorts of valuable information – including commit history and messages, usernames, email addresses, and passwords or API keys.

While spam and phishing campaigns appear to be the criminals' ultimate goal, the stolen credentials themselves can be sold for hundreds of dollars per account, Sysdig senior research director Michael Clark told The Register.

"There's a lot of value – $500, $600, $700 – to these credentials," Clark explained.

Something smells fishy about this S3 bucket

The threat research team "accidentally" uncovered this treasure trove of stolen data – more than a terabyte of compromised credentials and logging info – in an AWS S3 bucket while monitoring the Sysdig cloud honeypot network, Clark revealed.

The S3 bucket didn't belong to Sysdig's account; the crooks were storing the stolen goods in a bucket belonging to a previous victim of the same campaign.

After the exposed bucket was reported to AWS, the cloud giant promptly took it down, we're told.

While the security firm hasn't linked Emeraldwhale to an existing criminal gang, Clark thinks it's likely associated with an established group "due to the complexity" of its activities. "They knew what to look for, they knew what tools were being used by other groups."

Although the threat hunters can't definitively say where the miscreants are located, two of the malware strains tools used in the attack were primarily written in French, Clark observed. Those tools of evil – MZR V2 and Seyzo-v2 – can be bought and sold in underground marketplaces, and they enable scanning for vulnerabilities in exposed Git repositories for exploitation.

"Whether they are the original authors, it's hard to tell, but in the past we have seen this kind of email use, and phishing, traced back to French speakers," Clark noted.

MZR V2, a collection of Python scripts and shell scripts, can scan target lists of IPs using the open source httpx tool, and extract URLs for further analysis. It also validates GitHub credentials, and stores them in a new file.

Finally, the malware checks the credentials' permissions and capabilities, and then verifies that they can be used to send email messages for spam and phishing attacks.

Seyzo-v2 is also a collection of scripts for finding and stealing SMTP, SMS, and cloud mail provider credentials. Similar to MZR V2, this malware uses the compromised credentials to create fraudulent users for spam and phishing campaigns.

These tools both use lists of targets to start the attack chain.

"Using one of these target lists, the attackers used the MZR V2 tool and were able to discover more than 67,000 URLs with the path /.git/config exposed," Hernandez wrote – adding that this list alone sells for $100 on Telegram. ®

More about

TIP US OFF

Send us news


Other stories you might like