Source URL: https://www.theregister.com/2024/10/31/emeraldwhale_credential_theft/
Source: The Register
Title: Gang gobbles 15K credentials from cloud and email providers’ garbage Git configs
Feedly Summary: Emeraldwhale gang looked sharp – until it made a common S3 bucket mistake
A criminal operation dubbed Emeraldwhale has been discovered after it dumped more than 15,000 credentials belonging to cloud service and email providers in an open AWS S3 bucket, according to security researchers.…
AI Summary and Description: Yes
Summary: The text details a security incident involving the criminal organization Emeraldwhale, which compromised over 15,000 cloud service and email credentials through a significant scanning campaign targeting exposed Git repositories. The revelation highlights the vulnerabilities in cloud service configurations and the potential risks associated with misconfigured environments.
Detailed Description:
The incident described revolves around the discovery of a criminal operation known as Emeraldwhale. Here are the major points related to this cybersecurity event:
– **Incident Overview**: Over 15,000 credentials from various cloud service and email providers were found in an insecure AWS S3 bucket.
– **Campaign Tactics**: The attackers executed a large-scale scanning campaign, specifically targeting servers with misconfigured Git settings and Laravel environment files between August and September.
  – Utilized private tools to exploit weaknesses in web services.
  – Successfully cloned private repositories and extracted cloud credentials from them.
– **Types of Data Exposed**: Exposed Git directories were particularly enticing for criminals because they house sensitive information such as:
  – Commit history and messages
  – Usernames and email addresses
  – Passwords and API keys
– **Monetary Value**: Stolen credentials were reported to have high resale value, ranging from $500 to $700 per account.
– **Discovery of Stolen Data**: A significant amount of compromised data (over a terabyte) was discovered by Sysdig’s threat research team while monitoring their cloud honeypot network. The materials stored in the AWS bucket belonged to a previous victim of the attack.
– **Technical Depth of Attackers**: Senior researchers indicated that the complexity and sophistication of the attacks suggest a connection to an established criminal syndicate.
– **Malware Utilization**: Two specific malware tools used in the operations, MZR V2 and Seyzo-v2, were identified as being pivotal in conducting the scanning and credential theft:
  – MZR V2: A collection of Python and shell scripts designed to scan IP addresses and verify GitHub credentials.
  – Seyzo-v2: A set of scripts focused on extracting credentials from email providers, which could facilitate spam and phishing operations.
– **Indicators of the Attackers’ Location**: Suggestive linguistic cues in the malware pointed toward French-speaking origins, but concrete geographical ties remained uncertain.
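The two misconfigurations the campaign relied on, a `.git` directory and a Laravel `.env` file sitting under the document root, can be caught on the defender's side before a scanner finds them. The following is an added example (not code from the article, from Sysdig, or from the attackers' tooling) that walks a web root on the local filesystem, reports any `.git` directory or `.env` file, and inspects them for the credential types the article lists: remote URLs in `.git/config` that embed `user:token@` userinfo, and `.env` keys whose names look secret-bearing and whose values are not empty or placeholders. The sample web root, its contents and the key-name pattern are constructed for the demonstration.

```python
"""Audit a deployed web root for exposed .git directories and .env files,
and for credentials embedded in them. Added example with constructed data."""
import os
import re
import tempfile
from urllib.parse import urlsplit

# Key names worth flagging when they carry a real value (constructed, not exhaustive).
SECRET_KEY_RE = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|PASS|CREDENTIAL)", re.IGNORECASE)
# Values that are not actual secrets (constructed list).
PLACEHOLDER_VALUES = {"", "null", "changeme", "xxx", "<redacted>"}


def git_config_remotes_with_userinfo(config_path):
    """Return remote URLs in a .git/config that embed user:password@ userinfo."""
    leaked = []
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line.startswith("url"):
                continue
            _, _, url = line.partition("=")
            parts = urlsplit(url.strip())
            if parts.username or parts.password:
                leaked.append(url.strip())
    return leaked


def env_secrets(env_path):
    """Return names of .env keys that look like secrets and hold a non-placeholder value."""
    hits = []
    with open(env_path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            key = key.strip()
            value = value.strip().strip('"').strip("'")
            if SECRET_KEY_RE.search(key) and value.lower() not in PLACEHOLDER_VALUES:
                hits.append(key)
    return hits


def audit_webroot(root):
    """Walk a document root; list exposed .git dirs / .env files and the credentials inside."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            git_dir = os.path.join(dirpath, ".git")
            cfg = os.path.join(git_dir, "config")
            findings.append({
                "type": "git_dir",
                "path": os.path.relpath(git_dir, root),
                "leaked_remote_urls": git_config_remotes_with_userinfo(cfg) if os.path.isfile(cfg) else [],
            })
            dirnames.remove(".git")  # no need to descend into the object store
        for name in filenames:
            if name == ".env" or name.startswith(".env."):
                path = os.path.join(dirpath, name)
                findings.append({
                    "type": "env_file",
                    "path": os.path.relpath(path, root),
                    "secret_keys": env_secrets(path),
                })
    return findings


def build_sample_webroot():
    """Create a throwaway web root containing both misconfigurations (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "config"), "w", encoding="utf-8") as fh:
        fh.write("[core]\n\trepositoryformatversion = 0\n"
                 "[remote \"origin\"]\n"
                 "\turl = https://deploy:EXAMPLE_TOKEN@github.com/example/app.git\n"
                 "\tfetch = +refs/heads/*:refs/remotes/origin/*\n")
    with open(os.path.join(root, ".env"), "w", encoding="utf-8") as fh:
        fh.write("APP_NAME=Laravel\n"
                 "APP_KEY=base64:EXAMPLEKEY==\n"
                 "DB_PASSWORD=\"s3cr3t-example\"\n"
                 "MAIL_PASSWORD=null\n"
                 "AWS_SECRET_ACCESS_KEY=EXAMPLE/SECRET\n")
    return root


if __name__ == "__main__":
    for finding in audit_webroot(build_sample_webroot()):
        print(finding)
```

A filesystem hit does not by itself prove the files are reachable over HTTP, but a `.git` directory or `.env` under the document root is the condition the campaign scanned for, so treat any finding as something to remove from the web root and to deny at the web server (for example an nginx `location` rule that returns 404 for paths beginning with `/.`). Remote URLs that carry userinfo and `.env` values that turn up in such a finding should be rotated, since anyone who fetched the directory already has them.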
This incident serves as a critical reminder of the vulnerabilities present in cloud configurations and the importance of robust security measures, particularly regarding credential management and secure code practices. Security professionals should be vigilant with their defenses against such targeted campaigns and understand the significant risks posed by exposed repositories and misconfigured services.