Hackers Demonstrate Gathering Stolen Credentials Is as Easy as Scanning for Git Config Files

Nov 11, 2024

A cautionary tale has emerged from security firm Sysdig, who have documented a recent campaign called “EmeraldWhale” that snapped up over 15,000 stolen credentials simply by mass scanning for errant web configurations exposing Git config files to the public.

The hackers, who remain unknown, put together a package of tools that allowed them to scan IP ranges for exposed Git config files that should be private. After scanning tens of thousands of IP ranges and hundreds of millions of IP addresses, the attackers breached about 10,000 repositories in total in this way. The Git config files yielded authentication tokens for GitHub, GitLab, and BitBucket repositories, which in turn sometimes contain other credentials stored there for convenience.

Exposed Git configs could undo network security

The incident illustrates how simple oversights can undo the best-laid security plans, with secret data found using readily available web scanning and open source tools. The attackers do not need to be experienced hackers to take advantage of openings like these and can automate the entire process, from discovery to posting stolen credentials to underground sales outlets.

The information taken from the Git config files could potentially net the hackers millions of dollars, between sale of stolen credentials and “target lists” provided to phishing and scamming specialists. Each of these can go for around $100 USD individually if they are enticing enough.

And what the EmeraldWhale hackers stole is a relatively small drop in the ocean of the entire internet. The attackers were only detected due to dumping their stolen credentials to an Amazon AWS bucket that was already being monitored due to use in a prior caper. There are likely numerous other parties out there using the same approach to pick off vulnerable Git configs and similar elements, perhaps with better operational security to avoid detection.

Though the attackers in this case were somewhat sloppy, they did not identify themselves, save for leaving some clues indicating that they might speak French.

Web server misconfigurations can lead to stolen credentials

The Git config scraping took place in August and September. While the perpetrators came up with their own combination of tools to streamline and speed up the process, essentially anyone can just surf right into a “.git” directory that is exposed by incorrect web server permissions. The attackers simply automated the process with open source and easily available free tools, something that one does not need any special hacking knowledge to do. They also automated the sales process through a Telegram channel and other dark web forums devoted to trading stolen credentials.
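The reason an exposed “.git” directory pays off is that developers often leave a token in the remote URL stored in .git/config. The following is an added example, not code from Sysdig or from the article, that audits a config file from the defender's side: it parses git's INI-style config and reports remotes whose URL carries userinfo, plus an `http.extraheader` value that carries an Authorization header (a separate place git can store a credential, included here as an assumption beyond what the article describes). The sample config and the token in it are constructed placeholders.

```python
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample .git/config: the "origin" remote carries a placeholder
# token in its URL; the "mirror" remote uses SSH and carries no secret.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://deploy-bot:ghp_PLACEHOLDER_TOKEN@github.com/example/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.com:example/app.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
[http]
\textraheader = AUTHORIZATION: basic PLACEHOLDER_BASE64
"""

def parse_git_config(text):
    """Parse git's INI-style config. Leading tabs are stripped so that
    configparser does not treat indented lines as value continuations."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))
    return parser

def find_embedded_credentials(text):
    """Return findings for values that would hand a scanner a credential
    if this file were served over HTTP. Secrets are redacted in the output
    so the report itself does not leak them."""
    cfg = parse_git_config(text)
    findings = []
    for section in cfg.sections():
        remote = re.fullmatch(r'remote "(.+)"', section)
        if remote and cfg.has_option(section, "url"):
            url = cfg.get(section, "url")
            parts = urlsplit(url)
            if parts.username or parts.password:
                secret = parts.password or parts.username
                findings.append({
                    "remote": remote.group(1), "host": parts.hostname,
                    "kind": "password in URL" if parts.password else "userinfo in URL",
                    "redacted": url.replace(secret, "***REDACTED***", 1)})
        if section == "http" and cfg.has_option(section, "extraheader"):
            if cfg.get(section, "extraheader").lower().startswith("authorization:"):
                findings.append({"remote": None, "host": None,
                                 "kind": "authorization header in http.extraheader",
                                 "redacted": "AUTHORIZATION: ***REDACTED***"})
    return findings

if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_CONFIG):
        print(finding)
```

Run it over every `.git/config` in a web root (for example via `find . -name config -path '*/.git/*'`) and treat any finding as a credential to rotate, independent of whether the directory is currently reachable over HTTP.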

The majority of criminal for-profit hackers are now seeking stolen credentials first and foremost, rather than pieces of personal or financial data. Credentials are essentially the “keys to the kingdom” in getting everything they need for identity theft or phishing schemes, or they can simply minimize their risk by selling them off to other attackers for a quick payday. This highlights a few things, the most obvious being that it once again reinforces the need for MFA implementation. But it also points to remaining common deficiencies in internal attack surface visibility. It also demonstrates that “shadow IT” rises as a threat concern as hackers put more of their focus on obtaining credentials, and that privileges should be carefully and regularly reviewed.
