Full Report
Research uncovered an operation named EMERALDWHALE that compromised over 15,000 cloud service credentials by exploiting exposed Git configurations and other misconfigured web services. The attack aimed to steal credentials from private Git repositories and cloud environments, ...
Analysis Summary
# Threat Actor: EMERALDWHALE
## Attribution & Identity
- **Identification:** Threat operation named EMERALDWHALE.
- **Aliases/Groups:** No specific threat actor group affiliation is mentioned beyond the operation name itself.
## Activity Summary
EMERALDWHALE is an ongoing operation focused on large-scale credential harvesting from compromised cloud environments and private Git repositories. The operation successfully compromised over 15,000 cloud service credentials. The ultimate aim appears to be using these stolen credentials to facilitate phishing and spam campaigns. The harvested data was exfiltrated to, and stored in, a publicly accessible S3 bucket that belonged to an earlier victim.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting exposed Git configurations (specifically `.git/config` files) and misconfigured web services, including exposed Laravel `.env` files.
- **Discovery/Scanning:** Large-scale scanning of IP address ranges to locate publicly accessible `.git/config` files.
- **Collection:** Leveraging custom tools and scripts (including regex) to search extracted repository/configuration files for recognizable credential patterns (e.g., AWS keys).
- **Exfiltration/Staging:** Storing harvested credentials in a compromised, publicly accessible S3 bucket.
- **Observed Techniques:** Abuse of exposed Git configuration files, web scraping techniques combined with targeted server scanning.
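The two exposures listed above (`.git/config` and `.env` inside a served document root, with credential-looking values inside them) are easy to check for before deployment. The following is an added example, not tooling from the report or from the actors it describes: it walks a directory that will be served as a web root, lists any `.git/config` or `.env` files that would be reachable over HTTP, and flags lines inside them that match common credential shapes, so the defender sees what a regex sweep of the kind described above would see. The sample tree, file contents, host names and key values are constructed; the `AKIA`-prefixed, 20-character access key ID format is the one AWS documents publicly.

```python
"""Self-audit of a web document root for exposed .git/config and .env files.

Added example (not from the original report). All sample data is constructed.
"""
import os
import re
import tempfile

# Credential shapes worth flagging. The AWS access key ID format (AKIA/ASIA
# prefix followed by 16 upper-case alphanumerics) is public documentation;
# the other two are generic heuristics for KEY=value files and remote URLs.
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "secret_assignment": re.compile(r"(?im)^\s*\w*(PASSWORD|SECRET|TOKEN|KEY)\s*=\s*\S+"),
    "credentials_in_url": re.compile(r"https?://[^/\s:@]+:[^/\s@]+@"),
}


def find_exposed_files(docroot):
    """Return docroot-relative paths of every .env and .git/config file."""
    hits = []
    git_config_suffix = os.path.join(".git", "config")
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            if name == ".env" or rel.endswith(git_config_suffix):
                hits.append(rel)
    return sorted(hits)


def scan_for_credentials(text):
    """Return the sorted names of credential patterns that match the text."""
    return sorted(name for name, pat in CREDENTIAL_PATTERNS.items() if pat.search(text))


def audit(docroot):
    """Map each exposed file (relative path) to the credential patterns found in it."""
    report = {}
    for rel in find_exposed_files(docroot):
        with open(os.path.join(docroot, rel), encoding="utf-8", errors="replace") as fh:
            report[rel] = scan_for_credentials(fh.read())
    return report


def build_sample_docroot():
    """Constructed tree mimicking a misdeployed app whose repo root is served.

    Nothing here is real: the host name uses the reserved .invalid TLD, the
    access key ID is the AWS documentation example and the secret is made up.
    """
    root = tempfile.mkdtemp(prefix="docroot-audit-demo-")
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        fh.write('[remote "origin"]\n'
                 "\turl = https://deploy-user:example-token@git.example.invalid/app.git\n")
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("APP_ENV=production\n"
                 "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                 "AWS_SECRET_ACCESS_KEY=constructedSecretValueNotReal1234\n")
    os.makedirs(os.path.join(root, "public"))
    with open(os.path.join(root, "public", "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    return root


if __name__ == "__main__":
    for path, patterns in audit(build_sample_docroot()).items():
        print(f"EXPOSED {path}: {', '.join(patterns) or 'no credential patterns'}")
```

Any path the audit reports is a finding regardless of whether a credential pattern matched: the `.git` directory alone lets the full history be reconstructed. The fix is to serve only the application's public directory (for Laravel, `public/`) and to deny dotfiles at the web server.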
## Targeting
- **Sectors:** Not explicitly detailed beyond cloud service providers and email providers. The actors targeted any organization with misconfigured public-facing resources that exposed Git configurations or `.env` files.
- **Geography:** Not specified.
- **Victims:** Over 15,000 cloud service credentials compromised, targeting major cloud service providers and email providers.
## Tools & Infrastructure
- **Malware families used:** MIZARU (referred to as "MZR V2"), Seyzo-v2.
- **Observed tools:** httpx, git-dumper.
- **Infrastructure:** Compromised and publicly accessible S3 bucket utilized for data staging.
## Implications
EMERALDWHALE represents a significant risk stemming from basic cloud and web misconfigurations (exposed Git history, `.env` files). The successful harvesting of 15,000+ credentials indicates a high-volume, high-impact automated operation capable of enabling subsequent large-scale phishing or account takeover activities.
## Mitigations
- Immediately audit public-facing web servers and repositories for exposed `.git/config` files and `.env` files.
- Ensure sensitive configuration files (like Laravel's `.env`) are not publicly accessible and that proper security headers/access controls are enforced.
- Implement strict credential hygiene and rotation policies, especially for cloud access keys.
- Monitor cloud storage buckets (like S3) for unexpected, high-volume external PUT/POST access, as observed via honeypot alerts in this campaign.
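The last mitigation can be turned into a concrete detection. The following is an added example, not from the report: it parses S3 server access log lines using the documented field order (bucket owner, bucket, `[time]`, remote IP, requester, request ID, operation, key, `"request URI"`, HTTP status, then further fields), counts successful `REST.PUT.OBJECT` operations per source address, and reports addresses outside an allowlist of known writers once they cross a threshold. The bucket name, owner ID, request IDs, IP addresses (all from documentation ranges) and the allowlisted network are constructed.

```python
"""Flag unexpected high-volume PUT activity in S3 server access logs.

Added example (not from the original report). All log lines are constructed.
"""
import ipaddress
import re
from collections import Counter

# Leading fields of the S3 server access log format; later fields are ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-)'
)

# Constructed allowlist: the only network expected to write to this bucket.
KNOWN_WRITER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample: a burst of anonymous PUTs from one outside address,
# one PUT from the allowlisted CI network, a GET, and one rejected PUT.
SAMPLE_LOG_LINES = [
    '0000ownerid0000 staging-bucket-example [02/Oct/2024:11:02:17 +0000] 198.51.100.23 - REQ0001 '
    'REST.PUT.OBJECT uploads/batch-001.txt "PUT /uploads/batch-001.txt HTTP/1.1" 200 - - 4096 12 9 '
    '"-" "python-requests/2.31" - - SigV4 - AuthHeader staging-bucket-example.s3.amazonaws.com TLSv1.2',
    '0000ownerid0000 staging-bucket-example [02/Oct/2024:11:02:18 +0000] 198.51.100.23 - REQ0002 '
    'REST.PUT.OBJECT uploads/batch-002.txt "PUT /uploads/batch-002.txt HTTP/1.1" 200 - - 4100 11 8 '
    '"-" "python-requests/2.31" - - SigV4 - AuthHeader staging-bucket-example.s3.amazonaws.com TLSv1.2',
    '0000ownerid0000 staging-bucket-example [02/Oct/2024:11:02:18 +0000] 198.51.100.23 - REQ0003 '
    'REST.PUT.OBJECT uploads/batch-003.txt "PUT /uploads/batch-003.txt HTTP/1.1" 200 - - 3980 10 8 '
    '"-" "python-requests/2.31" - - SigV4 - AuthHeader staging-bucket-example.s3.amazonaws.com TLSv1.2',
    '0000ownerid0000 staging-bucket-example [02/Oct/2024:11:02:19 +0000] 198.51.100.23 - REQ0004 '
    'REST.PUT.OBJECT uploads/batch-004.txt "PUT /uploads/batch-004.txt HTTP/1.1" 200 - - 4210 12 9 '
    '"-" "python-requests/2.31" - - SigV4 - AuthHeader staging-bucket-example.s3.amazonaws.com TLSv1.2',
    '0000ownerid0000 staging-bucket-example [02/Oct/2024:11:03:01 +0000] 203.0.113.5 ci-role REQ0005 '
    'REST.PUT.OBJECT builds/app.tar.gz "PUT /builds/app.tar.gz HTTP/1.1" 200 - - 9000000 40 35 '
    '"-" "aws-cli/2.15" - - SigV4 - AuthHeader staging-bucket-example.s3.amazonaws.com TLSv1.2',
    '0000ownerid0000 staging-bucket-example [02/Oct/2024:11:03:07 +0000] 198.51.100.23 - REQ0006 '
    'REST.GET.OBJECT uploads/batch-001.txt "GET /uploads/batch-001.txt HTTP/1.1" 200 - 4096 4096 5 4 '
    '"-" "curl/8.4" - - SigV4 - AuthHeader staging-bucket-example.s3.amazonaws.com TLSv1.2',
    '0000ownerid0000 staging-bucket-example [02/Oct/2024:11:04:30 +0000] 192.0.2.44 - REQ0007 '
    'REST.PUT.OBJECT uploads/x.txt "PUT /uploads/x.txt HTTP/1.1" 403 AccessDenied - 512 3 2 '
    '"-" "python-requests/2.31" - - SigV4 - AuthHeader staging-bucket-example.s3.amazonaws.com TLSv1.2',
]


def parse_line(line):
    """Return the leading fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_known_writer(ip_str):
    """True if the address falls inside an allowlisted writer network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in KNOWN_WRITER_NETWORKS)


def find_unexpected_writers(lines, threshold=3):
    """Return {ip: count} of successful object PUTs from non-allowlisted sources.

    Only sources at or above `threshold` successful PUTs are returned; a single
    stray write is noise, a burst is the staging pattern described above.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["operation"] == "REST.PUT.OBJECT" and rec["status"] == "200"
                and not is_known_writer(rec["ip"])):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_unexpected_writers(SAMPLE_LOG_LINES).items():
        print(f"ALERT: {n} successful PUTs from non-allowlisted source {ip}")
```

Anonymous requesters (`-` in the requester field) writing successfully are themselves a misconfiguration signal: a bucket that accepts unauthenticated PUTs is exactly the kind of staging point the report describes, and the bucket policy should be fixed alongside the alert.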