Full Report
Threat actors are intensifying internet-wide scanning for Git configuration files that can reveal sensitive secrets and authentication tokens used to compromise cloud services and source code repositories. [...]
Analysis Summary
# Tool/Technique: Mass Scanning for Exposed Git Configuration Files and Tokens
## Overview
This summary details the increased and large-scale reconnaissance activity targeting publicly accessible Git configuration files (`.git/` directories) on web servers. Threat actors exploit misconfigurations where developers fail to exclude the `.git/` directory from public access to steal sensitive information like access tokens, API keys, SSH private keys, and account credentials.
## Technical Details
- Type: Technique (Reconnaissance/Infiltration)
- Platform: Web Servers hosting Git repositories (Inadvertently exposed via web application deployment)
- Capabilities: Identifying and accessing exposed `.git/config` files and related files, stealing stored credentials and access tokens.
- First Seen: The source article describes recent escalations in distinct waves in November and December (2024) and March and April (likely 2025, given the article's references to October 2024).
## MITRE ATT&CK Mapping
- TA0013 - Credential Access
- T1003 - OS Credential Dumping (Indirectly, by accessing configuration files containing cached/stored credentials)
- T1552 - Unsecured Credentials
- T1552.004 - Credentials in Files
- TA0001 - Initial Access
- T1190 - Exploit Repository (By leveraging exposed configuration files revealing access paths or credentials)
## Functionality
### Core Capabilities
- **Discovery and Enumeration:** Scanning web servers for URLs ending in or containing paths commonly associated with Git data structures (e.g., `.git/config`, `.git/index`).
- **Credential Harvesting:** Extracting stored secrets, including cloud account credentials, API keys, and SSH private keys directly from the exposed configuration files.
### Advanced Features
- **Targeted Scanning Waves:** Activity is observed in distinct, high-volume waves, indicating organized, automated scanning operations.
- **Geographic Targeting:** Activity is concentrated in specific regions, including Singapore, the US, Spain, Germany, the UK, and India, with Singapore, the US, and Germany the most common destinations.
- **Exploitation Linkage:** Stolen credentials are used for subsequent breaches, such as the noted attacks against the Internet Archive.
## Indicators of Compromise
- File Hashes: N/A (Focus is on the scanning process, not specific delivered malware)
- File Names: `.git/config`, other files within exposed `.git/` directories.
- Registry Keys: N/A
- Network Indicators: Wide-scale probing activity characterized by a high volume of requests targeting Git path exposure. (Specific scanner IPs are tracked by GreyNoise but are not reproduced here.)
- Behavioral Indicators: High volume of HTTP GET requests directed at paths containing `.git/` segments on web servers globally.
## Associated Threat Actors
- The activity is linked to large-scale credential harvesting operations, such as the "EmeraldWhale" operation reported by Sysdig (responsible for stealing 15,000 cloud credentials).
- Actors involved in compromising the Internet Archive utilized tokens/credentials obtained via this method.
- Malicious actors broadly engaging in internet-wide reconnaissance.
## Detection Methods
- Signature-based detection: Signatures matching known scanner User-Agents or IP reputation lists (like those provided by GreyNoise).
- Behavioral detection: Monitoring web server access logs for repeated or high-volume requests for files/directories within `.git/`, especially requests originating from external IPs targeting configuration files.
- YARA rules: Not mentioned in the source. YARA rules could be written to identify content exfiltrated from exposed Git objects, but they only apply once the initial file access has already succeeded.
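The behavioral detection above, as an added example that is not part of the original report: it parses Combined Log Format access logs, flags requests whose path contains a `.git` segment (after percent-decoding, so `%2Egit` is caught), counts probes per source IP, and separates mere scanning noise (4xx) from actual exposure (2xx responses, meaning the server served Git data). The log lines are constructed, the `.git` path threshold is an assumption, and the IPs are from documentation ranges.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format as written by Apache/Nginx by default (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A ".git" directory segment anywhere in the path: /.git/config, /app/.git/HEAD, /repo/.git
GIT_SEGMENT_RE = re.compile(r'(^|/)\.git(/|$)')


def is_git_probe(path: str) -> bool:
    """True if the request targets a .git directory. The query string is dropped and the
    path percent-decoded first, so encodings such as %2Egit do not slip past the check."""
    decoded = unquote(path.split("?", 1)[0])
    return GIT_SEGMENT_RE.search(decoded) is not None


def analyze(log_lines, threshold=3):
    """Return (probes, exposed, noisy_sources):
    probes        - every parsed request to a .git path;
    exposed       - probes answered 2xx, i.e. the server actually served Git data;
    noisy_sources - source IPs with >= threshold .git requests (automated scanning)."""
    probes, exposed = [], []
    per_ip = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_git_probe(m["path"]):
            continue
        rec = {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}
        probes.append(rec)
        per_ip[rec["ip"]] += 1
        if 200 <= rec["status"] < 300:
            exposed.append(rec)
    noisy = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return probes, exposed, noisy


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are TEST-NET ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2025:10:01:04 +0000] "GET /app/%2Egit/config HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.9 - - [12/Mar/2025:10:05:01 +0000] "GET /static/git-logo.png HTTP/1.1" 200 900 "-" "curl/8.0"',
]

if __name__ == "__main__":
    probes, exposed, noisy = analyze(SAMPLE_LOG)
    print(f"{len(probes)} .git probes, {len(exposed)} served successfully, noisy sources: {noisy}")
    for rec in exposed:
        print(f"EXPOSED: {rec['ip']} fetched {rec['path']} -> {rec['status']}; rotate secrets in that repo")
```

A 2xx on a `.git/` path is the finding that matters: it means the repository is reachable and any tokens in its config or history should be treated as compromised and rotated.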
## Mitigation Strategies
- **Block Access to .git/ Directories:** Configure web servers (Apache, Nginx, IIS) or web application firewalls (WAFs) to explicitly deny access to the `.git/` directory and everything beneath it.
- **Prevent Exposure of Hidden Files:** Ensure web server configurations are set to prevent directory listing and access to standard hidden files (those starting with a dot, such as `.git`).
- **Credential Rotation:** Immediately rotate any SSH keys, API keys, or cloud credentials discovered within affected configuration files.
- **Log Monitoring:** Actively monitor server logs for suspicious access patterns related to Git directories.
## Related Tools/Techniques
- General automated web scanning tools (e.g., proprietary scanners or customized scripts).
- Techniques related to Unsecured Credentials (T1552).
- Operations like "EmeraldWhale" which utilize harvested Git secrets for follow-up compromise.