Emerald Whale Breach

NHI Mgmt Group

2 - Exploitation

The attackers used specific key tools that are commonly traded in underground markets. Two such tools revealed during the investigation are MZR V2 (MIZARU) and Seyzov2.

These tools allowed them to quickly scan IP addresses, validate exposed Git paths, and retrieve configuration data. The tools could discover exposed repositories, compile lists of target URLs, and isolate critical details like access tokens.

Overview

In October 2024, a significant cybersecurity incident known as Emerald Whale shocked the DevOps community. This incident revolved around exposed Git configuration files, an apparently simple misconfiguration that resulted in the theft of over 15,000 sensitive data and unauthorized access to over 10,000 private repositories.

The attackers obtained access to crucial cloud environments and other platforms by compromising public Git Configurations which lead to a huge vulnerability exposure in enterprise development pipelines. Despite the simple methodology of this incident, it highlighted the potential impact of mismanagement configurations on the security posture and operational stability.

Incident Timeline

1 - Reconnaissance

The Emerald Whale operation most likely began with information gathering, in which the attackers applied web-crawling and used scanning tools to look for repositories with poorly secured Git configurations.

Source: BleepingComputer

3 - Credential Validation

After the information gathering phase, the attackers proceeded to validate the gathered information. They used tools such as AWS CLI to validate passwords and group them according to usability and privilege levels. Once verified, these credentials were either retained for future operations or sold on dark web marketplaces.

Incident Detection and Response

The Sysdig TRT discovered the incident while monitoring a cloud honeypot system and noticed an abnormal ListBuckets call made by a compromised account. This activity pointed to an S3 bucket called ‘s3simplisitter’, which did not belong to Sysdig but was publicly available.

Affected companies implemented security countermeasures, including revoking access tokens, GitHub repositories reconfiguration and conducted extensive vulnerability assessments to eliminate any remaining vulnerabilities

Lessons Learned

1 - Automated Secrets Management

  • Avoid keeping credentials in repositories. Instead, use secure secret management solutions.

2 - Conduct Regular Secrets Rotation

  • Use an automated secret manager to rotate your secrets periodically to avoid any data breaches or leaks.

3 - Conduct Regular Auditing and Monitoring

  • Regularly audit repositories for misconfigured or exposed configuration files.

  • Use monitoring technologies that can detect abnormal access patterns.

Source: BleepingComputer

About Contact Glossary

Terms & Conditions Privacy policy

Non-Human Identity Mgmt Group

The Non-Human Identity Management Group is a community focussed solely on helping solve the huge industry challenge around helping organisations manage and secure Non-Human / Machine Identity Risks

Subscribe to our Newsletter

Subscribe

© 2024