Global operation EMERALDWHALE steals 15K cloud credentials

Research has determined that a global operation targeting exposed Git configurations. The operation, known as EMERALDWHALE, has resulted in the theft of more than 15,000 cloud service credentials. 

EMERALDWHALE leveraged a range of private tools to exploit several misconfigured web services. This allowed malicious actors to steal credentials, copy sensitive repositories and retrieve cloud credentials from the source code. The research discovered more than 10,000 repositories were stolen during the operation, including credentials belonging to Cloud Service Providers (CSP), email providers and other services. 

Security leaders weigh in 

Mr. Elad Luz, Head of Research at Oasis Security:

This attack highlights the critical need for a comprehensive strategy to secure and manage non-human identities (NHIs), such as secrets, keys and tokens. Implementing automated security protocols, including continuous scanning and credential rotation, can help reduce the risk of similar incidents. Additionally, proactive monitoring of NHIs and learning from previous breaches are essential for organizations operating in cloud and hybrid ecosystems.

Here are key actions to consider in response to such incidents:

  1. Regularly scan code repositories — both public and private — for exposed secrets. Although most organizations avoid hard-coding credentials in public repositories, attackers may still target private repositories for the same purpose. Consider using AI-based scanning tools that go beyond simple regular expressions to identify a broader range of secrets.
  2. Enable GitHub’s audit logs and IP logging to track account activity. Since IP logging is off by default, enabling it can help trace any suspicious activity back to its source.
  3. Rotate credentials and other sensitive data regularly to minimize the window of exposure if a secret becomes compromised.
  4. Avoid storing GitHub tokens in the .git directory to prevent accidental exposure. Use .gitignore to exclude sensitive files, and verify configuration settings to avoid inadvertently committing sensitive information.
  5. Incorporate continuous lifecycle management and governance for NHIs in your security and identity programs. Avoid hardcoding secrets in code. Instead, store sensitive credentials in a secret manager, rather than within code repositories or local files. Secret managers offer secure storage, controlled access and automated rotation options, reducing the risk of accidental exposure and enhancing security across your environment.

Rom Carmel, Co-Founder and CEO at Apono:

This is yet another example of how credentials continue to be a top target for hackers who adhere to the old adage of “teach a man to phish and he’ll have access for a lifetime.”  According to the 2024 Verizon Data Breach Investigations Report (DBIR), credentials were the target of 50% of social engineering attacks, beating out personal and financial data. With the right set of credentials, an attacker can compromise an identity and gain access to all of the resources that they have privileges to, offering malicious actors a potentially unending list of enticing targets.

With so many credentials finding their way onto illicit marketplaces, and in this case a poorly protected bucket, organizations today need to adopt an “assumed breach” posture. The addition to the widespread availability of effective phishing kits for leapfrogging over MFA protections, has proven that we need to do more to protect our resources. 

While MFA is a crucial first step in protecting identities after stolen credentials fall into the wrong hands, we’ve seen the steady stream of credential stuffing attacks as proof that we need to do more. Implementing Just-in-Time access security removes the opportunity for attackers to abuse credentials by simply ensuring that access is only available when it is needed. This, along with right-sizing excessive privileges, goes a long way in reducing the blast radius in an event like this where such a sensitive stash of credentials have been compromised.

Eric Schwake, Director of Cybersecurity Strategy at Salt Security:

The EMERALDWHALE incident, despite the attacker’s apparent carelessness, underscores the critical need to secure development environments and tools. The exposure of credentials poses a significant threat, as attackers can use them to compromise various cloud services. Furthermore, exploiting exposed Git repositories highlights the importance of securing development infrastructure. Security teams must prioritize the protection of development environments by safeguarding API keys and tokens, implementing continuous monitoring, and conducting regular security assessments. These measures are essential to preventing similar incidents and safeguarding critical assets.