Sysdig Threat Research Team Uncovers Global Operation “Emeraldwhale” Targeting Misconfigured Git Repositories
Bisma Farrukh
The Sysdig Threat Research Team (TRT) today announced the discovery of a global operation called “Emeraldwhale” that has stolen over 15,000 cloud service credentials from misconfigured Git repositories.
According to the Sysdig TRT, the attackers used a blend of private tools to exploit misconfigured web services, gaining unauthorized access to cloud credentials, cloning private repositories, and extracting sensitive information. This large-scale campaign has impacted organizations across multiple industries, putting critical cloud infrastructure and sensitive data at risk.
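The failure mode behind this campaign is a `.git` directory left reachable under a web document root, with a `.git/config` whose remote URLs carry a username and token. The script below is an added example written for this page, not Sysdig's tooling and not taken from the TRT report: it walks a web root you control, reports every `.git` directory it finds (and the URL path at which a permissive web server would serve its config), and flags config values that embed credentials in a URL. The sample config, the `example-org` paths and the `ghp_EXAMPLETOKEN` string are constructed placeholders.

```python
"""Defensive audit for the Emeraldwhale-style failure mode: a .git directory
reachable under a web document root, whose config file carries credentials in
remote URLs. Added example, not Sysdig's tooling. All paths and the sample
config below are constructed for illustration."""
import os
import re
from pathlib import Path
from typing import Dict, List

# URL whose userinfo carries a secret: scheme://user:SECRET@host/path
CRED_IN_URL = re.compile(
    r"^(?P<scheme>[a-z][a-z0-9+.\-]*)://(?P<user>[^:@/\s]+):(?P<secret>[^@/\s]+)@(?P<rest>\S+)$",
    re.IGNORECASE,
)
# [section] or [section "subsection"] headers of git's INI-like config
SECTION = re.compile(r'^\[(?P<name>[^\s"\]]+)(?:\s+"(?P<sub>[^"]*)")?\]$')

# Constructed sample of a leaky .git/config; the token value is a placeholder.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy:ghp_EXAMPLETOKEN@github.com/example-org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "backup"]
\turl = git@git.example.internal:ops/app.git
"""


def parse_git_config(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for git's config format: returns {section: {key: value}}.
    Section keys look like 'remote "origin"'; comment lines (# or ;) are dropped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            current = m.group("name").lower()
            if m.group("sub") is not None:
                current += f' "{m.group("sub")}"'
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections


def redact(url: str) -> str:
    """Replace the secret in an embedded-credential URL with *** for safe logging."""
    m = CRED_IN_URL.match(url)
    if not m:
        return url
    return f"{m.group('scheme')}://{m.group('user')}:***@{m.group('rest')}"


def scan_config_text(text: str) -> List[Dict[str, str]]:
    """Return one finding per config value that embeds a credential in a URL."""
    findings = []
    for section, entries in parse_git_config(text).items():
        for key, value in entries.items():
            m = CRED_IN_URL.match(value)
            if m:
                findings.append({
                    "section": section,
                    "key": key,
                    "user": m.group("user"),
                    "host": m.group("rest").split("/", 1)[0],
                    "redacted": redact(value),
                })
    return findings


def audit_webroot(webroot: Path) -> List[Dict[str, object]]:
    """Walk a web document root looking for .git directories. Every hit is a
    potential exposure (a server that does not block dotfiles will serve
    .git/config to anyone); each hit also carries the credential findings."""
    results = []
    for dirpath, dirnames, _ in os.walk(webroot):
        if ".git" in dirnames:
            git_dir = Path(dirpath) / ".git"
            config = git_dir / "config"
            text = config.read_text(errors="replace") if config.is_file() else ""
            rel = str(git_dir.relative_to(webroot)).replace(os.sep, "/")
            results.append({
                "git_dir": str(git_dir),
                "url_path": f"/{rel}/config",
                "credentials": scan_config_text(text),
            })
            dirnames.remove(".git")  # do not descend into repository internals
    return results


if __name__ == "__main__":
    import tempfile
    # Build a throwaway web root containing the constructed leaky repository.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        (root / "site" / ".git").mkdir(parents=True)
        (root / "site" / ".git" / "config").write_text(SAMPLE_CONFIG)
        for hit in audit_webroot(root):
            print(f"EXPOSED {hit['url_path']}")
            for f in hit["credentials"]:
                print(f"  {f['section']}.{f['key']}: {f['redacted']} (user={f['user']})")
```

Run it against a real document root with `audit_webroot(Path("/var/www"))`; any `url_path` it prints is a path to verify is blocked at the web server, and any credential finding is a token to rotate, since an SSH remote (the `backup` entry above) carries no secret in the URL and is correctly left alone.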
“Misconfigured Git repositories represent a significant vulnerability that cybercriminals are actively exploiting,” said Sysdig. “Our analysis shows that the Emeraldwhale group has been systematically targeting these weaknesses, amassing a vast trove of stolen cloud credentials that could be used for further malicious activities.”
The Sysdig TRT has worked closely with affected organizations and law enforcement agencies to mitigate the impact of the Emeraldwhale operation. The team has also released detailed technical guidance to help organizations secure their Git configurations and protect against similar attacks.
“Securing cloud infrastructure is a top priority for organizations of all sizes,” added Sysdig. “The Emeraldwhale operation underscores the importance of proactive security measures, including regular security audits, access controls, and employee training to prevent such breaches.”
Additionally, the market for credential-harvesting tools, such as MZR V2 and Seyzo-v2, continues to flourish, enabling the automation of IP scanning and credential extraction for spam and phishing campaigns. These tools are readily available in underground markets, often bundled with instructional content on credential theft tactics.
Sysdig is committed to ongoing research and collaboration that empower organizations to address cybersecurity challenges, protect sensitive information proactively, and stay ahead of evolving threats. The Sysdig TRT will continue to monitor the Emeraldwhale operation and provide updates as new information becomes available.
About Sysdig
Sysdig is a secure DevOps company and the creator of Falco, the open-source standard for cloud-native threat detection. Sysdig combines cloud security, detection and response, and compliance into a single platform, empowering organizations to secure their cloud-native infrastructure from build to run. Sysdig is a SaaS company with offices worldwide.