EmeraldWhale – Major Cyberattack Involving 15,000 Cloud Credentials and Exposed GitHub Configurations

A major cyberattack occurred just a few weeks ago, and is quite the serious wake-up call for organizations using cloud services. The attack, named “EmeraldWhale”, involved threat actors compromising over 15,000 credentials by dumping them into a stolen AWS S3 bucket as part of a massive Git repository theft campaign. This breach is one of many that reminds us that organizations must urgently reassess and monitor their cloud configurations to prevent future attacks. Additionally, source code should be thoroughly reviewed for any hardcoded credentials or sensitive data that could be easily exploited by cybercriminals if left unchecked.

How Did the Breach Occur?

The EmeraldWhale operation was relentless. The attackers targeted Git configurations, duplicated more than 10,000 private repositories, and exfiltrated business-critical and confidential cloud credentials embedded in the source code. They exploited misconfigured web and cloud services, using custom tools to carry out the attack.

How did they manage to steal credentials so easily? A combination of phishing – a tactic that nets the criminals hundreds of dollars per account on the Dark Web, and poorly configured cloud settings. In addition, the operation is profiting by selling target lists on underground marketplaces, enabling others to carry out the same attacks. The scale and sophistication of this campaign demand immediate action: review your cloud security, audit your Git repositories, and tighten up your defenses before you become the next target.

Gaps in Cloud and SaaS Security That Lead to Breaches

Organizations tend to overlook critical gaps in their cloud and SaaS security posture:

1. Exposed Information in Cloud/SaaS Repositories: Failing to regularly scan both public and private cloud and SaaS environments for exposed secrets or sensitive data.
2. Outdated Scanning Tools: Relying on basic or legacy scanning tools instead of advanced, AI-based scanning tools that can detect a wider range of misconfigurations.
3. Poor Activity Monitoring: Not enabling audit logs to detect suspicious account activity, especially when logs are off by default.
4. Credential Mismanagement: Failure to regularly rotate credentials and other sensitive data, increasing the risk of prolonged exposure if secrets become compromised.
5. Improper Token Storage: Storing tokens in an unprotected directory, which could lead to accidental exposure.
6. Weak Configuration Management: Inadequate verification of configuration settings, which can result in the inadvertent exposure of sensitive information to the public.
7. Lack of Secure Secret Management: Hardcoding secrets directly in source code or configuration files rather than using secure secret management systems (e.g., secret managers), which provide controlled access, secure storage, and automated rotation.
8. Insufficient Lifecycle Management for Sensitive Data: Failure to incorporate continuous lifecycle management and governance for sensitive information in security and identity programs, leading to potential gaps in security controls.

How Can Organizations Improve their Cloud and SaaS Security Posture?

Breaches and cyberattacks such as the EmeraldWhale one described highlight the growing difficulty of maintaining a strong security posture, handling cloud resources, identities, credentials, and more. Traditional, legacy models tend to rely on a top-down approach, and do not provide adequate tools to security teams. With the rapid rise in cloud adoption, organizations are increasingly vulnerable to misconfigurations such as excessive permissions, improperly configured access controls, and weak identity management practices, all of which can leave critical systems exposed and undermine security efforts. Here are some critical facets of modern cloud and SaaS security management tools that can help organizations:

1. Complete Visibility
   In modern cloud environments, complete visibility is crucial for effective security management. Without real-time, granular insights into every aspect of cloud infrastructure, applications, and user activity, organizations risk missing critical threats or misconfigurations. Tools that offer comprehensive monitoring and logging allow security teams to detect anomalies, identify potential vulnerabilities, and ensure that all assets—whether in the cloud or on-premises—are properly secured. This visibility is essential for tracking how resources are accessed and used, allowing for quicker detection of any unauthorized activity or misconfigurations before they escalate into major breaches.
2. Shared Responsibility
   As cloud adoption continues to rise, the concept of shared responsibility becomes more important. While cloud providers are responsible for securing the underlying infrastructure, organizations are tasked with securing their data, applications, and user access. This division of responsibility often leads to gaps in security when organizations misunderstand their obligations or fail to apply proper security controls. For example, while providers may offer tools for identity and access management, organizations still need to configure those tools correctly, manage credentials securely, and implement governance policies that align with security best practices.
3. Stringent Policies
   Stringent security policies are essential for ensuring that sensitive data, user credentials, and cloud resources are properly protected. Organizations must enforce policies that govern how data is stored, accessed, and transmitted across the cloud, ensuring that only authorized users and systems can interact with critical resources. This includes policies around strong authentication, regular credential rotation, and least privilege access. By clearly defining and consistently enforcing these policies, organizations can reduce the risk of misconfigurations and access breaches, while also ensuring compliance with industry regulations and standards.
4. Consolidated Tools
   As cloud and SaaS environments become more complex, organizations need integrated and consolidated security tools that can manage various aspects of security in one place. This includes CNAPP, SSPM, CSPM, CWPP, CIEM, compliance monitoring, and more. Using multiple disparate tools can lead to gaps in coverage and inefficiencies in responding to threats. A unified security platform provides a more streamlined approach to monitoring and managing cloud and SaaS resources, improving both efficiency and effectiveness in identifying and mitigating risks. By consolidating security operations, teams can better enforce policies, identify vulnerabilities, and respond more swiftly to emerging threats.

CheckRed – Your Partner in Security

If you are looking for a comprehensive, multi-tenant security solution, CheckRed has got you covered! Contact us to learn more.

See CheckRed in Action

Dive into the future with our interactive demo
and explore the possibilities.

Get a Demo