Emeraldwhale gobbles 15K credentials from clouds • The Register
<!doctype html> <html lang="en"> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <title>Emeraldwhale gobbles 15K credentials from clouds • The Register</title> <meta name="viewport" content="initial-scale=1.0, width=device-width"/> <script type="application/ld+json"> { "@context":"http://schema.org", "@type":"NewsArticle", "mainEntityOfPage":{"@type":"WebPage","@id":"https://www.theregister.com/2024/10/31/emeraldwhale_credential_theft/"}, "headline":"Gang gobbles 15K credentials from cloud and email providers' garbage Git configs", "datePublished":"2024-10-31T23:59:12Z", "dateModified":"2024-11-01T09:21:04Z", "image":{"@type":"ImageObject","url":"https://regmedia.co.uk/2024/10/31/leonardo_ai_cybercrime_whale_wearing_hoodie.jpg","width":"1200","height":"600"}, "author":{"@type":"Person","name":"Jessica Lyons"}, "publisher":{"@type":"Organization","name":"The Register","url":"https://www.theregister.com/","logo":{"@type":"ImageObject","url":"https://www.theregister.com/design_picker/1fea2ae01c5036112a295123c3cc9c56eb28836a/graphics/std/red_logo_sans_strapline.png","width":330,"height":55}} } </script> <link rel="canonical" href="https://www.theregister.com/2024/10/31/emeraldwhale_credential_theft/"> </head>
<body class="fullwidth" data-pagetype='Story' data-iebrowser='7' data-pagenum="0"> <div id="page"> <article> <div id=top-col-story> <div class="header_right"> <h1>Gang gobbles 15K credentials from cloud and email providers' garbage Git configs</h1> </div> <div class="header_right"> <h2>Emeraldwhale looked sharp – until it made a common S3 bucket mistake</h2> <div class="byline_and_dateline_and_share_and_comments"> <div class="byline_wrap"> <a class="byline" href="/Author/Jessica-Lyons" title="Read more by this author"> Jessica Lyons </a> </div> <div class="dateline_wrap"> <span class="dateline"> Thu 31 Oct 2024 <span class="slashes"> // </span> 23:59 UTC </span> </div> </div> </div> </div>
<div id=main-col> <div id="article-wrapper" class="article_wrap"> <div class="centre_col"> <div id="article"> <div id="body"> <p>A criminal operation dubbed Emeraldwhale has been discovered after it dumped more than 15,000 credentials belonging to cloud service and email providers in an open AWS S3 bucket, according to security researchers.</p> <p>The unknown data thieves embarked on a "massive scanning campaign" between August and September, looking for servers with exposed Git configuration and Laravel environment files, we're told.</p> <p>"This campaign used multiple private tools that abused multiple misconfigured 
web services, allowing attackers to steal credentials, clone private repositories, and extract cloud credentials from their source code," <a target="_blank" rel="nofollow" href="https://sysdig.com/blog/emeraldwhale/">wrote</a> Miguel Hernandez, a senior engineer in container security vendor Sysdig's Threat Research Team.</p> <p>These stolen credentials provided access to more than 10,000 private repositories, he added.</p> <p>Exposed Git directories make an especially attractive target for data thieves because they contain all sorts of valuable information – including commit history and messages, usernames, email addresses, and passwords or API keys.</p> <p>While spam and phishing campaigns appear to be the criminals' ultimate goal, the stolen credentials themselves can be sold for hundreds of dollars per account, Sysdig senior research director Michael Clark told <em>The Register</em>.</p> <p>"There's a lot of value – $500, $600, $700 – to these credentials," Clark explained.</p> <h3 class="crosshead">Something smells fishy about this S3 bucket</h3> <p>The threat research team "accidentally" uncovered this treasure trove of stolen data – more than a terabyte of compromised credentials and logging info – in an AWS S3 bucket while monitoring the Sysdig cloud honeypot network, Clark revealed.</p> <p>The S3 bucket didn't belong to Sysdig's account; the crooks were storing the stolen goods in a bucket belonging to a previous victim of the same campaign.</p> <p>After the exposed bucket was reported to AWS, the cloud giant promptly took it down, we're told.</p> <p>While the security firm hasn't linked Emeraldwhale to an existing criminal gang, Clark thinks it's likely associated with an established group "due to the complexity" of its activities. 
"They knew what to look for, they knew what tools were being used by other groups."</p> <p>Although the threat hunters can't definitively say where the miscreants are located, two of the malware tools used in the attack were primarily written in French, Clark observed.
Those tools of evil – MZR V2 and Seyzo-v2 – can be bought and sold in underground marketplaces, and they enable scanning for vulnerabilities in exposed Git repositories for exploitation.</p> <p>"Whether they are the original authors, it's hard to tell, but in the past we have seen this kind of email use, and phishing, traced back to French speakers," Clark noted.</p> <p>MZR V2, a collection of Python scripts and shell scripts, can scan target lists of IPs using the open source httpx tool, and extract URLs for further analysis. It also validates GitHub credentials, and stores them in a new file.</p> <p>Finally, the malware checks the credentials' permissions and capabilities, and then verifies that they can be used to send email messages for spam and phishing attacks.</p> <p>Seyzo-v2 is also a collection of scripts for finding and stealing SMTP, SMS, and cloud mail provider credentials.
Similar to MZR V2, this malware uses the compromised credentials to create fraudulent users for spam and phishing campaigns.</p> <p>These tools both use lists of targets to start the attack chain.</p> <p>"Using one of these target lists, the attackers used the MZR V2 tool and were able to discover more than 67,000 URLs with the path <code>/.git/config</code> exposed," Hernandez wrote – adding that this list alone sells for $100 on Telegram. ®</p> </div> </div> </div> </div> </div> </article> </div> </body> </html>