Exposed Git Configurations: The Rising Threat to MSP Cloud Security
By: Bryson Medlock
Quick Summary
Threat actors are actively scanning for exposed Git configuration files to harvest cloud service credentials, with a recent campaign stealing over 15,000 credentials from thousands of repositories.
Threat Overview
A wide-scale campaign known as "EMERALDWHALE" has been targeting internet-facing Git repositories with exposed configuration files to steal cloud service credentials. This operation scanned approximately 500 million IP addresses, targeting misconfigured web services that inadvertently exposed sensitive Git files, ultimately compromising 28,000 Git repositories and harvesting thousands of valid credentials.
Though technically unsophisticated, this attack demonstrates how even basic automation and open-source tooling can yield significant compromises when targeting common misconfigurations. The stolen credentials have primarily been used to fuel phishing and spam campaigns or sold directly in underground markets, where individual cloud credentials can fetch hundreds of dollars.
This credential harvesting approach is becoming increasingly common because attackers can achieve their goals with minimal effort through automation while maintaining anonymity. The attack chain begins with scanning for exposed Git configuration files, extracting embedded credentials, validating them against various cloud services, and then using those credentials to access private repositories, which often contain additional secrets.
Technical Observations
Attack Vectors:
Exposed .git/config files containing authentication tokens
Laravel application .env files with hardcoded API keys
Use of scanning tools such as httpx and Masscan to identify vulnerable targets
Commodity toolsets like MZR V2 (Mizaru) and Seyzo-v2 to automate credential extraction
Scope of Impact:
15,000+ cloud credentials stolen from 67,000 exposed URLs
28,000 Git repositories compromised
6,000 GitHub tokens harvested
2,000 validated as active credentials
MITRE TTPs:
T1190: Exploit Public-Facing Application - Initial Access
T1555: Credentials from Password Stores - Credential Access
T1602: Data from Configuration Repository - Collection
T1567.002: Exfiltration to Cloud Storage - Exfiltration
Mitigation Guidance
Environment Hardening:
Configure web servers to block access to hidden directories and files, especially .git/ paths
Implement strict file permissions on Git repositories and configuration files
Secret Management:
Use dedicated secret management tools (like AWS Secrets Manager or Azure Key Vault) rather than embedding credentials in code
Regularly scan repositories for sensitive information using tools like git-secrets or TruffleHog
Implement short-lived credentials with automatic rotation schedules
Monitoring & Detection:
Monitor web server logs for repeated requests to .git/config and similar paths
Review GitHub audit logs for any suspicious activity
Set up alerts for unusual API usage patterns that could indicate compromised credentials
Policy Implementation:
Enforce multi-factor authentication for both Git hosting platforms and cloud services
Configure branch protection rules to prevent unauthorized changes to critical branches
Establish least privilege access control for all development and cloud resources
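One way to implement the log-monitoring item above, as an added example that is not part of the original advisory: a small Python scanner over constructed common-log-format web server access lines that flags sources requesting .git/ paths or .env files, and separately counts requests that were actually served with a 2xx, since a served .git/config means the repository metadata is exposed rather than merely probed. The sample log lines, the threshold and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Common/combined log format prefix as written by nginx and Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths the campaign described above requests: Git metadata and Laravel .env files.
SENSITIVE_RE = re.compile(r'(^|/)\.(git|env)(/|$)')

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2024:10:00:01 +0000] "GET /.git/config HTTP/1.1" 200 312
203.0.113.5 - - [10/Nov/2024:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.5 - - [10/Nov/2024:10:00:03 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.7 - - [10/Nov/2024:10:05:10 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [10/Nov/2024:10:05:11 +0000] "GET /app/.git/config HTTP/1.1" 403 199
192.0.2.9 - - [10/Nov/2024:10:07:00 +0000] "GET /static/logo.png HTTP/1.1" 200 8812
"""

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_secret_probes(log_text, threshold=2):
    """Return {ip: {"hits": n, "served": n, "paths": [...]}} for every source that
    requested sensitive paths at least `threshold` times, or that was served one
    (2xx status) even once: the latter indicates an exposure, not just a probe."""
    stats = defaultdict(lambda: {"hits": 0, "served": 0, "paths": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query strings
        if not SENSITIVE_RE.search(path):
            continue
        entry = stats[rec["ip"]]
        entry["hits"] += 1
        entry["paths"].append(path)
        if rec["status"].startswith("2"):
            entry["served"] += 1
    return {ip: s for ip, s in stats.items() if s["hits"] >= threshold or s["served"]}

if __name__ == "__main__":
    for ip, s in find_secret_probes(SAMPLE_LOG).items():
        print(f"{ip}: {s['hits']} sensitive requests, {s['served']} served -> {s['paths']}")
```

A 2xx on .git/config is the higher-priority finding: it shows the web server is serving the repository metadata, which the environment-hardening items above should have blocked.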
What This Means for MSPs
For MSPs supporting small to mid-sized clients, this threat presents several operational considerations:
Client Environment Review: Perform targeted scans for internet-exposed Git configurations across client environments, particularly for those with in-house or contracted development teams.
Toolchain Security: Assess development pipelines and CI/CD workflows that might inadvertently expose credentials during automated processes.
Alert Pattern Recognition: Abnormal cloud service API usage, particularly from unexpected IP ranges, could indicate compromised credentials from this attack vector.
Communication Strategy: Position this as an opportunity to strengthen overall security posture rather than highlighting a new threat, focusing on the intersection of development practices and infrastructure security.
This threat underscores the growing trend of attackers targeting the intersection of development tools and cloud infrastructure—a domain where security responsibilities are often divided between development teams and IT operations. By addressing these specific misconfigurations, MSPs can demonstrate concrete value in an evolving threat landscape where even simple attacks can lead to significant compromises.