- GreyNoise saw a significant increase in scanning activity
- IPs from Singapore are looking for exposed Git config files, also in Singapore
- The files could contain sensitive information such as login credentials and access tokens
Singaporean threat actors are on the hunt for organizations in the country that can be broken into and exploited, according to cybersecurity researchers GreyNoise, who recently observed a significant spike in reconnaissance activity.
In a new analysis, published earlier this week, GreyNoise said that on April 20-21, it witnessed a significant increase in IP addresses scanning for exposed Git configuration files. In that timeframe, it saw 4,800 unique IP addresses doing the scanning, which is a “substantial increase compared to typical levels”.
Most of the IPs originated in Singapore, although some were in the US, Germany, UK, and the Netherlands. They were mostly scanning through IPs in Singapore, as well, but also in the US, UK, Germany, and India.
Hunting for Git secrets
Git configuration files usually include sensitive information such as user email addresses, access tokens, authentication credentials, and remote repository URLs that embed usernames or tokens. As such, they are useful to cybercriminals in the reconnaissance and preparation stages of cyberattacks.
Software developers will sometimes forget to prevent public access to these files, exposing the secrets to anyone who knows where to look. As BleepingComputer reminds, this is exactly what happened in October 2024, when Sysdig reported a large-scale operation that scanned for exposed Git config files and grabbed 15,000 cloud account credentials from thousands of private repositories.
“In some cases, if the full .git directory is also exposed, attackers may be able to reconstruct the entire codebase — including commit history, which may contain confidential information, credentials, or sensitive logic,” GreyNoise explained.
To mitigate the risk, the researchers advise software devs make sure .git/ directories are not accessible via public web servers, and to block access to hidden files and folders in web server configurations. Furthermore, they suggest devs monitor logs for repeated requests to .git/config and similar paths, and to rotate any credentials exposed in version control history.
Via BleepingComputer
