BleepingComputer reports that internet-exposed Git configuration files, which could contain account credentials, access tokens, branch information, remote repository URLs, and automation scripts, were scanned by almost 4,800 unique IP addresses daily between April 20 and 21, the highest-volume attack wave recorded since late last year.
Singapore was the most targeted by the Git configuration file scanning activity, which is common in reconnaissance efforts, followed by the U.S. and Germany. The same countries were also the top sources of scanning sessions, according to a report from GreyNoise.
The findings come months after over 15,000 cloud account credentials were exfiltrated from exposed Git configuration files as part of the widespread EmeraldWhale operation. The Internet Archive's Wayback Machine was also compromised through Git configuration file scanning in October.
The increasingly prevalent exploitation of Git configuration files should prompt restricted access to .git/ directories, more robust web server configurations, server log monitoring, and credential rotation, said GreyNoise.
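
The server log monitoring recommended above could look like the following added example, which is not from the GreyNoise report or this article: it scans access log lines for requests to `.git` paths and separates probes that were blocked from ones the server actually answered. The Combined Log Format, the function name and the sample lines are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format: ip - - [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# A path segment that is exactly ".git" (/.git/config, /app/.git/HEAD),
# so /.gitignore and similar names do not match.
GIT_RE = re.compile(r'(^|/)\.git(/|$)', re.IGNORECASE)

# Constructed sample lines using documentation-range IP addresses.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /app/%2egit/HEAD HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2025:10:03:11 +0000] "GET /.git/config HTTP/1.1" 403 162 "-" "-"',
    '192.0.2.10 - - [01/Jan/2025:10:04:40 +0000] "GET /.gitignore HTTP/1.1" 200 48 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2025:10:04:41 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def find_git_probes(lines):
    """Return {ip: {"probes": count, "exposed": [paths answered with 2xx]}}."""
    report = defaultdict(lambda: {"probes": 0, "exposed": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        ip, _method, target, status = m.groups()
        # Drop the query string and decode percent-encoding (e.g. %2egit).
        path = unquote(target.split("?", 1)[0])
        if not GIT_RE.search(path):
            continue
        entry = report[ip]
        entry["probes"] += 1
        if status.startswith("2"):
            # The server returned repository content: treat any secrets in
            # that repository as disclosed and rotate them.
            entry["exposed"].append(path)
    return dict(report)

if __name__ == "__main__":
    for ip, info in find_git_probes(SAMPLE_LOG).items():
        state = "EXPOSED " + ", ".join(info["exposed"]) if info["exposed"] else "blocked"
        print(f"{ip}: {info['probes']} .git request(s), {state}")
```

A non-empty `exposed` list means the web server configuration still serves `.git/` content and needs fixing, not just that scanning occurred.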