New Threat Research: Analyzing CryptoJS Encrypted Phishing Attempt 

Read Threat Research


United States No Fly List Shared on Hacking Forum

A United States no fly list was recently shared on a hacking forum; the two lists included over 1.5 million records of individuals prohibited to fly and as well as a second list of over 250,000 individuals deemed “selectees,” which are individuals subject to secondary screening. Both spreadsheets contain a person’s first name, last name, potential aliases, and date of birth. The lists, according to the hacker, are from the year 2019. The list was obtained by a threat actor after they found a misconfigured AWS server that belonged to an Ohio based company, CommuteAir. Steps were taken by the company after the leak was made public to secure the server. The list is publicly accessible on the hacking forum and has been verified by researchers to be the same list that was included on the CommuteAir server.

Analyst Notes

This list has always been kept away from the public eye. Now that it has been posted publicly and released, the U.S. government and TSA have all began investigation into the leak and into the threat actor behind the leak. The threat actor took their attack one step further by claiming to have pivoted from the AWS server into gaining access to more critical systems that would allow them to delay or cancel flights. Air Travel falls under one of the 16 most critical sectors within the United States, and this breach is receiving focused attention from the TSA and other federal investigators.

CommuteAir said that the exposed infrastructure, which it described as a development server, was used for testing purposes. The server also held the passport numbers, addresses, and phone numbers of roughly 900 company employees. User credentials to more than 40 Amazon S3 buckets and servers run by CommuteAir were also exposed, said the threat actor involved. It is highly recommended that organizations secure development infrastructure including github repositories as well as test machines. Dummy data, data that is entirely randomly generated or programmatically altered in records, can be used in order to provide additional layers of security. Finally, it is advisable to audit S3 bucket policies and access, disable access control lists, ensure they are not publicly accessible, implement principles of least access, and configure enforced encryption of data at rest and in transit. A reference link to S3 security best practices is included below.