New details connect police in India to a plot to plant evidence on victims' computers that led to their arrest.

police forces around the world have increasingly used hacking tools to identify and track protesters, expose political dissidents’ secrets, and turn activists’ computers and phones into inescapable eavesdropping bugs. Now, new clues in a case in India connect law enforcement to a hacking campaign that used those tools to go an appalling step further: planting false incriminating files on targets’ computers that the same police then used as grounds to arrest and jail them. 

More than a year ago, forensic analysts revealed that unidentified hackers fabricated evidence on the computers of at least two activists arrested in Pune, India, in 2018, both of whom have languished in jail and, along with 13 others, face terrorism charges. Researchers at security firm Sentinel One and nonprofits Citizen Lab and Amnesty International have since linked that evidence fabrication to a broader hacking operation that targeted hundreds of individuals over nearly a decade, using phishing emails to infect targeted computers with spyware, as well as smartphone hacking tools sold by the Israeli hacking contractor NSO Group. But only now have Sentinel One’s researchers revealed ties between the hackers and a government entity: none other than the very same Indian police agency in the city of Pune that arrested multiple activists based on the fabricated evidence.

“There’s a provable connection between the individuals who arrested these folks and the individuals who planted the evidence,” says Juan Andres Guerrero-Saade, a security researcher at Sentinel One who, along with fellow researcher Tom Hegel, will present findings at the Black Hat security conference in August. “This is beyond ethically compromised. It is beyond callous. So we’re trying to put as much data forward as we can in the hopes of helping these victims.”

Sentinel One’s new findings that link the Pune City Police to the long-running hacking campaign, which the company has called Modified Elephant, center on two particular targets of the campaign: Rona Wilson and Varvara Rao. Both men are activists and human rights defenders who were jailed in 2018 as part of a group called the Bhima Koregaon 16, named for the village where violence between Hindus and Dalits—the group once known as “untouchables”—broke out earlier that year. (One of those 16 defendants, 84-year-old Jesuit priest Stan Swamy, died in jail last year after contracting Covid-19. Rao, who is 81 years old and in poor health, has been released on medical bail, which expires next month. Of the other 14, only one has been granted bail.)

Early last year, Arsenal Consulting, a digital forensics firm working on behalf of the defendants, analyzed the contents of Wilson’s laptop, along with that of another defendant, human rights lawyer Surendra Gadling. Arsenal analysts found that evidence had clearly been fabricated on both machines. In Wilson’s case, a piece of malware known as NetWire had added 32 files to a folder of the computer’s hard drive, including a letter in which Wilson appeared to be conspiring with a banned Maoist group to assassinate Indian prime minister Narendra Modi. The letter was, in fact, created with a version of Microsoft Word that Wilson had never used, and that had never even been installed on his computer. Arsenal also found that Wilson’s computer had been hacked to install the NetWire malware after he opened an attachment sent from Varvara Rao’s email account, which had itself been compromised by the same hackers. “This is one of the most serious cases involving evidence-tampering that Arsenal has ever encountered,” Arsenal’s president, Mark Spencer, wrote in his report to the Indian court.

In February, Sentinel One published a detailed report on Modified Elephant, analyzing the malware and server infrastructure used in the hacking campaign to show that the two cases of evidence fabrication Arsenal had analyzed were part of a much larger pattern: The hackers had targeted hundreds of activists, journalists, academics, and lawyers with phishing emails and malware since as early as 2012. But in that report, Sentinel One stopped short of identifying any individual or organization behind the Modified Elephant hackers, writing only that the “activity aligns sharply with Indian state interests.”

Now the researchers have gone further in nailing down the group’s affiliations. Working with a security analyst at a certain email provider—who also spoke to WIRED but asked that neither they nor their employer be named—Sentinel One learned that three of the victim email accounts compromised by the hackers in 2018 and 2019 had a recovery email address and phone number added as a backup mechanism. For those accounts, which belonged to Wilson, Rao, and an activist and professor at Delhi University named Hany Babu, the addition of a new recovery email and phone number appears to have been intended to allow the hacker to easily regain control of the accounts if their passwords were changed. To the researchers’ surprise, that recovery email on all three accounts included the full name of a police official in Pune who was closely involved in the Bhima Koregaon 16 case.

The three hacked accounts have other fingerprints that link them—and thus the Pune police—to the larger Modified Elephant hacking campaign: The email provider found that the hacked accounts were accessed from IP addresses that Sentinel One and Amnesty International had previously identified as those of Modified Elephant. In the case of Rona Wilson, the email provider security analyst says that Wilson’s email account received a phishing email in April 2018 and then appeared to be compromised by the hackers using those IPs, and at the same time the email and phone number linked to the Pune City Police were added as recovery contacts to the account. The analyst says Wilson’s email account was then itself used to send out other phishing emails to targets in the Bhima Koregaon case for at least two months before Wilson was arrested in June of 2018.

“We generally don’t tell people who targeted them, but I’m kind of tired of watching shit burn,” the security analyst at the email provider told WIRED of their decision to reveal the identifying evidence from the hacked accounts. “These guys are not going after terrorists. They’re going after human rights defenders and journalists. And it’s not right.”

To further confirm the link between the recovery email and phone number on the hacked accounts and the Pune City Police, WIRED turned to Citizen Lab security researcher John Scott-Railton, who along with researchers at Amnesty International had earlier revealed the extent of the hacking campaign against the Bhima Koregaon 16 and shown that the NSO hacking tool Pegasus had been used to target some of their smartphones. To prove that the Pune City Police controlled the recovery contacts on the hacked accounts, Scott-Railton dug up entries in open source databases of Indian mobile phone numbers and emails for the recovery phone number that linked it to an email address ending in pune@ic.in, a suffix for other email addresses used by police in Pune. Scott-Railton found that the number is also linked in the database to the recovery email address connected to the hacked accounts for the same Pune police official.

Separately, security researcher Zeshan Aziz found the recovery email address and phone number tied to the Pune police official’s name in the leaked database of TrueCaller, a caller ID and call-blocking app, and found the phone number linked to his name in the leaked database of iimjobs.com, an Indian job recruitment website. Finally, Aziz found the recovery phone number listed with the official’s name on multiple archived web directories for Indian police, including on the website of the Pune City Police. (WIRED also verified that at the time the accounts were compromised, the email provider would have sent a confirmation link or text message to any recovery contact information added to an email account, which suggests that the police did, in fact, control that email address and phone number.)

Scott-Railton further found that the WhatsApp profile photo for the recovery phone number added to the hacked accounts displays a selfie photo of the police official—a man who appears to be the same officer at police press conferences and even in one news photograph taken at the arrest of Varvara Rao.

WIRED reached out in multiple emails and phone calls to the Pune City Police and the Pune police official whose personal details were linked to the hacked accounts and received no reply.

One Mumbai-based defense attorney representing several of the Bhima Koregaon 16, Mihir Desai, says he would need to independently corroborate the new evidence of the Pune police’s links to the hacking campaign. But taken at face value, he says, it appears “very damning.” He adds that he is hopeful it could help his clients, including Anand Teltumbde, who has been accused of terrorist connections based in part on an apparently fabricated document found on Rona Wilson’s computer. “We’ve known things have been planted, but the police could have always said, ‘we are not involved in all this,’” says Desai. “By showing the police did this, it would mean there was a conspiracy to arrest these people. It would show the police have acted in a vicious and deliberate manner knowing fully well this was false evidence.”

The conclusion that Pune police are tied to a hacking campaign that appears to have framed and jailed human rights activists presents a disturbing new example of the dangers of hacking tools in the hands of law enforcement—even in an ostensible democracy like India. Sentinel One’s Guerrero-Saade argues that it also raises questions about the validity of any evidence pulled from a computer that’s been hacked by a law enforcement surveillance operation. “This should invite a conversation about whether we can trust law enforcement with these sorts of malware operations at all,” says Guerrero-Saade. “What does it mean to have evidentiary integrity when you have a compromised device? What does it mean for somebody to hack a device for fact-finding in a law enforcement operation when they can also alter the contents of the device in question?”

Beyond any larger questions, Guerrero-Saade and his fellow Sentinel One researcher Tom Hegel say they’re focused on the fate of the victims in the Bhima Koregaon case, almost all of whom have remained in jail even as the evidence against them proves to be more corrupt with every year. Ultimately, the researchers hope their findings can not only demonstrate police wrongdoing in the case, but win those activists and human rights defenders their freedom. “The real concern here is the folks languishing in prison,” says Guerrero-Saade. “We’re hoping this leads to some form of justice.”

Police Linked to Hacking Campaign to Frame Indian Activists

In response to a comment about the Prophet Mohammed, a hacktivist group in Malaysia has unleashed a wave of cyber attacks in India.

In response to a comment about the Prophet Mohammed, a hacktivist group in Malaysia has unleashed a wave of cyber attacks in India.

According to a new advisory from Radware, a hacktivist group called DragonForce Malaysia, “with the assistance of several other threat groups, has begun indiscriminately scanning, defacing and launching denial-of-service attacks against numerous websites in India.” In addition to DDoS, their targeted campaign – dubbed “OpsPatuk” – involves advanced threat actors “leveraging current exploits, breaching networks and leaking data.”

DragonForce Malaysia – best known for their hacktivism in support of the Palestinian cause – have turned their attention on India this time, in response to a controversial comment made by a Hindu political spokesperson about the Prophet Mohammed.

According to the advisory, OpsPatuk remains ongoing today.

**The Casus Belli**

In a televised debate last month, Nupur Sharma – a spokesperson for the Hindu nationalist Bharatiya Janata Party (BJP) – made controversial remarks regarding the age of the Prophet Mohammed’s third wife, Aisha. Widespread outrage followed, involving statements from leaders in the Muslim world, widespread protests, and the outsting of Sharma herself from BJP.

Then, beginning on June 10, DragonForce Malaysia entered the fray. Their new offensive against the government of India was first enshrined in a tweet:

_Greetings The Government of India._ _We Are DragonForce Malaysia._ _This is a special operation on the insult of our Prophet Muhammad S.A.W._ _India Government website hacked by DragonForce Malaysia. We will never remain silent._ _Come Join This Operation !_ _#OpsPatuk Engaged_

(image from @DragonForceIO on Twitter)

The new advisory confirms that the group has used DDoS to perform “numerous defacements across India,” pasting their logo and messaging to targeted websites.

The group also “claimed to have breached and leaked data from various government agencies, financial institutions, universities, service providers, and several other Indian databases.”

The researchers also observed other hacktivists – ‘Localhost’, ‘M4NGTX’, ‘1887’, and ‘RzkyO’ – joining the party, “defacing multiple websites across India in the name of their religion.”

**Who are DragonForce Malaysia?**

DragonForce Malaysia is a hacktivist group in the vein of Anonymous. They’re connected by political goals, with a penchant for sensationalism. Their social media channels and website forums – used for everything “ranging from running an eSports team to launching cyberattacks” – are visited by tens of thousands of users.

In the past, DragonForce have launched attacks against organizations and government entities across the Middle East and Asia. Their favorite target has been Israel, having launched multiple operations – #OpsBedil, #OpsBedilReloaded and #OpsRWM – against the nation and its citizens.

According to the authors of the advisory, DragonForce are “not considered an advanced or a persistent threat group, nor are they currently considered to be sophisticated. But where they lack sophistication, they make up for it with their organizational skills and ability to quickly disseminate information to other members.” Like Anonymous and the Low Orbit Ion Cannon, DragonForce weaponizes their own open source DoS tools –  Slowloris, DDoSTool, DDoS-Ripper, Hammer, and more – in choreographed, flashy website defacements.

Some members, “over the last year, have demonstrated the ability and desire to evolve into a highly sophisticated threat group.” Among other things, that’s included leveraing publicly disclosed vulnerabilities. In OpsPatuk, for example, they’ve been working with the recently discovered CVE-2022-26134.

“DragonForce Malaysia and its associates have proven their ability to adapt and evolve with the threat landscape in the last year,” concluded the authors. With no signs of slowing down, “Radware expects DragonForce Malaysia to continue launching new reactionary campaigns based on their social, political, and religious affiliations in the foreseeable future.”

DragonForce Gang Unleash Hacks Against Govt. of India

Health plan provider plays down ID theft fears after breach at Washington state division

Health plan provider plays down ID theft fears after breach at Washington state division

The healthcare and personal information of up to 70,000 Kaiser Permanente patients in Washington state may have been exposed following unauthorized access to the US healthcare giant’s email system.

The data breach incident, which took place in early April, potentially exposed patients’ first and last name, medical record number, dates of service, and laboratory test result information of the health plan provider.

Catch up with the latest healthcare breaches and security news

Financially sensitive information (Social Security number and credit card numbers) were not exposed by the breach, according to the healthcare provider.

In a breach notice (PDF) issued earlier this month, Kaiser sought to reassure potentially affected members by stating that the security incident was promptly contained.

The organization said:

On April 5, 2022, Kaiser Permanente discovered that an unauthorized party gained access to an employee’s emails. We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident.

We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility.

Although there’s no evidence of identity theft or misuse of protected health information as a result of the security breach, Kaiser Permanente has nonetheless advised affected parties to be on the lookout for potential fraud.

Although not specified in Kaiser’s breach notice, regulators from the US Department of Health and Human Services Office for Civil Rights reports that 69,589 records were potentially exposed as a result of the email security slip-up at Kaiser’s Washington unit.

DON’T MISS Unpatched bug chain poses ‘mass account takeover’ threat to Yunmai weight monitoring app

In response to the incident, Kaiser said it promptly reset the employee’s password for the email account where unauthorized activity was detected.

“The employee received additional training on safe email practices, and we are exploring other steps we can take to ensure incidents like this do not happen in the future,” Kaiser Permanente concluded.

The Daily Swig asked Kaiser to confirm that only one of its email accounts was affected by the breach and invited it to explain the root cause of the incident.

We also asked the healthcare provider to shed light on why it had decided against offering a year’s credit monitoring services at no charge to those impacted by the incident – a standard but by no means universal courtesy to victims of data breach incidents.

RELATED Turkish flight operator Pegasus Airlines suffers data breach

Kaiser Permanente data breach exposed healthcare records of 70,000 patients

Data protection regulator confirms sensitive information was leaked

Data protection regulator confirms sensitive information was leaked

  

Turkish flight operator Pegasus Airlines has suffered a data breach after an AWS cloud storage bucket was reportedly left unprotected.

The Electronic Flight Bag (EFB) information belonging to an unknown number of customers was reportedly stored in the open bucket, allowing access to sensitive information.

Turkey’s data protection agency has since confirmed that a leak has happened after it received a data breach notification from the company.

**Unauthorized access**

The statement from Kişisel Verileri Koruma Kurumu (Turkey’s Personal Data Protection Authority) confirmed that there was unauthorized access to certain information held by Pegasus.

A vulnerability that allowed the access was discovered on March 21, according to regulators, and was resolved on March 24.

According to the regulator, leaked information includes the names, surnames, phone numbers, e-mail addresses, titles, flight information of past journeys, flight locations, and photographs and signature images of some employees.

**Leaky bucket**

According to Safety Detectives, which disclosed the breach, almost 23 million files were found on the bucket, totaling around 6.5 TB of data.

A blog post reads: “The bucket’s information was linked to an EFB software developed by PegasusEFB that pilots use for aircraft navigation, takeoff/landing, refueling, safety procedures, and various other in-flight processes.

“PegasusEFB’s open bucket left data including flight charts, navigation materials, and crew PII accessible to anyone.

“The bucket also exposed the EFB software’s source code, which contained plain-text passwords and secret keys that someone could use to tamper with extra-sensitive files.”

Read more of the latest news about data breaches

“This exposure could impact the safety of every Pegasus passenger and crew member around the world,” according to researchers. “Affiliated airlines that are using PegasusEFB could also be affected.”

According to regulator, an investigation into the incident is ongoing. The Daily Swig has reached out to Pegasus Airlines for more information and will update this article accordingly.

YOU MAY LIKE India to introduce six-hour data breach notification rule

Turkish flight operator Pegasus Airlines suffers data breach

The innovative ransomware targets NAS devices, has a multitiered payment and extortion scheme as well as a flexible configuration, and takes a heavily automated approach.

The DeadBolt ransomware family is targeting QNAP and Asustor network-attached storage (NAS) devices by deploying a multitiered scheme aimed at both the vendors and their victims, and offering multiple cryptocurrency payment options.  

These factors make DeadBolt different from other NAS ransomware families and could be more problematic for its victims, according to an analysis from Trend Micro this week.

The ransomware uses a configuration file that will dynamically choose specific settings based on the vendor that it targets, making it scalable and easily adaptable to new campaigns and vendors, according to the researchers.

The payment schemes allow either the victim to pay for a decryption key, or for the vendor to pay for a decryption master key. This master key would theoretically work to decrypt data for all victims; however, the report notes less than 10% of DeadBolt victims actually paid the ransom.

"Even though the vendor master decryption key did not work in DeadBolt's campaigns, the concept of holding both the victim and the vendors ransom is an interesting approach," according to the report. "It's possible that this approach will be used in future attacks, especially since this tactic requires a low amount of effort on the part of a ransomware group."

Fernando Mercês, senior threat researcher at Trend Micro, points out that the actors also created a functional, nicely designed Web app to deal with ransom payments.

"They also know about the internals of QNAP and Asustor," he says. "Overall, it's an impressive job from a technical standpoint."

Mercês adds that ransomware actors in general are targeting NAS devices due to a combination of factors: low security, high availability, the high value of data, modern hardware, and common OS (Linux).

"It's like targeting Internet-facing Linux servers with all kinds of applications installed and no professional security in place," he says. “Additionally, these servers contain high-value data for the user. It sounds like the perfect target for ransomware."

For organizations to protect against attacks targeting internet-facing NAS devices, he says, they could use a VPN service, although the configuration may require a few technical skills.

"Suppose there's no other way other than exposing the NAS on the Internet," he says. "In that case, I'd recommend using strong passwords, 2FA, disabling/uninstalling all unused services and apps, and configuring a firewall in front of it to only allow the ports you want to access. This can be done in a router, for example."

Mercês notes that while it doesn't seem effective, it's interesting to see criminals trying to put some pressure on vendors to "fix the problem" for their customers.

"I think criminals thought the vendors would be worried about their image in front of their customers and maybe pay to get free decryptors for all of them," he says. "It could be interesting if customers started pushing vendors to pay on their behalf, but that didn't happen."

In May, QNAP warned its NAS devices are under active attack by DeadBolt ransomware, and in January, a report from attack surface solutions provider Censys.io noted that out of 130,000 QNAP NAS devices that were potential targets, 4,988 services showed signs of a DeadBolt infection.

Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out that the DeadBolt ransomware operation is interesting for several reasons, including the fact that victims do not need to contact the threat actors at any time.

"With most ransomware groups, victims need to negotiate with the threat actors, who are often in different time zones," she says. “These interactions can add a significant amount of time to the recovery process and a level of uncertainty because the outcome could rely on the success of the interaction."

However, she notes that from a technical perspective, DeadBolt ransomware attacks are different from ransomware attacks that target many enterprise devices, as initial access is gained by exploiting vulnerabilities in unpatched Internet-facing NAS devices.

"There are no social engineering or lateral movement techniques required to carry out their objectives," Hoffman says. "The threat actors do not need a lot of time, tools, or money to carry out these opportunistic attacks."

Multilevel Extortion: DeadBolt Ransomware Targets Internet-Facing NAS Devices

Government has sought to allay misgivings of cybersecurity industry

Government has sought to allay misgivings of cybersecurity industry

As concern mounts about the security risks posed by overseas hackers, the US Commerce Department’s Bureau of Industry and Security (BIS) has published revisions to its ban on certain cybersecurity exports.

The prohibition – first announced last October – effectively bans the export of hacking software and equipment to China, Russia, and a number of other countries without a license from the BIS.

**Disrupt, deny, degrade**

“These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it,” reads the new and final rule, published in the Federal Register and effective from May 26.

The export ban would therefore likely cover spyware such as Pegasus, developed by Israeli firm NSO Group and controversially used by authoritarian governments to surveil journalists, activists, politicians, and business executives.

RELATED Pegasus mobile spyware used zero-click exploits to snoop on Catalan politicians

The move brings the US into line with 42 other nations that are members of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.

An earlier version of the rule, published last year, introduced a new license exception for Authorized Cybersecurity Exports (ACE). This, included in response to cybersecurity industry concern, allowed the export, re-export, and in-country transfer of ‘cybersecurity items’ to most destinations.

As a result, under last year’s draft, it was agreed that a license would only be required for exports to countries where there are concerns about national security or weapons of mass destruction, as well as countries subject to a US arms embargo.

This final version, produced following a public consultation, includes some changes to this section. These include clarifying the definition of ‘government end user’, rewriting some of the text to make it clearer, and correcting wording that, says BIS, “inadvertently” widened the scope of exceptions.

**Strong opposition**

There had previously been strong opposition from the cybersecurity industry, worried that the controls covered too broad a range of tools and technologies, that the red tape involved would hamper the work of good-faith hackers and bug bounty hunters, and that the restrictions on the development of intrusion software would hold back international cybersecurity research.

“This rule is meant to be a framework to understand and deter the export of cyber capability – mostly exploits, but also potentially TTPs, IOCs, et cetera – to governments in Country Group D,” Casey Ellis, founder and CTO of Bugcrowd, tells The Daily Swig.

Read more of the latest hacking tools news and analysis

“Export control is difficult enough with physical weapons – cryptographic export controls have already illustrated the idea that regulating export in the cyber domain is difficult, and the implementation of the Wassenaar Agreement to include cyber in the USA has been no exception.”

**Compliance difficulties**

There are still some concerns about the rule, with a number of commenters on the draft suggesting that it presents compliance difficulties and isn't necessarily always clear – for example, on the question as to whether it would control cybersecurity incident detection and monitoring software.

BIS is attempting to deal with this through the regular publication of FAQs, and says it plans to provide more guidance over time.

“The good and clear thing here is that the BIS has listened to and actively worked to consider feedback from the security, research, and bounty hunter communities,” says Ellis.

“An important section to keep an eye on will be the scope of license requirements, which they’ve committed to outlining and maintaining through FAQs. These FAQs will ultimately dictate who is required to pursue licensing under the ruling, and who is carved out.”

RECOMMENDED US revises policy regarding Computer Fraud and Abuse Act, will not prosecute good faith research

US export ban on hacking tools tweaked after public consultation

By Waqas
Pegasus Airlines is a Turkey-based low-cost airline that exposed Electronic Flight Bag (EFB) data to the public including…
This is a post from HackRead.com Read the original post: Pegasus Airlines Leaked 6.5TB of Data in AWS S3 Bucket Mess Up

**Pegasus Airlines is a Turkey-based low-cost airline that exposed Electronic Flight Bag (EFB) data to the public including sensitive information such as source code, crew and staff data, and flight details.**

A team of security researchers at SafetyDetectives have shared details of an unprotected cloud data storage discovered on February 28th, 2022. The details of the incident have only been shared this week.

According to researchers, the data belonged to a low-cost domestic and international flight operator known as Pegasus Airlines. Part of the data leak is the personal information of the airline’s flight crew, source code, and flight data. The database was left open in an AWS S3 bucket.

**Details of Leaked Data**

In a blog post published by SafetyDetectives, around 23 million documents were stored in the unprotected AWS S3 bucket, which equated to about 6.5TB of data. The exposed data included more than 3 million sensitive flight data files, including flight charts/revisions, pre-flight checks-related issues’ details, insurance documents, and crew shift information.

Furthermore, more than 1.6 million files contained the airline crew’s PII (personally identifiable information). This included their photos and signatures.

**Pegasus Airlines’ EFB Software Leaked the Data**

Reportedly, parts of the leaked data were tracked to the EFB (Electronic Flight Bag) software. This software, PegasusEFB, is developed by Pegasus Airlines and acts as an information management tool for the airline. EFBs help optimize the crew’s productivity by offering vital reference materials for the flight.

According to the SafetyDetectives research team, the source code of the EFB software was also included in the exposed database, including secret keys and plain text passwords. Pilots use PegasusEFB for various functions like take-off/landing, aircraft navigation, refueling, safety procedures, and other in-flight operations.

Image 1: PegasusEFB’s admin panel – Image 2: .CSV files with flight and crew data – Image 3: Flight charts featuring navigation data – Image 4: Photo of one of the Pegasus Airline’s crew members (Images Provided by SafetyDetectives)

**Possible Dangers**

The data leak has jeopardized the safety and privacy of the Pegasus Airline’s crew members. Researchers noted that the leak would allow threat actors to access sensitive flight details. Organized crime groups can coerce crew members, and bad actors may identify security loopholes in the airline and airport security.

Cybercriminals can tamper with “sensitive flight data and extra-sensitive files using passwords and secret keys found on PegasusEFB bucket.” Though researchers further claimed that there’s no certainty that pilots would use this bucket’s files for future flights, their contents may block vital EFB data from reaching the airline staff and risk the passengers and crew members.

> “With millions of files containing recent and possibly relevant flight data, unfortunately, an attacker could have numerous options to cause harm if they found PegasusEFB’s bucket.”
> 
> SafetyDetectives Cybersecurity Team

SafetyDetectives researchers stated that at the moment, there’s no evidence threat actors detected the trove before they did. The team notified Pegasus Airlines on 1 March 2022, and three weeks later, the leak was remediated.

**More AWS S3 Bucket Mess Up**

*   Misconfigured AWS bucket exposed 421GB of Artwork Archive data
*   Unprotected S3 Cloud Bucket Exposed 100GB of Classified NSA Data
*   350 million email addresses exposed on misconfigured AWS S3 bucket
*   Amazon S3 Buckets Exposed US Military’s Social Media Spying Campaign
*   S3 bucket mess up exposed 182GB of senior US, and Canada citizens’ data

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Pegasus Airlines Leaked 6.5TB of Data in AWS S3 Bucket Mess Up

During the protests in Hong Kong, young people carried laser pointers, umbrellas, and plastic ties—objects that sometimes led to their arrest, and years of legal limbo.

‘How Are They Weapons? That’s Only a Flashlight!’

A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more. Configuration of the platform is possible through TCP/58727 by default.

By sending a series of properly-formatted configuration messages to the OAS Platform, it is possible to upload an arbitrary file to any location permissible by the underlying user. By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

Before the transfer of a file will be accepted, it is necessary that a Security Group with File Transfer permissions and a User Account in that group exist. Both the Security Group and the User Account referred to here are elements within the OAS Platform, not on the underlying Linux machine. If an acceptable Security Group and User Account already exist, the necessary credentials can be sniffed off the network and used for the transfer. If they do not exist, they would need to be created before exploitation would be possible.

Once the required Security Group and User Account credentials have been obtained, a file of choice can be uploaded to the underlying linux machine at any path permissible by the user owning the oas-engine service, through use of the SecureTransferFiles command accompanied with the newly created (or sniffed) credentials. A valid SecureTransferFiles command resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   02 b6 00 00 40 00 40 06 a2 4f c0 a8 0a 6a c0 a8   ....@.@..O...j..
    0020   0a 38 c4 ea e5 67 18 9e 24 8a 19 e0 9f df 80 18   .8...g..$.......
    0030   08 0a b5 4d 00 00 01 01 08 0a 36 5a a0 6d d6 19   ...M......6Z.m..
    0040   2e 41 00 00 00 00 00 d0 83 40 00 01 00 00 00 ff   .A.......@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 13   ................
    0070   53 65 63 75 72 65 54 72 61 6e 73 66 65 72 46 69   SecureTransferFi
    0080   6c 65 73 09 03 00 00 00 10 03 00 00 00 04 00 00   les.............
    0090   00 08 08 01 00 00 00 06 04 00 00 00 0d 4d 61 6c   .............Mal
    00a0   69 63 69 6f 75 73 55 73 65 72 06 05 00 00 00 20   iciousUser..... 
    00b0   31 4d 5a 4a 32 58 54 65 41 77 69 38 38 2b 61 59   1MZJ2XTeAwi88+aY
    00c0   78 62 55 30 37 76 2b 6b 34 47 57 4a 69 56 50 78   xbU07v+k4GWJiVPx
    00d0   09 06 00 00 00 10 06 00 00 00 01 00 00 00 09 07   ................
    00e0   00 00 00 10 07 00 00 00 04 00 00 00 08 08 01 00   ................
    00f0   00 00 06 08 00 00 00 13 2f 68 6f 6d 65 2f 6f 61   ......../home/oa
    0100   73 75 73 65 72 2f 2e 73 73 68 2f 06 09 00 00 00   suser/.ssh/.....
    

When a successful SecureTransferFiles command is received, a response similar to the following will be returned:

    0000   00 00 00 00 00 80 44 40 00 01 00 00 00 ff ff ff   ......D@........
    0010   ff 01 00 00 00 00 00 00 00 10 01 00 00 00 02 00   ................
    0020   00 00 06 02 00 00 00 07 53 75 63 63 65 73 73 0a   ........Success.
    0030   0b                                                .
    

With file upload functionality successful, various approaches can be taken to get access to the system. The proof-of-concept here uploads a new authorized_keys file to the oasuser’s .ssh directory, after which it is possible to gain access to the system via a ssh command like the following: ssh -i id_rsa oasuser@192.168.1.10

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Vendor Response**

released as version 16.00.0113

https://openautomationsoftware.com/downloads/

**Timeline**

2022-03-15 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

Tag

#asus