Sakura Samurai (group)

Sakura Samurai was a white hat hacking and security research group that was founded in 2020. The group is responsible for multiple vulnerability disclosures involving governmental groups and various corporations.


History

Sakura Samurai was founded in 2020 by John Jackson, also known as "Mr. Hacking". Notable former members include Jackson, Robert "rej_ex" Willis, Higinio "w0rmer" Ochoa, and Aubrey "Kirtaner" Cottle. In October 2022, Sakura Samurai announced on their Twitter page that they are now inactive due to "various other commitments" the members have individually.


Notable work


Governmental groups


United Nations

Sakura Samurai discovered exposed git directories and git credential files on domains belonging to the United Nations Environmental Programme (UNEP) and United Nations International Labour Organization (UNILO). These provided access to WordPress administrator database credentials and the UNEP source code, and exposed more than 100,000 private employee records to the researchers. Employee data included details about U.N. staff travel, human resources data including personally identifiable information, project funding resource records, generalized employee records, and employment evaluation reports. Sakura Samurai publicly reported the breach in January 2021, after first disclosing it through the U.N.'s vulnerability disclosure program.


India

In March 2021, Sakura Samurai publicly disclosed vulnerabilities that affected 27 groups within the Indian government. After finding exposed git and configuration directories, Sakura Samurai were able to access credentials for critical applications, more than 13,000 personal records, police reports, and other data. The group also discovered vulnerabilities relating to session hijacking and arbitrary code execution on finance-related governmental systems. After the issues reported to India's National Critical Information Infrastructure Protection Centre went unaddressed for several weeks, Sakura Samurai involved the U.S. Department of Defense Vulnerability Disclosure Program, and the issues were remediated.


Corporations


Apache Velocity Tools

Sakura Samurai discovered and reported a cross-site scripting (XSS) vulnerability in Apache Velocity Tools in October 2020. Sophisticated variations of the exploit, when combined with social engineering, could allow attackers to collect the logged-in user's session cookies, potentially allowing them to hijack their sessions. The vulnerable Apache Velocity Tools class was included in more than 2,600 unique binaries of various prominent software applications. Apache acknowledged the report and patched the flaw in November 2020, although Apache did not formally disclose the vulnerability.


Keybase

The group discovered that Keybase, a security-focused chat application owned by Zoom, was insecurely storing images, even after users had ostensibly deleted them. They reported the vulnerability in January 2021, and disclosed it publicly in February after the bug had been patched and updates had been widely distributed.


Pega Infinity and related breaches

Sakura Samurai found a vulnerability in Pegasystems' Pega Infinity enterprise software suite, which is used for customer engagement and digital process automation. The vulnerability, which was first reported to Pegasystems in February 2021, involved a possible misconfiguration that would enable data exposure. The vulnerability led to Sakura Samurai breaching systems belonging to both Ford Motor Company and John Deere, incidents which were publicly disclosed in August 2021. These breaches were the subject of a 2021 DEF CON presentation by Sick.Codes, which was titled "The Agricultural Data Arms Race: Exploiting a Tractor Load of Vulnerabilities in the Global Food Supply Chain (in good faith)".


Fermilab

In May 2021, Sakura Samurai reported vulnerabilities they had discovered and disclosed to Fermilab, a particle physics and accelerator laboratory. The group was able to gain access to a project ticketing system, server credentials, and employee information.

