This list has always been kept out of the public eye. Now that it has been posted publicly, the U.S. government and the TSA have begun investigating the leak and the threat actor behind it. The threat actor took the attack one step further, claiming to have pivoted from the AWS server to more critical systems that would allow them to delay or cancel flights. Air travel falls under one of the 16 most critical sectors within the United States, and this breach is receiving focused attention from the TSA and other federal investigators.
CommuteAir said that the exposed infrastructure, which it described as a development server, was used for testing purposes. The server also held the passport numbers, addresses, and phone numbers of roughly 900 company employees. According to the threat actor involved, user credentials for more than 40 Amazon S3 buckets and servers run by CommuteAir were also exposed.
Organizations are strongly advised to secure development infrastructure, including GitHub repositories and test machines. Dummy data, meaning records that are entirely randomly generated or programmatically altered, can be used to provide an additional layer of security. Finally, it is advisable to audit S3 bucket policies and access, disable access control lists, ensure buckets are not publicly accessible, apply the principle of least access, and enforce encryption of data at rest and in transit. A reference link to S3 security best practices is included below.
https://www.bleepingcomputer.com/news/security/us-no-fly-list-shared-on-a-hacking-forum-government-investigating/
https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html
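The S3 recommendations above (public access, ACLs, encryption at rest and in transit, bucket policy) can be checked mechanically. The following is an added example, not code from CommuteAir or AWS: it audits bucket settings supplied as dictionaries shaped like the S3 API responses, and the two sample buckets and their names are constructed for illustration.

```python
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(cfg):
    """Return a list of findings for one bucket's settings."""
    findings = []
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    findings += [f"public access block: {f} is off" for f in PAB_FLAGS if not pab.get(f)]
    # ACLs are disabled only when object ownership is BucketOwnerEnforced.
    owners = cfg.get("OwnershipControls", {}).get("Rules", [])
    if not any(r.get("ObjectOwnership") == "BucketOwnerEnforced" for r in owners):
        findings.append("ACLs are still enabled")
    enc = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in enc):
        findings.append("no default encryption at rest")
    stmts = json.loads(cfg.get("Policy") or '{"Statement": []}')["Statement"]
    stmts = stmts if isinstance(stmts, list) else [stmts]
    # Encryption in transit: expect a Deny where aws:SecureTransport is "false".
    if not any(s.get("Effect") == "Deny" and
               s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false"
               for s in stmts):
        findings.append("policy does not deny non-TLS requests")
    for s in stmts:
        if (s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"})
                and not s.get("Condition")):
            findings.append(f"policy statement {s.get('Sid', '?')} allows any principal")
    return findings

# Constructed sample settings (hypothetical buckets, not data from the incident).
DEV_BUCKET = {
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-dev-bucket/*"}]}),
}
HARDENED_BUCKET = {
    "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True),
    "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]},
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-hardened-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
}
```

Calling `audit_bucket(DEV_BUCKET)` returns six findings and `audit_bucket(HARDENED_BUCKET)` returns an empty list; in practice the input dictionaries would be assembled from each bucket's own settings.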

