16-12-25, 05:51 AM
(This post was last modified: 18-12-25, 05:39 PM by FulcrumSec.)
UPDATE: Our patience has run out. Here's the full leaked data set:
Files currently archiving and uploading, already ~100gb there.
And be sure to keep an eye on our Index of Shame, where we'll be posting leaks of 14 other companies with trash security in the next couple of weeks unless they work out a deal with us: https://fulcrumsec.net/shame/
Next up is CrediElite https://fulcrumsec.net/shame/credielite/ with 1k+ credit card numbers that were so simple to decrypt a child could do it -- because they served their .env file with the encryption key up to the whole world!
---
First of all, this was not a sophisticated hack. It was hardly a hack at all. Raptor Supplies left their entire multinational infrastructure exposed to the public internet via an open directory. We just walked right in and took everything they had.
---
When we at FulcrumSec aren't owning megacorps with 0-click 0days, we've been working on a project called the INDEX OF /SHAME, where we scour the internet for corporations that have left their backends open to the entire internet by way of an open directory (you've probably G Dorked for these yourselves with intext:"Index of /").
Then we breach them, exfil everything of value, and if their revenue is as high as Raptor's ($100+ million), we ask nicely for a reasonable fee.
Raptor's fee was a mere $250,000, but so far they have not paid it, so this is a preview of the data their complete incompetence exposed to the whole world.
To start, here's the full contents of the open directory we found:
There are multiple DBs, complete Laravel backend, and hundreds of custom scripts exposing dozens of credentials -- all the code that runs their business and the services they use. We used these to move into their GCP, Zoho Workspace, and Exchange environments, dump more creds, and keep moving deeper.
Absurdly, there are a couple of exposed keys in those files that are STILL VALID in spite of our notifying them of the breach more than a week ago. Treasure hunt away if you'd like! The data also includes BCrypt hashes for admin passes that probably have not been changed, given their hilariously bad security posture!
We're also including a gigabyte chunk of the millions of invoices leaked, since Raptor is telling their customers that no "order level" data was exposed. This is such a baldfaced lie that we can't help but dump some of these right off the bat:
We'll keep adding to this post on a daily basis leading up until the full leak.
---
More dataset stats (and we are still finding more good stuff daily):
Total Size: 450GB+ (JSON/SQL/CSV)
- Identities Exposed: 298,425 Unique email addresses + associated data
- 2,811 Military/Government contacts (20+ countries) + associated data
- Deal Records: 428,531 with complete procurement history
- Financial Records: Transaction data, payment methods, billing addresses
- Google Ads: Full advertising strategy, transaction history, campaign performance
- Zoho CRM: MILLIONS of CASES, ORDERS, REFUNDS, CONTACTS, etc.
- Outlook email backup: 68 MILLION email messages, complete conversations with customers, issues with equipment (INCLUDING MILITARY ORDERS), troubleshooting, customer PASSPORTS, customer IBANs + OTHER BANKING data.
- Gmail: 13.3 MILLION emails, also with the above data and attachments
- Order Tracking: Granular order tracking through UPS, Ship24, FedEx (their API key is still active, incredibly) for MILLIONS of orders (including to military bases)
As you can see, Raptor's negligence exposed active duty military personnel, diplomatic corps, and critical defense supply chains.
- US Air Force: More than 100 Air Force emails, military base addresses, procurement, supply line, etc.
- US Navy: Logistics data for USS Santa Barbara (LCS-32) (Sourivanh.Sakdarak@lcs32.navy.mil) + base shipping data, supply line, phone numbers, ip addresses, invoices
- UK Ministry of Defence: Procurement contacts (Anthony.Furnival235@mod.gov.uk).
- Australian Defence Force: Invoices for DSTG and RAAF Base Amberley, ip addresses, addresses.
- NATO: Confirmed orders linked to natopart.com.
- US Dept. of State: 50+ email addresses, ips, addresses, payment info, at least one PASSPORT SCAN.
All will be posted here and on our onion site if Raptor doesn't pay up within a week.
To Raptor Supplies: Do the right thing for your customers and NEGOTIATE. Otherwise you'll be forcing our hand.
Currently, we're using reappropriated SMTP accounts to notify their clients of the breach and give them a chance to remove their data from the final leak package IF they send us a screenshot of them contacting Raptor to tell them to PAY UP and/or notify regulators in their country of Raptor's extraordinary incompetence.
We also are deleting the data of any concerned gov/military/NGO or other such org even if they do not send a screenshot, because the only mistake they made was trusting Raptor, and frankly, we might care more about protecting their data than Raptor does.
For those who are not gov/mil and don't contact Raptor on our behalf, we are going to continue to spam them, again, and again, and again, because we have more than a THOUSAND SendGrid, MailChimp, Brevo, and other mass mailing accounts in our armoury (thanks React2Shell!). And of course, we will eventually leak all of their company's data if Raptor does not comply.
Here's a sample of the gov/mil accounts whose communications, payment data, ip and physical addresses Raptor decided to leave loose on the internet. Just a tiny sample of the NEARLY 3K OF THEM THEY EXPOSED:
Stay tuned for the data leaks from the other 14 companies (and growing!) listed in our index of shame:
https://fulcrumsec.net/shame/
Their data too will be posted if they refuse to do the right thing and safeguard their users' data -- and their own.


