OSINT blog: Watch the skies

-

Aviation is an interest of mine as some of my family worked on airlines and I enjoy volunteering my time to work with organisations such as the Aviation ISAC with vulnerability disclosure, threat intelligence, and security research. So when another interesting OSINT challenge with aviation-related attributes cropped up on my radar this week, shared by @fs0131y, I was keen to get stuck into it.

Let's begin.

Immediate analysis of this image can give us several clues and help us along.

From the initial tweet, there are multiple attributes that will help with the rest of the challenge, this includes the time of day and the date, as well as what the aircraft's engine looks like. Using these attributes we can pivot to the next stage of our investigation.

Some Googling of engines, as well as Boeing and Air Bus planes, using the grey circle around the front of the engine and the logo on the site, I found a similar looking plane belonging to Air France - an A318 to be precise. Some Googling of these planes' seating plans uncovered which seat the person of interest is potentially sitting in at the time of this flight:

FlightRadar24.com is a great tool for any OSINT investigations to do with aviation. So I checked Air France's fleet to see if I could find the schedules of Air France flights at 7:12 AM, Tuesday 11 May 2021.

Enumerating through the aircraft flight lights I came across one which seems like it could be a likely contender for the flight taken by our person of interest.

Following the enumeration, I came across one flight at 05:12 UTC which is 07:12 CEST. The plane is travelling North and the Sun is rising in the East as it is the morning. 

I did some further OSINT on the person of interest and uncovered they work in Toulouse via their public Twitter feed.

Conclusions:

  • The seat number was most likely 8F (next to the engine)
  • The flight number is potentially AF7529 - an A318 (or potentially AF6103 - an A320)
  • The person of interest works in Toulouse and was likely travelling to Paris
Workings:

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more