Sakura Samurai (group)

Sakura Samurai was a white hat hacking and security research group that was founded in 2020. The group is responsible for multiple vulnerability disclosures involving governmental groups and various corporations.

History
Sakura Samurai was founded in 2020 by John Jackson, also known as "Mr. Hacking". Active members of the group include Jackson, Robert "rej_ex" Willis, Jackson "Kanshi" Henry, Kelly Kaoudis, and Higinio "w0rmer" Ochoa. Ali "ShÄde" Diamond, Aubrey "Kirtaner" Cottle, Sick.Codes, and Arctic are all former members of the group.

In October 2022, Sakura Samurai announced on their Twitter page that they are now inactive due to "various other commitments" the members have individually.

United Nations
Sakura Samurai discovered exposed git directories and git credential files on domains belonging to the United Nations Environmental Programme (UNEP) and United Nations International Labour Organization (UNILO). These provided access to WordPress administrator database credentials and the UNEP source code, and exposed more than 100,000 private employee records to the researchers. Employee data included details about U.N. staff travel, human resources data including personally identifiable information, project funding resource records, generalized employee records, and employment evaluation reports. Sakura Samurai publicly reported the breach in January 2021, after first disclosing it through the U.N.'s vulnerability disclosure program.

India
In March 2021, Sakura Samurai publicly disclosed vulnerabilities that affected 27 groups within the Indian government. After finding exposed git and configuration directories, Sakura Samurai were able to access credentials for critical applications, more than 13,000 personal records, police reports, and other data. The group also discovered vulnerabilities relating to session hijacking and arbitrary code execution on finance-related governmental systems. After the issues reported to India's National Critical Information Infrastructure Protection Centre went unaddressed for several weeks, Sakura Samurai involved the U.S. Department of Defense Vulnerability Disclosure Program, and the issues were remediated.

Apache Velocity Tools
Sakura Samurai discovered and reported a cross site scripting (XSS) vulnerability with Apache Velocity Tools in October 2020. Sophisticated variations of the exploit, when combined with social engineering, could allow attackers to collect the logged-in user's session cookies, potentially allowing them to hijack their sessions. The vulnerable Apache Velocity Tools class was included in more than 2,600 unique binaries of various prominent software applications. Apache acknowledged the report and patched the flaw in November 2020, although Apache did not formally disclose the vulnerability.

Keybase
The group discovered that Keybase, a security-focused chat application owned by Zoom, was insecurely storing images, even after users had ostensibly deleted them. They reported the vulnerability in January 2021, and disclosed it publicly in February after the bug had been patched and updates had been widely distributed.

Pega Infinity and related breaches
Sakura Samurai found a vulnerability in Pegasystems' Pega Infinity enterprise software suite, which is used for customer engagement and digital process automation. The vulnerability, which was first reported to Pegasystems in February 2021, involved a possible misconfiguration that would enable data exposure.

The vulnerability led to Sakura Samurai breaching systems belonging to both Ford Motor Company and John Deere, incidents which were publicly disclosed in August 2021. These breaches were the subject of a 2021 DEF CON presentation by Sick.Codes, which was titled "The Agricultural Data Arms Race: Exploiting a Tractor Load of Vulnerabilities in the Global Food Supply Chain (in good faith)".

Fermilab
In May 2021, Sakura Samurai reported vulnerabilities they had discovered and disclosed to Fermilab, a particle physics and accelerator laboratory. The group was able to gain access to a project ticketing system, server credentials, and employee information.