The new Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires CISA to create rules regarding cyber incident reporting by critical infrastructure organizations. The RFI and hearings precede a Notice of Proposed Rulemaking (NPRM) that CISA must publish sooner than 24 months from the enactment of CIRCIA, which the President signed into law in March. The sessions and

Incident Reporting / Password Policy

The new Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires CISA to create rules regarding cyber incident reporting by critical infrastructure organizations. The RFI and hearings precede a Notice of Proposed Rulemaking (NPRM) that CISA must publish sooner than 24 months from the enactment of CIRCIA, which the President signed into law in March. The sessions and NPRM are steps toward creating the new rule.

CISA is soliciting expert opinion on what to include in a report but is taking steps to implement the change soon. Here's what that change means for businesses in the US and what you can do about it now.

**Overview of the CISA reporting rule**

Owners and operators of critical infrastructure must file cyber incident reports with CISA within 72 hours. They must report ransom payments for ransomware attacks within 24 hours. Other businesses can take part voluntarily.

The CISA Director can subpoena organizations in noncompliance to compel them to provide information necessary to determine whether a cyber incident happened. The CISA Director can refer the matter to the Attorney General to bring civil action to enforce the subpoena when necessary.

CISA will share data from cyber incident reports, including defensive measures and anonymized cyber threat indicators, with other organizations. The data will inform businesses to adjust security infrastructure, monitor for specific attack PPTs, and block or remediate attacks.

**What CISA's rule means for critical infrastructure businesses**

CISA's rule will enforce fast reporting, which will probably move organizations to speed up investigation and response, so initial reports are timely while showing mitigating actions. The rule will likely result in frequent reporting as the broader list of incidents includes scans and attempted incidents, not just successful intrusions. Unreported incidents and slow reporting can trigger enforcement action from the CISA Director. Organizations will require incident investigation and response to yield more results than in the past.

The rule will force organizations to use every means to tighten and enforce security protocols to reduce the frequency of cyber incidents. Organizations will need additional security rules and policies to reign in attacks; additional steps to enforce those protocols will follow.

Increasing demand for effective cybersecurity will elevate cyber industry competition. Cybersecurity vendors must keep pace with their customers and the new 72-hour timetable as they aid in the investigation, response, and reporting of incidents the rule covers. The market for security analysts and related specialists will grow.

**Getting ahead of CISA's reporting rules now**

CISA emphasizes taking action to mitigate cyber incidents. Response actions include triggering a disaster recovery plan and hunting for network intrusions.

Response actions are challenging even without stringent time constraints. It is common practice for organizations to reset employee passwords after a cyber incident. Password resets are expensive and time-consuming.

Organizations need solutions that ease the process. After an attack, IT can run a free copy of the Specops Password Auditor to generate a password age report to see who changed their passwords. IT can use this information to force a password reset as needed for those who have not manually changed their passwords.

**Password security is essential to protecting critical infrastructure**

Securing passwords with policies and resets safeguards accounts and stops the spread of breaches. For example, unauthorized access to accounts enables criminal hackers to move laterally across the network. Lateral movement lets them take control of additional accounts, including admin accounts, and breach and exfiltrate customer databases and intellectual property. Check out Specops Password Policy if you're looking to beef up your Active Directory password security in order to safeguard against a breach.

Password security is essential to defending critical infrastructure against ransomware attacks. Cybercriminals infected Colonial Pipeline with ransomware in 2021 using a single compromised password.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

What the CISA Reporting Rule Means for Your IT Security Protocol

Categories: News
Categories: Ransomware
Tags: Cuba ransomware

Tags:  ransomware

Tags:  double extortion

Tags:  Cybersecurity Advisory

Tags:  CSA

Tags:  CISA

Tags:  FBI

Cuba ransomware is spotlighted in a recent cybersecurity advisory (CSA) in the ongoing #StopRansomware campaign spearheaded by CISA and the FBI.



(Read more...)




The post CISA and the FBI issue alert about Cuba ransomware appeared first on Malwarebytes Labs.

In the latest #StopRansomware effort of publicizing ransomware information for network defenders, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint Cybersecurity Advisory (CSA) on the ransomware known as "Cuba." Though named "Cuba," the ransomware and its operators have no known link to the country. The recent advisory is reportedly an update from an FBI Flash notice on December 2021. As such, updated tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) are included in this advisory.

Since the aforementioned FBI Flash notice, CISA and the FBI have noted that US-based organizations victimized by Cuba ransomware have doubled. Third-party and open-source reports have also discovered a possible connection between Cuba ransomware actors, RomCom RAT (remote access Trojan) actors, and Industrial Spy ransomware actors. 

**Cuba ransomware 101**

Despite its name, threat actors behind Cuba ransomware haven't indicated a connection or affiliation with the Republic of Cuba.

Cuba ransomware is a Windows malware written in C++ that surfaced in late 2019. Like other ransomware groups, its threat actors use double extortion tactics, predominantly targeting organizations in the US in five critical infrastructure sectors: critical manufacturing, financial services, government facilities, healthcare and public health, and information technology. All stolen sensitive information is posted to their leak site, accessible only via Tor, the online tool that allows for anonymous browsing and internet connections.

Overview of Cuba ransomware’s leak page, ransom note, and a trove of encrypted files.  
(Source: Malwarebytes Threat Intelligence Team)

This ransomware arrives on target networks via spam campaigns, meaning emails are sent out to organizations with no particular target. In more recent campaigns, the Cuba ransomware has been seen being dropped by the malware downloader Hancitor (also known as Chancitor).

The spam email contains a download link where a Word document with malicious macros can be downloaded and opened. If users enable the macro when prompted, this document extracts and executes Hancitor. This malware then communicates with its command-and-control (C2) server to download several tools, facilitate lateral movement, and extract data.

It then drops and installs Cuba ransomware using PowerShell or PsExec.

Cuba ransomware has already been involved in several noteworthy attacks. In February 2021, it hit the widely used payment processor Automatic Funds Transfer Services (AFTS), affecting cities and agencies in Washington and California. In October 2022, Cuba ransomware threat actors impersonated the press office of the General Staff of the Armed Forces of Ukraine in a phishing campaign. According to Profero, a company specializing in rapid incident response involved in negotiations between Cuba ransomware victims and attackers, the threat actors speak Russian.

**Mitigating Cuba ransomware attacks**

CISA and the FBI issued mitigations for network defenders to follow to reduce attack risks from Cuba ransomware. Some of these are as follows:

*   Create and implement a recovery plan (if you don’t have one yet) to maintain and retain copies of pertinent and proprietary data.
*   All accounts that use passwords must at least comply with National Institute for Standards and Technology (NIST) standards.
*   Enable multi-factor authentication (MFA) on all accounts, especially those that access critical systems.
*   Ensure all software you use are updated to their latest versions and fully patched.
*   Audit accounts, paying particular attention to those with administrator privileges, and configure control accordingly.

You can read the complete and detailed list of recommended mitigations on this page. Various IOCs (associated files, email addresses, a Jabber address, IP addresses, Bitcoin wallets, and ransom notes) and MITRE ATT&CK techniques are also found on that page.

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

CISA and the FBI issue alert about Cuba ransomware

The threat actor behind an August intrusion used data from that incident to access customer data stored with a third-party cloud service provider, and affiliate GoTo reports breach of development environment.

An attacker who breached the software development environment at LastPass this August and stole source code and other proprietary data from the company appears to have struck the password management firm again.

On Wednesday, LastPass disclosed it is investigating a recent incident where someone using information obtained during the August intrusion managed to access source code and unspecified customer data stored within an unnamed third-party cloud storage service. LastPass did not disclose what kind of customer data the attacker might have accessed but maintained that its products and services remained fully functional.

**Unusual Activity**

"We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo," LastPass said. "We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement."

LastPass' statement coincided with one from GoTo, also on Wednesday, that referred to what appeared to be the same unusual activity within the third-party cloud storage-service. In addition, GoTo's statement described the activity as impacting its development environment but offered no other details. Like LastPass, GoTo said its videoconferencing and collaboration services remained fully functional while it investigates the incident.

It is unclear if the apparent breach of GoTo's development environment is related in any way to the August intrusion at LastPass or if the two incidents are entirely separate. Both companies declined to answer a Dark Reading question on whether the two incidents might be related.

The new breach at LastPass suggests that attackers may have accessed more data from the company in August than previously thought. LastPass has previously noted the intruder in the August breach gained access to its development environment by stealing the credentials of a software developer and impersonating that individual. The company has maintained since then that the threat actor did not gain access to any customer data or encrypted password vaults because of the design of its system and the controls it has in place.

**Were LastPass' Security Controls Strong Enough?**

Those controls include a complete physical and network separation of the development environment from the production environment and ensuring the development environment contains no customer data or encrypted vaults. LastPass has also noted that it does not have any access to the master passwords to customer vaults, thereby ensuring that only the customer can access it.

Michael White, technical director and principal architect at Synopsys Software Integrity Group, says LastPass' practice of separating dev and test and making sure that no customer data is used in dev/test are certainly good practices and in line with recommendations.

However, the fact that a threat actor managed to gain access to its development environment means they potentially had the ability to do a lot of damage.

"The short answer is that we simply cannot know based on what has been said publicly," White says. "However, if the impacted dev systems have any access to common internal tools used for software build and release — for example, source code repositories, build systems, or binary artifact storage — it could allow an attack to insert a surreptitious back door into the code."

So, the mere fact that LastPass might have separated development and test from its production environment is not enough guarantee that customers were fully protected, he says.

LastPass itself has only confirmed the threat actor behind the August breach as accessing its source code and some other intellectual property. But it's unclear if the actor might have done other damage as well, researchers tell Dark Reading.

Joshua Crumbaugh, CEO at PhishFirewall, says development environments tend to present easy targets for threat actors to inject malicious code without being detected. "That malicious code is like finding a needle that you don't know to look for in a haystack of needles," he says.

Development environments are also known for having hardcoded credentials and for insecure storage of API keys, user credentials, and other sensitive information. "Our research continuously demonstrates that development teams are one of the least security aware departments at most organizations," Crumbaugh says. He adds that LastPass' breach sequel suggests they didn't completely trace the attackers' actions after the first breach.

LastPass Discloses Second Breach in Three Months

By Deeba Ahmed
The KmsdBot was known for targeting both Linux and Windows devices.
This is a post from HackRead.com Read the original post: A Syntax Error Led to Crashing of KmsdBot Cryptomining Botnet

KmsdBot was a newly discovered cryptocurrency mining botnet killed accidentally by Akamai’s team of researchers while researching on KmsdBot. According to researchers, a syntax error caused it to stop sending commands, which destroyed the botnet.

**What is KmsdBot?**

Named by Akamai Security Intelligence Response Team (SIRT) in November 2022, KmsdBot is was a **crypto mining botnet** equipped with command-and-control abilities. It infected victims by exploiting weak credentials and SSH via brute force.

The Akamai team assessed and **reported** on the botnet after one of its honeypots got infected. The botnet targeted both **Linux and Windows devices** using a range of microarchitectures to deploy mining software and include the compromised hosts in its DDoS bot army. Its main targets included gaming and tech firms and luxury vehicle makers.

1.  **Dangerous WireX Android DDoS Botnet Killed by Security Giants**
2.  **Andromeda Botnet that infected millions of devices is dismantled**
3.  **Mirai botnet resurfaces with MooBot variant against D-Link devices**
4.  **Russian Rsocks Botnet Powered by Millions of IoT Devices dismantled**
5.  **FBI Disrupts Cyclops Blink Botnet Used by Russian Intelligence agency**

**Incident Details**

In a **blog post**, Larry W. Cashdollar, a researcher at Akamai, the commands sent to the botnet while assessing its operational mechanism within a controlled environment mistakenly led to the malware’s neutralization.

After a single “improperly formatted command,” Cashdollar explains, the bot stopped sending any command. This could be possible because of the absence of an internal error-checking feature built into its source code to verify the incoming commands. 

So, any instruction given without a space between the port and the target website caused the Go binary on the infected device to crash entirely and stop communicating with its C2 server. Hence, this **killed the botnet**.

Since the botnet doesn’t feature a persistence mechanism, the malware operators will need to re-infect the devices once again and rebuild the entire infrastructure from scratch.

“This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue. This is a strong example of the fickle nature of technology and how even the exploiter can be exploited by it,” Cashdollar explained.

A Syntax Error Led to Crashing of KmsdBot Cryptomining Botnet

No longer the realm of lone wolves, the world of cybercrime is increasingly strategic, commoditized, and collaborative.

Just as you keep up with the latest news, tools, and thought leadership in order to protect and secure your organization from cybercriminals, your adversaries are doing the same thing. They are connecting on forums, evaluating new software tools, talking with potential buyers, and searching for new ways to outsmart your security stack.

A peek into their world shows they have advanced capabilities that often outmaneuver well-funded security teams and corporate security tools, especially when pitted against legacy solutions like signature-based antiviruses. Many security operations centers (SOCs) fail to prioritize real threats, while wasting time trying to solve others that they can realistically never scale to meet.

Security defenders need to move beyond the mental image of the lone hooded figure sitting in a dimly lit basement as cigarette smoke wisps up from a dirty ashtray. Let's take stock of the world of cybercrime as it exists today: strategic, commoditized, and collaborative (especially if the criminals have money to spend).

**Strategic Intent Backs Every Attack**

Adversaries always have a business purpose; there’s a plan for every piece of malware. To begin, cybercriminals snoop around for access to your environment, looking for something they can steal and potentially resell to someone else. While an attacker may not know _exactly_ what they want to do once they gain access to your environment, they tend to recognize value when they see it.

They may perform reconnaissance by looking for misconfigurations or exposed ports to exploit, a process often made trivially easy by known CVE databases and free open-port scanners. Initial compromise can also be accomplished by stealing a user’s credentials to access the environment, a process that’s sometimes even easier, before moving laterally to identify key assets.

**The Cyber Weapons Black Market is Maturing**

Cybercriminals have developed a sophisticated underground marketplace. Tools have evolved from relatively inexpensive and low-tech products into those with advanced capabilities delivered via business models familiar to legitimate consumers, like software as a service (SaaS). Threat hunters are witnessing the commoditization of hacking tools.

Phishing kits, pre-packaged exploits, and website cloning tools used to be very common. Designed to mimic website login pages, such as Microsoft Office 365 or Netflix, these tools were quite effective at capturing users’ credentials for many years.

Over the past two decades, though, the security community responded to this type of activity with techniques like pattern recognition, URL crawling, and shared threat intelligence. Tools like VirusTotal have made it a common practice for the discovery of malicious files to be shared with the wider security community almost instantaneously. Naturally, adversaries are well aware of this and have adapted.

**A New Phishing Methodology**

Today’s adversaries have also learned to capitalize on the rise of multi-factor authentication (MFA) by hijacking the verification process.

One new type of phishing kit is called EvilProxy. Like kits of the past, it mimics website login pages to trick users into giving away their login credentials. Unlike phishing kits of the past that were sold as one-time purchases, this new methodology — sold by specialists in access compromise — operates via a rental model, whereby the seller rents out space on their own server for running phishing campaigns.

They host a proxy server that operates like a SaaS model. The service costs about $250 for 10 days of access. This allows the SaaS providers to make more money and enables them to collect statistics they can then publish on hacker forums to market their products and compete against other sellers.

New kits have built-in protections to defend their phishing environment from unexpected visitors. Since they obviously don’t want web crawlers indexing their sites, they use bot protection to block crawlers, nuanced virtualization detection technology to ward off security operations teams doing reconnaissance through a virtual machine (VM), and automation detection to prevent security researchers from crawling their kit websites from different angles.

**The “Adversary in the Middle” Scenario**

In the context of bypassing MFA, acting as a reverse proxy to the authentic login page content creates big problems for typical phishing detection. By sitting between the user and the target website, the reverse proxy server allows the adversary to gain access to the username, password, and session cookie that is set after MFA is completed. They can then replay the session back into a browser and act as the user on that destination.

To the user, everything looks normal. By using slight variations of names in the URLs, the cybercriminals can make the site seem completely legitimate, with everything working as it should. Meanwhile, they have gained unauthorized access through that user, which can then be exploited for their own purposes or auctioned off to the highest bidder.

**The Adversary’s Business Model**

In addition to new phishing methodologies, malware is sold openly on the Internet and operates in a sort of gray space, floating between legal and illegal. One such example is BreakingSecurity.net, which markets the software as a remote surveillance tool for enterprise.

Every piece of malware has a price point associated with it to drive an outcome. And these outcomes have a clear business intent, whether it’s to steal credentials, generate cryptocurrency, demand a ransom, or gain spy capabilities to snoop around a network infrastructure.

Nowadays the creators of these tools are partnering with the buyers through affiliate programs. Similar to a multi-level marketing scheme, they say to the affiliate buyer of the tool, “Come to me when you get in.” They even offer product guarantees and 24/7 support of the tool in exchange for splitting the profits. This allows them to scale and build a hierarchy. Other types of cybercriminal entrepreneurs sell pre-existing compromises to the highest bidder. There are multiple business models at play.

**Today’s Reality: Case for an Advanced Cloud Sandbox**

Security teams should understand what today’s adversaries do and how quickly their actions can play out. The advanced malware on the market now is even more severe than phishing. Whether it’s Maldocs that evade filters, ransomware, information stealers, remote access trojans (RATs), or post-exploitation tools that combine toolsets, threat actors are more advanced than ever before—and so are their business models.

Countermeasures based on standard sandboxes doesn’t provide much in the way of inline prevention. Detection that combines cloud and AI can stop the stealthiest threats inline, in real time, and at scale.

If you’re not evolving with adversaries, you're falling behind. Because today’s cybercriminals are as professional and on their game as you.

Read more _Partner Perspectives_ from Zscaler.

Of Exploits and Experts: The Professionalization of Cybercrime

Market drivers include new regulations, increasing automobile complexity, and new vehicle types.

**BOULDER, Colo., Dec. 1, 2022 /PRNewswire/ —** A new report from Guidehouse Insights explores the global market for automotive cybersecurity solutions.

Automotive cybersecurity is the protection of connected vehicle systems, including software and communication networks, from tampering of any kind. Underlying the need for automotive cybersecurity is the increasingly complex technology of modern vehicles. According to a new report from Guidehouse Insights, paralleling increasing sales of connected vehicles, the market for automotive cybersecurity solutions is expected to grow steadily over the next 10 years, with revenue reaching more than $445.4 billion by 2031.

"The outlook for the automotive cybersecurity market over the next 10 years is strong. With vehicles becoming more reliant on electronic-based features and greater connectivity, the need for protection is high and growing," writes report author Karen Marcus, research analyst with Guidehouse Insights. "Interconnected systems involve small computers, or electronic control units for specific functions, multiple communication protocols, internal and third-party software, automation features, and cloud connectivity. Each of these components alone and working together creates potential attack vectors that must be protected."

Automotive manufacturers and their suppliers are increasingly driven by new regulations that require them to integrate cybersecurity solutions as a condition of approval for new designs; often, they are working to update their processes and systems before regulations go into effect. Other market drivers include increasing automobile complexity, new vehicle types, and shared vehicle services. Barriers to growth include resistance from research and development teams, high rates of employee resignation, and a chip shortage, all of which impact the industry's ability to provide service as quickly or thoroughly as its leaders would like, according to the report.

The report, "Automotive Cybersecurity Market Overview," analyzes the global market for automotive cybersecurity solutions, examines the key technologies in vehicles that require protection, and looks at the competitive landscape. It provides market outlooks for annual vehicle sales and revenue across six world regions—North America, Western Europe, Eastern Europe, Asia Pacific, Latin America, and Middle East & Africa—during the ten-year analysis period 2022 to 2031. An executive summary of the report is available for free download on the Guidehouse Insights website.

**About Guidehouse Insights**

Guidehouse Insights, the dedicated market intelligence arm of Guidehouse, provides research, data, and benchmarking services for today's rapidly changing and highly regulated industries. Our insights are built on in-depth analysis of global clean technology markets. The team's research methodology combines supply-side industry analysis, end-user primary research, and demand assessment, paired with a deep examination of technology trends, to provide a comprehensive view of emerging resilient infrastructure systems. Additional information about Guidehouse Insights can be found at www.guidehouseinsights.com.

**About Guidehouse**

Guidehouse is a leading global provider of consulting services to the public sector and commercial markets, with broad capabilities in management, technology, and risk consulting. By combining our public and private sector expertise, we help clients address their most complex challenges and navigate significant regulatory pressures focusing on transformational change, business resiliency, and technology-driven innovation. Across a range of advisory, consulting, outsourcing, and digital services, we create scalable, innovative solutions that help our clients outwit complexity and position them for future growth and success. The company has over 15,000 professionals in over 55 locations globally. Guidehouse is a Veritas Capital portfolio company, led by seasoned professionals with proven and diverse expertise in traditional and emerging technologies, markets, and agenda-setting issues driving national and global economies. For more information, please visit www.guidehouse.com.

Guidehouse Insights Anticipates Market for Automotive Cybersecurity Solutions Will Grow to More Than $445 Billion by 2031

Know what you need to fix today and what you don’t.

**EVERGREEN, Colo., December 1, 2022** **—** Phylum, The Software Supply Chain Security Company, today announced the addition of Automated Vulnerability Reachability to its software supply chain security platform capabilities. With the ability to focus only on fixing what matters_, s_ecurity pros can end the deluge of false positives and developers can innovate with greater speed and confidence. This new introduction, combined with Phylum’s ability to block and prioritize open-source code risks, provides organizations with the most comprehensive software supply chain security available in the market.

Vulnerabilities represent a clear and present danger to the integrity of the software supply chain, but the massive amount of noise and false positives that come with traditional detection methods drain resources and leave organizations overwhelmed.

"Vulnerability management has been a frustrating and persistent challenge for security teams for well over a decade. Phylum has automated the answer to the question, 'Do I actually call the code triggering this vulnerability?' Addressing this question reduces customer false positive vulnerability issues by 90% or more and enables security teams to engage their development teams with supply chain issues that truly matter," said Peter Morgan, co-founder and president of Phylum.

Most vulnerability management approaches do not account for the nuances of open-source libraries. In library code, the parts of the library used are just as important as the package name and version, and not accounting for this data results in an astronomically high false positive rate. For example, an organization might use a package for signing build packages that contains a known Heartbleed vulnerability. But since the organization is only using it for code signing and not using the part of OpenSSL where that vulnerability exists, it isn't reachable. The Phylum Platform recognizes this nuance and informs the user accordingly.

Organizations that use Phylum save precious developer time, make more critical fixes and improve overall security posture by leveraging:

1.  Deep source analysis and call tracing that identifies which vulnerabilities impact projects, and which ones don’t.
2.  Graph-powered analysis that identifies inter-package call paths to prioritize the most impactful bugs that need fixing.
3.  Automated, continuous policy enforcement that provides alerts if vulnerability functions change due to new development needs.

Since software projects are made up of anywhere from 70%-90% of open-source code, Phylum first blocks software supply chain attacks trying to enter environments from open-source packages. This alleviates the burden of having to do extensive remediation once source code is built. Automated Vulnerability Reachability then continuously monitors the code in the event any development, package or author changes result in new vulnerabilities.

The Phylum Software Supply Chain Security Platform is purpose-built to address persistent and evolving software supply chain security challenges. Regardless of the maturity stage of an appsec program, Phylum is designed to address immediate needs and scale with an organization to meet future needs.

Automated Vulnerability Reachability will be available in Q1 2023 via SaaS and On-Prem. Book a demo here.

**About Phylum**  
Phylum is on a mission to secure the universe of code. Its platform automates software supply chain security to block new risks, prioritize existing issues and allow users to only use open-source code that they trust. The company is built by a team of career security researchers and developers with decades of experience in U.S. Intelligence Community and commercial sectors. Phylum is the winner of the Black Hat 2022 Innovation Spotlight Competition and was named a Top Infosec Innovator by Cyber Defense Magazine. Learn more at https://phylum.io, read The Phylum Research Blog, and follow us on LinkedIn and Twitter.

Phylum Expands Its Software Supply Chain Security Capabilities, Introduces Automated Vulnerability Reachability

New web targets for the discerning hacker

New web targets for the discerning hacker

Bug bounty platform HackerOne has launched a scheme to encourage customers to adopt a standard policy geared towards protecting hackers from potential legal problems.

The Gold Standard Safe Harbor (GSSH) is designed to be “short, broad, \[and\] easily-understood”, according to HackerOne.

Many bug bounty and vulnerability disclosure programs offer safe harbor agreements that allow hackers acting in good faith to do their thing. HackerOne’s standard policy is designed to collate best practices while reducing the administrative burden for hackers, who will have no need to scrutinize the terms and conditions of targets before looking for in-scope vulnerabilities.

European crowdsourced security platform Intigriti, meanwhile, has launched Bug Bounty Calculator, a tool designed to help bug bounty program owners pitch their payout rates at the appropriate level.

To generate reward suggestions program providers select their industry and describe their assets in terms of risk level, maturity level, and incentive curve.

Inti de Ceukelaire, head of hackers at Intigriti, explained why he built the tool: “Anyone can set up a bug bounty program, but if you aren’t sure what you’re doing, you may pay too much for vulnerabilities. Even worse, set your bounties too low and you may not attract any researchers at all.”

The maximum payout awards under a growing number of programs have reached $1 million and more. Earlier this week The Daily Swig took a closer look into these high potential reward programs and discovered that market forces, in particular a scarcity of skilled talent, are driving up the value of rewards offered.

Web 3.0 and crypto platforms, in particular, are competing to offer dazzlingly high potential rewards. However, experts questioned by The Daily Swig pointed out the rarity of firms in this arena actually paying out seven-figure sums, which suggests some are offering enormous potential bounties in an attempt to court publicity.

Against this are several examples of six-figure payouts by more established tech vendors such as Apple and Intel. However, HackerOne reports that the median payouts for critical vulnerabilities comes in at $3,000 – a figure worth bearing in mind by anyone tempted to quit their day job in pursuit of greater riches on the bug bounty circuit.

An example of an interesting flaw on the lower end of the scale dropped early in November when a researcher revealed that they had earned a $250 bug bounty payout after discovering a code injection flaw in Acronis’ cloud management console that could be abused for data theft.

On November 4, ‘Medi’ (under the alias ‘mr-medi’), published a technical analysis of the client-side path traversal flaw, which they described as the “favorite bug” they’d ever found.

**The latest bug bounty programs for December 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Abraxas (enhanced)**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Public

**Max reward:  
**CHF 30,000 ($26,167)

**Outline:  
**Abraxas, which provides IT services for the government and public sector in Switzerland, has tripled maximum payouts from 10,000 Swiss francs to 30,000 francs.

**Notes:  
**Program has a particular focus on vulnerabilities that could enable attackers to manipulate the outcome of Swiss elections.

Check out the Abraxas bug bounty page for more details

**Amber AI**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**AMBER AI, a “crypto-finance service provider”, is offering between $2,500 and $5,000 for the submission of valid critical bugs.

**Notes:  
**Vulnerabilities in AMBER AI’s core business services qualify for the highest payout tier but the web 3.0 business is also interested in a wide range of web security vulnerabilities such as SQL injection, CSRF, and denial-of-service issues.

Check out the AMBER AI bug bounty page for more details

**Expedia Group**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Expedia runs a portfolio of travel websites that offer hotel, flight booking, and more.

**Notes:  
**A range of targets are in scope including hotels.com. orbitz.com, and expedia.com.

Check out the Expedia Group bug bounty page for more details

**Magic Eden**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**Magic Eden styles itself as a community-centric NFT marketplace.

**Notes:  
**The bug bounty program is focused on smart contracts and on guarding against the freezing of funds, direct theft, denial of business function, or other attacks that interfere with the smooth operation of the marketplace.

Check out the Magic Eden bug bounty page for more details

**Teleport**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:**

Teleport offers open source technology based around the zero trust model and designed for the administration of servers and cloud-based applications.

**Notes:  
**Vulnerabilities in both the on-premises software and cloud-based versions of Teleport’s technologies fall within the scope of the program.

Check out the Teleport bug bounty page for more details

**ThousandEyes**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$4,500

**Outline:  
**ThousandEyes, which offers network intelligence software, has invited elite hackers to probe five targets for security flaws.

**Notes:  
**In-scope targets include ThousandEyes' website, application platform, customer-accessible API, and enterprise and agent software. The firm reopened its previously dormant bug bounty program in late November.

Check out the ThousandEyes bug bounty page for more details

**ZeroBounce**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**ZeroBounce offers email marketing services, targeted towards the needs of enterprise customers.

**Notes:  
**A broad array of web security vulnerability (such as XSS) on the zerobounce.in domain and flaws in the associated API library (api.zerobounce.in) are within scope.

Check out the ThousandEyes bug bounty page for more details

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for November 2022

Bug Bounty Radar // The latest bug bounty programs for December 2022

More than 300,000 users across 71 countries have been victimized by a new Android threat campaign called the Schoolyard Bully Trojan.
Mainly designed to steal Facebook credentials, the malware is camouflaged as legitimate education-themed applications to lure unsuspecting users into downloading them.
The apps, which were available for download from the official Google Play Store, have now been

More than 300,000 users across 71 countries have been victimized by a new Android threat campaign called the **Schoolyard Bully Trojan**.

Mainly designed to steal Facebook credentials, the malware is camouflaged as legitimate education-themed applications to lure unsuspecting users into downloading them.

The apps, which were available for download from the official Google Play Store, have now been taken down. That said, they still continue to be available on third-party app stores.

"This trojan uses JavaScript injection to steal the Facebook credentials," Zimperium researchers Nipun Gupta and Aazim Bill SE Yaswant said in a report shared with The Hacker News.

It achieves this by launching Facebook's login page in a WebView, which also embeds within it malicious JavasCript code to exfiltrate the user's phone number, email address, and password to a configured command-and-control (C2) server.

The Schoolyard Bully Trojan further makes use of native libraries such as "libabc.so" so as to avoid detection by antivirus solutions.

While the malware singles out Vietnamese language applications, it has also been discovered in several other apps available in over 70 countries, underscoring the scale of the attacks.

The findings come more than a year after Zimperium unearthed similar activity aimed at compromising Facebook accounts through rogue Android apps as part of a campaign codenamed FlyTrap.

"Attackers can cause a lot of havoc by stealing Facebook passwords," Richard Melick, director of mobile threat intelligence at Zimperium, said. "If they can impersonate someone from their legitimate Facebook account, it becomes extremely easy to phish friends and other contacts into sending money or sensitive information."

"It's also very concerning how many people reuse the same passwords. If an attacker steals someone's Facebook password, there's a high probability that same email and password will work with banking or financial apps, corporate accounts and so much more."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel