Here's How BlackMatter Ransomware is Linked With LockBit 3.0

 

Cybersecurity researchers have discovered similarities between LockBit 3.0, the most recent version of the LockBit ransomware, and BlackMatter.

LockBit 3.0 was released in June 2022, introducing a brand-new leak site and the first ransomware bug bounty program. Zcash was also made available as a cryptocurrency payment method.

"The encrypted filenames are appended with the extensions 'HLJkNskOq' or '19MqZqZ0s' by the ransomware, and its icon is replaced with a .ico file icon. The ransom note then appears, referencing 'Ilon Musk' and the General Data Protection Regulation of the European Union (GDPR)," researchers from Trend Micro stated.

When the infection process is finished, the ransomware changes the machine's wallpaper to alert the user to the attack. While debugging a LockBit 3.0 sample, Trend Micro researchers found that several of its code snippets were lifted from the BlackMatter ransomware.

Identical ransomware threats

The researchers draw attention to the similarities between the privilege escalation and API harvesting techniques of LockBit 3.0 and BlackMatter. LockBit 3.0 performs API harvesting by hashing the API names of a DLL and comparing them against a list of the APIs the ransomware requires. This procedure is the same as BlackMatter's: the publicly accessible script for renaming BlackMatter's APIs also works on LockBit 3.0.
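The analyst's side of this technique, as an added example that is not from Trend Micro or from the renaming script mentioned above: hash every export name once, then look up the hashes found in a sample to recover readable API names. The hash function (rotate right 13, add byte) is a stand-in assumption, not the algorithm either ransomware family uses, and the export lists and hash inputs are constructed.

```python
"""Analyst-side lookup table for hashed API names (added example)."""

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def name_hash(name: str, seed: int = 0) -> int:
    """Stand-in hash (rotate right 13, add byte). An assumption for this
    example, not the algorithm used by LockBit 3.0 or BlackMatter."""
    h = seed & MASK32
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed export lists. In a real analysis these come from the export
# tables of the DLLs the sample loads.
EXPORTS = {
    "kernel32.dll": ["CreateFileW", "FindFirstFileW", "GetUserDefaultUILanguage"],
    "advapi32.dll": ["OpenProcessToken", "AdjustTokenPrivileges"],
    "ole32.dll": ["CoInitializeEx", "CoCreateInstance"],
}


def build_table(exports: dict, seed: int = 0) -> dict:
    """Map hash -> list of 'dll!Export' candidates (a list, so collisions show)."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table.setdefault(name_hash(name, seed), []).append(f"{dll}!{name}")
    return table


def resolve(hashes: list, table: dict):
    """Split hashes seen in a sample into resolved, ambiguous and unknown."""
    resolved, ambiguous, unknown = {}, {}, []
    for h in hashes:
        candidates = table.get(h, [])
        if len(candidates) == 1:
            resolved[h] = candidates[0]
        elif candidates:
            ambiguous[h] = candidates  # same name exported by several DLLs
        else:
            unknown.append(h)  # wrong algorithm/seed, or DLL not in the table
    return resolved, ambiguous, unknown


if __name__ == "__main__":
    table = build_table(EXPORTS)
    # Constructed "hash list from the sample": two known names and one miss.
    wanted = [name_hash("CoCreateInstance"), name_hash("OpenProcessToken"), 0]
    resolved, ambiguous, unknown = resolve(wanted, table)
    for h, api in resolved.items():
        print(f"0x{h:08x} -> {api}")
    print("unknown:", [f"0x{h:08x}" for h in unknown])
```

A large `unknown` list is the signal that the stand-in hash or seed does not match the sample and has to be recovered from the disassembly first.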

The most recent version of LockBit also checks the UI language of the victim machine to avoid infecting machines set to languages of Commonwealth of Independent States (CIS) member states.

Both LockBit 3.0 and BlackMatter delete shadow copies through Windows Management Instrumentation (WMI) via COM objects. The researchers point out that LockBit 2.0 instead deletes them using vssadmin.exe.

The findings coincide with LockBit becoming one of the most active ransomware-as-a-service (RaaS) gangs of 2022, with the Italian Internal Revenue Service (L'Agenzia delle Entrate) being the most recent target.

The ransomware family accounted for 14% of intrusions, second only to Conti at 22%, according to Palo Alto Networks' 2022 Unit 42 Incident Response Report, which is based on 600 cases handled between May 2021 and April 2022.


Apple Awards Bounty of $100,500 for Finding Flaws in MacBook

In 2021, Apple patched a set of macOS vulnerabilities that exposed the Safari browser to attack and let threat actors hack users' online accounts, cameras, and microphones. Cybersecurity expert Ryan Pickren, who found these vulnerabilities and reported them to Apple, was given a $100,500 bug bounty in view of how critical they were. The bugs exploit a set of security issues in iCloud sharing and Safari 15.

They allow an attacker to control multimedia permissions and gain full access to all sites that the user has opened in Safari, including Gmail, iCloud, PayPal, and Facebook accounts. The problem primarily concerns ShareBear, an iCloud file-sharing platform that prompts users to open a shared document. Pickren noticed that the prompt is not shown again once the user has opened a file.

Pickren concluded that this allows a threat actor who has access to the file to alter its contents afterwards. "ShareBear will then download and update the file on the victim's machine without any user interaction or notification. In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment," explains Pickren in his writeup. In simpler terms, a .PNG image file can have its entire content and extension changed into an executable binary ("evil.dmg") once the user has opened the file.

The binary can then be launched, triggering an exploit chain that uses additional bugs found in Safari to take control of the system's microphone and camera and steal local files stored on the device. It is not the first time Pickren has disclosed bugs in iOS and macOS that allow a threat actor to gain access to a system and control it.

The unauthorized access is gained when the victim opens a certain file type. He says "this project was an interesting exploration of how a design flaw in one application can enable a variety of other, unrelated, bugs to become more dangerous."

Hacker Spotlight: Interview with 'Cyberboy', Bug Bounty Hunter who Won $3000

A few days ago, Indian bug bounty hunter Shashank, aka Cyberboy, came up with a creative hack that led him from multiple errors to a Django admin takeover. The bug was in a private target he had been hunting on for a while. He passed all its subdomains to FFUF, the most recent and fastest open-source fuzzing tool written in Go, which is used to brute-force directories and files. You can read about the bug in detail in his blog post. I was impressed by the determination and creativity required to discover this exploit; curious as I was, I decided to interview the innovative mind behind this hack, and I'm sharing his answers with you all!


1) Hello Shashank, can you briefly introduce yourself to EHackingNews readers? 

Hi, I am Shashank. I am a security analyst at HackerOne, team lead at Cobalt (part-time), and a bug bounty hunter. I started bug bounties when I was 15 years old. I still do it in my free time after my regular job and part-time jobs. This all started in 2012-2013 when I heard that companies like Facebook and Google pay hackers for finding a valid security issue on their website. I have been rewarded/recognized by Facebook, Google, Apple, Microsoft, PayPal, and 100+ top companies for reporting a valid security issue.
 
2) A few days back, I read your blog post on the Django admin takeover and I was impressed by your persistence despite multiple errors you encountered, can you please share how did the final idea that led to the discovery of this exploit occur to you? 

Going back to my first bounty from Google. It took me four months to find my first bug back in 2013. And I concluded that I need persistence in this field.
 
I had the vulnerable endpoint where I found the bug in my suspicion notes for a week. After a week, when I managed to bypass the 500 error to access the endpoint, I started reviewing all API endpoints. Then I chained all the bugs to make the final exploit. I have tested countless APIs. With the experience of common patterns I see in all APIs, I was able to construct the right API call to execute the privilege escalation.
 
3) How did you discover hacking? Anything you can recall from your initial days as a bug bounty hunter? 

Yes, and I can never forget that incident because that changed my life forever. I studied at Sainik School. It was a boarding school. During my summer vacation, I was using Orkut, and I used to chat with one of my seniors. You know, way back then, social media was gaining popularity, and Orkut was a new thing. I used to chat with my senior every day after dinner. One day he was not online, and later, he informed me that his account was hacked. I was amazed at how this is even possible. So we together started digging and looking for clues about how it could have happened. After weeks of searching, we realized that his account was phished. 

After that, I wanted to learn it as well. Since I had zero programming experience, I had to spend months learning to phish. Later next year, while I was in school, I read in the library that hackers hack websites as well. After class 10th, I dropped out of Sainik School to pursue my career in IT and went to Delhi for JEE preparations. There I had my own computer, so I taught myself web hacking. I heard about the bug-bounty program during those days, and after my first bounty, I never stopped. Even today, in my free time, I love to participate in bug bounty programs.
   
4) What was the most exciting bug you ever discovered? 

My most exciting bug was in blockchain.com. I have always been a crypto enthusiast. I believe that blockchain will be the next big thing. Blockchain.com is an online bitcoin wallet that I use. I found a bug that allowed me to steal anyone’s bitcoin wallet backup file. This could be exploited to steal money from the user’s account with a single click. 

Besides, I found a bug in Apple iOS in 2017, which allowed me to permanently crash an iOS user’s WhatsApp by sharing a contact. 
 
5) What motivates you to hunt exploits? 

Finding security issues in big and popular platforms is challenging and thrilling. It gives me immense happiness when I am able to chain all pieces of information and small bugs to make it a bigger exploit. Apart from that, we can get financial rewards, swags, and recognition for every valid submission, which adds motivation to do it again and again. 
  
6) How did you feel about the response from the affected organizations? 

Honestly, I stick with programs that appreciate hackers and are responsive irrespective of how much they pay. If I notice a program is not very responsive, I tend to move to other targets.
 
7) How do you see the bug bounty space evolving over 5 years? 

Bug bounty has already boomed in 8 years. When I started, there were a few companies that had a bug-bounty program. Now it is almost countless. Millions have been paid out to hackers, and in the next five years, I am sure we will see more companies starting bug bounties. Even a government project like Aarogya Setu has started a bug-bounty program. We are going to see more in the coming future. More companies and better rewards.
  
8) What would you advise to the upcoming bounty hunters, any reading recommendations? 

I strongly believe in 2 things. One is reading, and the other is persistence. Even today, after eight years, I still read writeups of bugs published by other hackers on a daily basis. Software upgrades its security each day, and as hackers, we need to be ahead and more creative to remain in the game. In this field of ethical hacking and bug-bounty, the day you stop learning is the end of the career.

Apart from that, hacking requires patience and persistence. It is not easy to find a bug when so many people are looking into the same application. It's all about never giving up and continuing to look for bugs until you find one. This has always worked for me.
  
9) What are your thoughts about E Hacking News? 

I have known about E Hacking News from the time I got into security. It is one of the few blogs that started long back when ethical hacking and bug bounties were not very popular. I would like to thank the people behind every such blog who are trying to make this world understand that hacking is not a criminal activity. It is a profession now.

Thank you very much for your time, Cyberboy. Good luck hunting in the future!

Indian Security Researcher Finds Starbucks API Key Exposed on GitHub



Developers at Starbucks left an API (Application Programming Interface) key exposed with no password protection. Hackers could have used it to gain access to internal systems and manipulate the list of authorized users. The exposure could have been exploited in several ways: to execute commands on systems, to add or remove listed users, and to take over the AWS account.

The key was discovered by Vinoth Kumar, an Indian security researcher, who found it in a public GitHub repository and responsibly reported it to Starbucks on 17th October via the HackerOne vulnerability coordination and bug bounty platform. In the report summary, HackerOne stated, “Vinoth Kumar discovered a publicly available GitHub repository containing a Starbucks JumpCloud API Key which provided access to internal system information.”

“While going through GitHub search I discovered a public repository which contains JumpCloud API Key of Starbucks,” the researcher himself said.

The key would have allowed an attacker to access a Starbucks JumpCloud API, which is why the flaw was rated critical. Colorado-based JumpCloud is an Active Directory management platform that offers a directory-as-a-service (DaaS) solution that customers use to authorize, authenticate and manage users, devices, and applications. Other services it provides include web app single sign-on (SSO) and a Lightweight Directory Access Protocol (LDAP) service.

Starbucks acted on the issue very early on; Kumar noted on October 21 that the repository had been taken down and the API key had been revoked. Once the company had examined and accepted Kumar's proof-of-concept of the flaw, he was rewarded with a bounty of US$4,000 for responsibly disclosing the vulnerability.

Commenting on the matter, Starbucks said, “Thank you for your patience! We have determined that this report demonstrates significant information disclosure and is therefore eligible for a bounty.”

“At this time, we are satisfied with the remediation of the issue and are ready to move to closure. Thank you again for the report! We hope to see more submissions from you in the future.”

Huawei to Reward Hackers for Discovering Any ‘Secret Backdoors’ In Its Smartphone Technology


Hoping to outdo Google, Huawei announced at a "big bounty launch" that it will reward hackers for demonstrating a "critical" weakness in one of its Android devices.

The company revealed the program a week ago at a private event in Munich, Germany, for a few of the world's top Android hackers. It even gave an example of how hackers could bag the first prize: they would need to get remote access to the device without the target 'having to click anything'.

A high-severity hack would be one in which the hacker takes control of a phone while having direct access to it.

The company is said to be following Apple's lead in keeping the bug bounty invite-only. As revealed on Twitter by Forbes 30 Under 30 alum Maria Markstedter, who was one of the invited guests, the invited researchers will also be offered tokens to invite other altruistic hackers.

The bug bounty was first reported by TechCrunch recently, but no details on payments or logistics have been disclosed.

Huawei also announced that for a "high"-severity issue, hackers can earn up to $110,000 (€100,000), while Google offers up to $200,000 and $100,000 for demonstrations of comparable attacks on its Pixel phones.

While bug bounties are common among major smartphone makers, Apple and Google are behind two of the best known.

One suspected reason for Huawei's move is that the program could provide solid evidence that the company is not concealing any 'secret backdoors' in its most popular phones that the Chinese government could use.

Interview with BugsBounty.com founder Himanshu Sharma

We had a chance to interview Himanshu Sharma, founder of BugsBounty.com, who has found security bugs in top organizations including Google, Facebook and Apple.

How did you get interested in the field of information security?
When I was in school, I had an interest in computers. Physics, mathematics went over my head - Computers were the only one thing which I could understand. Since then I started playing around with computers, breaking them, fixing them. One day my blog got hacked, I did not get angry at the Hacker. Instead, I was very fascinated and curious about how he did it. After that incident, I started to do research in this field and now here I am.

Can you tell us about your company?
BugsBounty.com basically provides crowdsourced security solutions to corporate organizations. We host public and private programs, but not all companies, especially in India, are ready to allow external people to do testing. They believe it is risky. So in such cases, we can offer what we call "crowd simulation", which is unlike what any other company is doing.

Crowd simulation - We have an internal team of top hackers whom we have chosen from the crowd; we call them "crowd hackers", and they simulate the crowd. So, for example, if we have a crowd of about 10,000 people, we will choose the top 20 who are performing well. Currently, we have about 30 chosen hackers. "Crowd Simulation" is one of the things that gives advantages over other companies, as it gives them the power of the crowd yet the trust of an internal team.

We have raised about 5 million from LLoyds ventures.

Is this company unique to India?
Yes. It was very difficult and so risky to open a company like this. It wasn't easy to take this risk. In our company, confidence is the most important thing. We trust each other and we know everything about every single person in the team who is working for us in a private group.

I might add that we need to accept the fact that crowd security is the best form of security one can get. Even the Pentagon has accepted it already. It's time for you now.

How did you come up with the idea?
One day I realized that I need to show Indian companies that security is a very important thing, and so we suggested using crowd security in place of or concurrently with a typical VAPT company! I believe 1000 brains in the crowd are better than 10 in your office.

What do you think about the bug bounty market in India?
Actually, people are now opening up more. We have worked with over 80 clients in the past year, and a lot of them are from India - so it's a pretty big market.

Do you think Indian corporates have enough security?
Indian corporates do have quite some security in place. However, to ensure a better state of security, the power of the crowd has to be utilized. "The security of your website is as good as the best hacker that has tested you."


Zerodium offers $1 million for iOS 9 jailbreak


The time has come when companies offer money to hackers who can provide a way of infecting the iPhones and iPads of individuals.

Zerodium, a company that acquires exploits, has announced that it will pay $1 million USD to those who can provide a good enough iOS 9 jailbreak.

The company launched "The Million Dollar iOS 9 Bug Bounty" program, which aims to buy an "exclusive, browser-based, and untethered jailbreak" for Apple's latest mobile operating system.

The company explained the reason behind the program in a blog, “Apple iOS, like all operating system, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple's iOS is currently the most secure mobile OS. But don't be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here's where the Million Dollar iOS 9 Bug Bounty comes into play.”

According to the post, the Million Dollar iOS 9 Bug Bounty is tailored for experienced security researchers, reverse engineers, and jailbreak developers, and is an offer made by ZERODIUM to pay out a total of three million U.S. dollars ($3,000,000.00) in rewards for iOS exploits/jailbreaks.

“ZERODIUM will pay out one million U.S. dollars ($1,000,000.00) to each individual or team who creates and submits to ZERODIUM an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices,” the company added.

The company has set some rules that a hacker needs to follow: the jailbreak must be reliable and silent, and must not require any action by the user other than visiting a web page or reading a text/MMS message. It must also work on a wide range of Apple hardware, including the iPhone 6S and 6S Plus. The pair of phones doesn't go on sale until September 25, while the bounty program expires on October 31, giving people a little over a month to get their potential exploits working on the new phones.

“Partial or incomplete exploits/jailbreaks will not be eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such partial exploits. All submissions must be made exclusively to ZERODIUM and must include the fully functioning exploit and its source code (if any), and a detailed whitepaper describing all the zero-day vulnerabilities and techniques used in the jailbreak,” the post added.

Flaw in Sync photos feature on Facebook mobile app


A hacker has found a new flaw in Facebook that allows any malicious application to view your synced mobile photos.

The Sync photos feature allows users to sync their mobile photos with their Facebook account; the photos remain private until you publish them. On many mobile phones, however, this feature is turned on by default.

Laxman Muthiyah found that the "vaultimages" endpoint of the Facebook Graph API handles these synced photos, and that this endpoint is vulnerable.

The Facebook app retrieves the synced photos using a top-level access token, making an HTTP GET request to a specific URL; the flaw enabled a malicious app to read all your private photos in seconds.

Laxman Muthiyah reported this flaw to the Facebook Security Team, which pushed a fix in less than 30 minutes and rewarded him $10,000 USD as part of its bug bounty program.