Sophos Rewards


Sometimes, trying to be a good person brings on more pain than you might imagine. I was recently contacted by Oliver, a software developer who works in the security team for TYPO3, an open-source web content management system that is popular in Europe.


Oliver, like most open-source developers, works part-time on the project. Together with five others he makes up the security team for TYPO3. They typically receive about five security reports a week. Considering TYPO3 is a PHP application of some complexity, this is what we might expect.


Around July 2020 they noticed they were receiving higher volumes of submissions similar to the ones I have written about previously. At this point the number of weekly tickets had risen to between 10 and 15. In February 2021 there was an explosive increase in submissions, but we will get to that in a moment.

As a precursor to the February ramp up, one of Oliver’s colleagues fielded a bug report pointing out that you could coax a version string from an Apache Tomcat server hosting their Jira instance. This is by no means a vulnerability, but it is good practice not to disclose exact versions, as it may lead an attacker to know you are out of date and susceptible to a known exploit.
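The kind of disclosure described above (an exact product version in a `Server` header or in the footer of a default error page) is something a defender can check for on their own hosts before a "reporter" does. The following Python check is an added example; it is not code from the original article, from TYPO3 or from Sophos. The three HTTP responses are constructed to mimic default nginx and Apache Tomcat error pages and a hardened response; none was captured from any real host, and the product list in the regular expression is an assumption of what a typical fleet runs.

```python
"""Flag HTTP responses that disclose an exact server version.

Defender self-check: feed it raw responses captured from your own hosts.
The sample responses below are constructed, not captured from any site.
"""
import re
from typing import Dict, List, Tuple

# Product/version tokens as they appear in Server / X-Powered-By headers and
# in default error-page footers, e.g. "nginx/1.18.0", "Apache Tomcat/9.0.41".
# The product list is an assumption; extend it for the software you run.
VERSION_TOKEN = re.compile(
    r"\b(?:nginx|openresty|apache(?:\s+tomcat)?|php|microsoft-iis|jetty)/\d+(?:\.\d+)+\b",
    re.IGNORECASE,
)

# Headers that commonly carry a product version.
DISCLOSING_HEADERS = ("server", "x-powered-by")


def split_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_version_disclosures(raw: str) -> List[str]:
    """Return one finding per place an exact version leaks; empty if hardened."""
    _, headers, body = split_response(raw)
    findings: List[str] = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value and VERSION_TOKEN.search(value):
            findings.append(f"header {name}: {value}")
    for match in VERSION_TOKEN.finditer(body):
        findings.append(f"body: {match.group(0)}")
    return findings


# Constructed sample: nginx with the default server_tokens setting.
NGINX_DEFAULT = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>"
    "<center><h1>404 Not Found</h1></center>"
    "<hr><center>nginx/1.18.0</center></body></html>"
)

# Constructed sample: Tomcat default error page (no Server header, but the
# ErrorReportValve prints the version in the body).
TOMCAT_DEFAULT = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<!doctype html><html><head><title>HTTP Status 500</title></head><body>"
    "<h1>HTTP Status 500</h1><hr class=\"line\" />"
    "<h3>Apache Tomcat/9.0.41</h3></body></html>"
)

# Constructed sample: product name only, generic error body.
HARDENED = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)


def audit(samples: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the check over a named set of responses."""
    return {name: find_version_disclosures(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, found in audit(
        {"nginx-default": NGINX_DEFAULT, "tomcat-default": TOMCAT_DEFAULT, "hardened": HARDENED}
    ).items():
        print(f"{name}: {found or 'no version disclosed'}")
```

The fixes the check points at are ordinary configuration: in nginx, `server_tokens off;` in the `http` block removes the version from both the `Server` header and the built-in error pages; in Tomcat, setting `showServerInfo="false"` (and `showReport="false"`) on the `ErrorReportValve` in `server.xml` stops the version appearing in error bodies. Replace the constructed samples with responses captured from your own assets to use it as an inventory check.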

As a kind gesture, TYPO3 thought it would send the submitter some branded swag as a thank you for pointing out the weakness. The team hadn’t noticed that this person had accumulated more than 13,000 followers on Twitter who were looking for him to mentor them on how to make money from bug hunting.

Upon receipt of the gifts, he immediately tweeted to his followers: “Received beautiful swag from @typo3 Instant response ”. Later the same day he also tweeted: “How I developed my self in bounties ? Just 2 months challenge 1st month: Daily reporting 20 bugs , no matter what severity. Whatever I’ll find . I’ll report 2nd month: Reporting 5 bugs daily with quality report”.

Immediately, a few of the people who had “liked” the tweet submitted bug reports claiming to have found more server version strings on various web servers and internet-facing assets. Funnily enough, some people even submitted vulnerability reports pointing out that the source code for TYPO3 was downloadable from their website. Of course the source code is downloadable, it’s an open-source project! After the tweet thanking them, the number of submissions to TYPO3’s security team accelerated from 5 a week to more than 10 to 15 per day.

Another tactic we suspect this flurry of reporters used, but cannot prove, is reporting the same issue multiple times, but using different false identities in an attempt to get multiple rewards.

The first example appears to be someone who launched aggressive penetration testing scripts against some old unmaintained infrastructure causing a denial-of-service attack. As a result, the Nginx web server on that host reported an error message containing the version string. This person submitted a report containing a screenshot from an Android phone, not a desktop computer, which is unusual for bug hunters.

This reporter’s email address appeared to be named after a popular Bangladeshi film (“দেয়র কথা”). The time zone and IP address both pointed to Bangladesh as the origin.

Approximately 60 minutes later another almost identical report was fielded, also containing a screenshot from the same version of Android. This reporter gave the name Royel, had the time zone set to BDT, and used the same odd phrase as the first: “Version is disclosing 😊”

The TYPO3 team responded by resolving some of the issues causing the version information to be displayed and requested more information from the reporter to discover how they had crashed the application causing the errors. They were interested in the claims of “critical issues” and wanted to know more. The response from the beggar? “Give me bounty for my bug”

Oliver responded explaining how the team assesses the severity of threats, primarily on the facts presented about the risk to the platform and once again asked for more details. This seemed to anger the “beggar” who then turned to threats. This is no longer a nuisance, but a crime in most jurisdictions.

“Dear Sir, If you don’t pay me for the bug I am giving you, I will leak your company information on Facebook.Instagram, Telegram LinkedIn tweets on Youtube.

I will post so that no one else reports this program to you. Understand?

I will be very happy if you give me a bounty, and I will leak your information without seeing the bounty”

That’s textbook extortion. After it became clear that this wasn’t going to work, they returned to begging.


Sadly, the only conclusion I can draw from Oliver’s experience is that no good deed goes unpunished. What started out as a kind gesture towards a bug hunter who hadn’t really followed any guidelines and reported a throwaway concern, snowballed into a 5x to 10x increase in bug reports of little to no value.

There are groups of people actively encouraging this kind of behavior and it appears to have gotten out of hand. I recommend only paying or rewarding security reports submitted through officially sanctioned programs.

Services like Bugcrowd and HackerOne can also help in formulating guidelines and offer services you can pay for to help sort through your reports to increase your signal to noise ratio. This can be a great choice if you would like help establishing a bug bounty and want to reward those who truly are motivated to improve the safety and security of your product or service.

Know anything about North Korean hackers and their activities in cyberspace, past or ongoing?


The US on Wednesday said that it’s got up to $5 million in Rewards for Justice money if you cough up useful details, which you can do here.

The FBI and the Departments of State, Treasury, and Homeland Security (DHS) put out an advisory about the persistent threat from cybercriminals sponsored by the Democratic People’s Republic of Korea (DPRK).

Wednesday’s advisory is a 12-page list of resources and summary of the many cyber operations that have been traced to North Korea.

The advisory was based on a report, prepared for the United Nations Security Council last year, that claimed that North Korea has launched increasingly sophisticated cyberattacks targeting the financial industry, including banks and cryptocurrency exchanges.

The UN Security Council’s 2019 mid-term report said that dozens of suspected DPRK cyber-enabled heists were being investigated at the time. It said that the attacks had attempted to pull off about $2 billion in cyberheists. The US didn’t divulge how much of that money the cybercriminals actually got away with, though it did say that whatever money Pyongyang got its hands on has been used to develop weapons of mass destruction.

It’s got the talent to pull off those attacks and far more. In the advisory posted to US-CERT on Wednesday, the US said that the DPRK has a fully staffed set of state-sponsored cyber actors, including hackers, cryptologists, software developers who conduct espionage, and those who run politically motivated operations against foreign media companies.

Extortion

North Korean cyber actors are allegedly behind extortion campaigns, including both ransomware and mobster-like protection rackets.

In the report’s list of big, dreaded, infamous cyberattacks attributed to North Korea is one such devastating ransomware: WannaCry.

In September 2018, the Justice Department (DOJ) charged a North Korea regime-backed programmer, Park Jin Hyok, with being part of a team that launched multiple cyberattacks, including the global WannaCry 2.0 attack. The ransomware spread like wildfire in May 2017, infecting hundreds of thousands of computers in hospitals, schools, businesses, and homes in over 150 countries.

The DOJ also charged him with being part of the 2014 attack on Sony Pictures and the 2016 $81m cyber heist that drained Bangladesh’s central bank.

Wednesday’s advisory also said that DPRK-sponsored cyber actors have gussied up their extortion demands by demanding protection money from victims, telling them that the “long-term paid consulting arrangements” would keep them from getting hacked. They’ve also been paid to hack websites and extort targets for third-party clients.

Cryptojacking

In its mid-term report, the UN’s Security Council said that its panel of experts was also investigating the DPRK’s use of cryptojacking: the practice of inflicting malware on gear you don’t own so you can use others’ computers and servers to mine cryptocurrency.

The experts have traced the mined assets – much of it being anonymity-enhanced digital currency, or what’s sometimes called privacy coins – to North Korean servers. The UN report says they traced some of those coins to Kim Il Sung University in Pyongyang.

These are all ways that DPRK is using cyber activities to raise money and thereby bypass sanctions, the US says.

Hidden (and persistent) Cobra

The US has been after DPRK-sponsored cybercriminal groups for years. One such is Hidden Cobra, also known as Lazarus Group or Guardians of Peace. It’s a well-known cybercriminal group that has hacked pretty much anything and everything online.

In June 2017, US-CERT took what was then the highly unusual step of sending a stark public warning to businesses about the danger of North Korean cyberattacks and the urgent need to patch old software to defend against them.

It specifically called out Lazarus Group/Hidden Cobra/Guardians of Peace. The alert was unusual in that it gave details, asking organizations to report any detected activity from the threat actors to Homeland Security.

Specifically, in that 2017 alert, US-CERT told organizations to be on the lookout for DDoS botnet activity, keylogging, remote access tools (RATs), and disk wiping malware, as well as malware like WannaCry.

In September 2019, the Treasury targeted North Korean hacking groups by formally sanctioning the Lazarus Group, along with its offshoots, Bluenoroff and Andariel.

Cutting off the snake’s head

In Wednesday’s advisory, the US asked for help, giving out a list of measures to counter the DPRK’s cyber threat. Among them:

  • Raise awareness in both the public and private sectors in order to foster preventive and risk mitigation measures.
  • Share what you know. Share best practices with and between governments and the public.
  • Use strong cyber security defenses. The financial industry should share threat information through government and/or industry channels, segment networks to minimize risks, keep regular backups, undertake awareness training on common social engineering tactics, implement policies governing information sharing and network access, and develop cyber incident response plans. Check the advisory’s Annex 1 for resources.
  • Report it. Tell law enforcement if your organization may have been victimized – fast. Timely reporting will not only expedite investigation but may even increase chances of recovering what was stolen.
