Glossary Terms Archive | Bugcrowd
https://www.bugcrowd.com/glossary/
#1 Crowdsourced Cybersecurity Platform
Thu, 11 Jan 2024 21:04:28 +0000

Vulnerability Disclosure
https://www.bugcrowd.com/glossary/vulnerability-disclosure/
Thu, 11 Jan 2024 21:04:28 +0000

The post Vulnerability Disclosure appeared first on Bugcrowd.

When a hacker submits a vulnerability through a vulnerability disclosure program (VDP), there is often an expectation of some level of public disclosure. There are 4 types of vulnerability disclosure.

Discretionary disclosure

When organizations opt to enable coordinated disclosure, they signal their openness to considering the public disclosure of remediated vulnerabilities, in full or in redacted form, on a case-by-case basis. Ultimately, while disclosure may be requested by the finder of the vulnerability, this decision remains the sole discretion of the organization. Removing a vulnerability from consideration for coordinated disclosure is sometimes necessary when disclosing it would result in significant risk to customers. This is the case with pacemakers, vehicles, and other IoT devices that are difficult to recall quickly or update remotely.

Coordinated disclosure

For more mature organizations, setting a “timer” for resolving and publishing every vulnerability can further encourage more active discovery, although this protocol often requires a dedicated team responsible for rapid remediation and communication. This approach is often taken by organizations that deem security to be a strategic priority and need to invest in building the best possible relationship with the security community.

Coordinated disclosure is based on good faith and is considered a best practice for all parties involved, as it encourages rapid remediation while demonstrating commitment to and appreciation of the hacker community. 66% of organizations allow coordinated disclosure for virtually all vulnerabilities.

Full disclosure

Unlike the other approaches, full disclosure is not a program policy. Rather, it is an individual instance of public communication wherein a finder discloses a vulnerability before it has been fixed. Bruce Schneier defended the merits of full disclosure in 2007, suggesting that the threat of this act is sometimes necessary to force owners to fix vulnerabilities when they are unresponsive to hackers’ well-intended communications.

However, both hackers and organizations often prefer to avoid this type of disclosure at all costs.

In fact, both nondisclosure and full disclosure are discouraged because of the asymmetric cost to only one party; either the finder is not given recognition for their effort to improve security, or the owner is not given an opportunity to fix a vulnerability before it becomes public in a way that makes it more likely to be maliciously exploited. Disclosure should be undertaken in a way that protects the owner, rewards the finder, incentivizes further research, and enhances relationships between owners and the security community.

Nondisclosure

When programs are marked as “nondisclosure,” it is understood that the finder is not permitted to communicate any portion of a vulnerability beyond the confines of the organization itself, even after it has been resolved. For nondisclosure programs, no vulnerability, regardless of type or severity, can be shared. While these programs still receive submissions, they do not encourage them.


Penetration Testing
https://www.bugcrowd.com/glossary/penetration-testing-2/
Thu, 28 Dec 2023 18:00:07 +0000

The post Penetration Testing appeared first on Bugcrowd.

Everything you need to know about pen testing

For over a decade, penetration testing (aka pen testing) has been a critical tool in the security leader’s toolbox. However, not all pen tests are made the same, and not all pen testers are equally qualified, so the implementation details matter. For too long, the industry has relied on a cumbersome, consulting-heavy approach that does little to mitigate risks. For this reason, traditional approaches to pen testing have become part of the problem rather than the solution.

In this article, you will learn:

  • Why pen testing is done today.
  • Current approaches to pen testing, with pros and cons.
  • Why the traditional approach comes up short.
  • The rise of Pen Testing as a Service (PTaaS).
  • What crowdsourcing brings to pen testing.
  • How the Bugcrowd Platform enables crowdsourced PTaaS and other security testing strategies.


The Basics of Pen Testing

Pen testing, in one form or the other, has been with us for a long time, but adoption has been accelerating as of late, with Gartner estimating a total market size of $4.5B by 2025 (and that’s just for commercial tools; use of open source tools is also becoming increasingly significant).

What is Pen Testing?

According to the National Institute of Standards and Technology (NIST), pen testing is defined as “security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network.” 

In other words, pen testing is a simulated cyberattack carried out by an authorized third party (known as pen testers) who tests and evaluates the security vulnerabilities of a target organization’s computer systems, networks, and application infrastructure. 

Human pen testers attempt to find vulnerabilities and exploit them using various tools and manual procedures. Pen testers execute a variety of tests designed to exploit known vulnerabilities and leverage misconfigurations in software and security controls. Their goal is to identify real-world security weaknesses in an organization’s security posture that an attacker can exploit. Pen testers often mimic the behaviors of real threat actors by using techniques such as social engineering. Once these security weaknesses are identified, they can be prioritized for remediation. Pen testing is an iterative process, and over time, it helps reduce the risk of a successful cyberattack.

The Phases of a Pen Test

Pen testing is often broken down into several phases. The first phase is the pre-engagement activity. During this phase, the pen testing team reviews the goals and objectives that the target enterprise aims to achieve. Pen testers begin this process by looking for the best pen testing strategy for your organization.

The next phase is reconnaissance and planning. In this phase, pen testers gather as much information as possible about the targeted enterprise to learn more about potential vulnerabilities. This helps them plan their simulated attacks and define the mix of tools, both software and hardware, as well as the social engineering techniques they will use. 

All of this information comes together in the vulnerability mapping phase, when the pen testers select the attack vectors and the techniques they will use. Vulnerability mapping depends on a good assessment of the vulnerabilities that may be targeted. 

The fourth phase, exploitation, leverages the plans to find and use the exploits. In this phase, the ethical hacker seeks to penetrate the environment while avoiding detection.

When the testing is complete, the pen tester removes artifacts, including their testing tools, intermediate datasets, and special hardware modules. They will also remove anything else they have modified or used during the pen test. Everything in the environment is returned to the state it was in before the test began.

From there, the pen tester will provide a written report that details their findings. This report is often accompanied by a scheduled briefing to review the findings. The in-house teams, both purple and blue, as well as others, will then identify near-term areas that require improvement, assign priorities, and then build and initiate a plan for implementation. The same is done for longer-term areas requiring improvement. Correlating the results of pen testing with an organization’s assessment of risk is essential, as pen testing results can provide important inputs and help to drive tool rationalization decisions.

Finally, the enterprise should schedule the pen test again to validate that the vulnerabilities identified were corrected and that the improved defenses now mitigate the pen tester techniques previously tested.

Pen Test Reports

Let’s dive deeper into the written report submitted by the pen testing team. Pen test reports should include an explanation of the test methodologies used and how they were applied, technical findings, procedural findings, reproducibility, description of risks discovered, recommendations, and conclusions. Reports can also be done with respect to compliance requirements to meet the needs of ISO 27001, SOC2 Type 2, PCI, HITRUST, FISMA, and other compliance regulations. These pen testing reports can often support risk assessments, such as those required to ensure HIPAA compliance.

Pen Test Tools

You may be wondering more about the types of tools pen testers use during a pen testing engagement. Pen testing tools encompass a wide range of specialized tools developed by hackers, as well as ordinary software tools commonly found within the targeted enterprise. Many of the tools that ethical hackers use are available on an open source basis. Examples of widely used tools include Kali Linux, Metasploit, Wireshark, and Mimikatz.

The practice of using tools commonly found in the enterprise by both pen testers and threat actors is referred to as “living off the land.” This enables threat actors to become part of the target enterprise’s network and to hide among normal day-to-day activities. Even when malicious activity is detected, attribution becomes difficult or impossible, since everyone uses similar tools.
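Because living-off-the-land activity uses the same binaries that administrators run every day, the tool name on its own is a weak signal; the context in which the tool was launched is what a detection team can baseline. The following Python snippet is an added example, not code from the Bugcrowd article: it builds a baseline of which parent processes normally launch a small set of built-in tools from a constructed set of process-creation events, then flags events whose parent/child pairing has not been seen before. The log format, hostnames, user names and the list of tools are all constructed for the example.

```python
import json
from collections import defaultdict

# Built-in tools that appear in both routine administration and
# "living off the land" activity. Illustrative list, not exhaustive.
LOTL_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe", "certutil.exe", "net.exe"}

# Constructed baseline: newline-delimited JSON process-creation events
# standing in for a week of ordinary administrative activity.
BASELINE_LOG = """\
{"host": "ws01", "parent": "explorer.exe", "child": "cmd.exe", "user": "alice"}
{"host": "ws01", "parent": "explorer.exe", "child": "powershell.exe", "user": "alice"}
{"host": "srv02", "parent": "services.exe", "child": "wmic.exe", "user": "SYSTEM"}
{"host": "srv02", "parent": "mgmt-agent.exe", "child": "powershell.exe", "user": "SYSTEM"}
{"host": "ws03", "parent": "explorer.exe", "child": "cmd.exe", "user": "bob"}
"""

# Constructed events to evaluate. The tools are identical to the baseline;
# only the launching context differs.
NEW_LOG = """\
{"host": "ws01", "parent": "explorer.exe", "child": "powershell.exe", "user": "alice"}
{"host": "ws03", "parent": "winword.exe", "child": "powershell.exe", "user": "bob"}
{"host": "srv02", "parent": "w3wp.exe", "child": "cmd.exe", "user": "svc-web"}
{"host": "srv02", "parent": "services.exe", "child": "wmic.exe", "user": "SYSTEM"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Map each LOTL tool to the set of parent processes seen launching it."""
    baseline = defaultdict(set)
    for ev in events:
        child = ev["child"].lower()
        if child in LOTL_TOOLS:
            baseline[child].add(ev["parent"].lower())
    return baseline


def find_anomalies(events, baseline):
    """Return events where a LOTL tool is launched by a parent absent from the baseline."""
    anomalies = []
    for ev in events:
        child = ev["child"].lower()
        if child in LOTL_TOOLS and ev["parent"].lower() not in baseline.get(child, set()):
            anomalies.append(ev)
    return anomalies


def review(baseline_text=BASELINE_LOG, new_text=NEW_LOG):
    """Build the baseline from one log and return the anomalous events in another."""
    baseline = build_baseline(parse_events(baseline_text))
    return find_anomalies(parse_events(new_text), baseline)


if __name__ == "__main__":
    for ev in review():
        print(f"{ev['host']}: {ev['parent']} -> {ev['child']} ({ev['user']}) not in baseline")
```

Running the block reports two events: the Word process launching PowerShell on ws03 and the web server worker launching cmd.exe on srv02. Neither tool is suspicious by name, which is exactly why attribution by tool alone fails; a real deployment would build the baseline from a much longer history and would pair this parent/child check with command-line and user context.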


Why Pen Test?

Up until recently, compliance (e.g., for PCI-DSS) was the dominant driver of pen testing. Today, according to industry research, 69% of adopters do pen tests to assess security posture, and 67% do them for compliance purposes. This indicates a much more even split and signals that many organizations do pen tests for both reasons.


In a recent survey of security professionals around the globe, we found that 91% said that they’d like to raise their expectations of what a pen test could achieve. This demonstrates a desire for elevated pen tests that don’t just check the compliance box. 

Compliance can be an opportunity for organizations with less mature cybersecurity practices to secure investments for pen testing. However, annual or biannual compliance-driven testing alone is just table stakes for most companies; there are many other important reasons to invest in pen testing. 


For example, the continuous development cycles typical of cloud-based environments have highlighted the need for more frequent, if not continuous, testing. And the turmoil created by mergers and acquisitions, particularly in regulated industries, is a common reason for more rigorous testing than what checking a compliance checkbox will provide.

With the increasing complexity of the attack surface, which has expanded well beyond web apps, networks, and databases to include APIs, cloud infrastructure, and even physical devices, the reasons for conducting deep pen testing are certain to multiply. 

Satisfy Stakeholder Requirements with Pen Testing

Stakeholders, such as customers, suppliers, investors, and regulators, play a considerable role in an organization’s decision-making. The most obvious place where this occurs is in supply chain risk, where key stakeholders need to be reassured that a supply chain is sustainable, secure, and free of criminality. During the pandemic, supply chains were put under considerable pressure, and pen testing played a pivotal role in helping organizations adapt to these challenges and protect customer and partner data.

Stakeholders have also adapted to the changing needs for pen tests, such as in the UK, where the National Cybersecurity Centre added a home and remote-working exercise to its existing package of pen testing exercises. 

Pen Testing: Preserve the Organization’s Image and Reputation

Cyber incidents cause fundamental harm to an organization’s reputation, particularly when they put customer data at risk and result in prolonged legal proceedings. Breaches and attacks are becoming more prevalent in business reporting, and consumers are now more wary about their data and privacy. Pen tests represent a crucial part of the cybersecurity stack and help prevent these attacks and the resultant harm to reputation. 

According to IBM, the average cost of a breach for U.S. companies is $4.24 million. A huge portion of this cost comes from the impact breaches have on reputation. 


Pen Testing Options

Pros and Cons

Although the tools and tactics used by pen testers don’t vary much, the testing frameworks within which pen testers operate have significant differences. The framework you choose will have a major impact on the testing experience for everyone involved, testers and testing consumers alike.

Traditional (“Status Quo”) Pen Testing

In the next section, we’ll go into more detail about how the most common approach to pen testing has led to low expectations for pen testing, but at a high level, the pros and cons include the following: 

Traditional Pen Testing Pros

  • Established budget line item
  • A known quantity
  • Usually low cost

Traditional Pen Testing Cons 

  • Slow, cumbersome, and consulting-heavy service delivery
  • Inflexible with questionable skill fit
  • Low-intensity testing with low-impact results
  • Multiple providers often required

Crowdsourced Pen Testing

The crowdsourced model implies the involvement of a bench of trusted pay-per-project testers who are crowdsourced from the massive hacker community. Crowdsourced testing is quickly becoming the top choice for organizations seeking more impact from pen testing. 

Crowdsourced Pen Testing Pros 

  • Offers access to the massively diverse skillsets of a global community
  • Option to “pay for impact” instead of time to incentivize better results
  • Enables easy tester rotation

Crowdsourced Pen Testing Cons 

  • Still unfamiliar to many AppSec decision makers
  • New business case may be required

Internal Security Testing

While often infeasible for smaller organizations, some enterprises prefer to build and maintain in-house security testing teams (“red teams”). This approach allows the organization to set its own schedule and may reduce barriers in some areas (e.g., the provision of credentials).

Internal Security Testing Pros 

  • Best for extremely sensitive work
  • Can be run as frequently as needed
  • Low marginal cost 

Internal Security Testing Cons 

  • Labor intensive to set up and maintain
  • Impossible to retain all testing skills
  • Hard to acquire new skills when needed

A Mixed-Testing Approach

Some organizations use a combination of traditional, crowdsourced, and internal testing to meet the specific needs of each project. 

Mixed Security Testing Pros

  • Includes the best aspects of each method
  • Potential for thorough security coverage
  • Testing depth for each project is on an ad hoc basis

Mixed Security Testing Cons 

  • Includes the worst aspects of each method
  • Complex to arrange and maintain
  • (Potentially) extremely costly


Problems with Traditional Pen Tests

Over the past five years, there has been a growing consensus that the most traditional approaches to testing have become dated, if not obsolete. These traditional pen tests adopt a “one-size-fits-all” approach; simulated attacks are carried out by one to two testers who offer box-ticking results according to narrowly defined compliance-based methodologies. 

These tests can be useful for confirming hypotheses or concerns within the organization, but they do not meaningfully reduce risks or address unknowns.

Over that period, gaps and failings in the strict and narrow approach to pen testing have resulted in even lower expectations for pen testing from its adopters. Below are the most pressing concerns.

Gaps in the Traditional Pen Testing Model

Slow Launches

Tests can take months to schedule due to resource constraints on the part of testing providers and their desire to reduce time on the “bench” for salaried employees.

This might seem fine to companies that consider these tests to be the equivalent of a routine dental check-up but not for the many organizations that worry that they may need an emergency root canal.

Many of these tests also come with strictly limited time windows in which the testing schedule must be delivered. These can cause the exclusion of some crucial testing methods—for example, it is impossible to carry out a 10-day scan as part of an assignment where five days have been allocated for testing. Putting artificial time constraints on pen testing reduces the extent to which it can reduce risk.

Delayed Results

Another way timing is a problem is the delay in receiving results. With a standard pen test, the customer doesn’t receive results until the engagement is concluded, often 14–24 days after testing begins. This leaves assets vulnerable for an unnecessarily long time, which can be a real issue when the pen test is being carried out to address a newly identified risk as quickly as possible. 

Most digital assets are only pen tested a maximum of one to two times per year. With modern agile development lifecycles, new codebase versions are released much more frequently. While an asset may be secure immediately following a test, new code releases could leave it vulnerable to attacks until the next scheduled test. 

Problems with Skill Fit and Application

A traditional pen test is carried out by one to two testers over a period of two weeks. Regardless of how experienced the testers are, they can’t be versed in every possible attack technique, and their skillsets may not be appropriate for the asset being tested. Furthermore, in these situations, customers don’t have the option of selecting which testers are assigned to their projects. Paying for these tests “off the shelf” adds a randomized element around what testers the organization has access to, which can have a profound effect on the results. 

There is also an issue of skills being applied too narrowly, with most pen tests being based on checklists. These provide minimal time or few incentives for testers to use their initiative or “dig deeper” to find complex vulnerabilities. This issue is exacerbated by a “pay-for-time” business model, where buyers pay for a certain number of tester hours and the testers are only required to finish the methodology within that time. The number and severity of vulnerabilities that surface during this time are irrelevant to the tester’s final pay. 

Low-Impact Findings

All the above-mentioned limitations contribute to the central problem of relying solely on traditional pen tests. The narrow nature of the timing, skillsets, compliance focus, and selection of participants reduces the effectiveness of a traditional pen test engagement in relation to alternatives. 

Given this, the traditional pen testing model is simply not suited to the needs and goals of most adopters today. 


What is Pen Testing as a Service (PTaaS)?

With the cloud now dominant in IT, we’ve recently seen the emergence of Penetration Testing as a Service (PTaaS) options that have modernized pen testing by incorporating the agility, scale, and user experience of SaaS. This is a welcome development for buyers accustomed to the cumbersome, consulting-heavy approaches of traditional vendors.

TechTarget defines PTaaS as a cloud service that provides IT professionals with the resources they need to conduct and act upon point-in-time and continuous pen tests. The goal of PTaaS is to help organizations build successful vulnerability management programs that can find, prioritize, and remediate security threats quickly and efficiently.

That being said, because most PTaaS options rely heavily on automation to achieve scale, such tools lack the depth and intensity that only human-driven testers can provide. As a result, adopters should be careful to validate that their PTaaS vendor offers more than a vulnerability scan with a pretty dashboard on top. 

Benefits of PTaaS

PTaaS delivers high-velocity, high-impact results to ensure both compliance and risk reduction at the speed of digital business. Some of the benefits are as follows:

  • Brings modern SaaS sensibilities to pen testing, such as self-service dashboards, repeatability/scale, and a good user experience for pen testers and adopters alike
  • Enables much faster launches (days instead of weeks) and report delivery than traditional approaches
  • Integrates findings directly with DevSec workflows so remediation can begin quickly

Common PTaaS Tricks to Watch Out for

Many old-fashioned or traditional pen testing firms use language that indicates they provide PTaaS solutions. However, this is often not true. When evaluating vendors, organizations should watch out for the following:

  • Excessive reliance on automation that leads to shallow/checkbox results
  • Limited choice of target types
  • Manual scoping
  • Narrow, siloed solutions that don’t integrate with other programs
  • “Crowd washing” or old-fashioned pen tester sourcing masquerading as crowdsourcing 

The existence of one or more of these indicators may mean that the firm you’re speaking to doesn’t actually provide PTaaS. 


The Future of Pen Testing

The most effective and convenient way to do pen testing is to bring the value of crowdsourcing to PTaaS.

Crowd-Powered PTaaS

While many organizations share a need for compliance, not all have the same testing requirements or capacity. Some seek continuous coverage to match increasingly rapid development cycles. Others need shorter testing windows throughout the year, as dictated by engineering workflows or budgetary and procurement cycles. Furthermore, an organization’s ability to provide tester incentives may be shaped by its bandwidth for addressing vulnerabilities and its ability to maintain an elastic pool of monetary rewards.

To address these varied needs, Bugcrowd provides crowd-powered PTaaS through our Security Knowledge Platform™—matching skillsets from the global hacker community (called the Crowd) to ensure high-velocity, high-impact results, while providing methodology-based coverage and compliance reporting.

Only Bugcrowd PTaaS Offers…

  • A trusted and expert team of pen testers selected for your specific needs.
  • 24/7 visibility into timelines, analytics, prioritized findings, and pen tester progress through the methodology.
  • Ability to “clone” pen tests at scale for repeatability and manage them all as a group.
  • Easy rotation of the pen tester bench as needed.
  • A choice of “pay-for-time” or “pay-for-impact” incentives.
  • Crowd-powered pen tests to identify on average 7X more high-priority vulnerabilities than traditional pen tests.

Combining Pen Testing with Bug Bounty Programs

Bug bounty programs engage with specialized hackers to help organizations find vulnerabilities at scale. They use a pay-for-results model, which incentivizes impactful results. For example, P1 and P2 vulnerabilities, which are more critical, get paid out more reward money than P4 or P5 vulnerabilities.

Both bug bounty programs and pen testing take a focused, strategic approach to the discovery and assessment of vulnerabilities and greater security risks. Both solutions also rely on attacker tools, techniques, and mindsets for vulnerability discovery under a predefined scope. Although both solutions have similar goals, they differ with respect to the intensity of the assessments. For this reason, many organizations find that a layered strategy of using both provides the best results. 

By using both pen testing and bug bounty programs for compliance and risk reduction, organizations can build a strategy that combines the following:

  • Ongoing vulnerability discovery and assessment

When the exploitability of vulnerabilities is confirmed, this is what some might consider a “basic” pen test. 

  • Periodic, human-driven pen testing to find common flaws

This is what some might consider a “standard” pen test.

  • A continuous bug bounty running “over the top”

This picks up emerging vulnerabilities that are not yet detectable using the prior two methodologies. 

The Dawn of a New Era in Pen Testing 

Some security leaders get nostalgic about the traditional approach to pen testing—it’s comfortable and familiar. But the adoption of Bugcrowd’s crowdsourced PTaaS shows that the trend is leaning toward the adoption of more modern, distributed testing that creates access to diverse skillsets and away from cumbersome, consulting-heavy approaches that depend on scanning or plain vanilla human testing.

Even for organizations that prioritize compliance over risk reduction in pen testing, crowdsourcing can be just as good, or better, at meeting compliance requirements than a small team.

Ultimately, pen testing is another piece of the security puzzle. Organizations should incorporate it into their arsenal of security tools and processes to find and remediate vulnerabilities in the software development lifecycle (SDLC).

Crowdsourced pen testers are a crucial piece of this dynamic security puzzle. As they continue to build out this industry, expect it to continue to grow in importance and adoption.

Crowdsourced Security
https://www.bugcrowd.com/glossary/crowdsourced-security/
Thu, 30 Nov 2023 22:46:39 +0000

The post Crowdsourced Security appeared first on Bugcrowd.

Penetration Testing 101

The ultimate guide to proactive cybersecurity best practices 

This article provides an overview of the modern security landscape, current challenges associated with cybersecurity, and crowdsourced security.

For most organizations, cybersecurity has moved from a technical concern to being a central part of their operational strategies. An increase in the share of the global population with internet access has resulted in an increase in the number of points of attack. However, this has also meant an increase in the talent available to draw from for the establishment of the blue team—security experts focused on protecting organizations from attacks. To make the most of diverse talent, organizations need to align their security practices to draw from a global talent pool and position themselves as partners and allies of the broader security community.

What is crowdsourced security? 

Crowdsourced security is an approach to securing digital assets that draws from the collective skill and experience of the world’s community of security researchers, or ethical hackers. These highly capable individuals are given the direction, scope, and incentives they need to identify and report vulnerabilities, effectively simulating the varied techniques employed by threat actors.

Crowdsourced security relies on the wisdom of the crowd, a phenomenon in which large groups of people are collectively smarter than individual experts. Provided the sample size is large and diverse and each member of the crowd is acting independently, a group can make discoveries and identify opportunities more effectively than even the most capable and expert individuals. In nature, this phenomenon is reflected in herds of animals that are more effective at finding food and shelter than, say, the lone wolf, and in security, this means that crowds of hackers can identify and resolve security bugs faster than over-burdened internal teams and dynamic attackers.

Casey Ellis recognized the potential of this collective wisdom and harnessed it by founding Bugcrowd, the world’s first crowdsourced security platform, in 2012. Bugcrowd was built on the strong spirit of collaboration that is in the DNA of the hacking community, as identified by collaborative software legends like Linus Torvalds in his prologue to The Hacker Ethic. Just as Torvalds tapped into the open-source community to build a sophisticated operating system from the bottom up, Bugcrowd was founded to draw from the distributed intelligence of security experts to create a new and compelling security offering. 

Ellis started a movement that has grown massively, providing organizations with access to the world’s best security minds to quickly identify and rectify security challenges. The sector also offers financial opportunities to people in exchange for nothing more than their creativity and knowledge, making it the purest form of meritocracy in the digital world.

What is ethical hacking? 

When discussing cybersecurity, one of the first terms that will come up is “hacking” or “hackers,” so it’s worth taking the time to define what hacking is. The Oxford definition of hacking is “the gaining of unauthorized access to data in a system or computer,” which sounds quite criminal. The implication that hacking is illicit and unauthorized persists across definitions, with even cybersecurity company Kaspersky conceding that while it is not always malicious, “the term has mostly negative connotations due to its association with cybercrime.”

Merriam-Webster defines a hacker as “an expert at programming and solving problems with a computer.” While attackers may lean into this definition, Bugcrowd is part of the movement to reclaim the word and reframe it in morally neutral terms. Hacking is not inherently bad, which is why Bugcrowd believes that a modifier is needed when discussing the motives and methods of hacking.

Security experts can be ethically motivated and use their skills to increase security standards (white hats), or they can have criminal intentions and use their skills to break the law (black hats). The terms “white hat” and “black hat” come from Westerns created a century ago, when directors used wardrobe choices to clearly indicate who the heroes and villains were. In a lawless place like the Wild West, those with the cutting-edge security skills of the time could use their abilities to rob banks and saloons or to support the local sheriff in fighting crime, and a similar choice faces security experts in today’s digital world.

White hat hackers can also be referred to as ethical hackers, security researchers, or just hackers. At Bugcrowd, our report Inside the Mind of a Hacker shows that 96% of hackers believe that they help companies fill their cybersecurity skills gap, so when we use the term “hacker,” we are talking about the good guys.

Hacker community collaboration 

Crowdsourced security leans into community and collaboration, which is why hacker-powered security can be so powerful. Working with a crowdsourced platform like Bugcrowd gives organizations access to the widest pool of talent and allows them to broker interactions with hackers and triage responses so that buyers only have to pay for results.

Thus, Bugcrowd acts as an agent for hacker talent, a consultant for companies looking to invest in their security, an auditor who vets the particular talent they require, a broker between organizations and the security community, and a clearing house for each transaction to ensure that bugs get squashed and hackers get paid—with everything implemented in a SaaS platform for scale, efficiency, and ROI visibility.

In terms of the types of collaboration on bug bounty programs, organizations can opt for public programs that are open to everyone on the platform, a middle tier that involves those with experience on the platform who have had their identity verified by Bugcrowd, or private programs open to specially selected hackers who have been fully vetted. While opening programs up to the wider Crowd can seem daunting, it’s worth bearing in mind that many companies’ assets are open to the full universe of threat actors 24/7, and anyone who has worked at a security operations center will testify to the level of scanning that ports and apps receive nonstop.

To find the crowdsourced security solutions that are right for you, remember to look for platforms with good working relationships with the hacking community, as well as third-party platforms that have the relationships and the experience to apply their skills to your security challenges.

What are common crowdsourced cybersecurity solutions? 

Crowdsourced security solutions are just like any other security solution in the sense that they dynamically change according to the needs of the industry. At present, the three most popular solutions that draw from distributed security talent are vulnerability disclosure programs (VDPs), bug bounty programs, and penetration testing/pen testing as a service (PTaaS). 

What is a vulnerability disclosure program (VDP)?

A VDP is a structured framework that allows and invites hackers to submit vulnerabilities they discover in an organization’s digital infrastructure to the organization directly. These programs offer clear guidance on how hackers can bring vulnerabilities to the attention of an organization, and if done correctly, organizations will disclose these vulnerabilities to give credit to the hackers who took the time to help them. 

Ignorance can be bliss for individuals, but it is a disaster for organizations aspiring to stay at the cutting edge of contemporary security. VDPs represent a first step toward tapping into crowdsourced security and building a relationship with the security community by acknowledging vulnerabilities that arise, remediating them quickly, and working with the hackers who found them to ensure responsible disclosure.  

Bugs discovered as part of private bounty programs need to be triaged and resolved quickly and effectively, but they are not necessarily publicly acknowledged. While prestige and status are important to hackers, they understand when working on private programs that they are rewarded financially and are expected to protect clients’ confidentiality.

When vulnerabilities are discovered and shared by a good Samaritan through a VDP, disclosure becomes more important. Companies that ignore submissions, dismiss legitimate concerns, or threaten legal action soon run out of friends in the security community, which in turn erodes their security posture. In contrast, having an open and generous policy that rewards submissions from the community, even if such a reward is no more than a public acknowledgement, can keep the important constituency of hackers on an organization’s side. Protecting their rights means providing clear communication that includes legal protection for hackers through safe harbor.

Responsible disclosure

Responsible disclosure refers to the best-practice interaction between a hacker submitting a vulnerability report and the company receiving it. For hackers, this means disclosing vulnerabilities to the affected organization in a responsible manner, allowing them time to fix the issue before making it public. For organizations, this means quickly acknowledging the submission and expressing recognition while maintaining communication with the hacker in question so that they can publicly take credit once the issue has been remediated.

Responsible disclosure is part monitoring, part hacker relations, and part building a culture of humility that intersects with high standards of security. If done correctly, responsible disclosure can create a flywheel of hacker community collaboration based on mutual respect.

What is a bug bounty program?

Bug bounty programs are result-focused security initiatives that incentivize hackers to uncover and report security vulnerabilities within an organization’s digital infrastructure. Bug bounties are attached to a financial reward based on the criticality of the vulnerabilities identified and remediated and are the original and most widely used crowdsourced cybersecurity solution. They can ensure the rapid evaluation and remediation of novel threats, such as when new zero-day vulnerabilities emerge. 

The first bug bounty program was run for Netscape Navigator back in 1995, but it wasn’t until 2012 that the service was offered by a third-party platform with the founding of Bugcrowd.

These programs provide hackers with access to digital assets and infrastructure that allows them to test their security and find vulnerabilities, offering prorated cash rewards based on the severity of the new bugs discovered. Such programs can be managed internally, with organizations’ employees responsible for reviewing and prioritizing submissions while engaging with hackers. Alternatively, they can be conducted in collaboration with a trusted partner such as Bugcrowd. 

Companies turn to bug bounty programs to supplement and strengthen their existing internal security processes. The crowdsourcing model allows for a wider pool of talent and diverse skill sets to be leveraged, often leading to the discovery of more critical vulnerabilities that may otherwise have gone unnoticed. By engaging hackers, companies can proactively find and fix issues before they can be exploited by malicious actors.

What is penetration testing? 

Pen tests are security tests in which security testers mimic real-world attacks to identify methods of circumventing the security features of an application, system, or network that are failing to protect vital assets. Pen testers operate as a team, working within a defined scope for a set time period and completing each engagement by offering a report of the vulnerabilities detected.

Crowdsourced pen tests are a new take on a longstanding security service, offering dynamic new functionalities that make the most of talent accessed and findings integrated to advance software development. They can provide targeted and detailed assessments of digital assets and infrastructure quickly and efficiently while meeting regulatory compliance needs, just as traditional pen testing does. 

Pen testing has a long history dating back to the 1990s, arguably evolving from the “tiger teams” that tested spacecraft in the 1960s. But it’s only in the last five years that crowdsourced security has unlocked the full potential of pen testing, with the most recent innovation being PTaaS. PTaaS modernized the pen testing experience, bringing scale and efficiency to what is traditionally a manual, consulting-heavy offering. 

Crowdsourced threat detection

Security services were traditionally provided in a manner similar to any other service; buyers would hire a professional based on their reputation, agree to a fee based on the going rate, and hope that the professional would get the job done. Companies might have security testers on staff to evaluate products and infrastructure as they would janitors to keep a building tidy, or they might hire pen testers for a software project like they would hire a plumber to fix a leak. Where the analogy breaks down is that dust and water do not behave like intelligent third parties, and facilities and pipes are not complex environments that are rapidly changing daily.

Vulnerabilities are weaknesses in IT systems or software that can be exploited by attackers. With digital systems and environments changing on an almost hourly basis, new vulnerabilities are a fact of life and will always grow with us. 

To address vulnerabilities, crowdsourced threat detection is a subset of crowdsourced cybersecurity that taps into the wisdom of the crowd to identify novel threats in close to real time. To paraphrase the crowdsourced security commandment Linus’s Law, with enough eyeballs, all emergent threats are definable. Investing in bounty programs and crowdsourced pen tests taps into community intelligence, and the diversity and breadth of experience in this community can reveal new risk vectors and remediate threats as they emerge.

Furthermore, crowdsourced programs will often incentivize creativity pivotal to innovation and the cutting edge by offering greater financial rewards for emergent and critical vulnerabilities. This creates a marketplace for quick responses that allows buyers to shield themselves against new threats based on the power of community intelligence.

How does crowdsourced security work? 

The lifecycle of a crowdsourced security program varies according to the needs of each buyer. If you plan to gradually upgrade your security mix, you are most likely to start by implementing a VDP. This is a framework that allows hackers to voluntarily and altruistically submit bugs that they uncover in a company’s infrastructure and products. For some organizations, limiting testing to a single asset (e.g., a website or mobile app) is a good way to get started to ensure remediation processes are in place. 

As companies become confident in their ability to review submissions, resolve vulnerabilities, and reward hackers by disclosing their inputs, they should consider adding tangible rewards by implementing their first bug bounty program.

A bug bounty program adds economic incentives to the VDP concept. These can be run in-house with employees reviewing and triaging submissions, as well as engaging with hackers, or they can be run with a partner like Bugcrowd. Buyers have the option to make their programs public and benefit from the wisdom of all the world’s hackers or to work privately with a handpicked group to allow for more vetting, targeted skill matching, and geographic selection.

Companies pay rewards based on the impact of vulnerabilities, meaning that with investment over time, bug bounty programs will surface more critical vulnerabilities. This dynamic pricing scheme allows buyers to ensure that the most harmful exploits are discovered first and allocate their budgets effectively to protect high-value assets. These data can also be used to identify the most frequently targeted assets and to direct additional resources to prioritize security investments.

Once a company has identified its most valuable assets—the “crown jewels”—the CISO will typically look to invest in maximizing their security. An effective way to rigorously test and evaluate security posture is by using pen tests. While historically delivered as standalone projects by small teams, crowdsourcing enables scale and access to skill sets that are key enablers of the vision of PTaaS.

These crowdsourced pen tests can launch quickly, provide real-time reporting, and be integrated into the security development lifecycle (SDLC). They offer a bigger bench of testers to choose from, including deep-sector experts and those with security clearance.

Over time, buyers have generally increased their investment in crowdsourced security as part of their overall security mix. Investing in bug bounty programs means paying for results, and dynamic pricing gives valuable data to CISOs about what their budget should be and how they should allocate it. Crowdsourced security is a valuable way to support and enhance existing security measures.

Types of organizations that use crowdsourced security 

There is a misconception that only tech companies leverage crowdsourced security. However, our data show that this isn’t accurate. While crowdsourced security is heavily used in the tech space, organizations from a wide variety of industries use the Bugcrowd Platform. Here are some examples of industries using crowdsourced security in 2023:

Aerospace and defense
Automotive
Banking
Chemicals
Civic/Non-profit
Computer hardware
Computer software
Construction
Consumer product
Consumer services
Corporate services
Electronics
Energy and environmental
FinServ
Food and beverage
Government
Holding companies
Manufacturing
Healthcare
Industrial manufacturing
Insurance
Leisure
Media
Pharma and biotech
Real estate
Retail
Schools and Education
Sports and recreation
Telecommunications
Transportation

Examples of Companies Leveraging Crowdsourced Security

ExpressVPN
ExpressVPN, a leader in privacy and security, works with Bugcrowd because it offers an unparalleled ability to match an exceptional team of skilled hackers to ExpressVPN’s highly technical needs. Bugcrowd enables ExpressVPN’s mission to embed privacy in users’ internet experiences through its bug bounty program, which protects the company’s reputation for having excellent security among hackers and users.

Rapyd
This UK fintech firm chose Bugcrowd because of its ability to rapidly scale security programs during a time of major acquisitions. Bugcrowd used CrowdMatch technology to provide Rapyd with access to hackers with fintech expertise. Within a year, these hackers surfaced 40 vulnerabilities, 15 of them deemed critical.

T-Mobile
This US telecom giant engaged Bugcrowd to manage a public bug bounty program for testing its applications and websites. Hackers’ vulnerability submissions and remediation efforts have helped to keep the country’s largest 5G network safe.

 

What are the benefits of crowdsourced security? 

Crowdsourced security offers companies more expert eyes in reviewing infrastructure in greater detail than is possible for an internal team or a select group of consultants. Tapping into the wisdom of the crowd helps to address security challenges and even flag issues and solutions that companies are unaware of, providing novel and actionable advice that cuts to the core of a company’s security posture.

On top of engaging more talent to aid in securing a company, tapping into the world’s hacker expertise ensures security support around the clock. Threats and malicious actors are geographically dispersed and do not operate during work hours for a given market, but using crowdsourced security reverses this advantage, as global talent can provide continuous coverage of assets.

Security professionals often struggle to justify budgets to non-technical colleagues, and the ROI in security tools and talent isn’t always easy to communicate. However, working with hackers in bug bounties means that buyers only pay for results rather than investing in products and services in advance and hoping that they live up to the billing of a smooth-talking sales team. By providing a liquid market for vulnerabilities, bug bounty programs provide a clear indication of each buyer’s security posture and priorities relative to their budgets.

Beyond the immediate security advantages of crowdsourced security, it also affords companies the opportunity to build strong relationships with the global hacker community. By engaging with these professionals, companies not only benefit from their expertise but also demonstrate a dedication to proactively addressing security concerns. This relationship fosters trust, enhances a company’s reputation, and sends a clear message to customers about the importance companies place in safeguarding their data. This can elevate the status of a company’s CISO and internal team and help with hiring or thought leadership in this space, thereby improving the overall security brand.

Risks associated with crowdsourced security

Hacker-powered security has not been around for long, so there are still some teething problems when it comes to its effective implementation. One risk when implementing a VDP for the first time is failing to clearly indicate legal liabilities and to reassure hackers that there will be no consequences to their security testing. By failing to resolve this legal ambiguity, companies may inadvertently create issues for the hackers who are trying to help them, as well as reduce the number of people willing to submit vulnerabilities.

Another risk that can reduce the effectiveness of VDPs is the failure to engage effectively with the cybersecurity community, particularly around disclosure. Companies that commit to implementing a VDP need to proactively monitor submissions and be responsive and respectful to those who put in the effort to submit a bug. Junior hackers, in particular, are often willing to contribute their time and skills to finding vulnerabilities free of charge. In exchange, they will look to have their hard work publicly recognized by the company that receives their submissions. Failing to offer and engage in clear disclosure can lead to strained relationships with the hacker community.

Getting scope right also presents a risk to buyers of crowdsourced security. For smaller companies starting out, this could mean implementing a VDP that covers every asset despite having limited internal resources. Failing to provide crowdsourced security programs with the appropriate internal resources can cause internal burnout while leading to frustration on the part of hackers, which can harm a company’s reputation in the community.

This same issue applies to mature companies operating on a larger scale. For example, CISOs need to be strategic when buying crowdsourced security by identifying where they can get the highest ROI for their budget before investing heavily in bug bounties. Pen tests and bug bounty programs are effective ways to protect crown jewel assets, but making the scope too broad can cause companies to boil the ocean, soliciting submissions from across a wide range of assets and infrastructure without resolving threats to the primary attack vectors.

There is also a risk that companies do not have the internal capacity to engage with hackers effectively. If the scope for bug bounties or pen tests is too wide, then a small team may find the number of inbound submissions and the need to triage and remediate overwhelming.

Finally, there is a risk that users will opt for the wrong solution when buying crowdsourced security. Companies looking to secure crown jewel assets in the technical industry may find that a VDP does not go far enough and should instead opt for a crowdsourced pen test.

All of these risks are manageable. Companies launching VDPs that are unsure of scope, liability, and disclosure can look to open-source templates, and savvy CISOs can quickly learn to invest strategically in their top assets and get the balance right between internal capacity and crowdsourced support. Understanding hackers’ strengths and capabilities and the benefits of working with them in advance significantly helps with this process.

Security challenges that crowdsourced security addresses

Crowdsourced security provides a fresh perspective on a company’s vulnerabilities and security challenges, drawing from the wisdom of the crowd to identify threats that might have been missed by employees used to viewing assets in a certain light. By involving a diverse range of experts, hacker-powered security can provide rapid feedback that helps gauge the overall strength of an organization or an asset’s security posture.

Security rewards programs also scale quickly and efficiently, allowing organizations to invest rapidly based on the urgency of a given problem or the criticality of an asset being tested. The ability to see high-quality results quickly sets crowdsourced security apart from other tools and services and makes it invaluable in providing discrete responses, whether ahead of product launches or in response to board-level concerns.

This same flexibility makes crowdsourced cybersecurity solutions particularly valuable when dealing with new and novel threats. If we look back at the historic Log4J vulnerability discovered on December 9, 2021, we see that activity on Bugcrowd’s platform spiked on the day of the announcement, peaking with nearly 300 submissions just two days later. Most of the P1s (the most critical vulnerability submissions) were handled in under three hours, a rate of production that no internal team could possibly manage. Identifying and neutralizing threats so soon after they emerge is a central strength of hacker-powered security.

Security testing platforms

What is a platform?

There are many definitions of a software platform, from theoretical to technical. Platforms are software mechanisms offered by technology companies that can be supplemented and enhanced by third parties. Bill Gates crucially added that a platform is when the economic value of everybody who uses it exceeds the value of the company that created it; therefore, security platforms should increase the security postures of buyers and remunerate hackers by a multiple of the value captured by the platform owner. Furthermore, they should provide a marketplace for buyers of crowdsourced solutions and a unified workspace for hackers that radically enhances the user experience relative to what companies can build themselves.

Traditional security tends to be an ad hoc administrative arrangement that is heavy on consultant hours. Platforms provide core services, such as bug bounty programs, PTaaS, vulnerability disclosure, and attack surface management. This suite of offerings brings efficiency at scale, consistency, and contextual intelligence to crowdsourced security.

The Bugcrowd Platform is an AI-powered, multi-solution platform built on the industry’s richest repository of vulnerabilities, assets, and hacker profiles curated over a decade. This allows us to find the perfect hacker talent for goals like pen testing, bug bounty, and vulnerability intake and disclosure, as well as to ensure the scalability and adaptability that come with a functional talent platform.

What to look for in a crowdsourced security platform

Crowdsourced security platforms live and die by the number and quality of hackers that they can draw from, but attracting and retaining this talent means offering a seamless technical solution that rewards and respects this talent while offering the best possible customer experience.

Hackers want to know that their submissions will be validated and triaged quickly so that they are rewarded for their hard work, particularly when handling new and novel vulnerabilities where time is a factor. Some platforms will use third parties to handle submissions, but remediating bugs effectively means validating and triaging them quickly on the platform side, with critical ones handled within hours.

Buyers also want the process to be smooth and efficient, ideally to integrate the platform’s outputs into DevSec tools that they use in their technology stack. This helps to ensure that remediation is done as early as possible in the development cycle, building a culture of continuously testing apps and APIs before they ship. Platforms that provide dashboard reports offering insights on severity, payments, bug types, and trends in discovery also help CISOs determine ROI and the value of a program.

Separating signal from noise is a top priority for security teams dealing with third parties, especially where automated tools are involved. Scanners are notoriously noisy and are becoming more prominent in today’s AI-driven world, so separating signal from noise on the submission front takes time and expertise.

Therefore, the top platforms are those that proactively address noise and provide a high signal-to-noise ratio. Higher submission numbers shouldn’t create spikes in false positives that suck up company resources, and good platforms should reduce the internal team’s workload rather than increase it.

About the Bugcrowd Platform

The Bugcrowd Platform brings the right crowd into your security workflows at the right time, allowing you to run bug bounties, pen tests, VDPs, and more at scale and in an integrated, coordinated way. Bugcrowd uses proprietary CrowdMatch AI to match qualified, trusted hackers to your individual security needs, as well as rich reports and analytics to offer continuous insights about trends in findings, payments, criticality, and more. 

By seamlessly integrating with your SDLC, the Bugcrowd Platform resolves issues from the ground up so that you see results instantly. A team of global security engineers works as an extension to the platform, validating and triaging submissions so that the most critical vulnerabilities can be resolved within hours. 

After over a decade spent at the forefront of crowdsourced cybersecurity crafting solutions for thousands of customers, Bugcrowd brings an extensive repository of data to discovery and remediation, as well as intangible knowledge around the mindset and attitudes of the world’s security community. 

Kimsuky
https://www.bugcrowd.com/glossary/kimsuky/ | Mon, 01 May 2023 23:48:53 +0000
Kimsuky is a cyber espionage group operating from North Korea that has been active since at least 2012 and is known to target organizations across South Korea, the US, and Japan. In addition, Kimsuky may be linked with North Korean government intelligence-gathering activities through Reconnaissance General Bureau (RGB).

Kimsuky uses spear-phishing as its primary method of attack, sending targeted emails containing malicious attachments or links to infect victims’ computers with malware. The group has also employed watering hole attacks, compromising websites frequented by its targets so that visitors are infected with malware.

Kimsuky is best known for its espionage campaigns in South Korea against government agencies, defense contractors, research organizations, and think tanks. Additionally, the group has targeted organizations across North Korea’s border, including universities, think tanks, and financial institutions in Japan and America. Kimsuky seeks to acquire sensitive data that could help advance North Korean military and economic goals.

Kimsuky was linked to an attack against the Korean National Defense University that resulted in the theft of confidential military documents in 2016. Furthermore, in 2018 this group conducted a spear-phishing campaign that specifically targeted researchers working on North Korean issues within the US.

Kimsuky uses sophisticated spear-phishing campaigns and has strong ties to the North Korean government, making them a persistent and credible threat to organizations worldwide.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.

ALPHV
https://www.bugcrowd.com/glossary/alphv/ | Mon, 01 May 2023 23:43:02 +0000
ALPHV is a cybercrime threat actor that has been active since at least 2015 and is well known for conducting high-level attacks against targets including financial institutions, government agencies, and critical infrastructure entities.

ALPHV is believed to be a well-organized and sophisticated group employing advanced techniques and tools for its attacks. ALPHV relies heavily on social engineering tactics, spear-phishing emails, and malware infections in its attacks against targets. Once inside, the group can take control of systems and steal vital data such as login credentials, financial details, or intellectual property from those targeted.

ALPHV became well known for being the first threat actor group to create malware written in Rust. Because Rust is a cross-platform language, the malware can easily be built for different platforms, such as Windows and Linux, allowing the group to aggressively expand the range of systems it can attack.

ALPHV’s ransomware has frequently made the headlines for its successive attacks on high-profile targets and its use of triple extortion. In a triple extortion attack, the attacker also threatens to launch DDoS attacks to coerce attacked organizations to pay the ransomware demands.

ALPHV has been linked with several high-profile attacks, including the 2021 BlackCat ransomware attack. Its motives appear to be financial gain and intelligence gathering; ALPHV has been known to sell stolen data on the dark web to raise capital and to use the stolen data to support further intelligence gathering. Based on its advanced capabilities and track record, ALPHV is widely considered one of the greatest cyber threats facing international communities today.

BlackOasis
https://www.bugcrowd.com/glossary/blackoasis/ | Sat, 26 Nov 2022 20:00:51 +0000
BlackOasis is a middle eastern threat group that has targeted prominent leadership in the United Nations, as well as Turkish bloggers, activists, journalists, consultancies, and think tanks.

BlackOasis is a Middle Eastern threat group that has targeted prominent leadership in the United Nations, as well as Turkish bloggers, activists, journalists, consultancies, and think tanks. It has been purported that Neodymium, another threat actor, is closely aligned with BlackOasis’s malicious activity. However, the exact nature of their relationship and any overlap in threat group membership remains unknown. Both BlackOasis and Neodymium heavily target Turkish victims. Another threat actor group, Promethium, has also targeted many of the same Turkish victims and has demonstrated many of the same campaign characteristics, as evidenced by its tactics, techniques, and procedures (TTPs). Over time, the threat research community may well conclude that Promethium, Neodymium, and BlackOasis have more than a few members in common and may be the same threat group.

BlackOasis has exploited a vulnerability in Adobe Flash Player (CVE-2017-11292). Adobe Flash Player version 27.0.0.159 and earlier has a flawed byte code verification procedure. This flaw allows an untrusted value to be used to calculate an array index, which can lead to type confusion; successful exploitation could lead to arbitrary code execution. The vulnerability affects Flash Player on most major operating systems, including Windows, Mac, Chrome OS, and Linux.

BlackOasis continues to run multiple campaigns across a broad geographic range. It has targeted victims in Russia, Iraq, Afghanistan, Iran, the Netherlands, Bahrain, the United Kingdom, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, and Angola.

A more recently discovered Flash zero-day exploit is one of several zero-days that the BlackOasis group has successfully exploited over the past few years. This exploit is delivered through a Microsoft Office document attached to a spam email: the malicious Word document includes an ActiveX object that contains the Flash exploit.

BlackOasis has utilized many zero-day exploits; some of them are:

  • CVE-2015-5119 – June 2015. A critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh, and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
  • CVE-2016-0984 – June 2015. Use-after-free vulnerability in Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.306 on Windows and OS X and before 11.2.202.569 on Linux, Adobe AIR before 20.0.0.260, Adobe AIR SDK before 20.0.0.260, and Adobe AIR SDK & Compiler before 20.0.0.260 allows attackers to execute arbitrary code via unspecified vectors.
  • CVE-2016-4117 – May 2016. Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016.
  • CVE-2017-8759 – Sept 2017. Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 allow an attacker to execute code remotely via a malicious document or application, aka “.NET Framework Remote Code Execution Vulnerability.”
  • CVE-2017-11292 – Oct 2017 – discussed earlier. Adobe Flash Player version 27.0.0.159 and earlier has a flawed byte code verification procedure, which allows for an untrusted value to be used in calculating an array index. This flaw can lead to type confusion, and successful exploitation could lead to arbitrary code execution.

The post BlackOasis appeared first on Bugcrowd.

APT33 https://www.bugcrowd.com/glossary/apt33/ Sat, 26 Nov 2022 19:54:45 +0000

APT33 is an Iranian threat group that has been actively running malicious industrial espionage campaigns since 2013. APT33 has been targeting private-sector petrochemical, energy, and aviation organizations to identify and exfiltrate confidential information. In addition, APT33 has been targeting organizations within Saudi Arabia, South Korea, the United States, and other countries in Europe, the Middle East, and Asia.

APT33 is also known by several other suspected group names, including Elfin Team, Refined Kitten, Magnallium, and Holmium. At times it has been hard to disambiguate the various names associated with APT33; depending on the threat researcher, some of these names may be viewed as entirely different threat groups.

APT33 became an entity of high interest to threat researchers when it launched the Shamoon wiper malware attacks on both the Middle East and Europe. Shamoon is highly destructive malware designed by APT33 to destroy all data on infected systems.

During these campaigns, compromised systems also displayed graphic propaganda. This propaganda included images of a drowned Syrian child, burning American flags, and more. In addition, APT33 was also observed targeting a European politician’s website and, in turn, using that website to send out phishing emails to targeted supply chain companies in the oil industry.

More recently, APT33 appears to have been using approximately a dozen active command and control (C&C) servers. Additionally, APT33 uses multiple techniques to camouflage and obfuscate these C&C servers in support of highly targeted malware campaigns. These botnets consist of perhaps 10 to 20 infected computers and provide persistence within targeted organizations’ networks.

APT33 also uses several types of custom backdoors, some of which are believed to have been developed internally. APT33 has been observed using two different attack vectors: watering hole attacks and targeted spear-phishing emails. The spear-phishing attacks used malware-laden Microsoft Office documents (macros had to be enabled by a cooperating user). Additionally, APT33 has recently been observed using open-source tools with stolen authentication credentials to further abuse mail clients to distribute and deploy malware. Finally, APT33 uses publicly available exploits and tools whenever possible.

Over time, APT33’s malware toolset has grown quite large. Some of the malware is off-the-shelf commodity tooling, but the group has been observed building and deploying customizations on multiple occasions. These customized tool sets include a variety of backdoors, droppers, and a data wiper. Recall that a dropper is a type of Trojan designed to install malware on a target system. Commodity malware used by APT33 includes PoshC2, Remcos, DarkComet, Quasar RAT, and Pupy RAT; these tools provide password stealing, C2 command execution, data exfiltration, and more. APT33 also uses widely available tools such as Mimikatz, Procdump, and Ruler.

APT33 has developed several custom tools. TurnedUp is a backdoor that can download and upload files, report information on the targeted system, and create a reverse shell. ShapeShift (also known as Stonedrill) is a specialized backdoor that can download additional files and contains a data wiper that can overwrite the master boot record (MBR). DropShot is a dropper that can drop and launch tools such as TurnedUp and ShapeShift. Finally, Powerton is a PowerShell-based implant recently used by APT33; it uses encrypted C2 and a complete set of persistence mechanisms.

The post APT33 appeared first on Bugcrowd.

Syrian Electronic Army https://www.bugcrowd.com/glossary/syrian-electronic-army/ Sat, 26 Nov 2022 19:50:51 +0000

The Syrian Electronic Army (SEA) is a threat actor group directly aligned with President Bashar al-Assad’s regime in Syria. Known initially for its hacktivism, the SEA has, over time, apparently compromised many media targets. One of many examples was its attack on the Financial Times. While this attack initially involved only email, the goal was to steal and compromise additional account credentials. The FT responded promptly and immediately warned employees and stakeholders of the ongoing threat. The Syrian Electronic Army, in response, sent phishing emails that mimicked the Financial Times’ internal IT communications and was thus able to compromise even more users!

It is worth noting that Russia has been similarly aligned in its support of the administration of President Bashar al-Assad of Syria since the beginning of the Syrian conflict in approximately 2011. In September 2015, Russia supported al-Assad with military aid and direct military involvement. So, threat researchers may be well rewarded by maintaining vigilance on cyber activities related to the SEA and other al-Assad-aligned threat groups, as they may ultimately link to Russian state entities or state-sponsored threat actors.

The origin of the Syrian Electronic Army is murky, but some of its members are based within universities in Syria. The SEA also appears to have equally obscure links to the militant group Hezbollah. Most revealing is that, by tracking the SEA’s financial statements, it is now believed that the group has direct backing from Syrian government organizations.

Hezbollah is a Shiite Muslim political party and militant group based in Lebanon. Hezbollah has extensive security resources, a highly active political organization, and a widespread social services network designed to gain the support of the Lebanese populace. In addition, Hezbollah often works in coordination with Iranian threat actors.

The rabbit hole may go deeper than we know. All of this makes the resources, connections, and future activity of the SEA challenging to forecast. The SEA maintains that it is not taking orders or direction from Syrian government entities. However, the SEA does appear to forward information obtained during hacking activities to the Syrian government. To make the issue even more complex, several years ago unnamed intelligence officials in the West commented that threat actors and government entities within Iran might back the SEA.

The Syrian Electronic Army generally targets media organizations in the United States and other Western countries. The SEA also targets people working in foreign government organizations and military branches; in many cases these personnel are targets for espionage. This cyber espionage is mainly disavowed by the SEA. An example of its activity was an attack on Reuters, during which the SEA redirected a page to one that read, “Hacked by the Syrian Electronic Army.” This desire for attribution and recognition is typical of hacktivist activity: the group wants to proclaim its fame and capabilities to the public at large. Almost nine years ago, SEA malicious activity included targets such as The Washington Post, CNN, Time, and the New York Times.

The goal of hacktivists such as the Syrian Electronic Army is to proclaim their beliefs on issues involving Syria. SEA activity primarily attempts to scare or intimidate government officials and journalists who take a position against the al-Assad regime.

Years ago, the threat group drew the U.S. government’s attention to the point that official charges were filed against three individuals central to the SEA’s malicious activity. They were charged with hacking, creating a hoax about a terrorist attack, and attempting to cause a mutiny within the U.S. armed forces. As a result, two of the individuals were placed on the FBI’s “Cyber” Most Wanted List with $100,000 rewards. The third suspect was in Germany.

In terms of cyber tools and malicious code, the SEA has invested over time in malware called SilverHawk. SilverHawk is built into fake updates for various security- and privacy-focused communications apps, including WhatsApp and Telegram. The SEA also created fake Microsoft Word and YouTube apps filled with the SilverHawk spyware in its attempts to compromise Google Android devices.

More recently, the Syrian Electronic Army was potentially linked to a Syrian government-backed hacking campaign that distributed coronavirus-themed applications carrying spyware. The campaign unsurprisingly targeted critics of the Syrian government. Many of the malicious Android spyware applications using coronavirus lures released by Syrian-linked hackers are not directly attributable to the SEA.

The post Syrian Electronic Army appeared first on Bugcrowd.

APT17 https://www.bugcrowd.com/glossary/apt17/ Sat, 26 Nov 2022 19:46:28 +0000

APT17 is a Chinese-based threat actor group (also known as Deputy Dog) sponsored by the Chinese Ministry of State Security. APT17 has conducted malicious attacks against government and industry within the United States and targeted various industry sectors, including mining, legal, information technology, the defense industry, and many more.

It has been purported that at one time APT17 used Microsoft’s TechNet blog for its command-and-control (CnC) operation. Rather than directly compromising TechNet, the threat actors created bogus profiles and posted encoded CnC information within these technical forums. The goal was to obfuscate their identity and make detection less likely. This tactic is called “hiding in plain sight.”

Other threat groups also use legitimate websites to host CnC IP addresses. For example, APT17 embedded the encoded CnC IP address for its BLACKCOFFEE malware in valid Microsoft TechNet profile pages and forum threads. Threat researchers refer to this method as a dead drop resolver.

Threat actors will post content, known as a dead drop resolver, on specific Web services with obfuscated IP addresses or domains. Once infected, the victims will reach out to these resolvers for redirection. Encoding the IP address makes it much more difficult for threat researchers to determine the actual CnC address.

BLACKCOFFEE’s functionality is quite diverse. It includes a variety of file operations, process operations, and creating a reverse shell, and its functionality has recently been expanded by adding new backdoor commands. APT17 has been using this technique to camouflage its communications activity since approximately 2013.

Once again, let’s be clear about what the threat actors are trying to accomplish. First, they use well-known websites to host CnC IP addresses. Then they post legitimate-looking forum threads and responses, create profile pages, and more. APT17 then embeds a string that the malware decodes to find and communicate with the real but obfuscated CnC IP address. This additional camouflage puts another layer between APT17 and the security researchers hunting it down.

APT17 has used two MITRE ATT&CK Enterprise techniques: T1583 (Acquire Infrastructure: Web Services) and T1585 (Establish Accounts). It has also shown the affinity for BLACKCOFFEE malware discussed above.

The post APT17 appeared first on Bugcrowd.

APT18 https://www.bugcrowd.com/glossary/apt18/ Sat, 26 Nov 2022 19:42:54 +0000

APT18 is a Chinese nation-state-aligned threat group that has been active since approximately 2009. Security researchers generally agree that APT18 is directly supported by, and aligned with, the Chinese People’s Liberation Navy. APT18 has been actively targeting a broad mix of industry sectors, including manufacturing, technology, government, healthcare, defense, telecommunications, and human rights groups. Most of APT18’s malicious activities have focused on organizations in North America, specifically the United States.

APT18 threat actors have been closely associated with espionage and information theft from the targeted entities. Closely associated threat actor groups, or perhaps alternate names for APT18, include Dynamite Panda, Threat Group-0416, Wekby, and Scandium.

APT18 has been very visible in healthcare sector attacks. At one point, APT18 carried out a campaign against Community Health Systems, resulting in a data breach. It has also been involved in medical espionage, finding and exfiltrating patient data from medical device databases. APT18 has exfiltrated protected health information (PHI) from vulnerable health systems. This data exfiltration has included patient information, medical device operational data believed to be used for industrial espionage, and intellectual property, including advanced proprietary designs. The goal was clearly to advance China’s industries at the expense of U.S. industries that have spent billions of dollars on research and development. At one point, data breaches were announced that disclosed the stolen medical data of over 4.5 million patients.

In one APT18 campaign, the threat actors targeted a zero-day vulnerability (CVE-2015-5119) that had been inadvertently leaked. Before a patch was released, APT18 launched phishing campaigns against many industry sectors, including defense, construction, engineering, energy, health, education, biotechnology, aerospace, high technology, non-profit, telecommunications, and transportation.

The post APT18 appeared first on Bugcrowd.
