Tag Archive for: bounty

‘Hack DHS’ Bug Bounty Program to Begin Second Phase with New Contract Request


The Department of Homeland Security has issued a solicitation for companies to provide crowdsourced vulnerability assessment services—including for competitions and live events—for phase two of the agency’s “Hack DHS” bug bounty program. 

The request for proposals says that the contract “will be used to conduct crowdsourced vulnerability discovery and disclosure activities across the full range of networks, systems and information, including web applications, software, source code, software-embedded devices and other technologies as solicited across the whole Department of Homeland Security, or other assets as deemed appropriate by the program office.”

DHS established the “Hack DHS” bug bounty program following passage of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act, or the SECURE Technology Act, in 2018. Under the law, DHS is required to establish a multi-year bug bounty program allowing eligible individuals, organizations and companies to receive compensation for identifying and reporting vulnerabilities in the agency’s systems. 

The agency announced in April that it had completed the first phase of the program, in which 450 vetted security researchers identified 122 vulnerabilities in “select external DHS systems”; DHS rated 27 of them “critical.” Researchers and ethical hackers who participated in the first phase could receive up to $5,000 for identifying verified vulnerabilities, and DHS reported that it awarded a total of $125,600 to participants. 

Under the second phase of the program, researchers and ethical hackers will participate in live hacking events, while the third and final phase will allow DHS to identify and review the lessons learned from the program, as well as plan for additional bug bounty initiatives. 

The RFP calls for six time-boxed challenges and two continuous challenges during the first year of the contract, and then up to 12 time-boxed and five continuous challenges in the optional contract years. The contractors are also expected to conduct live, U.S.-based events with between 15 and 50 researchers, as…


Ransomware Gang Offers Bug Bounty, Promises Payouts Up to $1 Million


In what might be a first, a ransomware gang has launched a bug bounty program that rewards anyone who submits details of previously unknown website vulnerabilities to the group.  

The program comes from LockBit, one of the most prolific ransomware gangs operating today. On Sunday, malware-repository site VX-Underground noticed that the LockBit gang had launched the bug bounty program at a dark web address. 

“We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program,” the hacking group wrote. “The amount of remuneration varies from $1000 to $1 million.”


Specifically, LockBit is looking for website vulnerabilities it can manipulate and use to steal data. The group is also interested in learning about bugs in its own ransomware encryption programs and in the Tox messenger and Tor network. 

However, the biggest payout has nothing to do with uncovering software flaws. LockBit is offering $1 million to anyone—including FBI agents—who can “dox” or uncover personal details about the gang’s leader. 


The bug bounty program suggests LockBit is rich enough to buy zero-day exploits, attacks that leverage software flaws unknown to the vendor to compromise a system. Zero-day exploits can be particularly devastating because there is no patch a user can install to thwart them. LockBit is also promising payouts that rival the rewards offered by legitimate bug bounty programs.


LockBit’s program is certainly a worrying sign. Its own ransomware site claims the gang has hacked dozens of companies and organizations across the globe. Victims who refuse to pay the ransom have had their internal files leaked on LockBit’s website. 

According to Trend Micro, the gang has also previously recruited company insiders to help it break into a target’s network. “LockBit has been detected all over the globe, with the US seeing most of the attack attempts from June 2021 to January 20, 2022, followed by India and Brazil,” the security firm wrote in a February report. “We saw the most LockBit-related detections in the healthcare industry…


Two-thirds of ethical hackers considering bug bounty hunting as a full-time career


Pictured: A computer keyboard is seen in this cropped image with Javascript in the background. (“Coding Javascript” by Christiaan Colen is marked with CC BY-SA 2.0.)

Research from Intigriti on Tuesday found that 96% of ethical hackers would like to dedicate more time to bug bounty hunting in the future, and 66% are considering it as a full-time career.

The report, based on responses from 1,700 part-time and full-time ethical hackers, found that money is the main draw: 48% named good pay as their top attraction. Independence also matters, with 45% citing both the desire to be their own boss and the ability to set their own hours.

“The work-from-home culture has made employees desire more independence and has further encouraged digital nomads to pursue a remote working career,” said Inti De Ceukelaire, head of hackers at Intigriti. “Bug bounty platforms can not only facilitate this, but they also allow people to work wherever they want, whenever they want, and without having to rely on a boss to match their talents with customers or be part of a corporate hierarchy.” 

Davis McCarthy, principal security researcher at Valtix, said hacking has turned into a full-blown industry, adding that data has become the new commodity, whether on Wall Street or in the underground — cybercriminals monetize passwords, remote access to corporate networks, exploits and botnets.

“Bug bounty hunting is a great career path for cybersecurity professionals,” McCarthy said. “For people getting into bug bounty hunting, it’s good to make sure the target organization has a bug bounty program, and to check if there are any limitations on what’s acceptable to test. There’s a lot of technical debt in the cloud, and the enterprise shift to using the cloud means there are a lot of opportunities for bug bounty hunters to do some good: find exposed S3 buckets, instances with default passwords, and poorly configured databases. If I was getting into bug bounty hunting now, I’d jump headfirst into cloud security.”

Casey Ellis, founder and CTO at Bugcrowd, said bug bounty hunters are ultimately entrepreneurs in their own right. Ellis said every bug is a…


US offers bounty for Sandworm, the Russian hackers blamed for destructive cyberattacks


The U.S. government has stepped up its hunt for six Russian intelligence officers, best known as the state-backed hacking group dubbed “Sandworm,” by offering a $10 million bounty for information that identifies or locates its members.

The Sandworm hackers — who work for a division of Russia’s GRU, the country’s military intelligence division — are known for launching damaging and destructive cyberattacks against critical infrastructure, including food supplies and the energy sector.

Sandworm may be best known for the NotPetya attack of June 2017, a destructive wiper disguised as ransomware that primarily hit computer systems in Ukraine, and for its earlier attacks on the country’s power grid in December 2015 and December 2016, which left hundreds of thousands of residents without electricity in the depths of winter. In 2020, U.S. prosecutors indicted the same six Sandworm hackers, who are believed to still be in Russia, for the NotPetya attack, for attacks targeting the 2018 PyeongChang Winter Olympics in South Korea, and for running a hack-and-leak operation to discredit France’s then-presidential frontrunner Emmanuel Macron.

In a statement this week, the U.S. State Department said the NotPetya attack spilled outside of Ukraine across the wider internet, resulting in close to $1 billion in losses to the U.S. private sector, including medical facilities and hospitals.


The timing of the bounty comes as U.S. officials warn that Russia-backed hackers, including Sandworm, could be preparing damaging cyberattacks that target businesses and organizations in the United States following Russia’s invasion of Ukraine.

Since the start of the invasion in February, security researchers have attributed several cyberattacks to Sandworm, including the use of “wiper” malware to degrade Viasat’s satellite network, on which the Ukrainian military heavily relies. Ukraine’s government said earlier this month that it had disrupted another Sandworm attempt to target a Ukrainian energy provider, this time using malware repurposed from the group’s 2016 attacks on Ukraine’s grid.

The FBI also this month said it conducted an operation to disrupt a massive botnet that infected thousands of compromised routers, including many located in the U.S., by locking…
