Security Snacks #2 – The Godzilla of bugs, The OST debate & The bug bounty of the year

Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.


This week’s news is all about a frightening Windows vulnerability some call “The Godzilla of bugs”, an impressive $288,500 bug bounty from Apple, the world’s first bug bounty loyalty program, and the latest cybercrime attacks and trends. Read on for all the details!

Notable Security News

Patch Tuesday: Microsoft remedies critical TCP/IP remote code execution bug

Microsoft released patches for 87 vulnerabilities. One of them, CVE-2020-16898, is a Remote Code Execution (RCE) vulnerability in the Windows IPv6 stack. It is rated critical with a 9.8/10 CVSS v3 score, and we haven’t heard the last of it, as it will likely be weaponized by Advanced Persistent Threat (APT) actors.

Five bag $300,000 in bug bounties after finding 55 security holes in Apple’s web apps, IT infrastructure

A team of five seasoned bug bounty hunters hacked Apple for three months and discovered no less than 55 vulnerabilities. Apple rewarded them with payouts totaling $288,500. The news made waves in the bug bounty community because the team published write-ups of many of these findings with a wealth of technical detail.

Facebook launches bug bounty ‘loyalty program’

Facebook has launched the world’s first loyalty program for bug bounty hunters. Security researchers will be placed into tiers based on their bug reports and will be rewarded with bonuses on top of bounty awards.

APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations

The FBI and CISA are warning that threat actors are chaining VPN and Windows vulnerabilities to attack US government networks. Interestingly, they are combining legacy vulnerabilities with the newer ZeroLogon privilege escalation, which highlights the importance of keeping systems up to date.

Researchers map threat actors’ use of open source offensive security tools

There are ongoing disputes among security professionals about the ethics of publishing Offensive Security Tools (OST). Some consider that it does more harm than good, since these tools are often used by both ethical hackers and criminals. While this research does not settle the argument, it helps us understand how criminals leverage OSTs, which ones are most used, and how that knowledge can be turned against the attackers.

Other Interesting News

Cybercrime

Vulnerabilities

Reports

Responsible disclosure

Tech

Misc.

Intigriti Customer Story

MuuseLabs protects children’s IoT devices through Intigriti’s ethical hacking platform

“We sell a lot of Jooki in the run up to Christmas. An intigriti researcher found a critical bug in our webstore a few months before. We were very grateful that we could patch and fix that bug so that we didn’t lose sales over the Christmas period.”

– Will Moffat, CTO MuuseLabs.