Apple declines to pay Kaspersky vuln reward, Bug Bounty ‘extortion’ dispute, Microsoft Recall backlash – OffSec roundup for CISOs

July 2, 2024

Apple’s reported decision not to pay out for several significant zero-days was one of three Bug Bounty disclosures with unexpected twists we spotted in the media recently.

The quartet of iOS bugs was apparently linked to a zero-click exploit allegedly used to spy on employees of the company reporting the vulnerabilities, as well as on diplomats from a particular country.

The plot thickens when that country turns out to be Russia and the reporter of the bugs is Kaspersky Lab, the Russian cybersecurity firm. As reported by Recorded Future News, Kaspersky said Apple cited “the dedicated policy” with no further explanation for not paying out for the firm's Bug Bounty submission.

The head of research at Kaspersky, whose antivirus software has been banned from sale in the US amid US-Russia geopolitical tensions, said the company would have donated the rewards to charity.

This, by the way, is our inaugural monthly roundup of offensive security insights curated for CISOs, security teams and security-conscious devs (this was first published on our CrowdSecWisdom LinkedIn newsletter).

Vulnerability or intended behaviour?

Another interesting Bug Bounty disclosure – but with no geopolitical dimension this time – is a ‘vulnerability’ in Microsoft Azure for which the tech giant paid a reward, but then decided it did not quite meet the threshold qualifying it as a vulnerability after all.

The issue “allows an attacker to bypass firewall rules based on Azure Service Tags by forging requests from trusted services”, according to the Tenable researchers who unearthed the flaw.

According to The Register, Tenable said Microsoft initially developed a “comprehensive fix”, but later decided the issue centred on the “inherent risk in using Service Tags as a single mechanism for vetting secure network traffic” and was best resolved with an update to related documentation.
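To make the “single mechanism” point concrete, here is an added illustration (not Tenable’s or Microsoft’s code) of a trust decision gated only by a Service Tag style address range, beside the same decision hardened with request authentication. The address ranges and the HMAC shared secret are constructed stand-ins; real Service Tag ranges are published by Microsoft.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for a Service Tag: CIDR prefixes a firewall rule treats as
# "trusted services". These ranges are made up for the example.
TRUSTED_SERVICE_TAG = [ipaddress.ip_network("203.0.113.0/24"),
                       ipaddress.ip_network("198.51.100.0/25")]

# Hypothetical shared secret the genuine upstream service uses to sign requests.
SHARED_SECRET = b"example-secret-rotate-me"


@dataclass
class Request:
    source_ip: str
    body: bytes
    signature: str = ""  # hex HMAC-SHA256 over body; empty when absent


def in_service_tag(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SERVICE_TAG)


def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def allow_tag_only(req: Request) -> bool:
    """Weak policy: the tag's address space is the single gate, so any traffic
    originating from that space is accepted, whoever caused it to be sent."""
    return in_service_tag(req.source_ip)


def allow_tag_plus_auth(req: Request) -> bool:
    """Hardened policy: the tag narrows the source, but the request must also
    carry a valid signature proving it came from the expected service."""
    if not in_service_tag(req.source_ip):
        return False
    return hmac.compare_digest(sign(req.body), req.signature)


# Constructed traffic: a genuine signed request and an unsigned one that shares
# the trusted address space but cannot produce a valid signature.
GENUINE = Request("203.0.113.10", b"GET /report", sign(b"GET /report"))
FORGED = Request("203.0.113.77", b"GET /report", "")

if __name__ == "__main__":
    for name, req in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, "tag-only:", allow_tag_only(req),
              "tag+auth:", allow_tag_plus_auth(req))
```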

The third, and most bizarre, disclosure saw Web3 security outfit Certik returning $3 million worth of funds to Kraken after the cryptocurrency exchange’s CSO accused an unnamed “security researcher” of extortion, and said it was “coordinating with law enforcement agencies” over the issue.

After unmasking itself as the reporter of a related vulnerability to Kraken’s Bug Bounty Program, Certik insisted its researchers had acted as good-faith white hats and made several counter-accusations. Coin Telegraph provides a more in-depth account of events that left Kraken (named after a mythical giant octopus) apparently unhappy about Certik's conduct.

In other Bug Bounty news of note, Firefox developer Mozilla has launched a 0Din program focusing on large language models (LLMs) and other deep learning technologies. And Dark Reading has reported on the growing role of Chinese vulnerability researchers in capture-the-flag competitions and Bug Bounty Programs and how the Chinese government could leverage their endeavours.

What could possibly go wrong?

It’s surprising that Microsoft did not foresee the backlash to a new AI feature that constantly takes “screenshots” of your PC in order to create an instantly searchable database of everything you’ve ever done on your computer.

Redmond has now pulled its new Recall feature from the launch of its Copilot+ PCs – it will now only be rolled out for devs and techies to play with as part of its Windows Insiders Program. It’s a serious misstep by Microsoft, which has mostly outflanked its rivals in the LLM arms race since it unleashed ChatGPT in 2022.

On the vulnerability front, a security flaw in the MOVEit file transfer tool is worth paying attention to after its severity was elevated from ‘high’ to ‘critical’.

MOVEit developer Progress Software is urging customers to patch CVE-2024-5806 after a “newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue”.

The bug potentially enables attackers to exfiltrate, delete or change data on the MOVEit Transfer server. The bug has surfaced 12 months after a previous MOVEit vulnerability was blamed for a wave of data breaches.

Meanwhile, the National Institute of Standards and Technology (NIST) has revealed a potential solution to a CVE backlog in processing new vulnerability reports. NIST said it has hired an external vendor to help process soaring numbers of vulnerabilities added to the National Vulnerability Database (NVD), reports Recorded Future News.

Time to split the CISO role in two?

CSO Online has marshalled arguments in favour of splitting the CISO role in two, as well as exploring the possible risks, amid the ballooning responsibilities of the role. Jon Oltsik, analyst emeritus with Enterprise Strategy Group, suggested that one executive could work the board, regulators and insurers and must be “fluent in the language of the business and translate that into cyber risk”.

Another could oversee the increasingly complex technology side – most notably the rapid adoption of AI. “Having someone who really understands all of that technology and can put the right controls in place with guidance from the business, is a different type of role,” Oltsik told CSO Online.

One of the UK’s worst-ever cyber-attacks

One of the worst-ever cyber-attacks against a UK organisation saw massive disruption to London hospitals and publication to the darknet of a huge tranche of sensitive personal data.

The attack on NHS pathology provider Synnovis disrupted more than 3,000 appointments at hospitals and medical practices using its services.

The Qilin ransomware gang, which is suspected of being Russia-based, has claimed responsibility. The BBC reported that a sample of data it saw included patient names, dates of birth, NHS numbers and descriptions of blood tests. Security experts have expressed concern that the stolen data gives cybercrooks ammunition to extort affected patients.

Another large-scale attack against the healthcare sector, this time in the US, could potentially involve the theft of highly sensitive personal data of more than a million patients.

Pennsylvania-based healthcare provider Geisinger blamed a November breach on Microsoft-owned speech recognition firm Nuance Communications after it failed to revoke corporate file access from an employee who had been sacked.

A problem with open source vulnerabilities?

Also noteworthy are comments about the security drawbacks of open source in relation to vulnerability disclosure in an article about Common Misconceptions about CVEs, NVD, KEV Catalog, and EPSS.

Security researcher Kyle Kelly wrote: “Many security tools use the NVD as their sole source of security advisories”, yet “open-source maintainers frequently publish security advisories on alternative platforms like the GitHub Advisory Database”. He added: “This is not good if you care about open-source vulnerabilities.”

In positive news for open source security, applications are open to join the Bug Resilience Program (BRP), which helps critical and under-resourced open source projects prevent and patch vulnerabilities through reducing technical debt, secure code audits and Bug Bounty. The impressive initiative is operated by the Sovereign Tech Fund, which runs four public programs through YesWeHack: for Sequoia PGP, systemd, CycloneDX Rust and OpenPGP.js.

We’ve also seen useful articles on best practices from reputable sources on preventing subdomain takeovers, on mastering the art of secure guardrails (a podcast interview with GitHub CISO Mike Hanley) and on the rise of secure defaults, with tips and useful resources for implementation.

Read this monthly roundup even sooner by subscribing to CrowdSecWisdom – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.