Vulnerabilities Archives - My TechDecisions
https://mytechdecisions.com/tag/vulnerabilities/
Wed, 12 Apr 2023 17:06:20 +0000

Is Your Organization Testing Against the Right Cyber Threats?
https://mytechdecisions.com/network-security/testing-against-cyber-threats/
Wed, 12 Apr 2023 17:06:20 +0000

The post Is Your Organization Testing Against the Right Cyber Threats? appeared first on My TechDecisions.
Ransomware, supply chain attacks and nation-state threat actors have grabbed mainstream headlines in recent years, and organizations are largely recognizing that they must invest more in cybersecurity to defend against those emerging techniques.

However, new research shows that some organizations are prioritizing defending against those trending, newsworthy threats at the expense of the threats actually facing their organization.

According to Mike DeNapoli, director of cybersecurity architecture at security posture management platform Cymulate, organizations are focusing on those headline-grabbing threats too often.

While staying current on new and emerging attack techniques is essential for any IT and security professional, organizations are doing so at the expense of the threats they are more likely to encounter on a daily basis, DeNapoli says.

Citing the company’s “2022 Cybersecurity Effectiveness Report,” DeNapoli says 40% of the exploits vulnerability managers are discovering are over two years old. New attacker tools and techniques such as AI-assisted polymorphic ransomware attacks should of course garner attention, but not at the expense of proven attack vectors.

“(Polymorphic ransomware) is not something we should be ignoring in any way, but at the same time, ProxyShell and ProxyNotShell vulnerabilities are still visible on Exchange Server,” DeNapoli says. “Attackers…are going to go for the low-hanging fruit when it’s available.”

What organizations are testing for vs. what is actually being exploited

According to Cymulate’s research, 40% of the top CVEs identified most by vulnerability management platforms were over two years old, and a significant number of organizations are not testing against more widely recognized threats such as those Exchange Server vulnerabilities and malware such as Emotet.

Other known vulnerabilities in organizations’ environments include poorly configured identity and access management and privileged access management, as well as reliance on legacy infrastructure.

However, the top 10 immediate threats simulated last year share many characteristics, including being carried out by known threat actors; using phishing, watering hole and supply chain attacks; using known attack tools; having a clear motive; and being highly sophisticated and evasive.

Another top characteristic is that they were all abundantly reported on in specialized and mainstream press.

According to Cymulate, the top 10 most tested threats include:

  • Manjusaka: a cyber-attack framework of Chinese origin, likely created for criminal use, it includes Windows and Linux implants and a ready-made command and control server.
  • Powerless Backdoor: a cyber threat popular among Iranian hackers, designed to avoid detection by PowerShell, and can download a browser info stealer, keylogger, encrypt and decrypt data, execute arbitrary commands, and kill processes.
  • APT 41 targeting U.S. State Governments: a Chinese state-sponsored hacking group that has been targeting US state governments using various tools and techniques such as Acunetix, Nmap, and SQLmap, and attack methods like phishing, watering hole attacks, and supply-chain attacks.
  • Lazarus Phishing Attack on DoD Industry: a phishing campaign carried out by the North Korean hacking group Lazarus, targeting job applicants in the US defense sector with malicious documents containing macros.
  • Industroyer 2: An APT-style malware that specifically targets industrial control systems (ICS) and critical infrastructure. A spinoff of the 2016 attack on Ukraine's power grid.
  • Spring4Shell: Exploiting the Spring Framework vulnerability (CVE-2022-22965), it allows for remote code execution without authentication.
  • Follina Office Attack: Weaponizing Microsoft vulnerability (CVE-2022-30190), it allows for remote code execution without authentication.
  • Ransomexx: A ransomware-as-a-service (RaaS) model, financially motivated and believed to be related to the Sprite Spider ransomware group based in Russia.
  • Quantum Ransomware: One of the fastest cases of time-to-ransom ever observed with initial access to domain-wide ransomware in just 3 hours and 44 minutes. The initial access vector for this attack was an IcedID payload delivered via email.
  • Mikubot: A new variant of bot malware that is being offered for sale in threat actor forums, written in C++ and works on Windows operating systems from Vista to Windows 11. The malware is standalone and is being sold for $1300 for 1.5 months of access or $2200 for a three-month subscription.

However, the company’s list of vulnerabilities most frequently flagged by vulnerability management tools includes bugs that keep making appearances in threat research, such as Exchange Server vulnerabilities, PrintNightmare, and others.

  • CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability. Used in Follina attacks.
  • CVE-2021-34527 – A remote code execution (RCE) vulnerability that allows threat actors to remotely inject DLLs. Used in conjunction with CVE-2021-1675 in PrintNightmare attacks.
  • CVE-2013-3900 – A WinVerifyTrust signature validation vulnerability that allows remote attackers to execute arbitrary code via specially crafted portable executables by appending the malicious code snippet while still maintaining the validity of the file signature.
  • CVE-2022-2190 – Microsoft HTTP protocol stack remote code execution vulnerability
  • CVE-2021-1675 – Allows an attacker with low access privileges to use a malicious DLL file to escalate privilege. Used in conjunction with CVE-2021-34527 in PrintNightmare Attacks.
  • CVE-2021-31956 – Windows NTFS Elevation of Privilege Vulnerability
  • CVE-2018-0798 – A Microsoft Office memory corruption vulnerability that allows remote code execution due to the way objects are handled in memory.
  • CVE-2018-0802 – A Microsoft Office memory corruption vulnerability that allows remote code execution due to the way objects are handled in memory.
  • CVE-2017-11882 – A Microsoft Office memory corruption vulnerability that allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory.
  • CVE-2022-3786 – A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character (decimal 46) on the stack and cause a denial of service.

Assess your environment first

When IT and security professionals see these new attacks making headlines, they should first assess whether they have the vulnerable assets in their environment, and if they would be a target of the threat actor, if one was identified.

According to DeNapoli, that means getting a handle on shadow IT and cloud sprawl, which is admittedly difficult to do.

“But, it’s necessary, because if there is something like a Log4J, you don’t know what is running within the environment and it becomes incredibly difficult to determine if you could be attacked by that type of technique,” DeNapoli says. “Having those sort of catalogs or inventories of what’s there and what could be a target is going to help a lot.”

However, organizations should not be ignoring the things that came before, as threat actors have proven that leveraging old vulnerabilities–some of which are more than a decade old–is still successful.

The U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog is a prime example of this issue, as 481 of the 914 vulnerabilities on the list are from before 2020.

“Nation-state actors are using this backlog to successfully attack organizations,” DeNapoli says. “Always compare what’s coming out in the news to what you’ve got running to determine if this is something you should deal with immediately, or if it can be put on the backburner in favor of something much more likely to happen.”
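The inventory-versus-catalog comparison DeNapoli recommends, as an added example (not code from the article, from Cymulate or from CISA). The catalog excerpt uses the field names of CISA's KEV JSON feed, but the entries, their dateAdded values and the asset inventory are constructed for illustration; the CVE ids are ones the article names. The script sizes the pre-2020 backlog of a catalog and lists which inventoried hosts run software that the catalog names, oldest CVE first.

```python
"""Cross-check an asset inventory against a KEV-style catalog and size the pre-2020 backlog."""
import json
from collections import defaultdict

# Constructed excerpt in the shape of CISA's KEV feed. Field names are the feed's own;
# the dateAdded values are invented for this example and are not CISA's records.
KEV_SAMPLE_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2017-11882", "vendorProject": "Microsoft", "product": "Office",
         "dateAdded": "2021-01-01"},
        {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2021-01-01"},
        {"cveID": "CVE-2022-22965", "vendorProject": "VMware", "product": "Spring Framework",
         "dateAdded": "2022-01-01"},
        {"cveID": "CVE-2022-30190", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2022-01-01"},
    ]
})

# Constructed asset inventory (hypothetical hosts; vendor/product as a CMDB might record them).
INVENTORY = [
    {"host": "fileserver01", "vendor": "Microsoft", "product": "Windows"},
    {"host": "hr-laptop-07", "vendor": "microsoft", "product": "office"},
    {"host": "build-agent-3", "vendor": "VMware", "product": "Spring Framework"},
    {"host": "mail-gw", "vendor": "ExampleVendor", "product": "Gateway"},
]


def load_catalog(text):
    """Parse the KEV-style JSON document and return its list of entries."""
    return json.loads(text)["vulnerabilities"]


def cve_year(cve_id):
    """Year component of a CVE id, e.g. 'CVE-2017-11882' -> 2017."""
    return int(cve_id.split("-")[1])


def backlog_share(entries, before_year=2020):
    """Fraction of catalog entries whose CVE year is earlier than before_year."""
    if not entries:
        return 0.0
    old = sum(1 for e in entries if cve_year(e["cveID"]) < before_year)
    return old / len(entries)


def _key(vendor, product):
    # Case- and whitespace-insensitive vendor/product key; a real deployment would map
    # inventory records to CPEs and check versions rather than match names only.
    return (vendor.strip().lower(), product.strip().lower())


def exposed_hosts(entries, inventory):
    """Map each host to the sorted CVE ids whose vendor/product matches software on that host."""
    by_product = defaultdict(list)
    for entry in entries:
        by_product[_key(entry["vendorProject"], entry["product"])].append(entry["cveID"])
    hits = {}
    for asset in inventory:
        cves = by_product.get(_key(asset["vendor"], asset["product"]))
        if cves:
            hits[asset["host"]] = sorted(cves)
    return hits


def triage_order(entries, inventory):
    """(host, cve) pairs with the oldest CVEs first: the proven backlog outranks the newest headline."""
    pairs = [(host, cve) for host, cves in exposed_hosts(entries, inventory).items() for cve in cves]
    return sorted(pairs, key=lambda p: (cve_year(p[1]), p[1], p[0]))


if __name__ == "__main__":
    catalog = load_catalog(KEV_SAMPLE_JSON)
    print(f"pre-2020 share of catalog: {backlog_share(catalog):.0%}")
    for host, cve in triage_order(catalog, INVENTORY):
        print(f"{host:15} {cve}")
```

Name matching on vendor and product is only a first pass: it tells you which hosts deserve a version check, not which are vulnerable. With the real feed, the same functions run unchanged over the full `vulnerabilities` array.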

Older, Unpatched Vulnerabilities Are Still Wreaking Havoc
https://mytechdecisions.com/network-security/older-unptched-vulnerabilities-are-still-wreaking-havoc/
Tue, 28 Feb 2023 16:16:56 +0000
Older vulnerabilities for which patches have already been made available by the vendor are still the primary vehicle for cyberattacks, suggesting that organizations are still behind in practicing good cyber hygiene, according to new data from Tenable.

The Columbia, M.D.-based provider of vulnerability management software finds in its 2022 Threat Landscape Report that the number one group of most frequently exploited vulnerabilities are a large pool of known vulnerabilities, including some that date back to 2017. Organizations repeatedly failed to apply the vendor’s patches for these bugs, resulting in increasing attacks throughout last year.

According to Tenable, the top exploited vulnerabilities within this group included several older high-severity flaws in Microsoft Exchange, Zoho ManageEngine products and VPN solutions from Fortinet, Citrix and Pulse Secure.

Of course, Log4Shell, the critical remote code execution bug in Java logger Log4j discovered in December 2021, was among the most frequently exploited vulnerabilities in 2022, according to Tenable. Others included Follina, a remote code execution bug in the Microsoft Support Diagnostic Tool; an Atlassian Confluence Server and Data Center vulnerability; and ProxyShell, a chain of three vulnerabilities in Microsoft Exchange Server.

In all of those cases, the vulnerabilities, mitigations and patches were highly publicized, and organizations had the ability to fix these issues immediately. In addition, four of the first five zero-day vulnerabilities exploited in the wild in 2022 were disclosed to the public on the same day the vendor released patches and mitigations, according to Tenable.

Bob Huber, chief security officer and head of research at Tenable, says in a statement that older, long-known vulnerabilities cause more destruction than new ones.

“Cyberattackers repeatedly find success exploiting these overlooked vulnerabilities to obtain access to sensitive information,” Huber says. “Numbers like these conclusively demonstrate that reactive post-event cybersecurity measures aren’t effective at mitigating risk. The only way to turn the tide is to shift to preventive security and exposure management.”

According to the report, older vulnerabilities in Fortinet FortiOS and Zoho ManageEngine were spotted in chained attacks with Log4Shell and various Exchange Server bugs. Tenable says it has been highlighting some of these bugs “for years,” and they are all listed in CISA’s catalog of Known Exploited Vulnerabilities.

The 2017 vulnerability listed in Tenable’s report is a memory corruption bug in Microsoft Office Equation Editor that has a CVSSv3 score of 7.8. Meanwhile, the report lists three 2018 bugs, a 2020 bug and three 2021 bugs as among the most actively exploited in 2022.

Read Tenable’s report for more information.

These macOS, iOS Vulnerabilities Could Allow Attackers to Access Messages, Photos & Call History
https://mytechdecisions.com/network-security/these-macos-ios-vulnerabilities-could-allow-attackers-to-access-messages-photos-call-history/
Tue, 21 Feb 2023 18:45:17 +0000
Cybersecurity firm Trellix says it has discovered a new class of privilege escalation bugs in macOS and iOS that could allow attackers to bypass code signing to execute arbitrary code and gain access to messages, location data, call history and photos.

According to the firm, this could allow sandbox escape on both macOS and iOS. The vulnerabilities range from medium to high severity, with CVSS scores between 5.1 and 7.1. Attackers could use these exploits–which have been fixed in recent updates–to gain access to sensitive information such as a user’s messages, location data, call history and photos.

In a research blog, Trellix details a 2021 bug that allowed for 0-click remote code execution that was used to infect a Saudi activist’s iPhone with the Pegasus malware. The exploits included the initial exploitation of PDF parsing code and sandbox escape.

“While much attention was given to the first exploit, we were much more interested in the second as it described a way to dynamically execute arbitrary code in another process which completely sidestepped code signing,” the company’s researchers say.

Trellix describes that exploit as such:

It involved NSPredicate, an innocent looking class that allows developers to filter lists of arbitrary objects. In reality the syntax of NSPredicate is a full scripting language. The ability to dynamically generate and run code on iOS had been an official feature this whole time. However, this was just the beginning, as this feature revealed an entirely new bug class that completely breaks inter-process security in macOS and iOS.

However, this was not the first example, as a researcher in 2019 discovered how to exploit the mechanics of NSPredicate to run arbitrary code.

The gist of this research was that NSExpression objects, the building blocks of an NSPredicate, could be used to call arbitrary methods on arbitrary classes and objects. Using existing classes in Apple’s private frameworks, it was possible to bypass pointer authentication (PAC) and every other mitigation to call any function. However, the post also describes ways in which Apple has mitigated the dangerousness of these objects, namely through a protocol called NSPredicateVisitor. Classes that implement this protocol can be used to check every expression to make sure they were safe to evaluate. CodeColorist notes at the end of his post that “Without a proper validation, it could be an inter-process attack surface to bypass TCC.”

This led to the discovery of a “large new class of bugs” that allow bypassing code signing to execute arbitrary code in the context of several applications, leading to escalation of privileges and sandbox escape on both operating systems.

Apple has removed features used in previous exploits and added new mitigations to restrict what could be done with NSPredicate, using a large denylist to prevent the use of certain classes and methods, but Trellix discovered that the new mitigations could be bypassed.

By using methods that had not been restricted it was possible to empty these lists, enabling all the same methods that had been available before. This bypass was assigned CVE-2023-23530 by Apple. Even more significantly we discovered that nearly every implementation of NSPredicateVisitor could be bypassed. There are many processes with XPC Services (the primary method of high-level inter-process communication on macOS and iOS) that accept NSPredicate arguments and use NSPredicateVisitor to ensure that the provided expression is safe to evaluate. While there is no single implementation as nearly every process has its own version, most use the “expressionType” property to filter out function expressions. The issues reside in the fact that this property can be set in the sending process and is trusted to be accurate by the receiver, rendering the checks useless. This bypass was assigned CVE-2023-23531. These two techniques opened a huge range of potential vulnerabilities that we are still exploring.
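The receiver-side check that the Trellix passage above describes, reduced to its essence as an added example (not Trellix's, Apple's or the article's code). Everything here is a model: the node kinds, the `claimed_type` field standing in for a sender-supplied “expressionType”, the dict-encoded message format and the function allowlist are all assumptions. It contrasts a visitor that classifies nodes by metadata the sending process controls with one that classifies each node by what it actually is and then allowlists function names.

```python
"""Two expression validators: one trusts a sender-supplied type tag, one inspects the node itself."""
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Assumed allowlist of function names the receiver is willing to evaluate.
ALLOWED_FUNCTIONS = frozenset({"count:", "sum:", "uppercase:"})


@dataclass
class Node:
    """One node of an expression tree as received across a process boundary (a model, not NSExpression)."""
    kind: str                # what the node actually is: "constant", "keypath" or "function"
    claimed_type: str        # what the sender says it is; stands in for a sender-settable "expressionType"
    name: str = ""           # function name or key path
    args: List["Node"] = field(default_factory=list)


def parse_message(msg: Dict[str, Any]) -> Node:
    """Deserialize a constructed dict-encoded expression. Every field is under the sender's control."""
    return Node(
        kind=msg["kind"],
        claimed_type=msg.get("expressionType", msg["kind"]),
        name=msg.get("name", ""),
        args=[parse_message(arg) for arg in msg.get("args", [])],
    )


def trusting_visitor_accepts(node: Node) -> bool:
    """Vulnerable pattern: filters out function expressions by reading the sender-supplied tag."""
    if node.claimed_type == "function":
        return False
    return all(trusting_visitor_accepts(arg) for arg in node.args)


def structural_visitor_accepts(node: Node) -> bool:
    """Hardened pattern: classify the node by its actual kind, allowlist functions, fail closed on unknowns."""
    if node.kind == "function":
        if node.name not in ALLOWED_FUNCTIONS:
            return False
    elif node.kind not in ("constant", "keypath"):
        return False
    return all(structural_visitor_accepts(arg) for arg in node.args)


def evaluate(msg: Dict[str, Any]):
    """Return (trusting_result, structural_result) for one received message."""
    node = parse_message(msg)
    return trusting_visitor_accepts(node), structural_visitor_accepts(node)


# Constructed sample messages; not captured from any real process.
PLAIN_MSG = {"kind": "keypath", "name": "items"}
BENIGN_MSG = {"kind": "function", "name": "count:", "args": [{"kind": "keypath", "name": "items"}]}
MISLABELED_MSG = {
    "kind": "function", "name": "anyUnlistedSelector:",  # hypothetical function name not on the allowlist
    "expressionType": "constant",                        # sender labels the node as harmless
    "args": [{"kind": "constant", "name": "payload"}],
}

if __name__ == "__main__":
    for label, msg in (("plain", PLAIN_MSG), ("benign", BENIGN_MSG), ("mislabeled", MISLABELED_MSG)):
        trusting, structural = evaluate(msg)
        print(f"{label:11} trusting={trusting!s:5} structural={structural}")
```

The trusting visitor fails in both directions: it rejects the harmless `count:` call because the tag says “function”, and it accepts the mislabeled one because the tag says “constant”. The structural visitor never reads the tag, so the only way past it is a function name the receiver chose to allow. In a real boundary the same discipline means recomputing every security-relevant attribute from the deserialized object rather than from metadata that travelled with it.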

According to Trellix, an attacker could use the bugs to access a user’s calendar, address book and photos, as well as install arbitrary applications.

Other vulnerabilities could allow an attacker to read potentially sensitive information from the syslog, or exploit an NSPredicate vulnerability in UIKitCore on the iPad. Attackers could use this to achieve code execution inside SpringBoard, a highly privileged app that can access location data, camera, microphone, call history, photos and other sensitive data, as well as wipe the device.

Apple addressed these issues with the release of macOS 13.2 and iOS 16.3, according to the Trellix blog.

This Week in IT: Sneaky Ransomware; Google, Army Partnership; Digital Transformation; Chinese Hackers
https://mytechdecisions.com/it-infrastructure/this-week-in-it-ransomware-google-army-partnership-digital-transformation-chinese-hackers/
Thu, 06 Oct 2022 20:26:14 +0000
Editor’s note: There is a lot going on in the world of IT, from emerging technologies to digital transformation and new cybersecurity threats. However, we can’t possibly cover it all, so we’ll bring you This Week in IT, a curated summary of IT and enterprise technology stories each week.

BlackByte ransomware group disables security products

Cybersecurity firm Sophos has released a new report that details how the threat actors behind the BlackByte ransomware gang use a sophisticated technique to bypass security products by abusing a known vulnerability in the legitimate but vulnerable driver RTCore64.sys. This includes disabling over 1,000 drivers on which security products rely to provide protection.

The technique is growing in popularity, with at least two other known reports of threat actors using vulnerable drivers to kill antivirus and other software to bypass security products and deploy ransomware.

Read Sophos’ blog for more information.

Google to provide U.S. Army with Workspace

Google announced a new partnership with the U.S. Army that will see the company’s Public Sector division provide up to 250,000 personnel with the Google Workspace suite of productivity and collaboration solutions. This comes after the launch of Google Public Sector in June, which is focused on helping U.S. public sector entities in federal, state and local governments accelerate their digital transformations.

Read more about Google’s partnership with the U.S. Army and Google Public Sector here.

Infrastructure automation growth on the horizon

Gartner analysts predict that 85% of infrastructure and operations leaders currently without any full automation expect to become more automated within the next three years, and 70% of organizations will implement structured automation to deliver flexibility and efficiency by 2025.

The research and analysis firm’s survey found that automation is most used in application deployment, workload automation and end-user device deployment. However, just 22% are automating patching and vulnerability remediation, despite 70% of those who do automate those functions finding it impactful for the business.

Read more about Gartner’s survey of infrastructure and operations automation here.

These are the vulnerabilities Chinese hackers are exploiting

If your organization is at risk for targeted cyberattacks from Chinese-backed entities, you should review the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of top vulnerabilities being actively exploited by China state-sponsored hacking groups. The list of 20 vulnerabilities includes only bugs published in 2019 or later, and features some of the most well-known bugs in recent memory.

The list includes the Log4j bug discovered at the end of last year, along with vulnerabilities from popular vendors such as Microsoft, Atlassian, VMware, Cisco and more.

Read CISA’s advisory for more information.

Google Cloud, HCLTech expand partnership to accelerate digital transformations

HCLTech and Google Cloud are expanding their partnership to scale HCLTech’s capacity to support digital transformation and deliver migration, system modernization and professional services for enterprise customers. The expanded relationship includes two new offerings: the new Google Cloud Global Migration and Modernization Factory and the HCLTech Cloud Acceleration Team, both of which aim to help customers gain value from their cloud investments sooner.

Learn more about the Google Cloud, HCLTech partnership here.

ProxyShell, Log4Shell Among Most Exploited Security Bugs
https://mytechdecisions.com/network-security/proxyshell-log4shell-most-exploited-security-bugs/
Wed, 27 Jul 2022 17:43:37 +0000
Updating systems and patching security vulnerabilities has always been a key part of the job for any IT or security professional, but a new report from cybersecurity giant Palo Alto Networks sheds new light on just how quickly threat actors are leveraging new vulnerabilities.

The Santa Clara, Calif.-based security software provider’s Unit 42 Incident Response Report, an analysis of more than 600 incident response cases conducted over the past year, found that software vulnerabilities were the initial access vector in 31% of cases, with phishing attacks remaining the top vector at 37% of cases.

Popular vulnerabilities leveraged

In cases where software vulnerabilities were exploited, ProxyShell—a chain of three vulnerabilities in Microsoft Exchange Server—was the most common vulnerability exploited by attackers in cases analyzed by Unit 42. The three bugs making up the ProxyShell exploit, CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, were responsible for 55% of cases where vulnerabilities were leveraged.

Meanwhile, Log4Shell, the critical remote code execution flaw found in the popular Java logging tool Log4j late last year, was leveraged in 14% of such cases. Palo Alto notes in its report that by February 2, its researchers saw nearly 126 million hits triggering the Threat Prevention signature meant to protect against the exploit. Although just 14%, Palo Alto notes that the bug was public for just a few months of the time period studied in the report.

Attackers quick to exploit new bugs

That quick action by threat actors was also detailed in the report, with the company reporting a rise in exploits of new vulnerabilities and a quicker time-to-exploit once a bug is published. According to Palo Alto Networks, exploitation can sometimes coincide with the disclosure.

One vulnerability discovered by the company had 2,552 hits just 10 hours after publishing due to vulnerability scanning and active exploitation attempts, according to the report.

However, attackers start scanning for vulnerabilities within 15 minutes of a CVE being published, which places more emphasis on the need to immediately apply critical security updates when they become available.

Ransomware payouts, most attacked industries

Other key trends covered in the report include new findings on ransomware. According to the report, the median dwell time ransomware attackers spend in an environment before being detected was 28 days. Ransom demands also continue to rise, hitting an average of nearly $1 million, and some reported payouts as high as $8 million.

The report also highlights the most attacked industries observed in cases Palo Alto Networks has worked, with finance, professional and legal services, manufacturing, healthcare, high tech, wholesale and retail making up 63% of the company’s cases.

Read the company’s report for more information.

Tenable Releases Nessus Expert for External Attack Surface, Cloud Security
https://mytechdecisions.com/network-security/tenable-releases-nessus-expert-for-external-attack-surface-cloud-security/
Tue, 12 Jul 2022 16:17:25 +0000
Vulnerability assessment solution provider Tenable is enhancing its Nessus vulnerability scanning product by adding Nessus Expert to its family of solutions to bring expanded capabilities and visibility into cloud native environments.

Nessus Expert, an enhancement to the company’s flagship vulnerability assessment tool Nessus and building upon Nessus Professional, is designed to address emerging cyberthreats across cloud infrastructure by applying a “smarter and simplified approach to DevSecOps,” according to Tenable.

The company says this enables users to gain an understanding of an organization’s external attack surface that could be exposed to threat actors and to assess infrastructure-as-code (IaC) for vulnerabilities before runtime.

The launch of Nessus Expert comes after the integrations of Bit Discovery and Terrascan earlier this year, giving Nessus Expert external attack surface discovery and IaC security analysis capabilities.

The key capabilities of Nessus Expert are external attack surface discovery that allows IT and security professionals to discover internet-facing assets in domains and subdomains associated with an organization, the company says. In addition, Nessus Expert features IaC scanning that establishes guardrails in automated GitOps and CI/CD processes to ensure secure deployments with minimal effort, with up to 500 pre-built policies.

Nessus Expert is essentially a more advanced version of Nessus Professional, offering external attack surface scanning, the ability to add domains and scan cloud infrastructure, all of which are not available with Nessus Professional.

Glen Pendley, chief technology officer at Tenable, in a statement called Nessus the “gold standard” for vulnerability assessment. Nessus Expert is an enhanced version that addresses cloud instances that are constantly updating and connecting to various sources, he said.

“Nessus Expert delivers modern vulnerability assessment capabilities that cover everything from internal and external assets to code and cloud configurations before anything is ever deployed,” Pendley said. “This is a game changer for both assessing DevSecOps and infrastructure security.”

Patch These Four VMware Vulnerabilities Immediately https://mytechdecisions.com/it-infrastructure/patch-these-four-vmware-vulnerabilities-immediately/ https://mytechdecisions.com/it-infrastructure/patch-these-four-vmware-vulnerabilities-immediately/#respond Thu, 19 May 2022 16:37:39 +0000 https://mytechdecisions.com/?p=42180 Organizations are being urged to patch certain VMware products as threat actors are chaining a series of unpatched vulnerabilities in some of the company’s products to gain full system control, even as patches have been available for several weeks. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), threat actors, likely sophisticated groups, are […]

The post Patch These Four VMware Vulnerabilities Immediately appeared first on My TechDecisions.

Organizations are being urged to patch certain VMware products as threat actors are chaining a series of unpatched vulnerabilities in some of the company’s products to gain full system control, even as patches have been available for several weeks.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), threat actors, likely sophisticated groups, are exploiting a pair of vulnerabilities in certain versions of VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

The first pair of bugs in question, CVE-2022-22954 and CVE-2022-22960, are, respectively, a server-side template injection that could lead to remote code execution and a privilege escalation to root. VMware released the updates on April 6, but malicious cyber actors were able to reverse engineer the updates and develop an exploit within two days, then begin exploiting the bugs on unpatched devices. CISA added the two bugs to its catalog of Known Exploited Vulnerabilities about a week later.

In addition to those bugs, malicious actors are now expected to develop an exploit for another pair of vulnerabilities, CVE-2022-22972 and CVE-2022-22973, that exist in the same VMware products and that VMware disclosed on May 18. Because of this, CISA is requiring government agencies to immediately apply VMware’s patches or remove the impacted VMware systems from their networks.

According to VMware’s advisory on the newly disclosed bugs, CVE-2022-22972 is an authentication bypass in VMware Workspace ONE Access, Identity Manager and vRealize Automation that could give an attacker who can reach the UI administrative access without authenticating. CVE-2022-22973, meanwhile, is a local privilege escalation flaw in Workspace ONE Access and Identity Manager that could give an attacker with local access “root” privileges.

While that directive covers the U.S. government, CISA’s alert notes that the exploitation has impacted multiple “large organizations,” to one of which the agency sent an incident response team.

“CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information—including indicators of compromise (IOCs)—about observed exploitation at multiple other large organizations from trusted third parties.”

According to CISA, threat actors with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.

Post-exploitation tools dropped in the environments of multiple organizations include the Dingo J-spy webshell, which was deployed by leveraging CVE-2022-22954.

Administrators who discover a system compromise are urged to immediately isolate affected systems, collect and review logs, ask a third-party incident response organization for help and report the incident to CISA.

In addition to patching, organizations with unpatched VMware products that are accessible from the internet should assume compromise and conduct threat hunting activities, per CISA’s advisory.

Read the advisories from VMware and CISA for more information, including detailed guides on remediation, indicators of compromise and threat hunting.

12 Threat Detection Trends IT Pros Should Know
https://mytechdecisions.com/network-security/red-canary-12-threat-detection-trends-2022/
Fri, 29 Apr 2022 20:28:10 +0000

The post 12 Threat Detection Trends IT Pros Should Know appeared first on My TechDecisions.

Red Canary, the Denver-based managed detection and response (MDR) provider, performed an analysis of the emerging and significant trends that its cybersecurity team encountered over the past year. Its annual 2022 Threat Detection Report covers the most prominent trends of 2021 and highlights major themes that may carry into 2022.

Last year, ransomware groups (Sodinokibi/REvil, BlackMatter, etc.) made headlines and then suddenly disappeared, only to rebrand under a different name, according to cybersecurity researchers and analysts in the information security community.

Red Canary’s report also notes trends in supply chain compromise, as witnessed in the SolarWinds, Kaseya and Log4j attacks. These types of attacks are not going away anytime soon, says the cybersecurity firm. The exploitation of Kaseya VSA appliance software led to ransomware deployments on thousands of organizations that used the software for remote administration of endpoints.

The “as-a-service” models, such as “phishing-as-a-service,” “ransomware-as-a-service” and “access-as-a-service,” are expected to continue. These services have led to a proliferation of partnering between criminal groups, making it challenging to identify and anticipate the progression of a compromise.

“It’s never been easier to find an adversary for hire,” says Red Canary, noting the surge in highly specialized, subscription-based malicious services.

User-initiated access activity is also expected to continue, including malicious emails, attempts to harvest victims’ credentials and breaches by way of a trusted party. Many threat actors direct victims to download a malicious executable after the victims engage with content they purposely sought out, as observed on search engine results pages. Red Canary notes it is critical to respond to this type of activity, as follow-on threats can include info-stealers and ransomware.

In addition, software vulnerabilities will continue to be problems for IT teams moving forward, the firm says.

Check out the complete list of 12 threat detection trends you should know in the slideshow.

Make Sure These 15 Most Exploited Vulnerabilities From 2021 Are Patched
https://mytechdecisions.com/network-security/15-most-exploited-vulnerabilities-from-2021/
Thu, 28 Apr 2022 15:00:50 +0000

The post Make Sure These 15 Most Exploited Vulnerabilities From 2021 Are Patched appeared first on My TechDecisions.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with a coalition of U.S. and foreign security and law enforcement agencies, has released a list of the 15 most exploited vulnerabilities of 2021, calling on both public and private organizations to ensure these critical security bugs are mitigated and systems patched.

The list, published in a joint cybersecurity advisory between U.S., UK, Australian, Canadian and New Zealand agencies, includes many vulnerabilities IT professionals should already be familiar with, including Log4Shell, ProxyShell, ProxyLogon, ZeroLogon and other unnamed vulnerabilities impacting common IT products.

According to the advisory, agencies observed malicious actors routinely exploiting these vulnerabilities in 2021, and several of them were also routinely exploited in 2020. That continued exploitation suggests many organizations are still behind when it comes to patching software against known security vulnerabilities.

In fact, four of the top 15 most exploited vulnerabilities are at least two years old, including one each from 2019 and 2018.

Other bugs noted that didn’t make the top 15 include several from 2020 and earlier, such as a pair of 2017 Microsoft Office remote code execution bugs and a remote arbitrary code execution bug in Cisco IOS and IOS XE. Others from 2021 include the Windows Print Spooler remote code execution bug known as PrintNightmare and flaws impacting products from VMware, SonicWall, Accellion, Pulse Secure and others.

The advisory of the most exploited vulnerabilities from last year urges organizations to:

  • Update their systems as soon as possible or implement vendor-approved workarounds.
  • Use a centralized patch management system.
  • Replace end-of-life software that is no longer supported by the vendor.
  • Outsource patching and scanning to a cloud service provider or managed service provider when IT manpower is limited.
  • Harden IT environments by introducing multi-factor authentication, regularly reviewing privileged accounts, implementing a policy of least privilege, configuring networks securely, segmenting networks, monitoring for malicious activity and more.

To learn about the 15 bugs listed, view the slideshow.

For more information on known exploited vulnerabilities, view CISA’s catalog of (as of April 28) more than 650 bugs that are being actively exploited.

DHS’ First Bug Bounty Program Nets 122 Vulnerabilities
https://mytechdecisions.com/network-security/dhs-first-bug-bounty-program-nets-122-vulnerabilities/
Mon, 25 Apr 2022 17:06:25 +0000

The post DHS’ First Bug Bounty Program Nets 122 Vulnerabilities appeared first on My TechDecisions.

The U.S. Department of Homeland Security says its first bug bounty program, Hack DHS, has resulted in the disclosure of more than 120 vulnerabilities, and 27 of them were determined to be critical.

The Department of Homeland Security (DHS) launched the agency’s first bug bounty program in December 2021 in an attempt to find and report any instances of the Log4Shell bug, a critical remote code execution bug in the popular Java logger Log4j, across all public-facing information system assets.

The program was then expanded with the goal of developing a model that other organizations across every level of government can use to increase their own cybersecurity defenses and resilience, the agency says.

The 122 vulnerabilities were disclosed by more than 450 vetted security researchers during the first phase of the Hack DHS program; the second of three phases allows cybersecurity researchers and ethical hackers to participate in a live, in-person hacking event. The third and final phase will use the department’s findings from the program to help inform future bug bounty programs.

Hack DHS leverages a platform created by the Cybersecurity and Infrastructure Security Agency (CISA), the DHS’s expert cybersecurity agency. The program is governed by several rules of engagement and is monitored by the DHS Office of the Chief Information Officer.

Participants must disclose their findings to DHS system owners and leadership, including the nature of the vulnerability and how it was exploited. However, the agency did not release any further details about the vulnerabilities disclosed.

DHS says it awarded a total of $125,600 to participants for identifying the security bugs.

“The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited,” DHS Chief Information Officer Eric Hysen said in a statement. “We look forward to further strengthening our relationship with the researcher community as Hack DHS progresses.”

The program builds on similar initiatives across the private and public sector, including the Department of Defense’s Hack the Pentagon program.
