Microsoft ups bug bounties 30% for cloud lines, pays more for ‘scenario-based’ exploits

April 18, 2022 TH Author

In Brief Microsoft will pay more — up to $26,000 more — for “high-impact” bugs in its Office 365 products via its bug bounty program.

The new “scenario-based” payouts to the Dynamics 365 and Power Platform Bounty Program and M365 Bounty Program aim to incentivize bug hunters to focus on finding vulnerabilities with “the highest potential impact on customer privacy and security,” Microsoft said late last week.

Awards will increase as much as 30 percent in some cases, according to the Redmond software goliath.

For example: discovering a remote code execution (RCE) vuln exploitable from untrusted input — this is what Mitre deems CWE-94, or a code-injection weakness — would be eligible for a 30 percent bonus on top of the existing M365 bounty award. Same for finding a vuln that deserializes untrusted data, also leading to potential RCE.

Microsoft made a similar move with its Azure bug bounty program in the fall and now pays up to $60,000 for high-impact cloud vulnerabilities.

And considering the massive Patch Tuesday earlier this week, it’s tough to argue against bigger awards to catch critical security flaws before the criminals do.

During Microsoft’s April monthly patching bonanza, the software giant addressed more than 100 vulnerabilities including ten critical RCEs. One of the bugs was already under attack, and a second had its exploit publicly disclosed before Patch Tuesday; Microsoft says no malicious exploitation has happened with that latter programming blunder … yet.

HP fixes critical Teradici PCoIP bugs

HP issued two security alerts covering ten vulnerabilities in its Teradici PCoIP product, with three bugs receiving a 9.8 “critical” severity score. Teradici, which HP acquired last year, created a PC-over-IP remote desktop protocol, which has more than 15 million endpoints deployed globally, according to HP.

These include government agencies, media companies, production studios, and financial institutions — in other words, these bugs could do some serious damage if cybercriminals exploit them before organizations patch the holes.

In addition to the three critical vulns, five others are considered “high” severity, scoring between 8.8 and 7.7, and one medium at 5.9.

Eight of the vulnerabilities, including the three critical ones (CVE-2022-22822, CVE-2022-22823 and CVE-2022-22824) stem from now-patched bugs in the open-source libexpat XML parser library on Windows, macOS, and Linux.

The security impact, according to HP, involves “potential uncontrolled resource consumption due to an unrestricted size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended” and “potential integer overflow error that can introduce weaknesses when the calculation is used for resource management or execution control.”

Is Karakurt a Conti side hustle?

Karakurt, an cyber-extortion gang named after the highly venomous widow spider, is likely linked to the notorious Conti ransomware group, according to analysis.

This data-theft-and-extortion crew emerged from the dark underside of the internet last summer. Since its first-observed attacks in August, Karakurt has infiltrated more than 70 organizations across multiple industries in at least eight countries, according to Tetra Defense, an incident response team that SecOps provider Arctic Wolf acquired in February.

Rather than just encrypting files and demanding payment for a decryption key, Karakurt takes the more modern approach of engaging “in extortion by stealing and threatening to release data without any attempt to encrypt,” Tetra Defense noted.

In research published on Friday by the biz, in partnership with blockchain firm Chainalysis and threat intel company Northwave, the IR firm detailed being called in to work with a customer seemingly hit by the Karakurt crooks.

This client had previously been a Conti victim and had paid the ransom. In this second attack, however, the company received a note saying sensitive data had been stolen and demanding that they pay up — and no encryption occurred.

Investigators noted that the second extortion gang used the exact same Cobalt Strike backdoor that Conti had used to access the victim’s network. This means the second intruder had access to the Conti Cobalt Strike to use its persistence mechanism. “Such access could only be obtained through some sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure,” the threat researchers explained.

After conducting further analysis, and responding to more than a dozen Karakut heists, the white-hat team said they have a “high degree of confidence that the Karakurt extortion group is operationally linked” to Conti. The security shops also linked Karakut to the Diavol ransomware group.

Other indicators include a common point of initial intrusion for Karakurt and Conti attacks (Fortinet SSL VPNs), and overlapping tools used for exfiltration: “a unique adversary choice to create and leave behind a file listing of exfiltrated data named “file-tree.txt” in the victim’s environment as well as the repeated use of the same attacker hostname when remotely accessing victims’ networks.”

Tetra Defense then called in Chainalysis, which helped analyze cryptocurrency transactions carried out by Conti and Karakurt and did, indeed, find a financial connection between the two.

Free info-stealing malware set loose

A new information stealer dubbed ZingoStealer has been set loose on Telegram and Discord, and is being used by multiple cyber-criminals, according to Cisco Talos.

The threat intel team discovered the information-stealing Windows malware last month. Now, a criminal group called the Haskers Gang is releasing ZingoStealer for free and using platforms like Telegram and Discord to “distribute updates, share tooling and otherwise coordinate activities,” Cisco’s security mavens Talos wrote in a threat spotlight this month.

“The malware uses Telegram chat features to facilitate malware executable build delivery and data exfiltration,” according to the Talos researchers. In many cases, cyber-criminals use ZingoStealer to deliver additional malware such as RedLine Stealer and XMRig crypto mining malware, they said.

And while anyone can use the information stealer — it is free, after all — Talos noted its users tend to infect Russian speakers “under the guise of game cheats, key generators and pirated software, which likely indicates a current focus on home users.” That is to say, ZingoStealer is dressed up to be a sought-after application that people are tricked into downloading and running; after that, it harvests sensitive info from the PC, such as browser login cookies, cryptocurrency wallet data, and more.

For a very small fee (300 Rubles or about $3.70, for the moment), the Haskers Gang also offers a pre-built option. This one uses their crypter, called ExoCrypt, which essentially builds in antivirus evasion so that would-be cybercriminals don’t need a third-party builder to package the malware prior to distribution.

Critical RCE in WordPress plugin patched

A critical RCE vulnerability in popular WordPress plugin Elementor has been patched.

Security researchers at Plugin Vulnerabilities discovered the bug in the WordPress website builder, which has more than five million installations.

The bug was introduced in a new on-boarding module that was part of the 3.6.0 version of the plugin, released last month, that was missing some capability checks. This means that it wasn’t checking the user’s permission level, and as such could allow any authenticated users to make changes to the website, upload arbitrary files, or even completely take over the site.

It’s worth noting that Plugin Vulnerabilities said “it is possible that the vulnerability might be exploitable by someone not logged in to WordPress.”

WordPress security shop Patchstack, however, noted it is “still determining if unauthenticated users are able to leak the nonce token as well (and thus are able to exploit the vulnerability).”

Either way, it’s safe to say that updating immediately is the best bet. ®