Is Lamb Chop a hacker?

Vulnerability coordination and bug bounty platform HackerOne recently disclosed that a former employee at the firm improperly accessed security reports submitted to it for personal gain. "The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties," a spokesman said. "In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data."
The employee, who had access to HackerOne systems between 4 April and 23 June 2022, was triaging vulnerability disclosures associated with different customer programs and has since been terminated by the San Francisco-headquartered company as of 30 June 2022. Calling the incident a "clear violation" of its values, culture, policies, and employment contracts, HackerOne said it was alerted to the breach on 22 June by an unnamed customer, which asked it to "investigate a suspicious vulnerability disclosure" received through an off-platform communication from an individual with the handle "rzlr" using "aggressive" and "intimidating" language.
Further analysis of the internal log data used to monitor employee access to customer disclosures traced the exposure to a rogue insider, whose goal, it noted, was to re-submit duplicate vulnerability reports to the same customers using the platform in order to receive monetary payouts. "The threat actor created a HackerOne sockpuppet account and had received bounties in a handful of disclosures," HackerOne detailed in a post-mortem incident report, adding that seven of its customers received direct communication from the threat actor.
A "sock puppet" is a fictitious online identity created for the purpose of deception. Sock puppets are usually created in large numbers by a single controlling person or group. They are typically used for block evasion, creating false majority opinions, vote stacking, and other similar pursuits. The report continued: "Following the money trail, we received confirmation that the threat actor's bounty was linked to an account that financially benefited a then HackerOne employee. Analysis of the threat actor's network traffic provided supplemental evidence connecting the threat actor's primary and sockpuppet accounts." A HackerOne spokesman said the company has individually notified customers about the exact bug reports that were accessed by the malicious party, along with the time of access, while emphasizing that it found no evidence of vulnerability data having been misused or of other customer information being accessed.
In addition, the company said it plans to implement additional logging mechanisms to improve incident response, isolate data to reduce the damage any single account can cause, and strengthen the processes in place to identify anomalous access and proactively detect insider threats.
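As an added illustration of the kind of access monitoring described above (this is example code written for this page, not HackerOne's own tooling), the following Python script scans a constructed audit log of report views by triage analysts and flags two signals that an insider-threat program would typically watch for: an analyst opening reports from customer programs they are not assigned to, and an analyst whose daily volume of distinct reports viewed is far above the team median. The log format, field names, and thresholds are assumptions made for the example.

```python
"""Added example: flag anomalous analyst access to customer vulnerability
reports in an audit log. The log format, field names, sample lines and
thresholds below are assumptions constructed for illustration."""
from collections import defaultdict
from statistics import median

# Constructed sample audit log: one line per report view by a triage analyst.
# Fields: timestamp, analyst, customer program the report belongs to,
# report id, and the programs the analyst is assigned to (';'-separated).
SAMPLE_LOG = """\
2022-06-20T09:01:00Z analyst=ana program=progA report=r-1001 assigned=progA;progB
2022-06-20T09:05:00Z analyst=ana program=progB report=r-2001 assigned=progA;progB
2022-06-20T09:10:00Z analyst=ben program=progC report=r-3001 assigned=progC
2022-06-20T09:12:00Z analyst=ben program=progC report=r-3002 assigned=progC
2022-06-20T10:00:00Z analyst=cal program=progA report=r-1001 assigned=progA
2022-06-20T10:01:00Z analyst=cal program=progB report=r-2001 assigned=progA
2022-06-20T10:02:00Z analyst=cal program=progC report=r-3001 assigned=progA
2022-06-20T10:03:00Z analyst=cal program=progD report=r-4001 assigned=progA
2022-06-20T10:04:00Z analyst=cal program=progE report=r-5001 assigned=progA
2022-06-20T10:05:00Z analyst=cal program=progF report=r-6001 assigned=progA
2022-06-20T10:06:00Z analyst=cal program=progG report=r-7001 assigned=progA
"""


def parse_log(text):
    """Parse the constructed key=value log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        fields["ts"] = ts
        # Assigned programs become a set so membership checks are cheap.
        fields["assigned"] = set(fields["assigned"].split(";"))
        events.append(fields)
    return events


def find_anomalies(events, volume_factor=3.0):
    """Return out-of-scope accesses and unusually high daily view volumes.

    volume_factor is an assumed threshold: an (analyst, day) pair is flagged
    when its count of distinct reports exceeds volume_factor times the median
    over all (analyst, day) pairs in the log.
    """
    out_of_scope = defaultdict(list)          # analyst -> [(report, program)]
    per_day_reports = defaultdict(set)        # (analyst, day) -> {report ids}
    for e in events:
        day = e["ts"][:10]
        per_day_reports[(e["analyst"], day)].add(e["report"])
        if e["program"] not in e["assigned"]:
            out_of_scope[e["analyst"]].append((e["report"], e["program"]))

    counts = {key: len(reports) for key, reports in per_day_reports.items()}
    baseline = median(counts.values()) if counts else 0
    high_volume = {
        analyst: n
        for (analyst, _day), n in counts.items()
        if n > volume_factor * baseline
    }
    return {
        "out_of_scope": dict(out_of_scope),
        "high_volume": high_volume,
        "baseline": baseline,
    }


if __name__ == "__main__":
    result = find_anomalies(parse_log(SAMPLE_LOG))
    print("median distinct reports per analyst-day:", result["baseline"])
    for analyst, hits in result["out_of_scope"].items():
        print(f"{analyst}: {len(hits)} views outside assigned programs")
    for analyst, n in result["high_volume"].items():
        print(f"{analyst}: {n} distinct reports in one day (high volume)")
```

On the constructed log, only the analyst "cal" is flagged, on both signals: six views in programs outside the assignment, and seven distinct reports in a day against a team median of two. In a real deployment the assignment data would come from the triage system rather than being carried in each log line, and the alerts would be correlated with the off-platform activity the article describes (duplicate submissions and payout accounts) rather than acted on alone.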
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989