A summary of hacking activity on the HackerOne vulnerability coordination and bug bounty platform shows that misconfiguration of cloud resources is rapidly becoming a hot target for ethical hackers.
This type of weakness is among the top threats to an organization, as cybercriminals are quick to take advantage of faults in this class to carry out their attacks.
A big threat
In its report today, HackerOne reveals that last year the number of misconfiguration reports submitted through the platform more than tripled.
This type of error did not make it into the top ten list of vulnerabilities, but it recorded an increase of 310%, by far the highest when compared to all others.
HackerOne says that the surge was caused by the pandemic, which led many organizations to shift to cloud resources to keep the business running with employees working from home.
“New technologies and methodologies mean there are often misconfigurations along the way that lead to vulnerabilities,” says Shubham Shah, web app penetration tester and co-founder of Assetnote.
Cybercriminals have indeed capitalized on misconfiguration weaknesses, proof being all the data leaks offered for sale or shared freely on underground forums.
A threat actor known as ShinyHunters is constantly dumping databases with user information from dozens of companies offering online services [1, 2, 3, 4, 5, 6, 7]. Translated into numbers, the actor has already leaked tens of millions of records.
Most of the data consists of email addresses, names, passwords (sometimes hashed), IP addresses, and other personal information belonging to registered users.
Cybercriminals aren’t the only ones showing the risk of misconfigured resources. Tillie Kottmann, a developer and reverse engineer, has collected and published source code, some of it proprietary, from tens of high-profile companies such as Microsoft, Intel, Nissan, Sonarqube, Adobe, Lenovo, AMD, Qualcomm, Motorola, or Disney [1, 2, 3, 4, 5].
As Kottmann told BleepingComputer on more than one occasion, most of the repositories were copied because of misconfigured resources (exposed on the public internet, weak credentials) that allowed easy access.
Hacking for big money
In terms of bounties paid, HackerOne says that 2020 was the year when hackers earned $40 million from disclosing vulnerabilities to companies on the platform.
This figure contributed significantly to HackerOne reaching the milestone of $100 million paid to hackers on the platform.
However, some hackers were more prolific than others. Since 2019, when HackerOne had its first hacker millionaire, another eight hackers earned that amount and one of them passed the $2 million mark.
In two years, the community has grown to more than a million registered hackers spread across the globe, most of them (82%) doing this job part time and more than half (55%) being under 25.