Saturday, 20 July 2019

Russian FSB Intel Agency Contractor Hacked, Secret Projects Exposed

A contractor for the Russian Federal Security Service (FSB) has been hacked, and secret projects that were being developed for the intelligence agency were leaked to Russian media. These projects detail Russia's attempts to de-anonymize users on the Tor network, collect data from social networks, and isolate the Russian portion of the Internet from the rest of the world.
On July 13th, 2019, a contractor for the Russian FSB named "Sytech" was reportedly hacked by a hacking group named 0v1ru$. As part of this hack, the group defaced the contractor's site to show an image of "Yoba-face", a screenshot of which they posted on their Twitter feed.
Yoba-face on Sytech's site
In addition, BBC Russia reports that the hackers stole 7.5TB of data from the contractor's network. This data includes information about numerous non-public projects that were being developed by Sytech on behalf of the Russian government and its intelligence agency.
To prove they gained access to Sytech's servers, 0v1ru$ posted images of internal pages of Sytech's web site and of server drives and users in their Windows domain controller.
This stolen data was then passed on to another hacking group named DigitalRevolution, who shared the data with Russian media. DigitalRevolution claimed to have hacked the Russian research institute "Kvant" in 2018.
Tweet from DigitalRevolution
The stolen data seen by BBC Russia outlines a variety of projects being developed by Sytech. These projects include:
Mentor was allegedly being developed for the Russian military unit No. 71330, which is reportedly the radio-electronic intelligence of the FSB of Russia. This project would monitor selected email accounts at specified intervals in order to collect information related to certain phrases.
Nadezhda, or Hope in English, is a project designed to visualize how Russia is connected to the rest of the Internet. This research is part of Russia's attempts to create a "sovereign Internet" where Russia can isolate itself from the rest of the Internet.
Nautilus is a project developed between 2009 and 2010 to collect information about users on social networks such as Facebook, LinkedIn, and MySpace.
Nautilus-S is research into de-anonymizing users on the Tor network by creating exit nodes that were controlled by the Russian government. This project was allegedly started at the request of the Russian Research Institute "Kvant".
Reward was being designed to penetrate and perform covert operations on peer-to-peer networks. This includes BitTorrent, Jabber, OpenFT, and ED2K.
Tax-3 is the most recent project and was commissioned by "Chief Scientific Innovation Center JSC, reporting to the Federal Tax Service". This project would provide the ability to manually remove information about people under state protection from the Federal Tax Service's records.
The site for Sytech (www.sytech.ru) has since been shut down, and the company has not responded to inquiries by the BBC.
While this data breach is not nearly as concerning as the Vault 7 WikiLeaks leak of NSA exploits, the BBC has stated that this is the largest data leak in the history of Russian special services.

Microsoft opens Dynamics 365 bug bounty with $20k top prize

Microsoft has added one more bug bounty to its security rewards lineup. For the first time, researchers will be able to hunt for bugs in Dynamics 365 ERP and CRM software and earn rewards of up to $20,000.
The Dynamics 365 Bounty program opened two , inviting researchers to find and report vulnerabilities in Microsoft's Dynamics 365 applications with incentive rewards of between $500 and $20,000 for valid bugs. 
There are dozens of online and on-premise Dynamics 365 applications: online apps include Dynamics 365 for sales, customer service, field service, talent, finance and operations, retail and more. The latest releases of on-premise Dynamics 365 apps are also in scope, including Dynamics AX, CRM, GP, NAV, and SL.
Microsoft has also updated its main Microsoft Bug Bounty Program with simplified high-level requirements for them and extra links and resources. 
And it's reorganized its bug bounties into three main categories: Cloud Programs; Platform Programs; and Defense Programs. 
Dynamics 365 is the newest program under the Cloud Programs section, which also includes Microsoft Identity services, such as Azure Active Directory. Also in this group are Azure DevOps Services, .NET Core and ASP.NET Core, and the Microsoft Cloud Bounty.
The Platform Programs cover Microsoft Hyper-V, the Windows Insider Preview, Windows Defender Application Guard, the Edge on Windows Insider Preview, and Office Insider. 


The Defense Programs currently only includes the 'Mitigation Bypass and Bounty for Defense', which offers the highest rewards of up to $100,000.
The extra resources include links to frequently asked questions, examples of low- and high-quality reports, the Windows security servicing criteria, a directory of Azure services, Microsoft product documentation, and a link to the Microsoft Security Research & Defense blog.


The Dynamics 365 top payout is in line with the top reward for the Microsoft Cloud Bounty, which was recently raised to $20,000 from $15,000.
Earlier this year Microsoft handed off payment-processing responsibilities to the third-party bug bounty platform HackerOne and has since added Bugcrowd to its payment roster. Microsoft continues to handle triage of bug reports and to decide the value of rewards, but moved to HackerOne and Bugcrowd in order to speed up payments to researchers and to offer different payment options, including cryptocurrency.