Security bug hunters focus on misconfigured services, earn big rewards

An overview of the hacking activity on the HackerOne vulnerability coordination and bug bounty platform shows that misconfiguration of cloud resources is quickly becoming a hot target for ethical hackers.

This type of weakness is among the top threats in an organization as cybercriminals are quick to take advantage of faults in this category to carry their attacks.

A significant threat

In its report today, HackerOne reveals that last year, the number of misconfiguration reports submitted through the platform more than tripled.

This type of error did not make it into the top ten list of vulnerabilities but it recorded an increase of 310%, the highest by far when compared to all others.

HackerOne says that the surge was caused by the pandemic, which led many organizations to shift to cloud resources to keep the business running with employees working from home.

"New technologies and methodologies mean there are usually misconfigurations along the way that lead to vulnerabilities," says Shubham Shah, web app penetration tester and co-founder of Assetnote.

Cybercriminals have indeed capitalized on misconfiguration weaknesses, proof being all the data leaks offered for sale or shared freely on underground forums.

A threat actor known as ShinyHunters is constantly dumping databases with user records from dozens of companies offering online services [1, 2, 3, 4, 5, 6, 7]. Translated into numbers, the actor has already leaked tens of millions of records.

Most of the data consists of email addresses, names, passwords (typically hashed), IP addresses, and other personal information belonging to registered users.

Cybercriminals are not the only ones showing the risk of misconfigured resources. Tillie Kottmann, a developer and reverse engineer has collected and published source code, some of it proprietary, from tens of high-profile companies such as Microsoft, Intel, Nissan, Sonarqube, Adobe, Lenovo, AMD, Qualcomm, Motorola, or Disney [1, 2, 3, 4, 5].

As Kottmann told BleepingComputer on more than one occasion, most of the repositories had been copied because of misconfigured resources (exposed on the public web, weak credentials) that allowed easy access.

Hacking for big money

In terms of bounties paid, HackerOne says that 2020 was the year when hackers earned $40 million from disclosing vulnerabilities to companies on the platform.

This figure contributed significantly to the HackerOne reaching the milestone of 100 million milestone paid to hackers on the platform.

However, some hackers were more prolific than others. Since 2019 when HackerOne had its first hacker millionaire, another eight hackers earned that amount and one of them passed the $2 million mark.

In two years, the community has grown to more one million registered hackers spread across the globe, most of them (82%) doing this job part time and more than half (55%) being under 25.