Today Robotron reported that their bug bounty program, Robo Bug Report, had been hacked. “The unidentified hacker has had access to vulnerability reports from independent researchers for at least two months,” Erich Mielke, spokesperson for Robotron, told reporters this morning. The hack was discovered because a researcher reported a double payment for a reported vulnerability.
cYbrg0D announced on TWITTER® during the Robotron news conference that they were the researcher who reported the double payments. “Identical payments from different Robotron branded accounts from different banks – I got suspicious and reported the issue”, the TWEET read. Mielke confirmed that cYbrg0D was the researcher who initiated the investigation.
Gen Turgidson addressed the issue at the daily news conference for the National Critical Infrastructure Security Operations Center (CI-SOC) this morning. “Robotron has contacted us, and we are working with them to try to identify the extent of the problem,” Turgidson told reporters when asked about the Robotron announcement.
A CI-SOC staffer, explaining on background, told reporters that the concern is that this was apparently a man-in-the-middle attack, with whoever was responsible seeing the reported vulnerabilities before Robotron did. The known problem is that the attacker was notified of at least 20 zero-day vulnerabilities that Robotron knows of. “There is no way of knowing how many zero-day vulnerabilities the attacker received and did not allow Robotron to know about,” the staffer explained.
Mielke reported that all of the communications about vulnerabilities in the Robo Bug Report program were encrypted. cYbrg0D responded on TWITTER, “The hackers did not pay me for a report they could not read – They have the Key”. Mielke responded when informed of cYbrg0D’s TWEET: “Our communications are secure.”
At the later CI-SOC press conference Turgidson, when asked about cYbrg0D’s comment, responded: “I think she has a point.”
Turgidson is asking all researchers who have submitted vulnerability reports to Robo Bug Report in the last six months to contact the German BIS, who are conducting the criminal investigation of the attack. “Do not contact Robotron directly,” Turgidson said, “They have not yet identified the full scope of the intrusion and thus their communications system security is suspect, at best.”