$900K XSS Bounty, HybridPetya Attack, & Burger King Censorship

Summary
– RBI used a DMCA complaint to remove a blog post detailing vulnerabilities in its systems, despite the issues being fixed and the system being in development.
– Google paid $1.6 million in its cloud-focused bugSWAT event, contributing to a total of $2.5 million in cloud vulnerability rewards for the year.
– Microsoft has identified nearly 1,000 XSS vulnerabilities since January 2024, paying over $900,000 in bounties for such flaws in the past year.
– A Kosovo national pleaded guilty to operating the BlackDB cybercrime marketplace and faces up to 10 years in prison after extradition to the US.
– California passed a bill requiring web browsers to include an opt-out option for personal data sharing, pending the governor’s signature.
This week’s cybersecurity landscape reveals a series of significant developments, from record-breaking bug bounties to corporate attempts to suppress research and the emergence of novel malware threats. Staying informed on these issues is essential for professionals navigating an increasingly complex digital environment.
Burger King’s parent company, Restaurant Brands International (RBI), took the unusual step of issuing a DMCA takedown notice against security researchers who uncovered vulnerabilities in its systems. The flaws, which exposed sensitive employee and customer order data, were promptly patched after being privately reported. Despite RBI’s claim that the targeted platform was still in development, the legal complaint resulted in the removal of the researchers’ detailed blog post, even from archival services.
Google made headlines with its first-ever cloud-focused bugSWAT event, distributing $1.6 million in rewards to researchers who identified 91 vulnerabilities. This brings the company’s total cloud bug bounty payouts for the year to an impressive $2.5 million, underscoring its commitment to securing its infrastructure through crowdsourced expertise.
Even tech giants like Microsoft aren’t immune to long-standing threats. Since January 2024, nearly 1,000 cross-site scripting (XSS) vulnerabilities have been reported across Microsoft services. The company paid over $900,000 in bounties for these flaws in the past year alone, with one researcher receiving $20,000 for a single finding.
A recent blog post from security firm Huntress sparked concern after the company described monitoring a threat actor who had installed a trial version of its software. Critics questioned the level of access granted to trial users. Huntress later clarified that its visibility was limited to forensic artifacts related to malware alerts and emphasized that the agent does not permit remote screen access or unauthorized data collection.
FortiGuard Labs published an analysis of MostereRAT, a remote access trojan linked to earlier banking malware campaigns. The malware uses advanced evasion tactics, including blocking antivirus traffic and leveraging legitimate remote administration tools like AnyDesk and TightVNC to maintain control over compromised systems.
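The two behaviours summarised above, a legitimate remote-administration tool being used for persistence and security-product traffic being blocked, are the kind of thing a hunt query can surface without any malware-specific signature. The script below is an added example for this page, not code from FortiGuard Labs or from the MostereRAT analysis: it runs two simple heuristics over constructed, Sysmon-style process-creation events. The field names, the list of remote-admin binaries, the "expected" install directories, the scripting-host parent check and the firewall-rule pattern are all assumptions of this example; the page does not say how MostereRAT blocks antivirus traffic, so the firewall heuristic is a generic one.

```python
"""Heuristic hunt over process-creation events for remote-admin tool abuse and
firewall rules that block security-product traffic. Added example; all sample
events below are constructed for illustration."""
import json
import re
from pathlib import PureWindowsPath

# Service/client binaries shipped by the tools named on the page (AnyDesk,
# TightVNC); winvnc.exe covers older VNC builds. Assumption of this example.
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "tvnserver.exe", "winvnc.exe"}
# Where a properly deployed tool normally lives (assumption).
EXPECTED_DIRS = (r"c:\program files",)
# Parents that should rarely spawn a remote-admin tool on a workstation.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Generic pattern for an outbound/inbound block rule added via netsh; which
# vendors to match on is an assumption, not taken from the FortiGuard report.
BLOCK_RULE = re.compile(r"advfirewall\s+firewall\s+add\s+rule.*action\s*=\s*block", re.I)
SECURITY_VENDORS = ("defender", "msmpeng", "crowdstrike", "sentinel", "fortinet",
                    "eset", "kaspersky", "symantec", "mcafee")


def analyze_event(event):
    """Return a list of human-readable findings for one process-creation event."""
    findings = []
    image = event.get("Image", "")
    name = PureWindowsPath(image).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    cmd = event.get("CommandLine", "")

    if name in REMOTE_ADMIN_TOOLS:
        if not image.lower().startswith(EXPECTED_DIRS):
            findings.append(f"{name} launched from non-standard path {image}")
        if parent in SCRIPT_HOSTS:
            findings.append(f"{name} spawned by scripting host {parent}")

    if BLOCK_RULE.search(cmd) and any(v in cmd.lower() for v in SECURITY_VENDORS):
        findings.append("firewall block rule targets a security product: " + cmd)
    return findings


def hunt(log_text):
    """Parse JSON-lines events and return [(RecordId, [findings...])] for hits only."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = analyze_event(event)
        if findings:
            hits.append((event["RecordId"], findings))
    return hits


# Constructed sample events (Sysmon-like field names are an assumption).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\AnyDesk\AnyDesk.exe"'},
    {"RecordId": 2, "Image": r"C:\Users\Public\svchost\AnyDesk.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Users\Public\svchost\AnyDesk.exe" --silent'},
    {"RecordId": 3, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="upd" dir=out action=block '
                    r'program="C:\Program Files\Windows Defender\MsMpEng.exe"'},
    {"RecordId": 4, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="web" dir=in action=allow protocol=TCP localport=8080'},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for record_id, findings in hunt(SAMPLE_LOG):
        for f in findings:
            print(f"record {record_id}: {f}")
```

Record 1 (a normal AnyDesk start from Program Files) produces nothing; record 2 is flagged twice (odd path, PowerShell parent) and record 3 once, while the allow rule in record 4 is ignored. Tune the vendor list and expected directories to the estate before using this on real telemetry.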
In legal news, Liridon Masurica, a Kosovo national, pleaded guilty in a U.S. court to operating the BlackDB cybercrime marketplace. The platform facilitated the trade of stolen credentials, payment card data, and personal information. Masurica was extradited to the U.S. and now faces up to a decade in prison.
California legislators passed AB 566, a bill that would require web browsers to include an opt-out mechanism for data sharing and sales. The legislation now awaits the governor’s signature before becoming law.
Researchers at ESET identified a new ransomware variant, HybridPetya, which exploits CVE-2024-7344 to bypass UEFI Secure Boot. Although the malware shares traits with the notorious NotPetya, there is no evidence of active attacks, leading experts to believe it may be a proof-of-concept.
Finally, a vulnerability was discovered in the AI-powered code editor Cursor, allowing malicious repositories to execute code automatically upon opening. While the software’s Workspace Trust feature can prevent such attacks, it is disabled by default, prompting the developers to update their security guidance.
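Because Workspace Trust is off unless the user turns it on, the practical check is to look at the editor's own settings file rather than assume the feature is protecting you. The script below is an added example, not code from Cursor or from the researchers who reported the issue. It assumes Cursor reads the same `settings.json` keys as the VS Code code base it is built on (`security.workspace.trust.enabled`, `security.workspace.trust.startupPrompt`), treats a missing key as "disabled" to match the default described on the page, and additionally lists tasks in a repository's `.vscode/tasks.json` that are declared to run on folder open. That second check is one well-known way a workspace can run a command when it is opened and is exactly what Workspace Trust gates; the page does not say which mechanism the Cursor issue used, so treat it as an assumption of this example. The settings and tasks files are constructed.

```python
"""Report whether Workspace Trust is enabled in an editor settings file and
list workspace tasks declared to run on folder open. Added example; the
assumption that Cursor honours VS Code's setting names is noted in the lead-in."""
import json
import re

TRUST_KEY = "security.workspace.trust.enabled"
PROMPT_KEY = "security.workspace.trust.startupPrompt"


def load_jsonc(text):
    """Parse JSON-with-comments as the editor's settings files allow.
    Handles full-line // comments, /* */ blocks and trailing commas; it does not
    try to strip // inside string values (e.g. URLs), which is enough here."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def workspace_trust_enabled(settings_text):
    """True only when the setting is explicitly on; absent means disabled,
    matching the default the page describes for Cursor."""
    settings = load_jsonc(settings_text)
    return settings.get(TRUST_KEY) is True


def auto_run_tasks(tasks_text):
    """Labels of tasks whose runOptions.runOn is 'folderOpen' (VS Code task schema)."""
    tasks = load_jsonc(tasks_text).get("tasks", [])
    return [t.get("label", "<unlabelled>") for t in tasks
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]


# Constructed settings: the weak case (key absent, so trust is off) and the
# hardened case (trust on, prompt every time an untrusted folder is opened).
WEAK_SETTINGS = """{
  // default install: nothing about workspace trust here
  "editor.fontSize": 14,
}"""
HARDENED_SETTINGS = """{
  "security.workspace.trust.enabled": true,
  "security.workspace.trust.startupPrompt": "always",
}"""

# Constructed tasks.json: one ordinary build task and one that runs on open.
SAMPLE_TASKS = """{
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "bootstrap", "type": "shell", "command": "./setup.sh",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        state = "enabled" if workspace_trust_enabled(text) else "DISABLED"
        print(f"{name} settings: workspace trust {state}")
    print("tasks declared to run on folder open:", auto_run_tasks(SAMPLE_TASKS))
```

Run the first function against the user-level `settings.json` of the editor you actually use; if it reports disabled, every repository you open is implicitly trusted. The second function is a quick pre-clone review aid, not a complete list of ways a workspace can trigger code, so it complements Workspace Trust rather than replacing it.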
(Source: Security Week)


