June 20, 2023

Happy Tuesday! Welcome back to Codebook.

Today's newsletter is 1,382 words, a 5.5-minute read.

1 big thing: Democratic tech vendors go under the cyber microscope

A new program is ramping up to help Democratic Party technology providers discover bugs in their systems before malicious hackers do.

Why it matters: Political organizations are often wary of participating in bug bounty programs — where researchers poke at an organization's systems to see if there are vulnerabilities — over fears that the findings would be weaponized against them by their opponents.

  • But avoiding these programs also leaves highly targeted political organizations uninformed about the ways hackers can breach their systems.

Driving the news: Three political tech organizations — Higher Ground Labs, Trestle Collaborative and Zinc Collective — have opened applications for the third edition of The Good Catch, a bug bounty program dedicated to Democratic tech vendors.

  • The program ran during the 2020 and 2022 election cycles, and this cycle's program will run up until next year's U.S. presidential election, Matt Hodges, executive director at Zinc Collective's Democrat-focused political tech lab, told Axios.
  • Ideal tech vendors for the program include a range of companies, such as those that facilitate email marketing campaigns or those that let campaigns text voters with updates or donation requests.

What they're saying: "There's a lot of hesitation within all political technology to talk about security work, but we know from industry that things like bug bounty programs are common activities," Hodges said.

  • "Being a little bit out front that we're doing this work can encourage other entities within this space to make similar types of investments," he added.

Flashback: In 2016, Russian hackers succeeded in stealing and publishing archives of emails from Hillary Clinton's campaign, putting Democrats on alert ever since.

How it works: Participating tech vendors will create an account on Federacy, an online program that manages bug bounty programs for organizations.

  • Each company that signs up will keep its program private by default, meaning only vetted researchers will be invited to participate. But participating vendors can also decide to open up their bug bounty programs to the entire platform, Hodges said.
  • Once their programs are up and running, vendors will start to receive reports of potentially exploitable security flaws on their systems, which they'll need to verify on their own.
  • "There were a number of reports that came in that either simply were a misunderstanding of how the tool was supposed to work or just could not be replicated based on what the researcher reported," Hodges said of past years' reports.

Between the lines: To help amplify the effort in its third iteration, the program has hired a new manager: Will Rogers, former chief information security officer at Democratic political tech organization ActBlue.

  • "This gave the opportunity to have impact across the spectrum of the Dem ecosystem from a tech perspective," Rogers told Axios.
  • Rogers has helped run bug bounty programs in his past roles, including at ActBlue, software company mParticle and Etsy.

The intrigue: The Good Catch will also help vendors figure out how to best remedy the vulnerabilities researchers uncover, Rogers said.

  • If requested, the program can provide vendors with some general advice about how to stand up their security programs and can recommend other consultancy firms to help with more nuanced questions, Rogers added.

Zoom in: During the 2022 election cycle's program, researchers reported 118 vulnerabilities as part of The Good Catch, and 82% of those were confirmed and resolved, according to figures shared with Axios.

  • Six tech vendors also participated in the program during the most recent cycle.

Yes, but: A bug bounty program is just one part of any organization's entire cybersecurity strategy, Rogers said.

2. MOVEit vulnerabilities keep piling up

A third security flaw has been discovered in a highly targeted file-transfer tool, adding to vulnerable organizations' growing to-do list.

Why it matters: Russian ransomware gang Cl0p has been using security holes in file-transfer tool MOVEit to target federal agencies, state governments and corporate entities for weeks.

Details: Progress, the developer of MOVEit, disclosed a third security vulnerability last week that affects the cloud version of the tool.

  • If they exploit the vulnerability, malicious actors could gain access to MOVEit's database, steal what's there or even alter the contents. Progress responded by taking the MOVEit Cloud tool offline for a few days until a patch was available.
  • On Sunday, Progress said it had "not seen any evidence" that hackers had exploited the newest vulnerability.

The big picture: The latest vulnerability discovery underscores how challenging resolving an active supply chain attack can be.

  • Many organizations might not know they're affected yet, and it can take weeks to figure out how exactly the attackers broke in.

Of note: News of the third vulnerability comes as more organizations say they're responding to MOVEit-related breaches and the Cl0p ransomware gang goes into damage-control mode.

Catch up quick: Originally, MOVEit customers were only responding to two recently discovered "zero-day" vulnerabilities — both of which could give hackers the ability to access their sensitive data and gain network access.

Be smart: Progress says organizations will need to apply the patches for the first two vulnerabilities before installing the third fix.

3. Ransomware gang threatens to leak Reddit data

The BlackCat ransomware gang is claiming responsibility for a data breach at Reddit in February and is threatening to leak stolen data if the company doesn't pay a $4.5 million ransom and reverse its recent API pricing.

Why it matters: It's rare for a ransomware gang to publicly target such a well-known consumer brand and make a nonmonetary demand of its victim.

Catch up quick: In February, Reddit said it experienced a data breach after an employee fell for a phishing campaign in which hackers were ultimately able to steal that employee's login credentials.

  • From there, hackers seemingly stole parts of Reddit's code, employee information and some advertiser information.
  • Meanwhile, Reddit has also been facing backlash over a new policy to charge developers for access to its back-end interface.

Details: Now, BlackCat is claiming responsibility for the attack, according to a screenshot of the dark web listing.

  • BlackCat claimed that it stole 80 gigabytes of data and that its operators contacted Reddit in April and last week before going public.

Between the lines: BlackCat has been on the radar of law enforcement and cybersecurity firms for years as it has ramped up operations.

What they're saying: BlackCat "likely do not care about the API pricing," Brett Callow, threat researcher at Emsisoft, said in a tweet. "Their intention is simply to demonstrate to other victims that they can cause ongoing harm to a business long after an attack, so payment is the least painful option."

  • A Reddit spokesperson declined to comment on the gang's demands.

Yes, but: Many ransomware gangs tend to inflate the details of their attacks, and BlackCat has yet to provide any evidence that it was behind the February incident.

4. Catch up quick

@ D.C.

🇨🇳 U.S. Secretary of State Antony Blinken said he had a "robust conversation" with Chinese President Xi Jinping. (Axios)

⚡️ The U.S. Department of Energy received two ransom notices from ransomware gang Cl0p related to MOVEit breaches. (Reuters)

🧬 The Federal Trade Commission has accused genetic health testing firm 1health.io of failing to protect sensitive genetic and health data. (CyberScoop)

@ Industry

📈 The global cybersecurity market reached $18.6 billion in the first quarter of this year, growing 12.5% compared to the same period last year despite tight macroeconomic conditions. (Canalys)

@ Hackers and hacks

💻 Microsoft confirmed that hacktivist group Anonymous Sudan took down some of its flagship products in a series of distributed denial-of-service attacks. (Associated Press)

🍎 Des Moines Public Schools, Iowa's largest school district, confirmed it suffered a ransomware attack in January that took down its networks. (BleepingComputer)

👀 School-aged kids are seizing control of Discord servers and using them to carry out phishing attacks and steal users' NFTs. (The Block)

5. 1 fun thing

Lola the cat. Photo: Sam Sabin/Axios

My black cat, Lola, would like to remind everyone that not all black cats are bad — just the ones that are extorting people for money 🐈‍⬛ ❤️.

☀️ See y'all on Friday!

Thanks to Scott Rosenberg for editing and Khalid Adad for copy editing this newsletter.
