Satori Cyber raises $5.25M to help businesses protect their data flows

The amount of data that most companies now store — and the places they store it — continues to increase rapidly. With that, the risk of the wrong people managing to get access to this data also increases, so it’s no surprise that we’re now seeing a number of startups that focus on protecting this data and how it flows between clouds and on-premises servers. Satori Cyber, which focuses on data protection and governance, today announced that it has raised a $5.25 million seed round led by YL Ventures.

“We believe in the transformative power of data to drive innovation and competitive advantage for businesses,” the company says. “We are also aware of the security, privacy and operational challenges data-driven organizations face in their journey to enable broad and optimized data access for their teams, partners and customers. This is especially true for companies leveraging cloud data technologies.”

Satori is officially coming out of stealth mode today and launching its first product, the Satori Cyber Secure Data Access Cloud. This service provides enterprises with the tools to provide access controls for their data, but maybe just as importantly, it also offers these companies and their security teams visibility into their data flows across cloud and hybrid environments. The company argues that data is “a moving target” because it’s often hard to know how exactly it moves between services and who actually has access to it. With most companies now splitting their data between lots of different data stores, that problem only becomes more prevalent over time and continuous visibility becomes harder to come by.

“Until now, security teams have relied on a combination of highly segregated and restrictive data access and one-off technology-specific access controls within each data store, which has only slowed enterprises down,” said Satori Cyber CEO and co-founder Eldad Chai. “The Satori Cyber platform streamlines this process, accelerates data access and provides a holistic view across all organizational data flows, data stores and access, as well as granular access controls, to accelerate an organization’s data strategy without those constraints.”

Both co-founders (Chai and CTO Yoav Cohen) previously spent nine years building security solutions at Imperva and Incapsula (which acquired Imperva in 2014). Based on this experience, they understood that onboarding had to be as easy as possible and that operations would have to be transparent to the users. “We built Satori’s Secure Data Access Cloud with that in mind, and have designed the onboarding process to be just as quick, easy and painless. On-boarding Satori involves a simple host name change and does not require any changes in how your organizational data is accessed or used,” they explain.

Odoo grabs $90M to sell more SMEs on its business app suite

Belgium-based all-in-one business software maker Odoo, which offers an open source version as well as subscription-based enterprise software and SaaS, has taken in $90 million led by a new investor: Global growth equity investor Summit Partners.

The funds have been raised via a secondary share sale. Odoo’s executive management team and existing investor SRIW and its affiliate Noshaq also participated in the share sale by buying stock — with VC firms Sofinnova and XAnge selling part of their shares to Summit Partners and others.

“Odoo is largely profitable and grows at 60% per year with an 83% gross margin product; so, we don’t need to raise money,” a spokeswoman told us. “Our bottleneck is not the cash but the recruitment of new developers, and the development of the partner network.

“What’s unusual in the deal is that existing managers, instead of cashing out, purchased part of the shares using a loan with banks.”

The 2005-founded company — which used to go by the name of OpenERP before transitioning to its current open core model in 2015 — last took in a $10M Series B back in 2014, per Crunchbase.

Odoo offers some 30 applications via its Enterprise platform — including ERP, accounting, stock, manufacturing, CRM, project management, marketing, human resources, website, eCommerce and point-of-sale apps — while a community of ~20,000 active members has contributed 16,000+ apps to the open source version of its software, addressing a broader swathe of business needs.

It focuses on the SME business apps segment, competing with the likes of Oracle, SAP and Zoho, to name a few. Odoo says it has in excess of 4.5 million users worldwide at this point, and touts revenue growth “consistently above 50% over the last ten years”.

Summit Partners told us funds from the secondary sale will be used to accelerate product development — and for continued global expansion.

“In our experience, traditional ERP is expensive and frequently fails to adapt to the unique needs of dynamic businesses. With its flexible suite of applications and a relentless focus on product, we believe Odoo is ideally positioned to capture this large and compelling market opportunity,” said Antony Clavel, a Summit Partners principal who has joined the Odoo board, in a supporting statement.

Odoo’s spokeswoman added that part of the expansion plan includes opening an office in Mexico in January, and another in Antwerpen, Belgium, in Q3.

This report was updated with additional comment

Google details its approach to cloud-native security

Over the years, Google’s various whitepapers, detailing how the company solves specific problems at scale, have regularly spawned new startup ecosystems and changed how other enterprises think about scaling their own tools. Today, the company is publishing a new security whitepaper that details how it keeps its cloud-native architecture safe.

The name, BeyondProd, already indicates that this is an extension of the BeyondCorp zero trust system the company first introduced a few years ago. While BeyondCorp is about shifting security away from VPNs and firewalls on the perimeter to the individual users and devices, BeyondProd focuses on Google’s zero trust approach to how it connects machines, workloads and services.

Unsurprisingly, BeyondProd is based on pretty much the same principles as BeyondCorp, including network protection at the end, no mutual trust between services, trusted machines running known code, automated and standardized change rollout and isolated workloads. All of this, of course, focuses on securing cloud-native applications that generally communicate over APIs and run on modern infrastructure.

“Altogether, these controls mean that containers and the microservices running inside can be deployed, communicate with each other, and run next to each other, securely; without burdening individual microservice developers with the security and implementation details of the underlying infrastructure,” Google explains.

Google, of course, notes that it is making all of these features available to developers through its own services like GKE and Anthos, its hybrid cloud platform. In addition, though, the company also stresses that a lot of its open-source tools also allow enterprises to build systems that adhere to the same principles, including the likes of Envoy, Istio, gVisor and others.

“In the same way that BeyondCorp helped us to evolve beyond a perimeter-based security model, BeyondProd represents a similar leap forward in our approach to production security,” Google says. “By applying the security principles in the BeyondProd model to your own cloud-native infrastructure, you can benefit from our experience, to strengthen the deployment of your workloads, how their communications are secured, and how they affect other workloads.”

You can read the full whitepaper here.

Nuclear Bot Author Arrested in Sextortion Case

Last summer, a wave of sextortion emails began flooding inboxes around the world. The spammers behind this scheme claimed they’d hacked your computer and recorded videos of you watching porn, and promised to release the embarrassing footage to all your contacts unless a bitcoin demand was paid. Now, French authorities say they’ve charged two men they believe are responsible for masterminding this scam. One of them is a 21-year-old hacker interviewed by KrebsOnSecurity in 2017 who openly admitted to authoring a banking trojan called “Nuclear Bot.”

On Dec. 15, the French news daily Le Parisien published a report stating that French authorities had arrested and charged two men in the sextortion scheme. The story doesn’t name either individual, but rather refers to one of the accused only by the pseudonym “Antoine I.,” noting that his first name had been changed (presumably to protect his identity because he hasn’t yet been convicted of a crime).

“According to sources close to the investigation, Antoine I. surrendered to the French authorities at the beginning of the month, after being hunted down all over Europe,” the story notes. “The young Frenchman, who lived between Ukraine, Poland and the Baltic countries, was indicted on 6 December for ‘extortion by organized gang, fraudulent access to a data processing system and money laundering.’ He was placed in pre-trial detention.”

According to Le Parisien, Antoine I. admitted to being the inventor of the initial 2018 sextortion scam, which was subsequently imitated by countless other ne’er-do-wells. The story says the two men deployed malware to compromise at least 2,000 computers that were used to blast out the sextortion emails.

While that story is light on details about the identities of the accused, an earlier version of it published Dec. 14 includes more helpful clues. The Dec. 14 piece said Antoine I. had been interviewed by KrebsOnSecurity in April 2017, where he boasted about having created Nuclear Bot, a malware strain designed to steal banking credentials from victims.

My April 2017 exposé featured an interview with Augustin Inzirillo, a young man who came across as deeply conflicted about his chosen career path. That path became traceable after he released the computer code for Nuclear Bot on GitHub. Inzirillo outed himself by defending the sophistication of his malware after it was ridiculed by both security researchers and denizens of the cybercrime underground, where copies of the code wound up for sale. From that story:

“It was a big mistake, because now I know people will reuse my code to steal money from other people,” Inzirillo told KrebsOnSecurity in an online chat.

Inzirillo released the code on GitHub with a short note explaining his motivations, and included a contact email address at a domain (inzirillo.com) set up long ago by his father, Daniel Inzirillo.

KrebsOnSecurity also reached out to Daniel, and heard back from him roughly an hour before Augustin replied to requests for an interview. Inzirillo the elder said his son used the family domain name in his source code release as part of a misguided attempt to impress him.

“He didn’t do it for money,” said Daniel Inzirillo, whose CV shows he has built an impressive career in computer programming and working for various financial institutions. “He did it to spite all the cyber shitheads. The idea was that they wouldn’t be able to sell his software anymore because it was now free for grabs.”

If Augustin Inzirillo ever did truly desire to change his ways, it wasn’t clear from his apparent actions last summer: The Le Parisien story says the sextortion scams netted the Frenchman and his co-conspirator at least a million Euros.

In August 2018, KrebsOnSecurity was contacted by a researcher working with French authorities on the investigation who said he suspected the young man was bragging on Twitter that he used a custom version of Nuclear Bot dubbed “TinyNuke” to steal funds from customers of French and Polish banks.

The source said this individual used the now-defunct Twitter account @tiny_gang1 to taunt French authorities, while showing off a fan of 100-Euro notes allegedly gained from his illicit activities (see image above). It seemed to the source that Inzirillo wanted to get caught, because at one point @tiny_gang1 even privately shared a copy of Inzirillo’s French passport to prove his identity and accomplishments to the researcher.

“He modified the Tinynuke’s config several times, and we saw numerous modifications in the malware code too,” the source said. “We tried to compare his samples with the leaked code available on GitHub and we noticed that the guy actually was using a more advanced version with features that don’t exist in the publicly available repositories. As an example, custom samples have video recording functionality, socks proxy and other features. So the guy clearly improved the source code and recompiled a new version for every new campaign.”

The source said the person behind the @tiny_gang Twitter account attacked French targets with custom versions of TinyNuke in one to three campaigns per week earlier this year, harvesting French bank accounts and laundering the stolen funds via a money mule network based mostly in the United Kingdom.

“If the guy behind this campaign is the malware author, it could easily explain the modifications happening with the malware, and his French is pretty good,” the researcher told KrebsOnSecurity. “He’s really provocative and I think he wants to be arrested in France because it could be a good way to become famous and maybe prove that his malware works (to resell it after?).”

The source said the TinyNuke author threatened him with physical harm after the researcher insulted his intelligence while trying to goad him into disclosing more details about his cybercrime activities.

“The guy has a serious ego problem,” the researcher said. “He likes when we talk about him and he hates when we mock him. He got really angry as time went by and started personally threatening me. In the last [TinyNuke malware configuration file] targeting Poland we found a long message dedicated to me with clear physical threats.”

All of the above is consistent with the findings detailed in the Le Parisien report, which quoted French investigators saying Antoine I. in October 2019 used a now-deleted Twitter account to taunt the authorities into looking for him. In one such post, he included a picture of himself holding a beer, saying: “On the train to Naples. You should send me a registered letter instead of threatening guys informally.”

The Le Parisien story also said Antoine I. threatened a researcher working with French authorities on the investigation (the researcher is referred to pseudonymously as “Marc”).

“I make a lot more money than you, I am younger, more intelligent,” Antoine I. reportedly wrote in July 2018 to Marc. “If you do not stop playing with me, I will put a bullet in your head.”

French authorities say the defendant managed his extortion operations while traveling throughout Ukraine and other parts of Eastern Europe. But at some point he decided to return home to France, despite knowing investigators there were hunting him. According to Le Parisien, he told the French authorities he wanted to cooperate in the investigation and that he no longer wished to live like a fugitive.

Ransomware as a Service | What are Cryptonite, Recoil and Ghostly Locker?

A short while back we posted a two-part blog series on a new RaaS (Ransomware as a Service) offering, “Project Root”. If you have not had a chance to peruse Part 1 and Part 2 of that series, we highly recommend doing so. That aside, “Project Root” happens to be just one of many in a recent uptick in “publicly” available RaaS offerings. In recent months, we have been tracking others as well and would like to take this opportunity to provide a high-level overview of three of the more notable examples, all of which market themselves with a style and pitch typical of legitimate consumer marketing. In this post, we will explore the following:

  • Recoil Ransomware
  • Cryptonite
  • Ghostly (aka Ghostly Locker)

      image RaaS Cryptonite

      Recoil Ransomware

      Recoil popped up for sale in various forums in early November 2019. Like Project Root, the main draw is a low buy-in price and a fairly standard feature set.

      image recoil banner

      Early advertisements for Recoil touted the following:

      image recoil features

      image recoil discord forum

      All these features are fairly standard for a modern RaaS service and should be taken with a healthy dose of scepticism. Claims to be “fully undetectable” (aka FUD) are misleading and indicate at most two anti-detection capabilities. First, the developers can provide the buyer with a uniquely compiled stub that has yet to be submitted to public testing sites like VirusTotal. That means legacy AV solutions that rely on reputation for detection, such as by checking the binary’s hash, can indeed be bypassed easily. Second, some ransomware vendors offer to update their code/stubs frequently in order to stay ahead of the ‘detection curve’ of signature rules such as YARA that rely on detecting particular sequences of bytes or strings in an executable. However, neither of these avoidance techniques gives the ransomware true “FUD” capabilities if the security solution uses advanced behavioural detection.

      Recoil also offers the ability to function (i.e. encrypt) offline, which is attractive to criminals for a few reasons, not the least of which is that it can make the payloads less ‘noisy’. That is, if there is no anomalous traffic reaching out to obviously suspicious .onion sites, then simple security controls that would be triggered by that sort of thing (IPS/IDS/Firewalls, etc.) can fail to generate alerts. Beyond that, staying offline may offer some improvement in speed by forgoing network status checks or delays while reaching out to an attacker’s server each time the payload executes. 

      As stated, Recoil’s feature set is rather standard. The deletion of shadow copies is very common and can greatly impact a victim’s ability to recover from such an attack if they are not able to restore from another form of known-good backup or if they lack a modern security solution that blocks that behaviour at source.
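Because shadow-copy deletion is the recovery-killing step the paragraph above singles out, the following Python is an added example (not code from the original post or from SentinelOne) of the detection logic a defender would run over process-creation telemetry: it flags the publicly documented command lines used to remove Volume Shadow Copies and recovery options, and downgrades the severity when the parent process is a known backup agent. The sample events, the BackupAgent path and the trusted-parent list are constructed for illustration.

```python
"""Flag process-creation events that attempt to destroy Volume Shadow Copies.

Assumes process-creation telemetry (e.g. Sysmon Event ID 1 or an EDR equivalent)
has already been parsed into dicts with 'parent', 'image' and 'cmdline' keys.
The events below are constructed for this example; they are not real telemetry.
"""
import re

# Each rule: (label, regex over the normalized command line). The commands are the
# publicly documented ways ransomware removes shadow copies and recovery options
# (MITRE ATT&CK T1490, Inhibit System Recovery).
SHADOW_COPY_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("powershell_win32_shadowcopy", re.compile(r"win32_shadowcopy.*\bdelete\b")),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b")),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
]

# Hypothetical backup agent that legitimately prunes shadow copies; a real deployment
# would populate this from its own inventory of backup software.
TRUSTED_PARENTS = {r"c:\program files\backupagent\agent.exe"}

# Constructed sample events: one ransomware-style chain, a benign vssadmin listing,
# a PowerShell WMI deletion, a boot-recovery change, a backup-agent prune, and noise.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "vssadmin.exe" Delete Shadows /All /Quiet & wbadmin DELETE CATALOG -quiet'},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Program Files\BackupAgent\agent.exe",
     "cmdline": "vssadmin list shadows"},
    {"parent": r"C:\Users\alice\Downloads\invoice.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"},
    {"parent": r"C:\Users\alice\Downloads\invoice.exe", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"parent": r"C:\Program Files\BackupAgent\agent.exe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /for=C: /oldest"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic process list brief"},
]


def normalize(cmdline: str) -> str:
    """Lower-case, strip quoting and collapse whitespace so trivial variation
    (mixed case, extra spaces, quoted executable paths) does not dodge the patterns."""
    stripped = cmdline.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", stripped).strip().lower()


def match_rules(cmdline: str) -> list:
    """Return every rule label matched by the command line (a chained command
    such as 'vssadmin ... & wbadmin ...' yields more than one label)."""
    norm = normalize(cmdline)
    return [label for label, rx in SHADOW_COPY_RULES if rx.search(norm)]


def assess(event: dict):
    """Return a finding for one event, or None if nothing matched.
    A trusted backup parent lowers severity to 'medium' (review), not to 'ignore'."""
    labels = match_rules(event["cmdline"])
    if not labels:
        return None
    severity = "medium" if event["parent"].lower() in TRUSTED_PARENTS else "high"
    return {"labels": labels, "severity": severity, "image": event["image"]}


def scan(events: list) -> list:
    """Run assess() over a batch and return (index, finding) pairs for the hits."""
    findings = []
    for idx, event in enumerate(events):
        finding = assess(event)
        if finding is not None:
            findings.append((idx, finding))
    return findings


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding['severity']:6} {', '.join(finding['labels'])}")
```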

      Current data indicates that Recoil supports Windows (x86 / x64) as well as Android. The developers are hoping to net $500.00 USD per sale, which – they say – includes support for Windows and Android platforms.

      Cryptonite Ransomware

      image cryptonite banner

      Cryptonite began advertising in forums (.onion based) a little later than Recoil, in early December 2019. They tout a fairly robust feature set, as well as a ‘deal’ to preview the system before committing to purchasing a full subscription package. By creating an account on their system, would-be ransomware criminals are able to get ‘preview’ builds which are fully functional. The idea here seems to be to offer the ability to generate income from the preview that the “buyers” would in turn use to pay for the full package.

      image cryptonite features

      The developers behind Cryptonite also appear to be offering a special deal to the first 1000 customers. The marketing is somewhat fascinating (from a security research perspective) in that they are highlighting “features” which very much focus on the exact points that security professionals recognize as the most dangerous.

      Specifically, they repeatedly highlight the point that “No Coding Skill” is required. That particular aspect is one of the main reasons we call attention to these. The barrier to entry is almost zero, meaning anyone tempted by criminal gains can cause a great deal of damage in very little time (seconds). The greatest danger with these kinds of RaaS offerings is that an attacker only needs to know how to download files to start the infectious ball rolling.

      Cryptonite is currently advertising the following core features:

      • Zero ransom fees – Packages are based on “infection credits”
      • Fully Undetectable – AV Evasion
      • Unique Encryption Keys – Unique encryption keys for each infection. This aims to prevent decryption tools or use of leaked keys
      • No Coding Skills Needed – Buyers build and download payloads from the portal. No programming / coding required
      • Increasing Ransom – Ransom increases over time or per defined criteria
      • Custom File infection (append your own binaries)
      • VSS / Shadow Copy Disabling / Deletion – Attempts to delete Volume Shadow Copies to prevent OS-based remediation
      • Network Infection Option – Worm’esque feature. Attempts to identify open network shares to spread to and infect.
      • Windows Only (x86/x64)

      image cryptonite abilities

      Cryptonite offers a full management and tracking portal and a number of features which put it ahead of Recoil in terms of attractiveness to a criminal audience. The pricing model is a little different with Cryptonite as well. Rather than taking a cut from each received ransom or charging an “entry fee”, they sell packages of what they refer to as “infection credits”. Each infected victim equals one credit. Would-be threat actors pay more for a package that allows them to infect more victims.

      Cryptonite pricing currently ranges from $195.00 to $895.00 USD and sets a limit on the amount of ransom that can be demanded per victim in each tier, from $150 to $250. For that, would-be criminals can infect between 50 and 200 victims and potentially make between $7,500 – $50,000 in total.

      The network infection and “advanced tracking” features are only included in the highest-price tier.

      image cryptonite pricing

      Along with all this, Cryptonite claims to offer 24×7 “support” via email, web-form, or even chat (when the admins are online).

      image cryptonite support

      Ghostly Locker Ransomware

      Rounding out our overview of RaaS projects is Ghostly, aka Ghostly Locker, ransomware.

      image Ghostly Locker banner

      Ghostly first appeared for sale in mid-November 2019. Similar to Recoil and Cryptonite, it is presented as a very slick and full-featured offering.

      image Ghostly Locker features

      Currently, Ghostly Locker claims to provide the following primary feature set:

      • Silent, Multi-Threaded Encryption
      • Customizable Disk Encryption (full or partial)
      • Customizable Target Extension List
      • Automation of Client Payments
      • Ransom Amount Doubling (after 72 hours)
      • TOR Portal-based Infection Tracking and Management
      • Detailed Campaign Statistics
      • Windows Only Support (x86/x64)
      • Purchase via Direct Payment (BTC) or Escrow via specific advertised forums.

      Ghostly’s pricing model is more ‘traditional’ in that they require an up-front entry fee from those looking to buy ransomware. The more a buyer is willing to pay, the more features they are offered, as well as more time and greater volume of potential infections.

      image Ghostly Locker pricing

      The Ghostly Locker FAQ provides further detail on specific features as well as information around their pricing plans and payment processing.

      image Ghostly Locker FAQ

      The Ghostly Locker dashboard is bloat-free and functional.

      image Ghostly Locker Dashboard

      The ‘Build’ section is where the magic happens. Short and to the point, it does the job. The user has options to enter or update the payment bitcoin address, as well as the payment amount. 

      It is also possible to toggle between full or partial disk encryption. Full disk encryption is slower, and according to the RaaS developer, should be used “when you want to make sure that the files are never recovered.” They notably also state that Full Disk Encryption is “ideal for targeted campaigns”. Ghostly Locker claims to run through encryption on a disk in 1 minute, on average. This is common with most modern ransomware families. It takes very little time to do a great deal of damage. If you think you have a minute or two to adjust and avoid encryption, or if your EDR solution relies on cloud lookups to convict bad behavior, that can become a problem, very quickly.

      image Ghostly Locker download

      We will cover details on the payloads generated from Ghostly Locker in a separate, upcoming, blog post.

      Conclusion

      What is particularly concerning about this latest rash of ransomware projects is the way they borrow ideas from modern marketing practice in a clear effort to attract first-time buyers and to increase confidence among individuals who might otherwise have only been curious. When highly-skilled criminals are broadening their appeal to zero-skill, would-be villains with slick and seductive marketing tricks, it is a worrying sign that 2019’s wave of ransomware attacks looks likely not only to continue but, if these kinds of RaaS campaigns are successful, to become worse in 2020.

      Whether the highly-skilled actors behind these kinds of projects are just themselves ordinary criminals or also have a vested interest in encouraging an increase in ransomware attacks for other purposes is an interesting question in light of our recent discovery of links between APTs and crimeware.

      However that may be, SentinelOne’s on-device endpoint protection is fully capable of preventing infection from Ghostly Locker, Recoil, Cryptonite and other forms of ransomware without reliance on cloud detection. Organizations that have moved beyond depending on legacy AV suites can avoid falling victim to the ransomware plague, but those that haven’t need to catch up quickly. As this review shows, the criminals sense a “goldrush” and some of them are only too happy to sell the shovels.


OneConnect’s drastic IPO value cut underscores the risk of high-growth, high-burn companies

OneConnect’s U.S.-listed IPO flew under our radar last week, which won’t do. The company’s public offering is both interesting and important, so let’s take a few minutes this morning to understand what we missed and why we care.

The now-public company sells financial technology that banks in China and select foreign countries can use to bring their services into the modern era. OneConnect charges mostly for usage of its products, driving over three-quarters of its revenue from transactions, including API calls.

After pricing its shares at $10 apiece, the SoftBank Vision Fund-backed company wrapped last week worth the same: $10 per share.

On one hand, OneConnect is merely another China-based IPO listing domestically here in the United States, making it merely one member of a crowd. So, why do we care about its listing?

A few reasons. We care because the listing is another liquidity event for SoftBank and its Vision Fund. As the Japanese conglomerate revs up its second Vision Fund cycle (Vision Fund 2, more here), returns and proof of its ability to pick winners and fuel them with capital are key. OneConnect’s success as a public company, therefore, matters.

And for us market observers, the debut is doubly exciting from a financial perspective. No, OneConnect doesn’t make money (very much the opposite). What’s curious about the company is that it brought huge losses to market when it was pitching its equity, which, in a post-WeWork world, are supposed to be out of style. Let’s see how well it priced.

What’s it worth?

OneConnect targeted a $9 to $10 per-share IPO price. That makes its final, $10 per-share pricing the top of its range. That said, given how narrow its range was, the result doesn’t look like much of a coup for the company. That’s doubly true when we recall that OneConnect lowered its IPO price range from $12 to $14 per share (a more standard price band) to the lower figures. So, the company managed to price at the top of its expectations, but only after those were cut to size.

When it all wrapped, OneConnect was worth about $3.7 billion at its IPO price, according to math from The New York Times. TechCrunch’s own calculations value the firm at a slightly richer $3.8 billion. Regardless, the figure was a disappointment.

When OneConnect raised from SoftBank’s Vision Fund in early 2018, $650 million was invested at a $6.8 billion pre-money valuation, according to Crunchbase data. That put a $7.45 billion post-money price tag on the Ping An-sourced business. To see the company forced to cut its IPO valuation so far is difficult for OneConnect itself, its parent Ping An and its backer SoftBank.

Why so little?

I promised to be brief when we started, so let’s stay curt: OneConnect’s business was worth far less than expected because while it posted impressive revenue gains, the company’s deep unprofitability made it less palatable than expected to public investors.

OneConnect managed to post revenue growth of more than 70% in the first three quarters of 2019, expanding top line to $217.5 million in the period. However, during that time it generated just $70.9 million in gross profit, the sum it could use to cover its operating costs. The company’s cost structure, however, was far larger than its gross profit.

Over the same nine-month period, OneConnect’s sales and marketing costs alone outstripped its total gross profit. All told, OneConnect posted operating costs of $227.6 million in the first three quarters of 2019, leading to an operating loss of $156.6 million in the period.

The company will, therefore, burn lots of cash as it grows; OneConnect is still deep in its investment motion, and far from the sort of near-profitability that we hear is in vogue. In a sense, OneConnect bears the narrative out. It had to endure a sharp valuation reduction to get out. You can see the market’s changed mood in that fact alone.


Cisco acquires ultra-low latency networking specialist Exablaze

Cisco today announced that it has acquired Exablaze, an Australia-based company that designs and builds advanced networking gear based on field programmable gate arrays (FPGAs). The company focuses on solutions for businesses that need ultra-low latency networking, with a special emphasis on high-frequency trading. Cisco plans to integrate Exablaze’s technology into its own product portfolio.

“By adding Exablaze’s segment leading ultra-low latency devices and FPGA-based applications to our portfolio, financial and HFT customers will be better positioned to achieve their business objectives and deliver on their customer value proposition,” writes Cisco’s head of corporate development Rob Salvagno.

Founded in 2013, Exablaze has offices in Sydney, New York, London and Shanghai. While financial trading is an obvious application for its solutions, the company also notes that it has users in the big data analytics, high-performance computing and telecom space.

Cisco plans to add Exablaze to its Nexus portfolio of data center switches. The company also argues that in addition to integrating Exablaze’s current portfolio, the two companies will work on next-generation switches, with an emphasis on creating opportunities for expanding its solutions into AI and ML segments.

“The acquisition will bring together Cisco’s global reach, extensive sales and support teams, and broad technology and manufacturing base, with Exablaze’s cutting-edge low-latency networking, layer 1 switching, timing and time synchronization technologies, and low-latency FPGA expertise,” explains Exablaze co-founder and chairman Greg Robinson.

Cisco, which has always been quite acquisitive, has now made six acquisitions this year. Most of these were software companies, but with Acacia Communications, it also recently announced its intention to acquire another fabless semiconductor company that builds optical interconnects.


Inside ‘Evil Corp,’ a $100M Cybercrime Menace

The U.S. Justice Department this month offered a $5 million bounty for information leading to the arrest and conviction of a Russian man indicted for allegedly orchestrating a vast, international cybercrime network that called itself “Evil Corp” and stole roughly $100 million from businesses and consumers. As it happens, for several years KrebsOnSecurity closely monitored the day-to-day communications and activities of the accused and his accomplices. What follows is an insider’s look at the back-end operations of this gang.

Image: FBI

The $5 million reward is being offered for 32-year-old Maksim V. Yakubets, who the government says went by the nicknames “aqua” and “aquamo,” among others. The feds allege Aqua led an elite cybercrime ring with at least 16 others who used advanced, custom-made strains of malware known as “JabberZeus” and “Bugat” (a.k.a. “Dridex”) to steal banking credentials from employees at hundreds of small- to mid-sized companies in the United States and Europe.

From 2009 to the present, Aqua’s primary role in the conspiracy was recruiting and managing a continuous supply of unwitting or complicit accomplices to help Evil Corp. launder money stolen from their victims and transfer funds to members of the conspiracy based in Russia, Ukraine and other parts of Eastern Europe. These accomplices, known as “money mules,” are typically recruited via work-at-home job solicitations sent out by email and to people who have submitted their resumes to job search Web sites.

Money mule recruiters tend to target people looking for part-time, remote employment, and the jobs usually involve little work other than receiving and forwarding bank transfers. People who bite on these offers sometimes receive small commissions for each successful transfer, but just as often end up getting stiffed out of a promised payday, and/or receiving a visit or threatening letter from law enforcement agencies that track such crime (more on that in a moment).

HITCHED TO A MULE

KrebsOnSecurity first encountered Aqua’s work in 2008 as a reporter for The Washington Post. A source said they’d stumbled upon a way to intercept and read the daily online chats between Aqua and several other mule recruiters and malware purveyors who were stealing hundreds of thousands of dollars weekly from hacked businesses.

The source also discovered a pattern in the naming convention and appearance of several money mule recruitment Web sites being operated by Aqua. People who responded to recruitment messages were invited to create an account at one of these sites, enter personal and bank account data (mules were told they would be processing payments for their employer’s “programmers” based in Eastern Europe) and then log in each day to check for new messages.

Each mule was given busy work or menial tasks for a few days or weeks prior to being asked to handle money transfers. I believe this was an effort to weed out unreliable money mules. After all, those who showed up late for work tended to cost the crooks a lot of money, as the victim’s bank would usually try to reverse any transfers that hadn’t already been withdrawn by the mules.

One of several sites set up by Aqua and others to recruit and manage money mules.

When it came time to transfer stolen funds, the recruiters would send a message through the mule site saying something like: “Good morning [mule name here]. Our client — XYZ Corp. — is sending you some money today. Please visit your bank now and withdraw this payment in cash, and then wire the funds in equal payments — minus your commission — to these three individuals in Eastern Europe.”

Only, in every case the company mentioned as the “client” was in fact a small business whose payroll accounts they’d already hacked into.

Here’s where it got interesting. Each of these mule recruitment sites had the same security weakness: Anyone could register, and after logging in any user could view messages sent to and from all other users simply by changing a number in the browser’s address bar. As a result, it was trivial to automate the retrieval of messages sent to every money mule registered across dozens of these fake company sites.
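The weakness described above is an insecure direct object reference: the server trusts the message number in the URL and never checks that the logged-in user is a party to that message. The following is an added illustration, not code from the original post or from the sites it describes; the message table, user names and ids are constructed for the example, and it shows the vulnerable lookup beside one that enforces ownership.

```python
# Added example: insecure direct object reference (IDOR) on a message
# endpoint, and the ownership check that closes it. The message table,
# user names and ids are constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str


class NotFound(Exception):
    """Raised for both missing and foreign messages, so the response does
    not reveal whether a given id exists (no enumeration oracle)."""


# Constructed sample data standing in for the site's message table.
MESSAGES = {
    101: Message(101, "recruiter", "mule_a", "Please confirm your bank details."),
    102: Message(102, "recruiter", "mule_b", "Our client is sending you funds today."),
    103: Message(103, "mule_a", "recruiter", "Received, going to the bank now."),
}


def session_user(request: dict) -> str:
    """Identity comes from the server-side session, never from the URL."""
    return request["session"]["user"]


def get_message_vulnerable(request: dict, msg_id: int) -> Message:
    """Broken access control: any logged-in user can read any message by
    changing msg_id in the address bar. Authentication is checked, but
    authorization (does this message belong to the requester?) is not."""
    session_user(request)            # login required ...
    msg = MESSAGES.get(msg_id)       # ... but the id is trusted as-is
    if msg is None:
        raise NotFound()
    return msg


def get_message_hardened(request: dict, msg_id: int) -> Message:
    """Fixed: the requester must be the sender or recipient. Unknown ids
    and other users' ids produce the identical error."""
    user = session_user(request)
    msg = MESSAGES.get(msg_id)
    if msg is None or user not in (msg.sender, msg.recipient):
        raise NotFound()
    return msg


def list_messages_for(request: dict) -> list:
    """Safer listing API: scope is derived from the session, so there is
    no client-supplied id to tamper with in the first place."""
    user = session_user(request)
    mine = [m for m in MESSAGES.values() if user in (m.sender, m.recipient)]
    return sorted(mine, key=lambda m: m.msg_id)


def can_read(handler, request: dict, msg_id: int) -> bool:
    """True if the given handler lets this session read msg_id."""
    try:
        handler(request, msg_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    req = {"session": {"user": "mule_a"}}
    # mule_a can read mule_b's message through the vulnerable handler,
    # but not through the hardened one.
    print(can_read(get_message_vulnerable, req, 102))  # True
    print(can_read(get_message_hardened, req, 102))    # False
```

Because the hardened handler answers foreign and nonexistent ids identically, a client stepping through numbers learns nothing, and logging those denials per session gives the operator a clear signal of tampering.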

So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Aqua and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.

My spiel on all of these calls was more or less the same: “You probably have no idea who I am, but here’s all my contact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately and have them put a hold on any pending transfers before it’s too late. Feel free to call me back afterwards if you want more information about how I know all this, but for now please just call or visit your bank.”

Messages to and from a money mule working for Aqua’s crew, circa May 2011.

In many instances, my call would come in just minutes or hours before an unauthorized payroll batch was processed by the victim company’s bank, and some of those notifications prevented what otherwise would have been enormous losses — often several times the amount of the organization’s normal weekly payroll. At some point I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it was probably in the millions.

Just as often, the victim company would suspect that I was somehow involved in the robbery, and soon after alerting them I would receive a call from an FBI agent or from a police officer in the victim’s hometown. Those were always interesting conversations. Needless to say, the victims that spun their wheels chasing after me usually suffered far more substantial financial losses (mainly because they delayed calling their financial institution until it was too late).

Collectively, these notifications to Evil Corp.’s victims led to dozens of stories over several years about small businesses battling their financial institutions to recover their losses. I don’t believe I ever wrote about a single victim that wasn’t okay with my calling attention to their plight and to the sophistication of the threat facing other companies.

LOW FRIENDS IN HIGH PLACES

According to the U.S. Justice Department, Yakubets/Aqua served as leader of Evil Corp. and was responsible for managing and supervising the group’s cybercrime activities in deploying and using the Jabberzeus and Dridex banking malware. The DOJ notes that prior to serving in this leadership role for Evil Corp, Yakubets was also directly associated with Evgeniy “Slavik” Bogachev, a previously designated Russian cybercriminal responsible for the distribution of the Zeus, Jabber Zeus, and GameOver Zeus malware schemes who currently has a $3 million FBI bounty on his head.

Evgeniy M. Bogachev, in undated photos.

As noted in previous stories here, during times of conflict with Russia’s neighbors, Slavik was known to retool his crime machines to search for classified information on victim systems in regions of the world that were of strategic interest to the Russian government – particularly in Turkey and Ukraine.

“Cybercriminals are recruited to Russia’s national cause through a mix of coercion, payments and appeals to patriotic sentiment,” reads a 2017 story from The Register on security firm Cybereason’s analysis of the Russian cybercrime scene. “Russia’s use of private contractors also has other benefits in helping to decrease overall operational costs, mitigating the risk of detection and gaining technical expertise that they cannot recruit directly into the government. Combining a cyber-militia with official state-sponsored hacking teams has created the most technically advanced and bold cybercriminal community in the world.”

This is interesting because the U.S. Treasury Department says Yakubets as of 2017 was working for the Russian FSB, one of Russia’s leading intelligence organizations.

“As of April 2018, Yakubets was in the process of obtaining a license to work with Russian classified information from the FSB,” notes a statement from the Treasury.

The Treasury Department’s role in this action is key because it means the United States has now imposed economic sanctions on Yakubets and 16 accused associates, effectively freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with these individuals.

The Justice Department’s criminal complaint against Yakubets (PDF) mentions several intercepted chat communications between Aqua and his alleged associates in which they puzzle over why KrebsOnSecurity seemed to know so much about their internal operations and victims. In the following chat conversations (translated from Russian), Aqua and others discuss a story I wrote for The Washington Post in 2009 about their theft of hundreds of thousands of dollars from the payroll accounts of Bullitt County, Ky.:

tank: [Are you] there?
indep: Yeah.
indep: Greetings.
tank: http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html#more
tank: This is still about me.
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: He is the account from which we cashed.
tank: Today someone else send this news.
tank: I’m reading and thinking: Let me take a look at history. For some reason this name is familiar.
tank: I’m on line and I’ll look. Ah, here is this shit.
indep: How are you?
tank: Did you get my announcements?
indep: Well, I congratulate [you].
indep: This is just fuck when they write about you in the news.
tank: Whose [What]?
tank: 😀
indep: Too much publicity is not needed.
tank: Well, so nobody knows who they are talking about.

tank: Well, nevertheless, they were writing about us.
aqua: So because of whom did they lock Western Union for Ukraine?
aqua: Tough shit.
tank: *************Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
aqua: So?
aqua: This is the court system.
tank: Shit.
tank: Yes
aqua: This is why they fucked [nailed?] several drops.
tank: Yes, indeed.
aqua: Well, fuck. Hackers: It’s true they stole a lot of money.

At roughly the same time, one of Aqua’s crew had a chat with Slavik, who used the nickname “lucky12345” at the time:

tank: Are you there?
tank: This is what they damn wrote about me.
tank: http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html#more
tank: I’ll take a quick look at history
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: Well, you got [it] from that cash-in.
lucky12345: From 200K?
tank: Well, they are not the right amounts and the cash out from that account was shitty.
tank: Levak was written there.
tank: Because now the entire USA knows about Zeus.
tank: 😀
lucky12345: It’s fucked.

On Dec. 13, 2009, one of the Jabberzeus gang’s money mule recruiters — a crook who used the pseudonym “Jim Rogers” — somehow learned about something I hadn’t shared beyond a few trusted friends at that point: That The Washington Post had eliminated my job in the process of merging the newspaper’s Web site (where I worked at the time) with the dead tree edition. The following is an exchange between Jim Rogers and the above-quoted “tank”:

jim_rogers: There is a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We are giddily awaiting confirmation 🙂 Good news expected exactly by the New Year! Besides us no one reads his column 🙂

tank: Mr. Fucking Brian Fucking Kerbs!

In March 2010, Aqua would divulge in an encrypted chat that his crew was working directly with the Zeus author (Slavik/Lucky12345), but that they found him abrasive and difficult to tolerate:

dimka: I read about the king of seas, was it your handy work?
aqua: what are you talking about? show me
dimka: zeus
aqua: 🙂
aqua: yes, we are using it right now
aqua: its developer sits with us on the system
dimka: it’s a popular thing
aqua: but, he, fucker, annoyed the hell out of everyone, doesn’t want to write bypass of interactives (scans) and trojan penetration 35-40%, bitch
aqua: yeah, shit
aqua: we need better
aqua: http://voices.washingtonpost.com/securityfix read it 🙂 here you find almost everything about us 🙂
dimka: I think everything will be slightly different, if you think so
aqua: we, in this system, the big dog, the rest on the system are doing small crap

Later that month, Aqua bemoaned even more publicity about their work, pointing to a KrebsOnSecurity story about a sophisticated attack in which their malware not only intercepted a one-time password needed to log in to the victim’s bank account, but even modified the bank’s own Web site as displayed in the victim’s browser to point to a phony customer support number.

Ironically, the fake bank phone number was what tipped off the victim company employee. In this instance, the victim’s bank — Fifth Third Bank (referred to as “53” in the chat below) — was able to claw back the money stolen by Aqua’s money mules, but not funds that were taken via fraudulent international wire transfers. The cybercriminals in this chat also complain that they will need a newly obfuscated version of their malware due to public exposure:

aqua: tomorrow, everything should work.
aqua: fuck, we need to find more socks for spam.
aqua: okay, so tomorrow Petro [another conspirator who went by the nickname Petr0vich] will give us a [new] .exe
jtk: ok
jim_rogers: this one doesn’t work
jim_rogers: http://www.krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/
jim_rogers: here it’s written about my transfer from 53. How I made a number of wires like it said there. And a woman burnt the deal because of a fake phone number.

ANTI-MULE INITIATIVE

In tandem with the indictments against Evil Corp, the Justice Department joined with officials from Europol to execute a law enforcement action and public awareness campaign to combat money mule activity.

“More than 90% of money mule transactions identified through the European Money Mule Actions are linked to cybercrime,” Europol wrote in a statement about the action. “The illegal money often comes from criminal activities like phishing, malware attacks, online auction fraud, e-commerce fraud, business e-mail compromise (BEC) and CEO fraud, romance scams, holiday fraud (booking fraud) and many others.”

The DOJ said U.S. law enforcement disrupted mule networks that spanned from Hawaii to Florida and from Alaska to Maine. Actions were taken to halt the conduct of over 600 domestic money mules, including 30 individuals who were criminally charged for their roles in receiving victim payments and providing the fraud proceeds to accomplices.

Some tips from Europol on how to spot money mule recruitment scams dressed up as legitimate job offers.

It’s good to see more public education about the damage that money mules inflict, because without them most of these criminal schemes simply fall apart. Aside from helping to launder funds from banking trojan victims, money mules often are instrumental in fleecing elderly people taken in by various online confidence scams.

It’s also great to see the U.S. government finally wielding its most powerful weapon against cybercriminals based in Russia and other safe havens for such activity: Economic sanctions that severely restrict cybercriminals’ access to ill-gotten gains and the ability to launder the proceeds of their crimes by investing in overseas assets.

Further reading:

DOJ press conference remarks on Yakubets
FBI charges announced in malware conspiracy
2019 indictment of Yakubets, Turashev, et al.
2010 Criminal complaint vs. Yakubets, et al.
FBI “wanted” alert on Igor “Enki” Turashev
US-CERT alert on Dridex

Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up

As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors.

The message displayed at the top of the Maze Ransomware public shaming site.

Less than 48 hours ago, the cybercriminals behind the Maze Ransomware strain erected a Web site on the public Internet, and it currently lists the company names and corresponding Web sites for eight victims of their malware that have declined to pay a ransom demand.

“Represented here companies dont wish to cooperate with us, and trying to hide our successful attack on their resources,” the site explains in broken English. “Wait for their databases and private papers here. Follow the news!”

KrebsOnSecurity was able to verify that at least one of the companies listed on the site indeed recently suffered from a Maze ransomware infestation that has not yet been reported in the news media.

The information disclosed for each Maze victim includes the initial date of infection, several stolen Microsoft Office, text and PDF files, the total volume of files allegedly exfiltrated from victims (measured in gigabytes), as well as the IP addresses and machine names of the servers infected by Maze.

As shocking as this new development may be to some, it’s not like the bad guys haven’t warned us this was coming.

“For years, ransomware developers and affiliates have been telling victims that they must pay the ransom or stolen data would be publicly released,” said Lawrence Abrams, founder of the computer security blog and victim assistance site BleepingComputer.com. “While it has been a well-known secret that ransomware actors snoop through victim’s data, and in many cases steal it before the data is encrypted, they never actually carried out their threats of releasing it.”

Abrams said that changed at the end of last month, when the crooks behind Maze Ransomware threatened Allied Universal that if they did not pay the ransom, they would release their files. When they did not receive a payment, they released 700MB worth of data on a hacking forum.

“Ransomware attacks are now data breaches,” Abrams said. “During ransomware attacks, some threat actors have told companies that they are familiar with internal company secrets after reading the company’s files. Even though this should be considered a data breach, many ransomware victims simply swept it under the rug in the hopes that nobody would ever find out. Now that ransomware operators are releasing victim’s data, this will need to change and companies will have to treat these attacks like data breaches.”

The move by Maze Ransomware comes just days after the cybercriminals responsible for managing the “Sodinokibi/rEvil” ransomware empire posted on a popular dark Web forum that they also plan to start using stolen files and data as public leverage to get victims to pay ransoms.

The leader of the Sodinokibi/rEvil ransomware gang promising to name and shame victims publicly in a recent cybercrime forum post. Image: BleepingComputer.

This is especially ghastly news for companies that may already face steep fines and other penalties for failing to report breaches and safeguard their customers’ data. For example, healthcare providers are required to report ransomware incidents to the U.S. Department of Health and Human Services, which often documents breaches involving lost or stolen healthcare data on its own site.

While these victims may be able to avoid reporting ransomware incidents if they can show forensic evidence demonstrating that patient data was never taken or accessed, sites like the one that Maze Ransomware has now erected could soon dramatically complicate these incidents.

The Good, the Bad and the Ugly in Cybersecurity – Week 50


The Good

A decade-old cybercriminal group named “Bayrob” has finally been brought down and the gang members sentenced to prison. Bogdan Nicolescu got 20 years and Radu Miclaus got 18 years.

The FBI and foreign law enforcement have been bringing down criminals left and right lately, thanks to greatly increased coordination and global trust groups in which information about criminals’ TTPs (Tactics, Techniques and Procedures), whereabouts and hacking infrastructure is being shared more than ever before.

In this case, the two criminals sent emails spoofed to look like they were from major trusted companies like Western Union, Norton AntiVirus and even the United States IRS. Those phishing emails contained malware that then allowed them to harvest addresses and send more malicious emails to the next round of victims, and so on, until in the end they had sent tens of millions of malicious emails. They also scammed eBay shoppers via malicious images placed in fake eBay ads that led to fake eBay payment websites.

But like most criminals, eventually Darwin caught up before Common Sense did, as they didn’t stop while they were ahead. $4,000,000 of stolen money, and all it did was land them in decades of prison time…and that is why this is this week’s GOOD!

image of Bayrob gang

The Bad

Politicians still don’t understand the nature of cryptosystems, their key-management challenges, and the balance of privacy vs. the needs of law enforcement to detect and prosecute child molesters, traffickers and the like. In a hearing this Tuesday, Senator Lindsey Graham (R-S.C.) made a statement that sums up this ignorance perfectly (at ~20 minutes in the video):

“…the fact that people cannot hack into my phone, listen to my phone calls, follow the messages, the texts that I receive. I think all of us want devices that protect our privacy…however, no American should want a device that is a safe haven for criminality.”

(an ironic statement for anyone that understands the nature of crypto systems and their protection)

Recently, Interpol held a similar dialogue and, by the end, walked away far less quick to criticize proper encryption, given the devastating impact that broken-by-design encryption has on those who cannot protect themselves from, for example, their oppressive governments.

When Senator Dianne Feinstein (D-Calif.) asked Apple’s Manager of User Privacy Erik Neuenschwander whether even a court order can convince Apple to open a device, he responded with a simple statement that best sums up the challenge:

“…ultimately we believe strong encryption makes us all safer, and we haven’t found a way to provide access to users’ devices that wouldn’t weaken security for everyone.”

As was obvious from watching the hearing, that is because to whatever extent the ask is a master key that can decrypt all users’ devices, to that same extent the cryptosystem is jeopardized, along with the security of the millions of people worldwide who depend on cryptography to protect them from myriad threats.

image of encryption judiciary hearing

The Ugly

In what appears to be a very heavy-handed action, the Russian state police raided the Moscow offices of F5 Networks’ NGINX Inc. subsidiary and arrested two of its founders on Thursday.

image of nginx raid

For those who don’t already know, NGINX is what powers 4 out of every 10 web servers on the Internet and is (today) an open-source platform. The action was brought on by the owners of Rambler.ru, a popular Russian search engine and Internet portal. They claim that the code of NGINX was written by an employee of theirs and, therefore, the code is also technically theirs. There’s only one problem: that was over 15 years ago, and well beyond the statute of limitations, as the chief of staff of presidential candidate Alexei Navalny tweeted in Russian:

image of nginx raid tweet

Given the plainly obvious statute of limitations, one is left wondering “why now?” and “what is the ulterior motive here?” Whatever it is, it is probably quite ugly.
