My Hospital Caught a Virus | How Healthcare Is Sick With Cyber

As the recent global panic surrounding the “Wuhan Coronavirus” demonstrates, health is everyone’s top priority, and anything that endangers it has to be considered a grave threat. But recent events have shown that the biggest challenge facing our healthcare systems is not a biological virus but a computerized one. Numerous hospitals, clinics and other healthcare facilities, from care centers to dental clinics, have suffered cyber attacks in the last few years, forcing them to shut down, postpone treatments or manage operations with pen and paper. The recent wave of attacks against healthcare facilities started with the WannaCry infection of 2017, and even though there hasn’t been any single cyber attack of that magnitude since, we’ve witnessed a steady rise in the number and severity of incidents since that watershed moment.


Cyber Attacks on Healthcare: A Global Epidemic

It is estimated that data breaches cost the US healthcare industry $4 billion in 2019. In a survey, a staggering 93% of respondents from healthcare organizations said that they had experienced a data breach in the past three years.

In the UK, things are no different. Another survey found that 67% of healthcare organizations had suffered a cyber security incident in the last 12 months, and nearly half of the incidents occurred as a result of malware. Cyber attacks have also hit hospitals and healthcare facilities in the EU, APAC and Australia, making this a truly global epidemic.

How can this uptick in cyber attacks on healthcare providers be explained? Let’s take a look at the threats and challenges the industry is facing.

Cyber Challenges to Healthcare in 2020

Hospitals are a rare breed of IT-heavy environments with very little ability to impose the necessary security controls. As such, they suffer from all the “ailments” of modern organizations when it comes to cyber: phishing, ransomware attacks, data theft and even fraud. But unlike a regular enterprise, hospitals suffer from insufficient security resources, abundant legacy systems, multiple operational and IT networks, often without proper segmentation, and to top it off, a shortage of dedicated security personnel.

Hospitals are Complex Environments

One of the major security challenges in hospitals is the complexity of the environment. This alone makes security much harder than in the ordinary enterprise. A hospital can contain a number of IT networks, operational networks, connected medical equipment, legacy IT and OT systems such as HVAC systems, and other industrial machinery such as generators. Many of these systems are old and have not been patched for years. Others are legacy systems, and it is anybody’s guess just how many security flaws they suffer from. Then there’s the medical equipment: very sensitive, expensive and mission critical. All these factors make it hard to deploy standard security solutions to secure the environment.

‘Service First’ Is an Obstacle to Security

A modern hospital treats thousands of patients every day and is now required to be able to provide digital services in addition to physical ones. This means that stringent cybersecurity measures are difficult to employ, since anything that is considered a nuisance will detract from the “customer experience” and cause patients to complain that their welfare is not the top priority. Staff are geared toward providing the best medical care for patients, and are much less security-minded than employees in other sectors.

A Lack of Security Expertise Is Common

A survey conducted two years ago found that 84% of hospitals were operating without a dedicated security executive. In one respect, that’s because the healthcare industry suffers from the same challenges as all the rest when it comes to recruiting security personnel, who are hard to find and expensive to hire and retain. But the situation is comparatively worse for healthcare than for other sectors facing the same challenges.

Healthcare organizations typically have lower budgets for security than other types of organizations, which makes it difficult for them to compete in terms of attractive salaries and remuneration packages given the small pool of talent available. In addition, the wide range and specialist nature of medical devices used in healthcare make it even more difficult to find staff with the requisite skills. A candidate with only a Windows security background is not going to be sufficient.

With a shortage of staff and a lack of the requisite expertise, the attack surface in healthcare is growing over time, as more unmanaged, unpatched devices with unknown flaws continue to appear on the network.

Heavy Regulation Is a Boon…and a Bane

The healthcare industry is heavily regulated. This is positive because it forces institutions to take patients’ privacy seriously. However, it also means that shifting from older, more vulnerable infrastructure to a modern, secured cloud environment is challenging.

In one survey, over half of the participants said they had 50 or more data sources that needed to be inventoried and assessed for sensitive data content.

According to the study, the sheer quantity, variety, and velocity of data being consumed by healthcare organizations exceeds the capacity of the access and monitoring tools available to them, meaning it’s impossible to fully secure the personal data crisscrossing their networks.

The Security Threats Facing Healthcare

Given the challenging nature of securing healthcare organizations, it’s vital to have a clear idea of where threats can come from. The security threats to this sector can be divided into two distinct classes: general threats and focused threats.

General threats such as ransomware, credential theft, and malware infection do not target the healthcare sector specifically, but as explained above, the nature of the environment makes healthcare organizations extremely susceptible to indiscriminate attacks. As we’ve seen over the last 12 to 18 months in the US, the increase in cheap, ransomware-as-a-service products has made it possible for a whole new class of low-level, unskilled threat actors to try their hand at criminal enterprise.

Targeted threats are much more menacing. These can include data theft of specific medical information as well as tampering with medical devices. 

In attacks targeting the Singapore health system, the non-medical personal data of 1.5 million SingHealth patients was stolen, and 160,000 of those patients also had their dispensed-medicine records taken, including personal data belonging to the nation’s prime minister, Lee Hsien Loong.

Attacks against medical devices have proven to be possible and potentially lethal. Last year, the U.S. Food and Drug Administration (FDA) issued a warning about two security flaws affecting dozens of implantable cardioverter defibrillators, and very recently the EU has issued guidelines for medical device cybersecurity, showing that regulators around the world are taking this threat seriously. 

However, unlike “traditional” threats, mitigating the risk to medical devices is almost exclusively up to the device manufacturers, and in some cases can require replacing an older machine for a newer one. That might be an unrealistic expectation given that some medical equipment – think, MRI machines – is so expensive that hospital administrators will prefer to “take their chances” and continue to operate vulnerable machines instead of replacing them with newer, costlier models.

Problems Persist After Security Breaches

A study published by researchers at Vanderbilt and the University of Central Florida found higher mortality rates for heart attacks at hospitals that had been affected by cyber attacks. At these hospitals, it took 2.7 minutes longer to give patients an ECG in the years following a data breach.

This is likely due to a dual impact: a psychological one arising from doctors and nurses losing trust in their digital equipment, and a procedural one resulting from medical staff having to adapt to new IT procedures aimed at reducing cyber risk.

And What About the Financial Cost?

Nations and individuals spend a fortune on healthcare, and these costs are growing every year. With an aging population, reduced efficiency of treatments such as antibiotics, addition of new diseases and the public outcry over cuts to budgets, it is not surprising that healthcare facilities operate on a tight and diminishing budget.

Adopting new cybersecurity solutions within this budget may be challenging, but it is a necessity. Given that this is the case, healthcare operators should ask themselves what the cost of being the victim of a cyberattack would be. For instance, Erie County Medical Center suffered an intrusion that brought down the hospital’s computer system and cost almost $10 million, a hefty sum for a single attack that far outweighs the cost of a security solution that could have prevented it. It is advisable to analyze how such attacks manifest and invest in preventing or neutralizing these attack vectors. Since attacks that cripple healthcare and other facilities involve malware on, or intrusion of, physical devices, securing endpoints is where most of the security budget should be spent.

Conclusion

With vast amounts of personally identifiable information (PII) of the most sensitive kind, a lack of security expertise, insufficient budget and a large attack surface, it is hardly any wonder that healthcare organizations are firmly in the sights of cyber criminals. The answer to these challenges lies in protecting every endpoint that can be protected and having visibility into everything else. SentinelOne’s unique, single agent solution offers both advanced protection and full visibility in one easy-to-use product. If you would like to find out more about how SentinelOne can help secure your organization, contact us or request a free demo.



Read more about Cyber Security

Xerox sweetens HP offer to $24 per share as take-over drama continues

Ever since Xerox set its sights on HP last November, the companies have been engaged in an ongoing battle. Xerox would like very much to take over the much larger HP, while the printer giant has so far rejected Xerox’s advances. Today, Xerox decided to sweeten the pot, raising its offer by two dollars per share, from $22 to $24, or about $34 billion in total.

The company says it will make a tender offer officially on around March 2nd, which should give it more time to lobby shareholders, but Xerox claims to have spoken to larger HP stockholders, and they believe the larger number could finally push this over the finish line. Given HP’s previous reluctance, that remains to be seen.

“Xerox has met, in some cases multiple times, with many of HP’s largest stockholders. These stockholders consistently state that they want the enhanced returns, improved growth prospects and best-in-class human capital that will result from a combination of Xerox and HP. The tender offer announced today will enable these stockholders to accept Xerox’s compelling offer despite HP’s consistent refusal to pursue the opportunity,” the company wrote in a statement today.

The current dance between the two companies dates back to last fall, with Xerox believing the two companies would match up well together to become a printer giant, while HP’s board unanimously rejected the offer.

In a rejection letter last November, the company made clear it didn’t appreciate or welcome Xerox’s overtures:

“We reiterate that we reject Xerox’s proposal as it significantly undervalues HP.

“Additionally, it is highly conditional and uncertain. In particular, there continues to be uncertainty regarding Xerox’s ability to raise the cash portion of the proposed consideration and concerns regarding the prudence of the resulting outsized debt burden on the value of the combined company’s stock even if the financing were obtained,” the letter stated.

At the end of November, Xerox vowed to take the offer to shareholders. More recently, it said it would try to replace all of the HP board members who rejected the offer previously with a friendlier slate of candidates. That is slated to be voted on by stockholders at the HP stockholders meeting in April.

HP has not responded yet to this latest offer. Surprisingly, HP stock was down $0.12/share, or 0.81%, in early trading.

Note: We requested comment from HP, but had not heard from the company as we went to publish. Should this change we will update the report.

Amazon wants to depose president and secretary of Defense as part of JEDI protest

Today, AWS made public its Motion to Supplement the Record in its protest of the JEDI contract decision. As part of that process, the company has announced it wants to depose President Trump and Secretary of Defense Mark Esper.

When Amazon announced at the end of last year that it was protesting the DoD’s decision to award the $10 billion, decade-long JEDI contract to Microsoft, the company made clear that it was not happy with the decision. The company believes that the president steered the contract away from Amazon because of personal political differences with Amazon CEO Jeff Bezos, who also owns The Washington Post.

“President Trump has repeatedly demonstrated his willingness to use his position as President and Commander in Chief to interfere with government functions – including federal procurements – to advance his personal agenda. The preservation of public confidence in the nation’s procurement process requires discovery and supplementation of the administrative record, particularly in light of President Trump’s order to ‘screw Amazon.’ The question is whether the President of the United States should be allowed to use the budget of the DoD to pursue his own personal and political ends,” an AWS spokesperson said in a statement.

This is consistent with public statements the company has been making since the DoD made the surprise decision in October to go with Microsoft. It had been widely believed that Amazon would win the contract, and there was much wrangling and complaining throughout the procurement process that the contract had been designed to favor Amazon, something that the DoD repeatedly denied.

At AWS re:Invent at the end of last year, AWS CEO Andy Jassy made it clear he was unhappy with the decision and that he believed the president showed bias. “I think that we ended up with a situation where there was political interference. When you have a sitting president, who has shared openly his disdain for a company, and the leader of that company, it makes it really difficult for government agencies, including the DoD, to make objective decisions without fear of reprisal,” Jassy said last year.

Sources say that the DoD gave Amazon a written debriefing after the decision to award the contract to Microsoft, but the company is particularly upset that the department has failed to respond in a timely fashion to requests for additional information and questions, as required by law.

Facebook Workplace co-founder launches downtime fire alarm Kintaba

“It’s an open secret that every company is on fire,” says Kintaba co-founder John Egan. “At any given moment something is going horribly wrong in a way that it has never gone wrong before.” Code failure downtimes, server outages and hack attacks plague engineering teams. Yet the tools for waking up the right employees, assembling a team to fix the problem and doing a post-mortem to assess how to prevent it from happening again can be as chaotic as the crisis itself.

Text messages, Slack channels, task managers and Google Docs aren’t sufficient for actually learning from mistakes. Alerting systems like PagerDuty focus on the rapid response, but not the educational process in the aftermath. Finally, there’s a more holistic solution to incident response with today’s launch of Kintaba.

The Kintaba team experienced these pains firsthand while working at Facebook after Egan and Zac Morris’ Y Combinator-backed data transfer startup Caffeinated Mind was acqui-hired in 2012. Years later, when they tried to build a blockchain startup and the whole stack was constantly in flames, they longed for a better incident alert tool. So they built one themselves and named it after the Japanese art of Kintsugi, where gold is used to fill in cracked pottery, “which teaches us to embrace the imperfect and to value the repaired,” Egan says.

With today’s launch, Kintaba offers a clear dashboard where everyone in the company can see what major problems have cropped up, plus who’s responding and how. Kintaba’s live activity log and collaboration space for responders let them debate and analyze their mitigation moves. It integrates with Slack, and lets team members subscribe to different levels of alerts or search through issues with categorized hashtags.

“The ability to turn catastrophes into opportunities is one of the biggest differentiating factors between successful and unsuccessful teams and companies,” says Egan. That’s why Kintaba doesn’t stop when your outage does.

Kintaba Founders (from left): John Egan, Zac Morris and Cole Potrocky

As the fire gets contained, Kintaba provides a rich text editor connected to its dashboard for quickly constructing a post-mortem of what went wrong, why, what fixes were tried, what worked and how to safeguard systems for the future. Its automated scheduling assistant helps teams plan meetings to internalize the post-mortem.

Kintaba’s well-pedigreed team and their approach to an unsexy but critical software-as-a-service attracted $2.25 million in funding led by New York’s FirstMark Capital.

“All these features add up to Kintaba taking away all the annoying administrative overhead and organization that comes with running a successful modern incident management practice,” says Egan, “so you can focus on fixing the big issues and learning from the experience.”

Egan, Morris and Cole Potrocky met while working at Facebook, which is known for spawning other enterprise productivity startups based on its top-notch internal tools. Facebook co-founder Dustin Moskovitz built a task management system to reduce how many meetings he had to hold, then left to turn that into Asana, which filed to go public this week.

The trio had been working on internal communication and engineering tools as well as the procedures for employing them. “We saw firsthand working at companies like Facebook how powerful those practices can be and wanted to make them easier for anyone to implement without having to stitch a bunch of tools together,” Egan tells me. He stuck around to co-found Facebook’s enterprise collaboration suite Workplace while Potrocky built engineering architecture there and Morris became a mobile security lead at Uber.

Like many blockchain projects, Kintaba’s predecessor, crypto collectibles wallet Vault, proved an engineering nightmare without clear product market fit. So the team ditched it and pivoted to build out the internal alerting tool they’d been tinkering with. That origin story sounds a lot like Slack’s, which began as a gaming company that pivoted to turn its internal chat tool into a business.

So what’s the difference between Kintaba and just using Slack and email or a monitoring tool like PagerDuty, Splunk’s VictorOps or Atlassian’s OpsGenie? Here’s how Egan breaks down a site downtime situation handled with Kintaba:

You’re on call and your pager is blowing up because all your servers have stopped serving data. You’re overwhelmed and the root cause could be any of the multitude of systems sending you alerts. With Kintaba, you aren’t left to fend for yourself. You declare an incident with high severity and the system creates a collaborative space that automatically adds an experienced IMOC (incident manager on call) along with other relevant on-calls. Kintaba also posts in a company-wide incident Slack channel. Now you can work together to solve the problem right inside the incident’s collaborative space or in Slack while simultaneously keeping stakeholders updated by directing them to the Kintaba incident page instead of sending out update emails. Interested parties can get quick info from the stickied comments and #tags. Once the incident is resolved, Kintaba helps you write a postmortem of what went wrong, how it was fixed, and what will be done to prevent it from happening. Kintaba then automatically distributes the postmortem and sets up an incident review on your calendar.

Essentially, instead of having one employee panicking about what to do until the team struggles to coordinate across a bunch of fragmented messaging threads, a smoother incident reporting process and all the discussion happens in Kintaba. And if there’s a security breach that a non-engineer notices, they can launch a Kintaba alert and assemble the legal and PR team to help, too.

Alternatively, Egan describes the downtime fiascoes he’d experience without Kintaba like this:

The on call has to start waking up their management chain to try and figure out who needs to be involved. The team maybe throws a Slack channel together but since there’s no common high severity incident management system and so many teams are affected by the downtime, other teams are also throwing Slack channels together, email threads are happening all over the place, and multiple groups of people are trying to solve the problem at once. Engineers begin stepping all over each other and sales teams start emailing managers demanding to know what’s happening. Once the problem is solved, no one thinks to write up a postmortem and even if they do it only gets distributed to a few people and isn’t saved outside that email chain. Managers blame each other and point fingers at people instead of taking a level-headed approach to reviewing the process that led to the failure. In short: panic, thrash, and poor communication.

While monitoring apps like PagerDuty can do a good job of indicating there’s a problem, they’re weaker at the collaborative resolution and post-mortem process, and designed just for engineers rather than everyone, like Kintaba. Egan says, “It’s kind of like comparing the difference between the warning lights on a piece of machinery and the big red emergency button on a factory floor. We’re the big red button . . . That also means you don’t have to rip out PagerDuty to use Kintaba,” since it can be the trigger that starts the Kintaba flow.

Still, Kintaba will have to prove that it’s so much better than a shared Google Doc, an adequate replacement for monitoring solutions or a necessary add-on that companies should pay $12 per user per month. PagerDuty’s deeper technical focus helped it go public a year ago, though it has fallen about 60% since to a market cap of $1.75 billion. Still, customers like Dropbox, Zoom and Vodafone rely on its SMS incident alerts, while Kintaba’s integration with Slack might not be enough to rouse coders from their slumber when something catches fire.

If Kintaba can succeed in incident resolution with today’s launch, the four-person team sees adjacent markets in task prioritization, knowledge sharing, observability and team collaboration, though those would pit it against some massive rivals. If it can’t, perhaps Slack or Microsoft Teams could be suitable soft landings for Kintaba, bringing more structured systems for dealing with major screw-ups to their communication platforms.

When asked why he wanted to build a legacy atop software that might seem a bit boring on the surface, Egan concluded that, “Companies using Kintaba should be learning faster than their competitors . . . Everyone deserves to work within a culture that grows stronger through failure.”

After $479M round on $12.4B valuation, Snowflake CEO says IPO is next step

Snowflake, the cloud-based data warehouse company, doesn’t tend to do small rounds. On Friday night word leaked out about its latest mega round. This one was for $479 million on a $12.4 billion valuation. That’s triple the company’s previous $3.9 billion valuation from October 2018, and CEO Frank Slootman suggested that the company’s next finance event is likely an IPO.

Dragoneer Investment led the round along with new investor Salesforce Ventures. Existing Snowflake investors Altimeter Capital, ICONIQ Capital, Madrona Venture Group, Redpoint Ventures, Sequoia, and Sutter Hill Ventures also participated. The new round brings the total raised to over $1.4 billion, according to PitchBook data.

All of this investment raises the question of when this company will go public. As you might expect, Slootman is keeping his cards close to the vest, but he acknowledges that it is the next logical step for his organization, even if he is not feeling pressure to make that move right now.

“I think the earliest that we could actually pull that trigger is probably early- to mid-summer timeframe. But whether we do that or not is a totally different question because we’re not in a hurry, and we’re not getting pressure from investors,” he said.

He grants that the pressure is about allowing employees to get their equity out of the company, which can only happen once the company goes public. “The only reason that there’s always a sense of pressure around this is because it’s important for employees, and I’m not minimizing that at all. That’s a legitimate thing. So, you know, it’s certainly a possibility in 2020 but it’s also a possibility the year thereafter. I don’t see it happening any later than that,” he said.

The company’s most recent round prior to this was $450 million in October 2018. Slootman says that he absolutely didn’t need the money, but the capital was there, and the chance to forge a relationship with Salesforce also was key in their thinking in taking this funding.

“At a high level, the relationship is really about allowing Salesforce data to be easily accessed inside Snowflake. Not that it’s impossible to do that today because there are lots of tools that will help you do that, but this relationship is about making that seamless and frictionless, which we find is really important,” Slootman said.

Snowflake now has relationships with AWS, Microsoft Azure and Google Cloud Platform, and has a broad content strategy to bring as much quality data (such as Salesforce data) onto the platform as possible. Slootman says that this helps induce a network effect, while helping move data easily between major cloud platforms, a big concern as more companies adopt a multiple cloud vendor strategy.

“One of the key distinguishing architectural aspects of Snowflake is that once you’re on our platform, it’s extremely easy to exchange data with other Snowflake users. That’s one of the key architectural underpinnings. So content strategy induces network effect which in turn causes more people, more data to land on the platform, and that serves our business model,” he said.

Slootman says investors want to be part of his company because it’s solving some real data interchange pain points in the cloud market, and the company’s growth shows that, in spite of its size, it continues to attract new customers at a high rate.

“We just closed off our previous fiscal year which ended last Friday, and our revenue grew at 174%. For the scale that we are, this is by far the fastest growing company out there…So, that’s not your average asset,” he said.

The company has 3400 active customers, which he defines as customers who were actively using the platform in the last month. He says that they have added 500 new customers alone in the last quarter.

Dangerous Domain Corp.com Goes Up for Sale

As an early domain name investor, Mike O’Connor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years O’Connor refused to auction perhaps the most sensitive domain in his stable — corp.com. It is sensitive because years of testing shows whoever wields it would have access to an unending stream of passwords, email and other proprietary data belonging to hundreds of thousands of systems at major companies around the globe.

Now, facing 70 and seeking to simplify his estate, O’Connor is finally selling corp.com. The asking price — $1.7 million — is hardly outlandish for a 4-letter domain with such strong commercial appeal. O’Connor said he hopes Microsoft Corp. will buy it, but fears they won’t and instead it will get snatched up by someone working with organized cybercriminals or state-funded hacking groups bent on undermining the interests of Western corporations.

One reason O’Connor hopes Microsoft will buy it is that by virtue of the unique way that Windows handles resolving domain names on a local network, virtually all of the computers trying to share sensitive data with corp.com are somewhat confused Windows PCs. More importantly, early versions of Windows actually encouraged the adoption of insecure settings that made it more likely Windows computers might try to share sensitive data with corp.com.

At issue is a problem known as “namespace collision,” a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

Windows computers on an internal corporate network validate other things on that network using a Microsoft innovation called Active Directory, which is the umbrella term for a broad range of identity-related services in Windows environments. A core part of the way these things find each other involves a Windows feature called “DNS name devolution,” which is a kind of network shorthand that makes it easier to find other computers or servers without having to specify a full, legitimate domain name for those resources.

For instance, if a company runs an internal network with the name internalnetwork.example.com, and an employee on that network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; typing “drive1” alone will suffice, and Windows takes care of the rest.

But things can get far trickier with an internal Windows domain that does not map back to a second-level domain the organization actually owns and controls. And unfortunately, in early versions of Windows that supported Active Directory — Windows 2000 Server, for example — the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.

Compounding things further, some companies then went on to build (and/or assimilate) vast networks of networks on top of this erroneous setting.

Now, none of this was much of a security concern back in the day when it was impractical for employees to lug their bulky desktop computers and monitors outside of the corporate network. But what happens when an employee working at a company with an Active Directory network path called “corp” takes a company laptop to the local Starbucks?

Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”

In practical terms, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being taken outside of a corporate environment which uses this “corp” designation for its Active Directory domain.
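As an added illustration (not code from the article, from JAS Global Advisors or from Microsoft), the following Python models the name-completion and devolution behaviour described above and lets an administrator check which lookups from a given Active Directory domain name would fall outside zones the organization actually owns. It assumes the classic Windows rule of stripping one leading label from the primary DNS suffix at a time until two labels remain; the domain names and the owned-zone list are constructed for the example, and the check is generalized to any AD domain, not only the bare “corp” case.

```python
"""Defender-side check for Active Directory DNS namespace-collision risk.

Models the resolver behaviour the article describes: an unqualified name
such as "drive1" is completed with the machine's primary DNS suffix (the
AD domain), and DNS name devolution then retries with the leading label
stripped until two labels remain.  Any candidate name whose suffix is not
a zone the organization owns is outside its control and may resolve on the
public Internet once the laptop leaves the corporate network.
"""
from __future__ import annotations


def devolve(suffix: str, min_labels: int = 2) -> list[str]:
    """Return the suffixes a devolving resolver tries, longest first.

    Assumption (classic Windows rule): strip one leading label at a time
    and stop once `min_labels` labels remain.  A single-label suffix such
    as "corp" therefore yields only itself.
    """
    labels = [lbl for lbl in suffix.strip(".").lower().split(".") if lbl]
    tried: list[str] = []
    while labels:
        tried.append(".".join(labels))
        if len(labels) <= min_labels:
            break
        labels = labels[1:]
    return tried


def candidate_names(hostname: str, primary_suffix: str) -> list[str]:
    """FQDNs the resolver tries, in order, for a hostname typed by a user."""
    if "." in hostname.strip("."):
        return [hostname.strip(".").lower()]  # already qualified: tried as-is
    return [f"{hostname.lower()}.{s}" for s in devolve(primary_suffix)]


def is_under_owned_zone(fqdn: str, owned_zones: set[str]) -> bool:
    """True if fqdn is an owned zone itself or a name beneath one."""
    name = fqdn.lower().rstrip(".")
    zones = {z.lower().strip(".") for z in owned_zones}
    return any(name == z or name.endswith("." + z) for z in zones)


def assess(hostname: str, ad_domain: str, owned_zones: set[str]) -> dict:
    """Report which candidate lookups escape the zones the org controls."""
    candidates = candidate_names(hostname, ad_domain)
    leaking = [c for c in candidates if not is_under_owned_zone(c, owned_zones)]
    single_label = len([l for l in ad_domain.strip(".").split(".") if l]) == 1
    return {
        "ad_domain": ad_domain,
        "candidates": candidates,
        "leaking": leaking,
        "single_label": single_label,
        "at_risk": bool(leaking) or single_label,
    }


if __name__ == "__main__":
    # Constructed inventory: the zones this (hypothetical) organization owns
    # and the AD domain names found across its forests.
    owned = {"example.com"}
    inventory = ["internalnetwork.example.com", "corp", "corp.example.net"]
    for ad in inventory:
        report = assess("drive1", ad, owned)
        flag = "AT RISK" if report["at_risk"] else "ok"
        print(f"{ad:30} {flag:8} tries={report['candidates']} "
              f"leaking={report['leaking']} single_label={report['single_label']}")
```

The article's own example, an AD domain of internalnetwork.example.com, produces only names beneath example.com and passes, while the bare "corp" domain and a domain rooted in a zone the organization does not own are both flagged.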

INSTANT CORPORATE BOTNET, ANYONE?

That’s according to Jeff Schmidt, a security expert who conducted a lengthy study on DNS namespace collisions funded in part by grants from the U.S. Department of Homeland Security. As part of that analysis, Schmidt convinced O’Connor to hold off selling corp.com so he and others could better understand and document the volume and types of traffic flowing to it each day.

During an eight-month analysis of wayward internal corporate traffic destined for corp.com in 2019, Schmidt found more than 375,000 Windows PCs were trying to send this domain information it had no business receiving, including attempts to log in to internal corporate networks and access specific file shares on those networks.

For a brief period during that testing, Schmidt’s company JAS Global Advisors accepted connections at corp.com that mimicked the way local Windows networks handle logins and file-sharing attempts.

“It was terrifying,” Schmidt said. “We discontinued the experiment after 15 minutes and destroyed the data. A well-known offensive tester that consulted with JAS on this remarked that during the experiment it was ‘raining credentials’ and that he’d never seen anything like it.”

Likewise, JAS temporarily configured corp.com to accept incoming email.

“After about an hour we received in excess of 12 million emails and discontinued the experiment,” Schmidt said. “While the vast majority of the emails were of an automated nature, we found some of the emails to be sensitive and thus destroyed the entire corpus without further analysis.”

Schmidt said he and others concluded that whoever ends up controlling corp.com could have an instant botnet of well-connected enterprise machines.

“Hundreds of thousands of machines directly exploitable and countless more exploitable via lateral movement once in the enterprise,” he said. “Want an instant foothold into about 30 of the world’s largest companies according to the Forbes Global 2000? Control corp.com.”

THE EARLY ADVENTURES OF CORP.COM

Schmidt’s findings closely mirror what O’Connor discovered in the few years corp.com was live on the Internet after he initially registered it back in 1994. O’Connor said early versions of a now-defunct Web site building tool called Microsoft FrontPage suggested corporation.com (another domain registered early on by O’Connor) as an example domain in its setup wizard.

That experience, portions of which are still indexed by the indispensable Internet Archive, saw O’Connor briefly redirecting queries for the domain to the Web site of a local adult sex toy shop as a joke. He soon got angry emails from confused people who’d also CC’d Microsoft co-founder Bill Gates.

Archive.org’s index of corp.com from 1997, when its owner Mike O’Connor briefly enabled a Web site mainly to shame Microsoft for the default settings of its software.

O’Connor said he also briefly enabled an email server on corp.com, mainly out of morbid curiosity to see what would happen next.

“Right away I started getting sensitive emails, including pre-releases of corporate financial filings with The U.S. Securities and Exchange Commission, human resources reports and all kinds of scary things,” O’Connor recalled in an interview with KrebsOnSecurity. “For a while, I would try to correspond back to corporations that were making these mistakes, but most of them didn’t know what to do with that. So I finally just turned it off.”

TOXIC WASTE CLEANUP IS HARD

Microsoft declined to answer specific questions in response to Schmidt’s findings on the wayward corp.com traffic. But a spokesperson for the company shared a written statement acknowledging that “we sometimes reference ‘corp’ as a label in our naming documentation.”

“We recommend customers own second level domains to prevent being routed to the internet,” the statement reads, linking to this Microsoft Technet article on best practices for setting up domains in Active Directory.

Over the years, Microsoft has shipped several software updates to help decrease the likelihood of namespace collisions that could create a security problem for companies that still rely on Active Directory domains that do not map to a domain they control.

But both O’Connor and Schmidt say hardly any vulnerable organizations have deployed these fixes, for two reasons. First, doing so requires the organization to take down its entire Active Directory network simultaneously for some period of time. Second, according to Microsoft, applying the patch(es) will likely break or at least slow down a number of applications that the affected organization relies upon for day-to-day operations.

Faced with either or both of these scenarios, most affected companies probably decided the actual risk of not applying these updates was comparatively low, O’Connor said.

“The problem is that when you read the instructions for doing the repair, you realize that what they’re saying is, ‘Okay Megacorp, in order to apply this patch and for everything to work right, you have to take down all of your Active Directory services network-wide, and when you bring them back up after you applied the patch, a lot of your servers may not work properly’,” O’Connor said.

Curiously, Schmidt shared slides from a report submitted to a working group on namespace collisions suggesting that at least some of the queries corp.com received while he was monitoring it may have come from Microsoft’s own internal networks.

Image: JAS Global Advisors

“The reason I believe this is Microsoft’s issue to solve is that someone that followed Microsoft’s recommendations when establishing an active directory several years back now has a problem,” Schmidt said.

“Even if all patches are applied and updated to Windows 10,” he continued. “And the problem will persist while there are active directories named ‘corp’ – which is forever. More practically, if corp.com falls into bad hands, the impact will be on Microsoft enterprise clients – and at large scale – paying, Microsoft clients they should protect.”

Asked why he didn’t just give corp.com to Microsoft as an altruistic gesture, O’Connor said the software giant ought to be accountable for its products and mistakes.

“It seems to me that Microsoft should stand up and shoulder the burden of the mistake they made,” he said. “But they’ve shown no real interest in doing that, and so I’ve shown no interest in giving it to them. I don’t really need the money. I’m basically auctioning off a chemical waste dump because I don’t want to pass it on to my kids and burden them with it. My frustration here is the good guys don’t care and the bad guys probably don’t know about it. But I expect the bad guys would like it.”

Further reading:

Mitigating the Risk of DNS Namespace Collisions (PDF)

DEFCON 21 – DNS May Be Hazardous to your Health (Robert Stucke)

Mitigating the Risk of Name Collision-Based Man-in-the-Middle Attacks (PDF)

The Good, the Bad and the Ugly in Cybersecurity – Week 6


The Good

We’ve noted several laudable developments in bug bounty programs over recent months, and news this week that the Open Bug Bounty project has racked up 272,388 vulnerability fixes and counting since its inception is certainly good cheer for website owners and web application developers. Open Bug Bounty is kind of unique in the vulnerability rewards space. For one thing, the not-for-profit program makes it simple for website owners to get help securing their sites at no cost. Rewards can be as simple as a bit of company swag, a crate of refreshing drinks or just a ‘thank you’, but there’s no obligation to reward at all. Meanwhile, security researchers can get an easy intro into the world of bug hunting and can earn various ‘badges’ for their submissions. Kudos to all those who set up the project and the researchers who participate to make the web a safer place.

image showing how to get involved in open bug bounty

More good news for defenders and bad news for young, talented ‘hackers’ who misuse their skills to the detriment of others this week as RyanRocks aka Ryan Hernandez pleaded guilty to hacking charges. Hernandez’s misdeeds began when he was 17, phishing a Nintendo employee and installing malware on the victim’s computer. Using credentials scraped from the victim, Hernandez then breached the Nintendo Developer Portal and began stealing the game console maker’s IP. The FBI first caught Hernandez in 2017, but since he was a minor, let him off with a caution. Unfortunately, RyanRocks wasn’t wise enough to realize how lucky he’d been and went back to further hacking and data theft. After catching him a second time, the FBI ensured that this time he’d be doing jail time and the rest of us would have one less hacker on the ‘streets’ to deal with. On top of facing incarceration, Hernandez has also been hit with a quarter-million dollar fine for damage caused. If only he’d spent his time and talent on something like Open Bug Bounty, instead. Sentencing is in April.

The Bad

Readers may have mixed feelings about the demise of Windows 7, but one thing is for sure: hackers are quite pleased about the end of security patches and updates to the decade-old OS. With something like 200 million devices still running the now end-of-life version of the Windows operating system, those devices make for a juicy target for bad actors. A recent campaign targeting IoT devices running Windows 7 utilizes Lemon Duck PowerShell malware to attack manufacturing sites hosting smart devices like network-connected printers, televisions and automated vehicles.

image of lemon_duck attack scripts

The news has been abuzz this week with the discovery that Gamaredon APT, a group linked to Russian intelligence and military units, has been “supercharging” its operations in recent months, improving its toolset and developing its tactics. The research suggests that while Gamaredon’s activities may be committed to targeting Ukrainian assets, the lessons the group is learning in how to conduct cyber warfare are likely being consumed by other affiliated groups and may well represent a kind of “battlefield training ground” for TTPs that may soon see use against other targets.

image of gamaredon tweet

The Ugly

Enterprises must always be on the lookout for the unexpected, and intrusion into your networks and infrastructure isn’t always mediated through a phishing or spear-phishing attack. Companies are now being warned to look out for cyber criminals who implant cleaners on the premises to conduct physical breaches. Once in, these hackers-in-disguise may plant malicious USB devices or physically remove or infect unattended hardware. Cleaners, painters and decorators, almost anyone who has access to a building out of hours, are being used to bypass company vetting and recruitment processes.

image of tweet about cybersecurity fake cleaners

The Huawei saga continued this week with the Chinese telecom company demanding that the FCC drop its designation of the company as a national security threat. While Huawei is globally one of the largest mobile device manufacturers, it also produces a wide range of other telecommunications equipment and is lined up to provide the UK with infrastructure for its 5G nationwide rollout later this year, much to the chagrin of the US government. Worries that Huawei cooperates with or actively enables Chinese government cyber espionage led the current US administration in May and then the FCC in November to label the company a threat to national security. However, in a 200-page filing this week the Chinese tech giant described the FCC’s move as “unlawful”, “misguided” and “unconstitutional”.

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Who Are the Gamaredon Group and What Do They Want?

In new research published yesterday by SentinelLabs, head of research Vitali Kremez reveals how a Russian-backed APT threat actor known as the ‘Gamaredon group’ has intensified its clandestine cyber warfare activities against Ukrainian national security and infrastructure targets, even as Russia and Ukraine go through the external motions of conflict resolution in the wake of the armed conflict that broke out in the Donbass region in 2014.

image of Gamaredon group

Who Are the Gamaredon Group?

According to the report findings, the Gamaredon group functions as a proxy for Russian intelligence and pro-Russian groups with a remit to conduct attacks such as espionage and intelligence gathering on Ukrainian military forces. In the event that armed conflict were to break out again between Ukraine and separatists, intel gathered by the Gamaredon group would help to give the pro-Russian forces a strategic edge.

But the group’s purpose is likely to extend beyond Ukraine. The report quotes Secretary of the NSDC Security Council of Ukraine Aleksey Danilov’s claim that “the country has become a testing ground for Russian cyber attacks”, and goes on to point out that Gamaredon’s activities allow the Russian military and other agencies to observe the potential of utilizing cyber warfare in a contemporary violent conflict. In other words, the group’s experience can feed into a wider understanding of how adversaries respond to its tools, tactics and procedures in order to iterate and improve those for potential use in future conflicts or against other foreign targets.

SentinelLabs telemetry shows that the group has attacked over 5000 individual entities across Ukraine, with particular focus on areas where Ukrainian troops are deployed.

image showing a map of the Ukrainian separation line

Multi-function Pterodo Custom Malware

The Computer Emergency Response Team of Ukraine (CERT-UA) has been warning for some time that the Pterodo-type malware it had been seeing on endpoints belonging to Ukrainian state authorities was likely a preparatory stage for a cyber attack. The malware gathered up system data and communicated with C2 servers via a backdoor, apparently waiting for further instructions.

However, the research showed that this toolset has been extensively updated. Social engineering campaigns serve to implant malware through obfuscated Excel and Word macros. The malware allows macro execution while disabling Visual Basic for Applications (VBA) warnings. It also uses a fake Microsoft digital certificate belonging to Microsoft Time-Stamp Service to achieve trust on the local system. More technical analysis is provided in the SentinelLabs report here.

image of Ukrainian military intelligence report on purported Russian cyber warfare action

What the Gamaredon Group Research Means to Enterprise

As the report makes clear, Gamaredon is very much a training exercise, and who better to test it on than a military adversary? While Gamaredon may currently be focused on a particular arena, it’s reasonable to assume that the lessons learned by this group in terms of espionage and data gathering are likely to be shared among other Russian intelligence agencies and cyber actors, many of whom we know are focused on both governmental and enterprise organizations in the U.S. and other countries.

SentinelOne customers are already fully protected from Gamaredon Pterodo malware, and a full list of IoCs and further technical details are available here. If you would like to see how SentinelOne’s autonomous AI solution can help protect your organization from attacks by Gamaredon and other APT groups, contact us today or request a free demo.


Where top VCs are investing in open source and dev tools (Part 1 of 2)

The once-polarizing world of open-source software has recently become one of the hotter destinations for VCs.

As the popularity of open source increases among organizations and developers, startups in the space have reached new heights and monstrous valuations.

Over the past several years, we’ve seen surging open-source companies like Databricks reach unicorn status, as well as VCs who cashed out behind a serious number of exits involving open-source and dev tool companies, deals like IBM’s Red Hat acquisition or Elastic’s late-2018 IPO. Last year, the exit spree continued with transactions like F5 Networks’ acquisition of NGINX and a number of high-profile acquisitions from mainstays like Microsoft and GitHub.

Similarly, venture investment in new startups in the space has continued to swell. More investors are taking shots at finding the next big payout, with annual invested capital in open-source and dev tool startups increasing at a roughly 10% compounded annual growth rate (CAGR) over the last five years, according to data from Crunchbase. Furthermore, attractive returns in the space seem to be adding more fuel to the fire, as open-source and dev tool startups saw more than $2 billion invested in the space in 2019 alone, per Crunchbase data.

As we close out another strong year for innovation and venture investing in the sector, we asked 18 of the top open-source-focused VCs who work at firms spanning early to growth stages to share what’s exciting them most and where they see opportunities. For purposes of length and clarity, responses have been edited and split (in no particular order) into part one and part two of this survey. In part one of our survey, we hear from:

Where top VCs are investing in open source and dev tools (Part 2 of 2)

In part two of a survey that asks top VCs about exciting opportunities in open source and dev tools, we dig into responses from 10 leading open-source-focused investors at firms that span early to growth stage across software-specific firms, corporate venture arms and prominent generalist firms.

In the conclusion to our survey, we’ll hear from:

These responses have been edited for clarity and length.