Activist investor Starboard Value taking three Box board seats as involvement deepens

When activist investor Starboard Value took a 7.5% stake in Box last September, there was reasonable speculation that it would begin to try to push an agenda, as activist investors tend to do. While the firm has been quiet to this point, today Box announced that Starboard was adding three members to the nine-member Box board.

At the same time, two long-time Box investors and allies, Rory O’Driscoll from Scale Venture Partners and Josh Stein from Threshold Ventures (formerly from DFJ), will be retiring from the board and not seeking re-election at the annual stockholder’s meeting in June.

O’Driscoll’s involvement with the company dates back a decade, and Stein has been with the company for 14 years and has been a big supporter almost from its beginning.

For starters, Jack Lazar, whose credentials include being chief financial officer at GoPro and Atheros Communications, is joining the board immediately. A second new board member, from a list to be agreed upon by Box and Starboard, will also be joining immediately.

Finally, a third member will be selected by the newly constituted board in June, giving Starboard three friendly votes and the ability to push the Box agenda in a significant way.

While this was obviously influenced by Starboard’s activist approach, a person close to the situation stressed that it was a highly collaborative effort between the two organizations, and also indicated that there was general agreement that it was time to bring in new perspectives to the board. The end goal for all concerned is to raise the stock value, and do this against the current bleak economic backdrop.

At the time it announced it was taking a stake in Box, Starboard telegraphed that it could be doing something like this. Here’s what it had to say in its filing at the time:

“Depending on various factors including, without limitation, the Issuer’s financial position and investment strategy, the price levels of the Shares, conditions in the securities markets and general economic and industry conditions, the Reporting Persons may in the future take such actions with respect to their investment in the Issuer as they deem appropriate including, without limitation, engaging in communications with management and the Board of Directors of the Issuer, engaging in discussions with stockholders of the Issuer or other third parties about the Issuer and the [Starboard’s] investment, including potential business combinations or dispositions involving the Issuer or certain of its businesses, making recommendations or proposals to the Issuer concerning changes to the capitalization, ownership structure, board structure (including board composition), potential business combinations or dispositions involving the Issuer or certain of its businesses, or suggestions for improving the Issuer’s financial and/or operational performance, purchasing additional Shares, selling some or all of their Shares, engaging in short selling of or any hedging or similar transaction with respect to the Shares…”

Box CEO Aaron Levie appeared at TechCrunch Sessions: Enterprise, the week this news about Starboard broke, and he was careful in how he discussed a possible relationship with the firm. “Well, I think in their statement actually they really just identified that they think there’s upside in the stock. It’s still very early in the conversations and process, but again we’re super collaborative in these types of situations. We want to work with all of our investors, and I think that’ll be the same here,” Levie told us at the time.

Now the company has no choice but to work more collaboratively with Starboard as it takes a much more meaningful role on the company board. What impact this will have in the long run is hard to say, but surely significant changes are likely on the way.

Ceros launches MarkUp, a design collaboration tool for live websites

When designers need to collaborate with other teams, they can currently turn to products like InVision and Zeplin. But Ceros creative director Jack Dixon said there’s a “pretty interesting gap in the market” — once you move beyond prototypes and start working with websites that are either live or in staging, the process starts to become fragmented, relying on screenshots and email/phone/Google Docs.

That’s why the company (which focuses on powering interactive content “experiences”) is launching a new product called MarkUp. The product was created by a team led by Greg DiNardo and Alex Bullington, who joined Ceros last August through the acquisition of their polling and market research startup Arbit.

Dixon, DiNardo and Bullington gave me a quick demo, showing off how users can mark areas of interest on a website, leave comments and tasks, then mark revisions as completed.

It all looked pretty simple and straightforward, but DiNardo suggested that it’s a real technical challenge — even more than he and Bullington had expected — to provide those kinds of features on top of a live site.

He added that the product’s simplicity was very much by design: “I don’t think we’re going to add a million features … The goal is honestly simplicity, something that graphic designers can kind of live in.”

Eventually, MarkUp could be used not just to solicit design feedback across teams, but also from the public at-large.

Ceros says MarkUp is free to everyone and will function separately from the core Ceros Studio platform. In fact, it’s already being used by designers at the Huffington Post, Cushman & Wakefield and Informa.

“As of today we want to remove any friction or barrier to entry, so it’s 100 percent free to [everyone],” Dixon said. “Getting the involvement of the broadest community and user base is going to be critical for this. What we’re learning is that some of the enterprise clients might pay for bigger, more grown-up features [like white labeling]. We can figure out how to monetize later.”

Update: An earlier version of this post incorrectly stated that MarkUp would only be free to Ceros customers.

Startups are helping cloud infrastructure customers avoid vendor lock-in

For much of the history of enterprise technology, companies tended to buy from a single vendor because it made managing the entire affair much easier while giving them a “single throat to choke” when something went wrong. On the flip side, it also put customers at the mercy of said vendor — and it wasn’t always pretty.

As we move deeper into the cloud model, many IT pros are looking for more flexibility than they had in the past, avoiding the vendor lock-in from the previous generation of enterprise tech, and what being beholden to a single vendor could mean for the bottom line and their own flexibility.

This is something that comes up frequently in discussions about moving workloads from one cloud to another, and is sometimes referred to as a multi-cloud approach. Customers are loath to leave their workloads in the hands of one vendor again and repeat the mistakes of the past. They are looking to have the same flexibility on the infrastructure side that they are getting in the SaaS world, where companies tend to purchase best-of-breed from multiple vendors.

That means they want the freedom to move workloads between clouds, but that’s not always as easy a prospect as it might seem, and it’s an area where startups could help lead the way.

What’s the problem?

What’s stopping customers from just moving data and applications between clouds? It turns out that there is a complex interlinking of public cloud APIs that help the applications and data work in tandem. If you want to pull out of one public cloud, it’s not a simple matter of just migrating to the next one.

Who’s Behind the ‘Web Listings’ Mail Scam?

In December 2018, KrebsOnSecurity looked at how dozens of U.S. political campaigns, cities and towns had paid a shady company called Web Listings Inc. after receiving what looked like a bill for search engine optimization (SEO) services rendered on behalf of their domain names. The story concluded that this dubious service had been scamming people and companies for more than a decade, and promised a Part II to explore who was behind Web Listings. What follows are some clues that point to a very convincing answer to that question.

Since at least 2007, Web Listings Inc. has been sending snail mail letters to domain registrants around the world. The missives appear to be an $85 bill for an “annual search engine listing” service. The notice does disclose that it is in fact a solicitation and not a bill, but the wording of the notice asserts that the recipient has already received the services in question.

Image: Better Business Bureau.

The mailer references the domain name web-listings.net, one of several similarly-named domains registered sometime in 2007 or later to a “James Madison,” who lists his address variously as a university in New Britain, Connecticut or a UPS Store mailbox in Niagara Falls, New York.

Some others include: weblistingservices.com, webservicescorp.net, websiteservicescorp.com, web-listingsinc.com, weblistingsinc.net, and weblistingsreports.net. At some point, each of these domains changes the owner’s name from James Madison to “Mark Carter.” As we’ll see, Mark is a name that comes up quite a bit in this investigation.

Image: Better Business Bureau.

A Twitter account for Web Listings Inc. has posts dating back to 2010, and points to even more Web Listings domains, including weblistingsinc.org. Cached versions of weblistingsinc.org at archive.org show logos similar to the one featured on the Web Listings mailer, and early versions of the site reference a number of “business partners” in India that also perform SEO services.

Searching the Internet for some of these Web listing domains mentioned in the company’s Twitter account brings up a series of press releases once issued on behalf of the company. One from May 2011 at onlineprnews.com sings the praises of Weblistingsinc.info, weblistingsinc.org and web-listings.net in the same release, and lists the point of contact simply as “Mark.”

Historic WHOIS registration records from Domaintools [an advertiser on this blog] say Weblistingsinc.org was registered in Nov. 2010 to a Mark Scott in Blairgowrie, Scotland, using the email address clientnews@reputationmanagementfor.com.

Reputationmanagementfor.com bills itself as an online service for “fighting negative and incorrect content on the internet,” which is especially interesting for reasons that should become clearer in a few paragraphs. The site says Mark Scott, 46, is an employee of Reputationmanagementfor.com, and that he is also involved with two other companies:

-GoBananas, a business that sets up group outings, with a focus on bachelor and bachelorette parties;

-HelpMeGo.to, an entity in Scotland that did online marketing and travel tourism both in Scotland (via sites like Scotland.org.uk and marketinghotelsonline.co.uk) and on India’s coastal Kerala state where HelpMeGo.to employed a number of people involved in the SEO business. Helpmego.to now simply redirects to GoBananas.

According to Farsight Security, a company that keeps historic records of which Web sites were hosted at which Internet addresses, Weblistingsinc.org was for a while hosted at the IP address 68.169.45.65 with just six other domains, including travelingalberta.com, which was a blog about traveling and living in Alberta, Canada registered to Mark Scott and the email address management@helpmego.to. Cached versions of this site from 2011 show it naming Web Listings Inc. as a business partner.

That same management@helpmego.to email address is tied to the WHOIS records for markscottblog.com, gobananas.co.uk and gobananas.com. Cached copies of markscottblog.com from 2010 at Archive.org show that his profile page on blogger.com links to another blog with much the same content, images and links called internetmadness.blogspot.com.

Among the 2011 entries from the Internetmadness blog is a post promoting the wonders and benefits of Web Listings Inc.

A cached copy of Mark Scott’s blog Internet Madness from 2011 promotes Web Listings Inc.

THE COBRA/APPCO GROUP

Aha! But wait, there’s more. You see, for years Weblistingsinc.org was hosted on the same servers along with a handful of other domains that all switched Internet addresses at the same times, including gobananas.com, gobananasworld.com and the IP addresses 107.20.142.166 (17 hosts), 54.85.65.241 (6 hosts).

Most of the other domains at these IPs historically have been tied to other domains connected to Mark Scott and his various companies and business partners, including chrisniarchos.net, redwoodsadvance.net, gdsinternationalus.com, staghensscotlands.com, cobra-group.blogspot.com, the-cobra-group.com, appcogroup.co.uk, and reputationmanagementfor.com.

I found a similar pattern with domains stemming from a Crunchbase company profile on Web Listings Inc., which says the firm is based in Toronto, Canada, with the Web site webtechnologiesinc.net, and email address webtechnologiesletter@gmail.com. Historic WHOIS data from Domaintools.com says Webtechnologiesinc.net was registered in 2013 to a Marcus Ruskov in Toronto.

Information about who registered Webtechnologiesletter.com is completely hidden behind privacy protection services. But Farsight says the domain was in 2015 hosted at the Internet address 54.77.128.87, along with just 70 other domains, including the same list of domains mentioned above, chrisniarchos.net, redwoodsadvance.net, gdsinternationalus.com, et cetera.

What do all of these domains have in common? They are tied to companies for which Mark Scott was listed as a key contact. For example, this press release from 2011 says Mark Scott is the contact person for a company called Appco Group UK, which bills itself as a market leader in face-to-face marketing and sales.

“Worldwide, Appco Group has raised hundreds of millions of pounds for some of the world’s biggest charities, delivered pay-TV and broadband services, financial services, security and many other successful marketing solutions on a diverse range of products,” the press release enthuses.

The Appco Group is the re-branded name of a family of marketing and sales companies originally created under the name The Cobra Group, whose Wikipedia page states that it is a door-to-door selling and marketing company headquartered in Hong Kong. It says investigations by the media have found the company promises much larger compensation rates than employees actually receive.

“It is also criticized for being a cult, a scam and a pyramid scheme,” the entry reads.

The Cobra Group and its multifariously named direct sales and marketing companies are probably best described as “multi-level marketing” schemes; that is, entities which often sell products and/or services of dubious quality, use high-pressure sales tactics and misleading if not deceptive advertising practices, and offer little to no employee payment for anything other than direct sales.

Even the most cursory amount of time spent searching the Internet for information on some of the companies named above (Appco Group, Cobra Group, Redwoods Advance, GDS International) reveals a mountain of bad press and horrible stories from former employees.

For example, Appco salespeople became known as “charity muggers” because they were trained to solicit donations on behalf of charities from random people on the street, and because media outlets later discovered that the people running Appco kept the majority of the millions of dollars they raised for the charities.

This exhaustive breakdown on the door-to-door sales industry traces Cobra and Appco Group back to a long line of companies that simply renamed and rebranded each time a scandal inevitably befell them.

Now it makes sense why Web Listings Inc. had so many confusingly-named domain names. And this might also explain the primary role of Mr. Scott’s business — the online reputation management company reputationmanagementfor.com — in relation to the Cobra Group/Appco’s efforts to burnish its reputation online.

A partial screenshot of a mind map I used to keep track of the myriad connections between various Web Listings domains and their owners. This map was created with MindNode Pro for Mac.

Mark Scott did not respond to multiple requests for comment sent to various email addresses and phone numbers tied to his name. However, KrebsOnSecurity did receive a response from Cobra Group founder Chris Niarchos, a Toronto native who said this was the first he’d heard of the Web Listings scam.

“Mark used to provide some services to us but my understanding was that stopped a long time ago,” Niarchos said. “He used to own a marketing company that we supplied but that contract ended maybe 12 years ago. That’s how we met. After that he did start some internet based businesses where he sold services to us as a customer at arms length. That also stopped many years ago again as we did it all in house. As far as I know he did this for many companies and we were simply a customer of his. In my dealings with him we got what we paid for but never did we have any closer relationship than that.”

USA CONNECTIONS

Two more small — possibly insignificant — but interesting things. First, if we go back and look at archived posts from markscottblog.com in 2010, we can see a number of entries where he defends the honor of Cobra Group, Appco, and other multi-level marketing programs he supports, saying they’re not scams. If we go back further to 2008 and look at Mark Scott’s profile on Blogger.com, we can see at the bottom of the page a link called “Enquiries and Emails.”

Visiting that link brings up what looks like a public shaming page of emails apparently sent to Mr. Scott from scammers trying to set him up for some kind of fake check scheme in connection with renting one of the U.K. properties listed by his various travel accommodations Web sites. Click the “Contact” tab at the top right of that page and you’ll see Travel Scotland has a U.S. phone number that potential customers here in the states can use to make reservations toll-free.

That number happens to be in Connecticut. Recall that the address listed in the ownership records for many of the Web Listings domains tied to the “James Madison/Mark Carter” identities was an address in Connecticut.

Finally, I wanted to mention something that has stumped me (until very recently) since I began this investigation a couple of years ago. There are two unexpected domains returned when one performs a reverse search on a couple of different persistent data points in the WHOIS registration records for the Web Listings domains. See if you can spot the odd duck in this list produced by running a reverse search at Domaintools on info@web-listings.net (the contact email address shown on the mailed letter above):

Domain Name               Create Date   Registrar
finzthegoose.com          2010-08-03    enom, inc.
web-listings.net          2007-04-24    ENOM, INC.,ENOM, LLC
web-listingsinc.com       2015-11-06    ENOM, INC.,ENOM, LLC
weblistingservices.com    2007-04-23    ENOM, INC.,ENOM, LLC
weblistingsinc.com        2014-06-21    GODADDY.COM, LLC
weblistingsinc.net        2016-02-09    ENOM, INC.,ENOM, LLC
weblistingsreports.net    2015-11-06    ENOM, INC.,ENOM, LLC
webservicescorp.net       2007-06-03    ENOM, INC.,ENOM, LLC
websiteservicescorp.com   2007-06-03    —

Ten points if you said “finzthegoose.com.” Now let’s run a search on the phone number for Mark Carter — the phony persona behind all the Web Listings domains registered to the Niagara Falls address — +1.716-285-3575. What stands out about this list?

Domain Name               Create Date   Registrar
aquariumofniagara.org     2001-01-11    GODADDY.COM, LLC
web-listings.net          2007-04-24    ENOM, INC.,ENOM, LLC
web-listingsinc.com       2015-11-06    ENOM, INC.,ENOM, LLC
weblistingservices.com    2007-04-23    ENOM, INC.,ENOM, LLC
weblistingsinc.com        2014-06-21    GODADDY.COM, LLC
weblistingsinc.net        2016-02-09    ENOM, INC.,ENOM, LLC
weblistingsreports.net    2015-11-06    ENOM, INC.,ENOM, LLC
webservicescorp.net       2007-06-03    ENOM, INC.,ENOM, LLC
websiteservicescorp.com   2007-06-03    —

If you’re picking up an aquatic and marine life theme here, you’re two for two. That is actually the real phone number for the Aquarium of Niagara; the Web-Listings people just for some reason decided to list it in their WHOIS records as theirs.
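As an added illustration of the reverse-WHOIS and co-hosting pivots used in this story (my own example, not code from KrebsOnSecurity, Domaintools or Farsight): it rebuilds the two result tables above as records, runs each pivot, flags the domain whose name does not fit the family, and groups domains that changed IP addresses in lockstep. The contact columns are inferred from which search returned each domain; the IP timeline dates and the `unrelated-tenant.example` host are constructed, and all function names are hypothetical.

```python
"""Infrastructure pivoting helpers for the Web Listings domain set."""
from collections import defaultdict
from itertools import combinations

EMAIL = "info@web-listings.net"   # contact email printed on the mailer
PHONE = "+1.716-285-3575"         # phone number in the "Mark Carter" records

# (domain, create date, registrar, contact email, contact phone).  Domain, date
# and registrar come from the two tables above; the contact columns are inferred
# from which reverse search returned the domain (None = not returned).
RECORDS = [
    ("finzthegoose.com",        "2010-08-03", "enom, inc.",           EMAIL, None),
    ("aquariumofniagara.org",   "2001-01-11", "GODADDY.COM, LLC",     None,  PHONE),
    ("web-listings.net",        "2007-04-24", "ENOM, INC.,ENOM, LLC", EMAIL, PHONE),
    ("web-listingsinc.com",     "2015-11-06", "ENOM, INC.,ENOM, LLC", EMAIL, PHONE),
    ("weblistingservices.com",  "2007-04-23", "ENOM, INC.,ENOM, LLC", EMAIL, PHONE),
    ("weblistingsinc.com",      "2014-06-21", "GODADDY.COM, LLC",     EMAIL, PHONE),
    ("weblistingsinc.net",      "2016-02-09", "ENOM, INC.,ENOM, LLC", EMAIL, PHONE),
    ("weblistingsreports.net",  "2015-11-06", "ENOM, INC.,ENOM, LLC", EMAIL, PHONE),
    ("webservicescorp.net",     "2007-06-03", "ENOM, INC.,ENOM, LLC", EMAIL, PHONE),
    ("websiteservicescorp.com", "2007-06-03", None,                   EMAIL, PHONE),
]

FIELD = {"email": 3, "phone": 4}


def reverse_lookup(records, field, value):
    """Sorted domains whose WHOIS contact `field` equals `value`: the
    reverse-WHOIS pivot the article runs at Domaintools."""
    idx = FIELD[field]
    return sorted(r[0] for r in records if r[idx] == value)


def _grams(domain, n=4):
    """Character n-grams of the registrable label, hyphens and TLD dropped."""
    label = domain.rsplit(".", 1)[0].replace("-", "").lower()
    return {label[i:i + n] for i in range(len(label) - n + 1)}


def odd_ducks(domains, threshold=0.15):
    """Domains whose name resembles none of the others in a pivot result.
    Similarity is Jaccard overlap of 4-grams; a domain with no neighbour above
    `threshold` is flagged (the finzthegoose / aquariumofniagara case)."""
    grams = {d: _grams(d) for d in domains}
    best = defaultdict(float)
    for a, b in combinations(domains, 2):
        inter = len(grams[a] & grams[b])
        union = len(grams[a] | grams[b]) or 1
        sim = inter / union
        best[a] = max(best[a], sim)
        best[b] = max(best[b], sim)
    return sorted(d for d in domains if best[d] < threshold)


# Constructed passive-DNS style history: domain -> [(first_seen, ip), ...].
# The IPs are the ones named in the article; the dates and the last host are made up.
IP_HISTORY = {
    "weblistingsinc.org":       [("2011-03", "68.169.45.65"), ("2013-09", "107.20.142.166"), ("2015-05", "54.85.65.241")],
    "gobananas.com":            [("2011-03", "68.169.45.65"), ("2013-09", "107.20.142.166"), ("2015-05", "54.85.65.241")],
    "gobananasworld.com":       [("2011-03", "68.169.45.65"), ("2013-09", "107.20.142.166"), ("2015-05", "54.85.65.241")],
    "travelingalberta.com":     [("2011-03", "68.169.45.65")],
    "unrelated-tenant.example": [("2013-09", "107.20.142.166")],
}


def co_migrating(history, min_hops=2):
    """Group domains that moved between the same IPs at the same times.
    Sharing one address is weak evidence (any shared host does it); sharing a
    whole sequence of moves is the stronger signal the article relies on."""
    groups = defaultdict(list)
    for domain, moves in history.items():
        if len(moves) >= min_hops:
            groups[tuple(moves)].append(domain)
    return [sorted(ds) for ds in groups.values() if len(ds) > 1]


if __name__ == "__main__":
    for field, value in (("email", EMAIL), ("phone", PHONE)):
        hits = reverse_lookup(RECORDS, field, value)
        print(f"{field} pivot: {len(hits)} domains, odd ducks: {odd_ducks(hits)}")
    print("co-migrating:", co_migrating(IP_HISTORY))
```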

It appears that a Scotsman named Robert Paul Graham Scott — perhaps Mark’s older brother — was in the same line of work (SEO and advertising) and pimping the exact same companies as Mark. According to a listing at Companies House, the official ledger of corporations in the United Kingdom, Paul Scott was for four years until Sept. 2019 a director in HMGT Services Ltd. (HMGT stands for the aforementioned HelpMeGo.To business).

Paul Scott’s own Internet presence says he lives in Perth — a short distance from Mark’s hometown in Blairgowrie, Scotland. Like Mark, Paul Scott did not respond to requests for comment. But Paul Scott’s Twitter profile — @scubadog_uk — shows him tweeting out messages supporting many of the same companies and causes as Mark over the past decade.

More to the point, Paul’s Website — scubadog.co.uk — says he has an abiding interest in underwater photography, scuba diving, and all things marine-related.

Box’s Aaron Levie says it will take creativity and focus to get through this crisis

The COVID-19 virus is touching every aspect of our lives and having a profound impact on individuals, businesses and society at large. Box’s Aaron Levie has built a successful business from dorm room to IPO and beyond. He spoke to TechCrunch today about the level of creativity and focus that it’s going to take to succeed in the current environment.

Levie pointed out that his company was a fledgling startup when the economic downturn hit in 2008, but he thinks this one could have a much greater impact on business than that one did.

“I think Silicon Valley is going to definitely experience this in a very, very significant way. We were building a company in 2008, and that was extremely hard, but I don’t think it is going to compare to how hard the coming year is going to be,” Levie said.

This morning on Twitter, Levie wrote that we are in uncharted territory, and everyone will have to work together to help navigate this crisis.

He believes the government will need to step in to help individuals and businesses alike. “Businesses, who have lots of employees, need to be supported, but fundamentally we need to make sure that we’re focused on all the workers that are out of work, hopefully just temporarily displaced, but we’re going to need a lot of government financial support to get through this,” he said.

He advised startups to focus firmly on their mission. “It’s about extreme focus right now. It’s about extreme discipline. It’s about making sure that you’re maintaining your culture during this time,” Levie said.

As for his own company, he’s looking at three areas: his employees, his customers and the community. He said his first priority is making sure his employees are safe and healthy and that the hourly workers who normally support the business are being taken care of as we move through this unprecedented situation.

Secondly, he’s making sure that he supports his customers. To that end the company has removed any license limits as customers deal with increased usage with employees working from home.

He has also joined forces with Cloudflare in an effort to provide small businesses with 90 days of free services to help ride out the situation, and he said they would revisit extending these programs if the situation continues.

Thirdly, he says every business that can has to look at ways to support the communities where they live and to assist non-profit organizations who are helping in the response. “This is an event where business communities globally are going to have to put more of a concerted effort on this than any issue in modern history,” Levie said.

Levie is not alone in this thinking by any means. He points to other leaders such as Chuck Robbins, Marc Benioff and Tim Cook, all of whom have stepped up in recent days to offer help and support.

He has built his company from the ground up to one that’s on nearly an $800 million run rate, but like so many business leaders, he is dealing with a situation which, as he said, has no playbook. Like every other CEO, he’s trying to help keep his business thriving, while not losing sight of the needs of the people in his organization, his customers or his community. It’s not an easy balancing act for anyone right now.

The Good, the Bad and the Ugly in Cybersecurity – Week 12

The Good

Europol has been busy this week rounding up 26 fraudsters belonging to two separate SIM swapping gangs in Spain and Romania in ‘Operation Quinientos Dusim’ and ‘Operation Smart Cash’. SIM swapping involves socially engineering the staff of major phone carriers using personal data obtained in breaches, through phishing and by using OSINT techniques. SIM swappers impersonate their intended victim and convince the phone carrier to transfer the target’s cell services to a SIM card belonging to the attackers. Famously, Twitter CEO Jack Dorsey was caught in a SIM swap attack last year. Typically, fraudsters use the stolen services to gain access to the victim’s online banking and to bypass 2FA and one-time password controls on online accounts. The gangs caught in this week’s report are believed to have snatched funds from over 100 victims’ bank accounts before being nabbed by Europol with the help of the Spanish and Romanian police.

Image: advice on how to protect against SIM swapping.

If you’re an Adobe user, and let’s face it most of us are, then you’ll be pleased to hear that Adobe fixed 41 security flaws this week. In a massive security update across both Windows and macOS versions, Adobe plugged vulnerabilities in six major products, including ubiquitous favorites Adobe Acrobat, Adobe Reader and Photoshop. If you haven’t already, update those apps before the hackers reverse and exploit the multiple arbitrary code execution vulnerabilities just fixed.

The Bad

We’re all only too aware of what the big, bad news is this week and is likely to be for many weeks ahead: the COVID-19/Coronavirus outbreak that’s wreaking havoc on people’s health, livelihoods and lifestyles across the globe. SentinelOne, like a number of other vendors, is offering free platform access to help secure enterprises and remote workers during this unprecedented crisis. Meanwhile, the bad guys are, of course, taking every opportunity they can to milk the FUD for all it’s worth, with malware campaigns, phishing kits and good old-fashioned snake oil frauds becoming almost too numerous to count.

In a sign of the upside-down times that we’re living in, our bad news this week comes with an oddly welcome twist. For the time being anyway, some ransomware operators, namely DoppelPaymer and Maze, have claimed they will avoid deliberately targeting medical services and even offer free decryptors to those that do get hit. Of course, criminals like anyone else may need access to healthcare services before we see the back of the COVID-19 crisis, so we don’t think they’ll be winning any “service to the community” awards just yet.

Image: Maze ransomware press release.

On a different note, in other bad news this week, it seems TrickBot developers have been busy retooling in order to target US and Hong Kong-based telecoms organizations through a brute-force RDP attack leveraging a malicious DLL file called rdpScanDll. Researchers say very specific IPs have been targeted and that the purpose appears to be espionage. We already know that TrickBot is being leveraged by some APTs, and this looks like it could well be more of the same. More intel on this as soon as we have it.

The Ugly

Data breaches are always ugly, and data breaches by security companies are even uglier still. This week potentially sees one of the worst ever (it’s shaping up to be that kind of year, isn’t it?) as one security vendor may have leaked over 5 billion records that they’d been stockpiling since at least 2012. The vendor, UK-based Keepnet Labs, appears to have amassed data from other previously known sources and compiled it into a well-structured database with hash types, leak data, email, password and other information.

Image: tweet about the Keepnet Labs data breach.

Such a massive and organized collection would undoubtedly be a prize asset for fraudsters to get their hands on. It’s not immediately clear whether the database contained other, previously undisclosed breach data or whether it had been accessed by bad actors. What is known is that security researchers were able to access the unsecured Elasticsearch instance without Keepnet Labs’ awareness. The researchers informed the cybersecurity vendor, who promptly secured the data within the hour. As bad actors routinely probe for such insecure databases in the same way as the researchers who found this one, it’s anyone’s guess at this point whether the treasure trove is already in the hands of spammers, fraudsters and criminals intent on phishing attacks.



Google cancels I/O developer conference in light of COVID-19 crisis

Google announced on Twitter today that it was cancelling its annual I/O developer conference out of concern for the health and safety of all involved. It will not be holding any online conference in its place either.

“Out of concern for the health and safety of our developers, employees, and local communities — and in line with recent ‘shelter in place’ orders by the local Bay Area counties — we sadly will not be holding I/O in any capacity this year,” the company tweeted.

This is not a small deal, as Google uses this, and the Google Cloud Next conference, which it has also canceled, to let developers, customers, partners and other interested parties know about what new features, products and services they will be introducing in the coming year.

Without a major venue to announce these new tools, it will be harder for the company to get the word out about them or gain the power of human networking that these conferences provide. All of that is taking a backseat this year over concerns about the virus.

The company made clear that it does not intend to reschedule these events in person or in a virtual capacity at all this year, and will look for other ways to inform the community of changes, updates and new services in the coming months.

“Right now, the most important thing all of us can do is focus our attention on helping people with the new challenges we all face. Please know that we remain committed to finding other ways to share platform updates with you through our developer blogs and community forums,” the company wrote.

AWS, IBM launch programs to encourage developers solving COVID-19 problems

As society comes to grips with the growing worldwide crisis related to the COVID-19 virus, many companies are stepping up in different ways. Today, two major tech companies — Amazon and IBM — each announced programs to encourage developers to find solutions to a variety of problems related to the pandemic.

For starters, AWS, Amazon’s cloud arm, announced the AWS Diagnostic Development Initiative. It has set aside $20 million, which it will distribute in the form of AWS credits and technical support. The program is designed to assist and encourage teams working on COVID-19 diagnostic issues with the goal of developing better diagnostic tooling.

“In our Amazon Web Services (AWS) business, one area where we have heard an urgent need is in the research and development of diagnostics, which consist of rapid, accurate detection and testing of COVID-19. Better diagnostics will help accelerate treatment and containment, and in time, shorten the course of this epidemic,” Teresa Carlson wrote in the company’s Day One blog today.

The program aims to help customers who are working on building diagnostics solutions to bring products to market more quickly, and also encourage teams working on related problems to work together.

The company also announced it was forming an advisory group made up of scientists and health policy experts to assist companies involved with the initiative.

Meanwhile, IBM is refocusing its 2020 Call for Code Global Challenge developer contest on not only solving problems related to global climate change, which was this year’s original charter, but also solving issues around the growing virus crisis by building open-source tooling.

“In a very short period of time, COVID-19 has revealed the limits of the systems we take for granted. The 2020 Call for Code Global Challenge will arm you with resources […] to build open source technology solutions that address three main COVID-19 areas: crisis communication during an emergency, ways to improve remote learning, and how to inspire cooperative local communities,” the company wrote in a blog post.

All of these areas are being taxed as more people are forced to stay indoors as we try to contain the virus. The company hopes to incentivize developers working on these issues to help solve some of these problems.

During a time of extreme social and economic upheaval when all aspects of society are being affected, businesses, academia and governments need to work together to solve the myriad problems related to the virus. These are just a couple of examples of that.

Zyxel Flaw Powers New Mirai IoT Botnet Strain

In February, hardware maker Zyxel fixed a zero-day vulnerability in its routers and VPN firewall products after KrebsOnSecurity told the company the flaw was being abused by attackers to break into devices. This week, security researchers said they spotted that same vulnerability being exploited by a new variant of Mirai, a malware strain that targets vulnerable Internet of Things (IoT) devices for use in large-scale attacks and as proxies for other cybercrime activity.

Security experts at Palo Alto Networks said Thursday their sensors detected the new Mirai variant — dubbed Mukashi — on Mar. 12. The new Mirai strain targets CVE-2020-9054, a critical flaw that exists in many VPN firewalls and network attached storage (NAS) devices made by Taiwanese vendor Zyxel Communication Corp., which boasts some 100 million devices deployed worldwide.

Like other Mirai variants, Mukashi constantly scans the Internet for vulnerable IoT devices like security cameras and digital video recorders (DVRs), looking for a range of machines protected only by factory-default credentials or commonly-picked passwords.

Palo Alto said IoT systems infected by Mukashi then report back to a control server, which can be used to disseminate new instructions — such as downloading additional software or launching distributed denial of service (DDoS) attacks.

The commands Mukashi botmasters can send to infected devices include scanning for and exploiting other systems, and launching DDoS attacks. Image: Palo Alto Networks.

Zyxel issued a patch for the flaw on Feb. 24, but the update did not fix the problem on many older Zyxel devices which are no longer being supported by the company. For those devices, Zyxel’s advice was not to leave them connected to the Internet.

A joint advisory on CVE-2020-9054 from the U.S. Department of Homeland Security and the CERT Coordination Center rates this vulnerability at a “10” — the most severe kind of flaw. The DHS/CERT advisory also includes sample code to test if a Zyxel product is vulnerable to the flaw.

My advice? If you can’t patch it, pitch it, as Mukashi is not the only thing interested in this Zyxel bug: Recent activity suggests attackers known for deploying ransomware have been actively working to test it for use against targets.

Security Breach Disrupts Fintech Firm Finastra

Finastra, a company that provides a range of technology solutions to banks worldwide, said today it was shutting down key systems in response to a security breach discovered this morning. The company’s public statement and notice to customers does not mention the cause of the outage, but their response so far is straight out of the playbook for dealing with ransomware attacks.

London-based Finastra has offices in 42 countries and reported more than $2 billion in revenues last year. The company employs more than 10,000 people and has over 9,000 customers across 130 countries — including nearly all of the top 50 banks globally.

Earlier today, sources at two different U.S. financial institutions forwarded a notice they received from Finastra saying the outage was expected to disrupt certain services, particularly for clients in North America.

“We wish to inform our valued customers that we are investigating a potential security breach. At 3:00 a.m. EST on March 20, 2020, we were alerted to anomalous activity on our network which risked the integrity of our data-centers,” reads the notice. “As such, and to protect our customers, we have taken quick and strict remedial action to contain and isolate the incident, while we investigate further.”

Update, 5:21 p.m. ET: Finastra has acknowledged that it is battling ransomware.

“At this time, we strongly believe that the incident was the result of a ransomware attack and do not have any evidence that customer or employee data was accessed or exfiltrated, nor do we believe our clients’ networks were impacted,” the company said in a revised statement.

The statement continues:

“Our approach has been to temporarily disconnect from the internet the affected servers, both in the USA and elsewhere, while we work closely with our cybersecurity experts to inspect and ensure the integrity of each server in turn. Using this ‘isolation, investigation and containment’ approach will allow us to bring the servers back online as quickly as possible, with minimum disruption to service, however we are anticipating some disruption to certain services, particularly in North America, whilst we undertake this task. Our priority is ensuring the integrity of the servers before we bring them back online and protecting our customers and their data at this time.”

Finastra also acknowledged an incident via a notice on its Web site that offers somewhat less information and refers to the incident merely as the detection of anomalous activity.

“The Finastra risk and security services team has detected anomalous activity on our systems,” wrote Tom Kilroy, Finastra’s chief operating officer. “In order to safeguard our customers and employees, we have made the decision to take a number of our servers offline while we investigate. This, of course, has an impact on some of our customers and we are in touch directly with those who may be affected.”

Once considered by many to be isolated extortion attacks, ransomware infestations have become de facto data breaches for victim companies. That’s because some of the more active ransomware gangs have taken to downloading reams of data from targets before launching the ransomware inside their systems. Some or all of this data is then published on victim-shaming sites set up by the ransomware gangs as a way to strongarm victim companies into paying up.

One reader on Twitter told KrebsOnSecurity they’d heard Finastra had sent thousands of employees home today as a result of the security breach. Finastra told this author the company closed select offices in Canada and Paddington, London today where employees were unable to access the servers which they took offline.

“The majority of the Company’s employees are already working from home,” a statement shared by Finastra reads. “This is determined by Finastra’s response to COVID-19 and not related in any way to this incident.”

Interestingly, several ransomware gangs have apparently stated that they are observing a kind of moratorium on attacking hospitals and other healthcare centers while the COVID-19/Coronavirus epidemic rages on. Bleeping Computer’s Lawrence Abrams said he recently reached out to the operators of the Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako Ransomware infections to ask if they would continue targeting health and medical organizations during the outbreak.

Abrams said several of those gangs told him they would indeed stop attacking healthcare providers for the time being. One gang even used its victim-shaming Web site to post a “press release” on Mar. 18 stating that “due to situation with incoming global economy crisis and virus pandemic” it would be offering discounts to victims of its ransomware.

“We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus,” reads the release from the Maze ransomware gang.

A press release published by the Maze ransomware group.

This story will be updated as more details become available.