The Good, the Bad and the Ugly in Cybersecurity – Week 16

The Good

The Dutch police have taken down at least 15 DDoS-for-hire services this past week. In addition, the main perpetrator, a 19-year-old man from Breda, allegedly launched an attack against the country’s two main information access and document portals, MijnOverheid.nl and Overheid.nl. These sites are used by the general public and provide services such as information about tax returns and child benefits, as well as playing a vital role in disseminating official notices from government organizations about the coronavirus crisis. An attack last month knocked both sites offline for several hours. The unnamed suspect will be charged with computer-related criminal offences and face magistrates at an as yet undecided date.

The Bad

Nation-state hackers are not resting in these turbulent times. Earlier this week it was made public that the San Francisco Airport websites SFOConnect.com and SFOConstruction.com were attacked, allegedly by a Russian-sponsored APT group. The aim of the attack was to steal Windows account credentials from visitors to the sites by exploiting an SMB feature and the file:// URL scheme to gather usernames and NTLM local password hashes. The technique is similar to one used by the APT group Dragonfly/Energetic Bear.

Meanwhile, an alert sent by the Defense Counterintelligence and Security Agency to subcontractors stated that 40 U.S. contracting facilities with access to classified information have been targeted by a hacking group with suspected ties to the Chinese government since Feb. 1. To top things off, an official alert issued by US DHS, State and Treasury and the FBI stated that North Korea poses a ‘significant threat’ to the global financial system as it pursues campaigns against such facilities with the aim of generating funds for the cash-strapped regime.

The Ugly

Cybercrime is often opportunistic, but leveraging a global pandemic affecting billions of people is plain ugly. Despite earlier claims not to target medical facilities, cybercrime organizations continue to attack them in full swing. Ransomware attacks against hospitals and medical facilities are nothing new, but the damage such attacks cause nowadays, when these facilities are functioning at full stretch to try to find a cure or treat the sick, is simply staggering. Just this week, two Canadian organizations (a government facility and a university) involved in work on COVID-19 have been the targets of ransomware attacks.

This has not gone unnoticed by law enforcement agencies, and Interpol has issued a global alert about the increased risk of ransomware attacks on hospitals, healthcare providers and other organizations researching or responding to the COVID-19 pandemic. Threat actors took little notice, however, and the following day launched an attack on a hospital in the Czech Republic. The attack targeting the university hospital in the eastern Czech city of Ostrava was foiled by the hospital’s IT security staff.

A spokesperson said the attack “was aimed at one of our servers. Our IT staff have foiled similar attacks often”. In a radio interview, the Czech Prime Minister summed up our thoughts exactly: “I don’t understand why anyone would do anything so filthy at this time.”

SentinelLabs maintains a rolling update on cybercrime activity exploiting the coronavirus pandemic. To keep up with breaking attacks, visit: Threat Intel | Cyber Attacks Leveraging the COVID-19/CoronaVirus Pandemic


Sales startup People.ai lays off 18% of staff, raises debt round amid COVID-19 uncertainty

Another startup has turned to downsizing and fund raising to help weather the uncertainty around the economy amid the global coronavirus health pandemic. People.ai, a predictive sales startup backed by Andreessen Horowitz, Iconiq, Lightspeed and other investors and last year valued at around $500 million, has laid off around 30 people, working out to about 18% of staff, TechCrunch has learned and confirmed.

Alongside that, the company has quietly raised a debt round in the “tens of millions of dollars” to make strategic investments in new products and potentially other moves.

Oleg Rogynskyy, the founder and CEO, said the layoffs were made not because business has slowed down, but to help the company shore up for whatever may lie ahead.

“We still have several years of runway with what we’ve raised,” he noted (it has raised just under $100 million in equity to date). “But no one knows the length of the downturn, so we wanted to make sure we could sustain the business through it.”

Specifically, the company is reducing its international footprint — big European customers that it already has on its books will now be handled from its U.S. offices rather than local outposts — and it is narrowing its scope to focus more on the core verticals that make up the majority of its current customer base.

He gave as an example the financial sector. “We create huge value for financial services industry but have moved the functionality for them out to next year so that we can focus on our currently served industries,” he said.

People.ai’s software tracks the full scope of communication touch points between sales teams and customers, supposedly negating the tedious manual process of activity logging for SDRs. The company’s machine learning tech is also meant to generate the average best way to close a deal — educating customer success teams about where salespeople may be deviating from a proven strategy.

People.ai is one of a number of well-funded tech startups that is making hard choices on business strategy, costs and staffing in the current climate.

Layoffs.fyi, which has been tallying those losing their jobs in the tech industry in the wake of the coronavirus (it’s based primarily on public reports with a view to providing lists of people for hire), says that as of today, there have been nearly 25,000 people laid off from 258 tech startups and other companies. With companies like Opendoor laying off some 600 people earlier this week, the numbers are ratcheting up quickly: just seven days ago, the number was just over 16,000.

In that context, People.ai cutting 30 may be a smaller increment in the bigger picture (even if for the individuals impacted, it’s just as harsh of an outcome). But it also underscores one of the key business themes of the moment.

Some businesses are getting directly hit by the pandemic — for example, house sales and transportation have all but halted, leaving companies in those categories scrambling to figure out how to get through the coming weeks and months and prepare for a potentially long haul of life and consumer and business behavior not looking like it did before January.

But other businesses, like People.ai, which provides predictive sales tools to help salespeople do their jobs better, are (for now at least) falling into the category of IT still in demand, perhaps even more than ever in a shrinking economy. In People.ai’s case, software to help salespeople have better sales conversations and ultimately conversions at a time when many customers might not be as quick to buy things is an idea that sells right now (so to speak).

Rogynskyy noted that more than 90% of customers that are up for renewal this quarter have either renewed or expanded their contracts, and it has been adding new large customers in recent weeks and months.

The company has also just closed a round of debt funding in the “tens of millions” of dollars to use for strategic investments.

It’s not disclosing the lender right now, but it opted for debt in part because it still has most of its most recent round — $60 million raised in May 2019 led by Iconiq — in the bank. Although investors would have been willing to invest in another equity round, given that the company is in a healthy position right now, Rogynskyy said he preferred the debt option to have the money without the dilution that equity rounds bring.

The money will be used for strategic purposes and considering how to develop the product in the current climate. For example, with most people now working from home, and that looking to be a new kind of “normal” in office life (if not all the time, at least more of the time), that presents a new opportunity to develop products tailored for these remote workers.

There have been some M&A moves in tech in the last couple of weeks, and from what we understand People.ai has been approached as well as a possible buyer, target and partner. All of that for now is not something the company is considering, Rogynskyy said. “We’re focused on our own future growth and health and making sure we are here for a long time.”

Return to Base | The CISO’s Guide to Preparing A COVID-19 Exit Strategy

While governments and public healthcare specialists are looking into the timing and manner of reopening the economy, it is clear that at some point in the hopefully not-too-distant future, restrictions will be eased and businesses will return to normal operations.

Returning to recently-vacated offices will certainly signify a return to normality, and for most that will be a welcome relief after working from home for an extended period. However, just as the shift to working from home required organizations to adapt and act differently, so will the return to the office. In this post, we discuss the preparation CISOs should consider making to offset a number of security implications that arise from returning your workforce from home and back to the office. 

Making Sure Returning Devices Are Safe To Use

When returning to the office, employees will haul back all the IT equipment they have used at home. Some of this is trivial office equipment like screens, docking stations and cables, but computing devices can be a security blind spot.

Rogue Devices: While unknown connected devices pose a security risk at all times, the return to the office represents an even bigger risk. People could have used all sorts of devices during their time at home, for leisure and convenience. While there, such devices may not pose a serious security risk, but if they are introduced to the corporate network, they could become one.

Do run a scan on your network to identify new, unknown devices.

Home Laptops: Some employees working from home may have had to use their own laptops, either because in the rush to vacate offices the IT department might not have had sufficient inventory or just through personal preference. In such cases, they are likely to bring these laptops with them when they return to the office, plug them into the corporate network and continue to work as they had been doing at home. These devices could potentially be infected with malware if they have not been running updated, corporate-grade EDR solutions.

Do forbid work on personal laptops in the corporate environment whenever possible.

Employees should transfer their work to their company-issued laptop and take their personal laptop back home.

Do install NAC for employees who now find they must work with their own device, and ensure they use company-issued EDR.

USBs and NAS: Another practice employees may have adopted while working from home is the use of USB thumb drives and network storage devices. Personal storage devices should be prohibited in the corporate environment and not allowed to connect to company computers and networks.

Do enforce device control to block unauthorized USB and other peripheral devices.

Inventory: As many employees took equipment home, it is necessary to register and keep an up-to-date inventory of this equipment and its whereabouts. In the first instance, this makes sense to avoid wasting resources: ensure employees return cables and screens that they have borrowed from the workplace. It is possible that some staff took an extra laptop home and that the device is now stranded somewhere, perhaps even connected to the home network and exposed to the world.

Do keep an up-to-date inventory. It will also help in the event employees have to move back to working from home in the future.

Keeping Insecure Software Off Your Network

Even if the devices used at home were company-issued, they can still be a threat if they are not running updated software and security tools.

Updated OS and Software: Unpatched and outdated operating systems can facilitate data breaches. Some employees may have ignored the update prompt or rescheduled updates indefinitely. In addition, some computers and servers left on-premise may have been shut down throughout this period. After restarting these, it is important to install all available software patches and updates.

Do make sure that all software is patched on all devices returning to the office as soon as practically possible.

Updated and Active EDR: An updated EDR solution was vital to securing the laptop at home, and it is of course crucial in securing all devices in the work environment. It’s not unheard of for some employees to disable security software in order to perform certain actions on their devices.

Do ensure that all your endpoints have an active and up-to-date EDR solution.

Unregistered Software: It is possible that some employees have installed software for their own use, perhaps because they were unable to use company resources or simply because it was more convenient than asking for the approval of the IT department.

Do make sure your EDR solution can inventory software and can report on application risk levels.

Software License Inventory: Working from home may have required certain software licenses that are no longer needed when working at the office. For instance, at SentinelOne we licensed Zoom Pro for all employees as part of the great transition to remote work. For any software that employees no longer need access to, it’s sensible to cancel these licenses to reduce costs. The same logic applies to cloud resource usage, which may have skyrocketed while people were working from home but which now may no longer be necessary.

Do revoke unnecessary software licenses and transition staff back to using resources provided on-site.
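As an added example (not code from the original post, and not SentinelOne Ranger), the following script applies the device and software checklist above in one pass: it reconciles a network scan against the device inventory and flags unknown devices, registered personal laptops, inactive or outdated EDR agents, stale patching, and company laptops that never reappeared on the network. The inventory records, scan results, EDR version and 30-day patch policy are all constructed for illustration.

```python
"""Reconcile a network scan with the device inventory for a return-to-office check.

Added example, not code from the original post or from SentinelOne Ranger. The
inventory, the scan results and the "current" EDR version are constructed; a real
run would feed in exports from the asset inventory/NAC and a network scanner.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class InventoryRecord:
    mac: str
    hostname: str
    corporate: bool      # company-issued (True) or registered personal device (False)
    edr_active: bool     # EDR agent is installed and reporting in
    edr_version: str
    last_patched: date   # date the OS/software patch set was last applied


@dataclass
class ScanHit:
    mac: str
    ip: str
    hostname: str


CURRENT_EDR = "5.2.0"        # constructed: agent version the fleet should be running
MAX_PATCH_AGE_DAYS = 30      # constructed policy: a patch set older than this is stale


def normalize_mac(mac: str) -> str:
    """Scanners and inventories disagree on MAC formatting; compare a canonical form."""
    return mac.lower().replace("-", ":")


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def reconcile(inventory, scan, today, current_edr=CURRENT_EDR,
              max_patch_age=MAX_PATCH_AGE_DAYS):
    """Return a dict mapping a finding category to the affected hosts or scan hits."""
    known = {normalize_mac(r.mac): r for r in inventory}
    findings = {key: [] for key in (
        "unknown_device", "personal_device", "edr_inactive",
        "edr_outdated", "unpatched", "missing_from_scan")}
    seen = set()
    for hit in scan:
        mac = normalize_mac(hit.mac)
        seen.add(mac)
        rec = known.get(mac)
        if rec is None:
            # Rogue device: on the network but not in the inventory at all
            findings["unknown_device"].append(f"{hit.ip} ({hit.hostname or 'no name'}, {mac})")
            continue
        if not rec.corporate:
            # Registered personal laptop: should be behind NAC and running company EDR
            findings["personal_device"].append(rec.hostname)
        if not rec.edr_active:
            findings["edr_inactive"].append(rec.hostname)
        elif parse_version(rec.edr_version) < parse_version(current_edr):
            findings["edr_outdated"].append(rec.hostname)
        if (today - rec.last_patched).days > max_patch_age:
            findings["unpatched"].append(rec.hostname)
    # Company-owned in the inventory but never seen: possibly still stranded at someone's home
    for mac, rec in known.items():
        if rec.corporate and mac not in seen:
            findings["missing_from_scan"].append(rec.hostname)
    return findings


def format_report(findings) -> list:
    lines = [f"{category}: {', '.join(hosts)}"
             for category, hosts in findings.items() if hosts]
    return lines or ["no findings"]


# Constructed sample data
INVENTORY = [
    InventoryRecord("00:11:22:33:44:01", "lt-alice", True, True, "5.2.0", date(2020, 4, 10)),
    InventoryRecord("00:11:22:33:44:02", "lt-bob", True, False, "5.2.0", date(2020, 2, 15)),
    InventoryRecord("00:11:22:33:44:03", "lt-carol", True, True, "5.1.3", date(2020, 4, 1)),
    InventoryRecord("00:11:22:33:44:04", "bob-personal", False, True, "5.2.0", date(2020, 4, 12)),
    InventoryRecord("00:11:22:33:44:05", "lt-spare-07", True, True, "5.2.0", date(2020, 3, 20)),
]
SCAN = [
    ScanHit("00:11:22:33:44:01", "10.0.5.21", "lt-alice"),
    ScanHit("00-11-22-33-44-02", "10.0.5.22", "lt-bob"),        # scanner emits dashes
    ScanHit("00:11:22:33:44:03", "10.0.5.23", "lt-carol"),
    ScanHit("00:11:22:33:44:04", "10.0.5.24", "bob-personal"),
    ScanHit("00:AA:BB:CC:DD:EE", "10.0.5.77", "nas-home"),       # not in the inventory
]
TODAY = date(2020, 4, 17)    # constructed reference date for the patch-age check


def run_sample():
    return reconcile(INVENTORY, SCAN, TODAY)


if __name__ == "__main__":
    print("\n".join(format_report(run_sample())))
```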

Preparing Processes And Procedures

In addition to inspecting devices and ensuring proper software is installed, certain processes and procedures must be implemented in order to facilitate security.

Password Reset: It is possible that employees have shared their laptops and credentials with their family or friends. They may have re-used passwords on new services or devices at home, or lapsed into other insecure habits. It is advisable to reset credentials and ensure 2FA/MFA for all company devices and software.

Do ensure that all your employees are aware of company password policy and enforce compliance.

New Employees: Some companies have recruited new employees during the COVID-19 outbreak and have onboarded them remotely. Moving into the office will be a new experience for these new hires and they may need an early refresher on training that was not applicable while they were working from home.

Do ensure new hires are up to speed on additional company security policies that are pertinent to working in the office.

Maintain Readiness for WFH: At some point in the future, it could be necessary to transition to work from home again, and there’s always the real possibility in the near-to-mid term future that individual employees could contract the virus and need to self-isolate again.

Therefore, it is prudent to use the lessons learned from the mass transition to work from home in early 2020 and be better prepared to do it again, whether on a small scale or throughout the company. This includes having an up-to-date inventory of all IT equipment, having all company laptops running a modern EDR, and ensuring that employees have access to company assets via a VPN protected by 2FA.

Do formalize the lessons learned from this unprecedented crisis so that they can be used to help your business manage future crises with less pain.

Conclusion

Returning to the office environment might come sooner or later, but come it surely will. In order to reduce the risk and facilitate a quick return to normal operations, CISOs should consider the possibility that employees may bring threats with them when they shift back to the office desk.

Unlike the rushed, unexpected manner in which many organizations sent their employees home with little opportunity for planning or preparation, the return to the office is something that can be planned for in a more organized and orderly fashion. Prepare now to ensure the necessary processes and tools are in place before this happens.

SentinelOne Ranger is suitable for scanning corporate networks, identifying unknown devices, and updating an inventory of corporate devices, their OS and the update status of their EDR agents. Contact us to schedule a scan today.


VAST Data lands $100M Series C on $1.2B valuation to turn storage on its head

VAST Data, a startup that has come up with a cost-effective way to deliver flash storage, announced a $100 million Series C investment today on a $1.2 billion valuation, both unusually big numbers for an enterprise startup in Series C territory.

Next47, the investment arm of Siemens, led the round with participation from existing investors 83North, Commonfund Capital, Dell Technologies Capital, Goldman Sachs, Greenfield Partners, Mellanox Capital and Norwest Venture Partners. Today’s investment brings the total raised to $180 million.

That’s a lot of cash any time, but especially in the middle of a pandemic. Investors believe that VAST is solving a difficult problem around scaled storage. It’s one where customers tend to deal with petabytes of data and storage price tags beginning at a million dollars, says company founder and CEO Renen Hallak.

As Hallak points out, traditional storage is delivered in tiers with fast, high-cost flash storage at the top of the pyramid all the way down to low-cost archival storage at the bottom. He sees this approach as flawed, especially for modern applications driven by analytics and machine learning that rely on lots of data being at the ready.

VAST built a system they believe addresses these issues around the way storage has traditionally been delivered. “We build a single system. This is as fast or faster than your tier one, all-flash system today and as cost effective, or more so, than your lowest tier five hard drives. We do this at scale with the resilience of the entire [traditional storage] pyramid. We make it very, very easy to use, while breaking historical storage trade-offs to enable this next generation of applications,” Hallak told TechCrunch.

The company, which was founded in 2016 and came to market with its first solution in 2018, does this by taking advantage of some modern tools like Intel 3D XPoint technology, a kind of modern non-volatile memory along with consumer-grade QLC flash, NVMe over Fabrics protocol and containerization.

“This new architecture, coupled with a lot of algorithmic work in software and types of metadata structures that we’ve developed on top of it, allows us to break those trade-offs and allows us to make much more efficient use of media, and also allows us to move beyond scalability limits, resiliency limits and problems that other systems have in terms of usability and maintainability,” he said.

They have a large average deal size; as a result, the company can keep its cost of sales and marketing to revenue ratio low. They intend to use the money to grow quickly, which is saying something in the current economic climate.

But Hallak sees vast opportunity for the kinds of companies with large amounts of data who need this kind of solution, and even though the cost is high, he says ultimately switching to VAST should save companies money, something they are always looking to do at this kind of scale, but even more so right now.

You don’t often see a unicorn valuation at Series C, especially right now, but Hallak doesn’t shy away from it at all. “I think it’s an indication of the trust that our investors put in our growth and our success. I think it’s also an indication of our very fast growth in our first year [with a product on the market], and the unprecedented adoption is an indication of the product-market fit that we have, and also of our market efficiency,” he said.

They count The National Institute of Health, General Dynamics and Zebra as customers.

Anodot grabs $35M Series C to help monitor business operations

Anodot, a startup that helps customers monitor business operations against a set of KPIs, announced a $35 million Series C investment today.

Intel Capital led this round with a lot of help. New investors SoftBank Ventures Asia, Samsung NEXT and La Maison also participated along with existing investors Disruptive Technologies L.P., Aleph Venture Capital and Redline Capital. Today’s investment brings the total raised to $62.5 million, according to the company.

Anodot lets you take any kind of data, whatever your company finds important, and it tracks it automatically and reports on changes that would have an impact on the business, according to David Drai, CEO and co-founder.

“We take any kind of normalized data into our platform and learn all the behavior of the data against normal behavior. When I say normal behavior, it means any time-based data in what is called a time series. And we understand all the trends of that data, and we do this autonomously without any configuration, except defining what is interesting for you,” Drai explained.

That means that the platform will let you know, for example, of any drop in your business, any drop in your conversions, any spike in your costs — and so forth. What you track depends on your vertical and what’s important to your business.

He compares it to applications performance monitoring, but instead of monitoring the company’s technology systems, it’s monitoring the systems that run the business. Just as you don’t want to miss signals that your servers could be going down, neither do you want to let factors that could cost your business money go unnoticed.

This dashboard lets you monitor unusual changes in cloud costs. Image Credit: Anodot

The way it works is you connect to the systems that matter, and Anodot can review those systems, learn what constitutes a level of normal behavior, then identify when anomalies occur. It does this by mapping against your KPIs, and this can involve thousands or even tens of thousands of KPIs based on an individual company.

As Drai points out, an eCommerce company with 1,000 products in 50 countries will have 50,000 KPIs, one for each product in each country, and you can track these in Anodot.

He says that under the current economic conditions, he is taking a two-pronged approach to building his business involving both offense and defense. On defense, he will take a cautious approach to hiring, but he sees his product helping companies understand and control costs, so he will continue to sell the product as a cost-saving device at a time when that is of increasing importance to businesses everywhere.

The company was founded in 2014. It currently has 70 employees and 100 paying customers including Atlassian, T Mobile, Lyft and Pandora.

Verizon is buying B2B videoconferencing firm BlueJeans

US carrier Verizon* has splashed out to buy veteran B2B videoconferencing platform, BlueJeans Network — shelling out less than $500 million on the acquisition, according to the Wall Street Journal which first reported the news.

A Verizon spokeswoman confirmed to TechCrunch that the price-tag is sub-$500M but did not provide a more exact figure. Videoconferencing platform Blue Jeans has raised ~$175M since being founded around a decade ago, per Crunchbase, with US investor NEA leading a Series E round back in 2015.

In a press release announcing the deal, Verizon said it has entered into a definitive agreement to acquire the enterprise-grade videoconferencing and event platform in order to expand its “immersive unified communications portfolio”.

“Customers will benefit from a BlueJeans enterprise-grade video experience on Verizon’s high-performance global networks. In addition, the platform will be deeply integrated into Verizon’s 5G product roadmap, providing secure and real-time engagement solutions for high growth areas such as telemedicine, distance learning and field service work,” it wrote.

“As the way we work continues to change, it is absolutely critical for businesses and public sector customers to have access to a comprehensive suite of offerings that are enterprise ready, secure, frictionless and that integrate with existing tools,” added Tami Erwin, CEO of Verizon Business, in a supporting statement. “Collaboration and communications have become top of the agenda for businesses of all sizes and in all sectors in recent months. We are excited to combine the power of BlueJeans’ video platform with Verizon Business’ connectivity networks, platforms and solutions to meet our customers’ needs.”

The acquisition comes at a time when videoconferencing is seeing a massive uptick in usage as white collar workers around the world log on to meetings from home during the coronavirus pandemic.

Although it’s BlueJeans’ rival, Zoom, that’s been the most high profile name linked to the viral videoconferencing boom in recent weeks. The latter recently revealed that daily meeting participants on its platform jumped from a modest 10M in December to 200M in March.

However, such booming growth and consumer usage has brought increased scrutiny for Zoom — leading to a spate of warnings (and even some bans) related to security and privacy concerns. And earlier this month the company said it would freeze product development to focus on the laundry list of issues that have surfaced as users have piled in and kicked its tires, taking a little of the shine off of surging growth.

On the sheer usage front BlueJeans is certainly small fish in comparison to Zoom — having remained b2b focused. A BlueJeans spokeswoman told us it has more than $100M ARR and over 15,000 customers at this point. (Some notable users include Facebook and Disney.)

But it’s paying users that are likely of most interest to Verizon, hence talk of telemedicine, distance learning and field service work — areas ripe for coronavirus-accelerated digitization. Carriers generally, meanwhile, haven’t been able to translate increased usage during the pandemic into a revenue growth story — as a result of a combination of fixed costs, debt and market disruption that’s been hitting their shares during the coronavirus crisis, per Reuters. Bolting on more b2b tools looks to be one way of growing network revenues.

“The combination of BlueJeans’ world class enterprise video collaboration platform and trusted brand with Verizon Business’ next generation edge computing innovation will deliver highly differentiated and compelling solutions to our joint customers,” said Quentin Gallivan, BlueJeans CEO, in a statement. “We are very excited about joining the Verizon team and we truly believe the future of business communications starts today!”

Verizon said today that BlueJeans’ founders and “key management” will join the company as part of the acquisition, with BlueJeans employees set to become Verizon employees immediately following the close of the deal — which is expected in the second quarter, pending customary closing conditions.

BlueJeans co-founder Krish Ramakrishnan has a history of exits, selling a couple of his previous startups to networking giant Cisco — where he has also worked, in between spinning out his own companies.

*Disclosure: Verizon is also TechCrunch’s parent company

Bridgecrew announces $14M Series A to automate cloud security

In today’s grim economic climate, companies are looking for ways to automate wherever they can. Bridgecrew, an early-stage startup that makes automated cloud security tooling aimed at engineers, announced a $14 million Series A today.

Battery Ventures led the round with participation from NFX, the company’s $4 million seed investor. Sorensen Ventures, DNX Ventures, Tectonic Ventures, and Homeward Ventures also participated. A number of individual investors also helped out. The company has raised a total of $18 million.

Bridgecrew CEO and co-founder Idan Tendler says that it is becoming easier to provision cloud resources, but that security tends to be more challenging. “We founded Bridgecrew because we saw that there was a huge bottleneck in security engineering, in DevSecOps, and how engineers were running cloud infrastructure security,” Tendler told TechCrunch.

They found that a lot of issues involved misconfigurations, and while there were security solutions out there to help, they were expensive, and they weren’t geared towards the engineers who were typically being charged with fixing the security issues, he said.

The company decided to solve that problem by coming up with a solution geared specifically for the way engineers think and operate. “We do that by codifying the problem, by codifying what the engineers are doing. We took all the tasks that they needed to do to protect around remediation of their cloud environment and we built a playbook,” he explained.

The playbooks are bits of infrastructure as code that can resolve many common problems quickly. When they encounter a new problem, they build a playbook and then that becomes part of the product. He says that 90% of the issues are fairly generic like following AWS best practices or ensuring SOC-2 compliance, but the engineers are free to tweak the code if they need to.

Tendler says he is hiring and sees his product helping companies looking to reduce costs through automation. “We are planning to grow fast. The need is huge and the COVID-19 implications mean that more and more companies will be moving to cloud and trying to reduce costs, and we help them do that by reducing the barriers and bottlenecks for cloud security.”

The company was founded 14 months ago and has 100 playbooks available. It’s keeping the crew lean for now with 16 employees, but it has plans to double that by the end of the year.

Daily Crunch: Verizon buys videoconferencing company BlueJeans

Verizon makes a move into videoconferencing, Jeff Bezos discusses a plan to test Amazon employees for COVID-19 and Apple is reportedly working on new over-ear headphones. Here’s your Daily Crunch for April 16, 2020.

1. Verizon is buying b2b videoconferencing firm BlueJeans

TechCrunch’s parent company is buying veteran videoconferencing platform BlueJeans Network — shelling out less than $500 million on the acquisition, according to the Wall Street Journal. (A Verizon spokeswoman confirmed that the price-tag is sub-$500 million but did not provide a more exact figure.)

“Customers will benefit from a BlueJeans enterprise-grade video experience on Verizon’s high-performance global networks,” the company said in a statement. “In addition, the platform will be deeply integrated into Verizon’s 5G product roadmap, providing secure and real-time engagement solutions for high growth areas such as telemedicine, distance learning and field service work.”

2. Bezos details Amazon’s COVID-19 testing plans in shareholder letter

Jeff Bezos dropped Amazon’s annual shareholder letter today, which includes more information on the Amazon-built testing labs that were announced last week. Bezos said the company is considering “regular testing of all Amazonians, including those showing no symptoms.”

3. Apple said to be working on modular, high-end, noise-cancelling over-ear headphones

Bloomberg reports that Apple is developing its own competitors to popular over-ear noise-cancelling headphones like those made by Bose and Sony, but with similar technology to that used in the AirPod and AirPod Pro lines.

4. Unicorn layoffs keep piling up as the economy gets worse

Yesterday, news broke that a trio of well-known, heavily-backed unicorns — Carta, Zume and Opendoor — were cutting staff.

5. Punitive liquidation preferences return to VC — don’t do it

VC Pascal Levensohn says that several of his current portfolio companies have recently proposed “emergency bridge” convertible note financings of between $5 million and $15 million, each featuring a painful feature for non-participants. (Extra Crunch membership required.)

6. DoD Inspector General report finds everything was basically hunky-dory with JEDI cloud contract bid

While controversy has dogged the $10 billion, decade-long JEDI contract since its earliest days, a report by the Department of Defense’s Inspector General’s Office concluded that the contract procurement process was fair and legal.

7. Google Play adds a ‘Teacher Approved’ section to its app store

All apps found in this section are vetted by a panel of reviewers, including more than 200 teachers across the U.S., and meet Google’s existing requirements (around government regulation and advertising) for its “Designed for Families” program.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here.

Sipping from the Coronavirus Domain Firehose

Security experts are poring over thousands of new Coronavirus-themed domain names registered each day, but this often manual effort struggles to keep pace with the flood of domains invoking the virus to promote malware and phishing sites, as well as non-existent healthcare products and charities. As a result, domain name registrars are under increasing pressure to do more to combat scams and misinformation during the COVID-19 pandemic.

By most measures, the volume of new domain registrations that include the words “Coronavirus” or “Covid” has closely tracked the spread of the deadly virus. The Cyber Threat Coalition (CTC), a group of several thousand security experts volunteering their time to fight COVID-related criminal activity online, recently published data showing the rapid rise in new domains began in the last week of February, around the same time the Centers for Disease Control began publicly warning that a severe global pandemic was probably inevitable.

The total number of domains registered per day that contain a COVID-19 related term, according to DomainTools. The red line indicates the count of domains that DomainTools determined are “likely malicious.” The blue line refers to domains that are likely benign.

“Since March 20th, the number of risky domains registered per day has been decreasing, with a notable spike around March 30th,” wrote John Conwell, principal data scientist at DomainTools [an advertiser on this site]. “Interestingly, legitimate organizations creating domains in response to the COVID-19 crisis were several weeks behind the curve from threat actors trying to take advantage of this situation. This is a pattern DomainTools hasn’t seen before in other crises.”

Security vendor Sophos looked at telemetry from customer endpoints to illustrate the number of new COVID-related domains that actually received traffic of late. As the company noted, one challenge in identifying potentially malicious domains is that many of them can sit dormant for days or weeks before being used for anything.

Data from security vendor Sophos, published by the Cyber Threat Coalition, shows the number of Coronavirus or COVID-19 themed domains registered per week that received traffic.

“We can see a rapid and dramatic increase of visits to potentially malicious domains exploiting the Coronavirus pandemic week over week, beginning in late February,” wrote Sophos’ Rich Harang. “Even though still a minority of cyber threats use the pandemic as a lure, some of these new domains will eventually be used for malicious purposes.”

CTC spokesman Nick Espinosa said the first spike in visits was on February 25, when group members saw about 4,000 visits to the sites they were tracking.

“The following two weeks starting on March 9 saw rapid growth, and from March 23 onwards we’re seeing between 75,000 to 130,000 visits per weekday, and about 40,000 on the weekends,” Espinosa said. “Looking at the data collected, the pattern of visits is highest on Monday and Friday, and the lowest visit count is on the weekend. Our data shows that there were virtually no customer hits on COVID-related domains prior to February 23.”

Milwaukee-based Hold Security has been publishing daily and weekly lists of all COVID-19 related domain registrations (without any scoring assigned). Here’s a graph KrebsOnSecurity put together based on that data set, which also shows a massive spike in new domain registrations in the third week of March, trailing off considerably over the past couple of weeks.

Data: Hold Security.

Not everyone is convinced we’re measuring the right things, or that the current measurements are accurate. Neil Schwartzman, executive director of the anti-spam group CAUCE, said he believes DomainTools’ estimates on the percentage of new COVID/Coronavirus-themed domains that are malicious are too high, and that many are likely benign and registered by well-meaning people seeking to share news or their own thoughts about the outbreak.

“But there’s the rub,” he said. “Bad guys get to hide amidst the good really effectively, so each one needs to be reviewed on its own. And that’s a substantial amount of work.”

At the same time, Schwartzman said, focusing purely on domains may obscure the true size and scope of the overall threat. That’s because scammers very often will establish multiple subdomains for each domain, meaning that a single COVID-related new domain registration could eventually be tied to a number of different scammy or malicious sites.

Subdomains can not only make phishing domains appear more legitimate, but they also tend to lengthen the domain so that key parts of it get pushed off the URL bar in mobile browsers.

To that end, he said, it makes perhaps the most sense to focus on new domain registrations that have encryption certificates tied to them, since the issuance of an SSL certificate for a domain is usually a sign that it is about to be put to use. As noted in previous stories here, roughly 75 percent of all phishing sites now have the padlock (start with “https://”), mainly because the major Web browsers display security alerts on sites that don’t.
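The triage idea above (group themed hosts by their registrable domain so subdomains count toward one registration, and look first at the ones that already have a certificate) as an added example that is not part of the original article. The feed records and domain names are constructed; the two-label registrable-domain rule is a simplifying assumption in place of a public-suffix list.

```python
import re
from dataclasses import dataclass, field

# Constructed sample feed (not real registrations): hostname, date first seen,
# and whether a TLS certificate has been observed for it.
SAMPLE_FEED = [
    ("covid19-relief-fund.example", "2020-03-23", True),
    ("login.covid19-relief-fund.example", "2020-03-24", True),
    ("secure-portal.covid19-relief-fund.example", "2020-03-24", True),
    ("corona-virus-news.example", "2020-03-23", False),
    ("c-o-v-i-d-masks.example", "2020-03-30", True),
    ("weather-daily.example", "2020-03-23", True),
]

THEME_RE = re.compile(r"coronavirus|covid")


def normalise(host: str) -> str:
    # Drop separators and digits so "c-o-v-i-d" or "covid_19" still match.
    return re.sub(r"[-_.\d]", "", host).lower()


def registrable_domain(host: str) -> str:
    # Assumption: the registrable domain is the last two labels.
    return ".".join(host.split(".")[-2:])


@dataclass
class Candidate:
    domain: str
    first_seen: str
    has_cert: bool = False
    hosts: list = field(default_factory=list)


def triage(feed):
    """Group COVID-themed hosts per registrable domain.

    Ranking: certificate present first, then most subdomains, then name.
    Returns a list of Candidate objects for a reviewer to work through.
    """
    found = {}
    for host, seen, cert in feed:
        if not THEME_RE.search(normalise(host)):
            continue
        dom = registrable_domain(host)
        cand = found.setdefault(dom, Candidate(dom, seen))
        cand.first_seen = min(cand.first_seen, seen)
        cand.has_cert = cand.has_cert or cert
        cand.hosts.append(host)
    return sorted(found.values(),
                  key=lambda c: (not c.has_cert, -len(c.hosts), c.domain))
```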

Schwartzman said more domain registrars should follow the example of Los Angeles-based Namecheap Inc., which last month pledged to stop accepting the automated registration of website names that include words or phrases tied to the COVID-19 pandemic. Since then, a handful of other registrars have said they plan to manually review all such registrations going forward.

The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees the registrar industry, recently sent a letter urging registrars to be more proactive, but stopped short of mandating any specific actions.

Schwartzman called ICANN’s response “weak tea.”

“It’s absolutely ludicrous that ICANN hasn’t stepped up, and they will bear significant responsibility for any deaths that may happen as a result of all this,” Schwartzman said. “This is a CYA response at best, and dictates to no one that they should do anything.”

Michael Daniel, president of the Cyber Threat Alliance — a cybersecurity industry group that’s also been working to fight COVID-19 related fraud — agreed, saying more pressure needs to be applied to the registrar community.

“It’s really hard to do anything about this unless the registrars step up and do something on their own,” Daniel said. “It’s either that or the government gets involved. That doesn’t mean some [registrars] aren’t doing what they can, but in general what the industry is doing is nowhere near as fast as the bad guys are generating these domains.”

The U.S. government may well soon get more involved. Earlier this week, Senators Cory Booker (D-N.J.), Maggie Hassan (D-N.H.) and Mazie K. Hirono (D-Hawaii) sent letters to eight domain name company leaders, demanding to know what they were doing to combat the threat of malicious domains, and urging them to do more.

“As cybercriminals and other malevolent actors seek to take advantage of the Coronavirus pandemic, it is critical that domain name registrars like yours (1) exercise diligence and ensure that only legitimate organizations can register Coronavirus-related domain names and domain names referencing online communications platforms; (2) act quickly to suspend, cancel, or terminate registrations for domains that are involved in unlawful or harmful activity; and (3) cooperate with law enforcement to help bring to justice cybercriminals profiting from the Coronavirus pandemic,” the senators wrote.

MBRLocker Wiper Malware | Destructive Pranks Are No Joke For Victims

Earlier this month a steady stream of new MBRLocker malware variants began to appear, locking victims out of their devices. While many of these seem to be pranks rather than serious attempts at extortion like typical ransomware, the effect is no less disruptive and potentially just as damaging. This week, some attention-seeking pranksters decided to troll our own Vitali Kremez by releasing an MBRLocker variant using his name and revealing his personal contact details. While we wouldn’t ordinarily comment on such stunts, the issue has already been widely reported in the media.

Why Are Security Researchers Targeted by Malware Authors?

It’s not uncommon for malware authors to bait prominent security researchers and other cybercrime fighters. For example, a malspam campaign trolled AVIRA CEO, Travis Witteveen in 2016, while a ransomware campaign the same year dubbed ‘Black Shades’ included strings taunting researchers. Other ransomware like GandCrab has been known to call out researchers by name in code strings, and earlier this year Maze ransomware singled out Vitali Kremez, Hasherezade and CryptoInsane for special mention in their code.

However, it rarely gets as personal as this latest incident, in which the malware authors impersonated Vitali Kremez, included his personal contact details, falsely claimed to be promoting SentinelOne, and also called out the security researchers @MalwareHunterTeam. Needless to say, neither SentinelOne nor any of the named researchers are in any way associated with this destructive prank.

The purpose of such stunts is usually attention-seeking, one of the trademarks of the ‘script kiddie’ class of threat actors. Professionals generally avoid such behavior, as history shows that attention-seeking is one of the primary opsec failures that lead to the capture of cyber criminals by law enforcement. And while we wouldn’t ordinarily “feed the troll”, the widespread attention this has received in the mainstream cyber media, as well as the confusion among some victims of this recent spate of MBRLocker variants, justifies a clarification.

What is an MBRLocker?

MBR stands for “Master Boot Record”, a small sector on a disk drive that holds the information needed to start the operating system. When a machine boots, it reads the MBR first and only then starts the operating system. As such, manipulating the MBR causes the operating system to fail to start. From the average user’s standpoint, instead of the operating system loading and presenting a login screen or desktop, they see a command-line view with a taunting message from the attacker splashed across the screen.

From a technical point of view, malware that ‘locks’ the MBR typically copies the original MBR to another part of the drive and overwrites the original MBR with the malware author’s code. When the user attempts to boot or restart a device after the malware has done its work, the computer will load whatever code the malicious prankster has placed in the custom MBR. Instead of loading the operating system, the malware displays the attacker’s taunting or threatening message.
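A defender-side check for the tampering described above, as an added example that is not part of the original article: it parses the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compares the boot code against a baseline hash taken from a known-good machine. The sample MBRs, the baseline and the tampered boot code are all constructed here.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # boot code occupies bytes 0..445
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xAA"   # last two bytes of a valid MBR


def parse_mbr(sector: bytes):
    """Split a 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return sector[:BOOT_CODE_LEN], parts, sector[510:]


def check_mbr(sector: bytes, known_good_boot_hash: str):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    boot_code, parts, sig = parse_mbr(sector)
    findings = []
    if sig != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(boot_code).hexdigest() != known_good_boot_hash:
        findings.append("boot code differs from known-good baseline")
    if not any(p["bootable"] for p in parts):
        findings.append("no partition marked bootable")
    if not any(p["type"] for p in parts):
        findings.append("partition table empty")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code plus one bootable type-0x07 partition."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot + entry + b"\x00" * 48 + BOOT_SIG


GOOD_MBR = make_sample_mbr(b"\xEB\x3C\x90" + b"constructed good boot code")
BASELINE = hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()
# A locker replaces the boot code; the partition table is usually left intact.
LOCKED_MBR = make_sample_mbr(b"\xB8\x00\x00" + b"constructed tampered code")
```

On a live system the 512 bytes would be read from the raw disk device (administrator rights required) and the baseline stored off-host.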

MBRLockers have been around for a long time and are relatively unsophisticated malware. The tools to create these have been around since 2011 or so, and are widely available.

Over the last year we have seen something of a resurgence in the use of MBRLockers, resulting from some ‘aggressive’ advertising through Youtube, Discord, and similar social media platforms. Recently there have been multiple attacks observed leveraging this tool, outside of the ‘SentinelOne Labs’ focused example. Most are far more generic in nature, prompting victims to communicate with the attackers, via email, to receive the “unlock code”. Some of these are scams, others are genuine ransomware attempts, and still others are just purely destructive.

Often, an MBRLocker is not as fatal as it may seem. In some cases, victims have found that they can escape the custom MBR and restore the original by using the keychord “CTL+ALT+ESC”. However, this does not work on all variants, including the one released this week that has attracted so much attention.

If you have been affected by this recent MBRLocker on an unprotected machine, the primary mitigation is to restore from a known-good backup. As MBRLockers are typically spread through download sites offering cracked versions of commercial software, be sure that your users are avoiding such sites and ensure your devices are protected by a trusted security solution.

Does SentinelOne Protect Against MBRLocker?

Yes, it does. As demonstrated in the video below, the SentinelOne platform protects customers from all variants of MBRLocker.

Conclusion

Defenders are used to dealing with cybercriminals that are motivated by profit, whether that comes from ransomware, adware, business email compromise, cryptomining, data theft or any one of the other myriad scams they come up with. Crude wiper malware like the one we’ve seen this week is just a destructive prank that yields only two things for the perpetrators: thrills and publicity. For victims without the protection of a modern security solution, it’s nothing but misery. Therein lies the one thing that such pranksters do have in common with professional cybercriminals: a lack of concern for the damage they do.
