Microsoft launches industry-specific cloud solutions, starting with healthcare

Microsoft today announced the launch of the Microsoft Cloud for Healthcare, an industry-specific cloud solution for healthcare providers. This is the first in what is likely going to be a set of cloud offerings that target specific verticals and extends a trend we’ve seen among large cloud providers (especially Google) that tailor specific offerings to the needs of individual industries.

“More than ever, being connected is critical to create an individualized patient experience,” writes Tom McGuinness, corporate vice president, Worldwide Health at Microsoft, and Dr. Greg Moore, corporate vice president, Microsoft Health, in today’s announcement. “The Microsoft Cloud for Healthcare helps healthcare organizations to engage in more proactive ways with their patients, allows caregivers to improve the efficiency of their workflows and streamline interactions with patients with more actionable results.”

Like similar Microsoft-branded offerings from the company, Cloud for Healthcare is about bringing together a set of capabilities that already exist inside of Microsoft. In this case, that includes Microsoft 365, Dynamics, Power Platform and Azure, including Azure IoT for monitoring patients. The solution sits on top of a common data model that makes it easier to share data between applications and analyze the data they gather.

“By providing the right information at the right time, the Microsoft Cloud for Healthcare will help hospitals and care providers better manage the needs of patients and staff and make resource deployments more efficient,” Microsoft says in its press materials. “This solution also improves end-to-end security compliance and accessibility of data, driving better operational outcomes.”

Since Microsoft never passes up a chance to talk up Teams, the company also notes that its communications service will allow healthcare workers to more efficiently communicate with each other, but it also notes that Teams now includes a Bookings app to help its users — including healthcare providers — schedule, manage and conduct virtual visits in Teams. Some of the healthcare systems that are already using Teams include St. Luke’s University Health Network, Stony Brook Medicine, Confluent Health and Calderdale & Huddersfield NHS Foundation Trust in the U.K.

In addition to Microsoft’s own tools, the company is also working with its large partner ecosystem to provide healthcare providers with specialized services. These include the likes of Epic, Allscripts, GE Healthcare, Adaptive Biotechnologies and Nuance.

Ukraine Nabs Suspect in 773M Password ‘Megabreach’

In January 2019, dozens of media outlets raised the alarm about a new “megabreach” involving the release of some 773 million stolen usernames and passwords that was breathlessly labeled “the largest collection of stolen data in history.” A subsequent review by KrebsOnSecurity quickly determined the data was years old and merely a compilation of credentials pilfered from mostly public data breaches. Earlier today, authorities in Ukraine said they’d apprehended a suspect in the case.

The Security Service of Ukraine (SBU) on Tuesday announced the detention of a hacker known as Sanix (a.k.a. “Sanixer“) from the Ivano-Frankivsk region of the country. The SBU said they found on Sanix’s computer records showing he sold databases with “logins and passwords to e-mail boxes, PIN codes for bank cards, e-wallets of cryptocurrencies, PayPal accounts, and information about computers hacked for further use in botnets and for organizing distributed denial-of-service (DDoS) attacks.”

Items SBU authorities seized after raiding Sanix’s residence. Image: SBU.

Sanix became famous last year for posting to hacker forums that he was selling the 87GB password dump, labeled “Collection #1.” Shortly after his sale was first detailed by Troy Hunt, who operates the HaveIBeenPwned breach notification service, KrebsOnSecurity contacted Sanix to find out what all the fuss was about. From that story:

“Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his ‘freshest’ offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which he said are not all pictured in the above screen shot and total more than 4 terabytes in size, are less than a year old, Sanixer explained.”

Alex Holden, chief technology officer and founder of Milwaukee-based Hold Security, said Sanixer’s claim to infamy was simply for disclosing the Collection #1 data, which was just one of many credential dumps amalgamated by other cyber criminals.

“Today, it is even a more common occurrence to see mixing new and old breached credentials,” Holden said. “In fact, large aggregations of stolen credentials have been around since 2013-2014. Even the original attempt to sell the Yahoo breach data was a large mix of several previous unrelated breaches. Collection #1 was one of many credentials collections output by various cyber criminals gangs.”

Sanix was far from a criminal mastermind, and left a long trail of clues that made it almost child’s play to trace his hacker aliases to the real-life identity of a young man in Burshtyn, a city located in Ivano-Frankivsk Oblast in western Ukraine.

Still, perhaps Ukraine’s SBU detained Sanix for other reasons in addition to his peddling of Collection #1. According to cyber intelligence firm Intel 471, Sanix has stayed fairly busy selling credentials that would allow customers to remotely access hacked resources at several large organizations. For example, as recently as earlier this month, Intel 471 spotted Sanix selling access to nearly four dozen universities worldwide, and to a compromised VPN account for the government of San Bernardino, Calif.

KrebsOnSecurity is covering Sanix’s detention mainly to close the loop on an incident that received an incredible amount of international attention. But it’s also another excuse to remind readers about the importance of good password hygiene. A core reason so many accounts get compromised is that far too many people have the nasty habit(s) of choosing poor passwords, re-using passwords and email addresses across multiple sites, and not taking advantage of multi-factor authentication options when available.

By far the most important passwords are those protecting our email inbox(es). That’s because in nearly all cases, the person who is in control of that email address can reset the password of any services or accounts tied to that email address – merely by requesting a password reset link via email. For more on this dynamic, please see The Value of a Hacked Email Account.

Your email account may be worth far more than you imagine.

And instead of thinking about passwords, consider using unique, lengthy passphrases — collections of words in an order you can remember — when a site allows it. In general, a long, unique passphrase takes far more effort to crack than a short, complex one. Unfortunately, many sites do not let users choose passwords or passphrases that exceed a small number of characters, or they will otherwise allow long passphrases but ignore anything entered after the character limit is reached.

If you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong and unique passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.

Finally, if you haven’t done so lately, mosey on over to twofactorauth.org and see if you are taking full advantage of the strongest available multi-factor authentication option at sites you trust with your data. The beauty of multi-factor is that even if thieves manage to guess or steal your password just because they hacked some Web site, that password will be useless to them unless they can also compromise that second factor — be it your mobile device, phone number, or security key. Not saying these additional security methods aren’t also vulnerable to compromise (they absolutely are), but they’re definitely better than just using a password.

Windows Security Essentials | Preventing 4 Common Methods of Credentials Exfiltration

In our recent article Exploring an NTLM Brute Force Attack with Bloodhound, we explored how attackers are still abusing the NTLM authentication protocol. In this post, we will elaborate more generally about basic attacks against SAM, LSA secrets, SYSKEY and LSASS. We will explain how attackers use these to get credentials from a Windows machine in order to highlight the importance of having these methods monitored by security teams. Although these are well-known and relatively simple credential stealing attacks, they are still used in the wild, which suggests that there are security teams overlooking these tried-and-trusted techniques.

Seeking clear text credentials via LSASS or acquiring the SAM for the NTLM or LSA keys for its secrets has great value to attackers. Just having access to a machine won’t satisfy an attacker when they can do far more with valid credentials at their disposal across multiple steps of the ‘Kill Chain’.

Consequently, credential dumping is frequently used by attackers during lateral movement. Having obtained account login names and passwords, attackers can spread further through an organization’s network, access restricted data, and execute commands and programs with higher privileges.

Overview of Credentials Exfiltration

At a high level, a potential attacker will want to do the following:

1. Obtain the NTLM hash(es) for offline cracking and manipulation.

  • HKLM\SAM: contains the NTLMv2 hashes of users’ passwords
  • HKLM\SECURITY: contains cached domain records and LSA secrets/LSA keys
  • HKLM\SYSTEM – aka SYSKEY: contains keys that could be used to encrypt the LSA secrets and the SAM database

2. Dump LSASS, either to get the clear text password, or just the NTLM hashes (depending on the version of Windows being targeted).

Note: the functionality and the information stored may vary. For example, there are differences between machines that are in an Active Directory domain versus those that are not.

Now let’s dig into the details of the different components mentioned above.

1. SAM: HKLM\SAM

The Security Account Manager (SAM) database is where Windows stores information about user accounts. It stores usernames and hashes of user passwords, and it is used to authenticate users when they try to log in and provide their password.

Hash length and complexity vary according to the algorithm used to encrypt the password. This may be a simple DES-based LM (Lan Manager) encryption algorithm or one of the two versions of the NTHash algorithm: NTLMv1 or NTLMv2, both of which output 32 hexadecimal digits and are derived from the MD4 digest.

One of the most common methods of gaining user passwords is to dump the SAM database, either with a tool that can extract the password hashes or by directly copying the registry hive to a file [reg.exe save hklm\SAM] and working on it offline with a software utility to extract the stored user account password hashes.

Once the LM or NTLM hash has been gained, an offline brute force on the password hash can be performed, as explained in more detail later in this post.


2. LSA secrets: HKLM\SECURITY

LSA secrets is a storage used by the Local Security Authority (LSA) in Windows.

The purpose of the Local Security Authority is to manage a system’s local security policy, so by definition it means it will store private data regarding user logins, authentication of users and their LSA secrets, among other things. Access to the LSA secret storage is only granted to SYSTEM account processes.

LSA secrets stores sensitive system data, such as:

  • Users passwords
  • Internet Explorer passwords
  • Service account passwords (Services on the machine that require authentication with secret)
  • Cached domain password encryption key
  • SQL passwords
  • SYSTEM account passwords
  • Account passwords for configured scheduled tasks
  • Time left until the expiration of an unactivated copy of Windows

and much more. Early implementations of LSA secrets were quickly cracked and tools like mimikatz can also dump LSA secrets from memory and registry hives on some versions of Windows.

3. SYSKEY: HKLM\SYSTEM

Syskey, also known as the SAM Lock Tool, existed in older Windows versions. This feature’s purpose is to encrypt the Security Account Manager database (SAM) and thus afford an extra layer of protection to the SAM during machine boot up.

Syskey only protects the security data when the operating system isn’t running. When the OS is up, the Syskey value is loaded into memory so it can later decrypt the SAM. HKLM\SAM is linked to the SECURITY subkey under HKLM\SECURITY\SAM.

The Syskey feature has been discontinued since 2017, but it can be found under HKLM\SYSTEM on relevant versions of Windows where it is turned on and configured.

4. Dumping Credentials with LSASS

Until the release of Windows 8, using mimikatz on Windows could get the credentials in clear text from the Local Security Authority Subsystem Service (LSASS).

Several fixes were suggested over time, each of which hardens LSASS usage, making it harder to get even the hashed password. In Windows 10 Enterprise, Credential Guard is also available to isolate the LSASS process even from users with SYSTEM privileges.

Mimikatz password extraction on Windows 7:

We can see the changes when running the tool against Windows 10. We don’t see the clear text password, but we do acquire the NTLMv1 hash.
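The two collection paths described in sections 1 to 4 (copying the SAM, SECURITY and SYSTEM hives with reg.exe save, and opening LSASS for a memory read) both leave telemetry a security team can alert on. The PowerShell below is an added example written for this page, not code from the SentinelOne post: it runs two simple detection rules over a handful of constructed, normalized event records shaped like Windows Security event 4688 (process creation, with command-line auditing enabled) and Sysmon event 10 (ProcessAccess). The allowlist of legitimate LSASS readers is an assumption for the demo and would be tuned per environment.

```powershell
# Added example (not from the SentinelOne post): a small detection pass over
# constructed, normalized Windows telemetry. The record shapes mirror Security
# event 4688 (process creation with command-line auditing) and Sysmon event 10
# (ProcessAccess); every record below is made up for the demo.

# Registry hives the post lists as credential stores: HKLM\SAM, HKLM\SECURITY, HKLM\SYSTEM
$HivePattern = '(?i)\b(hklm|hkey_local_machine)\\(sam|security|system)\b'

# PROCESS_VM_READ (0x0010) is required to read another process's memory
$PROCESS_VM_READ = 0x0010

# Images that legitimately open LSASS with read access differ per environment;
# this allowlist is an assumption for the demo, not a recommendation.
$LsassReaderAllowlist = @('C:\Program Files\Windows Defender\MsMpEng.exe')

function Test-HiveDumpCommand {
    param([string]$CommandLine)
    # reg.exe save / reg export of the SAM, SECURITY or SYSTEM hive
    return (($CommandLine -match '(?i)\breg(\.exe)?\s+(save|export)\b') -and
            ($CommandLine -match $HivePattern))
}

function Test-LsassAccess {
    param([string]$SourceImage, [string]$TargetImage, [string]$GrantedAccess)
    # Only handles opened on lsass.exe are of interest here
    if ($TargetImage -notmatch '(?i)\\lsass\.exe$') { return $false }
    if ($LsassReaderAllowlist -contains $SourceImage) { return $false }
    # Sysmon reports GrantedAccess as a hex string such as 0x1010
    $mask = [Convert]::ToInt64(($GrantedAccess -replace '^0x', ''), 16)
    return (($mask -band $PROCESS_VM_READ) -ne 0)
}

function Find-CredentialDumpIndicators {
    param([object[]]$Events)
    $findings = @()
    foreach ($e in $Events) {
        switch ($e.EventId) {
            4688 {
                if (Test-HiveDumpCommand $e.CommandLine) {
                    $findings += "[T1003] registry hive dump by $($e.User): $($e.CommandLine)"
                }
            }
            10 {
                if (Test-LsassAccess $e.SourceImage $e.TargetImage $e.GrantedAccess) {
                    $findings += "[T1003] LSASS memory read from $($e.SourceImage) (access $($e.GrantedAccess))"
                }
            }
        }
    }
    return ,$findings
}

# Constructed sample records (not real telemetry)
$SampleEvents = @(
    [pscustomobject]@{ EventId = 4688; User = 'CORP\jdoe'; CommandLine = 'reg.exe save HKLM\SAM C:\Users\Public\sam.save' }
    [pscustomobject]@{ EventId = 4688; User = 'CORP\jdoe'; CommandLine = 'reg.exe query HKLM\Software\Microsoft\Windows' }
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Users\Public\tool.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1010' }
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Program Files\Windows Defender\MsMpEng.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1010' }
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Windows\System32\svchost.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000' }
)

Find-CredentialDumpIndicators $SampleEvents
```

The script needs no event log access because the records are embedded, so it runs in any PowerShell session. Of the five records, two are flagged: the reg.exe save of HKLM\SAM and the 0x1010 handle to lsass.exe from the unknown binary; the reg query, the allowlisted Defender engine and the 0x1000 handle (no PROCESS_VM_READ bit) are not. In production the same two functions would be fed from Get-WinEvent output instead of the sample array.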

Password Extraction from NTLMv2 Hash

There are many ways to get the NTLM hash if you do not have local access to the target machine.

The Responder tool is one of the more popular tools used for this task.


Example of the NTLMv2 hash that we can output with the Responder tool:

admin::M57oDBrlht:08ca45b7d6da58ee:88dcbe4346168966a153a0064958dae6:5b6740315c7830310000000000000b45c67103d07d7b95acd12dea11230e0000000052920b85f78d013c31cdb3b92f5d765c783030

This tool has many capabilities, but one that is relevant here is the ability to prompt users for credentials when certain network services are requested. This can result in clear text passwords or password hashes. 

For this attack, the tool is used to capture LLMNR packets and extract the hash from the challenge/response. We set up the tool to listen for the right packets on the network, and then from the victim machine we try to reach a network resource that doesn’t actually exist. This way we are able to capture the traffic, and from there we get the NTLM hash.

From a Windows machine I was trying to access a non-existent share with the name “MadeUpNetworkShare”, and the tool ran on a machine on the same network and recorded the challenge/response, which disclosed the NTLM hashes.

How Can We Use Password Hashes?

Now that we have the hash, we have a couple of options to try and extract the clear text password.

Dictionary attack/Brute force attack – This method involves the use of a wordlist to compare against the passwords. We can use publicly available tools for this kind of work such as John the Ripper, hashcat, Cain & Abel, and Ophcrack, among others.

Rainbow table attack – This is more suitable when trying to crack a hash, but it relies on having an existing database of possible passwords and their pre-computed hashes.

Example of cracking NTLMv1 password with rainbow table (taken from https://crackstation.net/):

Note that only known, unsalted hashes can be reversed from hash to password in this way.

If the password is too hard to crack, we have other options such as a pass the hash attack. This involves leveraging any services on the network that authenticate by using a hash of the password rather than the password itself. A good example of this is psexec and other services that communicate over SMB.

Recommendations to Prevent Credentials Exfiltration

In order to prevent credential dumping and exfiltration, it is recommended that organizations ensure that any older systems on the network do not still have LM encrypted passwords in the SAM database, and that LM (disabled by default) has not been enabled on newer systems. LM passwords use only a limited character set and are trivial to crack.

It is also recommended that NTLMv1 be disabled. It is relatively easy to extract the password from an NTLMv1 hash, and as long as it wasn’t configured otherwise, most services that will work with NTLMv1 should also work with NTLMv2.

One way to ensure that both LM and NTLMv1 are disabled is from the GPO page:

Make the following configuration changes in the GPO to prevent usage of NTLMv1:

It’s not trivial to crack the NTLMv2 hash if the password is long and unique. Also, having the hash won’t necessarily give an attacker an advantage if there are no services that authenticate with NTLM hashes.

It is also recommended that Credential Guard be enabled on Windows 10 machines that support it for extra protection for NTLM and Kerberos credentials.
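The recommendations in this section map to a few local settings that can be audited without changing anything. The PowerShell below is an added example for this page, not code from the SentinelOne post: it reads the LSA registry values behind the GPO settings shown above (LmCompatibilityLevel, NoLMHash), the LSA protection flag (RunAsPPL), the LLMNR policy value (EnableMulticast, which governs the name-resolution traffic that Responder relies on) and Credential Guard’s running state via the Win32_DeviceGuard class, and compares each with the hardened value. The LLMNR and LSA-protection checks go slightly beyond the post’s own list; the hardened values are the documented ones, and a missing value means the OS default applies rather than an explicit setting.

```powershell
# Added example (not from the SentinelOne post): read-only audit of the local
# settings behind the post's recommendations. Registry paths, value names and
# the Win32_DeviceGuard class are the documented Windows ones; nothing is changed.

$Lsa             = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$DnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, i.e. the OS default applies
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-CredentialHardeningStatus {
    $checks = @(
        # 5 = send NTLMv2 response only, refuse LM and NTLM (the GPO setting above)
        @{ Name = 'LmCompatibilityLevel (5 = NTLMv2 only, refuse LM & NTLMv1)'; Value = (Get-RegValueOrNull $Lsa 'LmCompatibilityLevel'); Expected = 5 }
        # 1 = LM hashes are no longer stored in the SAM at the next password change
        @{ Name = 'NoLMHash (1 = LM hashes not stored)'; Value = (Get-RegValueOrNull $Lsa 'NoLMHash'); Expected = 1 }
        # 1 = LSA protection, LSASS runs as a protected process
        @{ Name = 'RunAsPPL (1 = LSA protection enabled)'; Value = (Get-RegValueOrNull $Lsa 'RunAsPPL'); Expected = 1 }
        # 0 = LLMNR disabled by policy, removing the traffic Responder poisons
        @{ Name = 'EnableMulticast (0 = LLMNR disabled)'; Value = (Get-RegValueOrNull $DnsClientPolicy 'EnableMulticast'); Expected = 0 }
    )

    # Credential Guard reports itself through Win32_DeviceGuard:
    # SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
    $cgRunning = [int](($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1))
    $checks += @{ Name = 'Credential Guard running (1 = yes)'; Value = $cgRunning; Expected = 1 }

    foreach ($c in $checks) {
        $current = if ($null -eq $c.Value) { 'not set (OS default)' } else { $c.Value }
        [pscustomobject]@{
            Check    = $c.Name
            Current  = $current
            Expected = $c.Expected
            Pass     = ($c.Value -eq $c.Expected)
        }
    }
}

Get-CredentialHardeningStatus | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the machine being checked. A Pass of False on LmCompatibilityLevel or NoLMHash is exactly the condition the GPO changes above are meant to fix; a False on the Credential Guard row on a Windows 10 Enterprise host with virtualization-based security available is the case the last recommendation addresses.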

The most effective way for an organization to reduce its attack surface and protect against credential exfiltration is by deploying a next-gen security solution like SentinelOne that uses machine learning and Active EDR.

Final Thoughts

These basic attacks can be prevented by paying attention to your network architecture and the services being used in your environment. In particular, these kinds of attacks are most effective against Windows 7 (and below) targets, which despite their EOL status are still prevalent across many enterprise networks. These days, many organizations are rightly using more secure implementations like Kerberos in a group domain to avoid exactly the kind of vulnerabilities discussed here, as well as deploying a trusted, next-gen endpoint security platform to protect their devices and network.
 

MITRE ATT&CK References

Credential Dumping – T1003
Pass the Hash – T1075
Brute Force – T1110



Electric gets another $7 million in funding from 01 Advisors and the Slack Fund

Electric, a platform that aims to put IT departments in the cloud, today announced new funding following a continuation of its Series B earlier this year.

Dick Costolo and Adam Bain (01 Advisors) and the Slack Fund participated in the $7 million capital infusion.

01 Advisors put up the majority of the financing ($5 million) with the Slack Fund putting up a little under $1 million and other insiders covering the rest, according to Electric founder and CEO Ryan Denehy.

The funding situation with Electric is a bit unique. Electric raised a $25 million Series B round led by GGV in January of 2019. In March of this year, just before the lockdown, the company reopened the Series B at a higher valuation to make room for Dick Costolo and Adam Bain, raising an additional $14.5 million.

Then the coronavirus pandemic rocked the globe. On Monday March 9, the stock market felt it, triggering a temporary halt on trading. The following week was total financial chaos.

That’s when Adam Bain called up Denehy again. They ‘rapped out’ about the potential for Electric during this turbulent time.

“The increase in remote work is going to be dramatic,” said Denehy, relaying his conversation with Bain. “Larger companies are going to get smarter about budgeting and there is a lot of urgency for them to find ways to spend money around back office tasks like IT more efficiently. Electric becomes more appealing because, dollar for dollar, it’s a lot more efficient than building a big IT department.”

The first week of April, Bain called Denehy again, this time saying that 01 Advisors wanted to put in more money into Electric.

Electric is a platform designed to support the existing IT department of an organization, or in some cases, replace an outsourced IT department. Most of IT’s responsibilities focus on administration, distribution and maintenance of software programs. Electric allows IT to install its software on every corporate machine, giving the department a bird’s-eye view of the organization’s IT situation. It also aims to give IT departments more time to focus on real problem-solving and troubleshooting tasks.

From their own machine, lead IT professionals can grant and revoke permissions, assign roles and ensure all employees’ software is up to date.

Electric is also integrated with the APIs of top software programs, like Dropbox and G-suite, letting IT handle most of their day-to-day tasks through the Electric dashboard. Moreover, Electric is also integrated with Slack, letting folks within the organization flag an issue or ask a question from the platform where they spend the most time.

“The biggest challenge for Electric is keeping up with demand,” said Jason Spinell from the Slack Fund, who also mentioned that he passed on investing in Electric’s seed round and is “excited to sort of rectify [his] mistake.”

Electric also added a new self-service product that can live in the dock, letting employees look at all the software applications provided by the organization from their remote office.

“There are so many stretched IT departments now that have to do a lot more with a lot less,” said Denehy. “There are also companies who were working with an outsourced IT provider and relied on them showing up to the office a few times a week, and all of a sudden that doesn’t work anymore.”

In the current ecosystem, Electric is continuing to spend on marketing, and it has seen a 180 percent increase in interest from potential clients in the pipeline, according to Denehy.

Editor’s Note: This article has been updated to reflect the accurate amount invested by participants in the round.

GO1, an enterprise learning platform, picks up $40M from Microsoft, Salesforce and more

With a large proportion of knowledge workers now doing their jobs from home, the need for tools to help them feel connected to their profession can be as important as tools to, more practically, keep them connected. Today, a company that helps do precisely that is announcing a growth round of funding after seeing engagement on its platform triple in the last month.

GO1.com, an online learning platform focused specifically on professional training courses (both those to enhance a worker’s skills as well as those needed for company compliance training), is today announcing that it has raised $40 million in funding, a Series C that it plans to use to continue expanding its business. The startup was founded in Brisbane, Australia and now has operations also based out of San Francisco — it was part of a Y Combinator cohort back in 2015 — and more specifically, it wants to continue growth in North America, and to continue expanding its partner network.

GO1 is not disclosing its valuation, but we are asking. It’s worth pointing out that not only has it seen engagement triple in the last month as companies turn to online learning to keep users connected to their professional lives even as they work among children and house pets, noisy neighbours, dirty laundry, sourdough starters, and the rest (and that’s before you count the harrowing health news we are hit with on a regular basis). But even beyond that, longer term GO1 has shown some strong signs that speak of its traction.

It counts the likes of the University of Oxford, Suzuki, Asahi and Thrifty among its 3,000+ customers, with more than 1.5 million users overall able to access over 170,000 courses and other resources provided by some 100 vetted content partners. Overall usage has grown five-fold over the last 12 months. (GO1 works with in-house learning management systems or provides its own.)

“GO1’s growth over the last couple of months has been unprecedented and the use of online tools for training is now undergoing a structural shift,” said Andrew Barnes, CEO of GO1, in a statement. “It is gratifying to fill an important void right now as workers embrace online solutions. We are inspired about the future that we are building as we expand our platform with new mediums that reach millions of people every day with the content they need.”

The funding is coming from a very strong list of backers: it’s being co-led by Madrona Venture Group and SEEK — the online recruitment and course directory company that has backed a number of edtech startups, including FutureLearn and Coursera — with participation also from Microsoft’s venture arm M12; new backer Salesforce Ventures, the investing arm of the CRM giant; and another previous backer, Our Innovation Fund.

Microsoft is a strategic backer: GO1 integrated with Teams, so now users can access GO1 content directly via Microsoft’s enterprise-facing video and messaging platform.

“GO1 has been critical for business continuity as organizations navigate the remote realities of COVID-19,” said Nagraj Kashyap, Microsoft Corporate Vice President and Global Head of M12, in a statement. “The GO1 integration with Microsoft Teams offers a seamless learning experience at a time when 75 million people are using the application daily. We’re proud to invest in a solution helping keep employees learning and businesses growing through this time.”

Similarly, Salesforce is also coming in as a strategic investor, integrating GO1 into its own online personal development products and initiatives.

“We are excited about partnering with GO1 as it looks to scale its online content hub globally. While the majority of corporate learning is done in person today, we believe the new digital imperative will see an acceleration in the shift to online learning tools. We believe GO1 fits well into the Trailhead ecosystem and our vision of creating the life-long learner journey,” said Rob Keith, Head of Australia, Salesforce Ventures, in a statement.

Working remotely has raised a whole new set of challenges for organizations, especially those whose employees typically have never before worked for days, weeks and months outside of the office.

Some of these have been challenges of a more basic IT nature: getting secure access to systems on the right kinds of machines and making sure people can communicate in the ways that they need to to get work done.

But others are more nuanced and long-term but actually just as important, such as making sure people remain in a healthy state of mind about work. Education is one way of getting them on the right track: professional development is not only useful for the person to do her or his job better, but it’s a way to motivate people, to focus their minds, and take a rest from their routines, but in a way that still remains relevant to work.

GO1 is absolutely not the only company pursuing this opportunity. Others include Udemy and Coursera, which have both come to enterprise after initially focusing more on traditional education plays. And LinkedIn Learning (which used to be known as Lynda, before LinkedIn acquired it and shifted the branding) was a trailblazer in this space.

For these, enterprise training sits in a different strategic place to GO1, which started out with compliance training and onboarding of employees before gravitating into a much wider set of topics that range from photography and design, through to Java, accounting, and even yoga and mindfulness training and everything in between.

It’s perhaps this directional approach, alongside its success, that has set GO1 apart from the competition and attracted the investment, which seems to have come ahead even of the current boost in usage.

“We met GO1 many months before COVID-19 was on the tip of everyone’s tongue and were impressed then with the growth of the platform and the ability of the team to expand their corporate training offering significantly in North America and Europe,” commented S. Somasegar, managing director, Madrona Venture Group, in a statement. “The global pandemic has only increased the need to both provide training and retraining – and also to do it remotely. GO1 is an important link in the chain of recovery.” As part of the funding Somasegar will join the GO1 board of directors.

Notably, GO1 is currently making all COVID-19 related learning resources available for free “to help teams continue to perform and feel supported during this time of disruption and change,” the company said.

Verizon wraps up BlueJeans acquisition lickety split

When Verizon (which owns this publication) announced it was buying video conferencing company BlueJeans for around $500 million last month, you probably thought it was going to take a while to bake, but the companies announced today that they have closed the deal.

While it’s crystal clear that video conferencing is a hot item during the pandemic, all sides maintained that this deal was about much more than the short-term requirements of COVID-19. In fact, Verizon saw an enterprise-grade video conferencing platform that would fit nicely into its 5G strategy around things like tele-medicine and online learning.

They believe these needs will far outlast the current situation, and BlueJeans puts them in good shape to carry out a longer-term video strategy, especially on the burgeoning 5G platform. As BlueJeans’ CEO Quentin Gallivan and co-founders Krish Ramakrishnan and Alagu Periyannan reiterated in a blog post today announcing the deal has been finalized, they saw a lot of potential for growth inside the Verizon Business family that would have been difficult to achieve as a stand-alone company.

“Today, organizations are relying on connectivity and digital communications now more than ever. As Verizon announced, adding BlueJeans’ trusted, enterprise-grade video conferencing and event platform to the company’s Advanced Communications portfolio is critical to keep businesses, from small organizations to some of the world’s largest multinational brands, operating at the highest level,” the trio wrote.

As Alan Pelz-Sharpe, founder and principal analyst at Deep Analysis told TechCrunch at the time of the acquisition announcement, Verizon got a good deal here.

“Verizon is getting one of the only true enterprise-grade online conferencing systems in the market at a pretty low price,” he told TechCrunch. “On one level, all these systems do pretty much the same thing, but BlueJeans has always prided itself on superior sound and audio quality. It is also a system that scales well and can handle large numbers of participants as well, if not better, than its nearest competitors.”

BlueJeans brings with it 15,000 enterprise customers. It has raised $175 million since its founding in 2009.

Arculus raises €16M to upgrade assembly lines with its ‘modular production platform’

Arculus, the Ingolstadt, Germany-based startup that has developed a “modular production platform” to bring assembly lines into the 21st century, has raised €16 million in Series A investment.

Leading the round is European venture firm Atomico, with participation from Visionaries Club and previous investor La Famiglia. Arculus says it will use the injection of capital to “strengthen product development, broaden customer base and prepare for a global rollout”.

As part of the investment, Atomico partner Siraj Khaliq is joining the Arculus board. (Khaliq seems to be on a bit of a run at the moment after quietly leading the firm’s investment in quantum computing company PsiQuantum last month.)

Founded in 2016, Arculus already works with some of the leading manufacturing companies across a range of industries. They include Siemens in robotics, heating, ventilation and air conditioning, Viessmann in logistics, and Audi in automotive.

Its self-described mission is to transform the “one-dimensional” assembly line of the 20th century into a more flexible modular production process that is capable of manufacturing today’s most complex products in a much more efficient way.

Instead of a single line with a conveyor belt, a factory powered by Arculus’ hardware and software is made up of modules in which individual tasks are performed and the company’s robots — dubbed “arculees” — move objects between these modules automatically based on which stations are free at that moment. Underlying this system is the assembly priority chart, a tree of interdependencies that connects all the processes needed to complete individual products.

That’s in contrast to more traditional linear manufacturing, which, claims Arculus, hasn’t been able to keep up as demand for customisation increases and “innovation cycles speed up”.

Explains Fabian Rusitschka, co-founder and CEO of Arculus: “Manufacturers can hardly predict what their customers will demand in the future, but they need to invest in production systems designed for specific outputs that will last for years. With Modular Production we can now ensure optimal productivity for our customers, whatever the volume or mix. This technological shift in manufacturing, from linear to bespoke, has been long overdue but for manufacturers looking ahead at the coming decades of shifting consumer buying behaviours it is mission critical to survival”.

To that end, Arculus is making some bold claims, namely that the company’s technology increases worker productivity by 30% and reduces space consumption by 20%. It also reckons it can save its customers up to €155 million per plant every year “at full implementation”.

Siraj Khaliq, Partner at Atomico, says the manufacturing sector “is huge and the inefficiencies are well known”.

“We estimate that the auto industry alone could save nearly $100bn, were all manufacturers to adopt Arculus’s modular production technology,” he tells TechCrunch. “And beyond auto, their technology applies to any linear/assembly line manufacturing process – in time perhaps a tenfold greater market still. We’ve already seen the Covid-19 crisis hugely boost interest in the wave of startups democratizing automation, as companies try to build resilience into their supply chains. If you’re an exec thinking through this kind of thing right now, the way we see it, using Arculus’s technology is just common sense”.

Asked why it is only now that assembly lines can be reinvented, the Atomico VC says a number of building blocks weren’t in place until now. They include cheap, versatile sensors, reliable connectivity, “sufficiently powerful compute resources”, machine vision, and “learning-driven” control systems.

“And even if the tech could have been deployed, the motivation doesn’t come until you buckle under the pressure of increasing product customisation,” he says. “High-speed linear production lines are pretty efficient if you’re only producing one thing, ideally in one colour. But as this has become less and less the case, the industry reacted by incrementally improving, such as adding sub-assemblies that feed into the main line. You can only go so far with that… to be really efficient you’ve got to start fresh and be modular from the ground up. That’s hard”.

Meanwhile, Arculus also counts a number of German entrepreneurs as previous backers. They include Hakan Koc (founder of Auto 1), Johannes Reck (founder of GetYourGuide), Valentin Stalf (founder of N26), as well as the founders of Flixbus.

This Service Helps Malware Authors Fix Flaws in their Code

Almost daily now there is news about flaws in commercial software that lead to computers getting hacked and seeded with malware. But the reality is most malicious software also has its share of security holes that open the door for security researchers or ne’er-do-wells to liberate or else seize control over already-hacked systems. Here’s a look at one long-lived malware vulnerability testing service that is used and run by some of the Dark Web’s top cybercriminals.

It is not uncommon for crooks who sell malware-as-a-service offerings such as trojan horse programs and botnet control panels to include backdoors in their products that let them surreptitiously monitor the operations of their customers and siphon data stolen from victims. More commonly, however, the people writing malware simply make coding mistakes that render their creations vulnerable to compromise.

At the same time, security companies are constantly scouring malware code for vulnerabilities that might allow them to peer inside the operations of crime networks, or to wrest control over those operations from the bad guys. There aren’t a lot of public examples of this anti-malware activity, in part because it wades into legally murky waters. More importantly, talking publicly about these flaws tends to be the fastest way to get malware authors to fix any vulnerabilities in their code.

Enter malware testing services like the one operated by “RedBear,” the administrator of a Russian-language security site called Krober[.]biz, which frequently blogs about security weaknesses in popular malware tools.

For the most part, the vulnerabilities detailed by Krober aren’t written about until they are patched by the malware’s author, who’s paid a small fee in advance for a code review that promises to unmask any backdoors and/or harden the security of the customer’s product.

RedBear’s profile on the Russian-language xss[.]is cybercrime forum.

RedBear’s service is marketed not only to malware creators, but to people who rent or buy malicious software and services from other cybercriminals. A chief selling point of this service is that, crooks being crooks, you simply can’t trust them to be completely honest.

“We can examine your (or not exactly your) PHP code for vulnerabilities and backdoors,” reads his offering on several prominent Russian cybercrime forums. “Possible options include, for example, bot admin panels, code injection panels, shell control panels, payment card sniffers, traffic direction services, exchange services, spamming software, doorway generators, and scam pages, etc.”

As proof of his service’s effectiveness, RedBear points to almost a dozen articles on Krober[.]biz which explain in intricate detail flaws found in high-profile malware tools whose authors have used his service in the past, including: the Black Energy DDoS bot administration panel; malware loading panels tied to the Smoke and Andromeda bot loaders; the RMS and Spyadmin trojans; and a popular loan scan script.

ESTRANGED BEDFELLOWS

RedBear doesn’t operate this service on his own. Over the years he’s had several partners in the project, including two very high-profile cybercriminals (or possibly just one, as we’ll see in a moment) who until recently operated under the hacker aliases “upO” and “Lebron.”

From 2013 to 2016, upO was a major player on Exploit[.]in — one of the most active and venerated Russian-language cybercrime forums in the underground — authoring almost 1,500 posts on the forum and starting roughly 80 threads, mostly focusing on malware. For roughly one year beginning in 2016, Lebron was a top moderator on Exploit.

One of many articles Lebron published on Krober[.]biz that detailed flaws found in malware submitted to RedBear’s vulnerability testing service.

In 2016, several members began accusing upO of stealing source code from malware projects under review, and then allegedly using or incorporating bits of the code into malware projects he marketed to others.

upO would eventually be banned from Exploit for getting into an argument with another top forum contributor, wherein both accused the other of working for or with Russian and/or Ukrainian federal authorities, and proceeded to publish personal information about the other that allegedly outed their real-life identities.

The cybercrime actor “upO” on Exploit[.]in in late 2016, complaining that RedBear was refusing to pay a debt owed to him.

Lebron first appeared on Exploit in September 2016, roughly two months before upO was banished from the community. After serving almost a year on the forum while authoring hundreds of posts and threads (including many articles first published on Krober), Lebron abruptly disappeared from Exploit.

His departure was prefaced by a series of increasingly brazen accusations by forum members that Lebron was simply upO using a different nickname. His final post on Exploit in May 2017 somewhat jokingly indicated he was joining an upstart ransomware affiliate program.

RANSOMWARE DREAMS

According to research from cyber intelligence firm Intel 471, upO had a strong interest in ransomware and had partnered with the developer of the Cerber ransomware strain, an affiliate program operating between Feb. 2016 and July 2017 that sought to corner the increasingly lucrative and competitive market for ransomware-as-a-service offerings.

Intel 471 says a rumor has been circulating on Exploit and other forums upO frequented that he was the mastermind behind GandCrab, another ransomware-as-a-service affiliate program that first surfaced in January 2018 and later bragged about extorting billions of dollars from hacked businesses when it closed up shop in June 2019.

Multiple security companies and researchers (including this author) have concluded that GandCrab didn’t exactly go away, but instead re-branded to form a more exclusive ransomware-as-a-service offering dubbed “REvil” (a.k.a. “Sodin” and “Sodinokibi”). REvil was first spotted in April 2019 after being installed by a GandCrab update, but its affiliate program didn’t kick into high gear until July 2019.

Last month, the public face of the REvil ransomware affiliate program — a cybercriminal who registered on Exploit in July 2019 using the nickname “UNKN” (a.k.a. “Unknown”) — found himself the target of a blackmail scheme publicly announced by a fellow forum member who claimed to have helped bankroll UNKN’s ransomware business back in 2016 but who’d taken a break from the forum on account of problems with the law.

That individual, using the nickname “Vivalamuerte,” said UNKN still owed him his up-front investment money, which he reckoned amounted to roughly $190,000. Vivalamuerte said he would release personal details revealing UNKN’s real-life identity unless he was paid what he claims he is owed.

In this Google-translated blackmail post by Vivalamuerte to UNKN, the latter’s former nickname was abbreviated to “L”.

Vivalamuerte also claimed UNKN has used four different nicknames, and that the moniker he interacted with back in 2016 began with the letter “L.” The accused’s full nickname was likely redacted by forum administrators because a search on the forum for “Lebron” brings up the same post even though it is not visible in any of Vivalamuerte’s threatening messages.

Reached by KrebsOnSecurity, Vivalamuerte declined to share what he knew about UNKN, saying the matter was still in arbitration. But he said he has proof that Lebron was the principal coder behind the GandCrab ransomware, and that the person behind the Lebron identity plays a central role in the REvil ransomware extortion enterprise as it exists today.

The Good, the Bad and the Ugly in Cybersecurity – Week 20

The Good

This week CISA (The Cybersecurity and Infrastructure Security Agency) released Alert AA20-133A. This alert is more of a summary bulletin covering the most commonly exploited vulnerabilities, both for the current year and trends from 2016 to 2019. It is a well-documented reminder that attackers are not always going to gravitate towards new zero-days or ultra-fancy exploitation. Most of the time, they use what works reliably and well. And unfortunately, attackers can usually rely on targets not being up to date with every possible security patch for every possible vendor.

The top 10 routinely exploited vulnerabilities between 2016 and 2019 were found to be:

The top routinely exploited vulnerabilities (so far) in 2020 are:

Those noted for 2020 are in addition to various MS Office 365, Teams, Zoom and other flaws that have come to attention as a result of the mass transition to work from home during the COVID-19 pandemic and resulting lockdown.

So, why is this good news? Accurate knowledge of attack trends is always a good thing. Environments that struggle to prioritize their assets and approach to risk management and mitigation can quickly use data like this to identify weaknesses in their environment and take appropriate action. The CISA alert also links to the various mitigation options for each CVE (vulnerability), allowing for quick action where needed.

The Bad

This week it was reported that the Israeli security cabinet held meetings to discuss a cyberattack against Israel’s water infrastructure. The attacks, according to various media outlets, have been attributed to Iran. While current intelligence suggests that there was no damage or negative outcome from the attack, it does represent a significant escalation of tensions between Iran and Israel.

The attacks themselves were originally reported to the INCD (Israeli National Cyber Directorate) in late April 2020. At that time, multiple operators of civilian water facilities reported “abnormal equipment operation” and “unexpected process behavior”. The attack was specifically pointed at exposed (internet-connected) PLCs (programmable logic controllers) contained in multiple facilities.

It’s fortunate that no damage resulted from this attack (unlike something…Stuxnet). However, the initial entry vector should definitely raise some alarms. The exposed PLCs required no authentication. All that was required to connect was knowledge of the specific controller’s management interface and the ports it listens on. Arguably, all of that is a quick Google search away from any potential attacker. It should be noted that the targeted PLCs spanned multiple vendors, so the attackers would have needed to take their time and gather essential information via thorough recon prior to the attack. The attackers were able to modify the process logic of the targeted controllers, but as stated prior, the only result was “abnormal behavior”.

Infrastructure attacks often present us with a somewhat scary juxtaposition: our most critical equipment is often the most exposed and the simplest to compromise. That mindset should inform security teams as they work to secure these systems. Following guidelines from CISA and DOE (Department of Energy) is key in staving off these types of attacks. Proper use of VPNs, MFA, user management/control, and true network segmentation will go a long way toward preventing more catastrophic scenarios. CISA also provides a number of tools that can be helpful in evaluating and strengthening your security posture.
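The failure mode above (controller management interfaces reachable from the internet, some with no authentication at all) is something a defender can check for in policy before an attacker finds it. The following is an added example, not code from the article, CISA or any PLC vendor: it evaluates a constructed asset inventory against a constructed first-match firewall rule set, once for a weak “remote support” catch-all rule and once for a segmented policy that only admits a jump host. All zone layouts, addresses, ports and host names are assumptions chosen for illustration.

```python
"""Segmentation review for internet-exposed control equipment (added example).

Models the weakness described in the article as a policy check: for each
management port on each controller, ask whether a representative untrusted
source would be allowed through by the firewall rules.  Unauthenticated
interfaces that are reachable are ranked "critical"; authenticated ones "high".
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    mgmt_ports: tuple    # TCP ports of the engineering/management interface
    requires_auth: bool  # whether that interface authenticates connections


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR ("0.0.0.0/0" = any)
    dst: str      # destination CIDR
    ports: tuple  # allowed TCP ports; () means any port
    action: str   # "allow" or "deny"


# Constructed inventory (assumed names/addresses): one controller has no auth.
ASSETS = [
    Asset("plc-pump-01", "10.20.1.11", (102, 44818), requires_auth=False),
    Asset("plc-valve-02", "10.20.1.12", (502,), requires_auth=True),
    Asset("hmi-01", "10.20.2.5", (3389,), requires_auth=True),
]

# Constructed "before" policy: a catch-all remote-support rule exposes the OT subnet.
WEAK_RULES = [
    Rule("0.0.0.0/0", "10.20.0.0/16", (), "allow"),
]

# Constructed "after" policy: only an assumed jump host (10.30.0.5) may reach
# the OT subnet, and everything else is explicitly denied.
SEGMENTED_RULES = [
    Rule("10.30.0.5/32", "10.20.0.0/16", (102, 502, 44818, 3389), "allow"),
    Rule("0.0.0.0/0", "10.20.0.0/16", (), "deny"),
]

# Representative untrusted source address (constructed; TEST-NET-3 range).
INTERNET_PROBE = "203.0.113.10"


def first_match(rules, src, dst, port):
    """First-match rule evaluation with an implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (not r.ports or port in r.ports)):
            return r.action
    return "deny"


def exposure_findings(assets, rules, probe=INTERNET_PROBE):
    """Return (asset name, port, severity) for every management port that the
    untrusted probe address would be allowed to reach under `rules`."""
    findings = []
    for a in assets:
        for p in a.mgmt_ports:
            if first_match(rules, probe, a.ip, p) == "allow":
                severity = "critical" if not a.requires_auth else "high"
                findings.append((a.name, p, severity))
    return findings


if __name__ == "__main__":
    for label, rules in (("weak policy", WEAK_RULES),
                         ("segmented policy", SEGMENTED_RULES)):
        print(label, exposure_findings(ASSETS, rules))
```

Under the weak policy every management port is reachable and the unauthenticated controller ranks critical; under the segmented policy the probe hits the explicit deny and no findings remain, while the jump host is still admitted. The same check can be run against an exported rule base to confirm that a segmentation change actually removed the exposure rather than just adding a VPN in front of an open path.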

The Ugly

We are all still dealing, in various ways, with our new pandemic-centric reality. This includes the continued use of collaboration and conferencing tools like Zoom to facilitate our ongoing business and communication needs. By now we are all familiar with “Zoom Bombing” and similar attacks. This week there was another high-profile incident of Zoom Bombing involving the Dallas ISD (Independent School District). During a graduation-based conference, which involved parents, teachers and students, the call was temporarily hijacked. The unwanted participant quickly displayed pornographic images to the audience. The following statement was issued shortly after the incident:

“We apologize for the graphic images some of our students and families may have seen during a parent-senior Zoom meeting, which was hacked by an unknown source yesterday. It’s unfortunate the digital platform that many of us rely on to connect students with teachers each day, has been compromised through various “Zoom-bombings”. Though we are disappointed the incident occurred, campus administrators successfully restarted the meeting without further incident and are working with Dallas ISD Police to investigate. A formal complaint was reported to Zoom, as we hope this incident prompts a stronger review of their security measures.”

It’s worth remembering that organizations can never be complacent about security. While Zoom and other vendors have been rising to the occasion to remedy various flaws and concerns, there will always be the potential for attacks. We encourage readers to review our guidelines on the safety and security of applications like Zoom and Slack.


(Formerly Augean) Burro is giving a helping hand to field workers

Rather than focusing on robots that will replace human workers outright, the company has created a semi-autonomous robotic cart that saves pickers a long trip.