Look Who’s Back? It’s DDoS!

Starting on the afternoon of June 15, a wide outage appeared to be affecting ISPs, social media platforms and mobile carriers. A Twitter account associated with Anonymous announced that the US was currently under “a major DDoS attack.” It included a map showing the US being bombarded by internet traffic from all over the globe.

The internet was soon abuzz with speculations about “the world’s largest ever DDoS attack”. But was it?

Matthew Prince, CEO at DDoS protection company Cloudflare, answered with his own tweet, stating that the outage wasn’t the result of a massive-scale DDoS attack. It was, rather, “far more boring,” Prince said, resulting from US carrier T-Mobile making network configuration changes that “went badly,” affecting both its voice and data networks.

Later that day, T-Mobile CEO Mike Sievert issued a statement confirming the voice and text issues, blaming “an IP traffic related issue that has created significant capacity issues in the network core throughout the day.” The issue was eventually resolved in the early hours of June 16.

While the incident seems to be a case of crying wolf, denial of service attacks are, in fact, making something of a comeback. Those branding themselves as Anonymous hacktivists are partly to blame.

Riots and Denial of Service

During the recent waves of riots sweeping the US, members of the hacktivist group launched several DDoS attacks against law enforcement agencies and municipalities. The Minneapolis city website was hit by a DDoS attack, followed by an attack on the Minneapolis Police Department.

On the law enforcement side, the latest victim is the Atlanta Police Department’s website.

This isn’t surprising. In the past, DDoS was the weapon of choice for this group. What is surprising is that this time around, the attacks weren’t limited to anarchists fighting the establishment. Subsequent attacks were launched from the opposite end of the political spectrum, targeting advocacy groups that fight for Black rights. 

Cloudflare saw 1,120 times as many attacks on such advocacy groups in May as it did in April.

“In fact, those groups went from having almost no attacks at all in April, to attacks peaking at 20,000 requests per second on a single site,” the company said. Others may have also been victimized after taking a side in the Black Lives Matter debate, including government and military websites, Cloudflare said.

Cybercrime and DDoS

But DDoS isn’t just used to punish political opponents. It can also be a formidable tool in the hands of cyber criminals. The method is crude, but effective: Cybercriminals demand a ransom, threatening to unleash an attack that will knock a targeted victim offline for a considerable amount of time, costing it in terms of both traffic and associated revenue if it refuses to pay. A slightly more sophisticated business model was employed by vDOS—a now-defunct DDoS as a Service shop run by two young criminals from Israel. Arrested nearly four years ago, the pair was sentenced last week, having been given a mere 6 months of community service plus a meager fine and probation. While it’s extremely rare that DDoS enablers get caught and sentenced, the actual sentence is disappointing, given the scope of their crimes: they facilitated the launch of 2 million attacks and netted about USD $600,000.

But money isn’t the only criminal motive for launching DDoS attacks. Shame can also be a reason.

Naturalized US citizen Andrew Rakhshan, previously convicted in Canada for fraud in 2013, was sentenced last week to a maximum of five years in prison and ordered to pay over $500,000 after being found guilty of launching DDoS attacks against several websites. When one target—the website Leagle.com—refused to pay, Rakhshan next tried to bribe its operators. Finally, he threatened to DDoS the site—a threat he carried out by using a DDoS for hire service in January 2015.

A Global Decline in DDoS Attacks, But a Surge During Covid-19 Months

While DDoS attacks seem to be fewer in number, they’re getting bigger and more complicated. A new report suggests that DDoS attacks are bigger on average, longer and more sophisticated, with some combining up to 30 attack methods in one assault.

And while the overall trend is a decline in DDoS, Covid-19 has brought with it a surge of denial-of-service activity. There was a significant increase in DDoS attack volumes during March, April and May, with the aggregate volume of DDoS traffic now 40% to 50% above the pre-pandemic levels of February, according to telecom operator Nokia Deepfield.

New Techniques, Targets and Records

Traditional DDoS methods have been around for decades, and most attacks can be successfully mitigated by DDoS protection solutions.

But that may not be the case for much longer.

Researchers from Tel Aviv University and the Interdisciplinary Center of Herzliya in Israel discovered a new technique that could allow a relatively small number of computers to carry out DDoS attacks on a massive scale. The new technique, which the researchers called NXNSAttack, takes advantage of vulnerabilities in common DNS software. The NXNSAttack technique can cause a DNS server to perform hundreds of thousands of requests every time a hacker’s machine sends just one, effectively amplifying the attacker’s firepower tenfold. This means an attacker has to compromise a relatively small number of machines to achieve massive impact: something that up until now has required the creation of a huge botnet.

At this point, the race to the DDoS championship is wide open. The most prominent DDoS attack against a specific website—a large hosting provider used by a number of political and social sites—happened in early June, topping a bandwidth of 1.44 terabits per second and 385 million packets per second. Akamai, which repelled the attack, wouldn’t name the victim site, but it did mention that the provider was targeted for “social” reasons, which might indicate the motive was similar to that of the political attacks associated with the Black Lives Matter debate, as described above.

That attack was impressive, but it was topped by a record, three-day DDoS attack of 2.3 Tbps aimed at AWS servers in February. Amazon published the findings in its recent AWS Shield Threat Landscape Report – Q1 2020, stating that the massive attack used a UDP reflection vector called CLDAP reflection and was observed at a previously unseen volume of 2.3 Tbps, approximately 44% larger than any network volumetric event previously detected on AWS.

Recruiting IoT Devices and Cloud to the Ranks

Last but not least, it’s not just computers taking part in DDoS attacks. Connected devices (also known as “IoT devices” or “smart devices”) are aggressively targeted and recruited into botnets for hire, later to be used for DDoS attacks. A newly discovered vulnerability in UPnP (Universal Plug and Play) can exacerbate this process. The vulnerability—CVE-2020-12695, aka “CallStranger”—allows attackers to subscribe to devices so they can force them to send traffic to any IP address. This enables attackers to launch large-scale, amplified TCP DDoS reflection attacks, by using a spoofed IP address to send a request to a third-party server. The response is much larger in size and is returned to the spoofed IP address of the unwitting victim, creating powerful DDoS attacks.

Summary

DDoS is one of the most established cyber threats. It’s been around for ages. Hence, there’s a general tendency to downplay its severity. It’s true that the overall number of attacks is decreasing, and that modern web infrastructure is more resilient to primitive DDoS attacks than ever before. But given the massive adoption of connected devices by consumers and enterprises, it wouldn’t surprise us to see this attack vector gaining in popularity. Another scenario worth keeping in mind is that DDoS attacks are a perfect smokescreen: they can be used by sophisticated attackers to divert the attention of security teams while the intruders infiltrate the organization in another way.

If you would like to see how SentinelOne can help protect your organization, contact us for a free demo.



Read more about Cyber Security

Google Cloud launches Confidential VMs

At its virtual Cloud Next ’20 event, Google Cloud today announced Confidential VMs, a new type of virtual machine that makes use of the company’s work around confidential computing to ensure that data isn’t just encrypted at rest but also while it is in memory.

“We already employ a variety of isolation and sandboxing techniques as part of our cloud infrastructure to help make our multi-tenant architecture secure,” the company notes in today’s announcement. “Confidential VMs take this to the next level by offering memory encryption so that you can further isolate your workloads in the cloud. Confidential VMs can help all our customers protect sensitive data, but we think it will be especially interesting to those in regulated industries.”

On the backend, Confidential VMs make use of AMD’s Secure Encrypted Virtualization feature, available in its second-generation EPYC CPUs. With that, the data stays encrypted while in use; the encryption keys that make this happen are generated automatically in hardware and can’t be exported, so even Google doesn’t have access to them.


Developers who want to shift their existing VMs to a Confidential VM can do so with just a few clicks. Google notes that it built Confidential VMs on top of its Shielded VMs, which already provide protection against rootkits and other exploits.

“With built-in secure encrypted virtualization, 2nd Gen AMD EPYC processors provide an innovative hardware-based security feature that helps secure data in a virtualized environment,” said Raghu Nambiar, corporate vice president, Data Center Ecosystem, AMD. “For the new Google Compute Engine Confidential VMs in the N2D series, we worked with Google to help customers both secure their data and achieve performance of their workloads.”

That last part is obviously important, given that the extra encryption and decryption steps do incur at least a minor performance penalty. Google says it worked with AMD and developed new open-source drivers to ensure that “the performance metrics of Confidential VMs are close to those of non-confidential VMs.” At least according to the benchmarks Google itself has disclosed so far, both startup times and memory read and throughput performance are virtually the same for regular VMs and Confidential VMs.

New Acquia platform looks to bring together developers, marketers and data

Acquia, the commercial company built on top of the open source Drupal content management system, has pushed to be more than a publishing platform in recent years, using several strategic acquisitions to move into managing customer experience, and today the company announced a new approach to developing and marketing on the Drupal Cloud.

This involves bringing together developers and marketers under the umbrella of the new Acquia Open DXP platform. This approach has two main components: “What we’ve been working on is deep integration across our suite and pulling together our new foundational Drupal Cloud offering, and our new foundational Marketing Cloud offering,” Kevin Cochrane, senior vice president of product marketing at Acquia said.

The offerings bring together a set of acquisitions the company made over the last year including Mautic for marketing automation in May 2019, Cohesion for low-code developing in September and AgileOne in December for a customer data platform (CDP).

Cochrane says that the company is leveraging these acquisitions along with tools they developed internally and the upcoming release of Drupal 9 to offer a platform approach for customers where they can build content on the Drupal Cloud side and leverage customer data on the Marketing Cloud side.

On the Drupal Cloud, the company is offering a set of tools that includes an integrated development environment (IDE) where developers can build services, while marketers get a low code offering, where they can drag and drop content and design components from a library of offerings that could come from internal sources or the open source community. It also includes other components like security and content management.

The Marketing Cloud is the data layer where companies collect and manage data about customers with the goal of offering a more personalized and meaningful experience in a digital context.

Marketing automation tooling has shifted in recent years with the goal of providing customers with a unique and meaningful experience using the vast amount of data available to build a more complete picture of the customer and give them what they need, when they need it in a digital context. This has involved building a digital experience platform (DXP) and a customer data platform (CDP).

By pulling together these different elements, Acquia is attempting to put itself in a position to compete directly with big players in this space like Adobe and Salesforce offering a similar unified approach.

Vista Equity Partners bought Acquia last September for $1 billion. At the time, company founder Dries Buytaert said one of the advantages of being part of Vista was to get the resources to compete with larger companies in this space, and today’s announcement could be seen in that light.

Macro just raised $4.3M to make your never-ending Zoom calls more useful

In this pandemic world, in-person meetings are a thing of the past. Most meetings these days are done via video conference, and no company has capitalized on the shift quite like Zoom.

Macro, a new FirstMark-backed company, is looking to capitalize on the capitalization. To Capitalism!

Sorry. Let’s get back on track. Macro is a native app that employs the Zoom SDK to add depth and analysis to your daily work meetings.

There are two modes. The first is essentially focused on collaboration, which turns the usual Zoom meeting into a light overlay, where folks are shown in small, circular bubbles at the top of the screen. This mode is to be used when folks are working on the same project, such as a wireframe or a collaborative document. The UI is meant to kind of fade into the background, allowing users to click on tabs or objects behind other attendees’ bubbles.

The other mode is an Arena or Stadium mode, which is meant for hands-on meetings and presentations. It has two distinct features. The first is an Airtime feature, which shows how much different participants have ‘had the floor’ for the past five minutes, thirty minutes, or in total during the meeting. The second is a text-input system on the right side of the UI that lets people enter Questions, Takeaways, Action Items and Insights from the call.

Macro automatically adds that text to a Google Doc, and formats it into something instantly shareable.

There is no extra hassle involved in getting Macro up and running. When a user installs Macro on their computer, they’re instantly loaded into Macro each time they click a Zoom link, whether it’s in an email, a calendar invite, or in Slack.

Macro cofounders Ankith Harathi and John Keck explained to TechCrunch that this isn’t your usual enterprise play. The product is free to use and, with the Google Doc export, is still useful even as a single-player product. The Google Doc is auto-formatted with Macro messaging, explaining that it was compiled by the company with a link to the product.

In other words, Harathi and Keck want to see individuals within organizations get Macro for themselves and let the product grow organically within an organization, rather than trying to sell to large teams right off the bat.

“A lot of collaborative productivity SaaS applications need your whole team to switch over to get any value out of them,” said Harathi. “That’s a pretty big barrier, especially since so many new products are coming out and teams are constantly switching and that creates a lot of noise. So our plan was to ensure one person can use this and get value out of it, and nobody else is affected. They get the better interface and other team members will want to switch over without any requirement to do so.”

This is possible in large part due to the cost of the Zoom SDK, which is $0. The heavy lifting of audio and video is handled by Zoom, as is the high compute cost. This means that Macro can offer its product for free at a relatively low cost to the company as it tries to grow.

Of course, there is some risk involved with building on an existing platform. Namely, one Zoom platform change could wreak havoc on Macro’s product or model. However, the team has plans to expand beyond Zoom to other video conferencing platforms like Google, BlueJeans, WebEx, etc. Roelof Botha told TechCrunch back in May that businesses built on other platforms have a much greater chance of success when there is a platform across that sector, as there certainly is here.

And there seems to be some competition for Macro in particular — for one, Microsoft Teams just added some new features to its video conferencing UI to relieve brain fatigue and Hello is looking to offer app-free video chat via browser.

Macro is also looking to add additional functionality to the platform, such as the ability to integrate an agenda into the meeting and break up the accompanying Google doc by agenda item.

The company has raised a total of $4.8 million since launch, including a new $4.3 million seed round from FirstMark Capital, General Catalyst and Underscore VC. Other investors include NextView Ventures, Jason Warner (CTO GitHub), Julie Zhuo (former VP Design Facebook), Harry Stebbings (Founder/Host of 20minVC), Adam Nash (Dropbox, Wealthfront, LinkedIn), Clark Valberg (CEO Invision), among others.

Macro has more than 25,000 users and has been a part of 50,000 meetings to date.

Recurrency is taking on giants like SAP with a modern twist on ERP

Recurrency, a member of the Summer 2020 Y Combinator cohort, was started by a 21-year-old just out of college. He decided to take on a highly established market that is led by giants like SAP, Infor, Oracle and Microsoft, but instead of taking a highly complex area of enterprise software in one big bite, he is starting by helping wholesale businesses.

Sole founder and company CEO Sam Oshay just graduated from the University of Pennsylvania with a dual degree that straddled engineering and business, before joining the summer batch. Oshay is bringing a modern twist to ERP by using machine learning to drive more data-driven decision making.

“What makes us different from other ERPs like SAP, Infor and Epicor is that we can tell the user something that they don’t already know.” He says these traditional ERPs are basically data entry systems. For example, you could enter a pricing list, but you can’t do anything with it in terms of predictions.

“We can scan historical data and make pricing recommendations and predictions. So we are an ERP that not only does data analysis, but also imports external data and matches it to internal data to make recommendations and predictions,” Oshay explained.

While he doesn’t expect to remain confined to just the wholesale side of the business, it makes sense that he started with it because his family has a history of running these kinds of businesses. In fact, his grandfather immigrated to the U.S. after World War II and started a hardware wholesale business that his uncle still runs today. His dad started his own business selling wholesale shipping supplies, and he grew up in the family business, giving him some insight that most recent college grads probably wouldn’t have.

“I learned about the wholesale business at a very deep level. And what I observed is that so many of the issues with my dad’s business came down to issues with his ERP system. It occurred to me that if someone were to build an ERP extension or a better ERP, they could unlock so much of the value that is currently locked inside these legacy systems,” he said.

So he did what good entrepreneurs do, and began building it. For starters, his system plugs into legacy systems like SAP or NetSuite, but the plan is to build a better ERP, one step at a time. For now, it’s about wholesale, but he has a much broader vision for his company.

He originally applied to YC during the Fall 2019 semester of his junior year, and was admitted to the winter batch, but deferred to the Summer 2020 group to complete his studies. He spent his remaining time at UPenn sprinting to early graduation, taking 10 classes to come close to finishing his studies (with just a dissertation standing between him and his degree).

With this batch being delivered remotely, he says that the YC team has taken that into account and is still offering a meaningful experience for the summer group. “All of the events that YC would normally be doing are still happening, just remotely. And to my knowledge, some of the events we’re doing are designed specifically for this weird set of circumstances. The YC team has put quite a bit of thought into making this batch meaningful and I think they’ve succeeded,” he said.

While the pandemic has created new challenges for an early-stage business, he says that in some ways it’s helped him focus better. Instead of going out with friends, he’s home with his head down working on his company with little distraction.

As you would expect, it’s early days for the product, but he has three customers who are operational and two more in the implementation phase. He also has two employees so far, a front end and back end engineer.

For now, he’s going to continue building his product and his business, and he sees the pandemic as a time when businesses might be more open to changing a system like a legacy ERP. “If they want to try something new, and you can make it easier for them to try that, I’ve found that’s a place where you can make a sale,” he said.

BlueOcean uses automation to deliver affordable brand audits in seven days

BlueOcean is a new startup offering companies a relatively fast and affordable way to see how their brands are performing and what they can do to improve.

CEO Grant McDougall and COO/President Liza Nebel (the pair founded BlueOcean with Chief Data Scientist Matthew Gross) told me they’ve been developing the technology for two years. And although the startup is only officially launching now, it has already worked with prominent brands like Microsoft, Panda Express and Pabst Blue Ribbon.

BlueOcean is focused specifically on the world of brand audits, which are basically detailed analyses of the aspects of a brand that are and aren’t working — and according to Nebel (whose experience includes working on brand and digital strategy at Ogilvy), a single audit can cost brands millions of dollars, often resulting in reports “that aren’t even actionable.”

With BlueOcean, on the other hand, a brand provides only two things — their website and a list of their competitors. Then they get their brand audit one week later, for just $17,000, including recommendations for how to improve.

To do this, the company says it’s applying an “automation-first approach.” McDougall said BlueOcean is pulling from hundreds of different data sources, which will vary from industry to industry, and applying algorithms to understand things like, “What’s the right taxonomy? How do we acquire that data?”

BlueOcean founders Grant McDougall and Liza Nebel (Image Credits: BlueOcean)

He added, “Strategically, we tend to move up in the organization,” giving both marketing teams and C-level executives the advice they need.

For example, Nebel said that one of BlueOcean’s clients is a large alcohol holding company, which recently launched a line of hard seltzer under an existing alcohol brand. The startup’s brand audit recommended that the company (which Nebel declined to identify) launch a separate hard seltzer brand instead — and now, the company will be launching three different brands.

Nebel also walked me through what she called the “five-minute version” of a brand audit for TechCrunch, which looked at our performance in terms of potential customers, positioning, messaging, offerings and existing customers. Ultimately, BlueOcean gave us a “moderate” score of 97 (but hey, we scored well on being “memorable” and “inspiring”) and recommended steps like publishing a more “steady drumbeat” of content on social media and improving our app experience.

“BlueOcean has become a great addition to further enable us to sharpen our ability to monitor, understand and act through the lens of brand across all of our commercial offerings,” said Microsoft’s director of brand strategy Tim Hoppin in a statement. “We’re excited to work with BlueOcean and use their tools and expertise to strengthen our relationship with the millions of global customers we connect with daily.”

Breached Data Indexer ‘Data Viper’ Hacked

Data Viper, a security startup that provides access to some 15 billion usernames, passwords and other information exposed in more than 8,000 website breaches, has itself been hacked and its user database posted online. The hackers also claim they are selling on the dark web roughly 2 billion records Data Viper collated from numerous breaches and data leaks, including data from several companies that likely either do not know they have been hacked or have not yet publicly disclosed an intrusion.

The apparent breach at St. Louis, Mo. based Data Viper offers a cautionary and twisted tale of what can happen when security researchers seeking to gather intelligence about illegal activity online get too close to their prey or lose sight of their purported mission. The incident also highlights the often murky area between what’s legal and ethical in combating cybercrime.

Data Viper is the brainchild of Vinny Troia, a security researcher who runs a cyber threat intelligence company called Night Lion Security. Since its inception in 2018, Data Viper has billed itself as a “threat intelligence platform designed to provide organizations, investigators and law enforcement with access to the largest collection of private hacker channels, pastes, forums and breached databases on the market.”

Many private companies sell access to such information to vetted clients — mainly law enforcement officials and anti-fraud experts working in security roles at major companies that can foot the bill for these often pricey services.

Data Viper has sought to differentiate itself by advertising “access to private and undisclosed breach data.” As KrebsOnSecurity noted in a 2018 story, Troia has acknowledged posing as a buyer or seller on various dark web forums as a way to acquire old and newly-hacked databases from other forum members.

But this approach may have backfired over the weekend, when someone posted to the deep web a link to an “e-zine” (electronic magazine) describing the Data Viper hack and linking to the Data Viper user base. The anonymous poster alleged he’d been inside Data Viper for months and had exfiltrated hundreds of gigabytes of breached data from the service without notice.

The intruder also linked to several dozen new sales threads on the dark web site Empire Market, where they advertise the sale of hundreds of millions of account details from dozens of leaked or hacked website databases that Data Viper allegedly acquired via trading with others on cybercrime forums.

An online post by the attackers who broke into Data Viper.

Some of the databases for sale tie back to known, publicly reported breaches. But others correspond to companies that do not appear to have disclosed a security incident. As such, KrebsOnSecurity is not naming most of those companies and is currently attempting to ascertain the validity of the claims.

KrebsOnSecurity did speak with Victor Ho, the CEO of Fivestars.com, a company that helps smaller firms run customer loyalty programs. The hackers claimed they are selling 44 million records taken from Fivestars last year. Ho said he was unaware of any data security incident and that no such event had been reported to his company, but that Fivestars is now investigating the claims. Ho allowed that the number of records mentioned in the dark web sales thread roughly matches the number of users his company had last year.

But on Aug. 3, 2019, Data Viper’s Twitter account casually noted, “FiveStars — 44m breached records added – incl Name, Email, DOB.” The post, buried among a flurry of similar statements about huge caches of breached personal information added to Data Viper, received hardly any attention and garnered just one retweet.

GNOSTIC PLAYERS, SHINY HUNTERS

Reached via Twitter, Troia acknowledged that his site had been hacked, but said the attackers only got access to the development server for Data Viper, and not the more critical production systems that power the service and which house his index of compromised credentials.

Troia said the people responsible for compromising his site are the same people who hacked the databases they are now selling on the dark web and claiming to have obtained exclusively from his service.

What’s more, Troia believes the attack was a preemptive strike in response to a keynote he’s giving in Boston this week: On June 29, Troia tweeted that he plans to use the speech to publicly expose the identities of the hackers, who he suspects are behind a large number of website break-ins over the years.

Hacked or leaked credentials are prized by cybercriminals engaged in “credential stuffing,” a rampant form of cybercrime that succeeds when people use the same passwords across multiple websites. Armed with a list of email addresses and passwords from a breached site, attackers will then automate login attempts using those same credentials at hundreds of other sites.
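The pattern described above, one source trying a list of breached username/password pairs against many accounts, is visible in a site's own authentication logs. The following detector is an added example and is not code from KrebsOnSecurity, Data Viper or any product named in this article; the log format (`timestamp source-IP username result`), the thresholds and the sample log lines are all constructed assumptions. It flags a source that fails logins against many distinct accounts inside a sliding window, and reports any accounts that source nevertheless logged into successfully, which is what an incident responder most needs to know.

```python
"""Flag credential-stuffing sources in web login logs.

Added example (not from the article): the log format, field names and the
thresholds below are assumptions, and the sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <source IP> <username> <result>".
# 198.51.100.7 fails against seven different accounts within seconds and
# succeeds against one; 203.0.113.9 is a user mistyping their own password.
SAMPLE_LOG = """\
2020-07-13T10:00:01 198.51.100.7 alice FAIL
2020-07-13T10:00:02 198.51.100.7 bob FAIL
2020-07-13T10:00:02 198.51.100.7 carol FAIL
2020-07-13T10:00:03 198.51.100.7 dave FAIL
2020-07-13T10:00:03 198.51.100.7 erin OK
2020-07-13T10:00:04 198.51.100.7 frank FAIL
2020-07-13T10:00:05 198.51.100.7 grace FAIL
2020-07-13T10:00:06 198.51.100.7 heidi FAIL
2020-07-13T10:01:00 203.0.113.9 alice FAIL
2020-07-13T10:01:30 203.0.113.9 alice FAIL
2020-07-13T10:02:00 203.0.113.9 alice OK
2020-07-13T10:05:00 192.0.2.44 bob OK
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_failures=5, min_distinct_users=5):
    """Return {ip: summary} for sources whose failed logins spread across
    many distinct accounts inside any window of the given length.

    A single user retrying their own password produces many failures but
    only one distinct account, so it is not flagged.
    """
    fails_by_ip = defaultdict(list)
    ok_by_ip = defaultdict(set)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
        elif result == "OK":
            ok_by_ip[ip].add(user)

    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        best_users, best_failures = 0, 0
        start = 0
        # Sliding window over the time-sorted failures for this source.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            distinct = len({u for _, u in span})
            if distinct > best_users or (distinct == best_users
                                         and len(span) > best_failures):
                best_users, best_failures = distinct, len(span)
        if best_failures >= min_failures and best_users >= min_distinct_users:
            flagged[ip] = {
                "failures": best_failures,
                "distinct_users": best_users,
                # Accounts the flagged source did get into: reset these first.
                "successes": sorted(ok_by_ip[ip]),
            }
    return flagged


def analyze(text, **thresholds):
    """Convenience wrapper: parse a log and return the flagged sources."""
    return find_stuffing_sources(parse_log(text), **thresholds)


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

The thresholds are deliberately conservative; in production they would be tuned per site, and the "successes" list is the input to forced password resets and session revocation for the affected accounts.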

Password re-use becomes orders of magnitude more dangerous when website developers engage in this unsafe practice. Indeed, a January 2020 post on the Data Viper blog suggests credential stuffing is exactly how the group Troia plans to discuss in his upcoming talk perpetrated their website compromises.

In that post, Troia wrote that the hacker group, known variously as “Gnostic Players” and “Shiny Hunters,” plundered countless website databases using roughly the same method: Targeting developers using credential stuffing attacks to log into their GitHub accounts.

“While there, they would pillage the code repositories, looking for AWS keys and similar credentials that were checked into code repositories,” Troia wrote.

Troia said the intrusion into his service wasn’t the result of credential re-use, but instead happened because his developer accidentally left his credentials exposed in documents explaining how customers can use Data Viper’s application programming interface.
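Both failure modes described above, AWS keys checked into code repositories and API credentials left in documentation, are caught by the same control: scanning text for credential patterns before it is committed or published. The scanner below is an added example and is not code from Data Viper, KrebsOnSecurity or any product in this article. It relies on two publicly documented facts: AWS access key IDs begin with `AKIA` (or `ASIA` for temporary credentials) followed by 16 upper-case alphanumerics, and secret access keys are 40 characters from the base64 alphabet. The sample config text is constructed and uses the placeholder key pair from AWS's own documentation; the file layout and the `scan_files` helper are assumptions.

```python
"""Scan text or files for AWS credential patterns before commit or publish.

Added example (not from the article). Detection rules are based on the
documented AWS key formats; everything else here is an assumption.
"""
import re
import sys

# Access key IDs: AKIA (long-term) or ASIA (temporary) + 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret keys: 40 base64-alphabet chars, only when assigned to a secret-key-like name,
# so that arbitrary 40-character tokens elsewhere do not produce noise.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample: the key pair is the placeholder pair from AWS documentation.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""

# Constructed sample of the safe form: values injected from the environment.
SAFE_CONFIG = """\
[default]
aws_access_key_id = ${AWS_ACCESS_KEY_ID}
aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}
"""


def redact(value):
    """Keep enough of a match to locate it without re-leaking it in output."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, source="<memory>"):
    """Return a list of findings, one per credential-looking match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"file": source, "line": lineno,
                             "kind": "aws_access_key_id",
                             "match": redact(m.group(0))})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"file": source, "line": lineno,
                             "kind": "aws_secret_access_key",
                             "match": redact(m.group(1))})
    return findings


def scan_files(paths):
    """Scan each path as UTF-8 text; unreadable (binary) files are skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                findings.extend(scan_text(fh.read(), source=path))
        except (OSError, UnicodeDecodeError):
            continue
    return findings


def main(argv):
    """Usage: python scan.py FILE... ; exit 1 if anything is found (hook-friendly)."""
    findings = scan_files(argv[1:]) if len(argv) > 1 else scan_text(SAMPLE_CONFIG)
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['match']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into a pre-commit hook or a docs build, a non-zero exit blocks the commit or publish step; the redacted output is safe to show in CI logs. Any key the scanner does catch should still be treated as compromised and rotated, since it may already have been pushed elsewhere.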

“I will say the irony of how they got in is absolutely amazing,” Troia said. “But all of this stuff they claim to be selling is [databases] they were already selling. All of this is from Gnostic players. None of it came from me. It’s all for show to try and discredit my report and my talk.”

Troia said he didn’t know how many of the databases Gnostic Players claimed to have obtained from his site were legitimate hacks or even public yet.

“As for public reporting on the databases, a lot of that will be in my report Wednesday,” he said. “All of my ‘reporting’ goes to the FBI.”

SMOKE AND MIRRORS

The e-zine produced by the Data Viper hackers claimed that Troia used many nicknames on various cybercrime forums, including the moniker “Exabyte” on OGUsers, a forum that’s been closely associated with account takeovers.

In a conversation with KrebsOnSecurity, Troia acknowledged that this Exabyte attribution was correct, noting that he was happy about the exposure because it further solidified his suspicions about who was responsible for hacking his site.

This is interesting because some of the hacked databases the intruders claimed to have acquired after compromising Data Viper correspond to discoveries credited to Troia in which companies inadvertently exposed tens of millions of user details by leaving them publicly accessible online at cloud services like Amazon’s EC2.

For example, in March 2019, Troia said he’d co-discovered a publicly accessible database containing 150 gigabytes of plaintext marketing data — including 763 million unique email addresses. The data had been exposed online by Verifications.io, an email validation firm.

On Oct 12, 2019, a new user named Exabyte registered on RaidForums — a site dedicated to sharing hacked databases and tools to perpetrate credential stuffing attacks. That Exabyte account was registered less than two weeks after Troia created his Exabyte identity on OGUsers. The Exabyte on RaidForums posted on Dec. 26, 2019 that he was providing the community with something of a belated Christmas present: 200 million accounts leaked from Verifications.io.

“Verifications.io is finally here!” Exabyte enthused. “This release contains 69 of 70 of the original verifications.io databases, totaling 200+ million accounts.”

Exabyte’s offer of the Verifications.io database on RaidForums.

In May 2018, Troia was featured in Wired.com and many other publications after discovering that sales intelligence firm Apollo left 125 million email addresses and nine billion data points publicly exposed in a cloud service. As I reported in 2018, prior to that disclosure Troia had sought my help in identifying the source of the exposed data, which he’d initially and incorrectly concluded was exposed by LinkedIn.com. Rather, Apollo had scraped and collated the data from many different sites, including LinkedIn.

Then in August 2018, someone using the nickname “Soundcard” posted a sales thread to the now-defunct Kickass dark web forum offering the personal information of 212 million LinkedIn users in exchange for two bitcoin (then the equivalent of ~$12,000 USD). Incredibly, Troia had previously told me that he was the person behind that Soundcard identity on the Kickass forum.

Soundcard, a.k.a. Troia, offering to sell what he claimed was all of LinkedIn’s user data, on the Dark Web forum Kickass.

Asked about the Exabyte posts on RaidForums, Troia said he wasn’t the only one who had access to the Verifications.io data, and that the full scope of what’s been going on would become clearer soon.

“More than one person can have the same name ‘Exabyte’,” Troia said. “So much from both sides you are seeing is smoke and mirrors.”

Smoke and mirrors, indeed. It’s entirely possible this incident is an elaborate and cynical PR stunt by Troia to somehow spring a trap on the bad guys. Troia recently published a book on threat hunting, and on page 360 (PDF) he describes how he previously staged a hack against his own site and then bragged about the fake intrusion on cybercrime forums in a bid to gather information about specific cybercriminals who took the bait — the same people, by the way, he claims are behind the attack on his site.

MURKY WATERS

While the trading of hacked databases may not technically be illegal in the United States, it’s fair to say the U.S. Department of Justice (DOJ) takes a dim view of those who operate services marketed to cybercriminals.

In January 2020, U.S. authorities seized the domain of WeLeakInfo.com, an online service that for three years sold access to data hacked from other websites. Two men were arrested in connection with that seizure. In February 2017, the Justice Department took down LeakedSource, a service that operated similarly to WeLeakInfo.

The DOJ recently released guidance (PDF) to help threat intelligence companies avoid the risk of prosecution when gathering and purchasing data from illicit sources online. The guidelines suggest that some types of intelligence gathering — particularly exchanging ill-gotten information with others on crime forums as a way to gain access to other data or to increase one’s status on the forum — could be especially problematic.

“If a practitioner becomes an active member of a forum and exchanges information and communicates directly with other forum members, the practitioner can quickly become enmeshed in illegal conduct, if not careful,” reads the Feb. 2020 DOJ document.

The document continues:

“It may be easier for an undercover practitioner to extract information from sources on the forum who have learned to trust the practitioner’s persona, but developing trust and establishing bona fides as a fellow criminal may involve offering useful information, services, or tools that can be used to commit crimes.”

“Engaging in such activities may well result in violating federal criminal law. Whether a crime has occurred usually hinges on an individual’s actions and intent. A practitioner must avoid doing anything that furthers the criminal objectives of others on the forums. Even though the practitioner has no intention of committing a crime, assisting others engaged in criminal conduct can constitute the federal offense of aiding and abetting.”

“An individual may be found liable for aiding and abetting a federal offense if he or she takes an affirmative act — even an act that is lawful on its own — that is in furtherance of the crime and conducted with the intent of facilitating the crime’s commission.”

UiPath reels in another $225M as valuation soars to $10.2B

Last year, Gartner found that robotic process automation (RPA) is the fastest growing category in enterprise software. So perhaps it shouldn’t come as a surprise that UiPath, a leading startup in the space, announced a $225 million Series E today on an eye-popping $10.2 billion valuation.

Alkeon Capital led the round with help from Accel, Coatue, Dragoneer, IVP, Madrona Venture Group, Sequoia Capital, Tencent, Tiger Global, Wellington and T. Rowe Price Associates, Inc. Today’s investment brings the total raised to $1.202 billion, according to the company.

It’s worth noting that the presence of institutional investors like Wellington is often a signal that a company could be thinking about going public at some point. CFO Ashim Gupta didn’t shy away from a future IPO, saying that co-founder and CEO Daniel Dines has discussed the idea in recent months and what it would take to become a public company.

“We’re evaluating the market conditions and I wouldn’t say this to be vague, but we haven’t chosen a day that says on this day we’re going public. We’re really in the mindset that says we should be prepared when the market is ready, and I wouldn’t be surprised if that’s in the next 12-18 months,” he said.

One of the factors that’s attracting so much investor interest is its growth rate, which Gupta says is continuing on an upward trajectory, even during the pandemic as companies look for ways to automate. In fact, he reports that recurring revenue has grown from $100 million to $400 million over the last 24 months.

RPA helps companies add a level of automation to manual legacy processes, bringing modernization without having to throw out existing systems. This approach appeals to a lot of companies not willing to rip and replace to get some of the advantages of digital transformation. The pandemic has only served to push this kind of technology to the forefront as companies look for ways to automate more quickly.

The company raised some eyebrows in the fall when it announced it was laying off 400 employees just six months after raising $568 million on a $7 billion valuation, but Gupta said that the layoffs represented a kind of reset for the company after it had grown rapidly in the prior two years.

“From 2017 to 2019, we invested in a lot of different areas. I think in October, the way we thought about it was, we really started taking a pause as we became more confident in our strategy, and we reassessed areas that we wanted to cut back on, and that drove those layoff decisions in October.”

As for why the startup needs all that cash, Gupta says in a growing market, it is spending to grab as much market share as it can and that takes a lot of investment. Plus, it can’t hurt to have plenty of money in the bank as a hedge against economic uncertainty during the pandemic. Gupta notes that UiPath could also be looking at strategic acquisitions in the months ahead to fill in holes in the product roadmap more rapidly.

While the company doesn’t expect to go through the kind of growth it went through in 2017 and 2018, it will continue to hire, and Gupta says the leadership team is committed to building a diverse team at all levels of the organization. “We want to have the best people, but we really do believe that having the best people and the best team means that diversity has to be a part of that,” he said.

The company was founded in 2005 in Bucharest, outsourcing automation libraries and software. In 2015, it began the pivot to RPA and has been growing in leaps and bounds ever since. When we spoke to the startup in September 2018 around its $225 million Series C investment (which eventually ballooned to $265 million), it had 1,800 customers. Today it has 7,000 and is growing.

Analog Devices to acquire rival chipmaker Maxim Integrated for $21 billion

Analog Devices didn’t waste any time kicking off the week with a bang when it announced this morning it was acquiring rival chipmaker Maxim Integrated Products for $20.91 billion (according to multiple reports). Maxim had a market cap of $17.09 billion as of Friday’s close.

The deal, which has already been approved by both companies’ boards, would create a chip making behemoth worth $68 billion, according to Analog. The idea behind the transaction is that bigger is better and the combined companies will increase Analog’s revenue by $8.2 billion.

What’s more, the two companies should combine well in that there isn’t much overlap in their businesses. Maxim’s strength is in the automotive and data center spaces, while Analog is more concentrated in industrial and healthcare.

Vincent Roche, president and CEO of ADI, was enthusiastic about the potential of the combined organizations. “ADI and Maxim share a passion for solving our customers’ most complex problems, and with the increased breadth and depth of our combined technology and talent, we will be able to develop more complete, cutting-edge solutions,” he said in a statement.

Maxim was founded back in 1983 and went public in 1988. It made nine acquisitions between 2002 and 2013, with the most recent being Volterra in 2013, according to Crunchbase data.

As with all deals of this sort, it needs to pass regulatory muster first, but the companies expect the deal to close by next summer.

Daily Crunch: Rackspace is going public again

We look at Rackspace’s finances, a Facebook code change causes numerous app issues and electric vehicle company Rivian raises $2.5 billion. Here’s your Daily Crunch for July 10, 2020.

The big story: Rackspace is going public again

The cloud computing company first went public in 2008, before accepting a $4.3 billion offer to go private from Apollo Global Management. Rackspace says it will use the proceeds from the IPO to lower its debt load.

Alex Wilhelm took a deep dive into Rackspace’s finances, concluding that the proper valuation is a “puzzle”:

The company is tech-ish, which means it will find some interest. But its slow growth rate, heavy debts and lackluster margins make it hard to pin a fair multiple onto.

The tech giants

New report outlines potential roadmap for Apple’s ARM-based MacBooks — Analyst Ming-Chi Kuo said that a 13.3-inch MacBook powered by Apple’s new processors will arrive in the fourth quarter of this year.

Facebook code change caused outage for Spotify, Pinterest and Waze apps — Looks like Facebook was responsible for some crashing apps this morning.

California reportedly launches antitrust investigation into Google — This makes California the 49th state to launch an antitrust investigation into the search giant, according to Politico.

Startups, funding and venture capital

Rivian raises $2.5 billion as it pushes to bring its electric R1T pickup, R1S SUV to market — The company plans to bring its electric pickup truck and SUV, as well as delivery vans for Amazon, to market in 2021.

A glint of hope for India’s food delivery market as Zomato projects monthly cash burn of less than $1 million — “We’ll only lose $1 million this month” doesn’t feel like a huge accomplishment, but at least things seem to be headed in the right direction.

Advice and analysis from Extra Crunch

How Thor Fridriksson’s ‘Trivia Royale’ earned 2.5 million downloads in 3 weeks — The latest game from the QuizUp founder was (briefly) the top app in the App Store. We talk to Fridriksson about how he did it.

COVID-19 pivot: Travel unicorn Klook sees jump in staycations — With bookings for overseas experiences plummeting, Klook began offering do-it-yourself kits for stay-at-home projects and partnered with landmark sites to offer virtual tours.

Operator Collective brings diversity and inclusion to enterprise investing — The firm, founded last year, said it currently has 130 operator LPs, 90% of them women and 40% of them people of color.


Everything else

NASA signs agreement with Japan to cooperate across Space Station, Artemis and Lunar Gateway projects — Japan first expressed its intent to participate in the Lunar Gateway program in October 2019, making it one of the first countries to do so.

Equity: Silicon Valley is built on immigrant innovation — The latest episode of Equity discusses how recent visa changes will affect Silicon Valley.

Five reasons to attend TC Early Stage online — July 21 and 22! I will be there!

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories.