The Good, the Bad and the Ugly in Cybersecurity – Week 39

The Good

This week, British national Nathan Wyatt received a sentence of five years in prison, along with a hefty fine, in connection with multiple breaches and operations attributed to the “The Dark Overlord” hacking group.

Wyatt, a 39-year-old, held a pivotal role in numerous malicious campaigns carried out by TDO (The Dark Overlord). This result has been a long time coming: Wyatt was taken into custody in 2017 and finally extradited to the United States in December of 2019. Lengthy legal documents, filed in 2017, detail many of the specific offenses, along with some of the related methodologies.

The court documents offer an inside look at a tactic that has become all too commonplace in recent times. Wyatt, along with others in the TDO team, would attack high-value targets, exfiltrate swaths of valuable data, and then demand a ransom in return for not leaking the stolen data to the public. If victims failed to meet the demands, TDO would leak breach details to the media, post the data for sale on hacker forums, or simply post it for all to see on the web.

One of Wyatt’s main responsibilities was to broker communications between the victims and TDO. Wyatt would register unique phone numbers and accounts and use those channels to communicate with victims to demand the ransom or negotiate where required.

TDO has been linked to a large number of high-profile campaigns against Netflix, ABC, SMART, Gorilla Glue, and many others, so it’s pleasing to see the legal system catch up to these actors. Wyatt’s criminal endeavours cost him five years behind bars and nearly 1.5 million USD in fines.

The Bad

This week, CISA (the US Cybersecurity & Infrastructure Security Agency) released Alert AA20-266A. Through its EINSTEIN intrusion detection system, the agency has observed a sizeable uptick in the distribution of the LokiBot commodity malware, starting in July 2020.

LokiBot is a widely available tool with nearly no barrier to entry for setup and use. This makes the framework very attractive to enterprising cybercriminals who lack the skills to create or manage more complex malware, or the resources to buy into a more expensive toolset. Generally speaking, LokiBot provides keylogging, backdoor/remote access features, browser-based credential harvesting and information stealing. It can also be used as a loader or dropper for additional code or malware.

While LokiBot is well-known, well-documented, and generally well-defended against, this week’s alert is a good reminder that even the less-sophisticated malware families will ebb and flow in use and effectiveness. There is never a time when we, as “cyber-defenders”, can let our guard down. We encourage all to have a look at CISA’s guidance and use this as an opportunity to review your security posture and make any changes needed to ensure protection against LokiBot and all the other nasty bits out there in the wild.

The Ugly

As we inch closer to the upcoming election in the United States, sensitivity around election security is at an all-time high, and you know that things are taking a turn towards the ugly when an election-related entity is targeted with ransomware. Tyler Technologies, a company which provides services to the United States government, recently reported that it was hit with a damaging ransomware infection.

Tyler Technologies’ services to the U.S. government include emergency management, disaster recovery assistance, and the collection and sharing of election data. The company describes itself as a “Leading provider of end-to-end information management solutions and services for local governments.”

Given that the current modus operandi of ransomware actors is to leak victim data if the target fails to pay up, this ransomware attack is even more concerning. Current details suggest that the specific ransomware family was RansomExx. Tyler Technologies has indicated that no “personal data” was affected or accessed, and that the attack was limited to its internal corporate network. However, investigation into the matter is ongoing, and new details may emerge in the coming days and weeks.

Meanwhile, the company issued the following statement to their clients via email:

“I am writing to make you aware of a security incident involving unauthorized access to our internal phone and information technology systems by an unknown third party. We are treating this matter with the highest priority and working with independent IT experts to conduct a thorough investigation and response.”

We are certain that more stories like this will crop up as we approach the November election. Now, more than ever, trusted security controls are critical to protect the systems and data that we all rely upon and need to inherently trust.



EasySend raises $16M from Intel, more for its no-code approach to automating B2C interfaces

No-code and low-code software have become increasingly popular ways for companies — especially those that don’t count technology as part of their DNA — to bring in more updated IT processes without the heavy lifting needed to build and integrate services from the ground up.

As a mark of that trend, today, a company that has taken this approach to speeding up customer experience is announcing some funding. EasySend, an Israeli startup which has built a no-code platform for insurance companies and other regulated businesses to build out forms and other interfaces to take in customer information and subsequently use AI systems to process it more efficiently, is announcing that it has raised $16 million.

The funding has actually come in two tranches, a $5 million seed round from Vertex Ventures and Menora Insurance that it never disclosed, and another $11 million round that closed more recently, led by Hanaco with participation from Intel Capital. The company is already generating revenue, and did so from the start, enough that it was actually bootstrapped for the first three years of its life.

Tal Daskal, EasySend’s CEO and co-founder, said that the funding being announced today will be used to help it expand into more verticals: up to now its primary target has been insurance companies, although organically it’s picked up customers from a number of other verticals, such as telecoms carriers, banks and more.

The plan will be now to hone in on specifically marketing to and building solutions for the financial services sector, as well as hiring and expanding in Asia, Europe and the US.

Longer term, he said, another area EasySend might like to look at more in the future is robotic process automation (RPA). RPA, and companies that deal in it like UIPath, Automation Anywhere and Blue Prism, is today focused on the back office, and EasySend’s focus on the “front office” integrates with leaders in that area. But over time, it would make sense for EasySend to cover this in a more holistic way, he added.

Menora was a strategic backer: it’s one of the largest insurance providers in Israel, Daskal said, and it used EasySend to build out better ways for consumers to submit data for claims and apply for insurance.

Intel, he said, is also strategic although how is still being worked out: what’s notable to mention here is that Intel has been building out a huge autonomous driving business in Israel, anchored by MobileEye, and not only will insurance (and overall risk management) play a big part in how that business develops, but longer term you can see how there will be a need for a lot of seamless customer interactions (and form filling) between would-be car owners, operators, and passengers in order for services to operate more efficiently.

“Intel Capital chose to invest in EasySend because of its intelligent and impactful approach to accelerating digital transformation to improve customer experiences,” said Nick Washburn, senior managing director, Intel Capital, in a statement. “EasySend’s no-code platform utilizes AI to digitize thousands of forms quickly and easily, reducing development time from months to days, and transforming customer journeys that have been paper-based, inefficient and frustrating. In today’s world, this is more critical than ever before.”

The rise and persistence of Covid-19 globally has had a big, multi-faceted impact on how we all do business, and two of those ways have fed directly into the growth of EasySend.

First, the move to remote working has given organizations a giant fillip to work on digital transformation, refreshing and replacing legacy systems with processes that work faster and rely on newer technologies.

Second, consumers have really reassessed their use of insurance services, specifically health and home policies, respectively to make sure they are better equipped in the event of a Covid-19-precipitated scare, and to make sure that they are adequately covered for how they now use their homes all hours of the day.

EasySend’s platform for building and running interfaces for customer experience falls directly into the kinds of apps and services that are being identified and updated, precisely at a time when its initial target customers, insurers, are seeing a surge in business. It’s that “perfect storm” of circumstances that the startup wouldn’t have wished on the world, but which has definitely helped it along.

While there are a lot of companies on the market today that help organizations automate and run their customer interaction processes, Daskal said that EasySend’s focus on using AI to process information is what sets the startup apart, as it can be used not just to run things, but to help improve how things work.

It’s not just about taking in character recognition and organizing data, it’s “understanding the business logic,” he said. “We have a lot of data and we can understand [for example] where customers left the process [when filling out forms]. We can give insights into how to increase the conversion rates.”

It’s that balance of providing tools to do business better today, as well as to focus on how to build more business for tomorrow, that has caught the eye of investors.

“Hanaco is firmly invested in building a digital future. By bridging the gap between manual processes and digitization, EasySend is making this not only possible, but also easy, affordable, and practical,” said Hanaco founding partner Alon Lifshitz, in a statement.

The highest valued company in Bessemer’s annual cloud report has defied convention by staying private

This year’s Bessemer Venture Partners’ annual Cloud 100 Benchmark report was published recently and my colleague Alex Wilhelm looked at some broad trends in the report, but digging into the data, I decided to concentrate on the Top 10 companies by valuation. I found that the top company has defied convention for a couple of reasons.

Bessemer looks at private companies. Once they go public, Bessemer loses interest, and that’s why certain startups go in and out of this list each year. As an example, Dropbox was the most highly valued company by far, with a valuation in the $10 billion range for 2016 and 2017, the earliest data in the report. It went public in 2018 and therefore disappeared.

While that $10 billion benchmark remains a fairly good measure of a solidly valued cloud company, one company in particular blew away the field in terms of valuation, an outlier so huge, its value dwarfs even the mighty Snowflake, which was valued at over $12 billion before it went public earlier this month.

That company is Stripe, which has an other-worldly valuation of $36 billion. Stripe began its ascent to the top of the charts in 2016 and 2017 when it sat behind Dropbox with a $6 billion valuation in 2016 and around $8 billion in 2017. By the time Dropbox left the chart in 2018, Stripe would have likely blown past it when its valuation soared to $20 billion. It zipped up to around $23 billion last year before taking another enormous leap to $36 billion this year.

Stripe remains an outlier not only for its enormous valuation, but also the fact that it hasn’t gone public yet. As TechCrunch’s Ingrid Lunden pointed out in an article earlier this year, the company has remained quiet about its intentions, although there has been some speculation lately that an IPO could be coming.

What Stripe has done to earn that crazy valuation is to be the cloud payment API of choice for some of the largest companies on the internet. Consider that Stripe’s customers include Amazon, Salesforce, Google and Shopify and it’s not hard to see why this company is valued as highly as it is.

Stripe came up with the idea of making it simple to incorporate a payments mechanism into your app or website, something that’s extremely time-consuming to do. Instead of building their own, developers tapped into Stripe’s ready-made variety and Stripe gets a little money every time someone bangs on the payment gateway.

When you’re talking about some of the biggest companies in the world being involved, and many others large and small, all of those payments running through Stripe’s systems add up to a hefty amount of revenue, and that revenue has led to this amazing valuation.

One other company you might want to pay attention to here is UIPath, the robotic process automation company, which was sitting just behind Snowflake with a valuation of over $10 billion. While it’s unclear if RPA, the technology that helps automate legacy workflows, will have the lasting power of a payments API, it certainly has come on strong the last couple of years.

Most of the companies in this report appear for a couple of years as they become unicorns, watch their values soar and eventually go public. Stripe up to this point has chosen not to do that, making it a highly unusual company.

Privacy data management innovations reduce risk, create new revenue channels

Privacy data mismanagement is a lurking liability within every commercial enterprise. The very definition of privacy data is evolving over time and has been broadened to include information concerning an individual’s health, wealth, college grades, geolocation and web surfing behaviors. Regulations are proliferating at state, national and international levels that seek to define privacy data and establish controls governing its maintenance and use.

Existing regulations are relatively new and are being translated into operational business practices through a series of judicial challenges that are currently in progress, adding to the confusion regarding proper data handling procedures. In this confusing and sometimes chaotic environment, the privacy risks faced by almost every corporation are frequently ambiguous, constantly changing and continually expanding.

Conventional information security (infosec) tools are designed to prevent the inadvertent loss or intentional theft of sensitive information. They are not sufficient to prevent the mismanagement of privacy data. Privacy safeguards not only need to prevent loss or theft but they must also prevent the inappropriate exposure or unauthorized usage of such data, even when no loss or breach has occurred. A new generation of infosec tools is needed to address the unique risks associated with the management of privacy data.

The first wave of innovation

A variety of privacy-focused security tools emerged over the past few years, triggered in part by the introduction of GDPR (General Data Protection Regulation) within the European Union in 2018. New capabilities introduced by this first wave of innovation were focused in the following three areas:

Data discovery, classification and cataloging. Modern enterprises collect a wide variety of personal information from customers, business partners and employees at different times for different purposes with different IT systems. This data is frequently disseminated throughout a company’s application portfolio via APIs, collaboration tools, automation bots and wholesale replication. Maintaining an accurate catalog of the location of such data is a major challenge and a perpetual activity. BigID, DataGuise and Integris Software have gained prominence as popular solutions for data discovery. Collibra and Alation are leaders in providing complementary capabilities for data cataloging.

Consent management. Individuals are commonly presented with privacy statements describing the intended use and safeguards that will be employed in handling the personal data they supply to corporations. They consent to these statements — either explicitly or implicitly — at the time such data is initially collected. Osano, Transcend.io and DataGrail.io specialize in the management of consent agreements and the enforcement of their terms. These tools enable individuals to exercise their consensual data rights, such as the right to view, edit or delete personal information they’ve provided in the past.

Who is Tech Investor John Bernard?

John Bernard, the subject of a story here last week about a self-proclaimed millionaire investor who has bilked countless tech startups, appears to be a pseudonym for John Clifton Davies, a U.K. man who absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail before being cleared of murdering his wife on their honeymoon in India.

The Private Office of John Bernard, which advertises itself as a capital investment firm based in Switzerland, has for years been listed on multiple investment sites as the home of a millionaire who made his fortunes in the dot-com boom 20 years ago and who has oodles of cash to invest in tech startups.

But as last week’s story noted, Bernard’s investment company is a bit like a bad slot machine that never pays out. KrebsOnSecurity interviewed multiple investment brokers who all told the same story: After promising to invest millions after one or two phone calls and with little or no pushback, Bernard would insist that companies pay tens of thousands of dollars worth of due diligence fees up front.

However, the due diligence company he insisted on using — another Swiss firm called Inside Knowledge — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.

Neither Mr. Bernard nor anyone from his various companies responded to multiple requests for comment over the past few weeks. What’s more, virtually all of the employee profiles tied to Bernard’s office have since last week removed those firms from their work experience as listed on their LinkedIn resumes — or else deleted their profiles altogether.

Sometime on Thursday John Bernard’s main website — the-private-office.ch — replaced the content on its homepage with a note saying it was closing up shop.

“We are pleased to announce that we are currently closing The Private Office fund as we have reached our intended investment level and that we now plan to focus on helping those companies we have invested into to grow and succeed,” the message reads.

As noted in last week’s story, the beauty of a scam like the one multiple investment brokers said was being run by Mr. Bernard is that companies bilked by small-time investment schemes rarely pursue legal action, mainly because the legal fees involved can quickly surpass the losses. What’s more, most victims will likely be too ashamed to come forward.

Also, John Bernard’s office typically did not reach out to investment brokers directly. Rather, he had his firm included on a list of angel investors focused on technology companies, so those seeking investments usually came to him.

Finally, multiple sources interviewed for this story said Bernard’s office offered a finders fee for any investment leads that brokers brought his way. While such commissions are not unusual, the amount promised — five percent of the total investment in a given firm that signed an agreement — is extremely generous. However, none of the investment brokers who spoke to KrebsOnSecurity were able to collect those fees, because Bernard’s office never actually consummated any of the deals they referred to him.

PAY NO ATTENTION TO THE EMPTY BOOKSHELVES

After last week’s story ran, KrebsOnSecurity heard from a number of other investment brokers who had near identical experiences with Bernard. Several said they at one point spoke with him via phone or Zoom conference calls, and that he had a distinctive British accent.

When questioned about why his staff was virtually all based in Ukraine when his companies were supposedly in Switzerland, Bernard replied that his wife was Ukrainian and that they were living there to be closer to her family.

One investment broker who recently got into a deal with Bernard shared a screenshot from a recent Zoom call with him. That screenshot shows Bernard bears a striking resemblance to one John Clifton Davies, a 59-year-old from Milton Keynes, a large town in Buckinghamshire, England, about 50 miles (80 km) northwest of London.

[Image caption: John Bernard (left) in a recent Zoom call, and a photo of John Clifton Davies from 2015.]

In 2015, Mr. Davies was convicted of stealing more than GBP 750,000 from struggling companies looking to restructure their debt. For at least seven years, Davies ran multiple scam businesses that claimed to provide insolvency consulting to distressed companies, even though he was not licensed to do so.

“After gaining the firm’s trust, he took control of their assets and would later pocket the cash intended for creditors,” according to a U.K. news report from 2015. “After snatching the cash, Davies proceeded to spend the stolen money on a life of luxury, purchasing a new upmarket home fitted with a high-tech cinema system and new kitchen.”

Davies disappeared before he was convicted of fraud in 2015. Two years before that, Davies was released from prison after being held in custody for 16 months on suspicion of murdering his new bride in 2004 on their honeymoon in India.

Davies’ former wife Colette Davies, 39, died after falling 80 feet from a viewing point at a steep gorge in the Himachal Pradesh region of India. Mr. Davies was charged with murder and fraud after he attempted to collect GBP 132,000 in her life insurance payout, but British prosecutors ultimately conceded they did not have enough evidence to convict him.

THE SWISS AND UKRAINE CONNECTIONS

While the photos above are similar, there are other clues that suggest the two identities may be the same person. A review of business records tied to Davies’ phony insolvency consulting businesses between 2007 and 2013 provides some additional pointers.

John Clifton Davies’ former listing at the official U.K. business registrar Companies House shows his company was registered at the address 26 Dean Forest Way, Broughton, Milton Keynes.

A search on that street address at 4iq.com turns up several interesting results, including a listing for senecaequities.com registered to a John Davies at the email address john888@myswissmail.ch.

A Companies House official record for Seneca Equities puts it at John Davies’ old U.K. address at 26 Dean Forest Way and lists 46-year-old Iryna Davies as a director. “Iryna” is a uniquely Ukrainian spelling of the name Irene (the Russian equivalent is typically “Irina”).

A search on John Clifton Davies and Iryna turned up this 2013 story from The Daily Mirror which says Iryna is John C. Davies’ fourth wife, and that the two were married in 2010.

A review of the Swiss company registrar for The Inside Knowledge GmbH shows an Ihor Hubskyi was named as president of the company. This name is phonetically the same as Igor Gubskyi, a Ukrainian man who was listed in the U.K.’s Companies House records as one of five officers for Seneca Equities along with Iryna Davies.

KrebsOnSecurity sought comment from both the U.K. police district that prosecuted Davies’ case and the U.K.’s National Crime Agency (NCA). Neither wished to comment on the findings. “We can neither confirm nor deny the existence of an investigation or subjects of interest,” a spokesperson for the NCA said.

APTs and Defending the Enterprise in an Age of Cyber Uncertainty

In recent months, there has been a marked uptick in nation-state cyber activity. During the last week alone, we’ve learned that Chinese hackers stole information from Spanish centers working on COVID-19 vaccines, that the US Justice Department has indicted five Chinese nationals (and two Malaysian ones) who targeted over 100 companies, organizations, and individuals in 14 countries, that three Iranian nationals have been indicted on charges of hacking US aerospace and satellite companies, and that APT39 has been spying on Iranian dissidents. Last week, two other Iranian hackers were also indicted for defacing multiple websites with pro-Iranian propaganda.

This surge in nation-state hacking activity is not a blip but a discernible trend. Attacks attributed to nation-state backed APTs have increased not only in terms of volume but also in scope and sophistication. The problem has been exacerbated because of COVID-19 and its impact on the global economy and international relations.

Concerns about APTs used to be a niche topic discussed primarily by homeland security experts and the cybersecurity industry, but they have now reached mainstream awareness, as can be seen from statements by US, UK and other Western government officials. Most recently, the Australian Defence Minister Linda Reynolds made a public statement expressing concern that malicious cyber attacks against Australian businesses and government agencies from a state-based actor, believed to be China, had increased over the past two months.

Making Sense of a Chaotic World

Reading all these headlines can be confusing. Who is attacking who, why and how? Let’s try to break down the different nation-state activities in cyberspace.

Sabotage – The virtual can break out into the physical when nations use cyber means to cause damage to the computer systems or physical systems of other nations. Attacks on critical infrastructure have increased sharply in the last two years. Among them, a tit-for-tat between Israel and Iran: an Iranian attack on Israel’s water infrastructure led to Israeli retaliation against the port of Shahid Rajaee, a reminder—should anyone have forgotten Stuxnet—that nations are not averse to launching cyber attacks with destructive force on those they perceive as enemies.

If you’re in any one of the 16 critical infrastructure sectors, you could find yourself directly or indirectly in the line of fire from sabotage attempts.


Classic Espionage – Good old-fashioned spying is a much more common activity than sabotage. Nations have been spying on each other since forever, but today much of the old ‘spy-craft’ activity is conducted in cyberspace. Data theft is easier, cheaper and relatively risk-free when you’re behind a keyboard hacking into a server in a different country, protected by the laws and security services of your own government.

Organizations holding data that could be sensitive to national security issues or working with personnel or contractors who have high profiles need to harden their security to prevent unauthorized access or leakage.

Global Political Influence – Nations have long used psyops to gain an advantage over other countries, but cyberspace has given them the means to do so on a scale that was never dreamt of before. Nations can interfere with political processes in other countries with little regard and great reward. For example, nation-state actors meddling in the Scottish independence referendum, the UK Brexit referendum, the US 2016 elections, and, inevitably, the upcoming 2020 US elections is well documented.

Combating this kind of interference has to be undertaken at a national security level, but organizations can also step up their vigilance to ensure that they are fully aware of partners’, contractors’, and clients’ backgrounds and credentials.

Regional Politics – Nations also want to exert strength in cyberspace to resolve (or escalate) regional conflicts. Chinese cyber attacks on Indian entities followed a skirmish between the two nations resulting in dozens of casualties in the mountainous border region of Ladakh. Ukrainian security services reported in 2019 that Russian-backed Gamaredon APT had repeatedly targeted Ukrainian military and law enforcement agencies and individuals. Gamaredon reportedly launched at least 482 cyber attacks against Ukrainian critical infrastructure targets in a Russian-backed campaign to pursue a proxy-war in cyberspace without incurring the political fallout of an actual, boots-on-the-ground, military campaign.

Businesses and organizations with political links should follow similar guidelines for protecting data as federal contractors.


Industrial Espionage – Unlike ‘classic’ espionage, this activity is specifically aimed at closing the economic gap between nations by stealing intellectual property and then using it either to copy and reproduce technology or to gain some other unfair commercial advantage. China has been widely accused of spying on Western businesses, government agencies and technology companies for just this purpose. For example, desiring to build its own stealth jet, China is believed to have stolen the proven design of the US F-35 to shorten development and “time to market”. It’s been estimated that theft of American trade secrets by China costs the US somewhere in the region of $300 billion to $600 billion every year.

While high-tech organizations are likely well aware of the value of their IP, universities and other academic institutions with low budgets for cyber security may not be aware of the threat of IP and research data theft.


Crime – Some nations are under extreme financial burden, made worse by international sanctions, so they resort to cybercrime to fill their coffers. North Korea is notorious for utilizing cyber crime for such purposes, and recently launched yet another campaign aimed at stealing money from US banks and ATMs. Other Lazarus APT campaigns have focused on stealing cryptocurrencies and impersonating cryptocurrency exchanges. Unlike many other APTs, Lazarus writes malware that targets macOS users too, as Apple’s platform is increasingly used by C-suite executives and others wary of the plethora of Windows malware.


APTs have learned lessons from cyber criminals and vice versa. SentinelLabs recently uncovered how Lazarus APT leverages TrickBot crimeware to target organizations for financial gain.


APTs: Opportunities in 2020 and Beyond

The present COVID-19 pandemic has created powerful opportunities for nations to hack and spy on one another. Quite aside from the power of phishing lures related to Coronavirus themes, the race to be first to obtain a vaccine has led to a number of incidents of espionage related to stealing IP from research laboratories. Based on recent evidence, it is likely that we will see further APT campaigns trying to take advantage of the security vulnerabilities brought about by workplace disruption – from office to home and back again – that at present do not seem to have any end in sight, and will certainly extend into 2021 at least.

Aside from pandemic-related matters, 2020 is a year that has seen widespread political, social, economic and climate disruption in the US and, to a certain extent, in the UK and Europe too. All of this is grist to the mill for cyber threat actors, who will seize on any opportunity to leverage current events to further their campaigns. And of course, the upcoming US elections will likely result in an increase in related cyber activities, such as hacking attempts against politicians, political parties, voter registries, voting sites and voting machines.

Defending the Enterprise in an Era of Cyber Uncertainty

It sounds like a grim picture, but enterprises are far from helpless or alone. Recent sanctions imposed on Iranian hackers by the US, proposed EU sanctions against Russian hacking, and joint announcements by officials in countries such as the US and UK (for example, a recent statement blaming China, Iran and Russia for attempts to steal COVID-19 vaccine research) signal greater international cooperation that will hopefully help to reduce such destructive activities.

There are a number of initiatives to protect healthcare institutions from cyber threats during COVID-19, and partnerships between nations and law enforcement agencies, as well as public-private collaboration efforts, are also being developed to improve enterprise cyber security against advanced persistent threat actors.

At an organizational level, the time when it was possible to believe your organization may not be “interesting” to advanced attackers is well and truly behind us. Nation-state actors are hoovering up masses of data related to organizations and individuals simply because they can and because they never know when it might be useful.


These nation-state actors rely heavily on social engineering to obtain credentials, deliver their payloads via emails (usually hidden within documents or images) and infect endpoints in order to obtain access to data and then exfiltrate it.

Given the diverse and increasing number of threats, companies need to ensure that they conduct a full risk assessment, develop a security plan that includes incident response and business continuity contingencies, and deploy trusted technological solutions to ease the burden on staff.

With phishing the number one vector in most compromises, phishing awareness training backed by endpoint security software that can recognize known and unknown threats is a priority.

For the increasing number of companies that are utilising the cloud, Kubernetes and containers, and struggling to keep on top of the ever-changing hardening configuration needed, workload protection is also vital.


Conclusion

It wasn’t all that long ago that the very existence of APTs was something shrouded in myth and secrecy, but with public disclosures and leaks of APT toolkits now in the public domain, it seems nation-state actors are not nearly so shy or retiring as they once were. Discussion of APT activity is now part of mainstream cyber discourse, with all sides seemingly content to openly acknowledge that cyber warfare between nations is part of the ‘new normal’ that will be with us for some time to come.

Businesses need to understand that in our interconnected world, there is no such thing as being either ‘invisible’ or ‘uninteresting’ to advanced cyber attackers. Know it or not, like it or not, if you’re online, storing and processing data, and engaged in any kind of commercial relationships, there’s an APT cyber threat actor out there interested in you, your data, your product, your clients and/or your providers.

While that might sound scary, fortunately APTs and their tactics, techniques and procedures are also no longer shrouded in mystery. APTs are just another threat actor we all have to deal with. We are not alone in this fight, and we are not defenceless, so long as we first recognize the threat and then take appropriate measures.

If you would like to see first hand how SentinelOne’s Singularity platform can help defend your organization against advanced threat actors, contact us today or request a free demo.



Microsoft’s Edge browser is coming to Linux in October

Microsoft’s Edge browser is coming to Linux, starting with the Dev channel. The first of these previews will go live in October.

When Microsoft announced that it would switch its Edge browser to the Chromium engine, it vowed to bring it to every popular platform. At the time, Linux wasn’t part of that list, but by late last year, it became clear that Microsoft was indeed working on a Linux version. Later, at this year’s Build, a Microsoft presenter even used it during a presentation.


Starting in October, Linux users will be able to either download the browser from the Edge Insider website or through their native package managers. Linux users will get the same Edge experience as users on Windows and macOS, as well as access to its built-in privacy and security features. For the most part, I would expect the Linux experience to be on par with that on the other platforms.

Microsoft also today announced that its developers have made more than 3,700 commits to the Chromium project so far. Some of this work has been on support for touchscreens, but the team also contributed to areas like accessibility features and developer tools, on top of core browser fundamentals.

Currently, Microsoft Edge is available on Windows 7, 8 and 10, as well as macOS, iOS and Android.

Microsoft updates its Endpoint Manager with improved macOS support and more

At its Ignite conference today, Microsoft announced a number of new features for the Microsoft Endpoint Manager, the company’s unified platform for managing and securing devices in an enterprise environment. The service, which combines the features of the Microsoft System Center Configuration Manager with the cloud-based tools of Intune, launched just under a year ago. Today’s updates build on the foundation the team created at the time and add improved macOS and iPad support, as well as new tools for connecting mobile devices to on-premises apps and additional productivity tools based on the data the company gathers from the service. The company is also making it easier for corporate IT departments to provision devices for employees remotely.

If anything, the pandemic has only accelerated both the growth of this business for Microsoft and the need for companies to manage their remote devices.

“It really is about bringing this cloud and all the intelligence that we had in Intune together with Config Manager and making it act as one,” Brad Anderson, Microsoft corporate VP for the Commercial Management Experiences team, told me. “And it’s been so fascinating to see how the pandemic accelerated people wanting and needing to use that. When the pandemic first hit — and as I go back to March 8th or 10th, in the U.S., the calls that I was having almost every day with CIOs centered around, ‘my VPN is overwhelmed. How am I going to keep all my systems updated?’ ”

Today’s announcements build on the work Microsoft has done on this service over the course of the last year. After launching support for scripting on macOS earlier this year, for example, the company today announced a new “first-class management experience on macOS” that brings deploy scripts, as well as improved enrollment experiences and app lifecycle management features, to the platform.

Endpoint Manager now also supports Apple’s Shared iPad for Business functionality, and will help businesses deploy iPads to their users and allow them to log in with Azure Active Directory accounts. This gives users two separate portions on the device: one for work and one for everything else.

Another new feature is Microsoft Tunnel. This gives businesses a VPN that can cover the entire device or single apps to ensure that their employees’ devices are secure and compliant with their internal policy to access their networks.

“The key thing [with Microsoft Tunnel] is that this is all integrated into our conditional access,” Anderson explained. “And so when that VPN comes up, before access is granted to the data or to the apps, the conditional access engine that we’ve built inside of Microsoft 365 has that point of view on the trust of the identity and the trust of the device. That really is the key differentiator on that. I’ll tell you, between you and I, that one feature is probably the single feature that customers who are running another MDM and then the Microsoft Endpoint Manager — that’s the one they’re waiting for.”

Endpoint Manager now also supports the Windows Virtual Desktop (WVD) environment. That’s been a massive growth area for the company — one that has only been accelerated by the COVID-19 pandemic. As Anderson told me, the company saw 10x growth for WVD through the pandemic. “Now, Windows Virtual Desktop is that first-class citizen inside Microsoft Endpoint Manager. So you can manage your virtual endpoints just like you manage your physical endpoints. All your policies are applicable, all your apps are clickable. And it just makes it easier to be able to use that as one of the tools you have to empower your users,” he said.

Another area of Endpoint Manager, which may only seem tangentially related at first, is Microsoft’s Productivity Score. There are two aspects to this service, though: employee experience and technology experience. Productivity Score is meant to help businesses better understand how their employees are working — and identify areas where companies can improve. On the technology side, that also means understanding which apps crash, for example, or why laptops slow down.

“Here’s one of the key scenarios,” said Anderson. “We’ll get a call every once in a while that says, like, ‘hey, my users are all having a great experience with Office 365 but I’ve got a handful of users for whom it’s slow.’ More often than not, that’s a networking issue. And so every time a user, for example, opens a file or saves a file, opens an attachment, we get telemetry back that helps us understand the operations of that. We probably know when an ISP in the south of France sneezes, because Office 365 is so ubiquitous now.”

The other new feature here is what Microsoft calls Endpoint Analytics. With this, Microsoft can now provide businesses with detailed information about when apps on their employees’ devices crash — no matter whether that’s an internal app, a third-party service — or a Microsoft app.

In addition to these technology scores, Productivity Score is also getting new categories like meetings, so managers can see how many meetings their employees have, as well as a new teamwork category.

Microsoft brings new robotic process automation features to its Power Platform

Earlier this year, Microsoft acquired Softomotive, a player in the low-code robotic process automation space with a focus on Windows. Today, at its Ignite conference, the company is launching Power Automate Desktop, a new application based on Softomotive’s technology that lets anyone automate desktop workflows without needing to program.

“The big idea of Power Platform is that we want to go make it so development is accessible to everybody,” Charles Lamanna, Microsoft’s corporate VP for its low-code platform, told me. “And development includes understanding and reporting on your data with Power BI, building web and mobile applications with Power Apps, automating your tasks — whether it’s through robotic process automation or workflow automation — with Power Automate, or building chatbots and chat-based experiences with Power Virtual Agent.”

Power Automate already allowed users to connect web-based applications, similar to Zapier and IFTTT, but the company also launched a browser extension late last year to help users connect native system components to Power Automate. Now, with the integration of the Softomotive technology and the launch of this new low-code Windows application, it’s taking this integration into the native Windows user interface one step further.

“Everything still runs in the cloud and still connects to the cloud, but you now have a rich desktop application to author and record your UI automations,” Lamanna explained. He likened it to an “ultimate connector,” noting that the “ultimate API is just the UI.”

He also stressed that the new app feels like any other modern Office app, like Outlook (which is getting a new Mac version today, by the way) or Word. And like the modern versions of those apps, Power Automate Desktop derives a lot of its power from being connected to the cloud.

It’s also worth noting that Power Automate isn’t just a platform for automating simple two or three-step processes (like sending you a text message when your boss emails you), but also for multistep, business-critical workflows. T-Mobile, for example, is using the platform to automate some of the integration processes between its systems and Sprint.

Lamanna noted that for some large enterprises, adopting these kinds of low-code services necessitates a bit of a culture shift. IT still needs to have some insights into how these tools are used, after all, to ensure that data is kept safe, for example.

Another new feature the company announced today is an integration between the Power Platform and GitHub, which is now in public preview. The idea here is to give developers the ability to create their own software lifecycle workflows. “One of the core ideas of Power Platform is that it’s low code,” Lamanna said. “So it’s built first for business users, business analysts, not the classical developers. But pro devs are welcome. The saying I have is: we’re throwing a party for business users, but pro devs are also invited to the party.” But to get them onto the platform, the team wants to meet them where they are and let them use the tools they already use — and that’s GitHub (and Visual Studio and Visual Studio Code).

Five years after creating Traefik application proxy, open-source project hits 2B downloads

Five years ago, Traefik Labs founder and CEO Emile Vauge was working on a project deploying thousands of microservices and he was lacking a cloud-native application proxy that could handle this kind of scale. So like any good developer, he created one himself, and Traefik was born.

If you go back five years, the notion of cloud native was still in its infancy. Docker had been doing containers for just a couple of years, and Kubernetes would only be released that year. There wasn’t much cloud-native tooling around, so Vauge decided to build a cloud-native reverse proxy out of pure necessity.

“At that time, five years ago, there was no reverse proxy that was good at managing the complexity of microservices at cloud scale. So that was really the origin of Traefik. And one of the big innovations was its automation and its simplicity,” he said.

As he explained it, a reverse proxy needs to have several features, like traffic management, load balancing, observability and security, but much of this had to be done manually with the tools available at the time. As it turns out, Vauge had stumbled onto a major pain point.

“Initially I created Traefik for myself. It was a side project but it turned out that there was a huge interest and very quickly a community gathered around the project,” he said. After a few months, he realized he could build a company around this and left his job to start a company called Containous.

Today, he changed the name of that company to Traefik Labs and the open-source project he developed has become wildly popular. “Five years later we are at 2 billion downloads. It’s in the top 10 most downloaded projects on Docker. We have 30,000 stars on GitHub. So basically it’s one of the largest open-source projects in the world,” he said. In addition, he said there are more than 550 individuals contributing to the project today.

When he formed Containous, he developed an open core-based commercial project designed for enterprise needs around scaling, high availability and more security features. Today, that includes the Traefik Proxy and an open-source service mesh called Traefik Mesh.

Among the companies using the open-source project today are Conde Nast, eBay Classifieds and Mailchimp.

Vauge certainly was in the right place at the right time five years ago, which he modestly attributes to luck because he was working at one of the few companies at the time that was dealing with microservices at scale. “We had to build a lot of things, and Traefik was one of those things. So I was basically lucky because I created Traefik at the right time,” he said.

Not surprisingly, a company with that kind of open-source traction has attracted the interest of venture capitalists, and Vauge has raised $16 million since he launched his company in 2015, including $10 million led by Balderton Capital in January.