Microsoft Teams gets breakout rooms, custom layouts and virtual commutes

Teams has become a major focus for Microsoft during the COVID-19 pandemic, so it’s no surprise that the company is using its annual Ignite IT conference to announce a number of new features for the service.

Today’s announcements follow the launch of features like Together Mode and dynamic view earlier this summer.

Together Mode, which puts cutouts of meeting participants in different settings, is getting a bit of an update today with the launch of new scenes: auditoriums, coffee shops and conference rooms. Like before, the presenter chooses the scene, but what’s new now is that Microsoft is also using machine learning to ensure that participants are automatically centered in their virtual chairs, making the whole scene look just a little bit more natural (and despite what Microsoft’s research shows, I can never help but think that this all looks a bit goofy, maybe because it reminds me of the opening credits of The Muppet Show).


Also new in Teams is custom layouts, which allow presenters to customize how their presentations — and their own video feeds — appear. With this, a presenter can superimpose her own video image over the presentation, for example.


Breakout rooms, a feature that is getting a lot of use in Zoom these days, is now also coming to Teams. Microsoft calls it the most requested feature in Teams and, like in similar products, it allows meeting organizers to split participants into smaller groups — and the meeting organizer can then go from room to room. Unsurprisingly, this feature is especially popular with teachers, though companies, too, often use it to facilitate brainstorming sessions, for example.


After exhausting all your brainstorming power in those breakout rooms and finishing up your meeting, Teams can now also send you an automatic recap of a meeting that includes a recording, transcript, shared files and more. These recaps will automatically appear on your Outlook calendar. In the future, Microsoft will also enable the ability to automatically store these recordings on SharePoint.

For companies that regularly host large meetings, Microsoft will launch support for up to 1,000 participants in the near future. Attendees in these meetings will get the full Teams experience, Microsoft promises. Later, Microsoft will also enable view-only meetings for up to 20,000 participants. Both of these features will become available as part of a new “Advanced Communications” plan, which is probably no surprise, given how much bandwidth and compute power it will likely take to manage a 1,000-person meeting.


Microsoft also made two hardware announcements related to Teams today. The first is the launch of what it calls “Microsoft Teams panels,” which are essentially small tablets that businesses can put outside of their meeting rooms for wayfinding. One cool feature here — especially as businesses start planning their post-pandemic office strategy — is that these devices will be able to use information from the cameras in the room to count how many people are attending a meeting in person and then show remaining room capacity, for example.

The company also today announced that the giant Surface Hub 2S 85-inch model will be available in January 2021.

And there is more. Microsoft is also launching new Teams features for front-line workers to help schedule shifts, alert workers when they are using Teams off-shift and praise badges that enable organizations to recognize workers (though those workers would probably prefer hard cash over a digital badge).

Also new is an integration between Teams and RealWear head-mounted devices for remote collaboration and a new Walkie Talkie app for Android.

And since digital badges aren’t usually enough to improve employee well-being, Microsoft is also adding a new set of well-being features to Teams. These provide users with personalized recommendations to help change habits and improve well-being and productivity.


That includes a new “virtual commute” feature that includes an integration with Headspace and an emotional check-in experience.

I’ve always been a fan of short and manageable commutes for getting some distance between work and home, but that’s not exactly a thing right now. Maybe Headspace works as an example, but there’s only so much Andy Puddicombe I can take. Still, I think I’ll keep my emotional check-ins to myself, though Microsoft obviously notes that it will keep all of that information private.

And while businesses now care about your emotional well-being (because it’s closely related to your productivity), managers mostly care about the work you get done. For them, Workplace Analytics is coming to Teams, giving “managers line of sight into teamwork norms like after-hours collaboration, focus time, meeting effectiveness, and cross-company connections. These will then be compared to averages among similar teams to provide managers with actionable insights.”

If that doesn’t make your manager happy, what will? Maybe a digital praise badge?

Microsoft launches new Cortana features for business users

Cortana may have failed as a virtual assistant for consumers, but Microsoft is still betting on it (or at least its brand) for business use cases, now that it has rebranded it as a “personal productivity assistant” as part of Microsoft 365. Today, at its Ignite conference, Microsoft launched and announced a number of new Cortana services for business users.

These include the general availability of Cortana for the new Microsoft Teams displays the company is launching in partnership with a number of hardware vendors. You can think of these as dedicated smart displays for Teams that are somewhat akin to Google Assistant-enabled smart displays, for example — but with the sole focus on meetings. These days, it’s hard to enable a device like this without support for a voice assistant, so there you go. It’ll be available in September in English in the U.S. and will then roll out to Australia, Canada, the U.K. and India in the coming months.

In addition to these Teams devices, which Microsoft is not necessarily positioning for meeting rooms but as sidekicks to a regular laptop or desktop, Cortana will also soon come to Teams Rooms devices. Once we go back to offices and meeting rooms, after all, few people will want to touch a shared piece of hardware, so a touchless experience is a must.

For a while now, Microsoft has also been teasing more email-centric Cortana services. Play My Emails, a service that reads your email out loud and that’s already available in the U.S. on iOS and Android, is coming to Australia, Canada, the U.K. and India in the coming months. But more importantly, later this month, Outlook for iOS users will be able to interact with their inbox by voice, initiate calls to email senders and play emails from specific senders.

Cortana can now also send you daily briefing emails if you are a Microsoft 365 Enterprise user. This feature is now generally available and will get better meeting preparation, integration with Microsoft To Do and other new features in the coming months.

And if you’re using Cortana on Windows 10, this chat-based app now lets you compose emails, for example (at least if you speak English and are in the U.S.). And if you so desire, you can now use a wake word to launch it.

Microsoft brings data services to its Arc multi-cloud management service

Microsoft today launched a major update to its Arc multi-cloud service that allows Azure customers to run and manage workloads across clouds — including those of Microsoft’s competitors — and their on-premises data centers. First announced at Microsoft Ignite in 2019, Arc was always meant to not just help users manage their servers but also allow them to run data services like Azure SQL and Azure Database for PostgreSQL, close to where their data sits.

Today, the company is making good on this promise with the preview launch of Azure Arc-enabled data services with support for, as expected, Azure SQL and Azure Database for PostgreSQL.

In addition, Microsoft is making the core feature of Arc, Arc-enabled servers, generally available. These are the tools at the core of the service that allow enterprises that use the standard Azure Portal to manage and monitor their Windows and Linux servers across their multi-cloud and edge environments.


“We’ve always known that enterprises are looking to unlock the agility of the cloud — they love the app model, they love the business model — while balancing a need to maintain certain applications and workloads on premises,” Rohan Kumar, Microsoft’s corporate VP for Azure Data said. “A lot of customers actually have a multi-cloud strategy. In some cases, they need to keep the data specifically for regulatory compliance. And in many cases, they want to maximize their existing investments. They’ve spent a lot of CapEx.”

As Kumar stressed, Microsoft wants to meet customers where they are, without forcing them to adopt a container architecture, for example, or replace their specialized engineered appliances to use Arc.

“Hybrid is really [about] providing that flexible choice to our customers, meeting them where they are, and not prescribing a solution,” he said.

He admitted that this approach makes engineering the solution more difficult, but the team decided the baseline should be a container endpoint and nothing more. And for the most part, Microsoft packaged up the tools its own engineers were already using to run Azure services on the company’s own infrastructure to manage these services in a multi-cloud environment.

“In hindsight, it was a little challenging at the beginning, because, you can imagine, when we initially built them, we didn’t imagine that we’ll be packaging them like this. But it’s a very modern design point,” Kumar said. But the result is that supporting customers is now relatively easy because it’s so similar to what the team does in Azure, too.

Kumar noted that one of the selling points for the Azure Data Services is also that the version of Azure SQL is essentially evergreen, allowing them to stop worrying about SQL Server licensing and end-of-life support questions.

Microsoft challenges Twilio with the launch of Azure Communication Services

Microsoft today announced the launch of Azure Communication Services, a new set of features in its cloud that enable developers to add voice and video calling, chat and text messages to their apps, as well as old-school telephony.

The company describes the new set of services as the “first fully managed communication platform offering from a major cloud provider,” and that seems right: Google and AWS offer some of these features (the AWS notification service, for example), but not as part of a cohesive communication service. Indeed, Azure Communication Services looks more like a competitor to the core features of Twilio or the up-and-coming MessageBird.

Over the course of the last few years, Microsoft has built up a lot of experience in this area, in large parts thanks to the success of its Teams service. Unsurprisingly, that’s something Microsoft is also playing up in its announcement.

“Azure Communication Services is built natively on top a global, reliable cloud — Azure. Businesses can confidently build and deploy on the same low latency global communication network used by Microsoft Teams to support over 5 billion meeting minutes in a single day,” writes Scott Van Vliet, corporate vice president for Intelligent Communication at the company.

Microsoft also stresses that it offers a set of additional smart services that developers can tap into to build out their communication services, including its translation tools, for example. The company also notes that its services are encrypted to meet HIPAA and GDPR standards.

Like similar services, developers access the various capabilities through a set of new APIs and SDKs.

As for the core services, the capabilities here are pretty much what you’d expect. There’s voice and video calling (and the ability to shift between them). There’s support for chat and, starting in October, users will also be able to send text messages. Microsoft says developers will be able to send these to users anywhere, with Microsoft positioning it as a global service.

Provisioning phone numbers is also part of the service: developers will be able to provision numbers for inbound and outbound calls, port existing numbers, request new ones and, most importantly for contact-center users, integrate them with existing on-premises equipment and carrier networks.

“Our goal is to meet businesses where they are and provide solutions to help them be resilient and move their business forward in today’s market,” writes Van Vliet. “We see rich communication experiences – enabled by voice, video, chat, and SMS – continuing to be an integral part in how businesses connect with their customers across devices and platforms.”

HubSpot’s new end-to-end sales hub aims to simplify CRM for midmarket customers

HubSpot, the Boston firm that made its name by helping to define the inbound marketing concept, sees a pandemic landscape that’s changing the way companies sell, forcing more inside sales. Today, the company announced the HubSpot Sales Hub Enterprise at Inbound, its annual conference, which is being held virtually this year.

While the company has offered a CRM tool for five years, one it feels has addressed ease-of-use issues for salespeople, the new tool takes an end-to-end approach that addresses not only the needs of salespeople but also those of management and system admins, says Lou Orfanos, GM and VP of Sales Hub at HubSpot.

“So, this is about [providing customers with a more powerful set of tools] and also just making sure that you can run your sales process end-to-end in our platform. We feel really good about being able to offer that out of the box natively and being able to do everything you need to do [in one tool], which is, I think, pretty unique given the state of the market and having to [cobble] a bunch of things together yourself,” Orfanos explained.

While the previous product was aimed more at smaller businesses, Chief Customer Officer Yamini Rangan, who previously worked at Dropbox, Workday and SAP, says this product is aimed more at midmarket companies with more complex sales workflows.

“What we find is that the customer experience for a 500-person company or for a 1,000-person company is quite different and their expectations are quite different than a 10-person small business. What the Sales Hub Enterprise specifically brings is the ease of use, as well as the powerful features [ … ] to a larger midmarket organization,” Rangan said.

HubSpot specifically sees larger companies in this space, like Adobe, Salesforce and SAP, acquiring different pieces of the stack, then incorporating them into a solution, or customers pulling together different pieces of the stack themselves. The company believes that by building a single integrated solution themselves, it’s going to be naturally easier to use.

“We also find that that’s the size of the company where the tech stack, the sales stack and the marketing stack gets super complex, and they’re spending a lot of time trying to integrate a lot of different point solutions and what we find is having all of this — marketing, CMS, sales underlined by a CRM platform — that gives them visibility that they need to run their entire go-to-market operations,” she said.

While the lower end of the market where HubSpot is targeting probably won’t interest larger competitors, especially Salesforce, as they move up in that market to larger companies, they expect to compete with those companies. Rangan says that she believes by providing this new offering, they are giving customers options they didn’t have before.

But she also sees this as a way into companies as they grow, and if HubSpot can catch them earlier in their evolution, they can grow with them and become their vendor of choice, rather than the usual suspects.

“What we find is that companies will start as a 100-person company and grow to become a 500- or a 1,000-person company, and as they grow up on HubSpot we become their growth suite and we become the core platform of record for them to continue to grow,” she said.

Mirakl raises $300 million for its marketplace platform

French startup Mirakl has raised a $300 million funding round at a $1.5 billion valuation — the company is now a unicorn. Mirakl helps you launch and manage a marketplace on your e-commerce website. Many customers also rely on Mirakl-powered marketplaces for B2B transactions.

Permira Advisers is leading the round, with existing investors 83North, Bain Capital Ventures, Elaia Partners and Felix Capital also participating.

“We’ve closed this round in 43 days,” co-founder and U.S. CEO Adrien Nussenbaum told me. But the due diligence process has been intense. “[Permira Advisers] made 250 calls to clients, leads, partners and former employees.”

Many e-commerce companies rely on third-party sellers to increase their offering. Instead of having one seller selling to many customers, marketplaces let you sell products from many sellers to many customers. Mirakl has built a solution to manage the marketplace of your e-commerce platform.

Some 300 companies work with Mirakl for their marketplaces, including Best Buy Canada, Carrefour, Darty and Office Depot. More recently, Mirakl has increasingly been working with B2B clients as well.

These industry-specific marketplaces can be used for procurement or bulk selling of parts. In this category, clients include Airbus Helicopters, Toyota Material Handling and Accor’s Astore. 60% of Mirakl’s marketplaces are still consumer-facing, but the company is now adding B2B marketplaces at the same rate as B2C ones.

“We’ve developed a lot of features that enable platform business models that go further than simple marketplaces,” co-founder and CEO Philippe Corrot told me. “For instance, we’ve invested in services — it lets our clients develop service platforms.”

In France, Conforama can upsell customers with different services when they buy some furniture for instance. Mirakl has also launched its own catalog manager so that you can merge listings, add information, etc.

The company is using artificial intelligence to do the heavy-lifting on this front. There are other AI-enabled features, such as fraud detection.

Given that Mirakl is a marketplace expert, it’s not surprising that the company has also created a sort of marketplace of marketplaces with Mirakl Connect.

“Mirakl Connect is a platform that is going to be the single entry point for everybody in the marketplace ecosystem, from sellers to operators and partners,” Corrot said.

For sellers, it’s quite obvious. You can create a company profile and promote products on multiple marketplaces at once. But the company is also starting to work with payment service providers, fulfillment companies, feed aggregators and other partners. The company wants to become a one-stop shop on marketplaces with those partners.

Overall, Mirakl-powered marketplaces have generated $1.2 billion in gross merchandise volume (GMV) during the first half of 2020. It represents a 111% year-over-year increase, despite the economic crisis.

With today’s funding round, the company plans to expand across all areas — same features, same business model, but with more resources. It plans to hire 500 engineers and scale its sales and customer success teams.

Daily Crunch: Microsoft launches Azure Communication Services

Microsoft takes on Twilio, Google launches a work-tracking tool and Mirakl raises $300 million. This is your Daily Crunch for September 22, 2020.

The big story: Microsoft launches Azure Communication Services

Microsoft announced today that it’s ready to compete with Twilio by launching a set of features that allow developers to add voice and video calling, chat, text messages and old-school telephony to their apps.

“Azure Communication Services is built natively on top a global, reliable cloud — Azure,” wrote Microsoft’s Scott Van Vliet. “Businesses can confidently build and deploy on the same low latency global communication network used by Microsoft Teams to support 5B+ meeting minutes daily.”

This is just one of a number of announcements that Microsoft made at its Ignite conference this morning. Other additions include a platform for detecting biological threats and the Azure Orbital service for satellite operators.

The tech giants

Google launches a work-tracking tool and Airtable rival, Tables — Tables’ bots help users do things like scheduling recurring email reminders when tasks are overdue and messaging a chat room when new form submissions are received.

Amazon adds support for Kannada, Malayalam, Tamil and Telugu in local Indian languages push ahead of Diwali — The company said this move should help it reach an additional 200-300 million users in India.

Pinterest breaks daily download record due to user interest in iOS 14 design ideas — Following the release of iOS 14, the excitement around the ability to customize your iPhone home screen has been paying off for Pinterest.

Startups, funding and venture capital

Mirakl raises $300 million for its marketplace platform — Mirakl helps companies launch and manage a marketplace on their e-commerce websites.

Pure Watercraft ramps up its electric outboard motors with a $23 million series A — Pure Watercraft is building an electric outboard motor that can replace a normal gas one for most boating needs.

Morgan Beller, co-creator of the Libra digital currency, just joined the venture firm NFX — And yes, that means she’s leaving Facebook.

Advice and analysis from Extra Crunch

Despite a rough year for digital media, Blavity and The Shade Room are thriving — A recap of my Disrupt discussion with Morgan DeBaun of Blavity and Angelica Nwandu of The Shade Room.

Big tech has 2 elephants in the room: Privacy and competition — There’s clearly a nervousness among even well-established tech firms to discuss this topic.

How has Corsair Gaming posted such impressive pre-IPO numbers? — The company was founded in 1994, making it more of a mature business than a startup.


Everything else

TikTok, WeChat and the growing digital divide between the US and China — Catherine Shu discusses the dramatic shift in the relationship between tech companies in both countries.

Tech must radically rethink how it treats independent contractors — Just as COVID-19 has accelerated the move to remote work, our current crisis has accelerated the trend toward hiring independent contractors.

Bose introduces a new pair of sleep-focused earbuds — The timing of the Sleepbuds II could hardly be better.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.

Revisiting the Pyramid of Pain | Leveraging EDR Data to Improve Cyber Threat Intelligence

Producing and consuming actionable Cyber Threat Intelligence is a large part of a security analyst’s daily work, but threat intelligence comes in many forms. As most experienced analysts know, some forms of threat intel are more useful than others, but that usefulness tends to be inversely proportional to availability. File hashes and IP addresses for the latest campaigns are usually the first to be shared among security researchers, but they are also rapidly changed by attackers, limiting their utility. This relationship between availability and usefulness was nicely illustrated by David J Bianco’s Pyramid of Pain. The general points of the Pyramid still hold true, but security solutions have not stood still in the intervening years, and with the right technology to hand, producing and consuming high-value indicators like TTPs can be a whole lot easier than it once was. Let’s see how.

Revisiting the Pyramid of Pain

Let’s recall how Bianco’s Pyramid of Pain works. The ‘pain’ here is supposed to be the pain felt by attackers once a particular kind of indicator for their attack becomes known. However, as we’ll see, the pyramid also describes parallel difficulties for defenders in terms of availability of each class of indicator.

At the base, or widest part, of the pyramid, we have file hashes – the kind of IoCs that we are all used to dealing with on a daily basis. These are easy to acquire and widely shared, so availability of these is typically good. The problem, though, is that it is also relatively painless for attackers to change a file’s hash; indeed, much modern malware even does this “autonomously” – so-called polymorphic malware – and it’s comparatively easy to write malicious software that creates copies of itself with a different file hash each time. Thus, as the pyramid graphic suggests, discovery of particular malicious file hashes causes the attacker virtually no pain at all in terms of adapting to and evading solutions that rely on detecting file hashes.


Much the same can be said of IP addresses and even domain names, which nowadays can be changed even more easily and rapidly than back in 2013 when Bianco first developed the Pyramid of Pain concept.

Network and host artifacts – distinguishing characteristics of network traffic or host activity – increase the pain for attackers somewhat once these become known. Defenders can use technologies such as Suricata and Snort rules to identify known malicious network traffic, and tools like YARA rules and ProcFilter can similarly match malicious patterns in files and processes executing on a device.

For attackers, getting around these kinds of “signatures” involves some work (aka ‘pain’). First, they have to determine what pattern matching rule or rules are being used; since different security solutions may employ different or multiple rules, that in itself can be a difficult process. Second, once the attackers have determined how they’re being detected, they need to refactor their code in order to avoid the patterns used in the signatures.

Despite that, the pain isn’t that great if you’re a full-time threat actor outfit – it’s just part of the job. A good example of malware that continuously iterates in this way is the script-based Shlayer and ZShlayer malware that targets macOS. Part of the attraction of using scripts, from the malware authors’ point of view, is that it’s much easier and much faster to iterate with shell scripts than with compiled binaries. Scripting allows far more flexibility in achieving malware objectives than a lot of compiled programming languages, and many binary scanning engines don’t know how to handle scripts anyway, which can also be executed in memory with relative ease.
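The two lowest levels of the pyramid can be made concrete with a small experiment. The following is an added example, not code from the article or from SentinelOne: three constructed byte strings stand in for a script-based sample and two attacker-side revisions of it, a SHA-256 blocklist plays the role of shared hash IoCs, and two regex rules play the role of YARA-style host-artifact patterns. The sample text, the paths it contains and the rule names are all made up for illustration.

```python
"""Hash versus host-artifact indicators on constructed samples.

Added example, not code from the article or from SentinelOne. A SHA-256
blocklist matches only the exact original; YARA-style byte patterns (host
artifacts) survive a cosmetic change but not a rewrite of the string a rule
keys on, and a second rule shows why attackers must first work out which
patterns are in use. Sample text, paths and rule names are all made up.
"""
import hashlib
import re

# Constructed sample: placeholder shell text, not real malware.
ORIGINAL = (
    b"#!/bin/sh\n"
    b"STAGE=LAB-PLACEHOLDER\n"
    b"CACHE=/tmp/.lab_cache\n"
    b"printf '%s' \"$STAGE\" > \"$CACHE\"\n"
)
# Revision 1: identical logic plus a comment; enough to change every file hash.
POLYMORPHIC = ORIGINAL + b"# build 2\n"
# Revision 2: the author learned which path a rule keys on and renamed it.
REFACTORED = ORIGINAL.replace(b"/tmp/.lab_cache", b"/tmp/.x")

# Host-artifact rules in the spirit of YARA strings: distinctive byte patterns
# describing what the sample contains, independent of its hash.
ARTIFACT_RULES = {
    "lab_cache_path": re.compile(rb"/tmp/\.lab_cache"),
    "stage_assignment": re.compile(rb"^STAGE=", re.MULTILINE),
}


def sha256_hex(data):
    """Hash-level indicator: the whole file digested to one value."""
    return hashlib.sha256(data).hexdigest()


def hash_hit(data, blocklist):
    """True only when the exact digest is on the blocklist."""
    return sha256_hex(data) in blocklist


def artifact_hits(data, rules=ARTIFACT_RULES):
    """Names of every artifact rule whose pattern occurs in the sample."""
    return [name for name, pattern in rules.items() if pattern.search(data)]


def evaluate(blocklist, rules=ARTIFACT_RULES):
    """Run both indicator types over the three samples; returns a report dict."""
    samples = {
        "original": ORIGINAL,
        "polymorphic": POLYMORPHIC,
        "refactored": REFACTORED,
    }
    return {
        name: {
            "sha256": sha256_hex(data),
            "hash_hit": hash_hit(data, blocklist),
            "artifacts": artifact_hits(data, rules),
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    # The blocklist knows only the original sample, as a shared IoC would.
    report = evaluate({sha256_hex(ORIGINAL)})
    for name, result in report.items():
        print(f"{name:12} hash_hit={result['hash_hit']!s:5} "
              f"artifacts={result['artifacts']}")
```

Appending one comment line is enough to defeat the hash blocklist while both artifact rules still fire; renaming the cache path defeats one rule but not the other, which is the "which rule am I tripping?" problem the text describes. Real YARA rules would be checked with the `yara` library rather than `re`, but the indicator hierarchy is the same.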

Things get tougher for threat actors when defenders have a good handle on what particular tools are being used to attack them – these can range from custom-made frameworks to publicly available and open-source toolkits. Switching out one tool – or more likely, set of tools – for another increases the burden on cyber threat actors because it is not always easy to find or introduce tools into a victim’s environment that have the desired capabilities.

For example, if the threat actor is making heavy use of LOLBins like PowerShell and CertUtil, or relying on publicly available tools like Cobalt Strike or Mimikatz, it may be a very tough challenge to obtain the same functionality with different tools.

Finally, TTPs, which we’ll discuss in more detail in the next section, cause the greatest pain for threat actors because they home in on the attacker’s actual objectives and seek to block behaviour that attempts to execute those objectives.

Intelligent Tools That Produce Actionable Intelligence

From the above discussion, it should be clear that, from a defender’s point of view, developing awareness of attackers’ tools and TTPs (Tactics, Techniques, and Procedures) – those which cause the threat actor the most pain – is where we should focus our efforts for the most gain. The problem is that Bianco’s Pyramid of Pain also paints a picture of just how easy to come by each of those threat intelligence indicators typically is for most enterprises: easy at the bottom, tough at the top.

File hashes are widely available in most threat intel reports but are time-consuming to digest and have a short shelf life. At the other end of the scale, TTPs return the most value, but they are not so widely known or distributed.

However, initiatives like MITRE ATT&CK have added a new dimension to cyber threat intelligence, and security tools with features like SentinelOne’s Rapid Threat Hunting put new-found power into the analyst’s hands.

In the image above, we can see how the SentinelOne Threat Center displays all the behavioral indicators associated with a particular detection, with links to MITRE ATT&CK TTPs, for the analyst’s convenience.

Similarly, suppose you have seen a new threat intelligence report indicating a particular TTP. You could immediately search your entire fleet for any process or event with behavioral characteristics that match that TTP simply by entering the MITRE ID in the SentinelOne console’s Deep Visibility query box.

Focusing on TTPs in particular gives you a great advantage when defining rulesets or watchlists for added protection. For example, you can automate hunts using particular behavioral indicators that belong to known attacks seen in your own environment or in the environment of others. Since Bianco published the influential Pyramid of Pain concept, many threat intelligence researchers, including SentinelOne’s own SentinelLabs, include MITRE ATT&CK TTPs at the end of their reports along with other IoCs. With the right tools to hand, you can easily consume this kind of threat intel directly into your solution for both automated detection and rapid threat hunting.
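What "searching the fleet by MITRE ID" looks like underneath can be shown with a few lines of code. The following is an added example, not the article's or SentinelOne's code and not the Deep Visibility query language: a handful of constructed process-creation events play the role of EDR telemetry, each detection rule is tagged with the ATT&CK technique it evidences (T1059.001, PowerShell, and T1105, Ingress Tool Transfer), and `hunt()` answers the question "show me everything that looks like this technique". Hostnames, command lines and hash values are placeholders.

```python
"""Hunting constructed EDR process events by MITRE ATT&CK technique ID.

Added example, not the article's or SentinelOne's code. Behavioural rules
look at what a process did and who started it, never at its image hash, so
a hunt keyed on a technique ID finds the behaviour however the binary was
repackaged. Events, hostnames, command lines and hashes are made up.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed process-creation events. The PowerShell events carry different
# image hashes on purpose: a behavioural rule does not care.
EVENTS = [
    {"id": 1, "host": "ws-01", "parent": "explorer.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1",
     "sha256": "hash-placeholder-a"},
    {"id": 2, "host": "ws-07", "parent": "winword.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand BASE64-PLACEHOLDER",
     "sha256": "hash-placeholder-b"},
    {"id": 3, "host": "ws-07", "parent": "cmd.exe", "process": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://example.invalid/a.txt a.txt",
     "sha256": "hash-placeholder-c"},
    {"id": 4, "host": "ws-12", "parent": "outlook.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Users\\Public\\update.ps1",
     "sha256": "hash-placeholder-d"},
    {"id": 5, "host": "srv-02", "parent": "services.exe", "process": "certutil.exe",
     "cmdline": "certutil.exe -verify C:\\certs\\issued.cer",
     "sha256": "hash-placeholder-e"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass(frozen=True)
class Rule:
    technique: str                  # ATT&CK technique ID the behaviour evidences
    name: str                       # human-readable description for triage
    match: Callable[[dict], bool]   # predicate over one event


# Behavioural indicators (the TTP level of the pyramid).
RULES = [
    Rule("T1059.001", "Office application spawned PowerShell",
         lambda e: e["process"] == "powershell.exe" and e["parent"] in OFFICE_APPS),
    Rule("T1059.001", "PowerShell started with an encoded command",
         lambda e: e["process"] == "powershell.exe"
         and "-encodedcommand" in e["cmdline"].lower()),
    Rule("T1105", "certutil used to fetch a remote file",
         lambda e: e["process"] == "certutil.exe"
         and "-urlcache" in e["cmdline"].lower()),
]


def tag_events(events=EVENTS, rules=RULES) -> Dict[int, List[str]]:
    """Map each event ID to the sorted, de-duplicated technique IDs it evidences."""
    tags = {}
    for event in events:
        hits = {rule.technique for rule in rules if rule.match(event)}
        tags[event["id"]] = sorted(hits)
    return tags


def hunt(technique: str, events=EVENTS, rules=RULES) -> List[int]:
    """IDs of events matching any rule for the given technique, in event order."""
    tags = tag_events(events, rules)
    return [event["id"] for event in events if technique in tags[event["id"]]]


def explain(event_id: int, events=EVENTS, rules=RULES) -> List[str]:
    """Which rules fired for one event, for the analyst's triage notes."""
    event = next(e for e in events if e["id"] == event_id)
    return [f"{r.technique}: {r.name}" for r in rules if r.match(event)]


if __name__ == "__main__":
    for technique in ("T1059.001", "T1105"):
        print(technique, "->", hunt(technique))
    for hit in hunt("T1059.001"):
        print(hit, explain(hit))
```

The benign events (an admin script launched from Explorer, `certutil -verify` run by a service) fall through every rule, while events 2 and 4 surface for T1059.001 despite carrying different image hashes, which is exactly why a watchlist built from technique IDs outlives one built from hashes.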


Conclusion

Utilizing detailed, actionable and effective intelligence is key to thwarting cyber attacks. File hashes, IP addresses and domain names have increasingly limited use, as both attackers and malware have evolved to produce campaigns in which these traditional IoCs are rapidly disposed of. However, by focusing on indicators that are difficult for attackers to change, with technology that can both consume and produce these much-sought-after indicators, we can increase the cost of business for attackers while improving our ability to detect and defeat the cyber menace.


The Good, the Bad and the Ugly in Cybersecurity – Week 38

The Good

If you’ve been following security news for the last couple of years you may well remember the CCleaner and ASUS ShadowHammer supply chain attacks. Great news this week: five Chinese individuals thought to be responsible for those and more than 100 other hacks have been indicted by the U.S. government. Better known as APT41, the group has also been behind ransomware attacks and cryptominer infections.

Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan and Fu Qiang remain at large, almost certainly in China, and the chances of arrest remain slim so long as they eschew international travel. However, two Malaysian businessmen, Wong Ong Hua and Ling Yang Ching, who helped the gang profit from stolen game currencies are facing extradition from Malaysia to the U.S. and could well see jail time.

The identification of the Chinese gang members came along with the seizure of hundreds of accounts, servers, domain names and other internet assets. Neither the indictment nor the seizures are likely to stop the gang from engaging in further operations, but their identification and the insight gained into their close relationship with the Chinese Ministry of Public Security sends a strong signal to such actors that they can no longer be certain of anonymity or immunity from international sanction.

The Bad

Still with China, CISA issued an advisory this week warning that Chinese-affiliated nation-state actors are targeting U.S. government agencies in a new wave of attacks leveraging OSINT and publicly available tools. The hackers’ toolkits include pentester favorites such as Shodan, Cobalt Strike and Mimikatz.

On top of that, the threat actors have been exploiting well-known but unpatched networking software vulnerabilities such as CVE-2019-11510 (Pulse Secure VPN), CVE-2019-19781 (Citrix VPN), CVE-2020-0688 (MS Exchange Servers) and CVE-2020-5902 (F5 Networks Big-IP TMUI).

Unpatched VPN software has long been a cause of concern, and this isn’t the first time that CISA have warned companies about APTs targeting critical infrastructure sectors.

The latest advisory also notes that:

To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents’ names and extensions (e.g., from “.rar” to “.jpg”) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks’ “recycle bins”.

CISA advise organizations to implement robust configuration and patch management programs to prevent attackers from making easy use of common vulnerabilities and off-the-shelf tools. While that’s certainly a minimum, some robust EDR should be top of your priority list, too.
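The renaming trick quoted above is a good illustration of the TTP-focused hunting described in the first section: the file extension is an indicator the attacker changes for free, while the archive's signature bytes are not. The following Python is an added example, not code from SentinelOne or from the advisory; the file paths, SID and file contents are constructed samples.

```python
"""Hunt for RAR archives disguised with a harmless extension.

Added example: flags files whose leading bytes carry the RAR signature
but whose name ends in something other than .rar (e.g. ".jpg").
"""
from pathlib import Path

# RAR 4.x ("Rar!\x1a\x07\x00") and RAR 5 ("Rar!\x1a\x07\x01\x00") share this prefix.
RAR_MAGIC = b"Rar!\x1a\x07"
ARCHIVE_EXTENSIONS = {".rar"}


def is_rar(header: bytes) -> bool:
    """True when the first bytes of a file carry the RAR signature."""
    return header.startswith(RAR_MAGIC)


def classify(name: str, header: bytes) -> str:
    """Verdict for one file from its name and leading bytes.

    'masquerading' : RAR content hiding behind a non-archive extension
    'archive'      : RAR content with a matching .rar extension
    'benign'       : anything that is not a RAR archive
    """
    ext = Path(name).suffix.lower()
    if not is_rar(header):
        return "benign"
    return "archive" if ext in ARCHIVE_EXTENSIONS else "masquerading"


def hunt(files: dict) -> list:
    """Return the sorted names of files whose RAR content contradicts their extension."""
    return sorted(n for n, h in files.items() if classify(n, h) == "masquerading")


# Constructed sample set (path -> first bytes). On a live host you would read
# the first 8 bytes of each candidate file, e.g. open(p, "rb").read(8).
SAMPLE_FILES = {
    "C:/Users/Public/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",       # genuine JPEG
    "C:/$Recycle.Bin/S-1-5-21-1/photo_001.jpg": b"Rar!\x1a\x07\x01\x00",  # RAR5 named .jpg
    "C:/Windows/Temp/backup.rar": b"Rar!\x1a\x07\x00",                    # RAR4, honest name
    "C:/Users/Public/report.pdf": b"Rar!\x1a\x07\x00",                    # RAR4 named .pdf
    "C:/Users/Public/notes.txt": b"meeting notes\n",                      # plain text
}

if __name__ == "__main__":
    for hit in hunt(SAMPLE_FILES):
        print("RAR content behind misleading extension:", hit)
```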

The Ugly

This week’s Ugly is a sad tale of how the unintended consequences of a cyber attack can end in real-life tragedy. What appears to have been an attempt at a ransomware attack on a German university by inexperienced hackers ended up encrypting 30 servers in a nearby hospital. The malware dropped a ransom note in the usual way, naming the university directly and providing a means of contact to arrange payment.

The operators were no doubt surprised to hear directly from Düsseldorf police rather than the university administrators. The police informed them that they had missed their intended target and had in fact put the lives of patients at the Düsseldorf University Clinic in jeopardy. The ransomware had crashed the hospital’s servers, forcing administrators to redirect emergency admissions to other locations. One patient who needed urgent admission was redirected to a hospital 32 km away; this caused an hour’s delay before doctors could treat her for a life-threatening condition. Sadly, due to the delay, there was little they could do and she passed away.

The hackers did provide the police with a decryption key without payment, but have otherwise remained uncontactable. It appears the compromise targeted a software vulnerability in “commercially available software”, which has since been patched. It is not known which strain of ransomware was used, but reportedly no data was exfiltrated.

The police continue to investigate and hope to bring charges of ‘negligent manslaughter’. If ever there was a lesson to make those who think hacking might be a “fun”, “easy way to make money” that “doesn’t do anyone any harm” step back and think again, then this is surely it.



Salesforce announces 12,000 new jobs in the next year just weeks after laying off 1,000

In a case of bizarre timing, Salesforce announced it was laying off 1,000 employees at the end of last month just a day after announcing a monster quarter with over $5 billion in revenue, putting the company on a $20 billion revenue run rate for the first time. The juxtaposition was hard to miss.

Earlier today, Salesforce CEO and co-founder Marc Benioff announced in a tweet that the company would be hiring 4,000 new employees in the next six months, and 12,000 in the next year. While it seems like a mixed message, it’s probably more about reallocating resources to areas where they are needed more.

While Salesforce wouldn’t comment further on the hirings, the company has obviously been doing well in spite of the pandemic, which has had an impact on customers. In the prior quarter, the company forecasted slower revenue growth because it was giving some customers hit by the economic downturn more time to pay their bills.

That’s why it was surprising when the CRM giant announced its earnings in August and revealed that it had done so well in spite of all that. While the company was laying off those 1,000 people, it did indicate it would give those employees 60 days to find other positions in the company. With these new jobs, assuming they are positions the laid-off employees are qualified for, they could have a variety of positions from which to choose.

The company had 54,000 employees when it announced the layoffs, which accounted for 1.9% of the workforce. If it ends up adding the 12,000 new jobs in the next year, that would put the company at approximately 65,000 employees by this time next year.