QAnon/8Chan Sites Briefly Knocked Offline

A phone call to an Internet provider in Oregon on Sunday evening was all it took to briefly sideline multiple websites related to 8chan/8kun — a controversial online image board linked to several mass shootings — and QAnon, the far-right conspiracy theory which holds that a cabal of Satanic pedophiles is running a global child sex-trafficking ring and plotting against President Donald Trump. Following a brief disruption, the sites have come back online with the help of an Internet company based in St. Petersburg, Russia.

The IP address range in the upper-right portion of this map of QAnon and 8kun-related sites — 203.28.246.0/24 — is assigned to VanwaTech and briefly went offline this evening. Source: twitter.com/Redrum_of_Crows.

A large number of 8kun and QAnon-related sites (see map above) are connected to the Web via a single Internet provider in Vancouver, Wash. called VanwaTech (a.k.a. “OrcaTech“). Previous appeals to VanwaTech to disconnect these sites have fallen on deaf ears, as the company’s owner Nick Lim reportedly has been working with 8kun’s administrators to keep the sites online in the name of protecting free speech.

But VanwaTech also had a single point of failure on its end: The swath of Internet addresses serving the various 8kun/QAnon sites was being protected from otherwise crippling and incessant distributed-denial-of-service (DDoS) attacks by Hillsboro, Ore.-based CNServers LLC.

On Sunday evening, security researcher Ron Guilmette placed a phone call to CNServers’ owner, who professed to be shocked by revelations that his company was helping QAnon and 8kun keep the lights on.

Within minutes of that call, CNServers told its customer — Spartan Host Ltd., which is registered in Belfast, Northern Ireland — that it would no longer be providing DDoS protection for the set of 254 Internet addresses that Spartan Host was routing on behalf of VanwaTech.

Contacted by KrebsOnSecurity, the person who answered the phone at CNServers asked not to be named in this story for fear of possible reprisals from the 8kun/QAnon crowd. But they confirmed that CNServers had indeed terminated its service with Spartan Host. That person added they weren’t a fan of either 8kun or QAnon, and said they would not self-describe as a Trump supporter.

CNServers said that shortly after it withdrew its DDoS protection services, Spartan Host changed its settings so that VanwaTech’s Internet addresses were protected from attacks by ddos-guard[.]net, a company based in St. Petersburg, Russia.

Spartan Host’s founder, 25-year-old Ryan McCully, confirmed CNServers’ report. McCully declined to say for how long VanwaTech had been a customer, or whether Spartan Host had experienced any attacks as a result of CNServers’ action.

McCully said while he personally doesn’t subscribe to the beliefs espoused by QAnon or 8kun, he intends to keep VanwaTech as a customer going forward.

“We follow the ‘law of the land’ when deciding what we allow to be hosted with us, with some exceptions to things that may cause resource issues etc.,” McCully said in a conversation over instant message. “Just because we host something, it doesn’t say anything about what we do and don’t support; our opinions don’t come into hosted content decisions.”

But according to Guilmette, Spartan Host’s relationship with VanwaTech wasn’t widely known previously because Spartan Host had set up what’s known as a “private peering” agreement with VanwaTech. That is to say, the two companies had a confidential business arrangement by which their mutual connections were not explicitly stated or obvious to other Internet providers on the global Internet.

Guilmette said private peering relationships often play a significant role in behind-the-scenes mischief when the parties involved do not want anyone else to know about their relationship.

“These arrangements are business agreements that are confidential between two parties, and no one knows about them, unless you start asking questions,” Guilmette said. “It certainly appears that a private peering arrangement was used in this instance in order to hide the direct involvement of Spartan Host in providing connectivity to VanwaTech and thus to 8kun. Perhaps Mr. McCully was not eager to have his involvement known.”

8chan, which rebranded last year as 8kun, has been linked to white supremacism, neo-Nazism, antisemitism, multiple mass shootings, and is known for hosting child pornography. After three mass shootings in 2019 revealed the perpetrators had spread their manifestos on 8chan and even streamed their killings live there, 8chan was ostracized by one Internet provider after another.

The FBI last year identified QAnon as a potential domestic terror threat, noting that some of its followers have been linked to violent incidents motivated by fringe beliefs.

Further reading:

What Is QAnon?

QAnon: A Timeline of Violence Linked to the Conspiracy Theory

The Good, the Bad and the Ugly in Cybersecurity – Week 42

The Good

It has been a rather busy week for the good guys in cyber-land. In addition to the whittling of Trickbot’s infrastructure, this week a coordinated effort between Europol and several countries dealt a harsh blow to a well-established money laundering operation. Multiple members of the QQAAZZ group were charged in connection to their long-running “cash-out” service (aka money laundering).

This group advertised their services in high-traffic crime forums. They provided a critical service to operators of large botnets as well as those running cryptocurrency theft operations. Among their clients were many of the most prolific and high-profile malware families, including the actors behind Trickbot and Dridex.

The indictment against the QQAAZZ group outlines their activities. It is estimated that since 2016, the group facilitated the laundering of tens of millions of dollars in illicit funds. The group was extremely well distributed, leveraging “hundreds of corporate and personal bank accounts at financial institutions throughout the world”. These accounts were all used as repositories for funds extorted, or harvested, from victims of associated malware attacks. The QQAAZZ group members, spread all across the globe, would then filter or tunnel the funds, take a small ‘cut’ for their services, and then provide the newly-obfuscated monies to their clients, often in the form of cryptocurrency.

So-called “cash out” or “bank drop” services are a dime a dozen in the cybercrime landscape; however, this group’s ties to top-tier malware operations put them in a unique and dangerous position. These legal victories are critical in the ongoing battle against sophisticated cybercriminals. Hopefully the momentum will increase as the law synchronizes more with the current state of cybercrime. Any effort that makes it more difficult for the bad guys to profit is a good thing!

The Bad

This week included the 2nd Tuesday of the month. Of course we all know what that means: Patch Tuesday! There are several critical flaws covered in this month’s release from Microsoft. While none of the newly-documented flaws are quite as severe as Zerologon, there are some vulnerabilities that definitely need to be reviewed and mitigated.

One in particular, CVE-2020-16898, seems to be getting a large portion of attention. This flaw affects the Windows TCP/IP stack and can potentially lead to a DoS (denial-of-service) or remote code execution. The issue specifically relates to the improper handling of ICMPv6 Router Advertisement (RA) packets. Exploitation of the vulnerability requires that an attacker send specially-crafted ICMPv6 RA packets to an exposed remote host. Due to the relative simplicity of exploitation, some are referring to this as a new variation on the ‘Ping of Death’.

As of this writing (October 15th), we have not yet observed true, in-the-wild, exploitation of this vulnerability. There are, however, multiple proof-of-concept exploits available, which suggests that it is only a matter of time before we see the arrival of in-the-wild attacks leveraging this flaw.

Microsoft’s October security release cycle addresses CVE-2020-16898, but there are also a few workarounds that may be helpful for interim mitigation. ICMPv6 RDNSS (Recursive DNS Server, the RA option the flaw lives in) can be disabled, thus removing exposure to the flaw. For Windows 1709 and above, the following netsh command can be issued from an elevated PowerShell or command prompt to disable ICMPv6 RDNSS on a given interface:

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

It is also important to note that the flaw is not exploitable over the public Internet: ICMPv6 Router Advertisements are not routed, so exploit-laden packets can only be delivered from the local subnet. We recommend that organizations review the details around CVE-2020-16898, as well as all the other releases in this month’s update, and take necessary action to mitigate risk and/or reduce exposure to this potentially dangerous flaw.
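As an added example (not code from the SentinelOne post or from Microsoft), the following PowerShell script audits every connected IPv6 interface for the RDNSS setting the workaround targets and, when run with -Remediate, applies the netsh command above to each interface where it is still enabled, then re-reads the setting to confirm. It assumes an elevated session on Windows 10 1709 or later and English-locale netsh output containing the line “RA Based DNS Config (RFC 6106) : enabled|disabled”; the string match on that line is an assumption.

```powershell
# Added example (not Microsoft's or SentinelOne's code): audit and optionally
# apply the CVE-2020-16898 interim workaround (disable ICMPv6 RDNSS) on every
# connected IPv6 interface, instead of running netsh by hand per interface number.
# Assumptions: elevated session; Windows 10 1709+; English-locale netsh output
# with a line like "RA Based DNS Config (RFC 6106)   : enabled".
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Without -Remediate the script only reports; with it, RDNSS is disabled
    # on interfaces where it is still enabled. -WhatIf previews the changes.
    [switch]$Remediate
)

function Get-RdnssState {
    param([int]$InterfaceIndex)
    # netsh prints one "Setting name : value" line per setting of the interface.
    $out  = netsh interface ipv6 show interface $InterfaceIndex
    $line = $out | Where-Object { $_ -match 'RA Based DNS Config' } | Select-Object -First 1
    if (-not $line) { return 'unknown' }          # locale/version mismatch: do not guess
    if ($line -match ':\s*(\w+)\s*$') { return $Matches[1].ToLower() }
    return 'unknown'
}

# Enumerate connected IPv6 interfaces; ifIndex is the number netsh expects.
$results = Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    ForEach-Object {
        [pscustomobject]@{
            ifIndex = $_.ifIndex
            Alias   = $_.InterfaceAlias
            Rdnss   = (Get-RdnssState -InterfaceIndex $_.ifIndex)
        }
    }

# Audit report: anything still "enabled" remains exposed until patched.
$results | Format-Table -AutoSize

if ($Remediate) {
    foreach ($r in ($results | Where-Object { $_.Rdnss -eq 'enabled' })) {
        $idx = $r.ifIndex
        if ($PSCmdlet.ShouldProcess("interface $idx ($($r.Alias))",
                                    'Disable ICMPv6 RDNSS (rabaseddnsconfig=disable)')) {
            # The same workaround command the post gives, applied per interface.
            netsh interface ipv6 set interface $idx rabaseddnsconfig=disable | Out-Null
            # Re-read the setting so the final state is verified, not assumed.
            $after = Get-RdnssState -InterfaceIndex $idx
            Write-Output "interface ${idx}: RDNSS now $after"
        }
    }
}
```

Interfaces reported as “unknown” were not parsed and should be checked by hand with the netsh show command before assuming they are covered.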

The Ugly

The debate over encryption “backdoors”, or whether governments and law enforcement should be able to circumvent encryption for their own needs is volatile and divisive. It is difficult to even discuss without taking, or appearing to take, a side. For today’s purposes, we do not wish to engage in, or add sparks to, that fiery debate. However, it is important to be aware of current events and developments pertaining to this issue. Recently, the Five Eyes intelligence-sharing collective along with government representation from multiple countries met to discuss this very topic. Specifically, the talks were focused on enabling governments, as well as law enforcement, to have special abilities to access otherwise-hardened end-to-end encrypted communications.

These talks, which included delegates from India and Japan, resulted in a statement urging large technology companies to cooperate with a solution that meets these needs. Part of the statement reads:

“…while encryption is vital and privacy and cyber security must be protected, that should not come at the expense of wholly precluding law enforcement, and the tech industry itself, from being able to act against the most serious illegal content and activity online.”

The signatories to the statement, which include the UK’s Home Secretary Priti Patel and US AG William Barr, go on to state that:

“we challenge the assertion that public safety cannot be protected without compromising privacy or cyber security. We strongly believe that approaches protecting each of these important values are possible…”

Given the nature of this topic, most relevant technology companies are hesitant to entertain these requests. Adding further complexity to the debate, the current statement pertains not only to standard encrypted messaging but also more robust encrypted systems including “device encryption, custom encrypted applications, and encryption across integrated platforms”.

Regardless of where you may stand on this issue, we encourage you to review the newly-released press release, and stay abreast of the efforts of various governments and organizations as they relate to the ongoing safety, security and privacy of all global citizens.




Private equity firms can offer enterprise startups a viable exit option

Four years ago, Ping Identity was at a crossroads. A venerable player in the single sign-on market, its product was not a market leader, and after 14 years and $128 million in venture capital, it needed to find a new path.

While the company had once discussed an IPO, by 2016 it began putting out feelers for buyers. Vista Equity Partners made a $600 million offer and promised to keep building the company, something that corporate buyers wouldn’t guarantee. Ping CEO and co-founder Andre Durand accepted Vista’s offer, seeing it as a way to pay off his investors and employees and exit the right way. Even better, his company wasn’t subsumed into a large entity as likely would have happened with a typical M&A transaction.

As it turned out, the IPO-or-acquisition question wasn’t an either/or proposition. Vista continued to invest in the company, using small acquisitions like UnboundID and Elastic Beam to fill in its roadmap, and Ping went public last year. The company’s experience shows that private equity offers a reasonable way for mature enterprise startups with decent but not exceptional growth — like the 100% or more venture firms tend to favor — to exit, pay off investors, reward employees and still keep building the company.

But not everyone that goes this route has a tidy outcome like Ping’s. Some companies get brought into the P/E universe where they replace the executive team, endure big layoffs or sell off profitable pieces and stop investing in the product. But the three private equity firms we spoke to — Vista Equity, Thoma Bravo and Scaleworks — all wanted to see their acquisitions succeed, even if they each go about it differently.

Viable companies with good numbers

Lawmatics raises $2.5M to help lawyers market themselves

Lawmatics, a San Diego startup that’s building marketing and CRM software for lawyers, is announcing that it has raised $2.5 million in seed funding.

CEO Matt Spiegel used to practice law himself, and he told me that even though tech companies have a wide range of marketing tools to choose from, “lawyers have not been able to adopt them,” because they need a product that’s tailored to their specific needs.

That’s why Spiegel founded Lawmatics with CTO Roey Chasman. He said that a law firm’s relationship with its clients can be divided into three phases — intake (when a client is deciding whether to hire a firm); the active legal case; and after the case has been resolved. Apparently most legal software is designed to handle phase two, while Lawmatics focuses on phases one and three.

The platform includes a CRM system to manage the initial client intake process, as well as tools that can automate a lot of what Spiegel called the “blocking and tackling” of marketing, like sending birthday messages to former clients — which might sound like a minor task, but Spiegel said it’s crucial for law firms to “nurture” those relationships, because most of their business comes from referrals.

Lawmatics’ early adopters, Spiegel added, have consisted of firms in areas where “if you need a lawyer, you go to Google and start searching ‘personal injury,’ ‘bankruptcy,’ ‘estate planning,’ all these consumer-driven law firms.” And the pandemic accelerated the startup’s growth, because “lawyers are at home now, their business is virtual and they need more tools.”

Spiegel’s had success selling technology to lawyers in the past, with his practice management software startup MyCase acquired by AppFolio in 2012 (AppFolio recently sold MyCase to a variety of funds for $193 million). He said that the strategies for growing both companies are “almost identical” — the products are different, but “it’s really the same segment, running the same playbook, only with additional go-to-market strategies.”

The funding was led by Eniac Ventures and Forefront Venture Partners, with participation from Revel Ventures and Bridge Venture Partners.

“In my 10 years investing I have witnessed few teams more passionate, determined, and capable of revolutionizing an industry,” said Eniac’s Tim Young in a statement. “They have not only created the best software product the legal market has seen, they have created a movement.”


Cloud Security | Understanding the Difference Between IaaS and PaaS

Digital transformation initiatives have pushed an ever-increasing number of organizations to migrate to the cloud. Realizing the advantages of moving data and services to the cloud, the overwhelming majority of organizations have embraced a multi-cloud strategy, choosing between the available cloud delivery models of Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS).

While SaaS models such as Office 365 are the most widely used and understood, IaaS and PaaS models have also seen rapid adoption in the enterprise. The objective of this article is to understand the benefits of, and the differences between, IaaS and PaaS, to form a useful guide for all businesses, especially small and medium enterprises starting their journey towards digital transformation and the cloud.

What is IaaS?

Infrastructure as a Service (IaaS) platforms are scalable and automated computing resources providing self-service capabilities for accessing and monitoring computers, networking, storage, and other services. The platforms allow businesses to purchase resources on-demand and as-needed rather than having to shop for on-premises hardware.

IaaS delivers cloud computing infrastructure through virtualization technology. Access to these cloud services is achieved through a dashboard or an API, giving IaaS customers complete control over the whole infrastructure. In effect, IaaS provides identical technologies and capabilities as a conventional on-premises data center without having to physically manage it.

IaaS Pros and Cons

IaaS platforms benefit organizations in multiple ways. They help businesses scale their infrastructure up or down, in response to changing demand. Organizations purchase IaaS resources as needed, for as long as they need them, without lengthy procurement and deployment cycles. Additionally, hosting the hardware and the required services in the cloud reduces the labor required for hosting and maintaining those on-premises.

In comparison to the other delivery models, IaaS platforms offer the greatest level of control over software and hardware. IaaS is effective for workloads that are temporary. For example, it might be more cost-effective to host and test an application under development in an IaaS platform rather than overloading on-premises environments. Once the application is tested and validated, the business may progress to either an on-premises deployment or to a long-term IaaS deployment.

Despite its flexible, pay-as-you-go model, IaaS customers may find costs to be higher than expected. Businesses should actively monitor their IaaS environments to understand how they are being used, and to avoid being charged for idle, orphaned, or otherwise unused services.

Closely related to the continuous monitoring of IaaS services is the lack of policy-based governance of configuration settings. The velocity and scale of change which the cloud enables presents a challenge to many organizations, as they wrestle with the lack of automation in bringing rogue configurations back into compliance.

Finally, visibility is often a concern for IT security teams, as developers strive to innovate ever faster, deploying more VMs, storage, and so on. Impaired visibility of IaaS resources increases risk; stated simply, security teams cannot secure or provide governance oversight of resources they do not know exist. IaaS security is a major concern for businesses of all sizes, which we will discuss further below.

What is PaaS?

Platform as a service (PaaS) provides developers with a complete environment for the development and deployment of apps in the cloud. With PaaS, developers can create anything from simple apps to complex cloud-based business software. Like SaaS, PaaS environments allow businesses to access up-to-date, powerful tools that they may not be able to afford.

In contrast to SaaS platforms, PaaS is not delivering software. Instead, it is an online platform accessible to developers to create software. PaaS environments give developers the ability to concentrate on developing software and apps without worrying about operating systems, software updates, storage, or infrastructure.

PaaS Pros and Cons

No matter the size of the company, PaaS platforms present numerous advantages. These scalable platforms allow for simple, cost-effective development and deployment of cloud-native apps. Developers can customize apps without the pain of maintaining the software, while a reduced amount of coding is required. Further, PaaS enables the automation of business policies and can streamline workflows when multiple developers are working on the same project. Finally, PaaS can reduce costs associated with app development and deployment, while also simplifying the challenges of agile and speedy DevOps cycles.

Despite the obvious benefits, vendor lock-in is an area of concern. Selection of a PaaS provider should be based on its relative strengths and the languages and frameworks it supports for application development. Since migrating services and data from one platform to another is an arduous process, no one wants to find themselves in a position where a PaaS platform fails to support the organization’s technology stack. As a result, selecting a PaaS provider should involve the evaluation of business risks due to service downtime and vendor lock-in.

Security in IaaS and PaaS platforms

With traditional on-premises data centers, the security of data and infrastructure was the sole responsibility of internal security teams. Clearly defined perimeters made the application of security controls a relatively straightforward process. Migrating to the cloud, those boundaries are blurred, and security teams must deal with infrastructure and services beyond traditional perimeter security, which complicates the establishment of a robust security strategy.

In the cloud, the cloud service provider (CSP) assumes some responsibility, especially to secure the underlying infrastructure, but it is the customer’s absolute responsibility to secure their own data and applications. Failure to do so will leave companies vulnerable to data breaches. In short, the CSP is responsible for security of the cloud, but the customer is responsible for securing their data in the cloud.

Security is the biggest concern of organizations using public cloud. Enforcing a robust security posture in the cloud is a challenge aggravated by many factors such as:

  • Complexity of cloud-based deployments
  • Impaired visibility across services, applications, and data in the cloud
  • Lack of automated, real-time configuration security posture assessments against recommended best practices, such as those published by the Center for Internet Security (CIS Benchmarks).

Manual methods of discovery, assessment, and remediation are doomed to failure because the speed and scale of agility which the cloud provides far outstrips the capacity of mere mortals to keep pace.

The key to a successful cloud security strategy is understanding the Shared Responsibility Model.

Figure 1: Shared Responsibility Model. Image courtesy of AWS.

In IaaS platforms, the CSP is responsible for securing the data centers and other hardware that support the infrastructure, including networks, storage disks, and VMs. IaaS customers must secure their own data, operating systems, and software stacks that run their applications. The PaaS model places more responsibility in the hands of the platform vendors, but it is the customer’s responsibility to secure their applications and associated data.


How SentinelOne Can Help

A robust and effective cloud security strategy requires a different approach. Security teams must protect both the on-prem infrastructure and the servers in the cloud. While those servers physically reside beyond the corporate boundaries, it is solely the customer’s responsibility to ensure cloud host security by constantly monitoring all processes to autonomously identify malicious events and thwart them before they spread.

A prime example of malware in the public cloud is cryptojacking malware. If malicious actors can gain access to your VMs or containers and elevate privileges, they can inject cryptomining malware – and you get to pay for that compute load. To mitigate threats like this, consider investing in runtime EPP and EDR solutions which cover both VMs and containers.

While cloud providers do take their own security responsibilities seriously, the core of cloud security is for businesses to secure their own data and applications. To ensure the security of your cloud workloads, deploy a capable workload protection solution. For more information about how SentinelOne Cloud Workload Security can work for you, contact us or request a free demo.




Vivun announces $18M Series A to keep growing pre-sales platform

Vivun’s co-founder and CEO, Matt Darrow used to run pre-sales at Zuora and he saw that pre-sales team members had a lot of insight into customers. He believed if he could capture that insight, it would turn into valuable data to be shared across the company. He launched Vivun to build upon that idea in 2018, and today the company announced an $18 million Series A.

Accel led the round with participation from existing investor Unusual Ventures. With today’s investment, Vivun has raised a total of $21 million, according to the company.

Darrow says that the company has caught the attention of investors because this is a unique product category and there has been a lot of demand for it. “It turns out that businesses of all sizes, startups and enterprises, are really craving a solution like Vivun, which is dedicated to pre-sales. It’s a big, expensive department, and there’s never been software for it before,” Darrow told TechCrunch.

He says that a couple of numbers stand out in the company’s first year in business. First of all, the startup grew annual recurring revenue (ARR) sixfold (although he wouldn’t share specific numbers) and tripled the workforce, growing from 10 to 30, all while doing business as an early stage startup in the midst of a pandemic.

Darrow said while the business has grown this year, he found smaller businesses in the pipeline were cutting back due to the impact of COVID, but larger businesses like Okta, Autodesk and Dell Secureworks have filled in nicely, and he says the product actually fits well in larger enterprise organizations.

“If we look at our value proposition and what we do, it increases exponentially with the size of the company. So the larger the team, the larger the silos are, the larger the organization is, the bigger the value of solving the problem for pre-sales becomes,” he said.

After going from a team of 10 to 30 employees in the last year, Darrow wants to double the head count to reach around 60 employees in the next year, fueled in part by the new investment dollars. As he builds the company, the founding team, which is made up of two men and two women, is focused on building a diverse and inclusive employee base.

“It is something that’s really important to us, and we’ve been working at it. Even as we went from 10 to 30, we’ve worked to pay close attention to [diversity and inclusion], and we continue to do so just as part of the culture of how we build the business,” he said.

He’s been having to build that workforce in the middle of COVID, but he says that even before the pandemic shut down offices, he and his founding partners were big on flexibility in terms of time spent in the office versus working from home. “We knew that for mental health strength and stability, that being in the office nine to five, five days a week wasn’t really a modern model that would cut it,” he said.

Even pre-COVID the company was offering two quiet periods a year to let people refresh their batteries. In the midst of COVID, he’s trying to give people Friday afternoons off to go out and exercise and relax their minds.

As the startup grows, those types of things may be harder to do, but it’s the kind of culture Darrow and his founding partners hope to continue to foster as they build the company.

Application security platform NeuraLegion raises $4.7 million seed led by DNX Ventures

A video call group photo of NeuraLegion's team working remotely around the world


Application security platform NeuraLegion announced today it has raised a $4.7 million seed round led by DNX Ventures, an enterprise-focused investment firm. The funding included participation from Fusion Fund, J-Ventures and Incubate Fund. The startup also announced the launch of a new self-serve, community version that allows developers to sign up on their own for the platform and start performing scans within a few minutes.

Based in Tel Aviv, Israel, NeuraLegion also has offices in San Francisco, London and Mostar, Bosnia. It currently offers NexDAST for dynamic application security testing, and NexPLOIT to integrate application security into SDLC (software development life cycle). It was launched last year by a founding team that includes chief executive Shoham Cohen, chief technology officer Bar Hofesh, chief scientist Art Linkov and president and chief commercial officer Gadi Bashvitz.

When asked who NeuraLegion views as its closest competitors, Bashvitz said Invicti Security and WhiteHat Security. Both are known primarily for their static application security testing (SAST) solutions, which Bashvitz said complements DAST products like NeuraLegion’s.

“These are complementary solutions and in fact we have some information partnerships with some of these companies,” he said.

Where NeuraLegion differentiates from other application security solutions, however, is that it was created specifically for developers, quality assurance and DevOps workers, so even though it can also be used by security professionals, it allows scans to be run much earlier in the development process than usual while lowering costs.

Bashvitz added that NeuraLegion is now used by thousands of developers through their organizations, but it is releasing its self-serve, community product to make its solutions more accessible to developers, who can sign up on their own, run their first scans and get results within 15 minutes.

In a statement about the funding, DNX Ventures managing partner Hiro Rio Maeda said, “The DAST market has been long stalled without any innovative approaches. NeuraLegion’s next-generation platform introduces a new way of conducting robust testing in today’s modern CI/CD environment.”

Temporal raises $18.75M for its microservices orchestration platform

Temporal, a Seattle-based startup that is building an open-source, stateful microservices orchestration platform, today announced that it has raised an $18.75 million Series A round led by Sequoia Capital. Existing investors Addition Ventures and Amplify Partners also joined, together with new investor Madrona Venture Group. With this, the company has now raised a total of $25.5 million.

Founded by Maxim Fateev (CEO) and Samar Abbas (CTO), who created the open-source Cadence orchestration engine during their time at Uber, Temporal aims to make it easier for developers and operators to run microservices in production. Current users include the likes of Box and Snap.

“Before microservices, coding applications was much simpler,” Temporal’s Fateev told me. “Resources were always located in the same place — the monolith server with a single DB — which meant developers didn’t have to codify a bunch of guessing about where things were. Microservices, on the other hand, are highly distributed, which means developers need to coordinate changes across a number of servers in different physical locations.”

Those servers could go down at any time, so engineers often spend a lot of time building custom reliability code to make calls to these services. As Fateev argues, that’s table stakes and doesn’t help these developers create something that builds real business value. Temporal gives these developers access to a set of what the team calls “reliability primitives” that handle these use cases. “This means developers spend far more time writing differentiated code for their business and end up with a more reliable application than they could have built themselves,” said Fateev.

Temporal’s target user is virtually any developer who works with microservices and wants them to be reliable. Because of this, the company’s read-only web-based user interface for administering and monitoring the system isn’t the main focus. The company also doesn’t have any plans to create a no-code/low-code workflow builder, Fateev tells me. However, since the project is open source, quite a few Temporal users build their own solutions on top of it.

The company itself plans to offer a cloud-based Temporal-as-a-Service offering soon. Interestingly, Fateev tells me that the team isn’t looking at offering enterprise support or licensing in the near future. “After spending a lot of time thinking it over, we decided a hosted offering was best for the open-source community and long-term growth of the business,” he said.

Unsurprisingly, the company plans to use the new funding to improve its existing tool and build out this cloud service, with plans to launch it into general availability next year. At the same time, the team plans to stay true to its open-source roots, host events and provide more resources to its community.

“Temporal enables Snapchat to focus on building the business logic of a robust asynchronous API system without requiring a complex state management infrastructure,” said Steven Sun, Snap Tech Lead, Staff Software Engineer. “This has improved the efficiency of launching our services for the Snapchat community.”

Breach at Dickey’s BBQ Smokes 3M Cards

One of the digital underground’s most popular stores for peddling stolen credit card information began selling a batch of more than three million new card records this week. KrebsOnSecurity has learned the data was stolen in a lengthy data breach at more than 100 Dickey’s Barbeque Restaurant locations around the country.

An ad on the popular carding site Joker’s Stash for “BlazingSun,” which fraud experts have traced back to a card breach at Dickey’s BBQ.

On Monday, the carding bazaar Joker’s Stash debuted “BlazingSun,” a new batch of more than three million stolen card records, advertising “valid rates” of between 90-100 percent. This is typically an indicator that the breached merchant is either unaware of the compromise or has only just begun responding to it.

Multiple companies that track the sale of stolen payment card data say they have confirmed with card-issuing financial institutions that the accounts for sale in the BlazingSun batch have one common theme: All were used at various Dickey’s BBQ locations over the past 13-15 months.

KrebsOnSecurity first contacted Dallas-based Dickey’s on Oct. 13. Today, the company shared a statement saying it was aware of a possible payment card security incident at some of its eateries:

“We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved. We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”

The confirmations came from Miami-based Q6 Cyber and Gemini Advisory in New York City.

Q6Cyber CEO Eli Dominitz said the breach appears to extend from May 2019 through September 2020.

“The financial institutions we’ve been working with have already seen a significant amount of fraud related to these cards,” Dominitz said.

Gemini says its data indicated some 156 Dickey’s locations across 30 states likely had payment systems compromised by card-stealing malware, with the highest exposure in California and Arizona. Gemini puts the exposure window between July 2019 and August 2020.

“Low-and-slow” aptly describes the card breach at Dickey’s, which persisted for at least 13 months.

With the threat from ransomware attacks grabbing all the headlines, it may be tempting to assume plain old credit card thieves have moved on to more lucrative endeavors. Alas, cybercrime bazaars like Joker’s Stash have continued plying their trade, undeterred by a push from the credit card associations to encourage more merchants to install credit card readers that require more secure chip-based payment cards.

That’s because there are countless restaurant locations — usually franchise locations of an established eatery chain — that are left to decide for themselves whether and how quickly they should make the upgrades necessary to dip the chip versus swipe the stripe.

“Dickey’s operates on a franchise model, which often allows each location to dictate the type of point-of-sale (POS) device and processors that they utilize,” Gemini wrote in a blog post about the incident. “However, given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations.”

While there have been sporadic reports about criminals compromising chip-based payment systems used by merchants in the U.S., the vast majority of the payment card data for sale in the cybercrime underground is stolen from merchants who are still swiping chip-based cards.

This isn’t conjecture; relatively recent data from the stolen card shops themselves bear this out. In July, KrebsOnSecurity wrote about an analysis by researchers at New York University, which looked at patterns surrounding more than 19 million stolen payment cards that were exposed after the hacking of BriansClub, a top competitor to the Joker’s Stash carding shop.

The NYU researchers found BriansClub earned close to $104 million in gross revenue from 2015 to early 2019, and listed over 19 million unique card numbers for sale. Around 97% of the inventory was stolen magnetic stripe data, commonly used to produce counterfeit cards for in-person payments.

Visa and MasterCard instituted new rules in October 2015 that put retailers on the hook for all of the losses associated with counterfeit card fraud tied to breaches if they haven’t implemented chip-based card readers and enforced the dipping of the chip when a customer presents a chip-based card.

Dominitz said he never imagined back in 2015 when he founded Q6Cyber that we would still be seeing so many merchants dealing with magstripe-based data breaches.

“Five years ago I did not expect we would be in this position today with card fraud,” he said. “You’d think the industry in general would have made a bigger dent in this underground economy a while ago.”

Tired of having your credit card re-issued and updating your payment records at countless e-commerce sites every time some restaurant you frequent has a breach? Here’s a radical idea: Next time you visit an eatery (okay, if that ever happens again post-COVID, etc), ask them if they use chip-based card readers. If not, consider taking your business elsewhere.

Hiding in Plain Sight | The IoT Security Headache and How to Fix It

Within five years there will be some 41.6 billion connected IoT devices, according to IDC, and these “things” will generate 79.4 zettabytes of data. The explosion of connected devices in home, enterprise and industrial environments increases the attack surface of these entities many times over. Moreover, many of these devices are insecure by nature, and others, although equipped with reasonable security mechanisms, are left exposed through poor cyber hygiene and a lack of IoT security know-how. In this post, we look at some of the dangers posed by IoT devices and how they can be addressed.

Enhanced DDoS Attacks with CallStranger

The quest to make connected devices cheap and easy to install and operate has resulted in less-than-adequate security mechanisms. A case in point is the IP cameras made by China-based HiChip, which has sold around 100,000 wireless cameras in the UK, all of them vulnerable to hacking. But even when a device is built to the desired security standards, the protocols it relies on are sometimes seriously flawed.

Earlier this year, Turkish researcher Yunus Çadırcı identified a new vulnerability in UPnP (Universal Plug and Play), a set of networking protocols that lets devices discover each other on a network and set up services for data sharing. The vulnerability, CVE-2020-12695, aka “CallStranger”, lies in UPnP’s eventing mechanism: a device accepts a SUBSCRIBE request whose Callback header points at any URL, including an address outside its own network segment, and then delivers its event notifications there. An attacker who can reach a device’s subscription URL can therefore make the device itself open connections and push traffic to a victim of the attacker’s choosing. Pointed at one target from many devices at once, this produces a large-scale TCP-based reflection and amplification DDoS attack, with the UPnP devices rather than the attacker appearing as the source of the traffic.

In addition, because the vulnerable device makes the connections on the attacker’s behalf, CallStranger allows attackers to bypass DLP and network security devices to exfiltrate data, and even to scan internal network ports that are not otherwise exposed to the internet.

This vulnerability affects billions of UPnP devices on local networks and millions of UPnP devices on the Internet, almost all of which need to be updated. The following devices have been identified as among those that are known to be vulnerable to the CallStranger bug, although other devices could also be at risk:

  • Windows 10 (Probably all Windows versions including servers) – upnphost.dll 10.0.18362.719
  • Xbox One – OS Version 10.0.19041.2494
  • ADB TNR-5720SX Box (TNR-5720SX/v16.4-rc-371-gf5e2289 UPnP/1.0 BH-upnpdev/2.0)
  • Asus ASUS Media Streamer
  • Asus RT-N66U Firmware: 3.0.0.4.382_51640-g679a7e3
  • Asus Rt-N11
  • Belkin WeMo
  • Bose SoundTouch 10 (http://x.x.x.x:8091/QPlay/Event)
  • Broadcom ADSL Modems
  • Canon Canon SELPHY CP1200 Printer
  • Cisco X1000 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
  • Cisco X3500 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
  • D-Link DVG-N5412SP WPS Router (OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Denon X3500H (LINUX UPnP/1.0 Denon-Heos/155415)
  • EPSON EP, EW, XP Series (EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0)
  • HP Deskjet, Photosmart, Officejet ENVY Series (POSIX, UPnP/1.0, Intel MicroStack/1.0.1347)
  • Huawei HG255s Router – Firmware HG255sC163B03 (ATP UPnP Core)
  • Huawei MyBox (Linux/3.4.67_s40 UPnP/1.0 HUAWEI_iCOS/iCOS V1R1C00)
  • JRiver DLNA Server 19.0.163 (Windows, UPnP/1.1 DLNADOC/1.50, JRiver/19)
  • LG webOS TV OLED55C9PLA (Linux/i686 UPnP/1,0 DLNADOC/1.50 LGE WebOS TV/Version 0.9)
  • Linksys router (http://x.x.x.x:49152/upnp/event/Layer3Forwarding)
  • NEC AccessTechnica WR8165N Router ( OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Philips 2k14MTK TV – Firmware TPL161E_012.003.039.001
  • Samsung UE55MU7000 TV – Firmware T-KTMDEUC-1280.5, BT – S
  • Samsung MU8000 TV
  • Synology NAS (Linux/3.10.105, UPnP/1.0, Portable SDK for UPnP devices/1.6.21)
  • TP-Link TL-WA801ND (Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.19)
  • TP-Link Archer VR200 (Linux/2.6.32.42, UPnP/1.0, Portable SDK for UPnP devices/1.6.19)
  • Trendnet TV-IP551W (OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Zyxel VMG8324-B10A (LINUX/2.6 UPnP/1.0 BRCM400-UPnP/1.0)
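The following is an added example, not code from the SentinelOne post nor the researcher’s published checker: a minimal model of the UPnP eventing step that CallStranger abuses, with the device-side SUBSCRIBE handler written once in its vulnerable form (any Callback URL is accepted) and once hardened (callbacks outside the device’s own subnet are refused). It sends nothing on the wire; the hosts, ports and event path are constructed for illustration, and the `hardened` switch is this example’s own device, not any vendor’s firmware.

```python
"""
Added example (not from the SentinelOne post or the CallStranger researcher's
code): models the UPnP SUBSCRIBE/Callback exchange behind CVE-2020-12695 so
the vulnerable and hardened device behaviour can be compared side by side.
All addresses, ports and paths below are constructed for illustration.
"""
import ipaddress
import re
import uuid
from urllib.parse import urlparse


def build_subscribe(host, port, event_path, callback_url, timeout=1800):
    """Build the SUBSCRIBE request a control point (or an attacker) sends to a
    device's event URL. CALLBACK is where the device will later POST NOTIFY
    messages; CallStranger is the device trusting that URL unconditionally."""
    return (
        f"SUBSCRIBE {event_path} HTTP/1.1\r\n"
        f"HOST: {host}:{port}\r\n"
        f"CALLBACK: <{callback_url}>\r\n"
        "NT: upnp:event\r\n"
        f"TIMEOUT: Second-{timeout}\r\n"
        "\r\n"
    ).encode()


_HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")


def parse_subscribe(raw):
    """Parse the request line and headers; UPnP header names are case-insensitive."""
    lines = raw.decode(errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        m = _HEADER_RE.match(line)
        if m:
            headers[m.group(1).upper()] = m.group(2).strip()
    return {"method": parts[0], "path": parts[1] if len(parts) > 1 else "", "headers": headers}


def callback_urls(header_value):
    """CALLBACK may list several <url> entries; return them in order."""
    return re.findall(r"<([^>]+)>", header_value)


def callback_allowed(url, device_network):
    """Hardened check: accept only http callbacks to a literal IP on the device's
    own subnet. Hostnames are refused, since resolving them would let an
    attacker steer the device to an off-segment address through DNS."""
    parsed = urlparse(url)
    if parsed.scheme != "http" or not parsed.hostname:
        return False
    try:
        host_ip = ipaddress.ip_address(parsed.hostname)
    except ValueError:
        return False
    return host_ip in device_network


def handle_subscribe(raw, device_network, hardened):
    """Device-side handling of SUBSCRIBE; returns (status, sid).
    hardened=False reproduces CallStranger: any callback is accepted, so the
    device will push NOTIFY traffic wherever the request tells it to.
    hardened=True refuses off-segment callbacks with 412 Precondition Failed,
    the status UPnP defines for an invalid CALLBACK header."""
    req = parse_subscribe(raw)
    hdrs = req["headers"]
    if req["method"] != "SUBSCRIBE" or hdrs.get("NT") != "upnp:event":
        return 412, None
    urls = callback_urls(hdrs.get("CALLBACK", ""))
    if not urls:
        return 412, None
    net = ipaddress.ip_network(device_network)
    if hardened and not all(callback_allowed(u, net) for u in urls):
        return 412, None
    return 200, f"uuid:{uuid.uuid4()}"


if __name__ == "__main__":
    # An attacker asks a LAN router to deliver its event notifications to a
    # host on the internet (203.0.113.7 is a documentation address, constructed here).
    attack = build_subscribe("192.168.1.1", 49152, "/upnp/event/Layer3Forwarding",
                             "http://203.0.113.7:80/")
    print("vulnerable device:", handle_subscribe(attack, "192.168.1.0/24", hardened=False)[0])
    print("hardened device:  ", handle_subscribe(attack, "192.168.1.0/24", hardened=True)[0])
```

The vulnerable branch answers 200 and will go on to connect to 203.0.113.7, which is exactly the reflection the post describes; the hardened branch answers 412 and never contacts the address. Checking real devices on your own network is a job for the researcher’s published checker, which this model does not replace.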

The Ripple20 Supply Chain Vulnerability

A problem that affects IoT devices in particular is the use of third-party code and libraries that may never be updated by the vendor after the device has shipped. In some cases the vendor may not even have a way of updating such code short of a device recall, which is often impractical because devices tend to remain in use for far longer than the minimal support period that typically comes with cheap IoT devices.

Researchers at the JSOF research lab discovered a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc. The library, believed to have been first released in 1997, implements a lightweight TCP/IP stack, and companies have embedded it in their devices and software for decades to give them TCP/IP connectivity to the internet. JSOF named the 19 vulnerabilities “Ripple20” (after the year 2020, not the number of vulnerabilities).

Because the flaws reside in the supply chain of hundreds of millions of IoT devices worldwide, an unknown number of which are either unpatchable or no longer supported by their manufacturers, Ripple20 is going to be with us for a long time to come. Attackers who discover a Ripple20-vulnerable device on a network can abuse it to achieve remote code execution, allowing data theft, malicious takeover and more.

Botnets | Making The Most Out Of Insecure Devices

It’s not just specific vulnerabilities, however, that make IoT devices such a security concern. Many ship with no security configuration at all, or a poorly configured one, and sit on the network with known default credentials. The Mirai botnet famously exploited this back in 2016, spreading through hundreds of thousands of IoT devices using nothing more sophisticated than a hard-coded list of known default credentials for particular device models.

In the time since the first Mirai attack many other botnets have risen, but even today Mirai and its variants are still predominant. The Mirai variant Echobot carries 71 unique exploits, 13 of them not previously seen exploited; it surfaced a year ago and was seen in the wild multiple times between October and December. Other botnets, such as IoTroop, which shares an extensive code base with the leaked Mirai source, are also fairly active, especially in Japan, where IoTroop accounts for 87% of all botnet detections. Another botnet, Dark Nexus, has also been active in the past year.

More recently, researchers at 360Netlab discovered a new IoT P2P botnet they dubbed “HEH”. Written in Go and supporting multiple architectures, HEH is built to be destructive: while the researchers say it is still at an early stage of development, one feature already built in is the ability to wipe all data on the infected device. HEH spreads via brute-force attacks on Telnet ports 23 and 2323.

That attackers are increasingly targeting IoT devices for recruitment into botnets is evident. One recent study found a 46% increase in cyber attacks on smart homes and on IoT devices in enterprise and industrial environments. Another found that more than 50% of IoT devices are “protected” by the default password “12345”. Other research found many sellers on the darknet offering “ready to go” botnets for sale.
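The Telnet credential-stuffing behaviour described above for Mirai and HEH (ports 23 and 2323, a fixed list of default logins) is easy to spot in device or honeypot logs once you know what to look for. The following detection logic is an added example, not part of the SentinelOne post: it runs over a handful of constructed log lines in an assumed `key=value` format (adapt the regex to your own telnet daemon, honeypot or flow export) and flags sources that burst login attempts, try credential pairs from Mirai’s leaked scanner list, or, worst of all, log in successfully with one of them. The credential subset is taken from the Mirai scanner source; the log format, thresholds and severities are this example’s own choices.

```python
"""
Added example, not from the SentinelOne post: flag Mirai/HEH-style Telnet
credential stuffing in authentication logs. The log format below is an
assumption for this example, and SAMPLE_LOG is constructed test data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

TELNET_PORTS = {23, 2323}

# Small subset of the default credential pairs hard-coded in Mirai's leaked
# scanner source; extend from the full list for production use.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "12345"),
    ("root", "123456"), ("admin", "12345"), ("support", "support"), ("ubnt", "ubnt"),
}

# Assumed log line shape: ISO timestamp, then key=value fields from a telnet daemon.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)

# Constructed sample: a scanner walking the Mirai list on 2323, an operator
# mistyping a password once on 23, and a scanner that gets in with root/12345.
SAMPLE_LOG = """\
2020-10-14T02:11:03Z src=198.51.100.23 dport=2323 user=root pass=xc3511 result=fail
2020-10-14T02:11:04Z src=198.51.100.23 dport=2323 user=root pass=vizxv result=fail
2020-10-14T02:11:04Z src=198.51.100.23 dport=2323 user=admin pass=admin result=fail
2020-10-14T02:11:05Z src=198.51.100.23 dport=2323 user=root pass=888888 result=fail
2020-10-14T02:11:06Z src=198.51.100.23 dport=2323 user=root pass=xmhdipc result=fail
2020-10-14T02:13:40Z src=192.168.1.77 dport=23 user=operator pass=Wr0ngOnce result=fail
2020-10-14T02:13:52Z src=192.168.1.77 dport=23 user=operator pass=C0rrect!x result=ok
2020-10-14T02:20:10Z src=203.0.113.9 dport=23 user=root pass=admin result=fail
2020-10-14T02:20:11Z src=203.0.113.9 dport=23 user=root pass=12345 result=ok
"""


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def analyse(log_text, burst=4, window=timedelta(seconds=60)):
    """Return {src: finding} for sources showing botnet-style Telnet behaviour.

    Three signals are combined: a burst of attempts inside `window`, use of
    credentials from the Mirai list, and a successful login with one of them.
    """
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["dport"] in TELNET_PORTS:
            per_src[ev["src"]].append(ev)

    findings = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e["ts"])
        creds_tried = {(e["user"], e["pw"]) for e in events}
        defaults_used = creds_tried & MIRAI_DEFAULTS
        default_success = any(
            e["result"] == "ok" and (e["user"], e["pw"]) in MIRAI_DEFAULTS for e in events
        )
        # Sliding window: the most attempts seen within `window` seconds.
        peak, start = 0, 0
        for i, e in enumerate(events):
            while e["ts"] - events[start]["ts"] > window:
                start += 1
            peak = max(peak, i - start + 1)

        reasons = []
        if peak >= burst:
            reasons.append(f"{peak} login attempts within {int(window.total_seconds())}s")
        if defaults_used:
            reasons.append(f"{len(defaults_used)} known default credential pair(s) tried")
        if default_success:
            reasons.append("successful login with a default credential")
        if reasons:
            severity = "critical" if default_success else ("high" if defaults_used else "medium")
            findings[src] = {"severity": severity, "attempts": len(events), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for src, finding in analyse(SAMPLE_LOG).items():
        print(src, finding["severity"], "; ".join(finding["reasons"]))
```

The operator at 192.168.1.77 is not reported (two attempts, no list credentials), the scanner at 198.51.100.23 is rated high for walking the Mirai list, and 203.0.113.9 is rated critical because it actually logged in with root/12345, which is the point at which a device has stopped being a scan target and become a bot.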

A Ponemon Institute study conducted in 2020 suggests that known data breaches caused by insecure devices have doubled since 2017. According to the study, an overwhelming number of security professionals, as many as 90%, expect their company to experience a cyber attack or data breach caused by insecure IoT devices or applications in the next two years. More than three-quarters of respondents said that IoT risks pose a serious threat to high-value data assets. Nearly 50% of respondents reported that it was not possible to maintain an inventory of IoT devices in the workplace with their current security and auditing tools, and of the devices that could be identified, fewer than half had adequate security.

Solving the IoT Security Headache

In some cases, there are known remediations for specific vulnerabilities. For the CallStranger vulnerability discussed above, for example, the researcher who found it has published specific mitigation advice along with a script that checks devices for CVE-2020-12695.

In other cases, there’s not much you can do other than take a vulnerable device off the network, assuming you can find it in the first place. And no amount of vulnerability patching is going to protect a device from a botnet if its configuration relies on weak or default credentials.

Given the complexity of the IoT problem and the human effort required of admins to keep up with the ever-increasing number of new IoT devices joining the network, automated help from your security solution is essential.

A solution like SentinelOne’s Ranger, for example, adds global network visibility to your armoury. It allows you to detect and alert on new IoT devices in your network, isolate device-based threats and even hunt for suspicious network devices across the entire network. Just as importantly, it can do this without needing any additional specialty hardware or software as Ranger is already built-in to the SentinelOne agent and uses protected endpoints themselves as distributed network sensors.

Conclusion

The proliferation of IoT ‘smart’ devices is only set to continue, and with a continuing lack of industry standards or government regulations for IoT device security, the risk presented by such devices on enterprise networks is similarly bound to increase. Gaining visibility into your network and having the means to control all devices on it is fundamental to your security posture. If you would like to learn more about how the SentinelOne platform and SentinelOne Ranger can help, contact us for more information or request a free demo.

