Salesforce has built a deep bench of executive talent via acquisition

When Salesforce acquired Quip in 2016 for $750 million, it gained CEO and co-founder Bret Taylor as part of the deal. Taylor has since risen quickly through the ranks of the software giant to become president and COO, second in command behind CEO Marc Benioff. Taylor’s experience shows that startup founders can sometimes play a key role in the companies that acquire them.

Benioff, 56, has been running Salesforce since its founding more than 20 years ago. While he hasn’t given any public hints that he intends to leave anytime soon, if he wanted to step back from the day-to-day running of the company or even job share the role, he has a deep bench of executive talent including many experienced CEOs, who like Taylor came to the company via acquisition.

One way to step back from the enormous responsibility of running Salesforce would be by sharing the role.

He and his wife Lynne have been active in charitable giving and in 2016 signed The Giving Pledge, an initiative from the The Bill and Melinda Gates Foundation, to give a majority of their wealth to philanthropy. One could see him wanting to put more time into pursuing these charitable endeavors just as Gates did 20 years ago. As a means of comparison, Gates founded Microsoft in 1975 and stayed for 25 years until he left in 2000 to run his charitable foundation full time.

Even if this remains purely speculative for the moment, there is a group of people behind him with deep industry experience, who could be well-suited to take over should the time ever come.

Resurrecting the co-CEO role

One way to step back from the enormous responsibility of running Salesforce would be by sharing the role. In fact, for more than a year starting in 2018, Benioff actually shared the top job with Keith Block until his departure last year. When they worked together, the arrangement seemed to work out just fine with Block dealing with many larger customers and helping the software giant reach its $20 billion revenue goal.

Before Block became co-CEO, he had a myriad other high-level titles including co-chairman, president and COO — two of which, by the way, Taylor has today. That was a lot of responsibility for one person inside a company the size of Salesforce, but promoting him to co-CEO from COO gave the company a way to reward his hard work and help keep him from jumping ship (he eventually did anyway).

As Holger Mueller, an analyst at Constellation Research points out, the co-CEO concept has worked out well at major enterprise companies that have tried it in the past, and it helped with continuity. “Salesforce, SAP and Oracle all didn’t miss a beat really with the co-CEO departures,” he said.

If Benioff wanted to go back to the shared responsibility model and take some work off his plate, making Taylor (or someone else) co-CEO would be one way to achieve that. Certainly, Brent Leary, lead analyst at CRM Essentials sees Taylor gaining increasing responsibility as time goes along, giving credence to the idea.

“Ever since Quip was acquired Taylor seemed to be on the fast track, becoming president and chief product officer less than a year-and-a-half after the acquisition, and then two years later being promoted to chief operating officer,” Leary said.

Who else could be in line?

While Taylor isn’t the only person who could step into Benioff’s shoes, he looks like he has the best shot at the moment, especially in light of the $27.7 billion Slack deal he helped deliver earlier this month.

“Taylor being publicly praised by Benioff for playing a significant role in the Slack acquisition, Salesforce’s largest acquisition to date, shows how much he has solidified his place at the highest levels of influence and decision-making in the organization,” Leary pointed out.

But Mueller posits that his rapid promotions could also show something might be lacking with internal options, especially around product. “Taylor is a great, smart guy, but his rise shows more the product organization bench depth challenges that Salesforce has,” he said.

How artificial intelligence will be used in 2021

Scale AI CEO Alexandr Wang doesn’t need a crystal ball to see where artificial intelligence will be used in the future. He just looks at his customer list.

The four-year-old startup, which recently hit a valuation of more than $3.5 billion, got its start supplying autonomous vehicle companies with the labeled data needed to train machine learning models to develop and eventually commercialize robotaxis, self-driving trucks and automated bots used in warehouses and on-demand delivery.

The wider adoption of AI across industries has been a bit of a slow burn over the past several years as company founders and executives begin to understand what the technology could do for their businesses.

In 2020, that changed as e-commerce, enterprise automation, government, insurance, real estate and robotics companies turned to Scale’s visual data labeling platform to develop and apply artificial intelligence to their respective businesses. Now, the company is preparing for the customer list to grow and become more varied.

How 2020 shaped up for AI

Scale AI’s customer list has included an array of autonomous vehicle companies including Alphabet, Voyage, nuTonomy, Embark, Nuro and Zoox. While it began to diversify with additions like Airbnb, DoorDash and Pinterest, there were still sectors that had yet to jump on board. That changed in 2020, Wang said.

Scale began to see incredible use cases of AI within the government as well as enterprise automation, according to Wang. Scale AI began working more closely with government agencies this year and added enterprise automation customers like States Title, a residential real estate company.

Wang also saw an increase in uses around conversational AI, in both consumer and enterprise applications as well as growth in e-commerce as companies sought out ways to use AI to provide personalized recommendations for its customers that were on par with Amazon.

Robotics continued to expand as well in 2020, although it spread to use cases beyond robotaxis, autonomous delivery and self-driving trucks, Wang said.

“A lot of the innovations that have happened within the self-driving industry, we’re starting to see trickle out throughout a lot of other robotics problems,” Wang said. “And so it’s been super exciting to see the breadth of AI continue to broaden and serve our ability to support all these use cases.”

The wider adoption of AI across industries has been a bit of a slow burn over the past several years as company founders and executives begin to understand what the technology could do for their businesses, Wang said, adding that advancements in natural language processing of text, improved offerings from cloud companies like AWS, Azure and Google Cloud and greater access to datasets helped sustain this trend.

“We’re finally getting to the point where we can help with computational AI, which has been this thing that’s been pitched for forever,” he said.

That slow burn heated up with the COVID-19 pandemic, said Wang, noting that interest has been particularly strong within government and enterprise automation as these entities looked for ways to operate more efficiently.

“There was this big reckoning,” Wang said of 2020 and the effect that COVID-19 had on traditional business enterprises.

If the future is mostly remote with consumers buying online instead of in-person, companies started to ask, “How do we start building for that?,” according to Wang.

The push for operational efficiency coupled with the capabilities of the technology is only going to accelerate the use of AI for automating processes like mortgage applications or customer loans at banks, Wang said, who noted that outside of the tech world there are industries that still rely on a lot of paper and manual processes.

SentinelOne’s Cybersecurity Predictions 2021 | What Can We Expect After a Year Like This?

2020 was anything but ordinary. Here’s a look at what the world was thinking about over the last 12 months, and here’s some highlights of what occurred in cybersecurity, but we’re not going to dwell on the past right now. Instead, let’s take a look at what’s in store for 2021. We asked some of our experts at SentinelOne for their predictions for the coming year. While no one has a crystal ball, this is how they see things unfolding based on what we know today.

Ransomware – We Haven’t Seen Anything Yet

Not only will the ransomware epidemic continue, it will get worse. Attacks will become more sophisticated and attack frequency and associated ransom demands will increase for several reasons.

First, attackers have grown to understand the profile of an easy target, which has proved for now to be municipalities and local government organizations. These targets hold limited resources, are slow to patch, utilize legacy defense solutions and employ yesterday’s technology and best practices in an attempt to solve tomorrow’s problems.

The most effective way to combat a ransomware attack is not to get hit in the first place, which can only be achieved through closing the gap on attacker sophistication and modernizing defenses. Unfortunately, bureaucratic budgeting and procurement processes will make it impossible for government agencies and towns to keep up with today’s attackers. Public sector budgets for the following year are typically allocated by July 1st, which means that public sector organizations will firmly remain 18-24 months behind the security curve. Additional funding to replace outdated legacy systems will not be available in the short-term.

Second, ransomware is a profit-driven business and it’s a bull market. Following Baltimore, where a demand of $76,000 was not met resulting in damages of more than $18M, a trend of municipalities forgoing advice of the FBI to not pay attackers has emerged. This trend will likely continue as cyber insurance, which was once considered a nice-to-have, is now a necessity and paying attackers out under claims is far more appealing than damages totaling eight figures. Morgan Wright, Chief Security Officer at SentinelOne

Ransomware and The Perils of Paying

Attack Sophistication Will Become the New ‘Normal’

Anyone following the latest discoveries on the SolarWinds attacks understands that this kind of scale and sophistication is here to stay. While the line between nation state actors and financially motivated cybercrime organizations is getting blurry, the tactics being used these days have never been seen before.

Stealing a certificate to sign a malicious update for software widely used by federal and state entities to begin with, making a custom DLL for communications while using existing API calls and domains and remaining stealthy for months…these are TTPs that go beyond what most organizations and security software are currently built to resist.

That means all of us, as defenders, must reconsider how we protect. None of the above TTPs can be detected by traditional monitoring and security tools; to detect these one needs to establish a good baseline, to keep on looking for anomalies, to investigate each one and to make sure each and every endpoint has on-device detection mechanisms that are not dependent on traffic or network discovery. If one leaves an endpoint unprotected, it is likely to become an entry point to the rest of the network. In fact, one can find security solutions that rely on this aspect to detect incoming attempts, also known as the deception market.

The take-away for us as defenders is simple: “eat your vegetables” – meaning, start with the basics, ensure a good baseline and detect anomalies, put in layers of defense that can speak to one another and ensure your endpoints are protected with behavioral-based detection to catch it as it happens. Migo Kedem, Senior Director, Products & Marketing at SentinelOne

SolarWinds SUNBURST Backdoor: Inside the APT Campaign

Deepfake Is Coming of Age…And We’re Not Ready For It

Back in the far-far past, before The Fall, there was little yibber about a spesh story that many would have missed if they didn’t sivvy for it. It’s all true true, not a yarn I tell you.

Cloud Atlas and pandemic references aside, the story broke in, made a little noise and then seemed to disappear. This telling of the event by Forbes was published 3rd September 2019, almost a lifetime ago by todays standards.

But it is a significant one nonetheless. A UK based CEO was phoned by the German CEO of the parent company, and ordered to transfer €220,000 to the bank account of a Hungarian supplier. Sounds dodgy, right? Well the UK CEO wasn’t concerned because he happened to know the CEO personally, and recognised “the subtle German accent in his boss’s voice—and moreover that it carried the man’s ‘melody’.” The money was duly transferred.

It was only after a second and third subsequent call that the UK CEO became suspicious, picking up on other clues. The criminals had used what researchers believe to be the first instance of AI voice mimicry for fraud, or deepfake.

With us all working from home still for the foreseeable future, and even post pandemic, more likely to work from home for greater parts of the week anyway, this kind of fraud will become more commonplace. People won’t be able to chat to nearby workers, or shoulder tap someone to check if a request is legitimate or not.

The criminals will get better as the deepfake technology becomes cheaper, computers more powerful, and their targets more disenfranchised from their workplace. And so we come to my prediction…

In 2021, I believe we will see the first successful video based deepfake phishing attack, resulting in either significant financial or data loss. I really hope I am wrong, but I think all the pieces are in place.

And that right there is a scarysome yarn we can yibber about until the Next Fall. Thom Langford, Security Advocate at SentinelOne

What is Deepfake? (And Should You Be Worried?)

The Supply Chain Risk Becomes Real for Everyone

So the FireEye/Solarwinds breach at the end of 2020 is still evolving, but the scope of this supply chain attack is staggering. To add to that, the US DOD CMMC regulations really start to be enforced in 2021. Any company that supplies any product or service to the DOD and all of those company’s subcontractors and suppliers must meet CMMC standards. So expect much more robust controls and focus on cyber security in the supply chain. Chris Bates, CISO at SentinelOne

Here to Stay | May The Remote Workforce Be With You

The shift to a remote workforce in 2020 was one of the single biggest transformations in how people work in the past 100 years. As year compliance and certification audits and CMMC hit in 2021, cyber programs will have to change to really bake in processes in this remote work environment. Items like vulnerability management and visibility on remote internet-only machines will become a mandatory reality for many companies that have struggled to meet these requirements in 2020. Chris Bates, CISO at SentinelOne

A Change in Perspective | Security As Essential Infrastructure

Another prediction for next year is that security will continue to move away from being considered a liability on the business and growth and instead move toward being viewed as essential infrastructure that can ensure the sustainability of the business. Migo Kedem, Senior Director, Products & Marketing at SentinelOne

Judgement Day is Coming for Apple’s Approach to Security

There is a war going on in the Apple ecosystem, though you’d hardly know it from following the usual security feeds. This war revolves around a central philosophical debate in security about which approach is safer, open or closed technology? Apple argues that keeping everybody, including security researchers, out of certain areas of its hardware and software makes the macOS and iOS operating systems safer. Security researchers argue that determined attackers will find a way in anyway, but the closed nature of Apple’s systems means victims may never know they’ve been compromised.

If you’re on the ‘open’ side of the argument, then you’ll be relieved to hear that in the final week of 2020, a court judge ruled against Apple’s attempt to shutdown security research outfit Corellium, although the legal battle will undoubtedly continue into 2021 as Apple seeks to appeal that decision.

Arguably, history also favours the ‘open’ approach as there are countless examples of the failures of ‘security by obscurity’. A couple of examples from 2020: on macOS, Apple’s opaque Notarization system has been bypassed by commodity malware on a number of occasions; on iOS, a researcher wrote a 30,000 word paper earlier this month detailing a zero-click Wifi exploit that could steal user photos. Zero-click? No interaction needed, and the exploit can be triggered over the air.

The $64 million dollar question is: will we see threat actors exploiting macOS and iOS vulnerabilities in the wild during 2021? In my view, given the early state of vulnerability research into macOS Big Sur and unfixable vulnerabilities in a wide range of iOS devices due to checkra1n, 2021 would be an extraordinary year in cybersecurity if we didn’t. Protect your Apple devices in the same way as you would any others. There’s no magic, or security, in obscurity. Phil Stokes, macOS Threat Researcher at SentinelLabs

APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Happy 11th Birthday, KrebsOnSecurity!

Today marks the 11th anniversary of KrebsOnSecurity! Thank you, Dear Readers, for your continued encouragement and support!

With the ongoing disruption to life and livelihood wrought by the Covid-19 pandemic, 2020 has been a fairly horrid year by most accounts. And it’s perhaps fitting that this was also a leap year, piling on an extra day to a solar rotation that most of us probably can’t wait to see in the rearview mirror.

But it was hardly a dull one for computer security news junkies. In almost every category — from epic breaches and ransomware to cybercrime justice and increasingly aggressive phishing and social engineering scams — 2020 was a year that truly went to eleven.

Almost 150 stories here this past year generated nearly 9,000 responses from readers (although about 6 percent of those were on just one story). Thank you all for your thoughtful engagement, wisdom, news tips and support.

I’d like to reprise a note from last year’s anniversary post concerning ads. A good chunk of the loyal readers here are understandably security- and privacy-conscious, and many block advertisements by default — including the ads displayed here.

KrebsOnSecurity does not run third-party ads and has no plans to change that; all of the creatives you see on this site are hosted in-house, are purely image-based, and are vetted first by Yours Truly. Love them or hate ’em, these ads help keep the content at KrebsOnSecurity free to any and all readers. If you’re currently blocking ads here, please consider making an exception for this site.

In case you missed them, some of the most popular feature/enterprise stories on the site this year (in no particular order) included:

The Joys of Owning an ‘OG’ Email Account
Confessions of an ID Theft Kingpin (Part II)
Why and Where You Should Plant Your Flag
Thinking of a Career in Cybersecurity? Read This
Turn on MFA Before Crooks Do it for You
Romanian Skimmer Gang in Mexico Outed by KrebsOnSecurity Stole $1.2 Billion
Who’s Behind the ‘Web Listings’ Mail Scam?
When in Doubt: Hang Up, Look Up, & Call Back
Riding the State Unemployment Fraud Wave
Would You Have Fallen for this Phone Scam?

AI chipmaker Graphcore raises $222M at a $2.77B valuation and puts an IPO in its sights

Applications based on artificial intelligence — whether they are systems running autonomous services, platforms being used in drug development or to predict the spread of a virus, traffic management for 5G networks or something else altogether — require an unprecedented amount of computing power to run. And today, one of the big names in the world of designing and building processors fit for the task has closed a major round of funding as it takes its business to the next level.

Graphcore, the Bristol, U.K.-based AI chipmaker, has raised $222 million, a Series E that CEO and co-founder Nigel Toon said in an interview will be used for a couple of key purposes.

First, Graphcore will use the money to continue expanding its technology, based around an architecture it calls “IPU” (intelligence processing unit), which competes against chips from the likes of Nvidia and Intel also optimized for AI applications. And second, Graphcore will use the funding to shore up its finances ahead of a possible public listing.

The funding, Toon said, gives Graphcore $440 million in cash on the balance sheet and a post-money, $2.77 billion valuation to start 2021.

“We’re in a strong position to double down and grow fast and take advantage of the opportunity in front of us,” he added. He said it could be “premature” to describe this Series E as a “pre-IPO” round. “We have enough cash and this puts us in a position to take that next step,” he added. The company has in recent weeks been rumored to be eyeing up a listing not in the U.K. but on Nasdaq in the U.S.

This latest round of funding is coming from a roster of financial investors. Led by the Ontario Teachers’ Pension Plan, it also includes participation from Fidelity International and Schroders, as well as previous investors Baillie Gifford and Draper Esprit. Graphcore has now raised some $710 million to date.

This Series E gives Graphcore a definite step up in its valuation — the company last raised money back in February of this year, a $150 million extension to its Series D that valued the company at $1.95 billion — but all the same, it closes off what Toon described as a “challenging” year for the company (and indeed, the world at large). 

“I view this year as a speed bump,” he said. “It has been challenging and we’ve realigned to speed things up.”

As it has been for many companies, the year came in different parts.

On one side, Graphcore’s hardware and software product development continued apace with ever-faster processors in ever-smaller packages. In July, Graphcore launched the second generation of its flagship chip, the GC200, and a new IPU Machine that runs on it, the M2000, which the company described at the time as the first AI computer to achieve a petaflop of processing power “in the size of a pizza box.”

But on the other side, the building and launch of those products was largely done with a remote workforce, with employees sent to work from home to help slow down the spread of the coronavirus that has gripped the world and rewritten how much of it operates.

Indeed, the industry at large, and how companies are spending and investing during a period of uncertainty, has also likely shifted. Some companies like Amazon, Apple and Google are all getting more serious about their own chipmaking efforts. Others are caught up in a wave of consolidation: Witness Nvidia’s efforts to acquire ARM in a $40 billion deal.  

All of these spell challenges for an upstart like Graphcore. Toon said Graphcore doesn’t have any plans to make acquisitions: Its strategy is based around organic growth.

And, no great surprises here, he is not excited about Nvidia’s acquisition of ARM: “If we’re not careful, things will consolidate too much and that could kill off innovation,” he said. “We have made our position clear to the U.K. government. We don’t think the Nvidia ARM deal is a good thing.” (Somewhat ironic, considering he and Graphcore co-founder Simon Knowles sold a previous startup to none other than Nvidia.)

He also declined to talk about new customers for Graphcore, but he said that there has been interest from financial services companies, and some from the world of healthcare, automotive and internet companies, “large hyperscalers” in his words, that require the kind of technology that Graphcore is building either to run their systems, or to complement processors that they are potentially also building themselves. (Strategic backers of the company include the likes of Microsoft, BMW, Bosch and Dell.)

Graphcore said that the company is shipping its newest products “in production volume” to customers, and Toon said that a couple of big names are likely to be announced in the coming year, one that some believe might actually be calmer overall for the chip industry compared to 2020.

It’s that pull of technology, and specifically the processing demands of the next generation of computing, that investors believe will continue to drive business to Graphcore as the dust settles on this year.

“The market for purpose-built AI processors is expected to be significant in the coming years because of computing megatrends like cloud technology and 5G and increased AI adoption, and we believe Graphcore is poised to be a leader in this space,” said Olivia Steedman, senior managing director, Teachers’ Innovation Platform (TIP) at Ontario Teachers’. “TIP focuses on investing in tech-enabled businesses like Graphcore that are at the forefront of innovation in their sector. We are excited to partner with Nigel and the strong management team to support the company’s continued growth and product development.”

VMware files suit against former exec for moving to rival company

Earlier this month, when Nutanix announced it was hiring former VMware COO Rajiv Ramaswami as CEO, it looked like a good match. What’s more, it pulled a key player from a market rival. Well, it seems VMware took exception to losing the executive, and filed a lawsuit against him yesterday for breach of contract.

The company is claiming that Ramaswami had inside knowledge of the key plans of his former company and that he should have told them that he was interviewing for a job at a rival organization.

Rajiv Ramaswami failed to honor his fiduciary and contractual obligations to VMware. For at least two months before resigning from the company, at the same time he was working with senior leadership to shape VMware’s key strategic vision and direction, Mr. Ramaswami also was secretly meeting with at least the CEO, CFO, and apparently the entire Board of Directors of Nutanix, Inc. to become Nutanix’s Chief Executive Officer. He joined Nutanix as its CEO only two days after leaving VMware,” the company wrote in a statement.

As you can imagine, Nutanix didn’t agree, countering in a statement of its own that, “VMware’s lawsuit seeks to make interviewing for a new job wrongful. We view VMware’s misguided action as a response to losing a deeply valued and respected member of its leadership team. Mr. Ramaswami and Nutanix have gone above and beyond to be proactive and cooperative with VMware throughout the transition.”

At the time of the hiring, analyst Holger Mueller from Constellation Research noted that the two companies were primary competitors and hiring Ramawami was was a big win for Nutanix. “So hiring Ramaswami brings both an expert for multicloud to the Nutanix helm, as well as weakening a key competitor from a talent perspective,” he told me earlier this month.

Mueller doesn’t see much chance of the suit succeeding. “It’s been a long time since the last lawsuit happened in Silicon Valley [involving] a tech exec jumping ship. Being an ’employment at will’ state, these suits are typically unsuccessful,” he told me this morning.

He added, “The interesting part of the VMware v. Nutanix lawsuit is, does a high-ranking executive interviewing with a competitor equal a break of confidentiality by itself, or does material information have to be breached to reach the point. Traditionally the right to (confidentially) interview has been protected by the courts,” he said.

It’s unclear what the end game would be in this type of legal action, but it does complicate matters for Nutanix as it transitions to a new chief executive. Ramaswami took over from co-founder Dheeraj Pandey, who announced plans to leave the post last summer.

The lawsuit was filed Monday in Superior Court of the State of California, County of Santa Clara.

CommonGround raises $19M to rethink online communication

CommonGround, a startup developing technology for what its founders describe as “4D collaboration,” is announcing that it has raised $19 million in funding.

This isn’t the first time Amir Bassan-Eskenazi and Ran Oz have launched a startup together — they also founded video networking company BigBand Networks, which won two technology-related Emmy Awards, went public in 2007 and was acquired by Arris Group in 2011. Before that, they worked together at digital compression company Optibase, which Oz co-founded and where Bassan-Eskenazi served as COO.

Although CommonGround is still in stealth mode and doesn’t plan to fully unveil its first product until next year, Bassan-Eskenazi and Oz outlined their vision for me. They acknowledged that video conferencing has improved significantly, but said it still can’t match face-to-face communication.

“Some things you just cannot achieve through a flat video-conferencing-type solution,” Bassan-Eskenazi said. “Those got better over the years, but they never managed to achieve that thing where you walk into a bar … and there’s a group of people talking and you know immediately who is a little taken aback, who is excited, who is kind of ‘eh.’”

CommonGround founders Amir Bassan-Eskenazi and Ran Oz

CommonGround founders Amir Bassan-Eskenazi and Ran Oz. Image Credits: CommonGround

That, essentially, is what Bassan-Eskenazi, Oz and their team are trying to build — online collaboration software that more fully captures the nuances of in-person communication, and actually improves on face-to-face conversations in some ways (hence the 4D moniker). Asked whether this involves combining video conferencing with other collaboration tools, Oz replied, “Think of it as beyond video,” using technology like computer vision and graphics.

Bassan-Eskenazi added that they’ve been working on CommonGround for more than year, so this isn’t just a response to our current stay-at-home environment. And the opportunity should still be massive as offices reopen next year.

“When we started this, it was a problem we thought some of the workforce would understand,” he said. “Now my mother understands it, because it’s how she reads to the grandkids.”

As for the funding, the round was led by Matrix Partners, with participation from Grove Ventures and StageOne Ventures.

“Amir and Ran have a bold vision to reinvent communications,” said Matrix General Partner Patrick Malatack in a statement. “Their technical expertise, combined with a history of successful exits, made for an easy investment decision.”

12 Months of Fighting Cybercrime | SentinelLabs 2020 Review

SentinelLabs came into being at the back end of 2019 as a means of providing value to the cyber security community by focusing on research and threat intelligence unavailable elsewhere. In an action-packed 13 months or so since then, we have published 65 posts on malware, ransomware, phishing campaigns, threat actors, software vulnerabilities and cybercrime fighting tools, and we have plenty more research and intelligence coming in 2021, too!

Looking back over the last 12 months, we have seen the cybercrime story unsurprisingly dominated by social engineering and malware campaigns themed around the COVID-19 pandemic. But there was also a lot of other things going on this year, from an explosion in RaaS (ransomware as a service) offerings and victim data exploitation with operators like Maze and Egregor, to a unique macOS ransomware/spyware campaign and, notably, the SUNBURST SolarWinds Orion supply chain attack.

Of course, you can catch up on all our research and threat intelligence posts over at SentinelLabs, but for a quick recap on some of the main highlights, take a scroll through our 2020 timeline below.

January

Following on from SentinelLabs’ groundbreaking discovery of the TrickBot Anchor malware at the end of 2019, our first research post of 2020 broke news of a new TrickBot backdoor called “PowerTrick”. Built for stealth, persistence and reconnaissance, PowerTrick is deployed inside infected high-value targets such as financial institutions.

Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets

February

North Korean cybercrime actors, specifically the Lazarus group (aka ‘Hidden Cobra’), have a long and storied history of destructive cyber attacks. 2020 was no different for the APT group, with campaigns targeting macOS as well as the Windows platforms. SentinelLabs rounded up a collection of this adversary’s toolsets, including Bistromath, Hoplight, Slickshoes and more.

DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity

March

TA5050 is crimeware group that has been around since at least 2014 and associated with a variety of advanced malware families, including Dridex, FlawedAmmyy, SDBot, TrickBot and Get2, a downloader used to deliver any of the above (and others). SentinelLabs developed a unique unpacker for the crypter used to obfuscate Get2 DLLs utilizing SMT.

Breaking TA505’s Crypter with an SMT Solver

April

More generally known as a banking malware trojan, the IcedID botnet was also deployed during 2020 to take advantage of the COVID-19 pandemic and to engage in a spot of tax fraud. SentinelLabs was the first to uncover how the infamous IcedID botnet uses social engineering and custom PowerShell uploaders to steal documents related to the victim’s identity and tax returns.

IcedID Botnet | The Iceman Goes Phishing for US Tax Returns

May

Understanding how APT actors operate is key to protecting your organization. SentinelOne’s Vigilance MDR team revealed how their Incident Response procedure uncovered an APT actor’s entry point, lateral movement, and persistence mechanisms.

The Anatomy of an APT Attack and Cobalt Strike Beacon’s Encoded Configuration

June

This year, NetWalker ransomware, like many others, evolved into a RaaS (ransomware as a service) offering and also incorporated data leakage extortion into its repertoire. SentinelLabs revealed affiliate preconditions, technical details, and victim exploitation associated with the NetWalker RaaS.

NetWalker Ransomware: No Respite, No English Required

July

A rare case of ransomware came to the macOS platform in 2020, variously called ‘EvilQuest’, ‘ThiefQuest’ and ‘MacRansom.K’. SentinelLabs researchers were the first to reverse the encryption routine used in the malware and to release a public decryptor for any unfortunate victims.

Breaking EvilQuest | Reversing A Custom macOS Ransomware File Encryption Routine

August

Right up until August, Maze was one of the most widespread and successful ransomware threats out there. Maze’s success can in part be attributed to the fact that attacks are customized by human operators to exploit the particular environment of victims. SentinelLabs caught one in action and detailed the attacker’s moves.

Case Study: Catching a Human-Operated Maze Ransomware Attack In Action

September

From the earliest months of the pandemic, threat actors exploited the COVID-19 coronavirus in multiple ways. This rolling blog post began in February and details the phishing campaigns and other social engineering lures seen by SentinelLabs throughout the year.

Threat Intel | Cyber Attacks Leveraging the COVID-19/CoronaVirus Pandemic

October

In October, CISA released an urgent advisory warning that cybercriminals were targeting the Healthcare and Public Health (HPH) sector with Ryuk and Conti ransomware. The threat actors relied heavily on Anchor, a Trickbot derivative, as a loader to infect victims, and leveraged both DNS tunneling and ICMP for C2 communications. SentinelLabs was the first to uncover and reverse the ICMP component of the Anchor module.

Anchor Project for Trickbot Adds ICMP

November

Widely-believed to be the successor to the Maze ransomware, Egregor appeared around mid-September and has already been associated with cyberattacks against GEFCO and Barnes & Noble, Ubisoft, and numerous others. SentinelLabs detailed its payload, leveraging of Cobalt Strike and Rclone, and its post-compromise behavior.

Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone

December

The final month of 2020 revealed that a nation-state actor had been running a campaign since at least April via what may turn out to be one of the most damaging supply chain attacks of all time, the compromise of SolarWinds Orion, first detected in the environment of cyber security outfit FireEye. While we were able to validate that no SentinelOne customers were victims of this wide-ranging breach, many others were not so lucky and the fall out from SUNBURST is likely to continue into 2021. SentinelLabs took a look inside the SUNBURST backdoor and the dropped SUPERNOVA webshell trojan.

SolarWinds | Understanding & Detecting the SUPERNOVA Webshell Trojan

Conclusion

2020 turned out to be a busy twelve months for all those involved in fighting cybercrime, and for SentinelLabs’ researchers, there was no shortage of threats and threat intelligence to keep on top of. And of course, we’ll be right there with you throughout this coming year and beyond.

To all, we wish a happy and secure New Year and 2021. Ensure that you keep your organization, endpoints, network and cloud infrastructure safe with SentinelOne’s award-winning Singularity platform, and keep your security team up-to-date with SentinelLabs’ original and timely research.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

The Good, the Bad and the Ugly in Cybersecurity – Week 51

The Good

2020 has seen many international operations against cybercriminals and cybercrime infrastracture. This week, we were pleased to learn that law enforcement agencies continue the good fight with another impressive operation. Operation Nova, a coordinated law enforcement operation led by the German Police, Europol, the FBI and other law enforcement agencies from around the world, resulted in the takedown of Safe-Inet, a virtual private network (VPN) used by a number of prominent cybercrime groups.

The Safe-Inet service was shut down and its infrastructure seized in Germany, the Netherlands, Switzerland, France and the United States.

The VPN service was active for over a decade and was used by ransomware operators and other cybercriminals to cover their tracks. The service was sold at a high price and billed as “one of the best tools available to avoid law enforcement detection”, offering up to five layers of anonymous VPN connections.

The Head of Europol’s European Cybercrime Centre, Edvardas Šileris said:

“The strong working relationship fostered by Europol between the investigators involved in this case on either side of the world was central in bringing down this service. Criminals can run but they cannot hide from law enforcement, and we will continue working tirelessly together with our partners to outsmart them.”

The Bad

Cryptocurrencies are all the rage at the moment. The main currency, Bitcoin, has reached new heights, carrying with it the entire crypto market. But before these currencies can really become mainstream, there are several security challenges regarding the trade and safekeeping of cryptocurrency that remain to be solved. Case in point: cryptocurrency wallet company Ledger was breached earlier this year, and this week the details of 272,000 customers, including names, mailing addresses, and phone numbers were dumped online to Raidforums, a site for sharing hacked databases.

France-based Ledger reported back in July that it had discovered a breach of its e-commerce and marketing databases resulting in the theft of customer email addresses. The publishing of the database now increases the likelihood of Ledger customers becoming victims of phishing attacks by cybercriminals who will try to obtain their private keys. There have even been some reports of personal threats with violence.

There are crypto troubles on the other side of the English channel, too. British cryptocurrency exchange outfit EXMO disclosed Monday that its hot wallets had been compromised. It is unknown how the hackers were able to breach EXMO, but it is estimated that the company has lost over $10 million from the hot wallet breach, or about 6% of its total crypto assets.

In a statement, EXMO has notified its clients about the breach and warned them not to deposit any funds to existing wallets. Meanwhile, all withdrawal activity has been suspended.

The Ugly

The European Court of Human Rights has been hit by a cyberattack and taken offline since Tuesday. The attack came after the court published a ruling to release the incarcerated former leader of the pro-Kurdish Peoples’ Democratic Party (HDP), Selahattin Demirtaş. The Court found that the detention of 47-year-old Demirtaş, which has lasted more than four years, goes against “the very core of the concept of a democratic society.”

Anka Neferler Tim, a Turkish hacktivist group, took responsibility for the attack on their Facebook, Twitter and Youtube accounts:

“The website of the European Court of Human Rights, who wanted Selahattin Demirta aş’s release, has been closed due to our attacks. We are not opening the site until they make an apology statement!”

As of the time of writing, the site is still unavailable. It is unknown which type of attack took place, but given Anka Neferler Tim’s history, it’s most likely a DDoS attack.

The European Court of Human Rights provided this statement:

“Following the delivery of the Selahattin Demirtas v. Turkey (no. 2) judgment on 22 December, the website of the European Court of Human Rights was the subject of a large-scale cyberattack which has made it temporarily inaccessible. The Court strongly deplores this serious incident. The competent services are currently making every effort to remedy the situation as soon as possible.”

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Looking ahead after 2020’s epic M&A spree

When we examine any year in enterprise M&A, it’s tempting to highlight the biggest, gaudiest deals — and there were plenty of those in 2020. I’ve written about 34 acquisitions so far this year. Of those, 15 were worth $1 billion or more, 12 were small enough to not require that the companies disclose the price and the remainder fell somewhere in between.

Four deals involving chip companies coming together totaled over $100 billion on their own. While nobody does eye-popping M&A quite like the chip industry, other sectors also offered their own eyebrow-raising deals, led by Salesforce buying Slack earlier this month for $27.7 billion.

We are likely to see more industries consolidate the way chips did in 2020, albeit probably not quite as dramatically or expensively.

Yet in spite of the drama of these larger numbers, the most interesting targets to me were the pandemic-driven smaller deals that started popping up in May. Those small acquisitions are the ones that are so insignificant that the company doesn’t have to share the purchase price publicly. They usually involve early-stage companies being absorbed by cash-rich concerns looking for some combination of missing technology or engineering talent in a particular area like security or artificial intelligence.

It was certainly an active year in M&A, and we still might not have seen the last of it. Let’s have a look at why those minor deals were so interesting and how they compared with larger ones, while looking ahead to what 2021 M&A might look like.

Early-stage blues

It’s always hard to know exactly why an early-stage startup would give up its independence by selling to a larger entity, but we can certainly speculate on some of the reasons why this year’s rapid-fire dealing started in May. While we can never know for certain why these companies decided to exit via acquisition, we know that in April, the pandemic hit full force in the United States and the economy began to shut down.

Some startups were particularly vulnerable, especially companies low on cash in the April timeframe. Obviously companies fail when they run out of funding, and we started seeing early-stage startups being scooped up the following month.

We don’t know for sure of course if there is a direct correlation between April’s economic woes and the flurry of deals that started in May, but we can reasonably speculate that there was. For some percentage of them, I’m guessing it was a fire sale or at least a deal made under less than ideal terms. For others, maybe they simply didn’t have the wherewithal to keep going under such adverse economic conditions or the partnerships were just too good to pass up.

It’s worth noting that I didn’t cover any deals in April. But, beginning on May 7, Zoom bought Keybase for its encryption expertise; five days later Atlassian bought Halp for Slack integration; and the day after that VMware bought cloud native security startup Octarine — and we were off and running. Granted the big companies benefited from making these acquisitions, but the timing stood out.