Twitter taps AWS for its latest foray into the public cloud

/0 Comments/in /by

Twitter has a lot going on, and it’s not always easy to manage that kind of scale on your own. Today, Amazon announced that Twitter has signed a multi-year agreement with AWS to run its real-time timelines. It’s a major win for Amazon’s cloud arm.

While the companies have worked together in some capacity for over a decade, this marks the first time that Twitter is tapping AWS to help run its core timelines.

“This expansion onto AWS marks the first time that Twitter is leveraging the public cloud to scale their real-time service. Twitter will rely on the breadth and depth of AWS, including capabilities in compute, containers, storage and security, to reliably deliver the real-time service with the lowest latency, while continuing to develop and deploy new features to improve how people use Twitter,” the company explained in the announcement.

AWS announces new ARM-based instances with Graviton2 processors

Parag Agrawal, chief technology officer at Twitter, sees this as a way to expand and improve the company’s real-time offerings by taking advantage of AWS’s network of data centers to deliver content closer to the user. “The collaboration with AWS will improve performance for people who use Twitter by enabling us to serve Tweets from data centers closer to our customers at the same time as we leverage the Arm-based architecture of AWS Graviton2 instances. In addition to helping us scale our infrastructure, this work with AWS enables us to ship features faster as we apply AWS’s diverse and growing portfolio of services,” Agrawal said in a statement.

It’s worth noting that Twitter also has a relationship with Google Cloud. In 2018, it announced it was moving its Hadoop clusters to GCP.

This announcement could be considered a case of the rich getting richer as AWS is the leader in the cloud infrastructure market by far, with around 33% market share. Microsoft is in second with around 18% and Google is in third with 9%, according to Synergy Research. In its most recent earnings report, Amazon reported $11.6 billion in AWS revenue, putting it on a run rate of over $46 billion.

Twitter is moving a portion of its infrastructure to Google Cloud

AWS introduces new Chaos Engineering as a Service offering

/0 Comments/in /by

When large companies like Netflix or Amazon want to test the resilience of their systems, they use chaos engineering tools designed to help them simulate worst-case scenarios and find potential issues before they even happen. Today at AWS re:Invent, Amazon CTO Werner Vogels introduced the company’s Chaos Engineering as a Service offering called AWS Fault Injection Simulator.

The name may lack a certain marketing panache, but Vogels said that the service is designed to help bring this capability to all companies. “We believe that chaos engineering is for everyone, not just shops running at Amazon or Netflix scale. And that’s why today I’m excited to pre-announce a new service built to simplify the process of running chaos experiments in the cloud,” Vogels said.

As he explained, the goal of chaos engineering is to understand how your application responds to issues by injecting failures into your application, usually running these experiments against production systems. AWS Fault Injection Simulator offers a fully managed service to run these experiments on applications running on AWS hardware.

AWS Fault Injection Simulator workflow.

Image Credits: Amazon / Getty Images

“FIS makes it easy to run safe experiments. We built it to follow the typical chaos experimental workflow where you understand your steady state, set a hypothesis and inject faults into your application. When the experiment is over, FIS will tell you if your hypothesis was confirmed, and you can use the data collected by CloudWatch to decide where you need to make improvements,” he explained.

While the company was announcing the service today, Vogels indicated it won’t actually be available until some time next year.

It’s worth noting that there are other similar services out there by companies, like Gremlin, which are already providing a broad Chaos Engineering Service as a Service offering.

Gremlin brings Chaos Engineering as a Service to Kubernetes

Vista’s $3.5B purchase of Pluralsight signals a maturing edtech market

/0 Comments/in /by

On Monday, Pluralsight, a Utah-based startup that sells software development courses to enterprises, announced that it has been acquired by Vista for $3.5 billion.

The deal, yet to close, is one of the largest enterprise buys of the year: Vista is getting an online training company that helps retrain techies with in-demand skills through online courses in the midst of a booming edtech market. Additionally, the sector is losing one of its few publicly traded companies just two years after it debuted on the stock market.

The Pluralsight acquisition is largely a positive signal that shows the strength of edtech’s capital options as the pandemic continues.

Investors and founders told Techcrunch that the Pluralsight acquisition is largely a positive signal that shows the strength of edtech’s capital options as the pandemic continues.

“What’s happening in edtech is that capital markets are liquidating,” said Deborah Quazzo, managing partner of GSV Advisors.

Quazzo, a seed investor in Pluralsight, said the ability to move fluidly between privately held and publicly held companies is a characteristic of tech sectors with deep capital markets, which is different from edtech’s “old days, where the options to exit were very narrow.”

SolarWinds Hack Could Affect 18K Customers

/0 Comments/in /by

The still-unfolding breach at network management software firm SolarWinds may have resulted in malicious code being pushed to nearly 18,000 customers, the company said in a legal filing on Monday. Meanwhile, Microsoft should soon have some idea which and how many SolarWinds customers were affected, as it recently took possession of a key domain name used by the intruders to control infected systems.

On Dec. 13, SolarWinds acknowledged that hackers had inserted malware into a service that provided software updates for its Orion platform, a suite of products broadly used across the U.S. federal government and Fortune 500 firms to monitor the health of their IT networks.

In a Dec. 14 filing with the U.S. Securities and Exchange Commission (SEC), SolarWinds said roughly 33,000 of its more than 300,000 customers were Orion customers, and that fewer than 18,000 customers may have had an installation of the Orion product that contained the malicious code. SolarWinds said the intrusion also compromised its Microsoft Office 365 accounts.

The initial breach disclosure from SolarWinds came five days after cybersecurity incident response firm FireEye announced it had suffered an intrusion that resulted in the theft of some 300 proprietary software tools the company provides to clients to help secure their IT operations.

On Dec. 13, FireEye published a detailed writeup on the malware infrastructure used in the SolarWinds compromise, presenting evidence that the Orion software was first compromised back in March 2020. FireEye didn’t explicitly say its own intrusion was the result of the SolarWinds hack, but the company confirmed as much to KrebsOnSecurity earlier today.

Also on Dec. 13, news broke that the SolarWinds hack resulted in attackers reading the email communications at the U.S. Treasury and Commerce departments.

On Dec. 14, Reuters reported the SolarWinds intrusion also had been used to infiltrate computer networks at the U.S. Department of Homeland Security (DHS). That disclosure came less than 24 hours after DHS’s Cybersecurity and Infrastructure Security Agency (CISA) took the unusual step of issuing an emergency directive ordering all federal agencies to immediately disconnect the affected Orion products from their networks.

ANALYSIS

Security experts have been speculating as to the extent of the damage from the SolarWinds hack, combing through details in the FireEye analysis and elsewhere for clues about how many other organizations may have been hit.

And it seems that Microsoft may now be in perhaps the best position to take stock of the carnage. That’s because sometime on Dec. 14, the software giant took control over a key domain name — avsvmcloud[.]com — that was used by the SolarWinds hackers to communicate with systems compromised by the backdoored Orion product updates.



Armed with that access, Microsoft should be able to tell which organizations have IT systems that are still trying to ping the malicious domain. However, because many Internet service providers and affected companies are already blocking systems from accessing that malicious control domain or have disconnected the vulnerable Orion services, Microsoft’s visibility may be somewhat limited.

Microsoft has a long history of working with federal investigators and the U.S. courts to seize control over domains involved in global malware menaces, particularly when those sites are being used primarily to attack Microsoft Windows customers.

Microsoft dodged direct questions about its visibility into the malware control domain, suggesting those queries would be better put to FireEye or GoDaddy (the current domain registrar for the malware control server). But in a response on Twitter, Microsoft spokesperson Jeff Jones seemed to confirm that control of the malicious domain had changed hands.

“We worked closely with FireEye, Microsoft and others to help keep the internet safe and secure,” GoDaddy said in a written statement. “Due to an ongoing investigation and our customer privacy policy, we can’t comment further at this time.”

FireEye declined to answer questions about exactly when it learned of its own intrusion via the Orion compromise, or approximately when attackers first started offloading sensitive tools from FireEye’s network. But the question is an interesting one because its answer may speak to the motivations and priorities of the hackers.

Based on the timeline known so far, the perpetrators of this elaborate hack would have had a fairly good idea back in March which of SolarWinds’ 18,000 Orion customers were worth targeting, and perhaps even in what order.

Alan Paller, director of research for the SANS Institute, a security education and training company based in Maryland, said the attackers likely chose to prioritize their targets based on some calculation of risk versus reward.

Paller said the bad guys probably sought to balance the perceived strategic value of compromising each target with the relative likelihood that exploiting them might result in the entire operation being found out and dismantled.

“The way this probably played out is the guy running the cybercrime team asked his people to build a spreadsheet where they ranked targets by the value of what they could get from each victim,” Paller said. “And then next to that they likely put a score for how good the malware hunters are at the targets, and said let’s first go after the highest priority ones that have a hunter score of less than a certain amount.”

The breach at SolarWinds could well turn into an existential event for the company, depending on how customers react and how SolarWinds is able to weather the lawsuits that will almost certainly ensue.

“The lawsuits are coming, and I hope they have a good general counsel,” said James Lewis, senior vice president at the Center for Strategic and International Studies. “Now that the government is telling people to turn off [the SolarWinds] software, the question is will anyone turn it back on?”

According to its SEC filing, total revenue from the Orion products across all customers — including those who may have had an installation of the Orion products that contained the malicious update — was approximately $343 million, or roughly 45 percent of the firm’s total revenue. SolarWinds’ stock price has fallen 25 percent since news of the breach first broke.

Some of the legal and regulatory fallout may hinge on what SolarWinds knew or should have known about the incident, when, and how it responded. For example, Vinoth Kumar, a cybersecurity “bug hunter” who has earned cash bounties and recognition from multiple companies for reporting security flaws in their products and services, posted on Twitter that he notified SolarWinds in November 2019 that the company’s software download website was protected by a simple password that was published in the clear on SolarWinds’ code repository at Github.

Andrew Morris, founder of the security firm GreyNoise Intelligence, on said that as of Tuesday evening SolarWinds still hadn’t removed the compromised Orion software updates from its distribution server.

Another open question is how or whether the incoming U.S. Congress and presidential administration will react to this apparently broad cybersecurity event. CSIS’s Lewis says he doubts lawmakers will be able to agree on any legislative response, but he said it’s likely the Biden administration will do something.

“It will be a good new focus for DHS, and the administration can issue an executive order that says federal agencies with regulatory authority need to manage these things better,” Lewis said. “But whoever did this couldn’t have picked a better time to cause a problem, because their timing almost guarantees a fumbled U.S. response.”

German Bionic raises $20M led by Samsung for exoskeleton tech to supercharge human labor

/0 Comments/in /by

Exoskeleton technology has been one of the more interesting developments in the world of robotics: Instead of building machines that replace humans altogether, build hardware that humans can wear to supercharge their abilities. Today, German Bionic, one of the startups designing exoskeletons specifically aimed at industrial and physical applications — it describes its Cray X robot as “the world’s first connected exoskeleton for industrial use,” that is, to help people lifting and working with heavy objects, providing more power, precision and safety — is announcing a funding round that underscores the opportunity ahead.

The Augsburg, Germany-based company has raised $20 million, funding that it plans to use to continue building out its business, as well as its technology, both in terms of the hardware and the cloud-based software platform, German Bionic IO, that works with the exoskeletons to optimize them and help them “learn” to work better.

The Cray X currently can compensate up to 30 kg for each lifting movement, the company says.

“With our groundbreaking robotic technology that combines human work with the industrial Internet of Things (IIoT), we literally strengthen the shop floor workers’ backs in an immediate and sustainable way. Measurable data underscores that this ultimately increases productivity and the efficiency of the work done,” says Armin G. Schmidt, CEO of German Bionic, in a statement. “The market for smart human-machine systems is huge and we are now perfectly positioned to take a major share and substantially improve numerous working lives.”

The Series A is being co-led by Samsung Catalyst Fund, a strategic investment arm from the hardware giant, and German investor MIG AG, one of the original backers of BioNtech, the breakthrough company that’s developed the first COVID-19 vaccine to be rolled out globally.

Storm Ventures, Benhamou Global Ventures (founded and led by Eric Benhamou, who was the founding CEO of Palm and before that the CEO of 3com) and IT Farm also participated. Previously, German Bionic had only raised $3.5 million in seed funding (with IT Farm, Atlantic Labs and individual investors participating).

German Bionic’s rise comes at an interesting moment in terms of how automation and cloud technology are sweeping the world of work. When people talk about the next generation of industrial work, the focus is usually on more automation and the rise of robots to replace humans in different stages of production.

But at the same time, some robotics technologists have worked on another idea. Because we’re probably still a long way away from being able to make robots that are just like humans, but better in terms of cognition and all movements, instead, create hardware that doesn’t replace, but augments, live laborers, to help make them stronger while still being able to retain the reliable and fine-tuned expertise of those humans.

The argument for more automation in industrial settings has taken on a more pointed urgency in recent times, with the rise of the COVID-19 health pandemic: Factories have been one of the focus points for outbreaks, and the tendency has been to reduce physical contact and proximity to reduce the spread of the virus.

Exoskeletons don’t really address that aspect of COVID-19 — even if you might require less of them as a result of using exoskeletons, you still require humans to wear them, after all — but the general focus that automation has had has brought more attention to the opportunity of using them.

And in any case, even putting the pandemic to one side, we are still a long way away from cost-effective robots that completely replace humans in all situations. So, as we roll out vaccinations and develop a better understanding of how the virus operates, this still means a strong market for the exoskeleton concept, which analysts (quoted by German Bionic) predict could be worth as much as $20 billion by 2030.

In that context, it’s interesting to consider Samsung as an investor: The company itself, as one of the world’s leading consumer electronics and industrial electronics providers, is a manufacturing powerhouse in its own right. But it also makes equipment for others to use in their industrial work, both as a direct brand and through subsidiaries like Harman. It’s not clear which of these use cases interests Samsung: whether to use the Cray X in its own manufacturing and logistics work, or whether to become a strategic partner in manufacturing these for others. It could easily be both.

“We are pleased to support German Bionic in its continued development of world-leading exoskeleton technology,” says Young Sohn, corporate president and chief strategy officer for Samsung Electronics and chairman of the board, Harman, in a statement. “Exoskeleton technologies have great promise in enhancing human’s health, wellbeing and productivity. We believe that it can be a transformative technology with mass market potential.”

German Bionic describes its Cray X as a “self-learning power suit” aimed primarily at reinforcing lifting movements and to safeguard the wearer from making bad calls that could cause injuries. That could apply both to those in factories, or those in warehouses, or even sole trader mechanics working in your local garage. The company is not disclosing a list of customers, except to note that it includes, in the words of a spokesperson, “a big logistics player, industrial producers and infrastructure hubs.” One of these, the Stuttgart Airport, is highlighted on its site.  

Roam debuts a robotic exoskeleton for skiers

“Previously, efficiency gains and health promotion in manual labor were often at odds with one another. German Bionic Systems managed to not only break through this paradigm, but also to make manual labor a part of the digital transformation and elegantly integrate it into the smart factory,” says Michael Motschmann, managing partner with MIG in a statement. “We see immense potential with the company and are particularly happy to be working together with a first-class team of experienced entrepreneurs and engineers.”

Exoskeletons as a concept have been around for over a decade already — MIT developed its first exoskeleton, aimed to help soldiers carrying heavy loads — back in 2007, but advancements in cloud computing, smaller processors for the hardware itself and artificial intelligence have really opened up the idea of where and how these might augment humans. In addition to industry, some of the other applications have included helping people with knee injuries (or looking to avoid knee injuries!) ski better, and for medical purposes, although the recent pandemic has put a strain on some of these use cases, leading to indefinite pauses in production.

Vista acquires IT education platform Pluralsight for $3.5B

/0 Comments/in /by

The hectic M&A cycle we have seen throughout 2020 continued this weekend when Vista Equity Partners announced it was acquiring Pluralsight for $3.5 billion.

That comes out to $20.26 per share. The company stock closed on Friday at $18.50 per share on a market cap of over $2.7 billion.

With Pluralsight, Vista gets an online training company that helps educate IT professionals, including developers, operations, data and security, with a suite of online courses. As the pandemic has taken hold, it has breathed new life into edtech, but even before that, there was a market for upskilling IT Pros online.

This trend certainly didn’t escape Monti Saroya, co-head of the Vista Flagship Fund and senior managing director at Vista. “We have seen firsthand that the demand for skilled software engineers continues to outstrip supply, and we expect this trend to persist as we move into a hybrid online-offline world across all industries and interactions, with business leaders recognizing that technological innovation is critical to business success,” he said in a statement.

Pluralsight prices its IPO at $15 per share, raising over $300M

As is typical for acquired companies, Pluralsight CEO Aaron Skonnard sees this as a way to grow the company more quickly. “The global Vista ecosystem of leading enterprise software companies provides significant resources and institutional knowledge that will open doors and help fuel our growth. We’re thrilled that we will be able to leverage Vista’s expertise to further strengthen our market leading position,” Skonnard said in a statement.

In a 2017 interview with TechCrunch’s Sarah Buhr, Skonnard described the company as an enterprise SaaS learning platform. It goes beyond simply offering the courses by giving professionals in a given category such as developer or IT operations the ability to measure their skills and abilities against other pros in that category. He saw this assessment capability as a big differentiator.

“Our platform is ultimately focused on closing the technology skills gap throughout the world,” Skonnard told Buhr.

Pluralsight, which was founded in 2004, raised more than $190 million before going public in 2018. The company has 1,700 employees and more than 17,000 customers. The acquisition is subject to standard regulatory oversight, but is expected to close in the first half of next year. Once that happens, the company will go private once again.

Private equity firms can offer enterprise startups a viable exit option

iCIMS acquires video recruiting startup Altru for $60M

/0 Comments/in /by

Enterprise recruiting company iCIMS is announcing that it has acquired Altru.

ICIMS declined to comment on the terms of the deal, but a source with knowledge of the companies told us that the price is a combination of cash and stock, totaling around $60 million.

Founded in 2000, iCIMS offers a “talent cloud” used by more than 4,000 employers to attract, engage and hire new employees, and to help existing employees continue to develop their careers.

Former Marketo chief executive Steve Lucas became CEO in February, and he told me that the recruiting world is overdue for reinvention. After all, every company says they want to hire the most talented people around, so he wondered, “Well, okay, if you want that, why do you create such boring content? Why do you take a job that is exciting and should demand amazing human beings and create this super boring job description?”

Lucas sees video as a key piece of the solution, allowing companies to bring more “authenticity” to what can be a stuffy and bureaucratic process. Just over a month ago, iCIMS announced another acquisition in this area — Paris-based Easyrecrue.

Altru raises $1.3M to improve recruiting with employee videos

Lucas said that while Easyrecrue has created tools to enrich video interviews, Altru can be most helpful earlier in the recruiting process, when companies are trying to stay connected with the most promising candidates and get them excited about a potential job.

Altru CEO Alykhan Rehmatullah (who founded the startup with CTO Vincent Polidoro — they’re both pictured above) told me that while the company started out with a focus on recording and sharing employee videos for recruitment, its asynchronous videos are becoming used more broadly across companies. He suggested that’s particularly true this year, while teams are working from home and everyone’s looking for ways to communicate that are more expressive than Slack and don’t require putting “another 30-minute Zoom call on your calendar.”

In fact, Lucas said that before talking to me, he’d actually been recording videos on Altru to explain the acquisition to his own team. He praised the platform’s ease of use, joking, “If I can use this thing, anybody can use it.”

Rehmatullah said the entire Altru team will be joining iCIMS, where he’ll become vice president of content strategy. The goal is to continue operating Altru as a standalone product while also finding new ways to integrate it into the iCIMS platform.

Altru previously raised a total of $1.3 million from Birchmere Ventures, Active Capital and Techstars.

Why CEOs should spend up to half their time recruiting

5 questions every IT team should be able to answer

/0 Comments/in /by
Christy Wyatt
Contributor

Christy Wyatt is Chief Executive Officer and a member of the board of directors at Absolute, a leader in endpoint resilience solutions and the industry’s only undeletable defense platform embedded in over a half-billion devices.

Now more than ever, IT teams play a vital role in keeping their businesses running smoothly and securely. With all of the assets and data that are now broadly distributed, a CEO depends on their IT team to ensure employees remain connected and productive and that sensitive data remains protected.

CEOs often visualize and measure things in terms of dollars and cents, and in the face of continuing uncertainty, IT — along with most other parts of the business — is facing intense scrutiny and tightening of budgets. So, it is more important than ever to be able to demonstrate that they’ve made sound technology investments and have the agility needed to operate successfully in the face of continued uncertainty.

For a CEO to properly understand risk exposure and make the right investments, IT departments have to be able to confidently communicate what types of data are on any given device at any given time.

Here are five questions that IT teams should be ready to answer when their CEO comes calling:

What have we spent our money on?

Or, more specifically, exactly how many assets do we have? And, do we know where they are? While these seem like basic questions, they can be shockingly difficult to answer … much more difficult than people realize. The last several months in the wake of the COVID-19 outbreak have been the proof point.

With the mass exodus of machines leaving the building and disconnecting from the corporate network, many IT leaders found themselves guessing just how many devices had been released into the wild and gone home with employees.

One CIO we spoke to estimated they had “somewhere between 30,000 and 50,000 devices” that went home with employees, meaning there could have been up to 20,000 that were completely unaccounted for. The complexity was further compounded as old devices were pulled out of desk drawers and storage closets to get something into the hands of employees who were not equipped to work remotely. Companies had endpoints connecting to corporate network and systems that they hadn’t seen for years — meaning they were out-of-date from a security perspective as well.

This level of uncertainty is obviously unsustainable and introduces a tremendous amount of security risk. Every endpoint that goes unaccounted for not only means wasted spend but also increased vulnerability, greater potential for breach or compliance violation, and more. In order to mitigate these risks, there needs to be a permanent connection to every device that can tell you exactly how many assets you have deployed at any given time — whether they are in the building or out in the wild.

Are our devices and data protected?

Device and data security go hand in hand; without the ability to see every device that is deployed across an organization, it becomes next to impossible to know what data is living on those devices. When employees know they are leaving the building and going to be off network, they tend to engage in “data hoarding.”

U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise

/0 Comments/in /by

Communications at the U.S. Treasury and Commerce Departments were reportedly compromised by a supply chain attack on SolarWinds, a security vendor that helps the federal government and a range of Fortune 500 companies monitor the health of their IT networks. Given the breadth of the company’s customer base, experts say the incident may be just the first of many such disclosures.

Some of SolarWinds’ customers. Source: solarwinds.com

According to a Reuters story, hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments. Reuters reports the attackers were able to surreptitiously tamper with updates released by SolarWinds for its Orion platform, a suite of network management tools.

In a security advisory, Austin, Texas based SolarWinds acknowledged its systems “experienced a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.”

In response to the intrusions at Treasury and Commerce, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) took the unusual step of issuing an emergency directive ordering all federal agencies to immediately disconnect the affected Orion products from their networks.

“Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed,” CISA advised.

A blog post by Microsoft says the attackers were able to add malicious code to software updates provided by SolarWinds for Orion users. “This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials,” Microsoft wrote.

From there, the attackers would be able to forge single sign-on tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts on the network.

“Using highly privileged accounts acquired through the technique above or other means, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application,” Microsoft explained.

Malicious code added to an Orion software update may have gone undetected by antivirus software and other security tools on host systems thanks in part to guidance from SolarWinds itself. In this support advisory, SolarWinds says its products may not work properly unless their file directories are exempted from antivirus scans and group policy object restrictions.

The Reuters story quotes several anonymous sources saying the intrusions at the Commerce and Treasury departments could be just the tip of the iceberg. That seems like a fair bet.

SolarWinds says it has over 300,000 customers including:

-more than 425 of the U.S. Fortune 500
-all ten of the top ten US telecommunications companies
-all five branches of the U.S. military
-all five of the top five U.S. accounting firms
-the Pentagon
-the State Department
-the National Security Agency
-the Department of Justice
-The White House.

It’s unclear how many of the customers listed on SolarWinds’ website are users of the affected Orion products. But Reuters reports the supply chain attack on SolarWinds is connected to a broad campaign that also involved the recently disclosed hack at FireEye, wherein hackers gained access to a slew of proprietary tools the company uses to help customers find security weaknesses in their computers and networks.

The compromises at the U.S. federal agencies are thought to date back to earlier this summer, and are being blamed on hackers working for the Russian government. FireEye said its breach was the work of APT 29, a.k.a. “Cozy Bear,” a Russian hacker group believed to be associated with one or more intelligence agencies of Russia.

In its own advisory, FireEye said multiple updates poisoned with a malicious backdoor program were digitally signed with a SolarWinds certificate from March through May 2020, and posted to the SolarWindws update website.

FireEye posits the impact of the hack on SolarWinds is widespread, affecting public and private organizations around the world.

“The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East,” the company’s analysts wrote. “We anticipate there are additional victims in other countries and verticals.”

The Good, the Bad and the Ugly in Cybersecurity – Week 50

/0 Comments/in /by

The Good

Will the real APT32 please stand up? The OceanLotus APT group have been hitting the headlines a lot recently, but it’s reasonably unprecedented for an APT group’s identity to be outed in the way Facebook doxed the group this week.

The social media giant fingered Vietnamese IT company CyberOne Security as the entity behind APT32 activity that has targeted victims including human rights activists, news agencies, governmental and NGO agencies, as well as a wide range of businesses from agriculture and health to tech and IT. Researchers from Facebook identified Windows malware, a macOS backdoor and TTPs that include malicious Play Store apps, watering hole attacks, and fake FB and other social media personas to lure victims.

Facebook say they have disrupted the group’s behaviour by blocking associated domains from being posted on the platform, removing the group’s accounts and notifying suspected victims. As for the fake “CyberOne Security” company, journalists’ attempts to contact anyone via phone and email went, perhaps unsurprisingly, unanswered.

The Bad

It’s all about the APTs this week. While the security industry has rallied round to help enterprises defend against an APT attack on FireEye that resulted in the theft of offensive red teaming tools, it appears that Russian APT groups have been actively taking advantage of a vulnerability in VMware systems, according to a 3-page US National Security Agency advisory published this week.

Successfully exploiting the bug, CVE-2020-4006, allows threat actors to execute commands of choice on a compromised system running the vulnerable software. The agency reported that attackers have been exploiting the vulnerability via installing a web shell as a gateway into networks and accessing protected data by means of forged SAML assertions.

The VMware products affected by the security flaw are:

  • VMware Access 20.01 and 20.10 on Linux
  • VMware vIDM 3.3.1, 3.3.2, and 3.3.3 on Linux
  • VMware vIDM Connector 3.3.1, 3.3.2, 3.3.3, 19.03
  • VMware Cloud Foundation 4.x
  • VMware vRealize Suite Lifecycle Manager 8.x

Malicious activity based on the flaw occurs within the TLS tunnel associated with the devices. Security teams that lack visibility into encrypted connections can hunt for post-compromise indicators in the configurator log (/opt/vmware/horizon/workspace/logs/configurator.log), specifically for an ‘exit’ statement followed by a 3-digit number, the NSA advised.


Source

Patches for the above have been available since December 3rd, and all users are advised to update as soon as possible. In addition, since exploitation of the bug requires password-based access to the web-based management interface of a targeted device, admins are urged to ensure that they follow best practice to avoid weak passwords and, where possible, to ensure the web-based management interface is not accessible from the internet. Other workarounds where patching is not immediately possible are suggested in the NSA advisory.

The Ugly

As we noted last week, there’s been a disturbing trend recently among both crimeware actors and sophisticated adversaries of targeting research data, organizations and infrastructure related to developing, manufacturing and distributing COVID-19 vaccines.

That trend continued this week with a cyberattack on the European Medicines Agency. The organization’s terse statement offered no further details other than to confirm an attack had taken place, but subsequent reports say documents relating to regulatory submission of the Pfizer/BioNTech vaccine, BNT162b2, had been accessed.

EMA is in the midst of the approval process for the vaccine and the documents were stored on an EMA server, according to a press release from BioNTech.

It is not clear whether such documents were the primary target of the attack or what other data may have been compromised, but there is no indication to date that any PPI belonging to staff or persons involved in vaccine trials was exposed. Reportedly, EMA have said the cyberattack will not delay regulatory approval of the vaccine in the EU, which is expected to be within the next few weeks.

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security