SentinelOne to acquire high-speed logging startup Scalyr for $155M

SentinelOne, a late-stage security startup that helps customers make sense of security data using AI and machine learning, announced today that it is acquiring high-speed logging startup Scalyr for $155 million in stock and cash.

SentinelOne sorts through oodles of data to help customers understand their security posture, and having a tool that enables engineers to iterate rapidly in the data, and get to the root of the problem, is going to be extremely valuable for them, CEO and co-founder Tomer Weingarten explained. “We thought Scalyr would be just an amazing fit to our continued vision in how we secure data at scale for every enterprise [customer] out there,” he told me.

He said they spent a lot of time shopping for a company that could meet their unique scaling needs and when they came across Scalyr, they saw the potential pretty quickly with a company that has built a real-time data lake. “When we look at the scale of our technology, we obviously scoured the world to find the best data analytics technology out there. We [believe] we found something incredibly special when we found a platform that can ingest data, and make it accessible in real time,” Weingarten explained.

He believes the real-time element is a game changer because it enables customers to prevent breaches rather than merely react to them. “If you’re thinking about mitigating attacks or reacting to attacks, if you can do that in real time and you can process data in real time, and find the anomalies in real time and then meet them, you’re turning into a system that can actually deflect the attacks and not just see them and react to them,” he explained.

The company sees Scalyr as a product it can integrate into the platform, but also one that will remain a standalone offering. That means existing customers should be able to continue using Scalyr as before, while benefiting from having a larger company contributing to its R&D.

While SentinelOne is not a public company, it is a pretty substantial private one, having raised over $695 million, according to Crunchbase data. The company’s most recent funding round came last November, a $267 million investment with a $3.1 billion valuation.

As for Scalyr, it was launched in 2011 by Steve Newman, who first built a word processor called Writely and sold it to Google in 2006. It was actually the basis for what became Google Docs. Newman stuck around and started building the infrastructure to scale Google Docs, and he used that experience and knowledge to build Scalyr. The startup raised $27 million along the way, according to Crunchbase data, including a $20 million Series A investment in 2017.

The deal will close this quarter, at which time Scalyr’s 45 employees will join SentinelOne.

Encrypted data handling startup DataFleets acquired by LiveRamp for over $68M

LiveRamp has acquired DataFleets, a young startup that made it possible to take advantage of large volumes of encrypted data without the risk or fuss of decrypting or transferring it. LiveRamp, an enterprise data connectivity platform itself, paid more than $68 million for the company, a huge multiple on DataFleets’ $4.5 million seed announced just last fall.

DataFleets saw the increasing need for sensitive data like medical or financial records to be analyzed or used to train machine learning models. Not only are such databases bulky and complex, making transfers difficult, but allowing them to be decrypted and used elsewhere opens the door to errors, abuse and hacks.

The company’s solution was essentially to have software on both sides of the equation, the data provider (perhaps a hospital or bank) and the client (an analyst or AI developer), and act as a secure go-between: not for the sensitive data itself, but for the analysis systems and machine learning models that the client wanted to set loose on the data. This allows the client to perform an automated task on the data, such as harvesting and comparing values or building an ML model, without ever having direct access to it.

Clearly this approach seemed valuable to LiveRamp, which provides a number of data connectivity services to major enterprise customers, household names in fact. They announced in their earnings statement last night that they paid $68 million up front for DataFleets, though that price does not reflect the various other incentives and deferred payments that many such deals involve, and in this case seem likely to remain private.

The deal will probably result in the retiring of the DataFleets brand (young as it was), but their various customers will probably make the trip to LiveRamp. The most recent of those is HCA Healthcare, a major national provider that just announced a COVID-19 data sharing consortium that would be using DataFleets’s services. That’s a pretty powerful validation for an approach just commercialized late last year, and a nice catch for LiveRamp to add to its healthcare client collection.

For its part, LiveRamp plans to use its augmented services to expand its operations and offerings in Europe, Asia and Latin America over the coming year. The company has also called for a federal data privacy law, something that will hopefully be achieved under the new administration.

Is overseeing cloud operations the new career path to CEO?

When Amazon announced last week that founder and CEO Jeff Bezos planned to step back from overseeing operations and shift into an executive chairman role, it also revealed that AWS CEO Andy Jassy, head of the company’s profitable cloud division, would replace him.

As Bessemer partner Byron Deeter pointed out on Twitter, Jassy’s promotion was similar to Satya Nadella’s ascent at Microsoft: in 2014, he moved from executive VP in charge of Azure to the chief exec’s office. Similarly, Arvind Krishna, who was promoted to replace Ginni Rometty as IBM CEO last year, also was formerly head of the company’s cloud business.

Could Nadella’s successful rise serve as a blueprint for Amazon as it makes a similar transition? While there are major differences in the missions of these companies, it’s inevitable that we will compare these two executives based on their former jobs. It’s true that they have an awful lot in common, but there are some stark differences, too.

Replacing a legend

For starters, Jassy is taking over for someone who founded one of the world’s biggest corporations. Nadella replaced Steve Ballmer, who had taken over for the company’s face, Bill Gates. Holger Mueller, an analyst at Constellation Research, says this notable difference could have a huge impact for Jassy with his founder boss still looking over his shoulder.

“There’s a lot of similarity in the two situations, but Satya was a little removed from the founder Gates. Bezos will always hover and be there, whereas Gates (and Ballmer) had retired for good. [ … ] It was clear [they] would not be coming back. [ … ] For Jassy, the owner could [conceivably] come back anytime,” Mueller said.

But Andrew Bartels, an analyst at Forrester Research, says it’s not a coincidence that both leaders were plucked from the cloud divisions of their respective companies, even if it was seven years apart.

“In both cases, these hyperscale business units of Microsoft and Amazon were the fastest-growing and best-performing units of the companies. [ … ] In both cases, cloud infrastructure was seen as a platform on top of which and around which other cloud offerings could be developed,” Bartels said. The companies both believe that the leaders of these two growth engines were best suited to lead the company into the future.

Microsoft Patch Tuesday, February 2021 Edition

Microsoft today rolled out updates to plug at least 56 security holes in its Windows operating systems and other software. One of the bugs is already being actively exploited, and six of them were publicized prior to today, potentially giving attackers a head start in figuring out how to exploit the flaws.

Nine of the 56 vulnerabilities earned Microsoft’s most urgent “critical” rating, meaning malware or miscreants could use them to seize remote control over unpatched systems with little or no help from users.

The flaw being exploited in the wild already — CVE-2021-1732 — affects Windows 10, Server 2016 and later editions. It received a slightly less dire “important” rating, mainly because it is a vulnerability that lets an attacker increase their authority and control on a device, which means the attacker needs to already have access to the target system.

Two of the other bugs that were disclosed prior to this week are critical and reside in Microsoft’s .NET Framework, a component required by many third-party applications (most Windows users will have some version of .NET installed).

Windows 10 users should note that while the operating system installs all monthly patch roll-ups in one go, that rollup does not typically include .NET updates, which are installed on their own. So when you’ve backed up your system and installed this month’s patches, you may want to check Windows Update again to see if there are any .NET updates pending.

A key concern for enterprises is another critical bug in the DNS server on Windows Server 2008 through 2019 versions that could be used to remotely install software of the attacker’s choice. CVE-2021-24078 earned a CVSS Score of 9.8, which is about as dangerous as they come.

Recorded Future says this vulnerability can be exploited remotely by getting a vulnerable DNS server to query for a domain it has not seen before (e.g. by sending a phishing email with a link to a new domain or even with images embedded that call out to a new domain). Kevin Breen of Immersive Labs notes that CVE-2021-24078 could let an attacker steal loads of data by altering the destination for an organization’s web traffic — such as pointing internal appliances or Outlook email access at a malicious server.

Windows Server users also should be aware that Microsoft this month is enforcing the second round of security improvements as part of a two-phase update to address CVE-2020-1472, a severe vulnerability that first saw active exploitation back in September 2020.

The vulnerability, dubbed “Zerologon,” is a bug in the core “Netlogon” component of Windows Server devices. The flaw lets an unauthenticated attacker gain administrative access to a Windows domain controller and run any application at will. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.

Microsoft’s initial patch for CVE-2020-1472 fixed the flaw on Windows Server systems, but did nothing to stop unsupported or third-party devices from talking to domain controllers using the insecure Netlogon communications method. Microsoft said it chose this two-step approach “to ensure vendors of non-compliant implementations can provide customers with updates.” With this month’s patches, Microsoft will begin rejecting insecure Netlogon attempts from non-Windows devices.
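Before the enforcement phase starts turning insecure connections away, a domain controller can be checked for devices that are still negotiating the vulnerable way. The PowerShell below is an added example, not part of the article or of Microsoft's guidance; it assumes that Event ID 5829 in the System log (provider NETLOGON) records each allowed vulnerable Netlogon connection and that its message carries a "Machine SamAccountName:" field, and the sample events are constructed for an offline run.

```powershell
# Added example: summarise which machine accounts are still using the vulnerable
# Netlogon secure channel, so they can be updated before the DC rejects them.
# Assumptions: Event ID 5829 is logged to the System log by the NETLOGON provider
# for each allowed vulnerable connection, and its message contains a line of the
# form "Machine SamAccountName: <account>".

function Get-VulnerableNetlogonClients {
    [CmdletBinding()]
    param(
        # Domain controller to query; defaults to the local machine.
        [string]$ComputerName = $env:COMPUTERNAME,
        # How many days of log history to examine.
        [int]$Days = 7,
        # Optional pre-collected events (used below for an offline demo).
        [object[]]$Events
    )

    if (-not $Events) {
        $filter = @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = 5829
            StartTime    = (Get-Date).AddDays(-$Days)
        }
        $Events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    }

    # Pull the machine account out of each message; the field name is an assumption.
    $rows = foreach ($e in $Events) {
        if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') {
            [pscustomobject]@{
                Account     = $Matches[1]
                TimeCreated = $e.TimeCreated
            }
        }
    }

    # One line per account: how often it connected insecurely and when it was last seen.
    $rows | Group-Object Account | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Account  = $_.Name
            Attempts = $_.Count
            LastSeen = $latest.TimeCreated
        }
    } | Sort-Object Attempts -Descending
}

# Constructed sample events so the function can be exercised without a DC.
$body = "The Netlogon service allowed a vulnerable Netlogon secure channel connection."
$sample = @(
    [pscustomobject]@{ Id = 5829; TimeCreated = (Get-Date).AddHours(-2);    Message = "$body`r`nMachine SamAccountName: NAS-01`$`r`nDomain: CORP" }
    [pscustomobject]@{ Id = 5829; TimeCreated = (Get-Date).AddHours(-1);    Message = "$body`r`nMachine SamAccountName: NAS-01`$`r`nDomain: CORP" }
    [pscustomobject]@{ Id = 5829; TimeCreated = (Get-Date).AddMinutes(-30); Message = "$body`r`nMachine SamAccountName: PRINTER-7`$`r`nDomain: CORP" }
)

Get-VulnerableNetlogonClients -Events $sample | Format-Table -AutoSize
# Against a real domain controller: Get-VulnerableNetlogonClients -ComputerName DC01 -Days 30
```

Any account that still appears in this list after its device has been updated is a candidate for a vendor ticket rather than a group policy exception.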

A couple of other, non-Windows security updates are worth mentioning. Adobe today released updates to fix at least 50 security holes in a range of products, including Photoshop and Reader. The Acrobat/Reader update tackles a critical zero-day flaw that Adobe says is actively being exploited in the wild against Windows users, so if you have Adobe Acrobat or Reader installed, please make sure these programs are kept up to date.

There is also a zero-day flaw in Google’s Chrome Web browser (CVE-2021-21148) that is seeing active attacks. Chrome downloads security updates automatically, but users still need to restart the browser for the updates to fully take effect. If you’re a Chrome user and notice a red “update” prompt to the right of the address bar, it’s time to save your work and restart the browser.

Standard reminder: While staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re less likely to pull your hair out when the odd buggy patch causes problems booting the system.

So do yourself a favor and back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

Keep in mind that Windows 10 by default will automatically download and install updates on its own schedule. If you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches, see this guide.

And as always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Bringing IoT Out of the Shadows

When it comes to security, what you don’t know can hurt you. For many CISOs and security teams, this is embodied by IoT and connected devices. An estimated 41.6 billion IoT devices will be connected to businesses within the next five years. This explosion of connected devices has created a huge – and often hidden – attack surface for threat actors to exploit. Attack surface reduction is an essential part of modern cybersecurity programs.

Security teams have long struggled to gain and maintain visibility into the devices that are being connected to corporate networks. In many organizations, it’s relatively easy for employees to connect devices to the network without notifying IT teams. Personal assistants, like Alexa and Google Home, wearables, mobile phones, and even novelty items, like fish tanks, are being added to networks every day, without security teams being notified.

When combined with a multitude of office devices that are now Internet connected – printers, cameras, thermostats, and more – the result is a dramatic expansion of “endpoints” that increase the attackable surface of an organization and create backdoors into enterprise networks.

Compounding the problem is the fundamental lack of industry standards and government regulations for IoT security – few IoT devices are developed with security in mind. Attackers have and will continue to exploit this – industry data shows that roughly 25% of attacks on enterprises involve IoT devices.

This is why gaining visibility into everything on a network, and having the means to control every device, is a foundational aspect of a strong security posture. Historically, one approach to gaining visibility into IoT devices on the network was for security teams to install software agents on the devices themselves as they were discovered. But this approach fails to address the underlying problem of hidden devices and is incredibly hard to scale in organizations with multiple network types.

The solution to the growing IoT security problem is centered on the power of AI to gain full visibility of the network, continuously monitor devices, and enforce security and privacy policies across all connected devices to reduce, monitor, and control the attack surface.

Network Visibility: Bringing IoT Out of the Shadows

The first step towards IoT security is visibility and understanding exactly what’s connected to the network. Organizations not only need to accurately map the network and fingerprint devices to see what’s connected, but they also need to understand what’s unprotected and open to attack. Trying to accomplish this through manual practices sets security teams up for failure. Additional hardware and software are not acceptable or scalable solutions either.

This is where AI can automate the process. By using AI on approved endpoint devices to serve as a type of sonar, these approved devices can ‘ping,’ identify, and detect every additional device connected to the network. This provides deep visibility into the hidden devices that may be connected to a network. The ‘approved’ machines can also provide autonomous protection and notification for any device that has vulnerabilities or demonstrates anomalous behavior.

Monitor All Devices with Vigilance MDR

As connected devices are brought out of the shadows and detected, security teams can now ensure that the organizational security and privacy policies that are used to provide network access are fully enforced on each device.

This can range from simple policies, such as making sure devices are patched or isolated from the network, to identifying devices that require deeper analysis. More complex policies enforce device segmentation from networks based on trust and activities.

Monitoring all devices enables security teams to ensure that every device on the network has an owner, business function, or broader impact associated. This is critical information that can be used in the decision-making process around risk reduction and incident response. As each device is assigned an owner and function, security teams can continuously monitor the devices to identify suspicious behavior, while putting the organization in a better position to respond if such activity is detected.

Focus on Attack Surface Management – Not Merely Compliance

The historical lack of security on IoT devices has led many states and regulators to start taking matters into their own hands. States like California recently passed legislation to establish new security requirements that address the risks of using IoT devices in the enterprise.

It’s critical to remember that the end goal of gaining full visibility and continuous monitoring of all devices connected to networks should be strengthening security and privacy – not just achieving compliance. Many organizations that have certified compliance with regulations have suffered a ransomware attack or data breach at some point.

Focusing on compliance is a common pitfall for many organizations – checked boxes do not always equate to better security. Compliance is generally met over time, as a lesson-learned mechanism from other failed organizations. The benchmark for compliance is not typically overly ambitious, instead focusing on common failures.

In addition, compliance metrics can quickly become outdated. A good example of this is found in the payment card industry standard that requires companies to have scheduled AV scans. The problem is that this reinforces an antiquated approach that many security-conscious organizations have moved away from. Modern security technologies operate with continuous scanning at their core. Attackers can exploit vulnerabilities and weaknesses in an instant – scheduled scans cannot keep pace with the speed at which today’s attacks occur. Machine-speed attacks require a machine-speed response.

Attack Surface Management – An Extension of Your Endpoint Security Strategy

Endpoint security can be challenging for any organization – but the problem becomes more complex with the introduction of billions of connected devices. Threats continue to evolve to exploit the growth mechanisms of business, targeting these machines with increasing alacrity.

Equipping security teams with complete visibility, categorization, and automated alerting regarding rogue devices and vulnerabilities is the best way to ensure that enterprises proactively prepare themselves for the imminent threat presented by IoT devices.


Nexthink nabs $180M Series D on $1.1B valuation

We often hear about companies working to improve the customer experience, but for IT their customers are the company’s employees. Nexthink, a late-stage startup that wants to help IT serve its internal constituents better, announced a $180 million Series D today on a healthy $1.1 billion valuation.

The firm, which was founded in Lausanne, Switzerland and has offices outside of Boston, received funding from Permira with help from Highland Europe and Index Ventures. The company has now raised more than $336 million, according to Crunchbase data.

As you might imagine, understanding how folks are using a company’s technology choices internally is always going to be useful, but when the pandemic hit and offices closed, having access to this type of data became even more important.

Nexthink CEO and co-founder Pedro Bados says that most monitoring tools are focused on figuring out if the systems are working correctly and finding ways to fix them. Nexthink takes a different approach, looking at how employees are adopting the tools a company is offering.

“What we do at Nexthink is to take the [monitoring] problem from a completely different perspective. We say that we’re going to give your IT department a real-time understanding of how employees are experiencing IT [at your company],” Bados told me.

He says they do this by looking at the problem from the employees’ perspective. “At the end of the day we’re giving all the insights to IT departments to make sure they can improve the digital experience of their employees,” he said.

This could involve querying the user base in the same way that HR and marketing survey tools allow companies to check the pulse of employees or customers. By gathering this type of data, it helps IT understand how employees are using the company’s technology choices.

This software is aimed at larger organizations with at least 5,000 employees. Today, the company has more than 1,000 of these customers, including Best Buy, Fidelity, Liberty Mutual and 3M. What’s more, the company has surpassed $100 million in annual recurring revenue, a success benchmark for SaaS companies like Nexthink.

Nexthink currently has 700 employees with plans to reach 900 by the end of this year, and as a maturing startup, Bados has given a lot of thought on how to build a diverse workforce. Just being spread out in two countries gives an element of geographic diversity, but he says it takes more than that, and it all starts with recruitment.

“The way to make sure we get more diversity is we look at recruitment and make sure that we have a balanced pipeline. That’s something we measure as a company,” he said. They also have a diversity committee, which is charged with delivering diversity training and figuring out ways to hire a more diverse and inclusive workforce.

While the company has a healthy valuation and a good amount of money in the bank, Bados doesn’t see an IPO for at least a couple of years. He says he wants to double or triple the business before taking that step. For now, though, with $180 million in additional runway and $100 million in ARR, the company is well-positioned for whatever future moves it chooses to make.

Automattic acquires analytics company Parse.ly

Automattic, the for-profit company tied to open-source web publishing platform WordPress, is announcing that it has acquired analytics provider Parse.ly.

Specifically, Parse.ly is now part of WPVIP, the organization within Automattic that offers enterprise hosting and support to publishers, including TechCrunch. (We use Parse.ly, too.)

WPVIP CEO Nick Gernert described this as the organization’s first large enterprise software acquisition, reflecting a strategy that has expanded beyond news and media organizations — businesses like Salesforce (whose venture arm invested $300 million in Automattic back in 2019), the NBA, Condé Nast, Facebook and Microsoft now use WPVIP for their content and marketing needs.

Both companies, Gernert said, come from similar backgrounds, with “roots” in digital publishing and a “heavy focus on understanding the impact of content.”

“We’ve really started to shift more towards content marketing and starting to think more deeply beyond just what traditional page analytics provide,” he continued. That means doing more than measuring pageviews and time on site and “really starting to look more deeply at things like conversation, attribution, areas … that from a marketer’s perspective are impactful.”

WordPress and Parse.ly already work well together, but the plan is to make WPVIP features available to Parse.ly customers while also making more Parse.ly data available to WPVIP publishers. And Gernert said there are also opportunities to add more commerce-related data to Parse.ly, since Automattic also owns WooCommerce.

The goal, he said, is to “make Parse.ly better for WordPress and best for WPVIP.”

At the same time, he added, “There’s no plans here to make Parse.ly the only analytics solution that runs on our platform. We want to preserve the flexibility and interoperability [of WordPress], and we want to make sure from a Parse.ly perspective that it still exists as a standalone product. That’s key to its future and we will continue to invest in it.”

Parse.ly was founded in 2009 and has raised $12.9 million in funding from investors including Grotech Ventures and Blumberg Capital, according to Crunchbase. Parse.ly founders Sachin Kamdar and Andrew Montalenti are joining WPVIP, with Kamdar leading go-to-market strategy for Parse.ly and Montalenti leading product.

“We’ve always had deep admiration for WPVIP’s market position as the gold standard for enterprise content teams, and we’re thrilled to be able to join together,” Kamdar said in a statement. “From the culture and people, to the product, market and vision, we’re in lockstep to create more value for our customers. This powerful combination of content and intelligence will push the industry forward at an accelerated pace.”

The financial terms of the acquisition were not disclosed.

BeyondID grabs $9M Series A to help clients implement cloud identity

BeyondID, a cloud identity consulting firm, announced a $9 million Series A today led by Tercera. It marked the first investment from Tercera, a firm that launched earlier this month with the goal of investing in service startups like BeyondID.

The company focuses on helping clients manage security and identity in the cloud, taking aim specifically at Okta customers. In fact, the firm is a platinum partner for Okta. As they describe their goals, they help clients in a variety of areas, including identity and access management, secure app modernization, Zero Trust security, cloud migration and integration services.

CEO and co-founder Arun Shrestha has a deep background in technology, including working with Okta from its early days. Shrestha came on board in 2012 as the head of customer success. When he began, the startup was in early days, with just 50 customers. When he left five years later just before the IPO, it had more than 3,500.

Along the way, he gained a unique level of expertise in the Okta tool set, and he decided to put that to work to help Okta customers implement and maximize Okta usage, especially in companies with complex implementations. He launched BeyondID in 2018 with the intention of focusing on systems integrations and managing a company’s identity in the cloud.

“We believe we are becoming a managed identity service provider, so managing anything identity, anything related to cybersecurity. We’re helping these companies by being a one-stop shop for companies acquiring, deploying and managing identity services,” Shrestha explained.

It seems to be working. Over the last couple of years the company’s revenues grew at 300%, and as it matures and the growth rate settles a bit, it is still expected to grow between 70 and 100% this year. The firm has 250 customers, including FedEx, Major League Baseball, Bain Capital and Biogen.

It currently has 75 employees serving those customers with plans to grow that number in the next year with the help from today’s investment. As Shrestha adds new employees, he sees building a diverse workforce as a crucial goal for his company.

“Diversity is absolutely critical to our long-term sustainable success, and it’s also the right thing to do,” he said. He says that building an organization that promotes women and people of color is a key goal of his as the leader of the company and something he is committed to.

Chris Barbin, who is managing partner and founder at lead investor Tercera, says that he chose BeyondID as the firm’s first investment because he believes identity is central to the notion of digital transformation. As more companies move to the cloud, they need help understanding how security and identity work differently in a cloud context, and he sees BeyondID playing a critical role in helping clients get there.

“BeyondID is in a rapidly growing space and has an impressive customer list that represents nearly every industry. Arun and the leadership team have a strong vision for the firm, deep ties into Okta and they’re incredibly passionate about what they do,” he said.

Container security acquisitions increase as companies accelerate shift to cloud

Last week, another container security startup came off the board when Rapid7 bought Alcide for $50 million. The purchase is part of a broader trend in which larger companies are buying up cloud-native security startups at a rapid clip. But why is there so much M&A action in this space now?

Palo Alto Networks was first to the punch, grabbing Twistlock for $410 million in May 2019. VMware struck a year later, snaring Octarine. Cisco followed with PortShift in October and Red Hat snagged StackRox last month before the Rapid7 response last week.

This is partly because many companies chose to become cloud-native more quickly during the pandemic. This has created a sharper focus on security, but it would be a mistake to attribute the acquisition wave strictly to COVID-19, as companies were shifting in this direction pre-pandemic.

It’s also important to note that security startups that cover a niche like container security often reach market saturation faster than companies with broader coverage because customers often want to consolidate on a single platform, rather than dealing with a fragmented set of vendors and figuring out how to make them all work together.

Containers provide a way to deliver software by breaking down a large application into discrete pieces known as microservices. These are packaged and delivered in containers. Kubernetes provides the orchestration layer, determining when to deliver the container and when to shut it down.

This level of automation presents a security challenge, making sure the containers are configured correctly and not vulnerable to hackers. With myriad switches this isn’t easy, and it’s made even more challenging by the ephemeral nature of the containers themselves.

Yoav Leitersdorf, managing partner at YL Ventures, an Israeli investment firm specializing in security startups, says these challenges are driving interest in container startups from large companies. “The acquisitions we are seeing now are filling gaps in the portfolio of security capabilities offered by the larger companies,” he said.

Arrest, Raids Tied to ‘U-Admin’ Phishing Kit

Cyber cops in Ukraine carried out an arrest and several raids last week in connection with the author of U-Admin, a software package used to administer what’s being called “one of the world’s largest phishing services.” The operation was carried out in coordination with the FBI and authorities in Australia, which was particularly hard hit by phishing scams perpetrated by U-Admin customers.

The U-Admin phishing panel interface. Image: fr3d.hk/blog

The Ukrainian attorney general’s office said it worked with the nation’s police force to identify a 39-year-old man from the Ternopil region who developed a phishing package and special administrative panel for the product.

“According to the analysis of foreign law enforcement agencies, more than 50% of all phishing attacks in 2019 in Australia were carried out thanks to the development of the Ternopil hacker,” the attorney general’s office said, noting that investigators had identified hundreds of U-Admin customers.

Brad Marden, superintendent of cybercrime operations for the Australian Federal Police (AFP), said their investigation into who was behind U-Admin began in late 2018, after Australian citizens began getting deluged with phishing attacks via mobile text messages that leveraged the software.

“It was rampant,” Marden said, noting that the AFP identified the suspect and referred the case to the Ukrainians for prosecution. “At one stage in 2019 we had a couple of hundred SMS phishing campaigns tied to just this particular actor. Pretty much every Australian received a half dozen of these phishing attempts.”

U-Admin, a.k.a. “Universal Admin,” is a crimeware platform that first surfaced in 2016. U-Admin was sold by an individual who used the hacker handle “Kaktys” on multiple cybercrime forums.

According to this comprehensive breakdown of the phishing toolkit, the U-Admin control panel isn’t sold on its own, but rather it is included when customers contact the developer and purchase a set of phishing pages designed to mimic a specific brand — such as a bank website or social media platform.

Cybersecurity threat intelligence firm Intel 471 describes U-Admin as an information stealing framework that uses several plug-ins in one location to help users pilfer victim credentials more efficiently. Those plug-ins include a phishing page generator, a victim tracker, and even a component to help manage money mules (for automatic transfers from victim accounts to people who were hired in advance to receive and launder stolen funds).

Perhaps the biggest selling point for U-Admin is a module that helps phishers intercept multi-factor authentication codes. This core functionality is what’s known as a “web inject,” because it allows phishers to dynamically interact with victims in real-time by injecting content into the phishing page that prompts the victim to enter additional information. The video below, produced by the U-Admin developer, shows a few examples.

A demonstration video showing the real-time web injection capabilities of the U-Admin phishing kit. Credit: blog.bushidotoken.net

There are multiple recent reports that U-Admin has been used in conjunction with malware — particularly Qakbot (a.k.a. Qbot) — to harvest one-time codes needed for multi-factor authentication.

“Paired with [U-Admin’s 2FA harvesting functionality], a threat actor can remotely connect to the Qakbot-infected device, enter the stolen credentials plus the 2FA token, and begin initiating transactions,” explains this Nov. 2020 blog post on an ongoing Qakbot campaign that was first documented three months earlier by Check Point Research.

In the days following the Ukrainian law enforcement action, several U-Admin customers on the forums where Kaktys was most active began discussing whether the product was still safe to use following the administrator’s arrest.

The AFP’s Marden hinted that the suspicions raised by U-Admin’s customer base might be warranted.

“I wouldn’t be unhappy with the crooks continuing to use that piece of kit, without saying anything more on that front,” Marden said.

While Kaktys’s customers may be primarily concerned about the risks of using a product supported by a guy who just got busted, perhaps they should be more worried about other crooks [or perhaps the victim banks themselves] moving in on their turf: It appears the U-Admin package being sold in the underground has long included a weakness that could allow anyone to view or alter data that was phished with the help of this kit.

The security flaw was briefly alluded to in a 2018 writeup on U-Admin by the SANS Internet Storm Center.

“Looking at the professionality of the code, the layout and the functionality I’m giving this control panel 3 out of 5 stars,” joked SANS guest author Remco Verhoef. “We wanted to give them 4 stars, but we gave one star less because of an SQL injection vulnerability” [link added].

That vulnerability was documented in more detail at exploit archive Packet Storm Security in March 2020 and indexed by Check Point Software in May 2020, suggesting it still persists in current versions of the product.
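The article does not reproduce the panel's code, and the example below is not it. It is an added, generic illustration of the flaw class the SANS author is joking about: a query built by string concatenation lets whatever is typed into a form field become part of the SQL, so a single unexpected value returns every row in a table instead of one. The table, its rows and the query are constructed for this example; the point for defenders is the hardened version, which binds the value as a parameter so the database never parses it as SQL.

```python
"""SQL injection: concatenated query beside its parameterized form (added example)."""
import sqlite3


def setup_db():
    """Create an in-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, payload TEXT)"
    )
    conn.executemany(
        "INSERT INTO records (owner, payload) VALUES (?, ?)",
        [("alice", "row-a"), ("bob", "row-b"), ("carol", "row-c")],
    )
    return conn


def fetch_vulnerable(conn, owner):
    """The defect: the untrusted value is spliced into the SQL text itself."""
    query = "SELECT payload FROM records WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(query)]


def fetch_safe(conn, owner):
    """The fix: a bound parameter is passed to the driver separately from the SQL."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT payload FROM records WHERE owner = ?", (owner,)
        )
    ]


def demo():
    """Run both versions against a normal value and a value containing a quote."""
    conn = setup_db()
    normal = "alice"
    # A value containing a quote character, the classic test input for this flaw.
    quoted = "x' OR '1'='1"
    return {
        "vulnerable_normal": fetch_vulnerable(conn, normal),
        "vulnerable_quoted": fetch_vulnerable(conn, quoted),
        "safe_normal": fetch_safe(conn, normal),
        "safe_quoted": fetch_safe(conn, quoted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the concatenated query, the quoted input changes the `WHERE` clause so that it matches every row; with the bound parameter, the same input is simply an owner name that does not exist and returns nothing. Any data-access layer that still builds queries the first way, whether in a phishing panel or a legitimate application, exposes everything in the table to anyone who can reach a form field.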

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. This advice is the same whether you’re using a mobile or desktop device. In fact, this phishing framework specialized in lures specifically designed to be loaded on mobile devices.

Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

Further reading:

uAdmin Show & Tell
Gathering Intelligence on the Qakbot banking Trojan