Ahead of Dell’s spin out, VMware appoints longtime exec Raghu Raghuram as its new CEO

Five months after it was announced that Pat Gelsinger would be stepping down as CEO of VMware to take the top job at Intel, the virtualization giant has finally appointed a permanent successor. Raghu Raghuram, a longtime employee of the company, has been appointed the new CEO. He will be taking on the new role on June 1. Until then, CFO Zane Rowe will continue to serve as interim CEO.

Raghuram has been with the company for 17 years in a variety of roles, most recently COO of products and cloud services. He’s also held positions at the company overseeing areas like data centers and VMware’s server business. Putting a veteran at the helm sends a clear message that VMware has picked someone dedicated to the company and its culture. No drama here.

Indeed, the move is coming at a time when there is already a lot of other change underway and speaks to the company looking for stability and continuity to lead it through that. About a month ago, Dell confirmed long-anticipated news that it would be spinning out its stake in VMware in a deal that’s expected to bring Dell at least $9 billion, putting an end to a financial partnership that initially kicked off with an eye-watering acquisition of EMC in 2016. The spin-out will not end the strategic relationship, however, which is set to continue, and Raghuram will now be in charge of building and leading it.

For that reason, you might look at this appointment as one that Dell had a significant hand in approving.

“I am thrilled to have Raghu step into the role of CEO at VMware. Throughout his career, he has led with integrity and conviction, playing an instrumental role in the success of VMware,” said Michael Dell, chairman of the VMware board of directors, in a statement. “Raghu is now in position to architect VMware’s future, helping customers and partners accelerate their digital businesses in this multicloud world.”

Raghuram has not only been the person overseeing some of VMware’s biggest divisions and newer areas like software-defined networking and cloud computing, but he’s had a central role in building and driving strategy for the company’s core virtualization business, been involved with M&A and, as VMware points out, “key in driving partnerships with Dell Technologies,” among other partners.

“VMware is uniquely poised to lead the multicloud computing era with an end-to-end software platform spanning clouds, the data center and the edge, helping to accelerate our customers’ digital transformations,” said Raghuram in a statement. “I am honored, humbled and excited to have been chosen to lead this company to a new phase of growth. We have enormous opportunity, we have the right solutions, the right team and we will continue to execute with focus, passion and agility.”

The company also took the moment to update on guidance for its Q1 results, which will be coming out on May 27. Revenues are expected to come in at $2.994 billion, up 9.5% versus the same quarter a year ago. Subscription and SaaS and license revenue, meanwhile, is expected to be $1.387 billion, up 12.5%. GAAP net income per diluted share is expected to be $1.01 per diluted share, and non-GAAP net income per diluted share is expected to be $1.76 per diluted share, it said.

AWS releases tool to open source that turns on-prem software into SaaS

AWS announced today that it’s releasing a tool called AWS SaaS Boost as open source distributed under the Apache 2.0 license. The tool, which was first announced at the AWS re:Invent conference last year, is designed to help companies transform their on-prem software into cloud-based software as a service.

In the charter for the software, the company describes its mission this way: “Our mission is to create a community-driven suite of extensible building blocks for Software-as-a-Service (SaaS) builders. Our goal is to foster an open environment for developing and sharing reusable code that accelerates the ability to deliver and operate multi-tenant SaaS solutions on AWS.”

What it effectively does is provide the tools to turn the application into one that lets you sign up users and let them use the app in a multi-tenant cloud context. Even though it’s open source, it is designed to get you to move your application into the AWS system where you can access a number of AWS services such as AWS CloudFormation, AWS Identity and Access Management (IAM), Amazon Route 53, Elastic Load Balancing, AWS Lambda (Amazon’s serverless tool), and Amazon Elastic Container Service (Amazon’s Kubernetes Service), although presumably you could use alternative services if you were so inclined.

By making it open source, it gives companies that would need this kind of service access to the source code, giving them a comfort level and an ability to contribute to the project to expand upon the base product and give back to the community. That makes it a win for users who get flexibility and the benefit of a community behind the tool, and a win for AWS, which gets that community working on the tool to improve and enhance it over time.

“Our objective with AWS SaaS Boost is to get great quality software based on years of experience in the hands of as many developers and companies as possible. Because SaaS Boost is open source software, anyone can help improve it. Through a community of builders, our hope is to develop features faster, integrate with a wide range of SaaS software, and to provide a high quality solution for our customers regardless of company size or location,” Amazon’s Adrian De Luca wrote in a blog post announcing the intent to open source SaaS Boost.

This announcement comes just a couple of weeks after the company open-sourced its DeepRacer device software, which runs its machine-learning-fueled mini race cars. That said, Amazon has had a complex relationship with open source in the past couple of years, as companies like MongoDB, Elastic and CockroachDB have altered their open-source licenses to prevent Amazon from offering its own hosted versions of their software.

Meet DarkSide and Their Ransomware – SentinelOne Customers Protected

The recent campaign targeting the Colonial Pipeline in the United States is a sobering example of the extent to which cybersecurity – specifically ransomware – threatens everyday life. There is a lot more to this than encrypted or stolen data. It’s hard to understand the economic reverberations of a disruptive attack on critical infrastructure, whether for financial gain or otherwise. With the pipeline being proactively shut down as of Sunday, May 9th, there are concerns around how this outage will affect ongoing fuel prices and for how long. How the coming weeks and months play out may serve as a template for predicting impact and risk associated with similar attacks that will inevitably follow.

SentinelOne detects and protects against DarkSide ransomware. No action is required for our customers.

SentinelOne Protects from DarkSide Ransomware

In this post, we discuss the evolution of the DarkSide malware and affiliate networks, including the evolution of their feature sets and recruitment areas.


Who is DarkSide?

The attack on the Colonial Pipeline has been attributed to DarkSide, a relatively new ransomware family that emerged on the crimeware market in November 2020.

DarkSide claims not to attack Medical, Educational, Non-Profit, or Government sectors

DarkSide launched as a RaaS (Ransomware-as-a-Service) with the stated goal of only targeting ‘large corporations.’ They are primarily focused on recruiting Russian (CIS) affiliates, and are very skeptical of partnerships or interactions outside of that region. From the onset, DarkSide was focused on choosing the ‘right’ targets and identifying their most valuable data. This speaks to their efficiency and discernment when choosing where to focus their efforts. From their inception, DarkSide claimed they’d avoid attacking the medical, educational, non-profit, or government sectors.

DarkSide affiliate recruitment post

At the time of launch, the features offered by DarkSide were fairly standard. They emphasized their speed of encryption and a wealth of options for dealing with anything that may inhibit the encryption process (i.e., security software). They also advertised a Linux variant with comparable features. Following in the footsteps of recently successful ransomware families like Maze and Cl0p, DarkSide established a victim data leak blog as further leverage to encourage ransom payouts.

The original DarkSide 1.0 Feature set was advertised as follows:

Windows [
	full ASM, salsa20 + rsa 1024, 
	i / o, own implementation of salsa and rsa, 
	fast / auto (improved space) / full, 
	token impersonalization for working with balls, 
	slave table, freeing busy files, 
	changing file permissions, 
	arp scanner, 
	process termination, 
	service termination, 
	drag-and-drop and much more].

Linux [
	C ++, chacha20 + rsa 4096, 
	multithreading (including Hyper-threading, analog of i / o on windows), 
	support for truncated OS assemblies (esxi 5.0+), 
	fast / space, 
	directory configuration and much more].

Admin panel [
	full ajax, 
	automatic acceptance of Bitcoin, Monero, 
	generation of win / lin builds with indication of all parameters (processes, services, folders, extensions ...), 
	bots reporting and detailed statistics on the company’s performance, 
	automatic distribution and withdrawal of funds, 
	sub -accounts, 
	online chat and many others].

Leak site [
	hidden posts, 
	phased publication of target data and many more functionality].

CDN system for data storage [
	Receiving quotas, 
	fast data loading, 
	storage 6m from the moment of loading].

A Well-Organized Affiliate Network

Hopeful affiliates are subject to DarkSide’s rigorous vetting process, which examines the candidate’s ‘work history,’ areas of expertise, and past profits among other things. To get started, affiliates were required to deposit 20 BTC (at the time, that amounted to around $300,000 USD).

DarkSide announces improved CDN

Over the following months, DarkSide continued to improve its services, while also expanding its affiliate network. By late November 2020, DarkSide launched a more advanced Content Delivery Network (CDN) that allowed their operators to more efficiently store and distribute stolen victim data. Many of their high-value targets found themselves listed on the victim blog, including a number of financial, accounting, and legal firms, as well as technology companies.

Initial access can take many forms depending on the affiliate involved, their needs, and timeline. A majority of the campaigns observed were initiated only after the enterprise had been thoroughly scouted via Cobalt Strike beacon infections. After the initial reconnaissance phase, the operators would deploy the DarkSide ransomware wherever it would cause the greatest disruption.

DarkSide Decryption Tool – Is it Working?

In January 2021, Bitdefender released a DarkSide decryption tool. This tool was also posted to the NoMoreRansom project website. The tool had a reportedly high success rate.

DarkSide 2.0 performance comparisons

By March, the group announced the launch of the new and improved DarkSide 2.0. The new iteration included many improvements for both their Windows and Linux variants and is no longer subject to the decryption tool. DarkSide 2.0 reportedly encrypts data on disk twice as fast as the original.

Other updated features include:

  • Expanded multi-processor support (parallel/simultaneous encryption across volumes)
  • EXE and DLL-based payloads
  • Updated SALSA20+RSA1024 implementation with “proprietary acceleration”
  • New operating modes (Fast / Full / Auto)
  • 19 total build settings
  • Active account impersonation
  • Active Directory support (discovery and traversal)
  • New CMD-line parameter support

On the Linux side, DarkSide 2.0 offers the following updates:

  • Updated multithreading support
  • Updated CHACHA20 + RSA 4096 implementation
  • 2 new operating modes (Fast / Space)
  • 14 Total build settings
  • Support for all major ESXi versions
  • NAS support (Synology, OMV)

Along with this expanded feature set, SentinelLabs researchers have seen a shift in the deployment of the DarkSide ransomware, from standard packers like VMProtect and UPX to a custom packer internally referred to as ‘encryptor2.’

A Battle for Territory

With the release of DarkSide 2.0, the group has continued to increase its footprint in the ransomware landscape. Along with their territorial expansion throughout 2021, DarkSide also increased their ‘pressure campaigns’ on victims to include DDoS attacks along with the threat of data leakage. They are able to invoke L3/L7 DDoS attacks if their victims choose to resist ‘cooperation’.

More recently, DarkSide operators have been attempting to attract more expertise around assessing data and network value, along with seeking others to provide existing access or newer methods of initial access. These efforts are meant to make operations more streamlined and increase efficiency.

New methods and talent areas

The Colonial Pipeline attack is only the latest in a slew of increasingly daring ransomware attacks. The absolute best defense against a severe ransomware attack (and the nightmare that follows) is preparation and prevention. Technology is a huge part of that, but one must not discount user hygiene and education. It is vital to keep end users up to date on what threats are out there and how to spot them. Vigilant users, along with robust preventative controls are key. Business continuity planning and disaster recovery drills are not fun, but they are critical and necessary to ensure readiness and resilience against these threats.

The SentinelOne platform is fully capable of preventing and detecting the malware and artifacts associated with DarkSide ransomware. We hope that the pipeline starts flowing again soon; our society depends on it to live.

Indicators of Compromise

SHA256

SHA1

08d1da979f8d568b62701d7cedf1d0e81b7bab4d
c511ae4d80aaa281c610190aa13630de61ca714c
ff9da8ec309210e2324dbe4a79d416f90de285c0
2269cdc706b412d55749dd7b8a8b7cc14ce83532
06856cab5b85104788d679bbbb75d270a90eabb0
e5b0a0f4a59d6d5377332eece20f8f3df5cebe4e
3ed7c6f0f90e176eeca091ebe8528fba10603d51
62d8735539d102f92a8a30b15a94e242bff3613e
5f1cbc3d99558307bc1250d084fa968521482025
d1dfe82775c1d698dd7861d6dfa1352a74551d35
9d39c0d21b96ebb210fe467ad50604f05543db8e
e6b47869caa776840ab79856b04096152103c71d
666a451867ce40c1bd9442271ef3be424e2d9b17
4bd6437cd1dc77097a7951466531674f80c866c6
e50d9e3bd91908e13a26b3e23edeaf577fb3a095
142ab367d5f83018d30c3d17b9dd87f2e35eba08
2715340f82426f840cf7e460f53a36fc3aad52aa
86ca4973a98072c32db97c9433c16d405e4154ac
7944ae1d281bbeeb6f317e2ececf6b4c83e63a06
a4e2deb65f97f657b50e48707b883ce2b138e787
f90f83c3dbcbe9b5437316a67a8abe6a101ef4c3
483c894ee5786704019873b0fc99080fdf1a0976
7ae73b5e1622049380c9b615ce3b7f636665584b
2fc8514367d4799d90311b1b1f277b3fca5ca731
d3495ac3b708caeceffab59949dbf8a9fa24ccef
7a29a8f5e14da1ce40365849eb59487dbb389d08
1f90eb879580faef3c37e10d0a0345465eebd4ee
88fc623483f7ffe57f986ed10789e6723083fcd8
996567f5e84b7666ff3182699da0de894e7ea662
21145fd2cc8767878edbd7d1900c4c4f926a6d5b
076d0d8d07368ef680aeb0c08f7f2e624c46cbc5
33a6b39fbe8ec45afab14af88fd6fa8e96885bf1
47ee1b6f495db98143f821f9f8dd49448fe607c8
b16a1eb8bc2e5d4ded04bfaa9ee2b861ead143ba
539c228b6b332f5aa523e5ce358c16647d8bbe57
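The hash list above is only useful if it is actually checked against something. The following is an added example, not SentinelOne code: it loads the post's SHA1 indicators into a set and matches them two ways, by streaming files on disk through SHA1 and by pulling 40-hex tokens out of EDR-style log lines. The log lines, hostnames, paths and timestamps are constructed for the example; the one IoC hash in them is taken from the list above, the other is the SHA1 of an empty file.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Iterable

# SHA1 indicators copied from the post's "Indicators of Compromise" section.
DARKSIDE_SHA1 = frozenset("""
08d1da979f8d568b62701d7cedf1d0e81b7bab4d c511ae4d80aaa281c610190aa13630de61ca714c
ff9da8ec309210e2324dbe4a79d416f90de285c0 2269cdc706b412d55749dd7b8a8b7cc14ce83532
06856cab5b85104788d679bbbb75d270a90eabb0 e5b0a0f4a59d6d5377332eece20f8f3df5cebe4e
3ed7c6f0f90e176eeca091ebe8528fba10603d51 62d8735539d102f92a8a30b15a94e242bff3613e
5f1cbc3d99558307bc1250d084fa968521482025 d1dfe82775c1d698dd7861d6dfa1352a74551d35
9d39c0d21b96ebb210fe467ad50604f05543db8e e6b47869caa776840ab79856b04096152103c71d
666a451867ce40c1bd9442271ef3be424e2d9b17 4bd6437cd1dc77097a7951466531674f80c866c6
e50d9e3bd91908e13a26b3e23edeaf577fb3a095 142ab367d5f83018d30c3d17b9dd87f2e35eba08
2715340f82426f840cf7e460f53a36fc3aad52aa 86ca4973a98072c32db97c9433c16d405e4154ac
7944ae1d281bbeeb6f317e2ececf6b4c83e63a06 a4e2deb65f97f657b50e48707b883ce2b138e787
f90f83c3dbcbe9b5437316a67a8abe6a101ef4c3 483c894ee5786704019873b0fc99080fdf1a0976
7ae73b5e1622049380c9b615ce3b7f636665584b 2fc8514367d4799d90311b1b1f277b3fca5ca731
d3495ac3b708caeceffab59949dbf8a9fa24ccef 7a29a8f5e14da1ce40365849eb59487dbb389d08
1f90eb879580faef3c37e10d0a0345465eebd4ee 88fc623483f7ffe57f986ed10789e6723083fcd8
996567f5e84b7666ff3182699da0de894e7ea662 21145fd2cc8767878edbd7d1900c4c4f926a6d5b
076d0d8d07368ef680aeb0c08f7f2e624c46cbc5 33a6b39fbe8ec45afab14af88fd6fa8e96885bf1
47ee1b6f495db98143f821f9f8dd49448fe607c8 b16a1eb8bc2e5d4ded04bfaa9ee2b861ead143ba
539c228b6b332f5aa523e5ce358c16647d8bbe57
""".split())

# Exactly 40 hex characters not embedded in a longer hex run (e.g. a SHA256).
SHA1_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA1 so large binaries never have to fit in memory."""
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: Path, iocs: frozenset) -> list:
    """Return (path, sha1) for every regular file under root whose SHA1 is an IoC."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = sha1_of_file(path)
            if digest in iocs:
                hits.append((str(path), digest))
    return hits


def match_log_lines(lines: Iterable[str], iocs: frozenset) -> list:
    """Return (line_number, sha1) for each log line that carries an IoC hash.
    Hashes are lower-cased before lookup because EDRs disagree on case."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in SHA1_RE.findall(line):
            if token.lower() in iocs:
                hits.append((number, token.lower()))
    return hits


# Constructed EDR-style log (made-up host, paths and timestamps). The first
# sha1 is one of the post's IoCs; the second is the SHA1 of an empty file.
SAMPLE_EDR_LOG = """\
2021-05-10T03:14:07Z host=WKS-042 event=process_create image=C:\\Users\\Public\\update.exe sha1=e5b0a0f4a59d6d5377332eece20f8f3df5cebe4e
2021-05-10T03:14:09Z host=WKS-042 event=process_create image=C:\\Windows\\System32\\svchost.exe sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709
2021-05-10T03:14:11Z host=WKS-042 event=network_connect dst=10.0.0.5:445
"""


def demo() -> dict:
    """Run both matchers on constructed input and return their results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_text("quarterly report draft\n")  # benign file
        (root / "sub").mkdir()
        (root / "sub" / "empty.bin").write_bytes(b"")  # benign, known SHA1
        file_hits = scan_directory(root, DARKSIDE_SHA1)
        empty_sha1 = sha1_of_file(root / "sub" / "empty.bin")
    log_hits = match_log_lines(SAMPLE_EDR_LOG.splitlines(), DARKSIDE_SHA1)
    return {"file_hits": file_hits, "log_hits": log_hits, "empty_sha1": empty_sha1}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In a real deployment the indicator set would be loaded from a feed rather than pasted in, and a hit on a file hash should be treated as a trigger for isolation and investigation, not as the end of the analysis: DarkSide 2.0 ships as both EXE and DLL payloads behind a custom packer, so hash matching catches known samples only and belongs alongside behavioural detection of the ATT&CK techniques listed below.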

MITRE ATT&CK

T1112 Modify Registry
T1012 Query Registry
T1082 System Information Discovery
T1120 Peripheral Device Discovery
T1005 Data from Local System
T1486 Data Encrypted for Impact
T1543.003 Create or Modify System Process: Windows Service
T1490 Inhibit System Recovery
T1553.004 Subvert Trust Controls: Install Root Certificate
T1078 Valid Accounts


Cycode raises $20M to secure DevOps pipelines

Israeli security startup Cycode, which specializes in helping enterprises secure their DevOps pipelines and prevent code tampering, today announced that it has raised a $20 million Series A funding round led by Insight Partners. Seed investor YL Ventures also participated in this round, which brings the total funding in the company to $24.6 million.

Cycode’s focus was squarely on securing source code in its early days, but thanks to the advent of infrastructure as code (IaC), policies as code and similar processes, it has expanded its scope. In this context, it’s worth noting that Cycode’s tools are language and use case agnostic. To its tools, code is code.

“This ‘everything as code’ notion creates an opportunity because the code repositories, they become a single source of truth of what the operation should look like and how everything should function,” Cycode CTO and co-founder Ronen Slavin told me. “So if we look at that and we understand it — the next phase is to verify this is indeed what’s happening, and then whenever something deviates from it, it’s probably something that you should look at and investigate.”

Cycode Dashboard. Image Credits: Cycode

The company’s service already provides the tools for managing code governance, leak detection, secret detection and access management. Recently it added its features for securing code that defines a business’ infrastructure; looking ahead, the team plans to add features like drift detection, integrity monitoring and alert prioritization.

“Cycode is here to protect the entire CI/CD pipeline — the development infrastructure — from end to end, from code to cloud,” Cycode CEO and co-founder Lior Levy told me.

“If we look at the landscape today, we can say that existing solutions in the market are kind of siloed, just like the DevOps stages used to be,” Levy explained. “They don’t really see the bigger picture, they don’t look at the pipeline from a holistic perspective. Essentially, this is causing them to generate thousands of alerts, which amplifies the problem even further, because not only don’t you get a holistic view, but also the noise level that comes from those thousands of alerts causes a lot of valuable time to get wasted on chasing down some irrelevant issues.”

What Cycode wants to do then is to break down these silos and integrate the relevant data from across a company’s CI/CD infrastructure, starting with the source code itself, which ideally allows the company to anticipate issues early on in the software life cycle. To do so, Cycode can pull in data from services like GitHub, GitLab, Bitbucket and Jenkins (among others) and scan it for security issues. Later this year, the company plans to integrate data from third-party security tools like Snyk and Checkmarx as well.

“The problem of protecting CI/CD tools like GitHub, Jenkins and AWS is a gap for virtually every enterprise,” said Jon Rosenbaum, principal at Insight Partners, who will join Cycode’s board of directors. “Cycode secures CI/CD pipelines in an elegant, developer-centric manner. This positions the company to be a leader within the new breed of application security companies — those that are rapidly expanding the market with solutions which secure every release without sacrificing velocity.”

The company plans to use the new funding to accelerate its R&D efforts, and expand its sales and marketing teams. Levy and Slavin expect that the company will grow to about 65 employees this year, spread between the development team in Israel and its sales and marketing operations in the U.S.

DataRobot expands platform and announces Zepl acquisition

DataRobot, the Boston-based automated machine learning startup, had a bushel of announcements this morning as it expanded its platform to give technical and nontechnical users alike something new. It also announced it has acquired Zepl, giving it an advanced development environment where data scientists can bring their own code to DataRobot. The two companies did not share the acquisition price.

Nenshad Bardoliwalla, SVP of Product at DataRobot says that his company aspires to be the leader in this market and it believes the path to doing that is appealing to a broad spectrum of user requirements, from those who have little data science understanding to those who can do their own machine learning coding in Python and R.

“While people love automation, they also want it to be [flexible]. They don’t want just automation, but then you can’t do anything with it. They also want the ability to turn the knobs and pull the levers,” Bardoliwalla explained.

To resolve that problem, rather than building a coding environment from scratch, it chose to buy Zepl and incorporate its coding notebook into the platform in a new tool called Composable ML. “With Composable ML and with the Zepl acquisition, we are now providing a really first-class environment for people who want to code,” he said.

Zepl was founded in 2016 and raised $13 million along the way, according to Crunchbase data. The company didn’t want to reveal the number of employees or the purchase price, but the acquisition gives it advanced capabilities, especially a notebook environment to call its own to attract those more advanced users to the platform. The company plans to incorporate the Zepl functionality into the platform, while also leaving the standalone product in place.

Bardoliwalla said that they see the Zepl acquisition as an extension of the automated side of the house, where these tools can work in conjunction with one another with machines and humans working together to generate the best models. “This [generates an] organic mixture of the best of what a system can generate using DataRobot AutoML and the best of what human beings can do and kind of trying to compose those together into something really interesting […],” Bardoliwalla said.

The company is also introducing a no-code AI app builder that enables nontechnical users to create apps from the data set with drag and drop components. In addition, it’s adding a tool to monitor the accuracy of the model over time. Sometimes, after a model is in production for a time, the accuracy can begin to break down as the data on which the model is based is no longer valid. This tool monitors the model data for accuracy and warns the team when it’s starting to fall out of compliance.

Finally, the company is announcing a model bias monitoring tool to help root out model bias that could introduce racist, sexist or other assumptions into the model. To avoid this, the company has built a tool to identify when it sees this happening both in the model-building phase and in production. It warns the team of potential bias, while providing them with suggestions to tweak the model to remove it.

DataRobot is based in Boston and was founded in 2012. It has raised more than $750 million and has a valuation of over $2.8 billion, according to PitchBook.

SightCall raises $42M for its AR-based visual assistance platform

Long before COVID-19 precipitated “digital transformation” across the world of work, customer services and support was built to run online and virtually. Yet it too is undergoing an evolution supercharged by technology.

Today, a startup called SightCall, which has built an augmented reality platform to help field service teams, the companies they work for, and their customers carry out technical and mechanical maintenance or repairs more effectively, is announcing $42 million in funding, money that it plans to use to invest in its tech stack with more artificial intelligence tools and expanding its client base.

The core of its service, explained CEO and co-founder Thomas Cottereau, is AR technology (which comes embedded in their apps or the service apps its customers use, with integrations into other standard software used in customer service environments including Microsoft, SAP, Salesforce and ServiceNow). The augmented reality experience overlays additional information, pointers and other tools over the video stream.

This is used by, say, field service engineers coordinating with central offices when servicing equipment; or by manufacturers to provide better assistance to customers in emergencies or situations where something is not working but might be repaired quicker by the customers themselves rather than engineers that have to be called out; or indeed by call centers, aided by AI, to diagnose whatever the problem might be. It’s a big leap ahead for scenarios that previously relied on work orders, hastily drawn diagrams, instruction manuals and voice-based descriptions to progress the work in question.

“We like to say that we break the barriers that exist between a field service organization and its customer,” Cottereau said.

The tech, meanwhile, is unique to SightCall, built over years and designed to be used by way of a basic smartphone, and over even a basic mobile network — essential in cases where reception is bad or the locations are remote. (More on how it works below.)

Originally founded in Paris, France before relocating to San Francisco, SightCall has already built up a sizable business across a pretty wide range of verticals, including insurance, telecoms, transportation, telehealth, manufacturing, utilities and life sciences/medical devices.

SightCall has some 200 big-name enterprise customers on its books, including the likes of Kraft-Heinz, Allianz, GE Healthcare and Lincoln Motor Company, providing services on a B2B basis as well as for teams that are out in the field working for consumer customers, too. After seeing 100% year-over-year growth in annual recurring revenue in 2019 and 2020, SightCall’s CEO says it’s looking like it will hit that rate this year as well, with a goal of $100 million in annual recurring revenue.

The funding is being led by InfraVia, a European private equity firm, with Bpifrance also participating. The valuation of this round is not being disclosed, but I should point out that an investor told me that PitchBook’s estimate of $122 million post-money is not accurate (we’re still digging on this and will update as and when we learn more).

For some further context on this investment, InfraVia invests in a number of industrial businesses, alongside investments in tech companies building services related to them such as recent investments in Jobandtalent, so this is in part a strategic investment. SightCall has raised $67 million to date.

There has been an interesting wave of startups emerging in recent years building out the tech stack used by people working in the front lines and in the field, a shift after years of knowledge workers getting most of the attention from startups building a new generation of apps.

Workiz and Jobber are building platforms for small business tradespeople to book jobs and manage them once they’re on the books; BigChange helps manage bigger fleets; and Hover has built a platform for builders to be able to assess and estimate costs for work by using AI to analyze images captured by their or their would-be customers’ smartphone cameras.

And there is Streem, which I discovered is a close enough competitor to SightCall that they’ve acquired AdWords ads based on SightCall searches in Google. Just ahead of the COVID-19 pandemic breaking wide open, General Catalyst-backed Streem was acquired by Frontdoor to help with the latter’s efforts to build out its home services business, another sign of how all of this is leaping ahead.

What’s interesting in part about SightCall and sets it apart is its technology. Co-founded in 2007 by Cottereau and Antoine Vervoort (currently SVP of product and engineering), the two are long-time telecoms industry vets who had both worked on the technical side of building next-generation networks.

SightCall started life as a company called Weemo that built video chat services that could run on WebRTC-based frameworks, which emerged at a time when we were seeing a wider effort to bring more rich media services into mobile web and SMS apps. For consumers and to a large extent businesses, mobile phone apps that work “over the top” (distributed not by your mobile network carrier but the companies that run your phone’s operating system, and thus partly controlled by them) really took the lead and continue to dominate the market for messaging and innovations in messaging.

After a time, Weemo pivoted and renamed itself as SightCall, focusing on packaging the tech that it built into whichever app (native or mobile web) where one of its enterprise customers wanted the tech to live.

The key to how it works comes by way of how SightCall was built, Cottereau explained. The company has spent 10 years building and optimizing a network across data centers close to where its customers are, which interconnects with Tier 1 telecoms carriers and has a lot of latency in the system to ensure uptime. “We work with companies where this connectivity is mission critical,” he said. “The video solution has to work.”

As he describes it, the hybrid system SightCall has built incorporates its own IP that works both with telecoms hardware and software, resulting in a video service that provides 10 different ways for streaming video and a system that automatically chooses the best in a particular environment, based on where you are, so that even if mobile data or broadband reception don’t work, video streaming will. “Telecoms and software are still very separate worlds,” Cottereau said. “They still don’t speak the same language, and so that is part of our secret sauce, a global roaming mechanism.”

The tech that the startup has built to date not only has given it a firm grounding against others who might be looking to build in this space, but has led to strong traction with customers. The next steps will be to continue building out that technology to tap deeper into the automation that is being adopted across the industries that already use SightCall’s technology.

“SightCall pioneered the market for AR-powered visual assistance, and they’re in the best position to drive the digital transformation of remote service,” said Alban Wyniecki, partner at InfraVia Capital Partners, in a statement. “As a global leader, they can now expand their capabilities, making their interactions more intelligent and also bringing more automation to help humans work at their best.”

“SightCall’s $42M Series B marks the largest funding round yet in this sector, and SightCall emerges as the undisputed leader in capital, R&D resources and partnerships with leading technology companies enabling its solutions to be embedded into complex enterprise IT,” added Antoine Izsak of Bpifrance. “Businesses are looking for solutions like SightCall to enable customer-centricity at a greater scale while augmenting technicians with knowledge and expertise that unlocks efficiencies and drives continuous performance and profit.”

Cottereau said that the company has had a number of acquisition offers over the years — not a surprise when you consider the foundational technology it has built for how to architect video networks across different carriers and data centers that work even in the most unreliable of network environments.

“We want to stay independent, though,” he said. “I see a huge market here, and I want us to continue the story and lead it. Plus, I can see a way where we can stay independent and continue to work with everyone.”

SaaS companies can grow to $20M+ ARR by selling exclusively to developers

With more than 200,000 customers, a market cap of nearly $56 billion, and the recent acquisition of Segment for $3.2 billion, Twilio is a SaaS behemoth.

It’s hard to imagine companies like Twilio as anything but a giant. But everybody starts out small, and you can usually trace success back to key decisions made in the early days.

First, you need to have a product that developers can actually sign up for. This means ditching demos for real-time free trials or freemium tools.

For Twilio, a big differentiator was being one of the first technology-focused SaaS organizations that focused on empowering and building for the end user (which in their case is developers) with a self-service function. Another differentiator was that the executive team designed the organization to create tight feedback loops between sales and product with national roadshows, during which CEO Jeff Lawson frequently met with users.

Moreover, Twilio’s “secret sauce” per their S-1 is a developer-focused model and a strong belief in the future of software. They encourage developers to explore and innovate with Twilio’s flexible offering, which led to an incredible 155% net-dollar expansion rate at the time of the IPO.

Most importantly, Twilio put the product in the hands of teams before the sale happened, standing by to answer hard questions about how Twilio would fit into their infrastructure. This was pretty rare at the time — sales engineering resources aren’t cheap — and it was a strong differentiating factor. So much so that when the company went public, they were growing at 106% annually.

Twilio sells to developers at large enterprises by solving a problem that developers come up against regularly: Getting in touch with customers.

But as more successful public software companies emerge, it’s clear that Twilio’s secret sauce can and will be replicated.

Why traditional marketing doesn’t work on developers

Before I started looking at successful developer-focused businesses, I understood the developer-focused playbook to look a little like this:
  1. Don’t hire marketing (or sales, either). If you do, hire someone super experienced from an enterprise sales background. And then fire them within three to six months.
  2. Just hire someone who’s passionate about the product to “manage the community.” What is community management? Lots of swag. Cool meetups. Publish 1–2 articles as a stab at content (bonus points if they’re listicles). Oh, wait. How can we show the ROI here? Make the community manager do that until she quits. Repeat.

Jamf snags zero trust security startup Wandera for $400M

Jamf, the enterprise Apple device management company, announced that it was acquiring Wandera, a zero trust security startup, for $400 million at the market close today. Today’s purchase is the largest in the company’s history.

Jamf provides IT at large organizations with a set of management services for Apple devices. It is the leader in the market, and snagging Wandera provides a missing modern security layer for the platform.

Jamf CEO Dean Hager says that Wandera’s zero trust approach fills in an important piece in the Jamf platform tool set. “The combination of Wandera and Jamf will provide our customers a single source platform that handles deployment, application lifecycle management, policies, filtering and security capabilities across all Apple devices while delivering zero trust network access for all mobile workers,” Hager said in a statement.

Zero trust, as the name implies, is an approach to security where you don’t trust anybody regardless of whether they are inside or outside your network. It requires that you force everyone to provide multiple forms of authentication to prove their identity before they can access company resources.

The need for a zero trust approach became even more acute during the pandemic, when employees have often been working from home and have needed access to applications and other company resources from wherever they happened to be, a trend that was underway even prior to COVID and is likely to continue after it ends.

Wandera, which is based in London, was founded in 2012 by brothers Roy and Eldar Tuvey, who had previously co-founded another security startup called ScanSafe. Cisco acquired that company, which provided web gateway protection as a service, for $183 million back in 2009. The brothers raised over $53 million along the way for Wandera. Investors included Bessemer Venture Partners, 83North and Sapphire Ventures.

Sapphire co-founder and managing director Andreas Weiskam had this to say about the deal: “[Wandera] created a unique security product which addresses mobile threats by leveraging the increasingly important zero trust network. By joining the Jamf family, the two will help shape the future of the zero trust cloud. And it goes without saying that this is a big win for the customers, especially for those in the Apple ecosystem.”

Jamf now has access to all of that technology and everything else the company has developed since. Under the terms of the deal, Jamf is paying Wandera $350 million in cash, then paying them two $25 million payments on October 1, 2021 and December 15, 2021. The deal is expected to close in the third quarter assuming it passes regulatory scrutiny.


A Closer Look at the DarkSide Ransomware Gang

The FBI confirmed this week that a relatively new ransomware group known as DarkSide is responsible for an attack that caused Colonial Pipeline to shut down 5,550 miles of pipe, stranding countless barrels of gasoline, diesel and jet fuel on the Gulf Coast. Here’s a closer look at the DarkSide cybercrime gang, as seen through their negotiations with a recent U.S. victim that earns $15 billion in annual revenue.

Colonial Pipeline has shut down 5,500 miles of fuel pipe in response to a ransomware incident. Image: colpipe.com

New York City-based cyber intelligence firm Flashpoint said its analysts assess with a moderate-strong degree of confidence that the attack was not intended to damage national infrastructure and was simply associated with a target which had the finances to support a large payment.

“This would be consistent with DarkSide’s earlier activities, which included several ‘big game hunting’ attacks, whereby attackers target an organization that likely possesses the financial means to pay the ransom demanded by the attackers,” Flashpoint observed.

In response to public attention to the Colonial Pipeline attack, the DarkSide group sought to play down fears about widespread infrastructure attacks going forward.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives [sic],” reads an update to the DarkSide Leaks blog. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

First surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. DarkSide says it targets only big companies, and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits.

Like other ransomware platforms, DarkSide adheres to the current badguy best practice of double extortion, which involves demanding separate sums for both a digital key needed to unlock any files and servers, and a separate ransom in exchange for a promise to destroy any data stolen from the victim.

At its launch, DarkSide sought to woo affiliates from competing ransomware programs by advertising a victim data leak site that gets “stable visits and media coverage,” as well as the ability to publish victim data by stages. Under the “Why choose us?” heading of the ransomware program thread, the admin answers:

An advertisement for the DarkSide ransomware group.

“High trust level of our targets. They pay us and know that they’re going to receive decryption tools. They also know that we download data. A lot of data. That’s why the percent of our victims who pay the ransom is so high and it takes so little time to negotiate.”

In late March, DarkSide introduced a “call service” innovation that was integrated into the affiliate’s management panel, which enabled the affiliates to arrange calls pressuring victims into paying ransoms directly from the management panel.

In mid-April the ransomware program announced new capability for affiliates to launch distributed denial-of-service (DDoS) attacks against targets whenever added pressure is needed during ransom negotiations.

DarkSide also has advertised a willingness to sell information about upcoming victims before their stolen information is published on the DarkSide victim shaming blog, so that enterprising investment scammers can short the company’s stock in advance of the news.

“Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges,” DarkSide explains. “If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”

DarkSide also started recruiting new affiliates again last month — mainly seeking network penetration testers who can help turn a single compromised computer into a full-on data breach and ransomware incident.

Portions of a DarkSide recruitment message, translated from Russian. Image: Intel 471.

“We have grown significantly in terms of the client base and in comparison to other projects (judging by the analysis of publicly available information), so we are ready to grow our team and a number of our affiliates in two fields,” DarkSide explained. The advertisement continued:

“Network penetration testing. We’re looking for one person or a team. We’ll adapt you to the work environment and provide work. High profit cuts, ability to target networks that you can’t handle on your own. New experience and stable income. When you use our product and the ransom is paid, we guarantee fair distribution of the funds. A panel for monitoring results for your target. We only accept networks where you intend to run our payload.”

DarkSide has shown itself to be fairly ruthless with victim companies that have deep pockets, but they can be reasoned with. Cybersecurity intelligence firm Intel 471 observed a negotiation between the DarkSide crew and a $15 billion U.S. victim company that was hit with a $30 million ransom demand in January 2021, and in this incident the victim’s efforts at negotiating a lower payment ultimately reduced the ransom demand by almost two-thirds.

The DarkSide ransomware note.

The first exchange between DarkSide and the victim involved the usual back-and-forth establishing of trust, wherein the victim asks for assurances that stolen data will be deleted after payment.

Image: Intel 471.

When the victim counter-offered to pay just $2.25 million, DarkSide responded with a lengthy, derisive reply, ultimately agreeing to lower the ransom demand to $28.7 million.

“The timer it [sic] ticking and in in next 8 hours your price tag will go up to $60 million,” the crooks replied. “So, you this are your options first take our generous offer and pay to us $28,750 million US or invest some monies in quantum computing to expedite a decryption process.”

Image: Intel 471.

The victim complained that negotiations hadn’t moved the price much, but DarkSide countered that the company could easily afford the payout. “I don’t think so,” they wrote. “You aren’t poor and aren’t children if you f*cked up you have to meet the consequences.”

Image: Intel 471.

The victim firm replies a day later saying they’ve gotten authority to pay $4.75 million, and their tormentors agree to lower the demand significantly to $12 million.

Image: Intel 471.

The victim replies that this is still a huge amount, and it tries to secure additional assurances from the ransomware group if it agrees to pay the $12 million, such as an agreement not to target the company ever again, or give anyone access to its stolen data. The victim also tried to get the attackers to hand over a decryption key before paying the full ransom demand.

Image: Intel 471.

The crime gang responded that its own rules prohibit it from giving away a decryption key before full payment is made, but they agree to the rest of the terms.

Image: Intel 471.

The victim firm agrees to pay an $11 million ransom, and their extortionists concur and promise not to attack or help anyone else attack the company’s network going forward.

Image: Intel 471.

Flashpoint assesses that at least some of the criminals behind DarkSide hail from another ransomware outfit called “REvil,” a.k.a. “Sodinokibi” (although Flashpoint rates this finding at only “moderate” confidence). REvil is widely considered to be the newer name for GandCrab, a ransomware-as-a-service offering that closed up shop in 2019 after bragging that it had extorted more than $2 billion.

Experts say ransomware attacks will continue to grow in sophistication, frequency and cost unless something is done to disrupt the ability of crooks to get paid for such crimes. According to a report late last year from Coveware, the average ransomware payment in the third quarter of 2020 was $233,817, up 31 percent from the second quarter of last year. Security firm Emsisoft found that almost 2,400 U.S.-based governments, healthcare facilities and schools were victims of ransomware in 2020.

Last month, a group of tech industry heavyweights lent their imprimatur to a task force that delivered an 81-page report to the Biden administration on ways to stymie the ransomware industry. Among many other recommendations, the report urged the White House to make finding, frustrating and apprehending ransomware crooks a priority within the U.S. intelligence community, and to designate the current scourge of digital extortion as a national security threat.

Further reading: Intel 471’s take on the Colonial Pipeline attack.

Microsoft Patch Tuesday, May 2021 Edition

Microsoft today released fixes to plug at least 55 security holes in its Windows operating systems and other software. Four of these weaknesses can be exploited by malware and malcontents to seize complete, remote control over vulnerable systems without any help from users. On deck this month are patches to quash a wormable flaw, a creepy wireless bug, and yet another reason to call for the death of Microsoft’s Internet Explorer (IE) web browser.

While May brings about half the normal volume of updates from Microsoft, there are some notable weaknesses that deserve prompt attention, particularly from enterprises. By all accounts, the most pressing priority this month is CVE-2021-31166, a Windows 10 and Windows Server flaw which allows an unauthenticated attacker to remotely execute malicious code at the operating system level. With this weakness, an attacker could compromise a host simply by sending it a specially-crafted packet of data.

“That makes this bug wormable, with even Microsoft calling that out in their write-up,” said Dustin Childs, with Trend Micro’s ZDI program. “Before you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well. Definitely put this on the top of your test-and-deploy list.”

Kevin Breen from Immersive Labs said the fact that this one is just 0.2 points away from a perfect 10 CVSS score should be enough to identify just how important it is to patch.

“For ransomware operators, this kind of vulnerability is a prime target for exploitation,” Breen said. “Wormable exploits should always be a high priority, especially if they are for services that are designed to be public facing. As this specific exploit would not require any form of authentication, it’s even more appealing for attackers, and any organization using HTTP.sys protocol stack should prioritize this patch.”
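Because CVE-2021-31166 lives in the HTTP.sys kernel driver, the exposure question for a defender is which hosts actually have HTTP.sys listening on the network and whether they are patched yet. The following PowerShell triage script is an added example, not from the article or from Microsoft; it assumes an elevated session on Windows 10 or Windows Server, and the KB number is a placeholder because the article does not name it.

```powershell
# Added example (not from the article): triage HTTP.sys exposure on one host
# ahead of deploying the CVE-2021-31166 fix. Run elevated.
# PLACEHOLDER: the article does not give the KB; take it from the MSRC advisory.
$PatchKb = 'KB0000000'

function Get-HttpSysListener {
    # HTTP.sys is a kernel driver, so sockets it owns are attributed to the
    # System process (PID 4). Anything listed here is served through the
    # vulnerable stack: IIS, WinRM (5985/5986), custom HttpListener apps, etc.
    Get-NetTCPConnection -State Listen -OwningProcess 4 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort |
        Sort-Object LocalPort, LocalAddress -Unique
}

function Get-HttpSysUrlReservation {
    # URL prefixes registered with HTTP.sys show which applications asked it
    # to serve traffic, even if nothing is listening at this moment.
    & netsh.exe http show urlacl | ForEach-Object {
        if ($_ -match 'Reserved URL\s*:\s*(\S+)') { $Matches[1] }
    }
}

function Test-HttpSysExposure {
    $listeners    = @(Get-HttpSysListener)
    $reservations = @(Get-HttpSysUrlReservation)
    $patched      = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

    # Bindings on loopback only are not reachable by a remote, unauthenticated
    # sender; everything else is the population to patch first.
    $network = @($listeners | Where-Object {
        $_.LocalAddress -notin @('127.0.0.1', '::1')
    })

    $priority = if (-not $patched -and $network.Count -gt 0) { 'HIGH: unpatched, network-facing HTTP.sys' }
                elseif (-not $patched)                        { 'MEDIUM: unpatched, loopback-only or idle' }
                else                                          { 'Patched' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        HttpSysListeners  = $listeners.Count
        NetworkReachable  = $network.Count
        NetworkPorts      = ($network.LocalPort | Sort-Object -Unique) -join ','
        UrlReservations   = $reservations.Count
        PatchInstalled    = $patched
        Priority          = $priority
    }
}

Test-HttpSysExposure | Format-List
```

Run it through your remoting or endpoint-management tool to build the test-and-deploy list Childs describes; a Windows 10 workstation with an unexpected network-facing HTTP.sys port is exactly the case he warns about.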

Breen also called attention to CVE-2021-26419 — a vulnerability in Internet Explorer 11 — to make the case for why IE needs to stand for “Internet Exploder.” To trigger this vulnerability, a user would have to visit a site that is controlled by the attacker, although Microsoft also recognizes that it could be triggered by embedding ActiveX controls in Office Documents.

“IE needs to die – and I’m not the only one that thinks so,” Breen said. “If you are an organization that has to provide IE11 to support legacy applications, consider enforcing a policy on the users that restricts the domains that can be accessed by IE11 to only those legacy applications. All other web browsing should be performed with a supported browser.”

Another curious bug fixed this month is CVE-2020-24587, described as a “Windows Wireless Networking Information Disclosure Vulnerability.” ZDI’s Childs said this one has the potential to be pretty damaging.

“This patch fixes a vulnerability that could allow an attacker to disclose the contents of encrypted wireless packets on an affected system,” he said. “It’s not clear what the range on such an attack would be, but you should assume some proximity is needed. You’ll also note this CVE is from 2020, which could indicate Microsoft has been working on this fix for some time.”

Microsoft also patched four more security holes in its Exchange Server corporate email platform, which recently was besieged by attacks on four other zero-day Exchange flaws that resulted in hundreds of thousands of servers worldwide getting hacked. One of the bugs is credited to Orange Tsai of the DEVCORE research team, who was responsible for disclosing the ProxyLogon Exchange Server vulnerability that was patched in an out-of-band release back in March.

Researcher Orange Tsai commenting that nobody guessed the remote zero-day he reported on Jan. 5, 2021 to Microsoft was in Exchange Server.

“While none of these flaws are deemed critical in nature, it is a reminder that researchers and attackers are still looking closely at Exchange Server for additional vulnerabilities, so organizations that have yet to update their systems should do so as soon as possible,” said Satnam Narang, staff research engineer at Tenable.

As always, it’s a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it’s usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any kinks in the new armor.

But before you update, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.