We Infiltrated a Counterfeit Check Ring! Now What?

Imagine waking up each morning knowing the identities of thousands of people who are about to be mugged for thousands of dollars each. You know exactly when and where each of those muggings will take place, and you’ve shared this information in advance with the authorities each day for a year with no outward indication that they are doing anything about it. How frustrated would you be?

A counterfeit check image [redacted] that was intended for a person helping this fraud gang print and mail phony checks tied to a raft of email-based scams. One fraud-fighting group is intercepting hundreds to thousands of these per day.

Such is the curse of the fraud fighter known online by the handles “Brianna Ware” and “B. Ware” for short, a longtime member of a global group of volunteers who’ve infiltrated a cybercrime gang that disseminates counterfeit checks tied to a dizzying number of online scams.

For the past year, B. Ware has maintained contact with an insider from the criminal group that’s been sending daily lists of would-be victims who are to receive counterfeit checks printed using the real bank account information of legitimate companies.

“Some days we’re seeing thousands of counterfeit checks going out,” B. Ware said.

The scams used in connection with the fraudulent checks vary widely, from fake employment and “mystery shopper” schemes to those involving people who have been told they can get paid to cover their cars in advertisements (a.k.a. the “car wrap” scam).

A form letter mailed out with a counterfeit check urges the recipient to text a phone number after the check has been deposited.

Most of the counterfeit checks being disseminated by this fraud group are in amounts ranging from $2,500 to $5,000. The crimes that the checks enable are known variously as “advanced fee” scams, in that they involve tricking people into making payments in anticipation of receiving something of greater value in return.

But in each scheme the goal is the same: Convince the recipient to deposit the check and then wire a portion of the amount somewhere else. A few days after the check is deposited, it gets invariably canceled by the organization whose bank account information was on the check. And then person who deposited the phony check is on the hook for the entire amount.

“Like the car wrap scam, where they send you a check for $5,000, and you agree to keep $1,000 for your first payment and send the rest back to them in exchange for the car wrap materials,” B. Ware said. “Usually the check includes a letter that says they want you to text a specific phone number to let them know you received the check. When you do that, they’ll start sending you instructions on how and where to send the money.”

A typical confirmation letter that accompanies a counterfeit check for a car wrap scam.

Traditionally, these groups have asked recipients to transit money via wire transfer. But these days, B. Ware said, the same crooks are now asking people to forward the money via mobile applications like CashApp and Venmo.

B. Ware and other volunteer fraud fighters believe the fake checks gang is using people looped into phony employment schemes and wooed through online romance scams to print the counterfeit checks, and that other recruits are responsible for mailing them out each day.

“More often than not, the scammers creating the shipping labels will provide those to an unwitting accomplice, or the accomplice is told to log in to an account and print the labels,” B. Ware explained.

Often the counterfeit checks and labels forwarded by B. Ware’s informant come with notes attached indicating the type of scam with which they are associated.

“Sometimes they’re mystery shopper scams, and other times it’s overpayment for an item sold on Craigslist,” B. Ware said. “We don’t know how the scammers are getting the account and routing numbers for these checks, but they are drawn on real companies and always scan fine through a bank’s systems initially. The recipients can deposit them at any bank, but we try to get the checks to the banks when we can so they have a heads up.”


Roughly a year ago, B. Ware’s group started sharing its intelligence with fraud investigators at FedEx and the U.S. Postal Service — the primary delivery mechanisms for these counterfeit checks.

Both the USPS and FedEx have an interest in investigating because the fraudsters in this case are using stolen shipping labels paid for by companies who have no idea their FedEx or USPS accounts are being used for such purposes.

“In most cases, the name of the sender will be completely unrelated to what’s being sent,” B. Ware said. “For example, you’ll see a label for a letter to go out with a counterfeit check for a car wrap scam, and the sender on the shipping label will be something like XYZ Biological Resources.”

But B. Ware says a year later, there is little sign that anyone is interested in acting on the shared intelligence.

“It’s so much information that they really don’t want it anymore and they’re not doing anything about it,” B. Ware said of FedEx and the USPS. “It’s almost like they’re turning a blind eye. There are so many of these checks going out each day that instead of trying to drink from the firehouse, they’re just turning their heads.”

FedEx did not respond to requests for comment. The U.S. Postal Inspection Service responded with a statement saying it “does not comment publicly on its investigative procedures and operational protocols.”


Ronnie Tokazowski is a threat researcher at Agari, a security firm that has closely tracked many of the groups behind these advanced fee schemes [KrebsOnSecurity interviewed Tokazowski in 2018 after he received a security industry award for his work in this area].

Tokazowski said it’s likely the group B. Ware has infiltrated is involved in a myriad other email fraud schemes, including so-called “business email compromise” (BEC) or “CEO scams,” in which the fraudsters impersonate executives at a company in the hopes of convincing someone at the firm to wire money for payment of a non-existent invoice. According to the FBI, BEC scams netted thieves nearly $2 billion in 2020 — far more than any other type of cybercrime.

In a report released in 2019 (PDF), Agari profiled a group it dubbed “Scattered Canary” that is operating principally out of West Africa and dabbles in a dizzying array of schemes, including BEC and romance scams, FEMA and SBA loans, unemployment insurance fraud, counterfeit checks and of course money laundering.

Image: Agari.

Tokazowski said he doesn’t know if the group B. Ware is watching has any affiliation with Scattered Canary. But he said his experience with Scattered Canary shows these groups tend to make money via any and all methods that reliably produce results.

“One of the things that came out of the Scattered Canary report was that the actors we saw doing BEC scams were the same actors doing the car wrap and various Craigslist scams involving fake checks,” he said. “The people doing this type of crime will have tutorials on how to run the scam, how to wire money out for unemployment fraud, how to target people on Craigslist, and so on. It’s very different from the way a Russian hacking group might go after one industry vertical or piece of software or focus on one or two types of fraud. They will follow any method they can that works.”

Tokazowski said he’s taken his share of flack from people on social media who say his focus on West African nations as the primary source of these advanced fee and BEC scams is somehow racist [KrebsOnSecurity experienced a similar response to the 2013 stories, Spy Service Exposes Nigerian ‘Yahoo Boys’, and ‘Yahoo Boys’ Have 419 Facebook Friends].

But Tokazowski maintains he has been one of the more vocal proponents of the idea that trying to fight these problems by arresting those involved is something of a Sisyphean task, and that it makes way more sense to focus on changing the economic realities in places like Nigeria, which has been a hotbed of advanced fee activity for decades.

Nigeria has the world’s second-highest unemployment rate — rising from 27.1 percent in 2019 to 33 percent in 2020, according to the National Bureau of Statistics. The nation also is among the world’s most corrupt, according to 2020 findings from Transparency International.

“Education is definitely one piece, as raising awareness is hands down the best way to get ahead of this,” Tokazowski said. “But we also need to think about ways to create more business opportunities there so that people who are doing this to put food on the table have more legitimate opportunities. Unfortunately, thanks to the level of corruption of government officials, there are a lot of cultural reasons that fighting this type of crime at the source is going to be difficult.”

GitHub previews new AI tool that makes coding suggestions

GitHub has unveiled a new product that leverages artificial intelligence to help you write code more efficiently. Named GitHub Copilot, today’s new product can suggest lines of code and even sometimes entire functions.

GitHub has partnered with OpenAI to develop this tool. It doesn’t replace developers, it’s just a tool that should improve productivity and make it easier to learn how to code. GitHub frames this new tool as an AI pair programmer.

The model behind GitHub Copilot has been trained on billions of lines of code — many of them are hosted and available publicly on GitHub itself. When you’re writing code, GitHub Copilot suggests code as you type. You can cycle through suggestions, accept or reject them.

In order to figure out what you’re currently coding, GitHub Copilot tries to parse the meaning of a comment, the name of the function you are writing or the past couple of lines. The company shows a few demos on its website.

Image Credits: GitHub

In particular, you can describe a function in plain English in a comment and then convert it to actual code. If you’re getting started with a new language or you’ve been using no-code or low-code tools in the past, that feature could be useful.

If you’re writing code every day, GitHub Copilot can be used to work with a new framework or library. You don’t have to read the documentation from start to finish as GitHub Copilot already knows the specific functions and features of the framework you’re working with. It could also replace many Stack Overflow queries.

GitHub Copilot integrates directly with Visual Studio Code. You can install it as an extension or use it in the cloud with GitHub Codespaces. Over time, the service should improve based on how you interact with GitHub Copilot. As you accept and reject suggestions, those suggestions should get better.

Currently available as a technical preview, GitHub plans to launch a commercial product based on GitHub Copilot. It currently works best with Python, JavaScript, TypeScript, Ruby and Go.

Image Credits: GitHub

Sources: SentinelOne expects to raise over $1B in NYSE IPO tomorrow, listing with a $10B market cap

After launching its IPO last week with an expected listing price range of $26 to $29 per share, cybersecurity company SentinelOne is going public tomorrow with some momentum behind it. Sources close to the deal tell us that the company, which will be trading under the ticker “S” on the New York Stock Exchange, is expecting to raise over $1 billion in its IPO, putting its valuation at around $10 billion.

Last week, when the company first announced the IPO, it was projected that it would raise $928 million at the top end of its range, giving SentinelOne a valuation of around $7 billion. Coming in at a $10 billion market capitalization would make SentinelOne the most valuable cybersecurity IPO to date.

A source said that the road show has been stronger than anticipated, in part because of the strength of one of its competitors, CrowdStrike, which is publicly traded and currently sitting at a market cap of $58 billion.

The other reason for the response is a slightly grimmer one: Cybersecurity continues to be a major issue for businesses of all sizes, public organizations, governments and individuals. “No one wants to see another SolarWinds, and there is no reason that there shouldn’t be more than one or two strong players,” a source said.

As is the bigger trend in cybersecurity, Israel-hatched, Mountain View-based SentinelOne‘s approach to combat that is artificial intelligence — and in its case specifically, a machine-learning-based solution that it sells under the brand Singularity that focuses on endpoint security, working across the entire edge of the network to monitor and secure laptops, phones, containerised applications and the many other devices and services connected to a network.

Last year, endpoint security solutions were estimated to be around an $8 billion market, and analysts project that it could be worth as much as $18.4 billion by 2024 — another reason why SentinelOne may have moved up the timetable on its IPO (last year the company’s CEO Tomer Weingarten had told me he thought the company had one or two years left as a private company before considering an IPO, a timeline it clearly decided was worth speeding up).

SentinelOne raised $267 million on a $3.1 billion valuation led by Tiger Global as recently as last November, but it has been expanding rapidly. Growth last quarter was 116% compared to the same period a year before, and it now has more than 4,700 customers and annual recurring revenue of $161 million, according to its S-1 filing. It is also still not profitable, posting a net loss of $64 million in the last quarter.

Feature Spotlight: Gain Intelligence & Insight With Threat Center

Most organizations today have adopted cyber threat intelligence (CTI) capabilities with the goal of leveraging evidence-based knowledge about existing and emerging threats to defend against attacks faster and more proactively. But as a security professional, chances are your eyes glaze over when you hear “threat intelligence reporting”. This is probably because most intelligence reports you’ve read have lacked insight, weren’t actionable, and were delivered too late to be effective. Today’s approach to threat intelligence reporting is no longer sustainable against an evolving threat landscape.

We need to rethink how we build and utilize threat intelligence reporting as an industry. CTI reports should help security professionals understand the full context around a threat and take tangible steps to mitigate risk.

This includes an understanding of how an attack’s kill chain maps to tactics, techniques, and procedures (TTPs), relevant Indicators of Compromise (IOCs), relevant Indicators of Attack (IOAs), attribution where appropriate, and most importantly, actionable guidance in the form of sample queries for threat hunting and other preventative steps to close gaps and fine-tune.

Rather than growing the mountain of information they deliver to their customers, it’s time that cyber threat intelligence (CTI) solutions help teams achieve their ultimate goal: keeping their organizations protected in the face of evolving threats by outsmarting, outmaneuvering, and outpacing attackers.

To help you tackle the challenges of today’s threat intelligence reporting, we’re excited to introduce Threat Center to Singularity Signal’s suite of threat intelligence capabilities.

Gain Intelligence & Insight With Threat Center

Threat Center, the newest Singularity Signal threat intelligence capability available on the Singularity Platform, centralizes all of the actionable threat intelligence reporting published by SentinelOne’s leading threat researchers and analysts in one simple view.

These threat intelligence reports are designed to provide security professionals everything they need to respond to emerging threats as they arise, including targeted campaigns from known adversaries, new global outbreaks, critical vulnerabilities, and newly-discovered attack patterns. The Singularity Signal AI engine draws from commercial sources, OSINT projects, SIGINT operations, dark web research, and our own user base to identify these emergent threats.

With Threat Center, you gain direct access to a contemporary library of reports that are focused on helping you understand and outsmart even the most advanced, prolific adversaries. This includes Singularity Signal Threat Intelligence Reports, which are regularly published as new adversaries, global campaigns, and attack patterns arise, and retrospective Monthly Digests published by WatchTower, our intelligence-driven threat hunting service.

The threat intelligence reports showcased in Threat Center are designed to be more insightful, contextualized, and—most importantly—actionable than many intelligence reports available today. Rather than providing information for information’s sake and hyper-focusing on threat attribution, threat intelligence reporting powered by Singularity Signal distils intelligence down to its most relevant details and arms security professionals with the guidance and tools they need to take immediate action in their environment—before attackers have a chance to strike.

See It In Action: Threat Center

From the SentinelOne Singularity Platform console, you can access rich threat intelligence reporting and proactive guidance in just a few clicks.

Threat Center features Singularity Signal Reports, which are designed to give you a continuous look into the evolving threat landscape and provide actionable guidance on how to pre-empt advanced cyber attackers as they emerge. Each Singularity Signal Report outlines relevant background and details on advanced persistent threats (APTs), nation-state groups, or novel attacker techniques, and how they might affect your organization; this includes relevant IOC and TTP details to be leveraged for hunting, investigation, and more.

Singularity Signal Reports are published on a weekly cadence in Threat Center, in addition to Singularity Signal Flash Reports that may be published as emergent, critical threats arise. These reports are available to all Singularity Complete customers at no additional cost.

Inside Threat Center, you can also find our Monthly WatchTower Threat Hunting Digests.

WatchTower is SentinelOne’s intelligence-driven threat hunting service targeting global APT campaigns, novel attacker techniques, and emerging trends in cybercrime. Leveraging the Singularity Signal AI engine, WatchTower analyzes all-source intelligence data at scale to hunt for (and help remediate) rising threats in your environment. Every month, our WatchTower analysts publish a digest of key trends and takeaways observed in hunts performed over the previous month across the global threat landscape.

Threat Center will provide Vigilance & WatchTower customers with the first look at the Monthly Threat Hunting Digest in its TLP: Amber edition. One week later, the TLP: White report, which excludes any sensitive TTPs or adversary details, will become generally available in Threat Center to all SentinelOne customers.


Starting this week, SentinelOne customers will start receiving unique, actionable threat intelligence reports in the Singularity Platform through Threat Center. Threat Center is your hub for proactive and reactive threat intelligence reports that are relevant, reliable, and recovery-focused, all curated by the industry’s most knowledgeable researchers and analysts.

With Singularity Signal Reports, you can take proactive steps to stay ahead of rising threats from within the Singularity platform, then understand overall trends in the global threat landscape—including impact by industry, region, and more—with the WatchTower Monthly Threat Hunting digests.

Now that you’re equipped with the right insights and tools, we wish you happy hunting!

Singularity Signal
Join our webinar to learn more about data-driven intelligence.

About Singularity Signal

Singularity Signal is an open threat intelligence platform that combines artificial- and human-based intelligence to provide context, enrichment, and actionability to cyber data, empowering organizations to stay a step ahead with unparalleled insight into the attacker mindset.

To explore more ways Singularity Signal is helping enterprises around the world take a new approach to threat intelligence, read more here.

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

The Good, the Bad and the Ugly in Cybersecurity – Week 26

The Good

We always applaud international cooperation on fighting cybercrime. This week, the EU and the US announced a joint operation to fight ransomware. Secretary of Homeland Security Alejandro Mayorkas said that a new ransomware working group would address “the scourge of ransomware that has hurt the U.S” and many other countries.

The new trans-Atlantic cyber cooperation will work across several fronts. Known and would-be cyber criminals can look forward to increased law enforcement action, no matter where in the world they are hiding. The working group will seek to put increased pressure on states that harbor known criminals or turn a blind eye to cyber crime activity, either through extradition or local prosecution. At the same time, the group plans to raise public awareness on how to protect networks from ransomware and to discourage payments by highlighting the increased risk that rewarding criminals brings.

Meanwhile, the EU is also developing resources to boost regional collaboration across the bloc with the launch of a multi-national, rapid-response Joint Cyber Unit. The EU-wide task force will aim to launch operations against ongoing attacks by pooling the cyber security resources of its member states. Based in Brussels, Belgium, at the EU’s cybersecurity agency, the Joint Cyber Unit is expected to be fully operational in early 2023.

The Bad

This week’s good news didn’t come soon enough for the Belgian city of Liege, unfortunately. The country’s third largest city has been hit by Ryuk ransomware, according to local radio and TV stations.

The attack has disrupted the municipality’s IT network and online services, including public services and police. At the time of writing, services such as town hall appointments, birth registrations, weddings and burial services are either canceled or postponed as municipality employees struggle to access the relevant IT systems.

A statement on the municipality website said that the city was suffering from “a large-scale targeted computer attack, obviously of a criminal nature”. Analysis on the scale of the attack and its consequences is ongoing. The statement went on to say that the City authorities were “doing everything to restore the situation as soon as possible”.

If recent incidents are anything to go by, the outage could last several weeks. The recent ransomware attack on fellow EU-member Ireland’s healthcare systems occurred six weeks ago and left the country’s publicly funded healthcare system severely disrupted. At this time, the Irish Health Services Executive (HSE) has decrypted 75% of the affected servers, but it is likely to take months to effect a full recovery. This Wednesday, HSE said that the cost of recovery so far amounted to $120 million, but the total damage could rise to as high as $600 million.

The Ugly

Police in the coastal resort of Benidorm, Spain, arrested a British man this week after a tip off from Australian police led them to discover he was in possession of 1,000 videos of naked children, which the alleged perpetrator had obtained by hacking into home security cameras around the world. The accused, working as a babysitter and private tutor, was also engaged in sexually harassing youngsters online and acting as a facilitator for the exchange of child porn on the darkweb. Reports said the police had found evidence of Bitcoin transfers to Romania to people involved in child pornography.

In Florida, another tip led to the arrest of Donnie Pearce. Google tipped off local law authorities after Pearce allegedly uploaded 38 images of child sexual abuse to the web. Google sent Pearce’s details to the National Center for Missing and Exploited Children, and St. Johns County Sheriff’s Office (FL) seized 15 electronic devices belonging to the accused. Pearce has been charged with 13 counts of possessing obscene materials.

We usually include cases of cyber offenders being apprehended under the “Good” category, but sadly, these cases are just the tip of the iceberg in the cyber child porn pandemic. Just this week, law enforcement authorities arrested men in Cape Coral (FL), Blasdell (NY), Hendersonville (Tenn), Joliet (IL), Fulton (Missouri), Upper Allen (Pa), Mechanicsburg (PA), Layton (Utah), Barstow (CA), and Hatboro (Pa) for child pornography-related offenses.

It seems that the combination of the relative anonymity of the darknet, cryptocurrencies, social networks, messaging applications and smartphones makes the production, storage and distribution of such obscene materials too easy, extending the number of people participating in child-related crimes.

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Edge Delta raises $15M Series A to take on Splunk

Seattle-based Edge Delta, a startup that is building a modern distributed monitoring stack that is competing directly with industry heavyweights like Splunk, New Relic and Datadog, today announced that it has raised a $15 million Series A funding round led by Menlo Ventures and Tim Tully, the former CTO of Splunk. Previous investors MaC Venture Capital and Amity Ventures also participated in this round, which brings the company’s total funding to date to $18 million.

“Our thesis is that there’s no way that enterprises today can continue to analyze all their data in real time,” said Edge Delta co-founder and CEO Ozan Unlu, who has worked in the observability space for about 15 years already (including at Microsoft and Sumo Logic). “The way that it was traditionally done with these primitive, centralized models — there’s just too much data. It worked 10 years ago, but gigabytes turned into terabytes and now terabytes are turning into petabytes. That whole model is breaking down.”

Image Credits: Edge Delta

He acknowledges that traditional big data warehousing works quite well for business intelligence and analytics use cases. But that’s not real-time and also involves moving a lot of data from where it’s generated to a centralized warehouse. The promise of Edge Delta is that it can offer all of the capabilities of this centralized model by allowing enterprises to start to analyze their logs, metrics, traces and other telemetry right at the source. This, in turn, also allows them to get visibility into all of the data that’s generated there, instead of many of today’s systems, which only provide insights into a small slice of this information.

While competing services tend to have agents that run on a customer’s machine, but typically only compress the data, encrypt it and then send it on to its final destination, Edge Delta’s agent starts analyzing the data right at the local level. With that, if you want to, for example, graph error rates from your Kubernetes cluster, you wouldn’t have to gather all of this data and send it off to your data warehouse where it has to be indexed before it can be analyzed and graphed.

With Edge Delta, you could instead have every single node draw its own graph, which Edge Delta can then combine later on. With this, Edge Delta argues, its agent is able to offer significant performance benefits, often by orders of magnitude. This also allows businesses to run their machine learning models at the edge, as well.

Image Credits: Edge Delta

“What I saw before I was leaving Splunk was that people were sort of being choosy about where they put workloads for a variety of reasons, including cost control,” said Menlo Ventures’ Tim Tully, who joined the firm only a couple of months ago. “So this idea that you can move some of the compute down to the edge and lower latency and do machine learning at the edge in a distributed way was incredibly fascinating to me.”

Edge Delta is able to offer a significantly cheaper service, in large part because it doesn’t have to run a lot of compute and manage huge storage pools itself since a lot of that is handled at the edge. And while the customers obviously still incur some overhead to provision this compute power, it’s still significantly less than what they would be paying for a comparable service. The company argues that it typically sees about a 90 percent improvement in total cost of ownership compared to traditional centralized services.

Image Credits: Edge Delta

Edge Delta charges based on volume and it is not shy to compare its prices with Splunk’s and does so right on its pricing calculator. Indeed, in talking to Tully and Unlu, Splunk was clearly on everybody’s mind.

“There’s kind of this concept of unbundling of Splunk,” Unlu said. “You have Snowflake and the data warehouse solutions coming in from one side, and they’re saying, ‘hey, if you don’t care about real time, go use us.’ And then we’re the other half of the equation, which is: actually there’s a lot of real-time operational use cases and this model is actually better for those massive stream processing datasets that you required to analyze in real time.”

But despite this competition, Edge Delta can still integrate with Splunk and similar services. Users can still take their data, ingest it through Edge Delta and then pass it on to the likes of Sumo Logic, Splunk, AWS’s S3 and other solutions.

Image Credits: Edge Delta

“If you follow the trajectory of Splunk, we had this whole idea of building this business around IoT and Splunk at the Edge — and we never really quite got there,” Tully said. “I think what we’re winding up seeing collectively is the edge actually means something a little bit different. […] The advances in distributed computing and sophistication of hardware at the edge allows these types of problems to be solved at a lower cost and lower latency.”

The Edge Delta team plans to use the new funding to expand its team and support all of the new customers that have shown interest in the product. For that, it is building out its go-to-market and marketing teams, as well as its customer success and support teams.


MyBook Users Urged to Unplug Devices from Internet

Hard drive giant Western Digital is urging users of its MyBook Live brand of network storage drives to disconnect them from the Internet, warning that malicious hackers are remotely wiping the drives using a critical flaw that can be triggered by anyone who knows the Internet address of an affected device.

One of many similar complaints on Western Digital’s user forum.

Earlier this week, Bleeping Computer and Ars Technica pointed to a heated discussion thread on Western Digital’s user forum where many customers complained of finding their MyBook Live and MyBook Live Duo devices completely wiped of their data.

“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” the company said in a statement June 24. “In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live and My Book Live Duo devices received its final firmware update in 2015. We understand that our customers’ data is very important. We are actively investigating the issue and will provide an updated advisory when we have more information.”

Western Digital’s brief advisory includes a link to an entry in the National Vulnerability Database for CVE-2018-18472. The NVD writeup says Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug.

“It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,” NVD wrote.

Examine the CVE attached to this flaw and you’ll notice it was issued in 2018. The NVD’s advisory credits VPN reviewer Wizcase.com with reporting the bug to Western Digital three years ago, back in June 2018.

In some ways, it’s remarkable that it took this long for vulnerable MyBook devices to be attacked: The 2018 Wizcase writeup on the flaw includes proof-of-concept code that lets anyone run commands on the devices as the all-powerful “root” user.

Western Digital’s response at the time was that the affected devices were no longer supported and that customers should avoid connecting them to the Internet. That response also suggested this bug has been present in its devices for at least a decade.

“The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012,” reads a reply from Western Digital that Wizcase posted to its blog. “These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle. We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.”

A local administration page for the MyBook Live Duo.

Wizcase said the flaw it found in MyBook devices also may be present in certain models of WD MyCloud network attached storage (NAS) devices, although Western Digital’s advisory makes no mention of its MyCloud line being affected.

The vulnerable MyBook devices are popular among home users and small businesses because they’re relatively feature-rich and inexpensive, and can be upgraded with additional storage quite easily. But these products also make it simple for users to access their files remotely over the Internet using a mobile app.

I’m guessing it is primarily users who’ve configured their MyBooks to be remotely accessible who are experiencing these unfortunate drive wipes. Regardless, it’s probably safest to observe Western Digital’s advice and disconnect any MyBooks you have from ethernet access.

If you’d still like to keep your MyBook connected to your local network (at least until you can find a suitable backup for your backups), please make double sure remote access is not enabled in your device settings (see screenshot above).

Firebolt raises $127M more for its new approach to cheaper and more efficient Big Data analytics

Snowflake changed the conversation for many companies when it comes to the potentials of data warehousing. Now one of the startups that’s hoping to disrupt the disruptor is announcing a big round of funding to expand its own business.

Firebolt, which has built a new kind of cloud data warehouse that promises much more efficient, and cheaper, analytics around whatever is stored within it, is announcing a major Series B of $127 million on the heels of huge demand for its services.

The company, which only came out of stealth mode in December, is not disclosing its valuation with this round, which brings the total raised by the Israeli company to $164 million. New backers Dawn Capital and K5 Global are in this round, alongside previous backers Zeev Ventures, TLV Partners, Bessemer Venture Partners and Angular Ventures.

Nor is it disclosing many details about its customers at the moment. CEO and co-founder Eldad Farkash told me in an interview that most of them are U.S.-based, and that the numbers have grown from the dozen or so that were using Firebolt when it was still in stealth mode (it worked quietly for a couple of years building its product and onboarding customers before finally launching six months ago). They are all migrating from existing data warehousing solutions like Snowflake or BigQuery. In other words, its customers are already cloud-native, Big Data companies: it’s not trying to proselytize on the basic concept but work with those who are already in a specific place as a business.

“If you’re not using Snowflake or BigQuery already, we prefer you come back to us later,” he said. Judging by the size and quick succession of the round, that focus is paying off.

The challenge that Firebolt set out to tackle is that while data warehousing has become a key way for enterprises to analyze, update and manage their big data stores — after all, your data is only as good as the tools you have to parse it and keep it secure — typically data warehousing solutions are not efficient, and they can cost a lot of money to maintain.

The challenge was seen firsthand by the three founders of Firebolt, Farkash (CEO), Saar Bitner (COO) and Ariel Yaroshevich (CTO) when they were at a previous company, the business intelligence powerhouse Sisense, where respectively they were one of its co-founders and two members of its founding team. At Sisense, the company continually came up against an issue: When you are dealing in terabytes of data, cloud data warehouses were straining to deliver good performance to power their analytics and other tools, and the only way to potentially continue to mitigate that was by piling on more cloud capacity. And that started to become very expensive.

Firebolt set out to fix that by taking a different approach, rearchitecting the concept. As Farkash sees it, while data warehousing has indeed been a big breakthrough in Big Data, it has started to feel like a dated solution as data troves have grown.

“Data warehouses are solving yesterday’s problem, which was, ‘How do I migrate to the cloud and deal with scale?’” he told me back in December. Google’s BigQuery, Amazon’s RedShift and Snowflake are fitting answers for that issue, he believes, but “we see Firebolt as the new entrant in that space, with a new take on design on technology. We change the discussion from one of scale to one of speed and efficiency.”

The startup claims that its performance is up to 182 times faster than that of other data warehouses with a SQL-based system that works on academic research that had yet to be applied anywhere, around how to handle data in a lighter way, using new techniques in compression and how data is parsed. Data lakes in turn can be connected with a wider data ecosystem, and what it translates to is a much smaller requirement for cloud capacity. And lower costs.

Fast forward to today, and the company says the concept is gaining a lot of traction with engineers and developers in industries like business intelligence, customer-facing services that need to parse a lot of information to serve information to users in real time and back-end data applications. That is proving out what investors suspected would be a shift before the startup even launched, stealthily or otherwise.

“I’ve been an investor at Firebolt since their Series A round and before they had any paying customers,” said Oren Zeev of Zeev Ventures. “What had me invest in Firebolt is mostly the team. A group of highly experienced executives mostly from the big data space who understand the market very well, and the pain organizations are experiencing. In addition, after speaking to a few of my portfolio companies and Firebolt’s initial design partners, it was clear that Firebolt is solving a major pain, so all in all, it was a fairly easy decision. The market in which Firebolt operates is huge if you consider the valuations of Snowflake and Databricks. Even more importantly, it is growing rapidly as the migration from on-premise data warehouse platforms to the cloud is gaining momentum, and as more and more companies rely on data for their operations and are building data applications.”

Feature Spotlight: Data-Driven Threat Intelligence with Singularity Signal

Many organizations today have adopted cyber threat intelligence (CTI) programs with the goal of using attacker insights to bolster their defenses. The reality is that most teams struggle to gain full value from their threat intelligence platforms because of their limited scalability to large datasets and lack of actionability. Singularity Signal is an open threat intelligence platform from SentinelOne that harnesses data and analyzes it at unmatched scale to address the threat intelligence data volume challenge. Singularity Signal combines artificial- and human-based intelligence to provide context, enrichment, and actionability to cyber data, empowering organizations to stay a step ahead with unparalleled insight into the attacker mindset.

What is Cyber Threat Intelligence?

The primary goal of a CTI provider is to gather intelligence on the tactics, techniques, and procedures (TTP) of adversaries so organizations can make more informed and data-driven decisions about their cybersecurity programs. These decisions ultimately drive more effective protection, detection, and response against modern cyber-attacks. According to Gartner:

“Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

As a result, CTI can help organizations discover blind spots, provide decision-makers with informed insights into the threat landscape, and ultimately mitigate risk.

Effectively applying threat intelligence empowers security analysts to identify and understand the relationship between adversaries and their TTPs and take proactive steps in their environment accordingly.

Today’s Threat Intelligence Challenges

The cyber threat landscape continues to evolve in complexity and stakes, with recent examples being the DarkSide ransomware campaign against Colonial Pipeline, SUNBURST, the malware variant behind the SolarWinds corporate attack, and the Microsoft Exchange zero-day vulnerabilities that were rapidly exploited by HAFNIUM. And that’s just the tip of the iceberg.

In response, many organizations have implemented cyber threat intelligence over the past several years as an integral part of their information security programs. By integrating CTI, they hope to better prepare for emergent threats and take informed action against cyber risk.

Trouble is, many of these teams are sold on the promise of threat intelligence but rarely see its tangible value in practice. According to the Information Security Forum (ISF)’s research, 82% of their members have a cyber threat intelligence capability, with the remaining 18% planning to implement one in the next twelve months. However, only 25% of those members believe their current capability delivers the expected objectives. In other words, teams are dishing out significant investments but seeing dubious returns.

Many of the common pitfalls of modern threat intelligence are root-caused by the inability to effectively process, correlate, and analyze data, given the exponential growth of available telemetry and signals. Most threat intelligence solutions available today heavily depend on human analysts to consolidate, parse, enrich, and validate data, and their analyses focus too deeply on attribution and backstory versus remediation and action.

In addition, threat intelligence sources often exist in vacuums, and teams lack the right technology and processes to connect and correlate their data for a more complete picture. As a result, it has become costly and highly time-consuming to operationalize CTI, and threat researchers struggle to weed out meaningful insight from the noise.

At SentinelOne, we believe the key to modernizing CTI and maximizing its value is in combining the best of artificial intelligence (AI) with human intelligence. By doing so, organizations resolve two primary pain points: the amount of data that requires manual processing, and the time it takes to manually correlate and contextualize it.

How Can Singularity Signal Help My Organization?

Singularity Signal combines artificial intelligence (AI) and machine learning models with human-enriched intelligence and context to help you preempt even the most advanced attacks and derive tangible value from your threat intelligence investments.

This is achieved through the Singularity Signal AI engine, designed to process billions of signals in real-time. The Signal AI engine analyzes data gathered from the SentinelOne Singularity user base, as well as a global dataset of open source, commercial, and SIGINT feeds. This provides our researchers with unique insights into the probability of attacks and enables them to perform continuous threat modeling in an effort to predict adversaries’ next moves.

With Singularity Signal, you gain a complete, tailored picture of how you are impacted by advanced persistent threats (APTs), nation-state groups, and emergent attacks such as zero-days through real-time enrichment of tactics, techniques, and procedures (TTPs), ongoing threat intelligence reporting curated by our experts, and easy integration of custom intelligence sources through the Singularity Marketplace.

Singularity Signal addresses the data problem in CTI and empowers human threat researchers and security analysts to make informed, data-backed decisions. This helps you take a more proactive, more automated, and more informed approach to your defenses.

Singularity Signal
Join our webinar to learn more about data-driven intelligence.


SentinelOne is committed to helping customers to become proactive with their cybersecurity programs. Recent attacks have demonstrated the importance of understanding adversaries and how they operate in order to reduce their attack surface. Singularity Signal empowers modern security teams to break down the common barriers to running a CTI program by optimizing both artificial- and human-based intelligence, and mastering swathes of cyber data at scale.

For more information, join the Singularity Signal webinar or request a demo.

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Pequity, a compensation platform designed for more equitable pay, raises $19M

Diversity and inclusion have become central topics in the world of work. In the best considerations, improving them is a holistic effort, involving not just conceiving of products with this in mind, but hiring and managing talent in a diverse and inclusive way, too. A new startup called Pequity, which has built a product to help with the latter of these areas, specifically in equitable compensation, has now raised some funding — a sign of the demand in the market, as well as how tech is being harnessed in aid of helping it.

The San Francisco-based startup has raised $19 million in a Series A led by Norwest Venture Partners. First Round Capital, Designer Fund, and Scribble Ventures also participated in the fundraise, which will be used to continue investing in product and also hiring: the company has 20 on its own books now and will aim to double that by the end of this year, on the heels of positive reception in the market.

Since launching officially last year, Pequity has picked up over 100 customers, with an initial focus on fast-scaling companies in its own backyard, a mark of how D&I have come into focus in the tech industry in particular. Those using Pequity to compare and figure out compensation include Instacart, Scale.ai and ClearCo, and the company said that in the last four months, the platform’s been used to make more then 5,000 job offers.

Kaitlyn Knopp, the CEO who co-founded the company with Warren Lebovics (both pictured, right), came up for the idea for Pequity in much the same way that many innovations in the world of enterprise IT come to market: through her own first-hand experience.

She spent a decade working in employment compensation in the Bay Area, with previous roles at Google, Instacart, and Cruise. In that time, she found the tools that many companies used were lacking and simply “clunky” when it came to compensation analysis.

“The way the market has worked so far is that platforms had compensation as an element but not the focus,” she said. “It was the end of the tagline, the final part of a ‘CRM for candidates.’ But you still have to fill in all the gaps, you have to set the architecture the right way. And with compensation, you have to bake in your own analytics, which implies that you have to have some expertise.”

Indeed, as with other aspects of enterprise software, she added that the very biggest tech companies sometimes worked on their own tools, but not only does that leave smaller or otherwise other-focused businesses out of having better calculation tools, but it also means that those tools are siloed and miss out on being shaped by a bigger picture of the world of work. “We wanted to take that process and own it.”

The Pequity product essentially works by plugging into all of the other tools that an HR professional might be using — HRIS, ATS, and payroll products — to manage salaries across the whole of the organization in order to analyse and compare how compensation could look for existing and prospective employees. It combines a company’s own data and then compares it to data from the wider market, including typical industry ranges and market trends, to provide insights to HR teams.

All of this means that HR teams are able to make more informed decisions, which is step number one in being more transparent and equitable, but is also something that Pequity is optimized to cover specifically in how it measures compensation across a team.

And in line with that, there is another aspect of the compensation mindset that Knopp also wanted to address in a standalone product, and that is the idea of building a tool with a mission, one of providing a platform that can bring in data to make transparent and equitable decisions.

“A lot of the comp tools that I’ve interacted with are reactive,” she said. “You may have to do, say, a pay equity test, you do your promotion and merit cycles, and then you find all these issues that you have to solve. We’re flagging those things proactively with our analytics, because we’re plugging into those systems, which will give you those alerts before the decisions need to be made.”

As an added step in that direction, Knopp said that ultimately she believes the tool should be something that those outside of HR, such as managers and emploiyees themselves, should be able to access to better understand the logic of their own compensation and have more information going into any kind of negotiation.

Ultimately, it will be interesting to see whether modernized products like Pequity, which are tackling old problems with a new approach and point of view, find traction in the wider market. If one purpose in HR is to address diversity and inclusion, and part of the problem has been that the tools are just not fit for that purpose, then it seems a no-brainer that we’ll see more organizations trying out new things to see if they can help them in their own race to secure talent.

“Compensation reflects a company’s values, affects its ability to hire talent, and is the biggest expense on its P&L. And yet, most comp teams run on spreadsheets and emails,” said Parker Barrile, Partner at Norwest, in a statement. “Pequity empowers comp teams to design and manage equitable compensation programs with modern software designed by comp professionals, for comp professionals.”