When JBS Met REvil Ransomware | Why We Need to Beef Up Critical Infrastructure Security

The steady drumbeat of news about ransomware attacks continued this week, with the world’s biggest meat processor JBS being hit, as well as the New York Metropolitan Transit Authority and the Massachusetts Steamship Authority. Ransomware attacks are nothing new of course – unscrupulous criminals have been locking the data of individuals and organizations and demanding payment for years – but recent attacks represent a significant escalation in scale and kind as attackers increasingly hit essential public services.

Essential Public Services – An Easy Mark for Ransomware Attacks

Two weeks ago a criminal hacker gang calling itself DarkSide attacked the Colonial Pipeline, which supplies much of the East Coast with nearly half of its fuel. The news of the pipeline’s shutdown caused panic buying throughout much of the country resulting in major gasoline shortages in several states.

It wasn’t the first time that ransomware has hit energy suppliers either. In February 2020, CISA advised all operational technology owners to take action after a ransomware attack on a natural gas plant forced it to shut down for two days. Although that attack was instigated from a spear-phishing email, ransomware operators are increasingly infecting targets through other vectors, including stolen credentials, brute force attacks and installation through desktop sharing apps.

Critical infrastructure such as food and energy suppliers, along with schools and healthcare institutions, are often easy targets for criminals. Many organizations in those sectors are publicly funded and often lack both the budget and the expertise of large, well-resourced private enterprises. For that reason, government facilities, education and the healthcare sector tend to be the most frequent victims of ransomware among the 16 sectors that CISA designates as ‘critical infrastructure’; the spate of ransomware attacks since 2018 on hospitals, schools and cities like Atlanta, Greenville and Baltimore, and on the Riviera Beach City Council, are some of the more high-profile cases in point.

While attacks in the Food and Agriculture sector are not as common, there have reportedly been at least 40 cases in the last twelve months of ransomware targeting food companies. And unfortunately, as we have seen this past week with JBS, the effect of hitting a major food distributor with ransomware can have consequences far beyond that of monetary loss for the organization itself.

Food Suppliers Are Tempting Targets For Ransomware

The attack on JBS represents a massive assault on the food supply not just in the U.S. but in countries around the world. JBS is the world’s largest meat supplier with more than 150 plants and over 150,000 workers employed in fifteen countries. In the US, the company is the second-largest producer of beef, pork and chicken, processing around a quarter of the nation’s beef and about a fifth of its pork.

In a statement last Monday, JBS said that it had been “the target of an organized cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems.” Meanwhile, the U.S. Department of Agriculture said it had reached out to other major meat processors and encouraged them to accommodate additional capacity where possible. The USDA stressed the importance of keeping supply moving and mitigating any potential price issues.

By Thursday, the company released a further statement claiming it was able to limit the loss of food produced during the attack to less than one day’s worth of production and that lost production across the company’s global business would be “fully recovered by the end of next week”.

JBS Attack Attributed to REvil (Sodinokibi)

Meanwhile, the FBI attributed the attack to the REvil gang in a tweet on Thursday.

The REvil ransomware group has been in operation since at least mid-2019. Earlier this year they made headlines with two high-profile attacks on tech companies Acer in March and Apple supplier Quanta in April, demanding ransom payments to the tune of $50 million (it is not known if either of these were paid).

The operators have also been fine-tuning their RaaS (Ransomware-as-a-Service) offering in a bid to evade weak security controls. A recent version attempts to reboot an infected computer into Windows Safe Mode with Networking using the -smode argument. The ransomware changes the user’s password to a hard-coded value then automatically logs in with the new credentials. The SentinelOne platform protects against this (and all other) versions of the REvil ransomware.
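The safe-mode trick described above leaves a recognisable trail in endpoint telemetry. The following correlation rule is an added example written for this post (not SentinelOne's detection logic and not REvil code); it runs over constructed Sysmon-style events and assumes only the standard Windows mechanisms for a safe-mode boot (bcdedit's safeboot setting) and for automatic logon (the Winlogon registry values), not any REvil-specific artefact.

```python
"""Correlation rule for the REvil safe-mode-with-networking trick.

Constructed Sysmon-style events (not real telemetry): EventID 1 = process
creation, EventID 13 = registry value set.  Written for this page as an
illustration; it is not SentinelOne's detection logic.
"""
import re
from datetime import datetime, timedelta

# Windows stores autologon settings here; a clear-text DefaultPassword plus
# AutoAdminLogon=1 is the "change the password, then log in automatically"
# behaviour the text describes.  (Standard Windows values, not REvil-specific.)
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUTOLOGON_VALUES = {"AutoAdminLogon", "DefaultUserName", "DefaultPassword"}

# bcdedit is the documented way to make the next boot a safe-mode boot.
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b.*\bnetwork\b", re.I)
# "net user <name> <password>": a second argument that is not a /switch.
NET_USER_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?!/)\S+\s+(?!/)\S+", re.I)

SEVERITY = {"medium": 1, "high": 2, "critical": 3}


def classify(event):
    """Tag one event, or return None if it carries no indicator."""
    if event["EventID"] == 1:
        cmd = event.get("CommandLine", "")
        if SAFEBOOT_RE.search(cmd):
            return "safeboot_network"
        if NET_USER_RE.search(cmd):
            return "password_change"
    elif event["EventID"] == 13:
        key, _, value = event.get("TargetObject", "").rpartition("\\")
        if key.lower() == WINLOGON.lower() and value in AUTOLOGON_VALUES:
            return "autologon_write"
    return None


def severity_for(tags):
    """A lone indicator is common admin activity; the combination is not."""
    if {"safeboot_network", "autologon_write"} <= tags:
        return "critical" if "password_change" in tags else "high"
    return "medium"


def correlate(events, window=timedelta(minutes=15)):
    """Group indicators per host and score the worst `window`-sized cluster."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        tag = classify(ev)
        if tag:
            by_host.setdefault(ev["Computer"], []).append((ev["UtcTime"], tag))
    alerts = []
    for host, hits in by_host.items():
        best = None
        for i, (t0, _) in enumerate(hits):
            tags = {tag for t, tag in hits[i:] if t - t0 <= window}
            sev = severity_for(tags)
            if best is None or SEVERITY[sev] > SEVERITY[best["severity"]]:
                best = {"host": host, "severity": sev,
                        "tags": sorted(tags), "first_seen": t0}
        alerts.append(best)
    return alerts


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample telemetry: one host showing the full REvil-style sequence,
# one host where an administrator merely enabled safe mode for troubleshooting.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws-finance-07", "UtcTime": _t("2021-06-01 02:14:03"),
     "CommandLine": "bcdedit /set {current} safeboot network"},
    {"EventID": 1, "Computer": "ws-finance-07", "UtcTime": _t("2021-06-01 02:14:04"),
     "CommandLine": "net user jsmith NewP@ss1"},
    {"EventID": 13, "Computer": "ws-finance-07", "UtcTime": _t("2021-06-01 02:14:05"),
     "TargetObject": WINLOGON + r"\AutoAdminLogon", "Details": "1"},
    {"EventID": 13, "Computer": "ws-finance-07", "UtcTime": _t("2021-06-01 02:14:05"),
     "TargetObject": WINLOGON + r"\DefaultPassword", "Details": "NewP@ss1"},
    {"EventID": 1, "Computer": "srv-helpdesk-01", "UtcTime": _t("2021-06-01 09:30:00"),
     "CommandLine": "bcdedit /set {default} safeboot network"},
    {"EventID": 1, "Computer": "srv-helpdesk-01", "UtcTime": _t("2021-06-01 09:31:10"),
     "CommandLine": "net user administrator /domain"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The single-indicator host is scored medium on purpose: a safe-boot setting alone is routine troubleshooting, and the value of the rule is in the combination with a clear-text autologon password written in the same window.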

The dust hasn’t yet settled on this attack and many facts remain unknown, including whether the company paid a ransom. JBS projected optimism that production would be restored quickly in places where it had been interrupted, but even a short disruption to a fifth of the U.S. beef harvesting capacity could have large knock-on effects in the market, potentially causing short term supply shortages and raising prices for beef and other proteins. A longer disruption could have had massive impacts on the entire food supply chain.

Criminal hackers have deftly probed for new vulnerabilities and found new opportunities in places that we previously haven’t thought of as being particularly cyber-dependent. At least on its face, few things could seem less vulnerable to hacking than beef harvesting, but every person and every entity is potentially, and increasingly, vulnerable.

What’s Next For Ransomware and Our Critical Infrastructure?

These attacks raise the specter of even more destructive events down the road. What if criminal hackers managed to strike a major blow to the electrical grid, or a sustained attack on a large energy supplier or big city utility? Previously these kinds of major attacks on civilian critical infrastructure have been the preserve of nation-state actors, and at least in the United States, they’ve been more a threat that we know exists than an everyday reality that we must deal with.

This is the reality of our interconnected world: cyber threats are whole-of-society threats. High-impact attacks are no longer simply a geopolitical concern – they are an ever-present threat from both state and non-state actors. Both are relentlessly searching out vulnerabilities and pain points, and properly dealing with either requires that we recognize the scale and immediacy of the threat. Protecting our food supply, electrical grid, hospital systems and so many other elements of critical infrastructure requires that every public and private entity step up and meet this threat.

If you would like to learn more about how the SentinelOne Singularity Platform can help protect your organization or business, please contact us, or request a free demo.



Naspers co-leads $14.5M extension round in mobility startup WhereIsMyTransport

Many people in emerging markets depend on informal public transport to move across cities. But while there are ride-hailing and bus-hailing applications in some of these cities, there’s a dire need for journey-planning apps to improve mobility for users and reduce the time they spend commuting.

South African-founded startup WhereIsMyTransport is one such company filling that gap for now. Today, it is announcing a $14.5 million Series A extension to continue its expansion across emerging markets; the company already has a presence in South Africa and Mexico.

Naspers, via its investment arm, Naspers Foundry, co-led the investment with Cathay AfricInvest Innovation Fund. According to Naspers, the size of its check was $3 million. Japan’s SBI Investment also participated in the round.

The extension round is coming a year after WhereIsMyTransport received a $7.5 million Series A investment from VC firms and strategic investment from Google, Nedbank and Toyota Tsusho Corporation (TTC).

Devin de Vries, Chris King and Dave New started the company in 2015. As a mobility startup, WhereIsMyTransport maps formal and informal public transport networks. The company then uses the data it gathers to improve the public transport experience, making commuting safe and accessible.

In addition to this, WhereIsMyTransport licenses some of this data to governments, DFIs, NGOs, operators, and third-party developers. It claims this is done for research, analytics, insights and consumer and enterprise solutions purposes.

“WhereIsMyTransport started in South Africa, focused on becoming a central source of accurate and reliable public transport data for high-growth markets. We’re thrilled to welcome Naspers as an investor as our journey continues in megacities across the majority world,” said CEO Devin de Vries in a statement.

Last year when we covered the company, it had mapped 34 cities in Africa while actively mapping some in India, Southeast Asia and Latin America. Since then, it expanded into Mexico City last November and has completed multiple data production projects in the city alongside Lima, Bangkok, Gauteng and Dhaka. To date, the company has worked in 41 cities across 28 countries.

WhereIsMyTransport also launched its first consumer product Rumbo, which provides network information from all modes of public transport in Mexico with more than 100,000 users delivering over 750,000 real-time network alerts. The company says there are plans to launch Rumbo in Lima, Peru later this year.


Devin de Vries (CEO WhereIsMyTransport). Image Credits: WhereIsMyTransport

For co-lead investor Naspers Foundry, this is the firm’s first investment in mobility. So far, it has funded four other South African startups — Aerobotics, SweepSouth, Food Supply Network and The Student Hub — with a focus on edtech, food and cleaning sectors.

“We couldn’t pass on the opportunity to back an extraordinary South African founder who has built his business here in Cape Town to a global market leader in mapping formal and informal transportation with a strong focus on emerging markets,” head of Naspers Foundry Fabian Whate told TechCrunch.

He added that there is an overlap between mobility and the food and e-commerce businesses that are the main focus from a Naspers perspective. “The global food and e-commerce businesses, often operating in emerging markets, are quite reliant on mobility solutions. So there’s a great overlap between what the Naspers Group does and the vision for WhereIsMyTransport.”

In South Africa, WhereIsMyTransport’s clients include Johannesburg commuter rail system Gautrain and Transport for Cape Town. On the other hand, its international client base includes Google, the World Bank and WSP, and others.

South Africa CEO of Naspers Phuthi Mahanyele-Dabengwa said: “Mobility remains an obstacle for billions of people in high-growth markets across the world. Our investment in WhereIsMyTransport is a testimony of our belief that great innovation and tech talent is found in South Africa, and with the right backing and support, these businesses can provide solutions to local challenges that can improve the lives of ordinary people in South Africa and abroad.”

Microsoft’s Windows Virtual Desktop is now Azure Virtual Desktop

As remote work became the default for many companies during the pandemic, it’s maybe no surprise that services like Microsoft’s Windows Virtual Desktop, which gives users access to a fully managed Windows 10 desktop experience from virtually anywhere, saw a lot of interest from large enterprises and a new crop of small businesses that suddenly had to find ways to better support their remote workers. That’s pretty much what Microsoft saw, too, which had originally targeted Windows Virtual Desktop at some of the world’s largest enterprises. And so as the user base changed, Microsoft’s vision for the product changed as well, leading it to now changing its name from Windows Virtual Desktop to Azure Virtual Desktop.

“When we first went GA with Windows Virtual Desktop, about a year and a half ago, the world was a very different place,” said Kam VedBrat, Microsoft’s general manager for Azure Virtual Desktop. “And to be blunt, we looked at the service and what we were building, who we were building it for, pretty differently. No one at that time had any idea that this global pandemic was going to happen and that it would cause so many organizations around the world and millions of people to have to essentially leave the office and work from home — and the role the service would play in enabling a lot of that.”

Image Credits: Microsoft

While the original idea was to help enterprises move their virtual desktop environments from their data centers to the cloud, the pandemic brought a slew of new use cases to Windows Azure Virtual Desktop. It now hosts anything from virtual school labs to the traditional remote enterprise use cases. These new users also have somewhat different needs and expertise from those users the service was originally meant for, so on top of today’s name change, the company is also launching a set of new features that should make it easier for new users to get started with using Azure Virtual Desktop.

Among those is a new Quickstart experience, which will soon launch in public preview. “One piece of feedback that we saw is that as so many organizations are looking at Azure Virtual Desktop to enable new scenarios for hybrid work, they want to get these environments up and running quickly to understand how they work, how their apps behave in them, how to think about app groups and host pools and some of the new concepts that are there,” VedBrat explained. Ideally, it should now only take a few clicks to set up a full virtual desktop environment from the Azure portal.

Also new in Azure Virtual Desktop is support for managing multi-session virtual machines (VMs) with Microsoft Endpoint Manager, Microsoft’s unified service for device management. This marks the first time Endpoint Manager is able to handle multi-session VMs, which are one of the biggest selling points for Azure Virtual Desktop, since it allows a business to host multiple users on the same machine running Windows 10 Enterprise in the cloud.

In addition, Azure Virtual Desktop now offers enhanced support for Azure Active Directory, in addition to a new per-user access pricing option (in addition to the cost of running on the Azure infrastructure) that will allow users to deliver apps to external users. This, Microsoft argues, will allow software vendors to deliver their apps as a SaaS solution, for example.

As for the name change, VedBrat argues that while Windows is obviously at the core of the experience, a lot of the service’s users care about the underlying Azure infrastructure as well, be that storage or networking, for example. “They look at that broader environment that they’re creating — that window estate that they’re creating in the cloud — and they see that as a larger thing and they look at a lot of Azure as part of that. So we felt like the right thing to do at this point, in order to address that broader view that our customers are taking, was to look at the new name,” he explained.

I thought Windows Virtual Desktop explained the core concept just fine, but nobody has ever accused me of being a marketing genius.

Adventures in Contacting the Russian FSB

KrebsOnSecurity recently had occasion to contact the Russian Federal Security Service (FSB), the Russian equivalent of the U.S. Federal Bureau of Investigation (FBI). In the process of doing so, I encountered a small snag: The FSB’s website said in order to communicate with them securely, I needed to download and install an encryption and virtual private networking (VPN) appliance that is flagged by at least 20 antivirus products as malware.

The FSB headquarters at Lubyanka Square, Moscow. Image: Wikipedia.

The reason I contacted the FSB — one of the successor agencies to the Russian KGB — ironically enough had to do with security concerns raised by an infamous Russian hacker about the FSB’s own preferred method of being contacted.

KrebsOnSecurity was seeking comment from the FSB about a blog post published by Vladislav “BadB” Horohorin, a former international stolen credit card trafficker who served seven years in U.S. federal prison for his role in the theft of $9 million from RBS WorldPay in 2009. Horohorin, a citizen of Russia, Israel and Ukraine, is now back where he grew up in Ukraine, running a cybersecurity consulting business.

Horohorin’s BadB carding store, badb[.]biz, circa 2007. Image: Archive.org.

Visit the FSB’s website and you might notice its web address starts with http:// instead of https://, meaning the site is not using an encryption certificate. In practical terms, any information shared between the visitor and the website is sent in plain text and will be visible to anyone who has access to that traffic.

This appears to be the case regardless of which Russian government site you visit. According to Russian search giant Yandex, the laws of the Russian Federation demand that encrypted connections be installed according to the Russian GOST cryptographic algorithm.

That means those who have a reason to send encrypted communications to a Russian government organization — including ordinary things like making a payment for a government license or fine, or filing legal documents — need to first install CryptoPro, a Windows-only application that loads the GOST encryption libraries on a user’s computer.

But if you want to talk directly to the FSB over an encrypted connection, you can just install their own client, which bundles the CryptoPro code. Visit the FSB’s site and select the option to “transfer meaningful information to operational units,” and you’ll see a prompt to install a “random number generation” application that is needed before a specific contact form on the FSB’s website will load properly.

Mind you, I’m not suggesting anyone go do that: Horohorin pointed out that this random number generator was flagged by 20 different antivirus and security products as malicious.

“Think well before contacting the FSB for any questions or dealing with them, and if you nevertheless decide to do this, it is better to use a virtual machine,” Horohorin wrote. “And a spacesuit. And, preferably, while in another country.”

Antivirus product detections on the FSB’s VPN software. Image: VirusTotal.

It’s probably worth mentioning that the FSB is the same agency that’s been sanctioned for malicious cyber activity by the U.S. government on multiple occasions over the past five years. According to the most recent sanctions by the U.S. Treasury Department, the FSB is known for recruiting criminal hackers from underground forums and offering them legal cover for their actions.

“To bolster its malicious cyber operations, the FSB cultivates and co-opts criminal hackers, including the previously designated Evil Corp., enabling them to engage in disruptive ransomware attacks and phishing campaigns,” reads a Treasury assessment from April 2021.

While Horohorin seems convinced the FSB is disseminating malware, it is not unusual for a large number of security tools used by VirusTotal or other similar malware “sandbox” services to incorrectly flag safe files as bad or suspicious — an all-too-common condition known as a “false positive.”

Late last year I warned my followers on Twitter to put off installing updates for their Dell products until the company could explain why a bunch of its software drivers were being detected as malware by two dozen antivirus tools. Those all turned out to be false positives.

To really figure out what this FSB software was doing, I turned to Lance James, the founder of Unit221B, a New York City based cybersecurity firm. James said each download request generates a new executable program. That is because the uniqueness of the file itself is part of what makes the one-to-one encrypted connection possible.

“Essentially it is like a temporary, one-time-use VPN, using a separate key for each download” James said. “The executable is the handshake with you to exchange keys, as it stores the key for that session in the exe. It’s a terrible approach. But it’s what it is.”

James said the FSB’s program does not appear to be malware, at least in terms of the actions it takes on a user’s computer.

“There’s no sign of actual trojan activity here except the fact it self-deletes,” James said. “It uses GOST encryption, and [the antivirus products] may be thinking that those properties look like ransomware.”

James says he suspects the antivirus false positives were triggered by certain behaviors which could be construed as malware-like. The screenshot below — from VirusTotal — says some of the file’s contents align with detection rules made to find instances of ransomware.

Some of the malware detection rules triggered by the FSB’s software. Source: VirusTotal.

Other detection rules tripped by this file include program routines that erase event logs from the user’s system — a behavior often seen in malware that is trying to hide its tracks.

On a hunch that just including the GOST encryption routine in a test program might be enough to trigger false positives in VirusTotal, James wrote and compiled a short program in C++ that invoked the GOST cipher but otherwise had no networking components. He then uploaded the file for scanning at VirusTotal.

Even though James’ test program did nothing untoward or malicious, it was flagged by six antivirus engines as potentially hostile. Symantec’s machine learning engine seemed particularly certain that James’ file might be bad, awarding it the threat name “ML.Attribute.HighConfidence” — the same designation it assigned to the FSB’s program.

KrebsOnSecurity installed the FSB’s software on a test computer using a separate VPN, and straight away it connected to an Internet address currently assigned to the FSB (213.24.76.xxx).

The program prompted me to click on various parts of the screen to generate randomness for an encryption key, and when that was done it left a small window which explained in Russian that the connection was established and that I should visit a specific link on the FSB’s site.

The FSB’s random number generator in action.

Doing so opened up a page where I could leave a message for the FSB. I asked them if they had any response to their program being broadly flagged as malware.

The contact form that ultimately appeared after installing the FSB’s software and clicking a specific link at fsb[.]ru.

After all the effort, I’m disappointed to report that I have not yet received a reply. Nor did I hear back from S-Terra CSP, the company that makes the VPN software offered by the FSB.

James said that given their position, he could see why many antivirus products might think it’s malware.

“Since they won’t use our crypto and we won’t use theirs,” James said. “It’s a great explanation on political weirdness with crypto.”

Still, James said, a number of things just don’t make sense about the way the FSB has chosen to deploy its one-time VPN software.

“The way they have set this up to suddenly trust a dynamically changing exe is still very concerning. Also, why would you send me a 256 random number generator seed in an exe when the computer has a perfectly valid and tested random number generator built in? You’re sending an exe to me with a key you decide over a non-secure environment. Why the fuck if you’re a top intelligence agency would you do that?”

Why indeed. I wonder how many people would share information about federal crimes with the FBI if the agency required everyone to install an executable file first — to say nothing of one that looks a lot like ransomware to antivirus firms?

After doing this research, I learned the FSB recently launched a website that is only reachable via Tor, software that protects users’ anonymity by bouncing their traffic between different servers and encrypting the traffic at every step of the way. Unlike the FSB’s clear web site, the agency’s Tor site does not ask visitors to download some dodgy software before contacting them.

“The application is running for a limited time to ensure your safety,” the instructions for the FSB’s random number generator assure, with just a gentle nudge of urgency. “Do not forget to close the application when finished.”

Yes, don’t forget that. Also, do not forget to incinerate your computer when finished.

Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang

The U.S. Department of Justice said today it has recovered $2.3 million worth of Bitcoin that Colonial Pipeline paid to ransomware extortionists last month. The funds had been sent to DarkSide, a ransomware-as-a-service syndicate that disbanded after a May 14 farewell message to affiliates saying its Internet servers and cryptocurrency stash were seized by unknown law enforcement entities.

On May 7, the DarkSide ransomware gang sprang its attack against Colonial, which ultimately paid 75 Bitcoin (~$4.4 million) to its tormentors. The company said the attackers only hit its business IT networks — not its pipeline security and safety systems — but that it shut the pipeline down anyway as a precaution [several publications noted Colonial shut down its pipeline because its billing system was impacted, and it had no way to get paid].

On or around May 14, the DarkSide representative on several Russian-language cybercrime forums posted a message saying the group was calling it quits.

“Servers were seized, money of advertisers and founders was transferred to an unknown account,” read the farewell message. “Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information.”

A message from the DarkSide and REvil ransomware-as-a-service cybercrime affiliate programs.

Many security experts said they suspected DarkSide was just lying low for a while thanks to the heat from the Colonial attack, and that the group would re-emerge under a new banner in the coming months. And while that may be true, the seizure announced today by the DOJ certainly supports the DarkSide administrator’s claims that their closure was involuntary.

Security firms have suspected for months that the DarkSide gang shares some leadership with that of REvil, a.k.a. Sodinokibi, another ransomware-as-a-service platform that closed up shop in 2019 after bragging that it had extorted more than $2 billion from victims. That suspicion was solidified further when the REvil administrator added his comments to the announcement about DarkSide’s closure (see screenshot above).

First surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. DarkSide says it targets only big companies, and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits.

According to an analysis published May 18 by cryptocurrency security firm Elliptic, 47 cybercrime victims paid DarkSide a total of $90 million in Bitcoin, putting the average ransom payment of DarkSide victims at just shy of $2 million.

HOW DID THEY DO IT?

The DOJ’s announcement left open the question of how exactly it was able to recover a portion of the payment made by Colonial, which shut down its Houston to New England fuel pipeline for a week and prompted long lines, price hikes and gas shortages at filling stations across the nation.

The DOJ said law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins (~$3.77 million on May 8), “representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.”

A passage from the DOJ’s press release today.

How it came to have that private key is the key question. Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, said the most likely explanation is that law enforcement agents seized money from a specific DarkSide affiliate responsible for bringing the crime gang the initial access to Colonial’s systems.

“The ‘obtained the private key’ part of their statement is doing a lot of work,” Weaver said, pointing out that the amount the FBI recovered was less than the full amount Colonial paid.

“It is ONLY the Colonial Pipeline ransom, and it looks to be only the affiliate’s take.”

Experts at Elliptic came to the same conclusion.

“Any ransom payment made by a victim is then split between the affiliate and the developer,” writes Elliptic’s co-founder Tom Robinson. “In the case of the Colonial Pipeline ransom payment, 85% (63.75 BTC) went to the affiliate and 15% went to the DarkSide developer.”

The Biden administration is under increasing pressure to do something about the epidemic of ransomware attacks. In conjunction with today’s action, the DOJ called attention to the wins of its Ransomware and Digital Extortion Task Force, which have included successful prosecutions of crooks behind such threats as the Netwalker and SamSam ransomware strains.

The DOJ also released a June 3 memo from Deputy Attorney General Lisa O. Monaco instructing all federal prosecutors to adhere to new guidelines that seek to centralize reporting about ransomware victims.

Having a central place for law enforcement and intelligence agencies to gather and act on ransomware threats was one of the key recommendations of a ransomware task force being led by some of the world’s top tech firms. In an 81-page report, the industry-led task force called for an international coalition to combat ransomware criminals, and for a global network of investigation hubs. Their recommendations focus mainly on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and on targeting the individuals and finances of the organized thieves behind these crimes.

The Good, the Bad and the Ugly in Cybersecurity – Week 23

The Good

Browsers are the means by which almost all of us interact with the internet and are one of the few applications on any device that a user is almost guaranteed to use. Given their central role in our digital lives, anything that improves browser security is more than good news. This week saw two major browsers roll out updates with added security features.

Google’s Chrome browser is being given a new download protection feature that not only allows it to scan files for malware but to send the file to Google to be scanned for deeper analysis in real time. On top of that, Chrome 91’s Enhanced Safe Browsing feature offers additional protection when installing extensions from the Chrome Web store, a known vector for all sorts of adware and other malicious software. New developers will also not be given automatic trust by Enhanced Safe Browsing either, preventing malware authors circumventing detections just by spinning up a new developer identity.

This week also saw the release of Firefox 89. While the new ‘Proton’ UI was the headline news, it may have slipped under the radar that the new version extends protection against cross-site cookie tracking to Private Browsing windows by default. Mozilla claims that “Firefox’s Private Browsing windows have the most advanced privacy protections of any major browser’s private browsing mode.” Good to know.

The Bad

This week’s raft of ransomware attacks includes incidents affecting the Steamship Authority of Massachusetts, FujiFilm, and JBS. While details of the first two are still incoming, according to the FBI, the REvil ransomware family is behind the recent attack on JBS. “We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice”, the Bureau tweeted on Thursday.

The ransomware attack affected operations in North America and Australia, igniting fears of product shortages and price increases. The REvil ransomware group has been in operation (in its current form) since mid-2019. Their ransomware is distributed via multiple methods including exploit kits, exploitation, and partnerships with other malware ‘frameworks’. SentinelOne customers have been protected from REvil since the onset of their activity.

SentinelLabs’ senior threat researcher Jim Walter noted that REvil were something of a ‘pioneer’ in the modern ransomware threatscape, “being one of the early adopters of publicly blogging victims and leaning heavily into the ‘double-extortion’ side of things.” Copied by many ransomware operators that followed, Walter said that the actors behind REvil were “early experimenters with auctioning off stolen data. Some auctions were successful, some were not, but potentially data stolen from select victims would have been available to the highest bidder.”

The Ugly

If there’s anyone still out there that doesn’t understand that computer crime is now such big business that it is effectively run in the same way as legitimate businesses, this week’s latest news from the criminal underground should serve to ram home the point.

In a bid to boost knowledge on ways to steal private keys and cryptocurrency wallets, members of a cybercrime forum are being offered over $100,000 in prize money in a competition calling for research papers on cryptocurrency-related topics.

Among the papers submitted were entries showing how to create a phishing website to harvest cryptocurrency wallet keys and seed phrases and how to manipulate cryptocurrency services’ APIs to steal private keys. Incentivising innovation through cash prizes not only shows how developed cybercrime is as an industry but also just how much stolen cash is floating around for investment in further crime.

So, you think you can tell what counts as a computer crime? In other controversial news this week, the U.S. Supreme Court has overturned a lower court’s verdict concerning the meaning and scope of the Computer Fraud and Abuse Act (CFAA). The decision limits the scope of the Act and essentially does not consider it a crime under the CFAA if, for example, a malicious insider abuses their own credentials to steal corporate IP (they may, of course, be guilty of committing offenses under other statutes in so doing).

This is not necessarily a bad thing: the new ruling would not have resulted in convictions such as that handed down to internet activist and campaigner Aaron Swartz, for example, and allays concerns of government overreach in using the CFAA to criminalize trivial computer misuses. However, the decision will undoubtedly prove contentious and could see a re-write of the CFAA as a result.



Xometry is taking its excess manufacturing capacity business public

Xometry, a Maryland-based service that connects companies with manufacturers with excess production capacity around the world, filed an S-1 form with the U.S. Securities and Exchange Commission announcing its intent to become a public company.

Growth aside, it’s clear that Xometry is no modern software business, at least from a revenue-quality profile.

As the global supply chain tightened during the pandemic in 2020, a company that helped find excess manufacturing capacity was likely in high demand. CEO and co-founder Randy Altschuler described his company to TechCrunch this way last September upon the announcement of a $75 million Series E investment:

“We’ve created a marketplace using artificial intelligence to power it, and provide an e-commerce experience for buyers of custom manufacturing and for suppliers to deliver that manufacturing,” Altschuler said at the time. Xometry raised nearly $200 million while private, per Crunchbase data.

With Xometry, companies looking to build custom parts now have the ability to do so in a digital way. Rather than working the phones or starting an email chain, they can go into the Xometry marketplace, define parameters for their project and find a qualified manufacturer who can handle the job at the best price.

As of last September, the company had built relationships with 5,000 manufacturers around the world and had 30,000 customers using the platform.

At the time of that funding round, perhaps it wasn’t a coincidence that the company’s lead investor was T. Rowe Price. When an institutional investor is involved in a late-stage round, it’s usually a sign that the company is ready to start thinking about an IPO. Altschuler said it was definitely something the company was considering and had brought on a CFO, too, another sign that a company is ready to take that next step.

So what do Xometry’s financials look like as it heads to the public markets? We took a look at the S-1 to find out.

The numbers

Xometry makes money in two ways. The first comes from one part of its marketplace, with the company generating “substantially all of [its] revenue” from charging “buyers on its platform.” The other way that Xometry engenders top line is seller-related services, including financial work. The company notes that seller-generated revenues were just 5% of its 2020 total, though it does expect that figure to rise.

Hack Chat | Meet Pedram Amini: Master at Fuzzing and Bootstrapping Companies

As many readers will already know, Hack Chat is SentinelOne’s very own podcast series with Marco Figueroa and leaders from the world of infosec. If you’ve yet to catch on, Hack Chat is now in Season 2, and Marco’s guests have included such security celebs as H.D. Moore and Chris Nickerson. You can catch up on earlier episodes of Hack Chat from both Season 1 and Season 2 here.

S02 E05: Prepare to Meet Pedram Amini

In episode 5 of Season 2, Marco interviews Pedram Amini, a world-renowned expert in fuzzing and hacking. Pedram has presented a variety of research at different conferences such as BlackHat, DefCon, Microsoft Bluehat, and Virus Bulletin, to name a few. He’s also taught numerous sold-out courses on reverse engineering.

In this episode, Marco and Pedram dive deep into finding bugs, fuzzing and how Pedram started ZDI. Pedram takes us through the mindset of bootstrapping companies and what it takes to make them successful.

Hack Chat | Master at Fuzzing and Bootstrapping Companies goes live Thursday June 3rd at 10am PST, but in the meantime here’s a few of the highlights.

How Did You Get Into Reverse Engineering?

“From a young age, I’ve always been into puzzles, you know, and at some point I had gotten my hands on a laptop in the early years in high school. And as a matter of necessity, just to get access to the software, I picked up a copy of Soft Ice and I started cracking protection codes. And I found that that process actually of reverse engineering to crack those codes was more fun than any puzzles I’ve ever done. And so really, the debugger and the compiler are the last puzzle I ever picked up.”

How Did You Get Your First Opportunity in Infosec?

“During my time at Tulane, Blackboard was just released. It’s pretty popular curriculum management software now, but it was just released and they were using it at Tulane. I found a couple of different ways of hacking into Blackboard. And so I published those advisories on Full Disclosure and BugTraq, which were the two mediums for getting information out there at the time. And so Dave Endler working for a company called iDefense, looking to launch…you know, we talked about being Tulane alum and he happened to be coming to campus…And so the timing was perfect. We spoke and we hit it off and I ended up being the first hire.”

What Was Your First Startup?

“It was a garage startup. The two of us put our entire life savings on the line and, you know, literally just got together every day and packed that thing into fruition…we were playing this game where we would buy these vulnerabilities. We reported to the vendor, but also tell our subscribers about it. And then later there would be a public disclosure…We could purchase the vulnerability, inform the vendor, not tell anybody about how to exploit this thing, but put in defensive logic into our product…It was a win-win across the board. You know, the vendors got something, we got something. And of course, the researchers got something out of it as well.”

What Are You Doing Now?

“I’ve got my fingers in a couple of different things; I have a couple of technical advisory roles and investor roles in companies like AttackIQ and GreyNoise, ex intelligence. And I’ve always been a friend of the family there and I sit on their advisory board as well. And so that’s one of the things that keeps my sanity right. I’ve got a foot in the offensive space till I get to surround myself with that kind of thinking. Those lateral thinkers are my favorite kinds of folks to interact with.”

And Pedram’s Dream?

“My dream would be to create a think tank so we could spin ideas into companies and I nerd out about creating. This is why I have these advisory roles at companies.”

But There’s So Much More: Check It Out!

There’s a whole lot more to learn and enjoy from joining Marco and Chris in the latest episode of Hack Chat. Be sure not to miss it and bookmark the Hack Chat web page.


Gong going gangbusters, grabs $250M Series E on $7.25B valuation

Gong, the revenue intelligence startup, has been raising capital at a rapid pace, and today the company announced another $250 million on a $7.25 billion valuation, a number that triples its previous valuation from last summer.

Franklin Templeton led today’s festivities with participation from Coatue, Salesforce Ventures, Sequoia, Thrive Capital and Tiger Global. The company raised $200 million last August at a $2.2 billion valuation, and has now raised $584 million, $450 million coming in the last year.

What is making investors open their wallets and pull out such large sums of cash? The company is helping solve a hard problem on how to bring more intelligence to the revenue process. They do this by using artificial intelligence to listen to every customer interaction, whether that’s a sales or service call (or anything else), and use that information to determine valuable information like who is most likely to buy and who is most likely to churn.

It’s been going well and CEO Amit Bendov says the company’s performance really validates the valuation. While he wasn’t ready to discuss specific numbers, he did say that ARR grew 2.3x between Q1 last year and this year, and he says Q2 is on pace to triple ARR.

“The valuation is up about 3x from last summer, but sales are more than 3x. We have high logo customers. [Last year], it was still unclear how COVID was going to impact us. People believed [our business] was going to do well [during the pandemic], but it wasn’t as obvious. Now, it is obvious. And all the […] financials are way better, so from a pure financials [perspective] our multipliers are pretty reasonable for our revenue trajectory,” he said.

With all this growth, the company is adding employees at a rapid pace. It closed the year with 400 people, and is up to around 550 today with a goal of reaching 950 by year end. It has partnered with a consulting firm called ReadySet, which helps companies build diverse and inclusive organizations, and Bendov says they are an equal-pay company.

Women represent around 40% of the employees and around 4% are Black, a number he hopes to increase by growing the Atlanta office. In the office in Israel, he has set up employment and training programs to build bridges to the Arab community.

Bendov says he looks forward to meeting his U.S. employees in the coming weeks when he’ll be visiting the Atlanta office for the first time.

 

5 Questions to Consider Before Choosing the Right XDR Solution

The threat landscape continues to evolve and expand rapidly. As attack vectors multiply, from endpoints to networks to the cloud, many enterprises address each vector with a best-in-class solution to protect those specific vulnerabilities. However, these point tools don’t connect the dots across the entire technology stack. As a result, security data is collected and analyzed in isolation, without any context or correlation, creating gaps in what security teams can see and detect.

In addition, as the number of deployed security solutions in the enterprise grows, so does the effort needed to manage them and respond effectively to their alerts. Administrators can quickly become overwhelmed by the volume of data produced from multiple locations and systems and by the constant stream of security alerts they must manage.

Extended Detection and Response (XDR)

XDR, Extended Detection and Response, is the evolution of EDR, Endpoint Detection and Response. XDR unifies visibility and control across all endpoints, the network, and cloud workloads. This improved visibility provides context for threats to assist with remediation efforts. XDR automatically collects and correlates data across multiple security vectors, facilitating faster threat detection so that security analysts can respond quickly before the scope of the threat broadens. In short, XDR extends beyond the endpoint to make decisions based on data from more products and can take action across your stack by acting on email, network, identity, and beyond.

As XDR is gaining traction and emerging as a key next-generation security tool, here are five questions you should consider while looking at an XDR solution.

1. Does the XDR Solution Provide Rich, Cross-Stack Visibility With the Ability to Seamlessly Ingest From Multiple Data Sources?

EDR solutions are excellent at obtaining security-relevant information from endpoints. However, they lack the telemetry to provide broad visibility into an attacker’s behavior and goals when these span other sources. A robust XDR platform solves this telemetry limitation by ingesting telemetry from multiple security layers and possible attack points. This makes it possible to monitor and manage incoming alerts continuously. Additionally, with the help of threat intelligence feeds, XDR systems can proactively search for concealed threats.

Singularity XDR can enable enterprises to seamlessly ingest structured, unstructured, and semi-structured data in real-time from any technology product or platform, breaking down data silos and eliminating critical blind spots. With our recent Scalyr acquisition, the solution can empower security teams to see data collected by disparate security solutions from all platforms, including endpoints, cloud workloads, network devices, and more, within a single dashboard.

Singularity XDR lets analysts take advantage of insights derived from aggregating event information from multiple different solutions into a single contextualized “incident.” It also provides customers with a central enforcement and analytics hub for complete enterprise visibility and autonomous prevention, detection, and response, helping organizations address cybersecurity challenges from a unified standpoint.

2. Does the XDR Solution Provide Automated Context and Correlation Across the Different Security Layers?

Many EDR solutions require (human) security teams to conduct investigations. But given the volume of alerts generated, many security teams are not resourced to delve into every single incident. A robust XDR solution should be augmented with AI and automated, built-in context and correlation.

SentinelOne’s patented Storyline technology provides real-time, automated, machine-built context and correlation across the enterprise security stack to transform disconnected data into rich stories and lets security analysts understand the full story of what happened in their environment. Storyline automatically links all related events and activities together in a storyline with a unique identifier. This allows security teams to see the full context of what occurred within seconds rather than needing to spend hours, days, or weeks correlating logs and linking events manually.

SentinelOne’s behavioral engine tracks all system activities across your environment, including file/registry changes, service start/stop, inter-process communication, and network activity. It detects tactics and techniques that indicate malicious behavior, effectively identifying stealthy activity such as fileless attacks, lateral movement, and actively executing rootkits. Singularity XDR automatically correlates related activity into unified alerts that provide campaign-level insight and allows enterprises to correlate events across different vectors so that alerts can be triaged as a single incident.

3. Does the XDR Solution Auto-Enrich Threats With Integrated Threat Intelligence?

As new threats emerge, a lack of external context makes it difficult for analysts to determine whether an alert or indicator represents a real threat to their organization. Threat intelligence provides up-to-date information on threats, vulnerabilities, and malicious indicators freeing security teams to focus on what is most important. A well-built XDR solution enables threat intelligence integration from multiple sources to help security teams prioritize and triage alerts quickly and efficiently.

Singularity XDR integrates threat intelligence for detection and enrichment from leading third-party feeds and our proprietary sources, auto-enriching endpoint incidents with real-time threat intelligence. It empowers security teams to get additional contextual risk scores on indicators of compromise (IoCs) such as IPs, hashes, vulnerabilities, and domains. For example, with our Recorded Future integration, threats are auto-enriched from 800,000+ sources, enabling customers to accelerate threat investigation and triage. Customers can also leverage a query library of hunts curated by SentinelOne research, which continually evaluates new methodologies to uncover new IoCs and Tactics, Techniques, and Procedures (TTPs).
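The two ideas in questions 2 and 3 above, automated correlation of cross-source events into one incident and enrichment of its indicators from a threat-intelligence feed, as an added illustration that is not SentinelOne’s Storyline code: events from three constructed sources (endpoint, file, network) are grouped by process lineage into a storyline with its own identifier, a single behavioural rule is applied, and network destinations are scored against a constructed intel feed. All hosts, process ids, paths, IP addresses, and scores are made up.

```python
from typing import Dict, List, Tuple

Key = Tuple[str, int]  # (host, pid) identifies a process on a host

# Constructed telemetry from three "sources"; not real data. pid 4 is the
# never-observed system parent, so a child of pid 4 starts its own storyline.
EVENTS: List[dict] = [
    {"src": "endpoint", "type": "process_create", "host": "ws01", "pid": 100, "ppid": 4, "image": "explorer.exe"},
    {"src": "endpoint", "type": "process_create", "host": "ws01", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"src": "endpoint", "type": "process_create", "host": "ws01", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"src": "file", "type": "file_write", "host": "ws01", "pid": 300, "path": "C:\\Users\\a\\AppData\\x.exe"},
    {"src": "network", "type": "connect", "host": "ws01", "pid": 300, "dst": "203.0.113.10"},
    {"src": "endpoint", "type": "process_create", "host": "ws01", "pid": 400, "ppid": 4, "image": "svchost.exe"},
    {"src": "network", "type": "connect", "host": "ws01", "pid": 400, "dst": "198.51.100.5"},
]

# Constructed threat-intel feed: indicator -> risk score (0-100).
INTEL: Dict[str, int] = {"203.0.113.10": 90}

OFFICE = {"winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def storyline_roots(events: List[dict]) -> Dict[Key, Key]:
    """Map every observed process to the root of its observed process tree.
    A process whose parent was never observed is a root of its own storyline."""
    parent: Dict[Key, Key] = {}
    for e in events:
        if e["type"] == "process_create":
            parent[(e["host"], e["pid"])] = (e["host"], e["ppid"])
    roots: Dict[Key, Key] = {}
    for key in parent:
        cur = key
        while parent[cur] in parent:  # climb while the parent was observed
            cur = parent[cur]
        roots[key] = cur
    return roots


def correlate(events: List[dict], intel: Dict[str, int]) -> Dict[str, dict]:
    """Group events by process lineage into storylines, apply one behavioural
    rule (Office application spawning a shell) and enrich network indicators."""
    roots = storyline_roots(events)
    image = {(e["host"], e["pid"]): e["image"] for e in events if e["type"] == "process_create"}
    stories: Dict[str, dict] = {}
    for e in events:
        key = (e["host"], e["pid"])
        root = roots.get(key, key)  # event from an unseen process: its own storyline
        sid = f"SL-{root[0]}-{root[1]}"
        s = stories.setdefault(sid, {"events": [], "techniques": set(), "indicators": {}, "risk": 0})
        s["events"].append(e)
        if e["type"] == "process_create" and e["image"] in SHELLS:
            if image.get((e["host"], e["ppid"])) in OFFICE:
                s["techniques"].add("office_spawns_shell")
        if e["type"] == "connect":
            score = intel.get(e["dst"])  # None when the feed has no verdict
            s["indicators"][e["dst"]] = score
            s["risk"] = max(s["risk"], score or 0)
    return stories


if __name__ == "__main__":
    for sid, s in correlate(EVENTS, INTEL).items():
        print(sid, len(s["events"]), "events", sorted(s["techniques"]), s["indicators"], "risk", s["risk"])
```

The Office-to-shell chain, its file write and its outbound connection collapse into one storyline with a risk of 90, while the unrelated svchost.exe connection stays a separate, unscored storyline, which is the triage-as-one-incident behaviour the text describes.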

4. Does the XDR Solution Automate Response Across Different Domains?

Of course, incident detection and investigation need to trigger an effective response to mitigate the incident. The response needs to be pre-defined and repeatable to make remediation more efficient and to intervene at any step of an attack in progress. The response should clearly define both short-term and long-term measures that can be used to neutralize the attack. It is also essential to understand the cause of the threat in order to improve security and prevent similar attacks in the future. All necessary steps must be taken to ensure that similar attacks are not likely to happen again.

Singularity XDR enables analysts to take all the required actions to automatically resolve threats with one click, without scripting, on one, several, or all devices across the estate. With one click, the analyst can execute remediation actions such as network quarantine, auto-deploy an agent on a rogue workstation, or automate policy enforcement across cloud environments.

Singularity XDR also lets customers leverage the insights Storyline delivers to create custom automated detection rules specific to their environment with Storyline Active-Response (STAR). STAR allows enterprises to incorporate their business context and customize the EDR solution to their needs. With Storyline Active-Response (STAR) custom detection rules, you can turn queries into automated hunting rules that trigger alerts and responses when rules detect matches. STAR gives you the flexibility to create custom alerts and responses specific to your environment to automatically and rapidly detect and contain threats across your environment.

5. Does the XDR Solution Let You Easily Integrate With Leading SOAR Tools?

As you may have other security tools and technologies deployed in your SOC, your XDR solution should let you utilize your existing investments in security tools. Key features would be built-in integrations, including automated responses and integrated threat intelligence.

SentinelOne offers a growing portfolio of integrations to third-party systems like SIEM and SOAR via Singularity Marketplace. Singularity Apps are hosted on our scalable serverless Function-as-a-Service cloud platform and joined together with API-enabled IT and Security controls with a few clicks. Singularity Marketplace is part of the SentinelOne platform enabling customers to remove the barriers of writing complex code, making automation simple and scalable between vendors. Security teams can easily navigate the best course of action to remediate and defeat high-velocity threats by driving a unified, orchestrated response among security tools in different domains.


Conclusion: XDR is the Future of EDR

The future is an XDR-driven future. Specialized security products must work together to defend against an intensifying effort to overrun the digital barriers that protect our now technology-dependent lives. As with any new technology entering the marketplace, there is a lot of hype, and buyers need to be wise. The reality is, not all XDR solutions are alike. SentinelOne Singularity XDR unifies and extends detection and response capability across multiple security layers, providing security teams with centralized end-to-end enterprise visibility, powerful analytics, and automated response across the complete technology stack.

If you would like to learn more about the SentinelOne Singularity Platform, contact us or request a free demo.
