Achieving digital transformation through RPA and process mining

Understanding what you will change is the most important step toward a long-lasting and successful robotic process automation (RPA) transformation. Three pillars will be most affected by the change: people, process and digital workers (also referred to as robots). The interaction of these three pillars executes workflows and tasks and, if integrated cohesively, determines the success of an enterprise-wide digital transformation.

Robots are not coming to replace us; they are coming to take over the repetitive, mundane and monotonous tasks that we have never been fond of. They are here to transform the work we do by allowing us to focus on innovation and impactful work. RPA ties decisions and actions together. It is the skeletal structure of a digital process that carries information from point A to point B. However, the decision-making capability to understand and decide what comes next will be fueled by RPA’s integration with AI.

We are seeing software vendors adopt vertical technology capabilities and offer a wide range of products to address the three pillars mentioned above. These include powerhouses like UiPath, which recently went public; Microsoft, with its Softomotive acquisition; and Celonis, which recently became a unicorn with a $1 billion Series D round. RPA firms call it “intelligent automation,” whereas Celonis targets the execution management system. Both are aiming to be a one-stop shop for all things related to process.

We have seen investments in various product categories for each stage of the intelligent automation journey: process and task mining for process discovery, centralized business process repositories for CoEs and executives to manage the pipeline and measure cost versus benefit, and artificial intelligence solutions for intelligent document processing.

For your transformation journey to be successful, you need to develop a deep understanding of your goals, people and the process.

Define goals and measurements of success

From a strategic standpoint, success measures for automating, optimizing and redesigning work should not be solely centered around metrics like decreasing fully loaded costs or FTE reduction, but should put the people at the center. To measure improved customer and employee experiences, give special attention to metrics such as decreases in throughput time or rework rate, the identification of vendors that deliver late, the detection of missed invoice payments, or the identification of loan requests from individuals who are more likely to pay back late. These provide more targeted success measures for specific business units.

The returns realized with an automation program are not limited to metrics like time or cost savings. The overall performance of an automation program can be more thoroughly measured with the sum of successes of the improved CX/EX metrics in different business units. For each business process you will be redesigning, optimizing or automating, set a definitive problem statement and try to find the right solution to solve it. Do not try to fit predetermined solutions into the problems. Start with the problem and goal first.

Understand the people first

To accomplish enterprise digital transformation via RPA, executives should put people at the heart of their program. Understanding the skill sets and talents of the workforce within the company can yield better knowledge of how well each employee can contribute to the automation economy within the organization. A workforce that is continuously retrained and upskilled learns how to automate and flexibly complete tasks together with robots and is better equipped to achieve transformation at scale.

Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software

Last week cybercriminals deployed ransomware to 1,500 organizations, including many that provide IT security and technical support to other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya’s customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago.

On July 3, the REvil ransomware affiliate program began using a zero-day security hole (CVE-2021-30116) to deploy ransomware to hundreds of IT management companies running Kaseya’s remote management software — known as the Kaseya Virtual System Administrator (VSA).

According to this entry for CVE-2021-30116, the security flaw that powers that Kaseya VSA zero-day was assigned a vulnerability number on April 2, 2021, indicating Kaseya had roughly three months to address the bug before it was exploited in the wild.

Also on July 3, security incident response firm Mandiant notified Kaseya that their billing and customer support site — portal.kaseya.net — was vulnerable to CVE-2015-2862, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser.

As its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya’s customer portal was still exposed to the data-leaking weakness.

The Kaseya customer support and billing portal. Image: Archive.org.

Mandiant notified Kaseya after hearing about it from Alex Holden, founder and chief technology officer of Milwaukee-based cyber intelligence firm Hold Security. Holden said the 2015 vulnerability was present on Kaseya’s customer portal until Saturday afternoon, allowing him to download the site’s “web.config” file, a server component that often contains sensitive information such as usernames and passwords and the locations of key databases.

“It’s not like they forgot to patch something that Microsoft fixed years ago,” Holden said. “It’s a patch for their own software. And it’s not zero-day. It’s from 2015!”

The official description of CVE-2015-2862 says a would-be attacker would need to be already authenticated to the server for the exploit to work. But Holden said that was not the case with the vulnerability on the Kaseya portal that he reported via Mandiant.

“This is worse because the CVE calls for an authenticated user,” Holden said. “This was not.”

Michael Sanders, executive vice president of account management at Kaseya, confirmed that the customer portal was taken offline in response to a vulnerability report. Sanders said the portal had been retired in 2018 in favor of a more modern customer support and ticketing system, yet somehow the old site was still left available online.

“It was deprecated but left up,” Sanders said.

In a written statement shared with KrebsOnSecurity, Kaseya said that in 2015 CERT reported two vulnerabilities in its VSA product.

“We worked with CERT on responsible disclosure and released patches for VSA versions V7, R8, R9 and R9 along with the public disclosure (CVEs) and notifications to our customers. Portal.kaseya.net was not considered by our team to be part of the VSA shipping product and was not part of the VSA product patch in 2015. It has no access to customer endpoints and has been shut down – and will no longer be enabled or used by Kaseya.”

“At this time, there is no evidence this portal was involved in the VSA product security incident,” the statement continued. “We are continuing to do forensic analysis on the system and investigating what data is actually there.”

The REvil ransomware group said affected organizations could negotiate independently with them for a decryption key, or someone could pay $70 million worth of virtual currency to buy a key that works to decrypt all systems compromised in this attack.

But Sanders said every ransomware expert Kaseya consulted so far has advised against negotiating for one ransom to unlock all victims.

“The problem is that they don’t have our data, they have our customers’ data,” Sanders said. “We’ve been counseled not to do that by every ransomware negotiating company we’ve dealt with. They said with the amount of individual machines hacked and ransomwared, it would be very difficult for all of these systems to be remediated at once.”

In a video posted to YouTube on July 6, Kaseya CEO Fred Voccola said the ransomware attack had “limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached.”

“While each and every customer impacted is one too many, the impact of this highly sophisticated attack has proven to be, thankfully, greatly overstated,” Voccola said.

The zero-day vulnerability that led to Kaseya customers (and customers of those customers) getting ransomed was discovered and reported to Kaseya by Wietse Boonstra, a researcher with the Dutch Institute for Vulnerability Disclosure (DIVD).

In a July 4 blog post, DIVD’s Victor Gevers wrote that Kaseya was “very cooperative,” and “asked the right questions.”

“Also, partial patches were shared with us to validate their effectiveness,” Gevers wrote. “During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Still, Kaseya has yet to issue an official patch for the flaw Boonstra reported in April. Kaseya told customers on July 7 that it was working “through the night” to push out an update.

Gevers said the Kaseya vulnerability was discovered as part of a larger DIVD effort to look for serious flaws in a wide array of remote network management tools.

“We are focusing on these types of products because we spotted a trend where more and more of the products that are used to keep networks safe and secure are showing structural weaknesses,” he wrote.

Cyber Insurance: Navigating A Tough New World In the Age of Ransomware

This week, REvil ransomware operators exploited a bug in Kaseya VSA software and then requested a lump sum of $50 million for a universal decryption key for all victims of the Kaseya attack. To put that in context, all ransomware extortion payments last year were calculated at $350 million in cryptocurrency. Insurance carriers are paying those claims, but the increased cost, frequency and time to pay fall outside the scope of traditional insurance.

No market segment or industry group has been spared by ransomware. In this threat environment, two things are certain: organizations need better security stacks/fewer bugs, and they need to transfer risk via cyber insurance. Unfortunately, a lot of companies viewed this as an “either/or” proposition and that has driven losses and dramatic change in the way that insurers price cyber risk.

Marsh Insurance reported a 35% increase in cyber insurance premiums last month, the largest in 5 years. Unsustainable loss ratios have led to higher premiums for less coverage and higher retentions (deductibles). Many companies will not qualify for renewal if their tech stack is not up to par. Brokers report all markets are requiring higher technical standards and many now require EDR. Companies that don’t present well will not qualify for coverage.

For those who are new to this area, cyber insurance is a two-tiered market. You need a broker to purchase the coverage from a carrier (AXA, Chubb, etc.). The carriers use reinsurance to share the losses, and now the reinsurers are tightening their guidelines under their ‘treaties’ with carriers and reducing capacity.

Brokers must navigate the risk management issues with each client as they attempt to secure coverage. It’s a lengthy process and ‘real-time’ network security reports are difficult to obtain. Most company-specific cyber analysis reports are from the outside of the network, looking in. While this data is useful, it doesn’t tell you what evil may be hiding on systems inside the company.

What should companies expect during the new underwriting process? We spoke with several Cyber insurance brokers to determine how companies can qualify for cyber insurance given the stringent new guidelines.

Our panel of experts includes:

  • Chris Keegan, Sr. Managing Director of Beecher Carlson
  • Anthony Dagostino, EVP at Lockton Companies
  • David Lewison, EVP of AmWINS Insurance
  • Jesus Gonzalez, Cyber Chief of Staff, Aon Insurance

Are your clients able to keep their Cyber policy coverage intact? How has coverage and policies changed?

David: The main reaction to the ransomware pandemic is to cut limits. A small handful of insurers are pushing coinsurance for all ransomware related expenses. The rates are unpredictable at the moment. The underwriters don’t want to lose good risks – at least those they think are good. Retentions are rising. Brokers would rather sell higher premiums than restrict coverage. The last thing we want is to see premiums paid, but losses not covered. Many markets are making their ransomware applications mandatory. Any answers that they don’t like and they won’t quote or stay on a renewal. They used to just charge more if a risk didn’t look as locked up. Now they walk. It’s made it tougher to find a home for the companies that are behind on their security posture.

Anthony: Many are in line, but some are high, much higher, and some lower. It depends on the industry, loss history and controls in place. Capacity is getting a bit more strict, and large clients are seeing a push to higher retentions in some cases.

Chris: As we started the first quarter of 2021, we were aware the frequency and severity of ransomware claims would require cyber insurance markets to make major adjustments to their books. Directionally this meant reducing limits, increasing premiums by 30% to 40%, and in some cases, reducing their exposure to ransomware through sub-limits and coinsurance.

All relatively manageable, but as we come towards the end of Q2, the landscape has changed dramatically with increases for large clients in the 40% to 50% range and some smaller clients seeing increases of over 100%. Markets have contacted us that they are pulling out of the cyber insurance market entirely. Furthermore, insurance carriers are informing us they have a limit to how much business they can write. In other words, once they’ve reached a total number of exposed limits, they are done for the year. BCS, who support us on a number of large accounts that renew in Q4, contacted us to say they have only half the limits available and to reserve those limits now; and as for the large leading markets, namely AIG, Chubb and Axis, be prepared to have limits reduced by half.

Whether we continue to see carriers leaving the market or not, one thing is for sure: the underwriting process is much more intense, and we need to be prepared to help assess our clients’ risk, determine where our clients are in their cybersecurity maturity lifecycle, and assist in creating a plan forward towards a comprehensive solution.

Jesus: On January 1, 2021, many reinsurance treaties renewed, albeit at a significantly higher cost due to loss ratios, coupled with more stringent underwriting requirements. The term ‘hardening’ insurance market took on new meaning for the network security and privacy liability (cyber) space due to recent events including SolarWinds and the MSFT Exchange server vulnerabilities. In terms of coverage changes, a handful of insurers are injecting coinsurance as part of the cyber extortion (ransomware) insuring agreement. This has not previously been seen in the cyber insurance space.

As far as capacity is concerned, we are seeing a vast range of behaviors, from many insurance market partners reducing their limits on any particular risk to non-renewing terms and conditions even for risks that have no claims history and better than average cyber controls. As far as business interruption coverage is concerned, many are pulling back on contingent business interruption (BI) coverage extended to cover an insured’s loss of income due to a vendor’s cyber event. Ensuring that the client has a strong vendor due diligence program in place is key to maintaining this coverage.

How does the Broker help the client maintain/secure coverage? Are you utilizing network scans or similar to meet with carrier underwriting requirements?

David: We don’t have any scan technology of our own, so we rely on the offerings of the insurtechs and carriers that have been doing that. One thing I’ve been watching is what scan is being used. A few insurtechs have built their own scan while many other insurers are outsourcing, often to the same one or two vendors. If they all use the same vendor, do they get a competitive edge? If they don’t scan, are they going to be victims of bad risk selection? What if the scan is looking at the wrong things? I believe scans are good for assessing a portfolio of risks for the carriers.

Another interesting thing is who gets to see the scan. The insurtechs share the scan data so clients can work on their weaknesses. Other carriers use the scan as part of risk selection, but don’t share it. The best way we have to maintain coverage is to be in tune with the huge range of insurers and their appetites. With 100+ insurers and fluctuating appetites, it’s very challenging to find the perfect carrier partner for every unique risk. We get there by collaborating and sharing what we are seeing across industry groups, revenue sizes, insurer appetites, loss trends, etc.

Anthony: We’ve really shifted over the past 12 months or so to more cyber risk management in addition to just the placement of the policy. We utilize risk quantification tools and network scans in some cases to preempt the underwriting response.

Chris: We are utilizing external network scans (Binary Edge) to allow our clients to see what the underwriters are seeing. For us, it’s advising where the most critical issues are from, combined with the underwriter’s perspective in helping our clients develop a narrative for those areas where there are weaknesses and helping them to express where they’re strong.

Will your larger enterprise accounts be able to keep their coverage at current levels or will the renewal costs be prohibitive or cause a reduction in coverage?

David: We are definitely seeing cases where the insurers are reducing their limits on larger risks and there aren’t enough insurers jumping in to fill those gaps. We’ve had some challenging placements higher up on towers as insurers have reduced limits and dropped lower where the premiums are higher. Higher retentions are one way for the client to share in the risk and find more interested insurers. Accepting a level of coinsurance for ransomware is another.

Anthony: It depends on the client, the program, and their approach to risk. Some have bought more limit in the environment given the exposures while others manage to budgets and explore higher self-insured retentions, loss corridors, and increased captive use.

Chris: This is a work in progress at the moment. The capacity available is shrinking, so towers are reducing. We are often working to replace gaps with coinsurance from the client’s captive. Decisions on risk transfer versus self-insurance are being made on a case-by-case basis looking at cost benefit. Going forward we think the market will find some level of equilibrium, so we find many of our clients continuing to purchase the cover rather than self-insure where they can, in the hope that they will be able to hold onto their programs through this period to a point where the market normalizes.

Jesus: Larger enterprise accounts, those defined by annual revenues of $2B or greater, can expect a 10-fold effort to renew their program and should allocate a sufficient amount of time by aligning internal resources including CISO, legal, compliance, and procurement to successfully address all insurance market inquiries surrounding their E&O/Cyber program. Cyber insurance markets are now requiring baseline application, supplementals (including ransomware), and a formal underwriting meeting to address any/all questions surrounding their cybersecurity hygiene. We are advising clients to start four to six months in advance of their renewal date.

Even if the large enterprise entity addresses all required underwriting information, we are still seeing renewal costs surge. All sensitivity analyses that were previously provided for budgeting purposes to clients have been completely blown, due to primary programs experiencing greater than 50% YoY premium increases in the second quarter for expiring terms and conditions on various risk profiles. As a broker, we have to provide the client options including raising the self-insured retention level, a reduction in total capacity, or removing some insuring agreements. We are seeing a significant increase in the use of captives to address capacity shortfalls or to maintain a reasonable pricing structure from the more sophisticated risk managers.

What is your best guidance for companies seeking new policies or renewals in this environment?

David: As is always the case in insurance, any uncertainty leads to higher prices and fewer options. Come prepared to be transparent with underwriters. They are being selective on risks and want to be sure they are getting good risks. If you hide details, they’ll just take a pass.

Anthony: Know the marketplace, know the key controls needed to get the best coverage, and work with your broker. If renewing coverage, start the process very early.

Chris: Start preparing your submission for the insurance well in advance. For large companies that may mean six months or more in advance of the renewal. Critically review key controls for ransomware attacks and prepare your ID security team to be able to talk to those controls and provide a well-crafted presentation to the underwriting community.

Jesus: For new placements, our advice is that you work with an experienced broker to ensure that your company is prepared for the barrage of underwriting questions that will come across various domains including but not limited to:

  • Operational IT
    • Security Organization
    • Software/Network Connectivity (MFA in place across the firm)
    • Access Management (limited Domain Admin accounts)
  • Security Controls/Procedures
    • Intrusion Testing, Detection and Prevention (think endpoint protection, firewalls, etc.)
    • Policies & Procedures (documented and tested)
    • Hosting of Information + Encryption (DLPs)
  • Business Continuity & Incident Response Planning (documented, tested, updated)
  • Vendor Management (think SolarWinds)

For renewals, our recommendation is to start early. The risk manager should query the firm and gather as much intelligence as possible from internal stakeholders in preparation for the renewal cycle, to ensure the company’s risk profile has not changed significantly from the previous year, including a new acquisition/divestiture, a new vendor partner providing key services (a new MSSP perhaps), or new contract requirements stipulating a certain level of coverage and/or limits.

With an updated risk profile in hand, the risk manager should reach out to the broker to query all existing insurance partners for their concerns, appetite, and upcoming requirements but most importantly for their continued support of the risk transfer solution. Finally, the risk manager should confirm that the risk transfer program is in alignment with the corporate strategy especially since this ‘hardening’ market will impact budgeting.

What are your clients saying about the ransomware threat? Do they believe they are sufficiently protected? Do they expect insurance will cover their losses?

David: As a wholesaler, we don’t often get to talk to the clients. I know the clients are concerned about ransomware based upon the increase in first time buyers across the SME and middle market space. We’re not seeing companies dropping coverage, which they would do if they didn’t see value in the policy.

Anthony: It’s the biggest concern because it’s so real and in the news hitting all industries. Education and transparency are critical so they understand what’s covered, what isn’t, and how coverage may have changed upon renewal.

Chris: The more we are seeing ransomware events, the more that our clients are becoming concerned about the threat. There are still companies out there who think that they are not likely to be a target even though some have controls that are less than they should be in this environment. They do believe that the insurance coverage will help them respond to ransomware attacks and cover their losses. The history has been very good in insurance markets making payments for ransomware.

Which industry groups are most concerned with the latest iteration of double ransom with data exfiltration? Do they expect the threat actor to delete data if ransom demands are met?

David: I would think any industry that holds a lot of PII and PHI or confidential corporate information would be the most concerned. Does anyone fully trust a threat actor?

Chris: Most companies are only now becoming aware of the double ransom and triple ransom in some instances where the threat actors are reaching out to the people whose personal information has been released and seeking extortion money from them. It seems that all groups of companies are concerned. Those companies without a large database of third party personal information are still concerned for their employee information.

What are board directors saying to management about the steps they should take: the most expedient way to get back online, or following the FBI guidance?

Chris: Almost all of the companies that we deal with are most concerned about the direct business impact and are taking whatever steps they deem necessary to most efficiently get their businesses back up. They are concerned about the OFAC and regulatory issues but are most concerned about their employees, clients and reputation.

Could the federal government outlaw the payment of ransom demands in such a way as to not harm the victims further?

David: I’m concerned about this. The business interruption risk is already much larger than the ransom, otherwise why would anyone pay the ransom? If a company can’t pay the ransom, what’s the alternative? If the Govt wants to help, they need to counterattack or regulate cryptocurrencies. Without anonymous payments, the bad guys could get tracked down faster.

Chris: I don’t think so.

How does the recent Executive Order impact your clients? Are municipal governments able to secure coverage at reasonable rates?

David: We are already reeling from the majority of insurers getting out of municipal risks. By majority I’m talking about 95%+ of the market has left. I’d like to see the insurtechs that purport to offer valuable risk management services come in and risk manage this class of business and insure them.

Chris: So far we have not seen any impact from the executive order. Municipalities are one class that is very difficult to find coverage for in the current market.

We would like to thank our expert panel for sharing their views. SentinelOne works closely with insurance carriers and brokers to develop and deliver risk mitigation solutions. We believe the ransomware problem can be defeated and, as our broker colleagues have stated, all solutions require a coordinated approach. If you would like to learn more about the SentinelOne insurance partners, contact us here.


AnyVision, the controversial facial recognition startup, has raised $235M led by SoftBank and Eldridge

Facial recognition has been one of the more conflicted applications of artificial intelligence in the wider world: using computer vision to detect faces and subsequent identities of people has raised numerous questions about privacy, data protection, and the ethics underpinning the purposes of the work, and even the systems themselves. But on the other hand, it’s being adopted widely in a wide variety of use cases. Now one of the more controversial, but also successful, startups in the field has closed a big round of funding.

AnyVision — an Israeli startup that has built AI-based techniques to identify people by their faces, but also related tech such as temperature checks to detect higher temperatures in a crowd — has raised $235 million in funding, the company has confirmed.

This Series C, one of the bigger rounds for an AI startup, is being co-led by SoftBank’s Vision Fund 2 and Eldridge, with previous investors also participating. (They are not named but the list includes Robert Bosch GmbH, Qualcomm Ventures and Lightspeed.) The company is not disclosing its valuation but we are asking. However, it has to be a sizable hike for the company, which had previously raised around $116 million, according to PitchBook, and has racked up a big list of customers since its last round in 2020.

Worth noting, too, that AnyVision’s CEO Avi Golan is a former operating partner at SoftBank’s investment arm.

AnyVision said the funding will be used to continue developing its SDKs, specifically to work in edge computing devices — smart cameras, body cameras, and chips that will be used in other devices — to increase the performance and speed of its systems.

Its systems, meanwhile, are used in video surveillance, watchlist alerts, and scenarios where an organization is looking to monitor crowds and control them, for example to keep track of numbers, to analyse dwell times in retail environments, or to flag illegal or dangerous behavior.

“AnyVision’s innovations in Recognition AI helped transform passive cameras into proactive security systems and empowered organizations take a more holistic view to advanced security threats,” Golan said in a statement in the investment announcement. “The Access Point AI platform is designed to protect people, places, and privacy while simultaneously reducing costs, power, bandwidth, and operational complexity.”

You may recognize the name AnyVision because of how much it has been in the press.

The startup was the subject of a report in 2019 that alleged that its technology was being quietly used by the Israeli government to run surveillance on Palestinians in the West Bank.

The company denied it, but the story quickly turned into a huge stain on its reputation, while also adding more scrutiny overall to the field of facial recognition.

That led to Microsoft, which had invested in AnyVision via its M12 venture arm, to run a full audit of the investment and its position on facial recognition investments overall. Ultimately, Microsoft divested its stake and pledged not to invest in further technology like it.

Since then, AnyVision has been working hard to spin itself as the “ethical” player in this space, acknowledging that there is a lot of work and shortcomings in the bigger market of facial recognition. But controversy has continued to court the company.

A report from Reuters in April of this year highlighted just how many companies were using AnyVision’s technology today, ranging from hospitals like Cedars Sinai in Los Angeles to major retailers like Macy’s and energy giant BP. AnyVision’s connections to power go beyond simply having big customers: it also turns out that the White House Press Secretary, Jen Psaki, once served as a communications consultant to the startup.

Then, a report published just yesterday in The Markup combed through various public records for AnyVision, including a user guidebook from 2019, which also painted a pretty damning picture of just how much information the company can collect, and what it has been working on. (One pilot, and the subsequent report resulting from it, involved tracking children in a school district in Texas: AnyVision collected 5,000 student photos and ran more than 164,000 detections in just seven days.)

There are other cases, however, where you might imagine AnyVision’s technology being deemed helpful or useful, maybe even welcomed. Its ability to detect temperatures, for example, and to identify who may have been in contact with high-temperature people, could go a long way towards controlling less obvious cases of Covid-19, helping contain the virus at mass events and providing a safeguard that enables those events to go ahead.

And to be completely clear, AnyVision is not the only company building and deploying this technology, nor the only one coming under scrutiny. Another, the U.S. company Clearview AI, is used by thousands of governments and law enforcement agencies, but earlier this year it was deemed “illegal” by Canadian privacy authorities.

Indeed, the story is not complete, whether in terms of how these technologies will develop, how they will be used, or how the public comes to view them. For now, the traction AnyVision has had, even despite the controversy and ethical questions, seems to have swayed SoftBank.

“The visual recognition market is nascent but has large potential in the Western world,” said Anthony Doeh, a partner for SoftBank Investment Advisers, in a statement. “We have witnessed the transformative power of AI, biometrics and edge computing in other categories, and believe AnyVision is uniquely placed to redefine physical environment analytics across numerous industries.”

Opaque raises $9.5M seed to secure sensitive data in the cloud

Opaque, a new startup born out of Berkeley’s RISELab, announced a $9.5 million seed round today to build a solution to access and work with sensitive data in the cloud in a secure way, even with multiple organizations involved. Intel Capital led today’s investment with participation by Race Capital, The House Fund and FactoryHQ.

The company helps customers work with secure data in the cloud while making sure the data they are working on is not being exposed to cloud providers, other research participants or anyone else, says company president Raluca Ada Popa.

“What we do is we use this very exciting hardware mechanism called Enclave, which [operates] deep down in the processor — it’s a physical black box — and only gets decrypted there. […] So even if somebody has administrative privileges in the cloud, they can only see encrypted data,” she explained.

Company co-founder Ion Stoica, who was a co-founder at Databricks, says the startup’s solution helps resolve two conflicting trends. On one hand, businesses increasingly want to make use of data, but at the same time are seeing a growing trend toward privacy. Opaque is designed to resolve this by giving customers access to their data in a safe and fully encrypted way.

The company describes the solution as “a novel combination of two key technologies layered on top of state-of-the-art cloud security—secure hardware enclaves and cryptographic fortification.” This enables customers to work with data — for example to build machine learning models — without exposing the data to others, yet while generating meaningful results.

Popa says this could be helpful for hospitals working together on cancer research, who want to find better treatment options without exposing a given hospital’s patient data to other hospitals, or banks looking for money laundering without exposing customer data to other banks, as a couple of examples.

Investors were likely attracted to the pedigree of Popa, a computer security and applied cryptography professor at UC Berkeley, and Stoica, who is also a Berkeley professor and co-founded Databricks. Both helped found RISELab at Berkeley, where they developed the solution and spun it out as a company.

Mark Rostick, vice president and senior managing director at lead investor Intel Capital says his firm has been working with the founders since the startup’s earliest days, recognizing the potential of this solution to help companies find complex solutions even when there are multiple organizations involved sharing sensitive data.

“Enterprises struggle to find value in data across silos due to confidentiality and other concerns. Confidential computing unlocks the full potential of data by allowing organizations to extract insights from sensitive data while also seamlessly moving data to the cloud without compromising security or privacy,” Rostick said in a statement.

He added, “Opaque bridges the gap between data security and cloud scale and economics, thus enabling inter-organizational and intra-organizational collaboration.”


The single vendor requirement ultimately doomed the DoD’s $10B JEDI cloud contract

When the Pentagon killed the JEDI cloud program yesterday, it was the end of a long and bitter road for a project that never seemed to have a chance. The question is why it didn’t work out in the end, and ultimately I think you can blame the DoD’s stubborn adherence to a single vendor requirement, a condition that never made sense to anyone, even the vendor that ostensibly won the deal.

In March 2018, the Pentagon announced a mega $10 billion, decade-long cloud contract to build the next generation of cloud infrastructure for the Department of Defense. It was dubbed JEDI, which aside from the Star Wars reference, was short for Joint Enterprise Defense Infrastructure.

The idea was a 10-year contract with a single vendor that started with an initial two-year option. If all was going well, a five-year option would kick in and finally a three-year option would close things out with earnings of $1 billion a year.

While the total value of the contract had it been completed was quite large, a billion a year for companies the size of Amazon, Oracle or Microsoft is not a ton of money in the scheme of things. It was more about the prestige of winning such a high-profile contract and what it would mean for sales bragging rights. After all, if you passed muster with the DoD, you could probably handle just about anyone’s sensitive data, right?

Regardless, the idea of a single-vendor contract went against the conventional wisdom that the cloud gives you the option of working with best-in-class vendors. Microsoft, the eventual winner of the ill-fated deal, acknowledged that the single-vendor approach was flawed in an interview in April 2018:

Leigh Madden, who heads up Microsoft’s defense effort, says he believes Microsoft can win such a contract, but it isn’t necessarily the best approach for the DoD. “If the DoD goes with a single award path, we are in it to win, but having said that, it’s counter to what we are seeing across the globe where 80% of customers are adopting a multicloud solution,” Madden told TechCrunch.

Perhaps it was doomed from the start because of that. Yet even before the requirements were fully known there were complaints that it would favor Amazon, the market share leader in the cloud infrastructure market. Oracle was particularly vocal, taking its complaints directly to the former president before the RFP was even published. It would later file a complaint with the Government Accountability Office and file a couple of lawsuits alleging that the entire process was unfair and designed to favor Amazon. It lost every time — and of course, Amazon wasn’t ultimately the winner.

While there was a lot of drama along the way, in April 2019 the Pentagon named two finalists, and it was probably not too surprising that they were the two cloud infrastructure market leaders: Microsoft and Amazon. Game on.

The former president interjected himself directly in the process in August that year, when he ordered the Defense Secretary to review the matter over concerns that the process favored Amazon, a complaint which to that point had been refuted several times over by the DoD, the Government Accountability Office and the courts. To further complicate matters, a book by former defense secretary Jim Mattis claimed the president told him to “screw Amazon out of the $10 billion contract.” His goal appeared to be to get back at Bezos, who also owns the Washington Post newspaper.

In spite of all these claims that the process favored Amazon, when the winner was finally announced in October 2019, late on a Friday afternoon no less, the winner was not in fact Amazon. Instead, Microsoft won the deal, or at least it seemed that way. It wouldn’t be long before Amazon would dispute the decision in court.

By the time AWS re:Invent hit a couple of months after the announcement, former AWS CEO Andy Jassy was already pushing the idea that the president had unduly influenced the process.

“I think that we ended up with a situation where there was political interference. When you have a sitting president, who has shared openly his disdain for a company, and the leader of that company, it makes it really difficult for government agencies, including the DoD, to make objective decisions without fear of reprisal,” Jassy said at that time.

Then came the litigation. In November, the company indicated it would be challenging the decision to choose Microsoft, charging that it was driven by politics and not technical merit. In January 2020, Amazon filed a request with the court that the project should stop until the legal challenges were settled. In February, a federal judge agreed with Amazon and stopped the project. It would never restart.

In April the DoD completed its own internal investigation of the contract procurement process and found no wrongdoing. As I wrote at the time:

While controversy has dogged the $10-billion, decade-long JEDI contract since its earliest days, a report by the DoD’s inspector general’s office concluded today that, while there were some funky bits and potential conflicts, overall the contract procurement process was fair and legal and the president did not unduly influence the process in spite of public comments.

Last September the DoD completed a review of the selection process and it once again concluded that Microsoft was the winner, but it didn’t really matter as the litigation was still in motion and the project remained stalled.

The legal wrangling continued into this year, and yesterday the Pentagon finally pulled the plug on the project once and for all, saying it was time to move on as times have changed since 2018 when it announced its vision for JEDI.

The DoD finally came to the conclusion that a single-vendor approach wasn’t the best way to go, and not because it could never get the project off the ground, but because it makes more sense from a technology and business perspective to work with multiple vendors and not get locked into any particular one.

“JEDI was developed at a time when the Department’s needs were different and both the CSPs’ (cloud service providers) technology and our cloud conversancy was less mature. In light of new initiatives like JADC2 (the Pentagon’s initiative to build a network of connected sensors) and AI and Data Acceleration (ADA), the evolution of the cloud ecosystem within DoD, and changes in user requirements to leverage multiple cloud environments to execute mission, our landscape has advanced and a new way ahead is warranted to achieve dominance in both traditional and nontraditional warfighting domains,” said John Sherman, acting DoD chief information officer in a statement.

In other words, the DoD would benefit more from adopting a multicloud, multivendor approach like pretty much the rest of the world. That said, the department also indicated it would limit the vendor selection to Microsoft and Amazon.

“The Department intends to seek proposals from a limited number of sources, namely the Microsoft Corporation (Microsoft) and Amazon Web Services (AWS), as available market research indicates that these two vendors are the only Cloud Service Providers (CSPs) capable of meeting the Department’s requirements,” the department said in a statement.

That’s not going to sit well with Google, Oracle or IBM, but the department further indicated it would continue to monitor the market to see if other CSPs had the chops to handle their requirements in the future.

In the end, the single vendor requirement contributed greatly to an overly competitive and politically charged atmosphere that resulted in the project never coming to fruition. Now the DoD has to play technology catch-up, having lost three years to the histrionics of the entire JEDI procurement process and that could be the most lamentable part of this long, sordid technology tale.

Microsoft Issues Emergency Patch for Windows Flaw

Microsoft on Tuesday issued an emergency software update to quash a security bug that’s been dubbed “PrintNightmare,” a critical vulnerability in all supported versions of Windows that is actively being exploited. The fix comes a week ahead of Microsoft’s normal monthly Patch Tuesday release, and follows the publishing of exploit code showing would-be attackers how to leverage the flaw to break into Windows computers.

At issue is CVE-2021-34527, which involves a flaw in the Windows Print Spooler service that could be exploited by attackers to run code of their choice on a target’s system. Microsoft says it has already detected active exploitation of the vulnerability.

Satnam Narang, staff research engineer at Tenable, said Microsoft’s patch warrants urgent attention because of the vulnerability’s ubiquity across organizations and the prospect that attackers could exploit this flaw in order to take over a Windows domain controller.

“We expect it will only be a matter of time before it is more broadly incorporated into attacker toolkits,” Narang said. “PrintNightmare will remain a valuable exploit for cybercriminals as long as there are unpatched systems out there, and as we know, unpatched vulnerabilities have a long shelf life for attackers.”

In a blog post, Microsoft’s Security Response Center said it was delayed in developing fixes for the vulnerability in Windows Server 2016, Windows 10 version 1607, and Windows Server 2012. The fix also apparently includes a new feature that allows Windows administrators to implement stronger restrictions on the installation of printer software.

“Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators’ security group could install both signed and unsigned printer drivers on a printer server,” reads Microsoft’s support advisory. “After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”

Windows 10 users can check for the patch by opening Windows Update. Chances are, it will show what’s pictured in the screenshot below — that KB5004945 is available for download and install. A reboot will be required after installation.

Friendly reminder: It’s always a good idea to back up your data before applying security updates. Windows 10 has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

Microsoft’s out-of-band update may not completely fix the PrintNightmare vulnerability. Security researcher Benjamin Delpy posted on Twitter that the exploit still works on a fully patched Windows server if the server also has Point & Print enabled, a Windows feature that automatically downloads and installs available printer drivers.

Delpy said it’s common for organizations to enable Point & Print using group policies because it allows users to install printer updates without getting approval first from IT.
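Because the patch alone is not enough, the question a practitioner has to answer per print server is "is the Point & Print policy on this host relaxed enough to let the exploit through?". The script below is an added example, not Microsoft's or this post's code: assess() is offline logic over a dict of registry DWORD values, and read_policy() reads the live values only when run on Windows. The first two value names (NoWarningNoElevationOnInstall, UpdatePromptSettings) are the ones Microsoft's advisory for CVE-2021-34527 tells administrators to confirm are 0 or undefined; the third (RestrictDriverInstallationToAdministrators) is the value Microsoft documented with the July 2021 updates for the signed-driver restriction quoted above. The WEAK_POLICY and HARDENED_POLICY dicts are constructed, not captured from a real host.

```python
"""Is a patched Windows print server still exposed to CVE-2021-34527?

Added example (not Microsoft's or this post's code). assess() is offline logic
over a dict of DWORD values; read_policy() only touches the registry on Windows.
"""
import sys

POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
POLICY_VALUES = (
    "NoWarningNoElevationOnInstall",                # 1 = install drivers without warning or elevation
    "UpdatePromptSettings",                         # non-zero = update drivers without prompting
    "RestrictDriverInstallationToAdministrators",   # 0 = non-admins may install drivers again
)


def read_policy():
    """Read the live Point and Print policy under HKLM; {} off Windows or when undefined."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg  # Windows-only module
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            for name in POLICY_VALUES:
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass  # "not defined" is the secure default
    except FileNotFoundError:
        pass  # key absent: nothing has been relaxed
    return values


def assess(policy, spooler_running=True, july_update_installed=True):
    """Return (exposed, findings) for one host.

    The out-of-band update is necessary but not sufficient: a Point and Print
    policy that suppresses prompts lets the exploit work on a patched server.
    """
    if not spooler_running:
        return False, ["Print Spooler stopped: the vulnerable service is not reachable"]
    findings = []
    if not july_update_installed:
        findings.append("July 6, 2021 update (e.g. KB5004945) not installed")
    if policy.get("NoWarningNoElevationOnInstall", 0) != 0:
        findings.append("NoWarningNoElevationOnInstall=1: drivers install without warning or elevation")
    if policy.get("UpdatePromptSettings", 0) != 0:
        findings.append("UpdatePromptSettings!=0: driver updates apply without a prompt")
    if policy.get("RestrictDriverInstallationToAdministrators") == 0:
        findings.append("RestrictDriverInstallationToAdministrators=0: non-admins may install drivers")
    return bool(findings), findings


# Constructed policies: the permissive Point and Print GPO described above, and a hardened one.
WEAK_POLICY = {"NoWarningNoElevationOnInstall": 1, "UpdatePromptSettings": 1}
HARDENED_POLICY = {"NoWarningNoElevationOnInstall": 0, "UpdatePromptSettings": 0,
                   "RestrictDriverInstallationToAdministrators": 1}

if __name__ == "__main__":
    live = read_policy()
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY), ("this host", live)):
        exposed, why = assess(pol)
        print(f"{label}: exposed={exposed} {why}")
```

Run it on a print server as an administrator to see the live result; an empty findings list with the update installed is the state Microsoft's advisory describes as protected, and stopping the Spooler service is the stronger workaround where the host does not need to print.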

This post will be updated if Windows users start reporting any issues in applying the patch.

REvil’s Grand Coup | Abusing Kaseya Managed Services Software for Massive Profits

Executive Summary

  • A suspected zero-day exploit was used to deliver REvil’s Sodinokibi ransomware to thousands of corporate endpoints.
  • Attackers targeted Kaseya VSA servers commonly used by managed service providers (MSPs) and IT management firms in order to reach the breadth of their respective customers.
  • The attackers abused a variety of benign components, such as certutil.exe, Microsoft Defender, and stolen digital certificates as part of their execution chain.
  • At this point, this appears to be the largest mass-scale ransomware incident to date. In an unexpected twist, the attackers are offering a universal decryption tool for all victims at a lump sum of $50 million (originally $70 million).
  • In this post, we cover the attack’s execution chain, provide a video showing SentinelOne Singularity’s response against the attack, and provide indicators as well as hunting rules to assist defenders.

What Happened?

On Friday, July 2nd, 2021 a well-orchestrated, mass-scale ransomware campaign was discovered targeting customers of Kaseya’s managed services software and delivering REvil ransomware. It was initially considered a supply chain attack, a safe assumption at that scale, but with time it became apparent that the attackers were instead leveraging a zero-day exploit against internet-facing Kaseya VSA servers.

Kaseya’s initial advisory underscored the severity of the situation as the company instructed customers to shut down VSA servers until further notice.

Initial statement from Kaseya

Since then, Kaseya has engaged the security community and triaged the root cause of this incident. This post seeks to unravel the infection chain, highlight relevant indicators, and clarify protections for our customers.

Malware execution chain

Kaseya VSA Exploit and Infection Chain

Current findings show that logic flaws in one of the VSA components (dl.asp) may have led to an authentication bypass. The attackers could then use KUpload.dll to drop multiple files, including ‘agent.crt’, a fake certificate that contains the malware dropper. Another dropped artifact, Screenshot.jpg, appears to be a JavaScript file and has only been partially recovered at this time. Specific details regarding the exact nature of the exploit are still being established as the analysis is ongoing.

The suspected exploit chain ends with a SQL injection in userFilterTableRpt.asp in order to queue up a series of VSA procedures that would execute the malware and purge the logs. This activity was seen originating from a hijacked AWS EC2 instance 18.223.199[.]234. Additional activity was observed originating from 161.35.239[.]148 (DigitalOcean), 162.253.124[.]16 (Sapioterra), and 35.226.94[.]113 (Google Cloud).

REvil malware infection chain

The malicious procedure was labeled ‘Kaseya VSA Agent Hot-fix’. It is a series of commands that check for internet access and then use PowerShell to disable a sequence of Microsoft Defender protections, including real-time monitoring, intrusion prevention, network protection, and sample auto-submission. The procedure then invokes the native certutil.exe application, normally used to manage and validate certificates, with its -decode option to turn the base64 body of ‘agent.crt’ into an executable, agent.exe.

The agent.exe binary was compiled on July 1st, 2021 and acts as a dropper for two embedded executable resources, ‘MODLIS’ and ‘SOFTIS’.

Resources embedded in agent.exe

Resource 101, SOFTIS, is an outdated but legitimate Microsoft Defender executable (MsMpEng.exe) that is used to sideload the malicious payload. It’s worth noting that this delivery mechanism, a sideloading dyad (a two-part execution chain), has been used to deliver REvil since at least April 2021.

The payload itself is contained in resource 102, under the resource name ‘MODLIS’.

SHA256: e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
SHA1: e1d689bf92ff338752b8ae5a2e8d75586ad2b67b
MD5: 7ea501911850a077cf0f9fe6a7518859
Compilation Timestamp: 2021-07-01 12:39:06
Signature Date: 2021-07-02 23:15:00
Size: 788.88 KB
Digital Signature: PB03 TRANSPORT LTD.

In order for the malicious payload to be sideloaded by Microsoft Defender, the DLL is dropped as %WinDir%\MpSvc.dll and exports the functions ServiceCrtMain, ServiceMain, and SvchostPushServiceGlobals. The file is signed with a digital certificate stolen from a Canadian transport company, one of several stolen certificates recently employed by REvil. The ransomware uses statically linked OpenSSL for its cryptographic operations. ServiceCrtMain() creates a thread that deobfuscates the main payload.

While the IOCs directly relevant to the Kaseya incident are a specific subset, we have collected samples from a cluster of similar execution chains, including the Microsoft Defender sideloading dyad and still-valid stolen digital certificates. Hashes and YARA signatures at the end of this post help identify additional files signed with these stolen certificates.

During this process, netsh.exe (as seen with prior REvil samples) is also called, making the following adjustment to the local firewall rules:

netsh.exe netsh advfirewall firewall set rule "group=Network Discovery" new enable=Yes
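Every step of the chain above (the Set-MpPreference tampering, certutil decoding agent.crt into agent.exe, a Defender binary started from a directory it was never installed in, and the netsh rule change) is visible in ordinary process-creation telemetry. The hunting logic below is an added example, not SentinelOne's code or detection content: it runs over constructed, Sysmon-style events and over a constructed agent.crt, and the file paths, the renamed-certutil name cu.exe (the post reports T1036.003 but names no renamed copy) and Defender's install directories are assumptions. It also shows what the ‘fake certificate’ trick really is: a PEM wrapper around base64 whose decoded bytes begin with the PE magic MZ rather than a DER SEQUENCE.

```python
"""Hunting logic for the LOLBin execution chain described above.

Added example (not SentinelOne code). Runs over constructed, Sysmon-style
process-creation events and a constructed 'agent.crt'; paths, the cu.exe
name and Defender's install directories are assumptions.
"""
import base64
import re

# Where a legitimate MsMpEng.exe normally lives (assumption: default install paths).
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".cpl")


def detect(event):
    """Return the names of the detections one process-creation event triggers."""
    image = (event.get("Image") or "").lower()
    orig = (event.get("OriginalFileName") or "").lower()   # PE-header name Sysmon records
    cmd = (event.get("CommandLine") or "").lower()
    exe = image.rsplit("\\", 1)[-1]
    hits = []

    # certutil -decode <in> <out> producing an executable. Matching on OriginalFileName
    # also catches a renamed copy (T1036.003) that an image-name match would miss.
    if orig == "certutil.exe" or exe == "certutil.exe":
        m = re.search(r"-decode\s+\S+\s+(\S+)", cmd)
        if m and m.group(1).endswith(EXECUTABLE_EXT):
            hits.append("certutil_decode_to_executable")
        if exe != "certutil.exe":
            hits.append("renamed_certutil")

    # PowerShell switching off Defender features via Set-MpPreference.
    if exe in ("powershell.exe", "pwsh.exe") and "set-mppreference" in cmd:
        if re.search(r"-disable\w+\s+\$true|-mapsreporting\s+disabled|"
                     r"-submitsamplesconsent\s+neversend|-enablenetworkprotection\s+(disabled|auditmode)", cmd):
            hits.append("defender_tampering")

    # Signed Defender engine started from a directory it was never installed in.
    if exe == "msmpeng.exe" and not image.startswith(DEFENDER_DIRS):
        hits.append("msmpeng_unexpected_path")

    # netsh enabling the Network Discovery firewall rule group.
    if exe == "netsh.exe" and "advfirewall" in cmd and "network discovery" in cmd and "enable=yes" in cmd:
        hits.append("netsh_network_discovery_enabled")
    return hits


def hunt(events):
    """Run detect() over a list of events; returns [(index, hits)] for events that fire."""
    results = []
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            results.append((i, hits))
    return results


def cert_hides_pe(crt_text):
    """True when a PEM-looking file base64-decodes to a PE image (MZ) instead of DER (0x30)."""
    body = "".join(line for line in crt_text.splitlines() if not line.startswith("-----"))
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return raw[:2] == b"MZ"


def _pem(der):
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")


# Constructed samples: a PE header wrapped as a 'certificate', and a DER-like real one.
FAKE_AGENT_CRT = _pem(b"MZ\x90\x00" + b"\x00" * 60)
BENIGN_CRT = _pem(b"\x30\x82\x01\x00" + b"\x00" * 60)

# Constructed events modelled on the chain above; paths and the cu.exe name are invented.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
                    "-DisableIntrusionPreventionSystem $true -EnableNetworkProtection AuditMode "
                    "-SubmitSamplesConsent NeverSend"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -decode C:\\Temp\\agent.crt C:\\Temp\\agent.exe"},
    {"Image": "C:\\Windows\\cu.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "C:\\Windows\\cu.exe -decode C:\\Temp\\agent.crt C:\\Temp\\agent.exe"},
    {"Image": "C:\\Windows\\MsMpEng.exe", "OriginalFileName": "MsMpEng.exe",
     "CommandLine": "C:\\Windows\\MsMpEng.exe"},
    {"Image": "C:\\Windows\\System32\\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall set rule "group=Network Discovery" new enable=Yes'},
    # benign controls: Defender from its real path, certutil doing certificate work
    {"Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "OriginalFileName": "MsMpEng.exe",
     "CommandLine": '"C:\\Program Files\\Windows Defender\\MsMpEng.exe"'},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -verify C:\\Temp\\server.cer"},
]

if __name__ == "__main__":
    for i, hits in hunt(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"][:60], hits)
    print("agent.crt hides a PE:", cert_hides_pe(FAKE_AGENT_CRT))
```

The Defender-path check is deliberately an allow-list rather than a block-list: the signature on MsMpEng.exe is valid wherever it runs, so the only durable signal is where it runs from and what it loads next. Matching certutil by OriginalFileName is what turns a renamed copy from a miss into a second, stronger finding.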

The following signers were still valid at the time of writing:

  • BUKTBAI, OOO
    thumbprint = “282ebc0a99a6328343a7d7706465778c3925adb6”
  • PB03 TRANSPORT LTD
    thumbprint = “11ff68da43f0931e22002f1461136c662e623366”
  • OOO Saylent
    thumbprint = “0d61738e6407c01d5c9f477039fb581a5f81f436”

Encryption and Post Encryption Behavior

The Salsa20 stream cipher used by this variant of REvil is very fast compared to other common encryption algorithms, which makes it a natural choice for a ransomware operation of this magnitude. Other prolific ransomware families have employed the same algorithm (e.g., DarkSide and later variations of Petya / GoldenEye).

Once the contents of the machine have been successfully encrypted, ransom notes are dropped alongside encrypted files and the machine’s wallpaper is changed to alert users to their predicament.

Ransom note displayed upon infection

The ransom note directs users to an .onion site and an alternative for those that don’t have access to Tor. The site asks for the key appended to the ransom note before providing a ransom amount for that specific endpoint, along with a timer that indicates how long the victim has to pay before the ransom demand increases. The standard demand for a non-corporate domain machine is the equivalent of $44,999 in Monero (XMR) or Bitcoin (BTC). Taking a broader view, the REvil gang has reportedly offered a universal decrypter for the eye-watering lump sum of $70 million (later amended to $50 million).

July 4th Update from the REvil gang

Latest Developments

On Monday, July 5, Kaseya announced it is developing a new patch for on-premises installations in order to assist customers in getting back to service. Kaseya also published a Compromise Detection Tool for customers to check whether their on-premises installation had actually been compromised.

Since this outbreak, attackers have been scanning for internet-exposed on-premises Kaseya servers using publicly available platforms such as Shodan.io. This window allows attack groups besides REvil to obtain immediate access over the internet to sensitive customer networks.

This attack proves again the necessity of a modern EDR solution that defends against improper use of built-in operating system executables (LOLBins), for example by detecting certutil.exe writing executables, or signed software such as MsMpEng.exe running from unexpected locations and executing unexpected software.

This threat is detected and mitigated by SentinelOne:

SentinelOne vs REvil (Sodinokibi)
Preventing the Kaseya Ransomware Attack

Conclusions

While the full impact of this attack is still unfolding, it’s a further escalation in the sophistication of cybercrime, not only on the technical side but also in how the attack was orchestrated. It’s clear that the perpetrators are well aware of the PR implications and will use widespread disruptions to try to maximize the payouts. This is yet another reminder of why security products need to leverage the power of data, specifically rich behavioral data, and AI. Malware and ransomware are increasingly cunning and novel in their techniques to compromise devices. A data-driven and AI-powered approach creates an autonomous posture to cybersecurity. It’s not enough to use signature-based or human-powered legacy solutions to protect your organization’s attack surfaces as every second counts when defending from advanced attacks like this one.

While we continue to uncover the full ramifications of this attack, our advice to defenders is to always act under the assumption that their networks are already host to malicious actors. The exorbitant profits realized by cyber criminals will only add to the sophistication of the attacks we’ll continue to see, the means and motivations are already there. Ransomware is a reality that every organization must face operating in the digital age. Cybersecurity today has become a critical part of corporate operations: the ability for malicious actors to disrupt and profit has reached new levels of relevance as a possible existential threat to businesses.

Indicators of Compromise

Samples

agent.crt encoded dropper
2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643

agent.exe dropper
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Payloads
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

Additional recent REvil activity including dyad droppers and payloads with still valid stolen digital signatures:

MITRE TTPs Used in Kaseya Attack

T1112 – Modify Registry
T1012 – Query Registry
T1082 – System Information Discovery
T1120 – Peripheral Device Discovery
T1491 – Defacement
T1543.003 – Create or Modify System Process: Windows Service
T1036 – Masquerading
T1036.003 – Masquerading: Rename System Utilities
T1202 – Indirect Command Execution
T1486 – Data Encrypted for Impact
T1106 – Native API

YARA Hunting Rules for REvil/Kaseya Artifacts

import "pe"
import "math"

rule cw_REvil_Kaseya_BUKTBAI_stolenCert
{
	meta:
		desc = "Stolen digital certificate: BUKTBAI"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20"
		hash = "d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f"
		hash = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e"
		hash = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7"
	condition:
		uint16(0) == 0x5a4d
		and
		for any signer in pe.signatures:
		(
			signer.subject == "/C=RU/L=Samara/O=BUKTBAI, OOO/CN=BUKTBAI, OOO"
			or
			signer.serial == "42:c1:64:9a:6b:80:64:0f:ad:7a:fb:b8:3e:29:81:52"
			or
			signer.thumbprint == "282ebc0a99a6328343a7d7706465778c3925adb6"
		)
}

rule cw_REvil_Kaseya_PB03TRANSPORT_stolenCert
{
	meta:
		desc = "Stolen digital certificate: PB03 TRANSPORT"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd"
		hash = "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2"
		hash = "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"
	condition:
		uint16(0) == 0x5a4d
		and
		for any signer in pe.signatures:
		(
			signer.subject == "/C=CA/ST=Ontario/L=Brampton/O=PB03 TRANSPORT LTD./CN=PB03 TRANSPORT LTD."
			or
			signer.serial == "11:9a:ce:ad:66:8b:ad:57:a4:8b:4f:42:f2:94:f8:f0"
			or
			signer.thumbprint == "11ff68da43f0931e22002f1461136c662e623366"
		)
}

rule cw_REvil_Kaseya_SAYLENT_stolenCert
{
	meta:
		desc = "Stolen digital certificate: OOO Saylent"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6"
		hash = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f"
	condition:
		uint16(0) == 0x5a4d
		and
		for any signer in pe.signatures:
		(
			signer.subject == "/C=RU/L=Cherepovetz/O=OOO Saylent/CN=OOO Saylent"
			or
			signer.serial == "00:bd:df:46:f3:a2:de:7d:2b:fb:f5:16:9a:e9:76:d9:7e"
			or
			signer.thumbprint == "0d61738e6407c01d5c9f477039fb581a5f81f436"
		)
}

rule cw_REvil_Kaseya_Dropper
{
	meta:
		desc = "Dropper for Microsoft Defender + Sodinokibi DLL Sideload"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e"
		hash = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f"
		hash = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7"
		hash = "81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471"
	strings:
		$drop_ransom = "mpsvc.dll" ascii wide fullword      // sideloaded payload name
		$drop_defender = "MsMpEng.exe" ascii wide fullword  // legitimate Defender host binary
		$drop_path = "C:\\Windows" wide fullword            // drop directory (backslash escaped for YARA)
	condition:
		uint16(0) == 0x5a4d
		and
		(
			2 of ($drop*)
			and
			pe.number_of_resources == 2   // MODLIS + SOFTIS
			and
			for all rsrc in pe.resources:  // both resources are packed/encrypted, hence high entropy
				(
				math.entropy(rsrc.offset, rsrc.length) >= 6.7
				)
		)
}

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Box takes fight with activist investor public in SEC filing

The war between Box’s current leadership and activist shareholder Starboard took a new turn today with a detailed timeline outlining the two groups’ relationship, thanks to an SEC filing and companion press release. Box is pushing back against a slate of board candidates put forth by Starboard, which wants to shake up the company’s leadership and sell it.

The SEC filing details a lengthy series of phone calls, meetings and other communications between the technology company and Starboard, which has held a stake in Box greater than 5% since September of 2019. Since then shares of Box have risen by around $10 per share.

Today’s news is multi-faceted, but we’ve learned more concerning Starboard’s demands that Box sell itself; how strongly the investor wanted co-founder and CEO Aaron Levie to be fired; and that Starboard’s complaints about a KKR-led investment into Box, which Box used to repurchase its shares, did not match its behavior, in that Starboard asked to participate in the transaction despite its public statements.

Activist investors, a bit like short-sellers, are groups that you either generally like or do not. In this case, however, we can learn quite a lot from the Box filing, including the sheer amount of time and communication it takes to manage such an investor from the perspective of one of its public-market investments.

What follows are key excerpts from Box’s SEC filing on the matter, starting with its early stake and early agreement with Starboard:

  • On September 3, 2019, representatives of Starboard contacted Mr. Levie to inform Mr. Levie that Starboard would be filing a Schedule 13D with the SEC reporting a 7.5% ownership stake in the company.
  • On March 9, 2020, Mr. O’Driscoll and Ms. Barsamian had a call with representatives of Starboard to discuss entering into a settlement agreement with Starboard.
  • On March 22, 2020, the company and Starboard entered into an agreement[.]
    Also on March 23, 2020, Starboard reported beneficial ownership of 7.7% of the outstanding Class A common stock.

Then Box reported earnings, which Starboard appeared to praise:

  • On May 27, 2020, the company reported its fiscal first quarter results, noting a 13% increase in year-over-year revenue, a 900 basis point increase in year-over-year GAAP operating margin and a $36.4 million increase in year-over-year cash flow from operations. Peter Feld, a representative of Starboard, and Mr. Levie had an email conversation related to the company’s first quarter results in which Mr. Feld stated “you guys are on a good path…congrats to the team and keep it up.”
  • Also on May 29, 2020, Starboard reported that it had decreased its beneficial ownership to 6.0% of the outstanding Class A common stock.

The same pattern repeated during Box’s next earnings report:

  • On August 27, 2020, Mr. Levie, Mr. Smith and company IR discussed the company’s earnings release with Starboard. Starboard indicated it was pleased with the rate of margin expansion and where the company was heading. In an email exchange between Mr. Feld and Mr. Levie related to the company’s results, Mr. Feld stated that he was “thrilled to see the company breaking out and performing better both on the top and bottom line. Appreciate you guys working with us and accepting the counsel. Not everyone behaves that way and it is greatly appreciated. Shows your comfort as a leader and a willingness to adapt. Very impressive.”

Then Box reported its next quarter’s results, which was followed by a change in message from Starboard (emphasis TechCrunch):

  • On December 1, 2020, the company announced its fiscal third quarter results, noting an 11% increase in year-over-year revenue, an improvement of 2100 basis points in year-over-year GAAP operating margin and a $36 million increase in year-over-year cash flow from operations. The company also provided guidance regarding its fiscal fourth quarter results, noting that its revised revenue guidance was due to “lower professional services bookings than we noted previously, which creates a roughly $2 million headwind” and that the company was being “prudent in our growth expectations given the macroeconomic challenges that our customers are facing.” The revised guidance for revenue was 1.1% below analysts’ consensus estimates of $198.8 million.
  • On December 2, 2020, Box’s common stock declined approximately 9% from its prior close of $18.54 to $16.91. On December 2, 2020 and December 4, 2020, Mr. Levie, Mr. Smith and Box IR discussed the company’s earnings release with representatives of Starboard. Despite the prior support Mr. Feld communicated to the company, Starboard reversed course and demanded that the company explore a sale of the entire company or fire the company’s CEO, or otherwise face a proxy contest from Starboard. Mr. Feld further stated that the company should not turn down an offer from a third party to buy the entire company “in the low twenties” and that Starboard would be a seller at such a price.

Recall that Box shares are now in the mid-$26s. At the time, however, Box shares lost value (emphasis: TechCrunch):

  • On December 16, 2020, two weeks after earnings, the company’s stock price closed at $18.85, which was above where it was trading immediately prior to the announcement of the company’s fiscal third quarter results on December 1, 2020.
  • On January 11, 2021, Starboard disclosed that it had increased its beneficial ownership to 7.9% of the outstanding Class A common stock.
  • On January 15, 2021, Mr. Lazar and Ms. Barsamian had a call with representatives from Starboard. Mr. Feld expressed his view that, while the company’s Convertible Senior Notes were executed on favorable terms, he was not supportive of the transaction. He reiterated his demand that the company sell itself and indicated that if the company did not do so then it must replace its CEO or otherwise face a proxy contest from Starboard to replace the CEO.

Over the next few months, Box bought SignRequest, reported earnings, and engaged external parties to try to help it bolster shareholder value. Then the KKR deal came onto the table:

  • On March 31, 2021, the Strategy Committee met to discuss the status of the strategic review. At such time, the Strategy Committee was in receipt of a proposal from KKR pursuant to which KKR and certain partners would make an investment in the form of convertible preferred stock at an initial yield of 3%, which had been negotiated down from KKR’s proposal of 7% yield in its preliminary indication of interest in early March.

The deal was unanimously approved by Box’s board, and announced on April 8th, 2021. Starboard was not stoked about the transaction, however:

  • Later on April 8, 2021, Ms. Mayer and Mr. Lazar had a call with representatives of Starboard. Mr. Feld expressed Starboard’s strong displeasure with the results of the strategic review. During the conversation, Mr. Feld indicated that he would stop the fight immediately if Mr. Levie were replaced.
  • On April 14, 2021, Ms. Mayer, Mr. Lazar and Ms. Barsamian had a call with Mr. Feld. Despite his prior statements, Mr. Feld now indicated that Starboard was not willing to sell its shares of Class A common stock at $21 or $22 per share. Mr. Feld requested that the company release KKR from its obligation to vote in favor of the company as a gesture of good faith. Mr. Feld reiterated Starboard’s desire to replace Mr. Levie as CEO and indicated that he would like to join the Board of Directors if the company did so. Ms. Mayer offered Mr. Feld the opportunity to execute a non-disclosure agreement to receive more information about the strategic review process, which Mr. Feld immediately declined.

Box was like, all right, but Feld doesn’t get to be on the board:

  • On April 20, 2021, Ms. Mayer and Mr. Lazar had a call with representatives of Starboard. Mr. Feld stated that Starboard would not move forward with its planned director nominations if Starboard were offered the opportunity to participate in the KKR-Led Transaction and Mr. Feld were appointed to the Board of Directors. Mr. Feld reiterated that he was not willing to sign a non-disclosure agreement.
  • On April 27, 2021, Mr. Park had a discussion with Mr. Feld. During this conversation, Mr. Feld reiterated his desire for Starboard to participate as an investor in the KKR-Led Transaction.
  • On April 28, 2021, Ms. Mayer and Mr. Lazar informed Mr. Feld that the Board of Directors was amenable to allowing Starboard to participate in the KKR-Led Transaction but would not appoint Mr. Feld as a director. Mr. Feld indicated that there is no path to a settlement that doesn’t include appointing him to the Board of Directors.

And then Starboard initiated a proxy war.

What to make of all of this? That trying to shake up a company from the position of a minority stake is not impossible, with Starboard able to exercise influence on Box despite having a sub-10% ownership position. And that Box was not willing to put a person on the board that wanted to fire its CEO.

What’s slightly silly about all of this is that the fight is coming at a time when Box is doing better than it has in some time. Its profitability has improved greatly, and in its most recent quarter the company topped expectations and raised its forward financial guidance.

There were times in Box’s history when it may have deserved a whacking for poor performance, but now? It’s slightly weird. Also recall that Starboard has already made quite a lot of money on its Box stake, with the company’s value appreciating sharply since the investor bought in.

Most media coverage is surrounding the public criticism by Starboard of the KKR deal and its private demand to be let into the deal. That dynamic is easily explained: Starboard thought that the deal wouldn’t make it money, but later decided that it could. So it changed its tune; if you are expecting an investor to do anything but try to maximize returns, you are setting yourself up for disappointment.

A person close to the company told TechCrunch that the current situation should be a win-win for everyone involved, but Starboard is not seeing it that way. “If you’re a near term shareholder, [like Starboard] then the path Box has taken has already been better. And if you’re a long term shareholder, Box sees significantly more upside. […] So overwhelmingly, the company believes this is the best path for shareholders and it’s already been proven out to be that,” the person said.

Alan Pelz-Sharpe, founder and principal analyst at Deep Analysis, who has been watching the content management space for many years, says the battle isn’t much of a surprise given that the two have been at odds pretty much from the start of the relationship.

“Like any activist investor, Starboard is interested in a quick increase in shareholder values and a flip. Box is in it for the long run. Further, it seems that Starboard may have mistimed or miscalculated their moves; Box clearly was not as weak as they appeared to believe, and Box has been doing well over the past year. Bringing in KKR was the start of a big fight back, and the proposed changes couldn’t make it any clearer that they are fed up with Starboard and ready to fight back hard,” Pelz-Sharpe said.

He added that publicly revealing details of the two companies’ interactions is a bit unusual, but he thinks it was appropriate here.

“Actually naming and shaming, detailing Starboard’s moves and seemingly contradictory statements, is unusual, but it may be effective. Starboard won’t back down without a fight, but from an investor relations/PR perspective this looks bad for them and it may well be time to walk away. That being said, I wouldn’t bet on Starboard walking away, as Silicon Valley has a habit of moving forward when they should be walking back from increasingly damaging situations.”

What comes next is a vote on Box’s board makeup, which should happen later this summer. Let’s see who wins.

It’s worth noting that we attempted to contact Starboard Value, but as of publication they had not gotten back to us. Box indicated that the press release and SEC filing speak for themselves.

Nobody wins as DoD finally pulls the plug on controversial $10B JEDI contract

After several years of fighting and jockeying for position by the biggest cloud infrastructure companies in the world, the Pentagon finally pulled the plug on the controversial winner-take-all, $10 billion JEDI contract today. In the end, nobody won.

“With the shifting technology environment, it has become clear that the JEDI cloud contract, which has long been delayed, no longer meets the requirements to fill the DoD’s capability gaps,” a Pentagon spokesperson stated.

The contract procurement process began in 2018 with a call for RFPs for a $10 billion, decade-long contract to handle the cloud infrastructure strategy for the Pentagon. Pentagon spokesperson Heather Babb told TechCrunch why they were going with the single-winner approach: “Single award is advantageous because, among other things, it improves security, improves data accessibility and simplifies the Department’s ability to adopt and use cloud services,” she said at the time.

From the start, though, companies objected to the single-winner approach, believing that the Pentagon would be better served with a multi-vendor approach. Some companies, particularly Oracle, believed the procurement process was designed to favor Amazon.

In the end it came down to a pair of finalists, Amazon and Microsoft, and Microsoft won. But Amazon believed that it had superior technology and only lost the deal because of direct interference by the previous president, who had open disdain for then-CEO Jeff Bezos (who is also the owner of the Washington Post newspaper).

Amazon decided to fight the decision in court, and after months of delay, the Pentagon made the decision that it was time to move on. In a blog post, Microsoft took a swipe at Amazon for precipitating the delay.

“The 20 months since DoD selected Microsoft as its JEDI partner highlights issues that warrant the attention of policymakers: When one company can delay, for years, critical technology upgrades for those who defend our nation, the protest process needs reform. Amazon filed its protest in November 2019 and its case was expected to take at least another year to litigate and yield a decision, with potential appeals afterward,” Microsoft wrote in its blog post about the end of the deal.

But in a statement of its own, Amazon reiterated its belief that the process was not fairly executed. “We understand and agree with the DoD’s decision. Unfortunately, the contract award was not based on the merits of the proposals and instead was the result of outside influence that has no place in government procurement. Our commitment to supporting our nation’s military and ensuring that our warfighters and defense partners have access to the best technology at the best price is stronger than ever. We look forward to continuing to support the DoD’s modernization efforts and building solutions that help accomplish their critical missions,” a company spokesperson said.

It seems like a fitting end to a project that I felt was doomed from the beginning. From the moment the Pentagon announced this contract with the cutesy twist on the Star Wars name, the procurement process has taken more twists and turns than a TV soap.

In the beginning, there was a lot of sound and fury, and it led to a lot of nothing. We move on to whatever cloud procurement process happens next.