6 Reasons Why Ransomware Is Not Going To Be Stopped

Everyone with access to the news already knows that Ransomware is bigger than ever before, and the public and private sectors are realizing that being the next target is not a matter of if but when.

How has it come to this? For twenty years, businesses have been buying anti-virus protection, and yet they still lost the game. In this blog, we discuss six critical reasons why we are only now seeing the beginning and not the end of the real ransomware pandemic.

1. Broken Windows Can’t Be Fixed

Microsoft Windows and associated enterprise software are full of vulnerabilities. In the previous three months alone, Microsoft has had to patch over 200 bugs, with 27 of those rated Critical and the vast majority of the rest rated as Important in severity. At least six were under active attack prior to the release of a patch.

In March of this year, four separate zero days in MS Exchange software led to breaches in thousands of organizations. One of these flaws had existed in Microsoft Exchange since 2013, while others date back to 2016 and 2019.

The recent remote code execution PrintNightmare vulnerability in the Windows Print Spooler service was rapidly folded into popular hacking tools like Mimikatz and Metasploit. Even after it was initially patched, researchers quickly discovered a full bypass. Similar vulnerabilities like FaxHell, Print Demon and Evil Printer were discovered in 2020, and it is likely that attackers will continue to look for and find systems exposed to such vulnerabilities for years to come.

NTLM-relay attacks have been a particularly rich source of privilege escalation vulnerabilities over the years. The most recent, dubbed PetitPotam, allows attackers a simple way to achieve full environment takeover of exposed Domain Controllers.

Some bugs remain hidden for years, even decades at a time. CVE-2021-24092 is a privilege escalation vulnerability in Windows Defender – Microsoft’s own security software that’s supposed to keep attackers at bay. This privilege escalation bug lay unpatched for 12 years.

It’s tempting to think that it must just be a matter of time till all these bugs are eventually found and patched, but unfortunately that’s not the way it works. New bugs are introduced with new code, and just like every other product, Microsoft needs to create new features – and write new code – to remain attractive to enterprise users. The recent HiveNightmare (aka SeriousSAM) local privilege escalation vulnerability was actually introduced into Windows 10 in version 1809. It allowed any standard user to escalate to full SYSTEM privileges, with all the horror that that entails for security teams.

While HiveNightmare requires the attacker to have a foothold on the system in order to leverage it, chaining this flaw with others such as PrintNightmare can give a threat actor both access and full permissions.

In the hands of threat actors, any of these vulnerabilities could be used to aid a compromise and help spread a Ransomware attack.
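As an added illustration of how a defender can check a host for exposure to two of the issues named in this section (this is example code, not part of the original SentinelOne post), the PowerShell script below audits a Windows machine for the HiveNightmare/SeriousSAM condition (registry hive files readable by BUILTIN\Users, plus existing Volume Shadow Copies that preserve those over-permissive copies) and for a running Print Spooler service, which is the attack surface PrintNightmare depends on. It assumes an elevated session on a Windows 10/Server host, the standard `icacls` and `vssadmin` output formats, and that the remediation commands are the workaround Microsoft published in its advisory for HiveNightmare (CVE-2021-36934); the `-Remediate` switch and the `$findings` list are this example's own constructs.

```powershell
# Added example (not from the original post): read-only exposure audit for
# HiveNightmare/SeriousSAM and PrintNightmare, with optional remediation.
# Run from an elevated PowerShell session on the host being checked.
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical switch: only apply fixes when asked
)

$findings = @()

# 1. HiveNightmare: BUILTIN\Users must not have read access to the hive files.
#    On a vulnerable build icacls prints a line such as "BUILTIN\Users:(I)(RX)".
$hiveDir = Join-Path $env:windir 'System32\config'
foreach ($hive in 'SAM', 'SECURITY', 'SYSTEM') {
    $path = Join-Path $hiveDir $hive
    $acl = & icacls.exe $path 2>$null
    if ($acl -match 'BUILTIN\\Users:\(I\)\(RX\)') {
        $findings += "HiveNightmare: $path is readable by BUILTIN\Users"
    }
}

# 2. Existing shadow copies keep a copy of the hives with the old ACL, so
#    restoring inheritance alone does not close the exposure.
$shadows = & vssadmin.exe list shadows 2>$null
$shadowCount = @($shadows | Select-String -Pattern 'Shadow Copy ID:').Count
if ($shadowCount -gt 0) {
    $findings += "HiveNightmare: $shadowCount shadow copies present; hives inside them may still be readable"
}

# 3. PrintNightmare: a running Print Spooler on a host that never prints
#    (domain controllers in particular) is needless attack surface.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    $findings += "PrintNightmare: Print Spooler service is running (startup type: $($spooler.StartType))"
}

if ($findings.Count -eq 0) {
    Write-Host 'No exposure found for the checks performed.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

if ($Remediate) {
    # Microsoft's documented HiveNightmare workaround: re-enable ACL inheritance
    # on the config directory contents, then delete the shadow copies that still
    # contain the over-permissive hives.
    & icacls.exe (Join-Path $hiveDir '*.*') /inheritance:e
    & vssadmin.exe delete shadows /for=$env:SystemDrive /Quiet

    # Stopping the spooler is only correct where the host never prints, so it
    # is left to the operator rather than done unconditionally.
    Write-Host 'If this host does not print, disable the spooler with:'
    Write-Host '  Stop-Service Spooler -Force; Set-Service Spooler -StartupType Disabled'
}
```

Run it without arguments to get a report only; rerun with `-Remediate` after reviewing the findings. Note the order of the two HiveNightmare fixes: deleting shadow copies without first correcting the ACL leaves the next snapshot equally exposed, and correcting the ACL without deleting the snapshots leaves the old copies readable.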

2. Sophisticated Attacks Beat Simple Security, Every Time

Bugs aside, Windows Defender – the built-in security of Windows devices – is simply not good enough to stop today’s sophisticated attacks. Putting aside the inherent conflict of a security product that is sold by an OS vendor (should security really be an upsell for an operating system vendor?) the recent Sunburst/SolarWinds attack was not stopped by Windows Defender, according to NETRESEC. The same source shows that even some 3rd party vendors including CrowdStrike and Carbon Black were also bypassed by the malware and failed to provide the needed visibility for detecting the attack.

Of course, sophisticated attacks are designed to beat simple security controls, but the days when anything less was sufficient for businesses are long behind us. Sophisticated tools are no longer the sole province of nation-state backed threat actors, and they are no longer only used against targets nation-states want to spy on.

The modern threatscape of financial crime is all about leverage. Threat actors want your data – either to sell or to ransom back to you, or both – and they have the muscle to buy, develop and steal the tools required to get it. Ever since the Shadow Brokers leaked the NSA’s own powerful hacking tools – including EternalBlue, which was involved in the WannaCry and NotPetya attacks – crimeware gangs have not only had those particular tools at their disposal, they’ve had the knowledge of how such tools can be built.

Moreover, an entire ecosystem exists on the Dark Web for the less sophisticated to access powerful tools developed by others. The Ransomware as a Service model means sophisticated malware developers can sell to a large number of clients, each paying a relatively low price. It’s a simple economic model that threat actors have understood and exploited with aplomb.

With ransomware affiliates queuing up to breach organizations with powerful tools that defeat simple controls, the days when enterprise security could rely on humans to do the heavy lifting are a thing of the past. Sophisticated attacks require sophisticated tools that can respond autonomously at machine speed to keep ransomware attacks out. But while there remain so many organizations that still have this lesson to learn, we will continue to see high-profile ransomware attacks afflicting both our public and private enterprises.

3. The Rewards Are Greater Than The Risks

Buggy software and weak security controls also combine with low risk and high rewards to make ransomware an attractive proposition to criminals. Back in the day, cybercriminals did not realize the vast rewards that awaited them from attacking enterprises and organizations, and were focused primarily on consumers, who were sent demands for automated payments of $300. Back in 2010, one cybersecurity commentator was able to note that “Ransom on the internet may not garner much money per incident but patient extortionists can cast a wide net and haul in many innocent victims who have no recourse other than to pay.”

How things have changed since then. Today, ransomware extortionists collect far more revenue through double extortion: good-old file encryption on the one hand, coupled with exfiltrating data and blackmailing victims on the other. It’s a numbers game. REvil ransomware operators recently exploited a bug in Kaseya VSA software and then requested a lump sum of $50 million for a universal decryption key. Last year, all ransomware extortion payments were believed to total around $350 million in cryptocurrency.

The history of crime teaches us that people will take big risks for much lower rewards. A bank heist can carry a sentence of life imprisonment and is much more likely to go awry. A ransomware attack on a U.S. institution – conducted from home in a nation that is not particularly concerned about cracking down on such computer crimes – is less risky than a late night walk in the park.

The upshot? It’s not just nation-state backed threat actors that we have to worry about but nation-state tolerated criminal gangs, too. And for your average business anywhere in the West, the latter is a far more real and present danger.


4. Cryptocurrency Makes Payment Easy

Cryptocurrency is booming. While naysayers keep on talking up the risks of the ‘cryptocurrency bubble’, criminals are more than happy to use it as a means of anonymity, easy cash transfer and – as prices soar – a fast route to riches.

Prior to the pandemic, Bitcoin was trading at a little over $7,000, but when the economy shut down around the world, Bitcoin boomed. By December 2020, it was trading at $24,000, hit a peak of $64,000 in April 2021 and is currently hovering at around $46,000. The bubble doesn’t look like it’s about to burst, and for cybercriminals extorting businesses, every price rise is just more incentive to keep attacking.

It’s not just the rising prices, of course, that make cryptocurrency attractive to criminals. Cryptocurrency offers anyone involved in crime an easy way to get paid with far more anonymity than a bank account, since the blockchain technology it is based on uses hashes of public keys rather than people’s names to record ownership.

While there is a whole art and industry behind trying to track criminal payments, there’s plenty of invention on the criminals’ side, too, to obscure “cashing out” – the conversion of cryptocurrency to hard cash. Some of that innovation is technological, some of it is just the tried and tested method of laundering funds through bank accounts for shell corporations. Are there gangs of finance criminals offering their services to the cyber criminals for just this purpose? You bet there are.

5. Business Inertia Means Legacy AVs Just Won’t Die

While cybercriminals cash in on modern technologies, the vast majority of businesses are hanging on to legacy AV technologies that were defeated long ago. AV security suites like Symantec, Avast and McAfee continue to hold market share because many businesses were locked in years ago to aging technologies relying on malware file signatures and hashes.

Despite the prevalence of these legacy AV security controls, there were an estimated 9.9 billion malware attacks in 2019 alone, up from 8.2 billion in 2015. While this can be regarded as a huge success for cybercriminals, it is a damning indictment of the failure of cybersecurity’s incumbent vendors.

If there’s one statistic more than any other that says business leaders need to rethink their approach to securing the enterprise, we can’t think of a better one than that.

The evidence is clear: Threat actors have adapted to and evaded these old approaches to security. Supply chain attacks, fileless attacks, and exploit kits with known bypasses or evasions for such security controls are common fare among ransomware operators and their affiliates, who swap news, tricks and techniques in darknet forums on how to bypass AV software. Some even offer prizes in research competitions.

6. Attacks Happen on Devices, Not in the Cloud

If legacy AV hasn’t really changed that much, our network infrastructure certainly has. The cloud – on-prem, hybrid, IaaS, PaaS, containerized workloads and more – has changed our environments beyond recognition since those old AVs were first thought of. In response, both old and new vendors have sought to exploit the cloud for the purposes of defense. What if you could send all your device telemetry (whether from physical or virtual devices) to a vendor’s cloud resources and have it analysed there? The advantage? They say it’s all in the added compute power of the cloud.

It’s right to take advantage of technology where it helps us or supplements our core defenses, but the key to endpoint device security cannot lie on a remote server or with a remote analyst. When a thief enters your home, the last thing you want is to wait for a remote cop to decide whether or not the thief should be there. The burglar might have already made off with your goods, causing who knows what kind of damage in the meantime.

The same is certainly true for endpoint security. Whether you’re securing employees’ Windows or Linux workstations, macOS laptops or personal devices, your office IoT or your company’s servers – on prem or in the cloud – what you need at the heart of your endpoint security solution is an autonomous agent on that device that responds at machine speed to a threat.

Ransomware encryption speeds are a source of great pride among crimeware developers, with each new service claiming to encrypt and exfiltrate faster than its competitors. Until the endpoint itself can respond automatically and with minimal delay, the problem of ransomware will not go away. When vendors speak about remediation after 60 seconds or 1 hour, they are talking about entering a game that is already over. There is no remediation when you’re relying on human labor to defeat machine-speed attacks.

Don’t Despair, The Answer Is Out There

But there is hope. More people are figuring out how to win this war and that time – or more accurately, speed – is of the essence. For too long, attackers have had the element of surprise in their favor, easily beating defenses that rely on either having seen an attack before or waiting for a human analyst to return a verdict.

There is nothing wrong with either of those strategies if they are supplemental to a more robust, behavioral AI that is trained to act autonomously on the battlefield. It might sound like science fiction, but the reality is already here and defending some of the world’s leading and largest enterprises today.

We believe our Singularity XDR platform is part of the solution that will free us from the threat of ransomware. If you’d like to learn more about how SentinelOne can help defend your organization from ransomware and other threats, contact us for more information or request a free demo.




“We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved,” T-Mobile wrote.

“We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed,” the statement continued. “This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.”

The intrusion came to light on Twitter when the account @und0xxed started tweeting the details. Reached via direct message, Und0xxed said they were not involved in stealing the databases but were instead in charge of finding buyers for the stolen T-Mobile customer data.

Und0xxed said the hackers found an opening in T-Mobile’s wireless data network that allowed access to two of T-Mobile’s customer data centers. From there, the intruders were able to dump a number of customer databases totaling more than 100 gigabytes.

They claim one of those databases holds the name, date of birth, SSN, driver’s license information, plaintext security PIN, address and phone number of 36 million T-Mobile customers in the United States — all going back to the mid-1990s.

The hacker(s) claim the purloined data also includes IMSI and IMEI data for 36 million customers. These are unique numbers embedded in customer mobile devices that identify the device and the SIM card that ties that customer’s device to a telephone number.

“If you want to verify that I have access to the data/the data is real, just give me a T-Mobile number and I’ll run a lookup for you and return the IMEI and IMSI of the phone currently attached to the number and any other details,” @und0xxed said. “All T-Mobile USA prepaid and postpaid customers are affected; Sprint and the other telecoms that T-Mobile owns are unaffected.”

Other databases allegedly accessed by the intruders included one for prepaid accounts, which had far fewer details about customers.

“Prepaid customers usually are just phone number and IMEI and IMSI,” Und0xxed said. “Also, the collection of databases includes historical entries, and many phone numbers have 10 or 20 IMEIs attached to them over the years, and the service dates are provided. There’s also a database that includes credit card numbers with six digits of the cards obfuscated.”

T-Mobile declined to comment beyond what the company said in its blog post today.

In 2015, a computer breach at big three credit bureau Experian exposed the Social Security numbers and other data on 15 million people who applied for financing from T-Mobile.

Like other mobile providers, T-Mobile is locked in a constant battle with scammers who target its own employees in SIM swapping attacks and other techniques to wrest control over employee accounts that can provide backdoor access to customer data. In at least one case, retail store employees were complicit in the account takeovers.

WHO HACKED T-MOBILE?

The Twitter profile for the account @Und0xxed includes a shout-out to @IntelSecrets, the Twitter account of a fairly elusive hacker who also has gone by the handles IRDev and V0rtex. Asked if @IntelSecrets was involved in the T-Mobile intrusion, @und0xxed confirmed that it was.

The IntelSecrets nicknames correspond to an individual who has claimed responsibility for modifying the source code for the Mirai “Internet of Things” botnet to create a variant known as “Satori,” and supplying it to others who used it for criminal gain and were later caught and prosecuted, such as Kenny “NexusZeta” Schuchmann, who pleaded guilty in 2019 to operating the Satori botnet. Two other young men have been charged in connection with Satori — but not IntelSecrets.

How do we know all this about IntelSecrets/IRDev/V0rtex? That identity has acknowledged as much in a series of bizarre lawsuits filed by a person who claims their real name is John Erin Binns. The same Binns identity operates the website intelsecrets[.]su.

On that site, Binns claims he fled to Germany and Turkey to evade prosecution in the Satori case, only to be kidnapped in Turkey and subjected to various forms of psychological and physical torture. According to Binns, the U.S. Central Intelligence Agency (CIA) falsely told their counterparts in Turkey that he was a supporter or member of the Islamic State (ISIS), a claim he says led to his alleged capture and torture by the Turks.

Since then, Binns has filed a flood of lawsuits naming various federal agencies, including the FBI, the CIA, and the U.S. Special Operations Command, demanding that the government turn over information collected about him and seeking restitution for his alleged kidnapping at the hands of the CIA.

Speaking to the researcher Alon Gal (@underthebreach), the hackers responsible for the T-Mobile intrusion said they did it to “retaliate against the US for the kidnapping and torture of John Erin Binns in Germany by the CIA and Turkish intelligence agents in 2019. We did it to harm US infrastructure.”

Shopistry bags $2M to provide ‘headless commerce without the headaches’

Canada-based Shopistry wants to turn the concept of headless commerce, well, on its head. On Monday, the e-commerce startup announced $2 million in seed funding to continue developing its toolkit of products, integrations, services and managed infrastructure for brands to scale online.

Jaafer Haidar and Tariq Zabian started Shopistry in 2019. Haidar’s background is as a serial technology founder with exits and ventures in e-commerce and cloud software. He was working as a venture capitalist when he got the idea for Shopistry. Zabian is a former general manager at OLX, an online classified marketplace.

Shopistry enables customers to create personalized commerce experiences accessible to all. Haidar expects headless will become the dominant architecture over the next five years, though he isn’t too keen on calling it “headless.” He much prefers the term “modular.”

“It’s a modular system, we call it ‘headless without the headaches,’ where you grab the framework to manage APIs,” Haidar told TechCrunch. “After a company goes live, they can spend 50% of their budget just to keep the lights on. They use marketplaces like Shopify to do the tech, and we are doing the same thing, but providing way more optionality. We are not a monolithic system.”

Currently, the company offers five products:

  • Shopistry Console: Brands turn on their optimal stack and change anytime without re-platforming. There is support for multiple e-commerce administrative tools like Shopify or Square, payment providers, analytics and marketing capabilities.
  • Shopistry Cloud is a managed infrastructure spearheading performance, data management and orchestration across services.
  • Shopistry Storefront and Mobile to manage web storefronts and mobile apps.
  • Shopistry CMS, a data-driven, headless customer management system to create once and publish across channels.
  • Shopistry Services, an offering to brands that need design and engineering help.

Investors in the seed round include Shoptalk founder Jonathan Weiner, Hatch Labs’ Amar Varma, Garage Capital, Mantella Venture Partners and Raiven Capital.

“At MVP we love companies that can simplify complexity to bring the proven innovations of large, technically sophisticated retailers to the masses of small to midsize retailers trying to compete with them,” said Duncan Hill, co-founder and general partner at Mantella Venture Partners, in a written statement. “Shopistry has the team and tech to be a major player in this next phase of the e-commerce evolution. This was easy to get excited about.”

Shopistry is already working with retailers like Honed and Oura Ring to manage their e-commerce presences without the cost, complexity or need for a big technology team.

Prior to going after the seed funding, Haidar and Zabian spent two years working with high-growth brands to build out the company’s infrastructure. Haidar intends to use the new capital to further that development as well as bring on sales and marketing staff.

Haidar was not able to provide growth metrics just yet. He did say the company was growing its customer base and expects to be able to share that growth next year. He is planning to add more flexibility and integrations to the back end of Shopistry’s platform and add support for other platforms.

“We are focusing next on the go-to-market perspective while we gear up for our big launch coming in the fourth quarter,” he added. “There is also a big component to ‘after the sale,’ and we want to create some amazing experiences and focus on back office operations. We want to be the easiest way to control and manage data while maintaining a storefront.”


Cisco beefing up app monitoring portfolio with acquisition of Epsagon for $500M

Cisco announced on Friday that it’s acquiring Israeli applications monitoring startup Epsagon at a price pegged at $500 million. The purchase gives Cisco a more modern microservices-focused component for its growing applications monitoring portfolio.

The Israeli business publication Globes reported it had gotten confirmation from Cisco that the deal was for $500 million, but Cisco would not confirm that price with TechCrunch.

The acquisition comes on top of a couple of other high-profile app monitoring deals, including AppDynamics, which the company bought in 2018 for $3.7 billion, and ThousandEyes, which it nabbed last year for $1 billion.

With Epsagon, the company is getting a way to monitor more modern applications built with containers and Kubernetes. Epsagon’s value proposition is a solution built from the ground up to monitor these kinds of workloads, giving users tracing and metrics, something that’s not always easy to do given the ephemeral nature of containers.

As Cisco’s Liz Centoni wrote in a blog post announcing the deal, Epsagon adds to the company’s concept of a full-stack offering in their applications monitoring portfolio. Instead of having a bunch of different applications monitoring tools for different tasks, the company envisions one that works together.

“Cisco’s approach to full-stack observability gives our customers the ability to move beyond just monitoring to a paradigm that delivers shared context across teams and enables our customers to deliver exceptional digital experiences, optimize for cost, security and performance and maximize digital business revenue,” Centoni wrote.

That experience point is particularly important because when an application isn’t working, it isn’t happening in a vacuum. It has a cascading impact across the company, possibly affecting the core business itself and certainly causing customer distress, which could put pressure on customer service to field complaints, and the site reliability team to fix it. In the worst case, it could result in customer loss and an injured reputation.

If the application monitoring system can act as an early warning system, it could help prevent the site or application from going down in the first place, and when it does go down, help track the root cause to get it up and running more quickly.

The challenge here for Cisco is incorporating Epsagon into the existing components of the application monitoring portfolio and delivering that unified monitoring experience without making it feel like a Frankenstein’s monster of a solution globbed together from the various pieces.

Epsagon launched in 2018 and has raised $30 million. According to a report in the Israeli publication Calcalist, the company was on the verge of a big Series B round with a valuation in the range of $200 million when it accepted this offer. It certainly seems to have given its early investors a good return. The deal is expected to close later this year.

The Good, the Bad and the Ugly in Cybersecurity – Week 33

The Good

This week saw a number of security updates and fixes as part of Microsoft’s “Patch Tuesday” release on August 10th. Notable among them was the inclusion of a fix for the recently disclosed PetitPotam attack (aka CVE-2021-36942). This flaw was originally discovered by researcher Gilles Lionel (aka Topotam), and is a novel NTLM-relay attack which provides enterprising attackers a simple way to take over exposed domain controllers. Once they have established a presence on the DCs, full environment takeover is trivial.

Essentially, “PetitPotam” provides quick access to the ‘keys to the kingdom’, or maybe a better analogy would be to the ‘battering ram to the kingdom’. According to Microsoft’s advisory, PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. Organizations are potentially vulnerable if they use AD CS with either Certificate Authority Web Enrollment or Certificate Enrollment Web Service.

Seeing this fix included in the August patch cycle from Microsoft will be a welcome relief for many. We encourage all enterprise security teams to review the guidance from Microsoft and take appropriate action to reduce exposure and mitigate the risk of exploitation via CVE-2021-36942.
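The advisory quoted above singles out AD CS servers whose web enrollment endpoints lack NTLM relay protections. The following PowerShell audit is an added example for this post, not code from SentinelOne or from Microsoft: it reads the two IIS settings on the Certificate Authority Web Enrollment application (/CertSrv) that Microsoft’s mitigation guidance hardens, Extended Protection for Authentication and a requirement for SSL, and reports whether either is missing. It assumes it is run in an elevated session on the CA host, that the WebAdministration module is available, and that web enrollment lives under the default site name “Default Web Site”; Certificate Enrollment Web Service (CES) keeps its own web.config and is not covered by this check.

```powershell
# Added example (not from the article or from Microsoft): audit the IIS
# settings that Microsoft's AD CS NTLM-relay mitigation hardens on the
# Certificate Authority Web Enrollment app (/CertSrv).
# Assumptions: run elevated on the CA host; default IIS site name.
Import-Module WebAdministration

$siteName = 'Default Web Site'                 # assumption: default site name
$psPath   = "IIS:\Sites\$siteName\CertSrv"

if (-not (Test-Path $psPath)) {
    Write-Host "CA Web Enrollment (/CertSrv) is not installed under '$siteName'."
    return
}

# Extended Protection for Authentication (channel binding) ties the NTLM
# exchange to the TLS session, so an authentication relayed from another
# host no longer validates. Microsoft's guidance sets this to 'Require'.
$winAuth = Get-WebConfiguration -PSPath $psPath `
    -Filter 'system.webServer/security/authentication/windowsAuthentication'
$epa = [string]$winAuth.extendedProtection.tokenChecking   # None | Allow | Require

# Channel binding only has a channel to bind to when the app is HTTPS-only,
# so the guidance also requires SSL on the application.
$access = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/security/access'
$ssl = [string]$access.sslFlags                            # contains 'Ssl' when required

$findings = @()
if ($epa -ne 'Require') {
    $findings += "extendedProtection tokenChecking is '$epa' (expected 'Require')"
}
if ($ssl -notmatch '\bSsl\b') {
    $findings += "sslFlags is '$ssl' (SSL is not required)"
}

if ($findings.Count -eq 0) {
    Write-Host "OK: /CertSrv on $env:COMPUTERNAME requires EPA and SSL."
} else {
    Write-Host "EXPOSED: /CertSrv on $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Host "  - $_" }
}
```

Run it on each CA that has the Web Enrollment role installed; an “EXPOSED” result means the endpoint still accepts an NTLM authentication that was relayed from elsewhere, which is the condition the advisory describes. Remediation is the configuration change the guidance itself prescribes (set Extended Protection to Required and require SSL on /CertSrv), applied after confirming that enrollment clients can negotiate TLS.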

The Bad

This week saw another high-profile ransomware attack and another threatened leak of sensitive corporate data unless the victim pays a hefty sum, rumored to be around the $50 million mark. The attacker and victim in this case were criminals using LockBit ransomware and global consulting firm Accenture, respectively.

According to various news sources, Accenture was able to restore affected systems from backups by Wednesday, limiting disruption to services, but the threat to leak as much as 6 TB of the company’s data still stands.

In common with other ransomware groups, the LockBit operators publish a countdown timer to pressure victims to pay up within a few hours. Notably, the LockBit timer for Accenture has reset at least once, suggesting either that the operators were experiencing some technical issues or, perhaps, that negotiations are ongoing and require more time to resolve.

Meanwhile, the leaks site added “Dudos every day” to the Accenture entry, which some have interpreted to mean “DDoS every day”. At present, we have not been able to confirm if indeed Accenture is also being hit with DDoS attacks, but the tactic is not uncommon among ransomware threat actors.

LockBit 2.0 has been around since early 2020, and by some estimates has hit anywhere between 10,000 and 40,000 victims in that time. In order to attract affiliates (criminals who pay the operators for use of the ransomware), the operators have made various unconfirmed claims that LockBit 2.0 can encrypt and exfiltrate data much faster than competing ransomware services. Whether these claims are true or not is less important than whether they are believed and encourage others to buy the service and use it to attack organizations. Given the number of estimated incidents, it seems likely that the operators have been reasonably successful in that regard.

The Ugly

This week’s ‘Ugly’ could be the tale of a Robin Hood, or a bad guy caught red-handed and trying to change the narrative to avoid jail time. Whichever way you look at it though, it’s less than pretty from some angle. The story begins with what has been described as one of the “biggest heists to target the cryptocurrency industry” after an estimated $600 million worth of crypto coins were stolen from tens of thousands of wallets on Tuesday.

The heist involved a hacker exploiting a vulnerability to breach decentralized finance (DeFi) platform Poly Network. However, as of Thursday, it appears that around half of the coins had been returned and the remaining assets were being “gradually transferred”.

An individual claiming to be responsible for the attack said they had never intended to steal the money but were merely holding on to it for “safe keeping”. Hmmm.

A competing explanation goes like this: having read Poly Network’s later tweet stating that “Law enforcement in any country will regard this as a major economic crime and you will be pursued”, along with its advice that the hacker should “return the hacked assets” and “talk to us to work out a solution”, the hacker did exactly that.

Realizing that cashing out that kind of haul would have been impossible and that, indeed, the chances of getting away with such a huge crime were incredibly low, the hacker may well have decided to take up the offer and try to change the narrative of what happened.

“White hat” researcher? We don’t think so. That’s not the way good guys operate. On the other hand, despite what appears to be the safe return of the money, trust in Poly Network could now be seriously dented. The company will have some serious PR work to do convincing current and prospective members that their digital assets are safe from now on.
