The Good, the Bad and the Ugly in Cybersecurity – Week 32

The Good

Cybersecurity is a team sport and requires collaboration between different parties. But for government and federal entities, working with civilians and, especially, white-hat hackers has always been challenging. Historically, security researchers who found bugs in government and federal systems found it difficult to report them, either out of fear (breaking into federal systems is a serious offense) or simply because no proper vulnerability reporting mechanism existed.

This is why initiatives to facilitate collaboration are very much welcome. CISA has launched a vulnerability disclosure platform (VDP) in conjunction with Bugcrowd and EnDyna. The platform enables researchers to submit bugs related to numerous agencies, including the DHS, the Department of Agriculture and nine others, with ease.

Source: Twitter

Across the pond, the UK NCSC invited 26 security researchers to participate in a Bug Bounty program (in collaboration with US company HackerOne). The 30-day challenge is aimed at identifying and fixing vulnerabilities in cyber systems to strengthen security and to ensure better resilience. Christine Maxwell, Ministry of Defence Chief Information Security Officer said: “The MOD has embraced a strategy of securing by design, with transparency being integral for identifying areas for improvement in the development process”.

The Bad

The Senate Committee on Homeland Security and Governmental Affairs has released a report named “Federal Cybersecurity: America’s Data Still at Risk”. The report follows a previous study released two years ago reviewing the state of cybersecurity at eight federal agencies. While everyone would have expected to see some improvement, the grades included in the report show otherwise, with four agencies earning a meagre “D”, three receiving a “C” and one a “B”. The report stated that it was “clear that the data entrusted to these eight key agencies remains at risk”, citing reasons such as operating without the required authorizations, using outdated (and sometimes end-of-life) software, and failing to install security patches in a timely manner.

Source: CISA

Other issues included a lack of proper inventories and access management records, numerous “Shadow IT devices”, serious vulnerabilities in public-facing websites, and, probably the worst finding of all, that seven of the eight agencies examined failed to secure PII properly. The Inspector General was able to extract hundreds of sensitive PII records from the Department of Education, including 200 credit card numbers, without the agency’s system identifying or blocking the attempt.

The report concluded that “it finds that these seven Federal agencies still have not met the basic cybersecurity standards necessary to protect America’s sensitive data”. Senator Rob Portman from Ohio said the report showed:

“a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers”.

The Ugly

Italy has fully vaccinated more than 60% of its eligible population, but it is facing a steady rise in cases and hospital admissions driven by the Delta variant. In response, the Italian government has decided to double down on vaccinating the remaining population and is limiting access to activities such as indoor dining. However, just as these measures went into effect last Friday, Italy’s Lazio region, which includes the capital Rome, suffered a ransomware attack. The attack affected the region’s IT systems, including a public health website designated for scheduling Covid-19 vaccinations.

The website was offline from last weekend until this Thursday, resulting in delays for administering the vaccination.

Lazio Governor Nicola Zingaretti called it a “terrorist attack” and regional health councillor Alessio D’Amato said it was the most serious cyberattack ever carried out on an Italian public administration. Italian news agency ANSA reported that the FBI and Europol were assisting in the investigation.

Source: BleepingComputer

It is yet unclear which ransomware operation was behind the attack. Some sources identified it as RansomEXX, while local security researcher JAMESWT claimed it was Conti. At the time of writing, it does not appear that the attackers have stolen any personal information or medical records.



HiveNightmare | Protecting Windows 10 Security Account Manager Against CVE-2021-36934

It has been a tough few weeks for many enterprise security teams fighting a series of severe bugs in Microsoft Windows 10. Shortly after being ‘all hands on deck’ dealing with the remote code execution (RCE) vulnerability dubbed PrintNightmare, IT admins and security teams were plunged into another unexpected crisis thanks to the emergence of the unrelated but familiar-sounding ‘HiveNightmare’ bug, aka SeriousSAM.

More formally tracked as CVE-2021-36934, HiveNightmare is a local privilege escalation (LPE) that allows any standard user to achieve SYSTEM privileges, with all the security headaches that entails: the ability to install malware, delete data, create new user accounts and pretty much conduct any other malicious behavior so desired.

Although HiveNightmare requires an attacker to have gained a foothold on a target system, what makes CVE-2021-36934 of particular concern is that having done so, this bug is trivial to exploit. An attacker that either accesses the target locally or remotely (such as via SSH) can very quickly and easily take advantage of a vulnerable system. Consequently, it is imperative that admins and security teams understand the details of the HiveNightmare vulnerability, how it can be exploited, and how it can be mitigated.

What Is The HiveNightmare Vulnerability?

“HiveNightmare” is an NTFS-centric access control list (ACL) flaw which affects Windows 10 builds 1809 up to and including 21H1. Upon exploitation, non-privileged users may potentially gain access to execute arbitrary code or read sensitive data. Specifically, attackers may leverage this vulnerability to extract registry hive data, including hashed passwords, which can in turn be used to further elevate privilege.

Attempts to attack hive data files have typically required the attacker to target the registry databases in an inactive or ‘offline’ Windows session. HiveNightmare greatly simplifies the attack, allowing (amongst other things) for the extraction of sensitive registry data from Volume Shadow Copies. Attackers can potentially execute arbitrary code with SYSTEM privileges, allowing for full control.

The heart of the problem lies in any user’s ability to read files in the C:\Windows\System32\config folder. This folder includes the private system-wide Windows registry files, as well as the frequently-targeted SAM (Security Account Manager) file, which contains all the local user NTLM password hashes.

When the following command is run, vulnerable systems will show the BUILTIN\Users group having RX (Read + Execute) permissions on the config folder:

> icacls C:\Windows\System32\config\SAM
Output from icacls on a vulnerable system

Attackers can leverage this insecure ACL permission to elevate privileges to local admin/SYSTEM. In organizations managed by image templates containing local users, this can be exploited for automatic lateral movement or to kickstart a worm infection mechanism.
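The icacls check above is easy to eyeball on one machine but tedious across a fleet. The following added example (my code, not SentinelOne’s or Microsoft’s) parses saved icacls output and flags any low-privilege principal that holds read access to a hive file. The two icacls transcripts are constructed to mirror the vulnerable and hardened states the article describes; the set of principals treated as low-privilege and the treatment of icacls specific-rights tokens are my assumptions.

```python
import re

# Constructed icacls output for the SAM hive on a vulnerable Windows 10 build.
# Not captured from a real host; the ACEs mirror what the article describes.
VULNERABLE_ICACLS_OUTPUT = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed output for the same file after the ACL has been tightened.
HARDENED_ICACLS_OUTPUT = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals every standard user holds; read access for any of them means the
# hive is readable by unprivileged accounts. (This set is my assumption.)
LOW_PRIVILEGE_PRINCIPALS = {
    r"BUILTIN\Users",
    r"Everyone",
    r"NT AUTHORITY\Authenticated Users",
    r"NT AUTHORITY\INTERACTIVE",
}

# icacls inheritance flags, as opposed to permission tokens.
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Simple rights and specific rights that let the file contents be read.
READ_GRANTING = {"F", "M", "RX", "R", "GR", "RD"}

_PATH_PREFIX = re.compile(r"^[A-Za-z]:\\\S+\s+")
_ACE_LINE = re.compile(r"^(?P<principal>[^:]+):(?P<rights>(?:\([^)]*\))+)\s*$")


def parse_icacls(text):
    """Parse icacls output into (path, principal, [rights tokens]) tuples.

    icacls prints the path on the first ACE line of each file; the remaining
    ACE lines are indented. Paths containing spaces are not handled (assumption).
    """
    entries = []
    current_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        m = _PATH_PREFIX.match(line)
        if m:
            current_path = m.group(0).strip()
            line = line[m.end():]
        ace = _ACE_LINE.match(line)
        if not ace or current_path is None:
            continue
        tokens = re.findall(r"\(([^)]*)\)", ace.group("rights"))
        entries.append((current_path, ace.group("principal").strip(), tokens))
    return entries


def reads_allowed(tokens):
    """True if the ACE grants read access and is not a DENY ACE."""
    if "DENY" in tokens:
        return False
    for perm in (t for t in tokens if t not in INHERITANCE_FLAGS):
        # Specific rights are comma-separated, e.g. "Rc,S,RD,REA".
        if any(right in READ_GRANTING for right in perm.split(",")):
            return True
    return False


def find_exposed_hives(icacls_text):
    """Return (path, principal, rights) for each low-privilege principal that can read the file."""
    findings = []
    for path, principal, tokens in parse_icacls(icacls_text):
        if principal in LOW_PRIVILEGE_PRINCIPALS and reads_allowed(tokens):
            perms = ",".join(t for t in tokens if t not in INHERITANCE_FLAGS)
            findings.append((path, principal, perms))
    return findings


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_ICACLS_OUTPUT),
                          ("hardened", HARDENED_ICACLS_OUTPUT)):
        print(label, find_exposed_hives(sample) or "no low-privilege read access")
```

Feeding the script the output of `icacls` for SAM, SYSTEM and SECURITY collected from each host gives a quick inventory of which machines still expose their hives; an empty result for a host means the config folder ACL no longer grants standard users read access.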

How Is HiveNightmare Used In Attacks?

At the time of writing, the majority of activity around HiveNightmare is academic or ‘proof-of-concept’ in nature. Having said that, we have observed some examples of malware based on (or around) the code snippets that have cropped up. Dozens of such examples have already been submitted to VirusTotal in recent days.

Some of the many HiveNightmare exploits uploaded to VirusTotal

Exploitation is trivial, yet multiple exploits have nonetheless been published in a variety of source code languages:

  1. C# exe: https://github.com/GossiTheDog/HiveNightmare
  2. Ps1: https://github.com/romarroca/SeriousSam
  3. Nim: https://github.com/HuskyHacks/ShadowSteal

As noted above, it is in general not possible to access hive data files when the system is ‘live’ as these files are locked when in use. However, since Windows 10 keeps system restore points (aka Volume Shadow Copies) that contain copies of the hive data files, an attacker can extract copies of these files from any existing snapshots.

The command

> vssadmin list shadows

lists the saved snapshots for the device.

Listing the available Volume Shadow Copies

The built-in CERTUTIL command can then be used to dump the SAM database to the TEMP folder.

Dumping hive data files from a snapshot to TEMP

It is important to note that while the concept of exfiltrating credentials via stolen SAM data is not novel, HiveNightmare goes a long way towards simplifying the process for attackers. This observation is further solidified by the uptick in submissions to public malware repositories of ‘commodity’ malware attempting to incorporate this exploit.

General Mitigations and Workarounds

The HiveNightmare vulnerability was disclosed in mid-July 2021 and officially addressed by Microsoft on July 20, 2021. This first disclosure from Microsoft included possible workarounds and manual mitigation steps.

Microsoft Workarounds:

  1. Delete any Restore Points and VSS Volumes
  2. Restrict user access to %windir%\system32\config via ICACLS:
    icacls %windir%\system32\config\*.* /inheritance:e

Monitoring & Threat Hunting:

  1. Any access to a path containing regex:
    ".*?\HarddiskVolumeShadowCopy[0-9]+\Windows\System32\config\SAM.*?"
  2. Suspicious creation of symbolic links containing HarddiskVolumeShadowCopy, cmdline regex:
    ".*?cmd.*?mklink.*?HarddiskVolumeShadowCopy.*?"

    (as well as other variants such as PowerShell, fsutil.exe etc.)
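The two hunting patterns above can be applied to process-creation and file-access telemetry as-is. The following added example (my code, not SentinelOne’s) runs them over a handful of constructed events and reports which rule fired on which event, so the overlap between the two rules is visible. The event format is made up for this example, not real Sysmon or EDR output; widening the first pattern from SAM alone to the SYSTEM and SECURITY hives is my generalisation, since the article notes the whole config folder is exposed.

```python
import re

# Hunting rules from the article's "Monitoring & Threat Hunting" list, written
# for re.search so the leading and trailing ".*?" wrappers are not needed.
RULES = {
    # Rule 1: a registry hive read straight out of a Volume Shadow Copy.
    # Widened here from SAM alone to the SYSTEM and SECURITY hives (assumption).
    "hive_access_in_shadow_copy": re.compile(
        r"HarddiskVolumeShadowCopy[0-9]+\\Windows\\System32\\config\\(?:SAM|SYSTEM|SECURITY)\b",
        re.IGNORECASE,
    ),
    # Rule 2: cmd.exe creating a symbolic link that points into a shadow copy.
    "cmd_mklink_into_shadow_copy": re.compile(
        r"cmd.*?mklink.*?HarddiskVolumeShadowCopy",
        re.IGNORECASE,
    ),
}

# Constructed telemetry in a made-up key=value format (not real Sysmon/EDR output).
SAMPLE_EVENTS = [
    # benign: a backup agent reading user data from a shadow copy (no hive involved)
    r"2021-07-22T10:01:02Z FileRead pid=1204 image=C:\Program Files\BackupAgent\agent.exe path=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\alice\report.docx",
    # benign on its own: listing shadow copies is routine admin activity
    r"2021-07-22T10:03:30Z ProcessCreate pid=5110 image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin list shadows",
    # suspicious: a symbolic link created into the shadow copy's config folder (trips both rules)
    r"2021-07-22T10:03:40Z ProcessCreate pid=5118 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c mklink C:\Users\Public\sam \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM",
    # suspicious: the SAM hive read out of the shadow copy by certutil.exe
    r"2021-07-22T10:03:44Z FileRead pid=5120 image=C:\Windows\System32\certutil.exe path=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM",
]


def scan(events):
    """Return (event_index, rule_name) for every rule that fires on each event."""
    hits = []
    for idx, event in enumerate(events):
        for name, pattern in RULES.items():
            if pattern.search(event):
                hits.append((idx, name))
    return hits


def flagged_indices(events):
    """Indices of events that tripped at least one rule, in order."""
    return sorted({idx for idx, _ in scan(events)})


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"[{name}] event {idx}: {SAMPLE_EVENTS[idx][:90]}...")
```

Only the third and fourth events are flagged: a shadow copy being read or listed is not suspicious by itself, which keeps the rules quiet for backup software and `vssadmin` queries. As the article's caveat says, symbolic links created through PowerShell or fsutil.exe would need additional command-line patterns of the same shape.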

It has also been noted that enabling periodic backup of the system registry to the “RegBack” folder will restore the ACL permissions to the more secure setting after a reboot. This was, in fact, Windows 10’s default behavior until version 1803. As stated by Microsoft at the time, this change was intended to help reduce the overall disk footprint, and users were recommended to recover corrupt registry hives via a system restore point. In hindsight, that recommendation looks less than wise, and it will be interesting to see if Microsoft revises that advice.

Current guidance by Microsoft is available here.

Mitigating HiveNightmare With SentinelOne

The SentinelOne Singularity Platform detects and prevents attacks associated with CVE-2021-36934 (HiveNightmare) with the current Endpoint Security Agent release (starting 4.1). The Agent’s Intrusion Detection engine autonomously blocks attempts to access sensitive SAM information from a volume shadow copy.

To enable the protection, please follow the steps mentioned in this KB support article.


Conclusion

HiveNightmare is certainly poised to become a standard weapon in the modern attacker’s armory. Escalating privileges and stealing credentials are tactics every threat actor desires to accomplish, and HiveNightmare just made these a whole lot easier to achieve. Organizations that fail to take the appropriate proactive mitigation steps are putting a target on their backs that may cost them dearly in the future. IT and security teams are, therefore, strongly advised to follow the mitigation procedures described above. If you need further assistance or would like to know more about how SentinelOne can help secure your organization, contact us or request a free demo.

MITRE ATT&CK

Credential Dumping: Security Account Manager – T1003.002
Unsecured Credentials: Credentials In Files – T1552.001
Data Encoding: Standard Encoding – T1132.001
Credential Dumping: NTDS – T1003.003
Signed Binary Proxy Execution – T1218
Indirect Command Execution – T1202
Obfuscated Files or Information – T1027
Deobfuscate/Decode Files or Information – T1140
Query Registry – T1012

Sample Hashes

SHA256
422411a976daad538aff6a61201934b4d60372a6afe7981b2b2b684a852ef6d7
92e853dd359cb3636fa165a7170498d14ef7c692d8e6545b7adea95d89fe189f

SHA1
e9cab9ddd3aa4f20aff8d33991f5996deb50bb02
a3bf960f6d124d0b53608ddb0c65177d3717a22f



Buildots raises $30M to put eyes on construction sites

One year after raising $16 million, construction technology company Buildots is back to claim another $30 million, this time in Series B funding.

Lightspeed Venture Partners led the round, with participation from previous investors TLV Partners, Future Energy Ventures, Tidhar Construction Group and Maor Investments. This gives the company $46 million in total funding, Roy Danon, co-founder and CEO of Buildots, told TechCrunch.

The three-year-old company, with headquarters in Tel Aviv and London, is leveraging artificial intelligence computer vision technology to address construction inefficiencies. Danon said though construction accounts for 13% of the world’s GDP and employs hundreds of millions of people, construction productivity continues to lag, only growing 1% in the past two decades.

Danon spent six months on construction sites talking to workers to understand what was happening and learned that control was one of the areas where efficiency was breaking down. While construction processes would seem similar to manufacturing processes, building to the design or specs didn’t happen often due to different rules and reliance on numerous entities to get their jobs done first, he said.

Buildots’ technology is addressing this gap using AI algorithms to automatically validate images captured by hardhat-mounted 360-degree cameras, immediately detecting any gaps between the original design, the schedule and what is actually happening on the construction site. Project managers can then make better decisions to speed up construction.

“It even finds events where contractors are installing out of place and streamline payments so that information is transparent and clear,” Danon said. “Buildots also creates a collaborative environment and trust by having a single source telling everyone what is going on. There is no more blaming or cutting corners because the system validates that and also makes construction a healthier industry to work in.”

Buildots went after new funding once it was able to show product market fit and was expanding into other countries. The platform is being utilized on major building projects in countries like the U.S., U.K., Germany, Switzerland, Scandinavia and China. To meet demand, Buildots will use the new funding to continue that expansion; double the size of its global team with a focus on sales, marketing and R&D; and grow on the business side. Danon’s aim is “to get to the point where we are the standard for every construction site.” The company is also looking at areas outside construction where its technology would be applicable.

Tal Morgenstern, partner at Lightspeed Venture Partners, said he keeps an eye on graduates of the Israel Defense Forces, where the three Buildots founders came from. However, in the case of this company, Lightspeed actually passed on both the seed and Series A.

Morgenstern admits the decision was a mistake, but at the time, he thought the technology Buildots was trying to build “first, impossible and second, I knew construction was difficult to sell into.” He felt that Buildots, with such a premium product, would have a challenge selling to a low-margin industry that was late to adopt technology in general.

By the time the Series B came round, he said Buildots had solved both of those issues, proving that it works, but also that customers were adopting the technology without much sales and marketing. In addition, other solutions in construction tech were still relying on lasers or people to manually input or tap photos.

“Buildots is seamlessly capturing images and providing a level of insights that is so high, and that is why the company is able to command the price structure they have and are receiving interesting commercial results,” Morgenstern said.

Walking around today’s construction site, Danon said the adoption of technology is enabling Buildots to move quickly to build processes for the industry.

As such, the company saw more than 50% growth quarter over quarter over the past year in three of the countries in which it operates. It is now working with four of the top 10 construction companies in Europe and around the world.

“We did a good job selling remotely, but now we need local offices,” Danon added. “We are also sitting on piles of data from construction sites. We learn from one project to another and want to look for the challenges where data will help make a financial impact. It’s a natural next step for the company.”


Work-Bench will continue supporting early-stage enterprise startups with new $100M fund

In spite of the pandemic, New York City remains the center of commerce and business, and over the last decade a robust startup community has developed there. Work-Bench, the NYC VC firm that concentrates on early-stage enterprise seed investments, announced its $100 million Fund 3 this morning.

The company started back in 2013, when most investment was still concentrated in Silicon Valley, but founders Jonathan Lehr and Jessica Lin believed there was room for a new firm in NYC that concentrated on writing first checks for enterprise startups. The founding team knew IT and believed that with the concentration of Fortune 500 companies in the city, they could build something that took advantage of that proximity.

The bet has paid off in a big way with investments in successful startups like Cockroach Labs, Catalyst, Dialpad and FireHydrant (all companies TechCrunch has covered). Big exits include CoreOS, which Red Hat acquired for $250 million in 2018.

Writing in a blog post announcing the new fund, Lehr and Lin said their initial idea has grown far beyond anything they could have hoped for in those early days. “By utilizing our deep corporate network of Fortune 500 customers here in NYC, we can get conviction in companies early on, and before they have the metrics other VC firms require. It’s also through this network of customers that we can land critical early customer logos and through our extensive community events and playbooks that we can enable pivotal knowledge sharing,” the two founders wrote.

Lehr says, even with the pandemic, which could have allowed it to expand its reach, the company is mostly sticking to its NYC focus with the majority of investments based there. “This may sound ironic, but while businesses went virtual, the pandemic reinforced our focus on New York City. Our city was hit first and hardest by COVID, but despite it all, VC funding activity for local enterprise startups actually increased substantially during the pandemic. Along with that, with so many Fortune 500s in NYC all going through accelerated digital transformation during the pandemic, there was a ton of work to be done and numerous customer opportunities right here in our own backyard,” Lehr said.

He says that the $47 million Fund 2 portfolio was deployed to 70% NYC-based startups, and he predicts that Fund 3 will have a similar composition, if not slightly more concentrated in New York.

The company didn’t just decide to write first checks though, it tried to build the community by offering workspace in their offices where early-stage companies could feed off one another (at least until the pandemic came along). The founders have also offered events where various speakers came to their offices, hosting hundreds of events since inception, while going virtual when the pandemic closed down in-person gatherings.

Lehr says as the company deploys Fund 3 money, it is looking for ways to invest in a more diverse group of founders. “Right now, 20% of our portfolio is made up of women founders. While we are proud of that number within an enterprise context, we believe there is so much room for improvement. As we’ve learned, deal flow doesn’t become diverse on its own — you need to make it diverse, which is why we place a huge emphasis on identifying and amplifying the voices of women and diverse founders within our own Investment Committee meetings and across the rest of the VC and enterprise tech community.”

The company will continue to look at enterprise startups, particularly in New York City, as it looks to distribute these new funds.

Enterprise AI 2.0: The acceleration of B2B AI innovation has begun

Two decades after businesses first started deploying AI solutions, one can argue that they’ve made little progress in achieving significant gains in efficiency and profitability relative to the hype that drove initial expectations.

On the surface, recent data supports AI skeptics. Almost 90% of data science projects never make it to production; only 20% of analytics insights through 2022 will achieve business outcomes; and even companies that have developed an enterprisewide AI strategy are seeing failure rates of up to 50%.

But the past 25 years have only been the first phase in the evolution of enterprise AI — or what we might call Enterprise AI 1.0. That’s where many businesses remain today. However, companies on the leading edge of AI innovation have advanced to the next generation, which will define the coming decade of big data, analytics and automation — Enterprise AI 2.0.

The difference between these two generations of enterprise AI is not academic. For executives across the business spectrum — from healthcare and retail to media and finance — the evolution from 1.0 to 2.0 is a chance to learn and adapt from past failures, create concrete expectations for future uses and justify the rising investment in AI that we see across industries.

Two decades from now, when business leaders look back to the 2020s, the companies who achieved Enterprise AI 2.0 first will have come to be big winners in the economy, having differentiated their services, scooped up market share and positioned themselves for ongoing innovation.

Framing the digital transformations of the future as an evolution from Enterprise AI 1.0 to 2.0 provides a conceptual model for business leaders developing strategies to compete in the age of automation and advanced analytics.

Enterprise AI 1.0 (the status quo)

Starting in the mid-1990s, AI was a sector marked by speculative testing, experimental interest and exploration. These activities occurred almost exclusively in the domain of data scientists. As Gartner wrote in a recent report, these efforts were “alchemy … run by wizards whose talents will not scale in the organization.”

Former Facebook teammates raise $10.4M in Sequoia-led round to launch features development

Statsig is taking the A/B testing applications that drive Facebook’s growth and putting similar functionalities into the hands of any product team so that they, too, can make faster, data-informed decisions on building products customers want.

The Seattle-based company on Thursday announced $10.4 million in Series A funding, led by Sequoia Capital, with participation from Madrona Venture Group and a group of individual investors, including Robinhood CPO Aparna Chennapragada, Segment co-founder Calvin French-Owen, Figma CEO Dylan Field, Instacart CEO Fidji Simo, DoorDash exec Gokul Rajaram, Code.org CEO Hadi Partovi and a16z general partner Sriram Krishnan.

Co-founder and CEO Vijaye Raji started the company with seven other former Facebook colleagues in February, but the idea for the company started more than a year ago.

He told TechCrunch that while working at Facebook, A/B testing applications, like Gatekeeper, Quick Experiments and Deltoid, were successfully built internally. The Statsig team saw an opportunity to rebuild these features from scratch outside of Facebook so that other companies that have products to build — but no time to build their own quick testing capabilities — can be just as successful.

Statsig’s platform enables product developers to run quick product experiments and analyze how users respond to new features and functionalities. Tools like Pulse, Experiments+ and AutoTune allow for hundreds of experiments every week, while business metrics guide product teams to build and ship the right products to their customers.

Raji intends to use the new funding to hire folks in the area of design, product, data science, sales and marketing. The team is already up to 14 since February.

“We already have a set of customers asking for features, and that is a good problem, but now we want to scale and build them out,” he added.

Statsig has no subscription or upfront fees and is already serving millions of end-users every month for customers like Clutter, Common Room and Take App. The company will always offer a free tier so customers can try out features, but also offers a Pro tier for 5 cents per event so that when the customer grows, so does Statsig.

Raji sees adoption of Statsig coming from a few different places: developers and engineers that are downloading it and using it to serve a few million people a month, and then through referrals. In fact, the adoption the company is getting is “bottom up,” which is what Statsig wants, he said. Now the company is talking to bigger customers.

There are plenty of competitors for this product, including incumbents in the market, according to Raji, but they mostly focus on features, while Statsig provides insights and ties metrics back to features. In addition, the company has automated analysis where other products require manual set up and analysis.

Sequoia partner Mike Vernal worked at Facebook prior to joining the venture capital firm and had worked with Raji, calling him “a top 1% engineer” that he was happy to work with.

Having sat on many company boards, he has found that many companies spend a long time talking about sales and marketing, but very little on product because there is not an easy way to get precise numbers for planning purposes, just a discussion about what they did and plan to do.

What Vernal said he likes about Statsig is that the company is bringing that measurement aspect to the table so that companies don’t have to hack together a poorer version.

“What Statsig can do, uniquely, is not only set up an experiment and tell if someone likes green or blue buttons, but to answer questions like what the impact this is of the experiment on new user growth, retention and monitorization,” he added. “That they can also answer holistic questions and understand the impact on any single feature on every metric is really novel and not possible before the maturation of the data stack.”


Ransomware Gangs and the Name Game Distraction

It’s nice when ransomware gangs have their bitcoin stolen, malware servers shut down, or are otherwise forced to disband. We hang on to these occasional victories because history tells us that most ransomware moneymaking collectives don’t go away so much as reinvent themselves under a new name, with new rules, targets and weaponry. Indeed, some of the most destructive and costly ransomware groups are now in their third incarnation.

A rough timeline of major ransomware operations and their reputed links over time.

Reinvention is a basic survival skill in the cybercrime business. Among the oldest tricks in the book is to fake one’s demise or retirement and invent a new identity. A key goal of such subterfuge is to throw investigators off the scent or to temporarily direct their attention elsewhere.

Cybercriminal syndicates also perform similar disappearing acts whenever it suits them. These organizational reboots are an opportunity for ransomware program leaders to set new ground rules for their members — such as which types of victims aren’t allowed (e.g., hospitals, governments, critical infrastructure), or how much of a ransom payment an affiliate should expect for bringing the group access to a new victim network.

I put together the above graphic to illustrate some of the more notable ransom gang reinventions over the past five years. What it doesn’t show is what we already know about the cybercriminals behind many of these seemingly disparate ransomware groups, some of whom were pioneers in the ransomware space almost a decade ago. We’ll explore that more in the latter half of this story.

One of the more intriguing and recent revamps involves DarkSide, the group that extracted a $5 million ransom from Colonial Pipeline earlier this year, only to watch much of it get clawed back in an operation by the U.S. Department of Justice.

After acknowledging someone had also seized their Internet servers, DarkSide announced it was folding. But a little more than a month later, a new ransomware affiliate program called BlackMatter emerged, and experts quickly determined BlackMatter was using the same unique encryption methods that DarkSide had used in their attacks.

DarkSide’s demise roughly coincided with that of REvil, a long-running ransomware group that claims to have extorted more than $100 million from victims. REvil’s last big victim was Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. That attack let REvil deploy ransomware to as many as 1,500 organizations that used Kaseya.

REvil demanded a whopping $70 million to release a universal decryptor for all victims of the Kaseya attack. Just days later, President Biden reportedly told Russian President Vladimir Putin that he expects Russia to act when the United States shares information on specific Russians involved in ransomware activity.

A REvil ransom note.

Whether that conversation prompted actions is unclear. But REvil’s victim shaming blog would disappear from the dark web just four days later.

Mark Arena, CEO of cyber threat intelligence firm Intel 471, said it remains unclear whether BlackMatter is the REvil crew operating under a new banner, or if it is simply the reincarnation of DarkSide.

But one thing is clear, Arena said: “Likely we will see them again unless they’ve been arrested.”

Likely, indeed. REvil is widely considered a reboot of GandCrab, a prolific ransomware gang that boasted of extorting more than $2 billion over 12 months before abruptly closing up shop in June 2019. “We are living proof that you can do evil and get off scot-free,” GandCrab bragged.

And wouldn’t you know it: Researchers have found GandCrab shared key behaviors with Cerber, an early ransomware-as-a-service operation that stopped claiming new victims at roughly the same time that GandCrab came on the scene.

GOOD GRIEF

The past few months have been a busy time for ransomware groups looking to rebrand. BleepingComputer recently reported that the new “Grief” ransomware startup was just the latest paintjob of DoppelPaymer, a ransomware strain that shared most of its code with an earlier iteration from 2016 called BitPaymer.

All three of these ransom operations stem from a prolific cybercrime group known variously as TA505, “Indrik Spider” and (perhaps most memorably) Evil Corp. According to security firm CrowdStrike, Indrik Spider was formed in 2014 by former affiliates of the GameOver Zeus criminal network who internally referred to themselves as “The Business Club.”

The Business Club was a notorious Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide. In 2015, the FBI offered a standing $3 million bounty for information leading to the capture of the Business Club’s leader — Evgeniy Mikhailovich Bogachev. By the time the FBI put a price on his head, Bogachev’s Zeus trojan and later variants had been infecting computers for nearly a decade.

The alleged ZeuS Trojan author, Evgeniy Mikhailovich Bogachev. Source: FBI

Bogachev was way ahead of his colleagues in pursuing ransomware. His Gameover Zeus Botnet was a peer-to-peer crime machine that infected between 500,000 and a million Microsoft Windows computers. Throughout 2013 and 2014, PCs infected with Gameover were seeded with Cryptolocker, an early, much-copied ransomware strain allegedly authored by Bogachev himself.

CrowdStrike notes that shortly after the group’s inception, Indrik Spider developed their own custom malware known as Dridex, which has emerged as a major vector for deploying malware that lays the groundwork for ransomware attacks.

“Early versions of Dridex were primitive, but over the years the malware became increasingly professional and sophisticated,” CrowdStrike researchers wrote. “In fact, Dridex operations were significant throughout 2015 and 2016, making it one of the most prevalent eCrime malware families.”

That CrowdStrike report was from July 2019. In April 2021, security experts at Check Point Software found Dridex was still the most prevalent malware (for the second month running). Mainly distributed via well-crafted phishing emails — such as a recent campaign that spoofed QuickBooks — Dridex often serves as the attacker’s initial foothold in company-wide ransomware attacks, Check Point said.

REBRANDING TO AVOID SANCTIONS

Another ransomware family tied to Evil Corp. and the Dridex gang is WastedLocker, which is the latest name of a ransomware strain that has rebranded several times since 2019. That was when the Justice Department put a $5 million bounty on the head of Evil Corp., and the Treasury Department’s Office of Foreign Assets Control (OFAC) said it was prepared to impose hefty fines on anyone who paid a ransom to the cybercrime group.

Alleged Evil Corp leader Maksim “Aqua” Yakubets. Image: FBI

In early June 2021, researchers discovered the Dridex gang was once again trying to morph in an effort to evade U.S. sanctions. The drama began when the Babuk ransomware group announced in May that it was starting a new platform for data leak extortion, intended to appeal to ransomware groups that didn’t already have a blog where they could publicly shame victims into paying by gradually releasing stolen data.

On June 1, Babuk changed the name of its leaks site to payload[dot]bin, and began leaking victim data. Since then, multiple security experts have spotted what they believe is another version of WastedLocker dressed up as payload.bin-branded ransomware.

“Looks like EvilCorp is trying to pass off as Babuk this time,” wrote Fabian Wosar, chief technology officer at security firm Emsisoft. “As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations.”

Experts are quick to point out that many cybercriminals involved in ransomware activity are affiliates of more than one distinct ransomware-as-a-service operation. In addition, it is common for a large number of affiliates to migrate to competing ransomware groups when their existing sponsor suddenly gets shut down.

All of the above would seem to suggest that the success of any strategy for countering the ransomware epidemic hinges heavily on the ability to disrupt or apprehend a relatively small number of cybercriminals who appear to wear many disguises.

Perhaps that’s why the Biden Administration said last month it was offering a $10 million reward for information that leads to the arrest of the gangs behind the extortion schemes, and for new approaches that make it easier to trace and block cryptocurrency payments.

Marvell nabs Innovium for $1.1B as it delves deeper into cloud ethernet switches

Marvell announced this morning it has reached an agreement to acquire Innovium for $1.1 billion in an all-stock deal. The startup, which raised over $400 million according to Crunchbase data, makes Ethernet networking switches optimized for the cloud.

Marvell president and CEO Matt Murphy sees Innovium as a complementary piece to the $10 billion Inphi acquisition last year, giving the company, which makes copper-based chips, more ways to work across modern cloud data centers.

“Innovium has established itself as a strong cloud data center merchant switch silicon provider with a proven platform, and we look forward to working with their talented team who have a strong track record in the industry for delivering multiple generations of highly successful products,” Marvell CEO Matt Murphy said in a statement.

Innovium founder and CEO Rajiv Khemani, who will remain as an advisor post-close, told the familiar tale of an acquired startup CEO, casting the sale as a way to grow faster as part of a larger organization than the company could on its own. “As we engaged with Marvell, it became clear that our data center optimized portfolio combined with Marvell’s scale, leading technology platform and complementary portfolio, can accelerate our growth and vision of delivering breakthrough switch silicon for the cloud and edge,” he wrote in a company blog post announcing the deal.

The company, which was founded in 2014, raised more than $143 million last year on a post-money valuation of $1.3 billion, according to PitchBook data. The question is, was this a reasonable deal for the company given that valuation?

No company wants to sell for less than it was last valued by its investors. In some cases, such deals can still be accretive for early backers of the selling concern, but not always. In this case TechCrunch is not privy to all the details of the Innovium cap table and what its later investors may have built into their deals with the company in the form of downside protection; such measures can tilt the value of the sale of a company more toward its later and final investors. This is usually managed at the expense of its earlier backers and employees.

Still, the Innovium deal should not be seen as a failure. Building a company that sells for north of $1 billion in equity value is impressive. The deal appears to be slightly smaller in enterprise value terms. In the business world, enterprise value is a useful method of valuing the true cost of an acquisition. In the case of Innovium, a large cash position, what was described as “Innovium cash and exercise proceeds expected at closing of approximately $145 million,” lowered the cost of the transaction to a more modest $955 million in net outlays.

Our general perspective is that the sale is probably not the outcome that Innovium’s backers had hoped for, but that it may still prove lucrative to early workers and early investors, and still works at that lower figure. It’s also notable how, in today’s market of mega-rounds and a surfeit of unicorns, an exit north of the $1 billion mark in equity terms can be viewed as a disappointment at all. Innovium is selling for around the price that Facebook paid for Instagram in 2012, a deal that at the time was so large that it dominated technology headlines around the world.

But with so much capital available today, private valuations are soaring and mega deals abound. And recent rounds north of $100 million, much like Innovium’s 2020-era, $143 million round, can set companies up with rich valuations and a narrow path in front of them to beat those heightened expectations.

What likely happened? Perhaps Innovium found itself with more cash than opportunities to spend it; perhaps it simply needed a large partner to help it better sell into its market. With expected revenues of $150 million in Marvell’s fiscal 2023, its next fiscal period, Innovium did not fail to reach scale. It may have simply grown well as a private, independent company, and stalled out after its last round.

Regardless, a billion-dollar exit is a billion-dollar exit. The deal is expected to close by the end of this year. While both company boards have approved the deal, it still must clear regular closing hurdles, including approval by Innovium’s private stock holders.

Product-led revenue startup Correlated launches with $8.3M seed

Correlated on Wednesday announced it raised $8.3 million in seed funding to launch its product-led growth platform for sales teams.

NextView Ventures and Harrison Metal co-led the round and were joined by Apollo Projects, Attentive co-founders Brian Long and Andrew Jones, Cockroach Labs co-founder Ben Darnell and Atrium’s Pete Kazanjy. The round includes funding raised last year and more recent follow-on funding from both NextView and Harrison, co-founder and CEO Tim Geisenheimer told TechCrunch.

The New York-based company was founded in 2020 by Geisenheimer and Diana Hsieh, who overlapped at TimescaleDB, and John Pena, who Geisenheimer met at Facet. In their previous roles, they saw a need to connect product data to sales tools.

While at Timescale, Geisenheimer said there were thousands of free users to talk to, and he and Hsieh built a similar version of a product-led growth platform there, but secretly wished there was something more like Correlated available.

What they saw was data from multiple tools being copied manually into spreadsheets so that actionable insights could be generated. The data would quickly become outdated. Add in that the way customers use products now is different. Traditionally, customers could not use a product until they had talked to the sales team. Today, customers start using products for free and either get value from them or not, but sales teams don’t have real-time data on their experience.

“Sales needs to know how customers are using the product and the right time for sales to engage based on maturity of the experience,” Geisenheimer said. “That was the missing piece of it and sales teams ended up talking to the wrong people. With Correlated, they can close more deals efficiently.”

Correlated’s technology pulls in product usage data from tools and data warehouses and connects to a customer relationship management platform like Salesforce or HubSpot, stitching it together into a data graph that shows how customers are using a product. For example, within a company of 200 to 500 employees, a salesperson can see how frequently employees log in and be alerted when the best opportunity to make the sale arises.

The company has a SaaS pricing model and is already working with mid-market companies like Ally, Pulumi, ReadMe and LaunchNotes. To support its launch out of beta, Geisenheimer intends to use the new funding for hiring across functions like engineering and go-to-market. The company has 11 employees currently.

Other product-led growth platforms, such as Endgame, have raised venture capital recently, but Geisenheimer said the competition is more often in-house product teams building their own systems. Correlated’s differentiator is that it has taken on that task itself and enables customers to see value quickly once they are up and running, he added.

David Beisel, co-founder and partner at NextView Ventures, said his firm invests in seed-stage companies and is currently operating out of its fourth fund, backing business-to-business SaaS and e-commerce companies. Beisel has known Geisenheimer for nearly a decade now, having met him when NextView invested in one of Geisenheimer’s previous companies, TapCommerce.

“At the end of the day with Tim, he knows sales and the company is selling a product that has a strong founder market fit,” Beisel said. “We are moving toward a world where end-user adoption of software — not the initial engagement — is growing over time. Instead, Correlated empowers that initial sale and account expansion and that will align with where the industry is going.”

FullStory raises $103M at a $1.8B valuation to combat rage clicks on websites and apps

Even with all the years of work that have been put into improving how screen-based interfaces work, our experiences with websites, mobile apps, and any other interactive service you might use still often come up short: we can’t find what we want, we’re bombarded with exactly what we don’t need, or the flow is just buggy in one way or another.

Now, FullStory, one of the startups that’s built a platform to identify when all of the above happens and provide suggestions to publishers for fixing it — it’s obsessed enough with the issue that it went so far as to trademark the phrase “Rage Clicks”, the focus of its mission — is announcing a big round of funding, a sign of its success and ambitions to do more.

The Atlanta-based company has closed a Series D round of $103 million, an oversubscribed round that actually was still growing between me interviewing the company and publishing this story (when we talked last week the figure was $100 million). Permira’s growth fund — which has previously invested in other customer experience startups like Klarna and Nexthink — is leading this round, with previous investors Kleiner Perkins, GV, Stripes, Dell Technologies Capital, Salesforce Ventures, and Glynn Capital also participating.

FullStory, which has raised close to $170 million to date, has confirmed that the investment values the company at $1.8 billion.

Scott Voigt, FullStory’s founder and CEO, tells me that FullStory currently has some 3,100 paying customers on its books across verticals like retail, SaaS, finance, and travel (customers include Peloton, the Financial Times, VMware and JetBlue), which collectively are on course to rack up more than 15 billion user sessions this year — working out to 1 trillion interactions involving clicks, navigations, highlights, scrolls, and frustration signals. It says that annual recurring revenue has to date risen by more than 70% year-on-year.

The plan now will be to continue investing in R&D to bring more real-time intelligence into its products, “and pass those insights on to customers,” and also to “move more aggressively into Europe and Asia Pacific,” he added.

FullStory competes with others like Glassbox and Decibel, although it also claims its tools have more presence on websites than its three biggest competitors combined.

Working across different divisions like product, customer success and marketing, and engineering, FullStory uses machine learning algorithms to analyze how people navigate websites and other digital interfaces.

If the visitor approves it at the “consent gate” you might encounter because of, say, GDPR regulations, FullStory then tracks things like: clicking excessively in one area over a short period because of delays (the so-called “rage clicks”); clicks that lead nowhere because of, for example, a blip in a piece of JavaScript; or a person scrolling or moving a mouse, cursor or finger in a frustrated (fast) way, again with little or no subsequent activity (or the customer’s activity ceasing altogether). It doesn’t use, and has no plans to use, eye tracking or anything like sentiment analysis on data that customers type into, say, customer response windows.
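To make the two signals described above concrete, here is an added example (not FullStory’s code, whose heuristics and thresholds are not public) that runs a rage-click and dead-click detector over a constructed click stream. The event shape, the reaction event types, and the thresholds (three or more clicks within one second and 30 pixels; no page reaction within one second) are assumptions chosen for illustration. Clicks inside a rage burst are reported once as a burst rather than as individual dead clicks.

```javascript
// Added example: frustration-signal heuristics over a recorded click stream.
// Thresholds below are assumptions for illustration, not FullStory's values.
const RAGE_MIN_CLICKS = 3;          // clicks needed before a burst counts as rage
const RAGE_WINDOW_MS = 1000;        // the burst must fit inside this window
const RAGE_RADIUS_PX = 30;          // every burst click lies this close to the latest one
const DEAD_CLICK_TIMEOUT_MS = 1000; // a click with no page reaction within this long is "dead"

// Event types that count as "the page reacted" (assumed taxonomy).
const REACTION_TYPES = new Set(['domchange', 'navigate', 'networkresponse']);

function distancePx(a, b) {
  return Math.hypot(a.x - b.x, a.y - b.y);
}

// events: [{ t: ms since session start, type, x?, y? }], sorted by t ascending.
// Returns one record per rage burst: { startT, endT, x, y, count }.
function detectRageClicks(events) {
  const clicks = events.filter((e) => e.type === 'click');
  const bursts = [];
  let windowStart = 0;
  let inBurst = false;
  for (let i = 0; i < clicks.length; i++) {
    const cur = clicks[i];
    // Slide the window so it only holds clicks within RAGE_WINDOW_MS of the current one.
    while (cur.t - clicks[windowStart].t > RAGE_WINDOW_MS) windowStart++;
    // Keep only the windowed clicks that landed near the current click.
    const nearby = clicks
      .slice(windowStart, i + 1)
      .filter((c) => distancePx(c, cur) <= RAGE_RADIUS_PX);
    if (nearby.length >= RAGE_MIN_CLICKS) {
      if (!inBurst) {
        // Threshold just crossed: open a burst anchored at the oldest nearby click.
        bursts.push({ startT: nearby[0].t, endT: cur.t, x: cur.x, y: cur.y, count: nearby.length });
        inBurst = true;
      } else {
        // Still hammering the same spot: extend the open burst instead of re-reporting it.
        const open = bursts[bursts.length - 1];
        open.endT = cur.t;
        open.count += 1;
      }
    } else {
      inBurst = false; // the user moved away or paused long enough to end the burst
    }
  }
  return bursts;
}

// A click is dead when no reaction event follows it within DEAD_CLICK_TIMEOUT_MS.
function detectDeadClicks(events) {
  const dead = [];
  for (let i = 0; i < events.length; i++) {
    const e = events[i];
    if (e.type !== 'click') continue;
    let reacted = false;
    for (let j = i + 1; j < events.length && events[j].t - e.t <= DEAD_CLICK_TIMEOUT_MS; j++) {
      if (REACTION_TYPES.has(events[j].type)) { reacted = true; break; }
    }
    if (!reacted) dead.push({ t: e.t, x: e.x, y: e.y });
  }
  return dead;
}

// Combine both signals; dead clicks that belong to a rage burst are folded into the burst.
function summarizeSession(events) {
  const rageBursts = detectRageClicks(events);
  const deadClicks = detectDeadClicks(events).filter(
    (d) => !rageBursts.some((b) => d.t >= b.startT && d.t <= b.endT),
  );
  return { rageBursts, deadClicks };
}

// Constructed sample session (not real telemetry).
const SAMPLE_SESSION = [
  { t: 0, type: 'click', x: 100, y: 200 },    // normal click, page reacts 120 ms later
  { t: 120, type: 'domchange' },
  { t: 3000, type: 'click', x: 400, y: 50 },  // dead click: nothing ever happens
  { t: 6000, type: 'click', x: 220, y: 310 }, // rage burst: four clicks in 700 ms on one spot
  { t: 6200, type: 'click', x: 225, y: 312 },
  { t: 6450, type: 'click', x: 218, y: 308 },
  { t: 6700, type: 'click', x: 230, y: 315 },
  { t: 9000, type: 'click', x: 600, y: 600 }, // normal click that navigates
  { t: 9300, type: 'navigate' },
];

console.log(JSON.stringify(summarizeSession(SAMPLE_SESSION), null, 2));
```

On the sample session the detector reports one rage burst (four clicks starting at 6000 ms) and a single stand-alone dead click at 3000 ms; the four burst clicks are also technically dead but are attributed to the burst. In a real deployment the events would come from DOM click listeners, a MutationObserver and navigation hooks, and the thresholds would be tuned per site.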

FullStory then packages up the insights that it does collect into data streams that can be used with various visualization tools (having Salesforce as a strategic backer is interesting in this regard, given that it owns Tableau), or spreadsheets, or whatever a customer chooses to put them into. While it doesn’t offer direct remediation (perhaps an area it could tackle in the future), it does offer suggestions for alternative actions to fix whatever problems are arising.

Part of what has given FullStory a big boost in recent times (this round is by far the biggest fundraise the company has ever done) is the fact that, in today’s world, digital business has become the centerpiece of all business. Because Covid-19 and the need for social distancing have taken away some of the traffic from in-person experiences like going to stores, organizations that built their experiences online from the start are seeing unprecedented amounts of traffic; and they are now joined by organizations that have shifted to digital experiences simply to stay in business.

All of that has contributed to a huge amount of content online, and a big shift in mindset to making it better (and in the most urgent of cases, even more basically, simply usable), and that has resulted in the stars aligning for companies like FullStory.

“The category was so nascent to begin with that we had to explain the concept to customers,” Voigt told me of the company’s early days, when selling meant selling would-be customers on the very idea of digital experience insights. “But digital experience, in the wake of Covid-19, suddenly mattered more than it ever has before, and the continued amount of inbound interest has been afterburner for us.” He noted that demand is increasing among mid-market and enterprise organizations, and that the general movement of talent in the industry has also helped FullStory grow.

“Our customers tend to take their tools with them when they change their jobs,” he said. Those tools include FullStory’s analytics.

The trend of using AI to impose structure on what would otherwise be unstructured data has been a big boost to the analytics world, and investors are interested in FullStory because of how it has built its business on top of that trend.

“We are very excited to partner with the FullStory team as they continue to expand and build a truly extraordinary technology brand that improves the digital experience for all stakeholders,” said Alex Melamud, who led the transaction on behalf of Permira Growth, in a statement.

“Traditional analytics have been upended by AI- and ML-enabled approaches that can instantly uncover nuanced patterns and anomalies in customer behavior,” said Bruce Chizen, a senior advisor at Permira, in a statement. “Leveraging both structured and unstructured data, FullStory has rapidly established itself as the market and technology leader in DXI and is now the fastest-growing company in the category and the de facto system of record for all digital experience data.” Chizen is joining the FullStory Board with this round.