How Today’s Supply Chain Attacks Are Changing Enterprise Security

Exploiting Trust

When we think of the word ‘trust’, what first comes to mind? Usually personal relationships: close family, long-term friends or colleagues who are consistently and reliably there for you. They are trusted for their authenticity, integrity and honesty; they listen to you, and they are discreet with your information. Yet, as most of us have experienced, trust is fragile and easily damaged. In some relationships it is implicit; in others it is quickly lost.

If we relate trust to the information security industry and the third party tools and systems that we implement to help secure our organisations, then the same concepts hold true. We place our trust in security systems that have earned trust by proving to be reliable and consistent, by demonstrating integrity, value and confidentiality, through a trusted network of recommendations amongst many other data points.

That trust is used to help us manage and mitigate risk and in turn helps other business relationships place their trust in us, and so trust is chained together from business to business, supplier to supplier, vendor to vendor.

However, when we select a security system to help protect ourselves, we are also accepting hidden areas of trust: relationships we do not know we have entered into, made on our behalf further along a chain that is beyond our immediate control. These chains sometimes have weak points, places where a process or tool is not quite as robust as our own, and this is what supply chain attackers over the last 10 years have looked to exploit.

Supply chain attacks look to areas of trust that are fragile. Weaknesses in these chains can be used to bypass the implicit trust you have in your own security systems, processes and organisations. Something you were, until that point, completely unaware of.

In this post, we will explore some of the high-profile examples of where these chains have been compromised and look to learn lessons from these incidents, to help identify trust weaknesses and help mitigate potential future problems.

RSA Security – 2011

Back in 2011, RSA – the security division of EMC – was breached and critical SecurID product secrets were stolen. Those secrets would allow an attacker to reproduce the one-time codes generated by RSA’s two-factor authentication tokens.

The RSA SecurID token was at the time a very popular hardware-based (‘something you have’), six-digit, one-time-password system, used by companies to reduce their reliance on static usernames and passwords. By breaking into RSA, the attacker accessed token seed data, compromising up to 40 million tokens in the field.

The attackers’ ultimate goal was military secrets held by defence contractors such as Lockheed Martin and Northrop Grumman, which the strong authentication supplied by RSA had so far kept out of reach; Lockheed Martin later disclosed an intrusion attempt that used the stolen SecurID data.

Organizations had placed their trust in the RSA SecurID system to provide an additional layer of security, and the attackers bypassed that trust by targeting the supplier of the tokens directly.

The initial access was a phishing email to RSA employees carrying a spreadsheet that exploited a zero-day vulnerability in Adobe Flash Player to install a backdoor.

CCleaner March 2017

In 2017, the hugely popular system-cleaning utility CCleaner was compromised so that a tool its users trusted became a distribution channel for the attackers’ code. The intrusion into the vendor’s network has been traced back to March 2017; the backdoored build (version 5.33) was distributed between August and September 2017 and reportedly led to approximately 1.6 million infected installations.

The attackers compromised the network of Piriform, CCleaner’s maker, and inserted a backdoor into the application build; the ShadowPad backdoor was later found on Piriform’s build systems. The first stage cast a wide net, but the attackers were specifically targeting a small group of technology companies, and some eleven of those targeted received the second-stage payload through the backdoored CCleaner.

NotPetya June 2017

The NotPetya attack of summer 2017 was a ransomware-style attack that encrypted data and overwrote the MBR (Master Boot Record) of infected computers, leaving them unbootable.

The attack leveraged the EternalBlue and EternalRomance exploits released by the Shadow Brokers a few months earlier, which took advantage of vulnerabilities in the SMBv1 (Server Message Block) protocol on Windows. These were the same vulnerabilities used in the WannaCry outbreak earlier that year; NotPetya also harvested credentials from memory and reused them with legitimate Windows administration tools, so fully patched hosts were infected as well.

Again the attackers leveraged trust in the supply chain: they hijacked the software update mechanism of M.E.Doc, an accounting and tax-reporting package used by the majority of businesses operating in Ukraine, to seed the initial infections. While the target was clearly Ukraine, the attack quickly spread to multinational companies with Ukrainian operations.

Most telling was that the encrypted computers were never designed to be decryptable: the attack was purely destructive rather than financially motivated ransomware. The financial impact is widely estimated at around $10bn.

ASUS Software Update 2019

In 2019, computer manufacturing giant ASUSTek Computer – more commonly known as ASUS – was found to have had its Live Update service compromised during 2018, an incident Kaspersky named ‘Operation ShadowHammer’. The compromise allowed this supposedly legitimate and trusted software to deliver malware to thousands of ASUS customers.

According to one report, it impacted 13,000 computers, 80% of them consumer machines and the rest business systems. The backdoored Live Update installer was only the first stage: the second-stage malware was highly targeted, triggered only on machines whose MAC address appeared on a hard-coded list of around 600.

What was most interesting about this attack was that the malicious version of ASUS Live Update was legitimately signed with an ASUSTek Computer code-signing certificate and served from ASUS’ own update servers. By gaining access to the signing process, the attackers effectively bypassed the trust placed in the certificate infrastructure: a valid signature proves only that the key was used, not that the build is what the vendor intended.

In 2020, responsibility for the ASUS supply chain attack was attributed to APT41.

SolarWinds December 2020

While there seemed to be a lull in supply chain attacks after those mentioned above, the SolarWinds attack put them firmly back on the map in December 2020.

SolarWinds is a widely trusted software vendor with some 300,000 customers, but as the story unfolded it became clear that its Orion platform had been severely compromised. The attackers inserted a backdoor (SUNBURST) into an Orion component during the build process, so the trojanised library carried SolarWinds’ own legitimate code-signing certificate, issued by the Symantec CA, and reached customers through the normal update channel.

After further investigation, SolarWinds reported evidence that the malicious code had been placed into its software and updates between March and June 2020, and that up to 18,000 of its customers may have installed the affected versions.

The SolarWinds attack was highly sophisticated: for example, the backdoor checked its environment for analysis tooling and stayed dormant for up to 14 days before contacting its command-and-control infrastructure. Given the nature of the targets impacted, such as US government institutions, and the attackers’ tradecraft, it was rapidly apparent that the threat actor was an APT; the campaign is now widely attributed to the Russian Foreign Intelligence Service (SVR).

Kaseya July 2021

Fast forward to summer 2021 and the discovery that Kaseya VSA, remote monitoring and management software widely used by Managed Service Providers (MSPs) to support their customers, had also been compromised. The attackers exploited vulnerabilities in internet-facing VSA servers (one known since April 2021, the other since July 2015) and then used the compromised servers to push a fake ‘hot-fix’ to managed endpoints that deployed ransomware, affecting some 1,500 downstream businesses.

What is most interesting about this particular attack is that the motivation seemed to be purely financial: the attackers initially demanded $70M for a universal decryptor for their victims’ data.

The ransomware was REvil’s. It is also worth noting that the delivery vehicle was the externally facing Kaseya VSA servers themselves, exploited through known vulnerabilities, rather than an internal breach of Kaseya’s build or update infrastructure.

Supply Chain Attack Commonalities

Analysis of these examples shows that adversaries are usually doing one of three things: subverting code signing so that malicious builds carry a legitimately issued certificate, hijacking the update distribution mechanism of an ISV’s product, or compromising the original source code or build environment.

Most of the attackers operated at a high level of sophistication, the exception being the recent Kaseya attack, which leveraged an externally facing service with known vulnerabilities.
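As an added illustration of the first two of those commonalities (written for this article, not code from any vendor named above), the following Go program sketches an update client that does not treat one valid signature as proof of a legitimate build. The manifest layout, the product name and the ‘witness’ countersigner are assumptions; in practice the witness role is played by something like a transparency log or a reproducible-build attestation held by a party that does not share the vendor’s signing infrastructure. The scenarios replay the server-side payload swap of the M.E.Doc case, the stolen-vendor-key signing of the ASUS case, and a rollback of an older genuine release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor published beside an installer.
// The layout is an assumption for this example, not any vendor's real format.
type Manifest struct {
	Product string
	Version int    // monotonically increasing release counter
	SHA256  string // hex digest of the installer bytes
}

// bytes is the canonical encoding both signatures cover.
func (m Manifest) bytes() []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", m.Product, m.Version, m.SHA256))
}

// UpdateClient holds the trust anchors an installer pins at build time.
type UpdateClient struct {
	VendorKey   ed25519.PublicKey // the vendor's release-signing key
	WitnessKey  ed25519.PublicKey // independent party countersigning every release digest
	LastVersion int               // highest version already installed (anti-rollback)
}

var (
	ErrVendorSig  = errors.New("vendor signature invalid")
	ErrWitnessSig = errors.New("witness countersignature invalid")
	ErrDigest     = errors.New("payload digest does not match manifest")
	ErrRollback   = errors.New("manifest version is not newer than installed version")
)

// Verify accepts an update only if the vendor signed the manifest, the witness
// countersigned the same manifest, the payload hashes to the pinned digest and
// the version moves forward. A client that stops after the first check is the
// one a stolen vendor key defeats.
func (c *UpdateClient) Verify(m Manifest, vendorSig, witnessSig, payload []byte) error {
	msg := m.bytes()
	if !ed25519.Verify(c.VendorKey, msg, vendorSig) {
		return ErrVendorSig
	}
	if !ed25519.Verify(c.WitnessKey, msg, witnessSig) {
		return ErrWitnessSig
	}
	if subtle.ConstantTimeCompare([]byte(digest(payload)), []byte(m.SHA256)) != 1 {
		return ErrDigest
	}
	if m.Version <= c.LastVersion {
		return ErrRollback
	}
	c.LastVersion = m.Version
	return nil
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func sign(priv ed25519.PrivateKey, m Manifest) []byte { return ed25519.Sign(priv, m.bytes()) }

// ScenarioOrder is the delivery order Scenario replays.
var ScenarioOrder = []string{"swappedPayload", "good", "stolenKey", "rollback"}

// Scenario replays four deliveries against one client and returns each verdict.
// Keys are generated here for the demo; a real client has the public keys pinned.
func Scenario() map[string]error {
	vendorPub, vendorPriv := genKey()
	witnessPub, witnessPriv := genKey()
	client := &UpdateClient{VendorKey: vendorPub, WitnessKey: witnessPub, LastVersion: 41}

	good := []byte("constructed installer bytes, release 42")
	mGood := Manifest{Product: "LiveUpdate", Version: 42, SHA256: digest(good)}
	backdoored := []byte("constructed installer bytes, release 43, plus implant")
	mBad := Manifest{Product: "LiveUpdate", Version: 43, SHA256: digest(backdoored)}
	goodVendorSig, goodWitnessSig := sign(vendorPriv, mGood), sign(witnessPriv, mGood)

	r := map[string]error{}
	// Genuine manifest, but the installer on the update server was replaced (M.E.Doc-style).
	r["swappedPayload"] = client.Verify(mGood, goodVendorSig, goodWitnessSig, backdoored)
	// The real release: vendor-built, witness-countersigned.
	r["good"] = client.Verify(mGood, goodVendorSig, goodWitnessSig, good)
	// Attacker holds the vendor key (ASUS-style) but can only replay an old witness signature.
	r["stolenKey"] = client.Verify(mBad, sign(vendorPriv, mBad), goodWitnessSig, backdoored)
	// The earlier genuine release served again after the client has moved on.
	r["rollback"] = client.Verify(mGood, goodVendorSig, goodWitnessSig, good)
	return r
}

func main() {
	r := Scenario()
	for _, name := range ScenarioOrder {
		fmt.Printf("%-14s -> %v\n", name, r[name])
	}
}
```

The caveat a practitioner should keep in mind: a SolarWinds-style compromise of the build itself produces an artifact the vendor genuinely signs and a witness would genuinely countersign, so every check above passes. Protecting the build and signing pipeline is a separate control from verifying what it emits.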

Preventing and Mitigating Supply Chain Attacks

Attackers always look for the path of least resistance. Today that often means first compromising one of the end target’s upstream suppliers and then abusing the trust relationship that supplier has with the true target.

Naturally, when we think of our technology defences we expect to face outward, looking for attackers from the outside, whereas these supply chain attacks exploit a trusted component already inside our environments: exactly where we are most vulnerable and have the least visibility.

Supply chain attacks must be factored into any organization’s risk management program, so what are the typical compliance, governance and technology processes that could be bolstered to help mitigate them?

  1. Develop and implement a vendor risk management program to evaluate, track, and measure 3rd-party risk.
  2. Enforce, through contractual requirements, vendor cybersecurity assessments, including of the vendor’s own supply chain risk.
  3. Require ISO 27001 certification or CMMI, and/or compliance with cybersecurity frameworks such as NIST or CIS.
  4. Plan a move to a zero trust architecture (ZTA), so that identities and endpoints are no longer trusted by default but continuously validated for each access request.
  5. Deploy a modern, platform-agnostic XDR platform capable of detecting and remediating sophisticated attacks across your endpoints, cloud and network infrastructure.
  6. Enforce multi-factor authentication (MFA) to prevent the most common brute-force and credential-stuffing attacks against authentication.
  7. Increase your network and endpoint visibility retention so that long-running attacks can be identified (the SolarWinds attackers were present for at least five months before launching their outward-facing attack).
  8. Be exceptionally careful about how and where you configure endpoint tool exceptions. Being overly permissive with tools you supposedly trust creates detection gaps: an excluded path or process is exactly where a backdoored update will run.
  9. If you are an ISV, follow Secure Development Lifecycle (SDL) best practices, run vulnerability assessment and patch management programs that address identified issues, and protect the build and signing pipeline with the same rigour as production.
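Item 8 is the one most teams can check today with nothing more than an export of their exclusion list. The following added example (written for this article; the exclusion record shape and the sample list are constructed, not any product’s export format) audits a list for the patterns that most often turn a ‘trusted tool’ exception into a blind spot: whole volumes and top-level directories, user-writable locations, wildcards, executable file types excluded by extension, and process exclusions on interpreters or matched by bare name.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Exclusion is one entry from an endpoint agent's exclusion list. Kind is "path",
// "extension" or "process"; this shape is an assumption for the example, not any
// product's real export format.
type Exclusion struct {
	Kind  string
	Value string
}

// Finding pairs an exclusion with the reason it widens the detection gap.
type Finding struct {
	Exclusion Exclusion
	Reason    string
}

// Locations any local user can write to. Excluding them hands an attacker a
// scanner-free staging area.
var userWritablePrefixes = []string{
	"c:/users/", "c:/programdata/", "c:/windows/temp/", "/tmp/", "/var/tmp/", "/home/",
}

// General-purpose interpreters and living-off-the-land binaries; a process
// exclusion on any of these exempts whatever script an attacker feeds them.
var riskyProcesses = map[string]bool{
	"powershell.exe": true, "pwsh.exe": true, "cmd.exe": true, "wscript.exe": true,
	"cscript.exe": true, "mshta.exe": true, "rundll32.exe": true, "regsvr32.exe": true,
	"msbuild.exe": true, "python.exe": true, "java.exe": true, "bash": true, "sh": true,
}

// File types that carry code; excluding them by extension exempts them everywhere.
var codeExtensions = map[string]bool{
	".exe": true, ".dll": true, ".ps1": true, ".js": true, ".vbs": true,
	".bat": true, ".cmd": true, ".jar": true, ".scr": true, ".sh": true,
}

// norm lower-cases and converts to forward slashes so Windows and POSIX paths
// share one set of checks.
func norm(v string) string {
	return strings.ReplaceAll(strings.ToLower(strings.TrimSpace(v)), `\`, "/")
}

// depth counts components below the volume or root, ignoring a trailing "/" or "*".
func depth(p string) int {
	p = strings.TrimSuffix(strings.TrimSuffix(p, "*"), "/")
	if len(p) >= 2 && p[1] == ':' {
		p = p[2:]
	}
	p = strings.Trim(p, "/")
	if p == "" {
		return 0
	}
	return len(strings.Split(p, "/"))
}

func auditPath(e Exclusion, v string) []Finding {
	if v == "*" || depth(v) == 0 {
		return []Finding{{e, "excludes an entire volume"}}
	}
	var out []Finding
	if depth(v) == 1 {
		out = append(out, Finding{e, "excludes a whole top-level directory"})
	}
	for _, pre := range userWritablePrefixes {
		if strings.HasPrefix(v, pre) {
			out = append(out, Finding{e, "lies in a user-writable location"})
			break
		}
	}
	if strings.Contains(v, "*") {
		out = append(out, Finding{e, "wildcard matches paths nobody reviewed"})
	}
	return out
}

// Audit returns every finding for the list. An empty result means nothing broad
// was spotted, not that the list is safe.
func Audit(list []Exclusion) []Finding {
	var out []Finding
	for _, e := range list {
		v := norm(e.Value)
		switch e.Kind {
		case "path":
			out = append(out, auditPath(e, v)...)
		case "extension":
			if !strings.HasPrefix(v, ".") {
				v = "." + v
			}
			if v == ".*" || codeExtensions[v] {
				out = append(out, Finding{e, "exempts an executable file type on every path"})
			}
		case "process":
			if riskyProcesses[path.Base(v)] {
				out = append(out, Finding{e, "exempts a general-purpose interpreter or LOLBin"})
			}
			if !strings.Contains(v, "/") {
				out = append(out, Finding{e, "matched by name only, so any binary with that name inherits it"})
			}
		}
	}
	return out
}

// SampleExclusions is a constructed list mixing acceptable, narrow entries with the
// kinds of broad exceptions that creep into production over time.
func SampleExclusions() []Exclusion {
	return []Exclusion{
		{"path", `C:\Program Files\VendorX\Agent\`},
		{"path", `C:\Users\*\AppData\Local\Temp\`},
		{"path", `D:\`},
		{"path", `C:\Program Files\`},
		{"path", `/opt/vendorx/agent/`},
		{"extension", `.log`},
		{"extension", `.dll`},
		{"process", `C:\Program Files\VendorX\Agent\agent.exe`},
		{"process", `powershell.exe`},
	}
}

func main() {
	for _, f := range Audit(SampleExclusions()) {
		fmt.Printf("%-9s %-42s %s\n", f.Exclusion.Kind, f.Exclusion.Value, f.Reason)
	}
}
```

The heuristics are deliberately simple and the output is a review queue, not a verdict: a narrow, admin-only vendor directory passes, while a process exclusion such as powershell.exe is flagged twice because it both exempts an interpreter and matches by name alone, so any binary renamed to powershell.exe inherits it.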

Conclusion

The real challenge with these sophisticated supply chain attacks is that they leverage the implicit trust we place in our 3rd parties and also the implicit trust we place in the tools we use to support our businesses.

The real benefit to the attacker is that a successful compromise scales: one upstream foothold can reach every downstream customer, and the intrusion can go completely undetected for weeks or months, depending on the goal of the attack.
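That dormancy is also why retention matters (item 7 in the list above). The following added example, written for this article with constructed telemetry rather than real logs, correlates a process’s first execution after an update with the first time anything in the fleet resolved a given domain. The event format, host names, process name and domains are assumptions. The same seven lines yield a finding with 30 days of retention and nothing with 7, because the install event that makes the 13 quiet days visible has already aged out of the store.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one line of endpoint telemetry: when, which host, "exec" (a binary ran
// on that host for the first time, e.g. straight after an update) or "dns" (the
// process resolved a name), which process, and a detail (version or domain).
type Event struct {
	At     time.Time
	Host   string
	Kind   string
	Proc   string
	Detail string
}

// Finding records a process that sat quiet and then reached a domain the fleet
// had never resolved before.
type Finding struct {
	Host, Proc, Domain string
	DormantDays        int
}

// parse reads "RFC3339-time host kind process detail" lines; malformed lines are skipped.
func parse(lines []string) []Event {
	var out []Event
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) != 5 {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		out = append(out, Event{at, f[1], f[2], f[3], f[4]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].At.Before(out[j].At) })
	return out
}

// DormantBeacons correlates the first fleet-wide resolution of each domain with the
// first execution of the process that resolved it, using only events still inside
// the retention window. The same telemetry yields a hit or nothing depending on
// how many days the store keeps.
func DormantBeacons(lines []string, now time.Time, retentionDays, minDormantDays int) []Finding {
	cutoff := now.AddDate(0, 0, -retentionDays)
	firstExec := map[string]time.Time{} // host|proc -> first execution
	seenDomain := map[string]bool{}      // domains already resolved anywhere in the fleet
	var out []Finding
	for _, e := range parse(lines) {
		if e.At.Before(cutoff) {
			continue // aged out of the data store
		}
		key := e.Host + "|" + e.Proc
		switch e.Kind {
		case "exec":
			if _, ok := firstExec[key]; !ok {
				firstExec[key] = e.At
			}
		case "dns":
			if seenDomain[e.Detail] {
				continue
			}
			seenDomain[e.Detail] = true
			if start, ok := firstExec[key]; ok {
				days := int(e.At.Sub(start).Hours() / 24)
				if days >= minDormantDays {
					out = append(out, Finding{e.Host, e.Proc, e.Detail, days})
				}
			}
		}
	}
	return out
}

// SampleTelemetry is constructed data, not real logs: a monitoring agent updated
// on two hosts, routine traffic to the vendor's update host, and, 13 days later,
// a first resolution of a domain nobody in the fleet had contacted before.
var SampleTelemetry = []string{
	"2021-05-01T09:00:00Z host-a exec monitor-svc.exe 5.1.0",
	"2021-05-01T09:00:05Z host-a dns monitor-svc.exe updates.vendor.example",
	"2021-05-01T09:30:00Z host-b exec monitor-svc.exe 5.1.0",
	"2021-05-01T09:30:05Z host-b dns monitor-svc.exe updates.vendor.example",
	"2021-05-08T11:00:00Z host-b dns browser.exe news.example",
	"2021-05-14T09:00:00Z host-a dns monitor-svc.exe cdn-telemetry.example",
	"2021-05-15T09:00:00Z host-b dns monitor-svc.exe cdn-telemetry.example",
}

var sampleNow = time.Date(2021, 5, 16, 0, 0, 0, 0, time.UTC)

func main() {
	for _, days := range []int{7, 30} {
		hits := DormantBeacons(SampleTelemetry, sampleNow, days, 10)
		fmt.Printf("%2d-day retention: %d finding(s)\n", days, len(hits))
		for _, h := range hits {
			fmt.Printf("   %s %s -> %s after %d quiet days\n", h.Host, h.Proc, h.Domain, h.DormantDays)
		}
	}
}
```

The first-seen-domain baseline is what keeps the routine update traffic quiet: updates.vendor.example is resolved seconds after the binary first runs, so it never meets the dormancy threshold, while the browser’s new domain has no matching execution record and is ignored.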

It is essential that organizations review their cybersecurity requirements, gain visibility into supply chain dependencies, and deploy a modern XDR platform that can identify and contain a breach even if it originates deep within the company’s own supply chain.


Yaydoo secures $20M, aims to simplify B2B collections, payments

It’s no secret that the technology for easy business-to-business payments has not yet caught up to its peer-to-peer counterparts, but Yaydoo thinks it has the answer.

The Mexico City-based B2B software and payments company provides three products, VendorPlace, P-Card and PorCobrar, for managing cash flow, optimizing access to smart liquidity, and connecting small, midsize and large businesses to an ecosystem of digital tools.

Sergio Almaguer, Guillermo Treviño and Roberto Flores founded Yaydoo — the name combines “yay” and “do” to show the happiness of doing something — in 2017. Today, the company announced the close of a $20.4 million Series A round co-led by Base10 Partners and monashees.

Joining them in the round were SoftBank’s Latin America Fund and Leap Global Partners. In total, Yaydoo has raised $21.5 million, Almaguer told TechCrunch.

Prior to starting the company, Almaguer was working at another company in Mexico doing point-of-sale. His large enterprise customers wanted automation for their payments, but he noticed that the same tools were too expensive for small businesses.

The co-founders started Yaydoo to provide procurement, accounts payable and accounts receivables, but in a simpler format so that the collection and payment of B2B transactions was affordable for small businesses.

Image Credits: Yaydoo

The idea is taking off, and vendors are adding their own customers so that they are all part of the network to better link invoices to purchase orders and then connect to accounts payable, Almaguer said. Yaydoo estimates that the automation workflows reduced 80% of time wasted paying vendors, on average.

Yaydoo is joining a sector of fintech that is heating up — the global B2B payments market is valued at $120 trillion annually. Last week, B2B payments platform Nium announced $200 million in Series D funding on a $1 billion valuation. Others attracting funding recently include Paystand, which raised $50 million in Series C funding to make B2B payments cashless, while Dwolla raised $21 million for its API that allows companies to build and facilitate fast payments.

The new funding will enable the company to attract new hires in Mexico and when the company expands into other Latin American countries. Yaydoo is also looking at future opportunities for its working capital business, like understanding how many invoices customers are setting, the access to actual payments, and how money flows out and in so that it can provide insights on working capital funding gaps. The company will also invest in product development.

The company has grown to over 800 customers, up from 200 in the first quarter of 2020. Its headcount also grew to 100 from 30 during the same time. In the last 12 months, over 70,000 companies have transacted on the Yaydoo network, and total payment volume grew to hundreds of millions of dollars.

Yaydoo is a SaaS subscription model, but the new funding will also enable the company to create a pool of potential customers with a “freemium” offering with the goal of converting those customers into the subscription model as they grow, Almaguer said.

Rexhi Dollaku, partner at Base10 Partners, said the firm saw the way B2B payments were becoming modernized and “was impressed” by the Yaydoo team and how it built a complicated infrastructure, but made it easy to use.

He believes Latin America is 10 years behind in terms of B2B payments but will catch up sooner than later because of the digital transformation going on in the region.

“We are starting to see early signs of the network being built out of the payments product, and that is a good indication,” Dollaku said. “With the funding, Yaydoo will be also able to provide more financial services options for businesses to address a working fund gap.”

Cloud infrastructure market kept growing in Q2, reaching $42B

It’s often said in baseball that a prospect has a high ceiling, reflecting the tremendous potential of a young player with plenty of room to get better. The same could be said for the cloud infrastructure market, which just keeps growing, with little sign of slowing down any time soon. The market hit $42 billion in total revenue with all major vendors reporting, up $2 billion from Q1.

Synergy Research reports that the revenue grew at a speedy 39% clip, the fourth consecutive quarter that it has increased. AWS led the way per usual, but Microsoft continued growing at a rapid pace and Google also kept the momentum going.

AWS continues to defy market logic, actually increasing growth by 5% over the previous quarter at 37%, an amazing feat for a company with the market maturity of AWS. That accounted for $14.81 billion in revenue for Amazon’s cloud division, putting it close to a $60 billion run rate, good for a market leading 33% share. While that share has remained fairly steady for a number of years, the revenue continues to grow as the market pie grows ever larger.

Microsoft grew even faster at 51%, and while Microsoft cloud infrastructure data isn’t always easy to nail down, with 20% of market share according to Synergy Research, that puts it at $8.4 billion as it continues to push upward with revenue up from $7.8 billion last quarter.

Google too continued its slow and steady progress under the leadership of Thomas Kurian, leading the growth numbers with a 54% increase in cloud revenue in Q2 on revenue of $4.2 billion, good for 10% market share, the first time Google Cloud has reached double figures in Synergy’s quarterly tracking data. That’s up from $3.5 billion last quarter.

Synergy Research cloud infrastructure market share chart.

Image Credits: Synergy Research

After the Big 3, Alibaba held steady over Q1 at 6% (but will only report this week), with IBM falling a point from Q1 to 4% as Big Blue continues to struggle in pure infrastructure as it makes the transition to more of a hybrid cloud management player.

John Dinsdale, chief analyst at Synergy, says that the Big 3 are spending big to help fuel this growth. “Amazon, Microsoft and Google in aggregate are typically investing over $25 billion in capex per quarter, much of which is going towards building and equipping their fleet of over 340 hyperscale data centers,” he said in a statement.

Meanwhile, Canalys had similar numbers, but saw the overall market slightly higher at $47 billion. Their market share broke down to Amazon with 31%, Microsoft with 22% and Google with 8% of that total number.

Canalys analyst Blake Murray says that part of the reason companies are shifting workloads to the cloud is to help achieve environmental sustainability goals as the cloud vendors are working toward using more renewable energy to run their massive data centers.

“The best practices and technology utilized by these companies will filter to the rest of the industry, while customers will increasingly use cloud services to relieve some of their environmental responsibilities and meet sustainability goals,” Murray said in a statement.

Regardless of whether companies are moving to the cloud to get out of the data center business or because they hope to piggyback on the sustainability efforts of the Big 3, companies are continuing a steady march to the cloud. With some estimates of worldwide cloud usage at around 25%, the potential for continued growth remains strong, especially with many markets still untapped outside the U.S.

That bodes well for the Big 3 and for other smaller operators who can find a way to tap into slices of market share that add up to big revenue. “There remains a wealth of opportunity for smaller, more focused cloud providers, but it can be hard to look away from the eye-popping numbers coming out of the Big 3,” Dinsdale said.

In fact, it’s hard to see the ceiling for these companies any time in the foreseeable future.

Salesforce steps into RPA buying Servicetrace and teaming it with Mulesoft

Over the last couple of years, robotic process automation or RPA has been red hot with tons of investor activity and M&A from companies like SAP, IBM and ServiceNow. UIPath had a major IPO in April and has a market cap over $30 billion. I wondered when Salesforce would get involved and today the company dipped its toe into the RPA pool, announcing its intent to buy German RPA company Servicetrace.

Salesforce intends to make Servicetrace part of Mulesoft, the company it bought in 2018 for $6.5 billion. The companies aren’t divulging the purchase price, suggesting it’s a much smaller deal. When Servicetrace is in the fold, it should fit in well with Mulesoft’s API integration, helping to add an automation layer to Mulesoft’s tool kit.

“With the addition of Servicetrace, MuleSoft will be able to deliver a leading unified integration, API management and RPA platform, which will further enrich the Salesforce Customer 360 — empowering organizations to deliver connected experiences from anywhere. The new RPA capabilities will enhance Salesforce’s Einstein Automate solution, enabling end-to-end workflow automation across any system for service, sales, industries, and more,” Mulesoft CEO Brent Hayward wrote in a blog post announcing the deal.

While Einstein, Salesforce’s artificial intelligence layer, gives companies with more modern tooling the ability to automate certain tasks, RPA is suited to more legacy operations, and this acquisition could be another step in helping Salesforce bridge the gap between older on-prem tools and more modern cloud software.

Brent Leary, founder and principal analyst at CRM Essentials says that it brings another dimension to Salesforce’s digital transformation tools. “It didn’t take Salesforce long to move to the next acquisition after closing their biggest purchase with Slack. But automation of processes and workflows fueled by real-time data coming from a growing variety of sources is becoming a key to finding success with digital transformation. And this adds a critical piece to that puzzle for Salesforce/MuleSoft,” he said.

While it feels like Salesforce is joining the market late, in an investor survey we published in May, Laela Sturdy, general partner at CapitalG, told us that we are just skimming the surface so far when it comes to RPA’s potential.

“We’re a long way from needing to think about the space maturing. In fact, RPA adoption is still in its early infancy when you consider its immense potential. Most companies are only now just beginning to explore the numerous use cases that exist across industries. The more enterprises dip their toes into RPA, the more use cases they envision,” Sturdy responded in the survey.

Servicetrace was founded in 2004, long before the notion of RPA even existed. Neither Crunchbase nor PitchBook shows any money raised, but the website suggests a mature company with a rich product set. Customers include Fujitsu, Siemens, Merck and Deutsche Telekom.

Mixlab raises $20M to provide purrfect pharmacy experience for pet parents

Pet pharmacy Mixlab has developed a digital platform enabling veterinarians to prescribe medications and have them delivered — sometimes on the same day — to pet parents.

The New York-based company raised a $20 million Series A in a round of funding led by Sonoma Brands and including Global Founders Capital, Monogram Capital, Lakehouse Ventures and Brand Foundry. The new investment gives Mixlab total funding of $30 million, said Fred Dijols, co-founder and CEO of Mixlab.

Dijols and Stella Kim, chief experience officer, co-founded Mixlab in 2017 to provide a better pharmacy experience, with the veterinarian at the center.

Dijols’ background is in medical devices as well as healthcare investment banking, where he became interested in the pharmacy industry, following TruePill and PillPack, which he told TechCrunch were “creating a modern pharmacy model.”

As more pharmacy experiences revolved around at-home delivery, he found the veterinary side of pharmacy was not keeping up. He met Kim, a user experience expert, whose family owns a pharmacy, and wanted to bring technology into the industry.

“The pharmacy industry is changing a lot, and technology allows us to personalize the care and experience for the veterinarian, pet parent and the pet,” Kim said. “Customer service is important in healthcare as is dignity and empathy. We kept that in mind when starting Mixlab. Many companies use technology to remove the human element, but we use it to elevate it.”

Mixlab’s technology includes a digital service for veterinarians to streamline their daily medication workflow and gives them back time to spend with patient care. The platform manages the home delivery of medications across branded, generic and over-the-counter medications, as well as reduces a clinic’s on-site pharmacy inventories. Veterinarians can write prescriptions in seconds and track medication progress and therapy compliance.

The company also operates its own compound pharmacy where it specializes in making medications on-demand that are flavored and dosed.

On the pet parent side, they no longer have to wait up to a week for medications nor have to drive over to the clinic to pick them up. Medications come in a personalized care package that includes a note from the pharmacist, clear and easy-to-read instructions and a new toy.

Over the past year, adoptions of pets spiked as more people were at home, also leading to an increase in vet visits. This also caused the global pet care industry to boom, and it is now projected to reach $343 billion by 2030, when it had been valued at $208 billion in 2020.

Pet parents are also spending more on their pets, and a Morgan Stanley report showed that they see pets as part of their family, and as a result, 37% of people said they would take on debt to pay for a pet’s medical expenses, while 29% would put a pet’s needs before their own.

To meet the increased demand in veterinary care, the company will use the new funding to improve its technology and expand into more locations where it can provide same-day delivery. Currently it is shipping to 47 states and Dijols expects to be completely national by the end of the year. He also expects to hire more people on both the sales team and in executive leadership positions.

The company is already operating in New York and Los Angeles and growing 3x year over year, though Dijols admits operating during the pandemic was a bit challenging due to “a massive surge of orders” that came in as veterinarians had to shut down their offices.

As part of the investment, Keith Levy, operating partner at Sonoma Brands and former president of pet food manufacturer Royal Canin USA, will join Mixlab’s board of directors. Sonoma Brands is focused on growth sectors of the consumer economy, and pets was one of the areas that investors were interested in.

Over time, Sonoma found that within the veterinary community, there was space for a lot of players. However, veterinarians want to home in on one company they trust, and Mixlab fit that description for many because they were getting medication out faster, Levy said.

“What Mixlab is doing isn’t completely unique, but they are doing it better,” he added. “When we looked at their customer service metrics, we saw they had a good reputation and were relentlessly focused on providing a better experience.”

The Good, the Bad and the Ugly in Cybersecurity – Week 31

The Good

These last few years have been, at the very least, challenging as well as eye-opening. The rate of high-profile, high-impact ransomware and extortion attacks has been and continues to be on a steep rise. The stakes are higher than ever before, with entire countries’ infrastructure at risk. This week, in the wake of attacks against the likes of Kaseya, SolarWinds, the Colonial Pipeline and more, the Biden administration unveiled the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.

This updated memorandum aims to bring together multiple federal agencies, including CISA and NIST, to develop updated cybersecurity goals and metrics, as well as new guidelines for the support of critical infrastructure. The memorandum also includes the Industrial Control Systems Cybersecurity Initiative, a voluntary collaborative effort between the private and public sectors to improve critical infrastructure security. Building on that initiative, it also aims to greatly accelerate improvements in the visibility and monitoring of these systems. As stated in Section 3:

“We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response…is central to ensuring the safe operations of these critical systems.”

All this comes on the heels of recent remarks from President Joe Biden, essentially stating that an escalation of cyber threats can potentially lead to a ‘real shooting war’.

While that is an extreme we hopefully will never see, proactive measures such as these are a welcome effort. Updating and modernizing security of these critical systems is crucial to the ongoing security of all countries.

The Bad

Iran has been in the cyber wars again, with two stories breaking this week in which the country was on both the giving and receiving end of APT campaigns. According to one research paper, the Iranian nation-state APT group TA456 targeted a U.S. defense contractor over a period of years by masquerading as an attractive female aerobics instructor by the name of “Marcella Flores”.

The ruse was designed to infect the device of an employee at the aerospace defense contractor with malware (dubbed LEMPO by Proofpoint) that could exfiltrate sensitive information over SMTPS. The employee was “groomed” from at least 2019 through email and social media chat before being sent a malicious link in June 2021 to a cloud-hosted document purporting to be a diet survey; the document contained macros that infected the user’s device. The fake persona included a Facebook profile, first created in 2018, that linked ‘Marcy’ with multiple social media ‘friends’ working at defense contractors. While it appears that the plot was unsuccessful, it demonstrates just how much time and resource APTs are prepared to dedicate to high-value targets.

Source: Proofpoint

Meanwhile, SentinelLabs reported this week that Iran was itself on the receiving end of a sophisticated attack that disrupted its national train service earlier this year with a previously unknown wiper malware dubbed ‘MeteorExpress’. The threat actor behind the attack also seems to be a new player, displaying TTPs that do not track to any other known group. A full analysis of the malware is given here, but much remains to be discovered about the motives and identity of the attacker.

The Ugly

This week a joint cybersecurity advisory was released covering the top routinely exploited vulnerabilities. It was issued jointly by the FBI, the UK’s NCSC (National Cyber Security Centre), the ACSC (Australian Cyber Security Centre) and CISA (U.S. Cybersecurity and Infrastructure Security Agency). The report covers 2020 and the first half of 2021 and goes into detail on related indicators of compromise and associated mitigations. The 2021 list should be of little surprise to those of us who made it through the Hafnium (aka ProxyLogon/Exchange) attacks just a few months ago.

Source: CISA

The top targeted applications (so far) for 2020 include:

For 2020, the bulletin provides the top 10 specific CVEs regularly targeted, which are as follows:

Citrix CVE-2019-19781
Pulse CVE-2019-11510
Fortinet CVE-2018-13379
F5 BIG-IP CVE-2020-5902
MobileIron CVE-2020-15505
Microsoft CVE-2017-11882
Atlassian CVE-2019-11580
Drupal CVE-2018-7600
Telerik CVE-2019-18935
Microsoft CVE-2019-0604
Microsoft CVE-2020-0787
Netlogon CVE-2020-1472

Many of these flaws have been actively exploited by numerous threat actors since their public disclosure. CVE-2017-11882, for instance, has been leveraged by the Ramsay Trojan and Agent Tesla, and it is incorporated into numerous exploit kits and Malware-as-a-Service (MaaS) products distributed among threat actors. Pulse is another standout, having been heavily leveraged by REvil across multiple campaigns. Also worthy of special mention is CVE-2019-1150, which allows attackers to read sensitive files or data from a remote host. This includes the ability for remote, unauthenticated attackers to siphon usernames and passwords in cleartext from exposed devices.

Those tasked with enterprise security can learn an important lesson from this list. These CVEs are not all from 2021 or even 2020; some were disclosed as far back as 2017. In other words, despite constant calls to patch and update exposed and vulnerable systems, attackers know this does not always translate into timely action. Targeting old flaws remains a successful attack vector and is less work than discovering and developing new zero-days.

Unfortunately, the list in this new joint alert is only a subset of what is being leveraged by threat actors and it is vital to keep our sense of awareness grounded in the reality of our threat landscape. There is always room for improvement when it comes to patch deployment and threat mitigation.

ConverseNow is targeting restaurant drive-thrus with new $15M round

One year after voice-based AI technology company ConverseNow raised a $3.3 million seed round, the company is back with a cash infusion of $15 million in Series A funding in a round led by Craft Ventures.

The Austin-based company’s AI voice ordering assistants George and Becky work inside quick-serve restaurants to take orders via phone, chat, drive-thru and self-service kiosks, freeing up staff to concentrate on food preparation and customer service.

Joining Craft in the Series A round were LiveOak Venture Partners, Tensility Venture Partners, Knoll Ventures, Bala Investments, 2048 Ventures, Bridge Investments, Moneta Ventures and angel investors Federico Castellucci and Ashish Gupta. This new investment brings ConverseNow’s total funding to $18.3 million, Vinay Shukla, co-founder and CEO of ConverseNow, told TechCrunch.

As part of the investment, Bryan Rosenblatt, partner at Craft Ventures, is joining the company’s board of directors, and said in a written statement that “post-pandemic, quick-service restaurants are primed for digital transformation, and we see a unique opportunity for ConverseNow to become a driving force in the space.”

At the time when ConverseNow raised its seed funding in 2020, it was piloting its technology in just a handful of stores. Today, it is live in over 750 stores and grew seven times in revenue and five times in headcount.

Restaurants were some of the hardest-hit industries during the pandemic, and as they reopen, Shukla said their two main problems will be labor and supply chain, and “that is where our technology intersects.”

The AI assistants are able to step in during peak times when workers are busy to help take orders so that customers are not waiting to place their orders, or calls get dropped or abandoned, something Shukla said happens often.

It can also drive more business. ConverseNow said it is shown to increase average orders by 23% and revenue by 20%, while adding up to 12 hours of extra deployable labor time per store per week.

Company co-founder Rahul Aggarwal said more people prefer to order remotely, which has led to an increase in volume. However, the more workers have to multitask, the less focus they have on any one job.

“If you step into restaurants with ConverseNow, you see them reimagined,” Aggarwal said. “You find workers focusing on the job they like to do, which is preparing food. It is also driving better work balance, while on the customer side, you don’t have to wait in the queue. Operators have more time to churn orders, and service time comes down.”

ConverseNow is one of the startups within the global restaurant management software market that is forecasted to reach $6.94 billion by 2025, according to Grand View Research. Over the past year, startups in the space attracted both investors and acquirers. For example, point-of-sale software company Lightspeed acquired Upserve in December for $430 million. Earlier this year, Sunday raised $24 million for its checkout technology.

The new funding will enable ConverseNow to continue developing its line-busting technology and invest in marketing, sales and product innovation. It will also be working on building a database from every conversation and onboarding new customers quicker, which involves inputting the initial menu.

By leveraging artificial intelligence, the company will be able to course-correct any inconsistencies, like background noise on a call, and better predict what a customer might be saying. It will also correct missing words and translate the order better. In the future, Shukla and Aggarwal also want the platform to be able to tell what is going on around the restaurant — what traffic is like, the weather and any menu promotions to drive upsell.


4 key areas SaaS startups must address to scale infrastructure for the enterprise

Startups and SMBs are usually the first to adopt many SaaS products. But as these customers grow in size and complexity — and as you rope in larger organizations — scaling your infrastructure for the enterprise becomes critical for success.

Below are four tips on how to advance your company’s infrastructure to support and grow with your largest customers.

Address your customers’ security and reliability needs

If you’re building SaaS, odds are you’re holding very important customer data. Regardless of what you build, that makes you a threat vector for attacks on your customers. While security is important for all customers, the stakes certainly get higher the larger they grow.

Given the stakes, it’s paramount to build infrastructure, products and processes that address your customers’ growing security and reliability needs. That includes the ethical and moral obligation you have to make sure your systems and practices meet and exceed any claim you make about security and reliability to your customers.

Here are security and reliability requirements large customers typically ask for:

Formal SLAs around uptime: If you’re building SaaS, customers expect it to be available all the time. Large customers using your software for mission-critical applications will expect to see formal SLAs in contracts committing to 99.9% uptime or higher. As you build infrastructure and product layers, you need to be confident in your uptime and be able to measure uptime on a per customer basis so you know if you’re meeting your contractual obligations.

While it’s hard to prioritize asks from your largest customers, you’ll find that their collective feedback will pull your product roadmap in a specific direction.

Real-time status of your platform: Most larger customers will expect to see your platform’s historical uptime and have real-time visibility into events and incidents as they happen. As you mature and specialize, creating this visibility for customers also drives more collaboration between your customer operations and infrastructure teams. This collaboration is valuable to invest in, as it provides insights into how customers are experiencing a particular degradation in your service and allows for you to communicate back what you found so far and what your ETA is.

Backups: As your customers grow, be prepared for expectations around backups — not just in terms of how long it takes to recover the whole application, but also around backup periodicity, location of your backups and data retention (e.g., are you holding on to the data too long?). If you’re building your backup strategy, thinking about future flexibility around backup management will help you stay ahead of these asks.

The Life Cycle of a Breached Database

Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals. Here’s a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database.

Our continued reliance on passwords for authentication has contributed to one toxic data spill or hack after another. One might even say passwords are the fossil fuels powering most IT modernization: They’re ubiquitous because they are cheap and easy to use, but that means they also come with significant trade-offs — such as polluting the Internet with weaponized data when they’re leaked or stolen en masse.

When a website’s user database gets compromised, that information invariably turns up on hacker forums. There, denizens with computer rigs that are built primarily for mining virtual currencies can set to work using those systems to crack passwords.

How successful this password cracking is depends a great deal on the length of one’s password and the type of password hashing algorithm the victim website uses to obfuscate user passwords. But a decent crypto-mining rig can quickly crack a majority of password hashes generated with MD5 (one of the weaker and more commonly-used password hashing algorithms).

“You hand that over to a person who used to mine Ethereum or Bitcoin, and if they have a large enough dictionary [of pre-computed hashes] then you can essentially break 60-70 percent of the hashed passwords in a day or two,” said Fabian Wosar, chief technology officer at security firm Emsisoft.
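The gap between the unsalted MD5 described above and a salted, memory-hard hash, as an added Python example (not code from the original article or from Emsisoft); the accounts, passwords and the small "pre-computed" wordlist are constructed for the demo:

```python
import hashlib
import os
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample data (not from any real breach): three accounts as a
# site might store them, plus a tiny stand-in for the large wordlists and
# pre-computed hash dictionaries the article describes.
SAMPLE_USERS = {
    "alice@example.invalid": "Password123",
    "bob@example.invalid": "letmein",
    "carol@example.invalid": "x7#Qm!vR2pLz9@Wq",  # long and random
}
COMMON_WORDS = ["123456", "password", "Password123", "letmein", "qwerty"]


def md5_unsalted(password: str) -> str:
    """The weak scheme named in the article: one unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_md5_table(words: Iterable[str]) -> Dict[str, str]:
    """hash -> word. Built once, the same table matches every unsalted MD5
    database ever leaked, because identical passwords hash identically."""
    return {md5_unsalted(w): w for w in words}


def exposure_unsalted(stored: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Breach-impact check for an unsalted database: which accounts' hashes
    are already in the table? One dictionary lookup per account, no hashing."""
    return {user: table[h] for user, h in stored.items() if h in table}


def scrypt_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard hash using the stdlib scrypt. Work factors are kept
    modest so the demo runs quickly; production deployments should go higher."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_scrypt(password: str, encoded: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, _ = encoded.split("$")
    return secrets.compare_digest(scrypt_salted(password, bytes.fromhex(salt_hex)), encoded)


def exposure_salted(stored: Dict[str, str], words: Iterable[str]):
    """Same check against a salted database. Nothing can be pre-computed, so
    every (account, guess) pair costs one full KDF run. Returns the hits and
    the number of KDF runs it took to find them."""
    words = list(words)
    hits, runs = {}, 0
    for user, encoded in stored.items():
        for w in words:
            runs += 1
            if verify_scrypt(w, encoded):
                hits[user] = w
                break
    return hits, runs


def demo():
    """Store the sample accounts both ways and run both checks."""
    md5_db = {u: md5_unsalted(p) for u, p in SAMPLE_USERS.items()}
    scrypt_db = {u: scrypt_salted(p) for u, p in SAMPLE_USERS.items()}
    weak_hits = exposure_unsalted(md5_db, precomputed_md5_table(COMMON_WORDS))
    strong_hits, kdf_runs = exposure_salted(scrypt_db, COMMON_WORDS)
    return weak_hits, strong_hits, kdf_runs
```

The weak passwords fall either way; the difference is that the salted store forces a fresh slow KDF run per account and per guess, while the unsalted store is answered from a table that was built before the breach happened.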

From there, the list of email addresses and corresponding cracked passwords will be run through various automated tools that can check how many email address and password pairs in a given leaked data set also work at other popular websites (and heaven help those who’ve re-used their email password elsewhere).

This sifting of databases for low-hanging fruit and password re-use most often yields less than a one percent success rate — and usually far less than one percent.

But even a hit rate below one percent can be a profitable haul for fraudsters, particularly when they’re password testing databases with millions of users. From there, the credentials are eventually used for fraud and resold in bulk to legally murky online services that index and resell access to breached data.
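What the automated credential testing described above looks like from the defender's side of the login endpoint, as an added Python example that is not part of the original article; the log format and the entries (using RFC 5737 documentation addresses) are constructed:

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample authentication log, not from any real system.
SAMPLE_LOG = """\
2021-07-29T10:00:01Z ip=203.0.113.7 user=a.smith@example.invalid result=FAIL
2021-07-29T10:00:02Z ip=203.0.113.7 user=b.jones@example.invalid result=FAIL
2021-07-29T10:00:02Z ip=203.0.113.7 user=c.brown@example.invalid result=FAIL
2021-07-29T10:00:03Z ip=203.0.113.7 user=d.wong@example.invalid result=FAIL
2021-07-29T10:00:03Z ip=203.0.113.7 user=e.khan@example.invalid result=FAIL
2021-07-29T10:00:04Z ip=203.0.113.7 user=f.diaz@example.invalid result=FAIL
2021-07-29T10:00:04Z ip=203.0.113.7 user=g.lee@example.invalid result=OK
2021-07-29T10:00:05Z ip=203.0.113.7 user=h.ross@example.invalid result=FAIL
2021-07-29T10:01:00Z ip=198.51.100.20 user=b.jones@example.invalid result=FAIL
2021-07-29T10:01:01Z ip=198.51.100.20 user=b.jones@example.invalid result=FAIL
2021-07-29T10:01:02Z ip=198.51.100.20 user=b.jones@example.invalid result=FAIL
2021-07-29T10:01:03Z ip=198.51.100.20 user=b.jones@example.invalid result=FAIL
2021-07-29T10:01:04Z ip=198.51.100.20 user=b.jones@example.invalid result=FAIL
2021-07-29T10:02:00Z ip=192.0.2.5 user=a.smith@example.invalid result=FAIL
2021-07-29T10:02:09Z ip=192.0.2.5 user=a.smith@example.invalid result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text: str) -> List[dict]:
    """Parse lines in the constructed format; lines that do not match are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def summarize_by_ip(events: List[dict]) -> Dict[str, dict]:
    """Per source IP: attempts, distinct accounts tried, failures, successes."""
    stats: Dict[str, dict] = defaultdict(lambda: {"attempts": 0, "users": set(), "fail": 0, "ok": 0})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        s["fail" if e["result"] == "FAIL" else "ok"] += 1
    return dict(stats)


def classify(stats: Dict[str, dict], min_attempts: int = 5) -> Dict[str, str]:
    """Credential stuffing: many *different* accounts, each tried about once,
    mostly failing (the sub-1% hit rate the article describes). Brute force:
    one account hammered repeatedly. Anything below min_attempts is ignored."""
    labels = {}
    for ip, s in stats.items():
        n, distinct = s["attempts"], len(s["users"])
        if n < min_attempts:
            labels[ip] = "benign"
        elif distinct / n >= 0.8 and s["fail"] / n >= 0.5:
            labels[ip] = "credential_stuffing"
        elif distinct == 1 and s["fail"] >= min_attempts:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "benign"
    return labels


def accounts_at_risk(events: List[dict], labels: Dict[str, str]) -> Set[str]:
    """Accounts that logged in successfully from a stuffing source: these are
    the re-used credentials that need a forced reset and session revocation."""
    return {e["user"] for e in events
            if e["result"] == "OK" and labels.get(e["ip"]) == "credential_stuffing"}
```

The thresholds are starting points for a demo, not tuned values; in production the same logic runs over a sliding time window and per-IP rate limits feed the response.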

Much like WeLeakInfo and others operated before being shut down by law enforcement agencies, these services sell access to anyone who wants to search through billions of stolen credentials by email address, username, password, Internet address, and a variety of other typical database fields.

TARGETED PHISHING

So hopefully by this point it should be clear why re-using passwords is generally a bad idea. But the more insidious threat with hacked databases comes not from password re-use but from targeted phishing activity in the early days of a breach, when relatively few ne’er-do-wells have got their hands on a hot new hacked database.

Earlier this month, customers of the soccer jersey retailer classicfootballshirts.co.uk started receiving emails with a “cash back” offer. The messages addressed customers by name and referenced past order numbers and payment amounts tied to each account. The emails encouraged recipients to click a link to accept the cash back offer, and the link went to a look-alike domain that requested bank information.

The targeted phishing message that went out to classicfootballshirts.co.uk customers this month.

“It soon became clear that customer data relating to historic orders had been compromised to conduct this attack,” Classicfootballshirts said in a statement about the incident.

Allison Nixon, chief research officer with New York City-based cyber intelligence firm Unit221B, recalled what happened in the weeks leading up to Dec. 22, 2020, when cryptocurrency wallet company Ledger acknowledged that someone had released the names, mailing addresses and phone numbers for 272,000 customers.

Nixon said she and her colleagues noticed in the preceding months a huge uptick in SIM-swapping attacks, a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.

“A week or two prior to that we were seeing a whole lot of SIM swapping activity,” Nixon said. “We knew the information was coming from some database but we couldn’t figure out what service they all had in common. After the Ledger database got leaked publicly, we started looking at the [SIM swapping] victims and found 100 percent of them were present in the Ledger database.”

In a statement about the breach, Ledger said the data was likely stolen in June 2020, meaning hackers had roughly six months to launch targeted attacks using extremely detailed information about customers.

“If you were to look [on cybercrime forums] at the past history of people posting about that Ledger database, you’d see people were selling it privately for months prior to that,” Nixon said. “It seems like this database was slowly percolating out wider and wider, until someone decided to remove a lot of its value by posting the whole thing publicly.”

Here are some tips to help avoid falling prey to incessant data breaches and increasingly sophisticated phishing schemes:

Avoid clicking on links and attachments in email, even in messages that appear to be sent from someone you have heard from previously. And as the phishing examples above demonstrate, many of today’s phishing scams use elements from hacked databases to make their lures more convincing.

Urgency should be a giant red flag. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly. Take a deep breath. If you’re unsure whether the message is legitimate, visit the site or service in question manually (ideally, using a browser bookmark so as to avoid potential typosquatting sites).

Don’t re-use passwords. If you’re the kind of person who likes to use the same password across multiple sites, then you definitely need to be using a password manager. That’s because password managers handle the tedious task of creating and remembering unique, complex passwords on your behalf; all you need to do is remember a single, strong master password or passphrase. In essence, you effectively get to use the same password across all Web sites. Some of the more popular password managers include Dashlane, Keepass, LastPass and Roboform.

Phone-based phishing uses hacked databases, too: A great many scams are perpetrated over the phone, leveraging personal and financial information gleaned from past data breaches to make them sound more believable. If you think you’d never fall for someone trying to scam you over the phone, check out this story about how a tech-savvy professional got taken for thousands of dollars by a fraudster masquerading as his credit union. Remember, When in Doubt: Hang Up, Look Up, & Call Back.
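The look-alike domain in the classicfootballshirts.co.uk lure and the typosquatting warning in the tips above both come down to a hostname that resembles the brand without being it. As an added Python example (not code from the original article), a heuristic check a mail filter or link-inspection tool could apply; the candidate hosts are constructed and the suffix list is a deliberate simplification of the Public Suffix List:

```python
from typing import Tuple

# The retailer's domain is named in the article; candidate hosts tested
# against it are constructed for this example, not real phishing domains.
BRAND_HOST = "classicfootballshirts.co.uk"

# Assumption: a short suffix list stands in for the Public Suffix List.
KNOWN_SUFFIXES = (".co.uk", ".org.uk", ".com", ".net", ".org", ".uk")

# Characters and digraphs commonly swapped for look-alikes. Heuristic only:
# "rn" -> "m" also rewrites legitimate words such as "modern".
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def registrable_label(host: str) -> Tuple[str, str]:
    """Split 'www.shop-example.co.uk' into ('shop-example', 'co.uk')."""
    host = host.lower().rstrip(".")
    for suffix in sorted(KNOWN_SUFFIXES, key=len, reverse=True):
        if host.endswith(suffix):
            return host[: -len(suffix)].split(".")[-1], suffix.lstrip(".")
    parts = host.split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (host, "")


def normalize_homoglyphs(label: str) -> str:
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, O(len(a) * len(b)) with two rows of memory."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(host: str, brand_host: str = BRAND_HOST) -> Tuple[str, str]:
    """Return (verdict, reason): 'legitimate' for the brand host and its
    subdomains, 'lookalike' for near misses, 'unrelated' otherwise."""
    host = host.lower().rstrip(".")
    brand_label, _ = registrable_label(brand_host)
    if host == brand_host or host.endswith("." + brand_host):
        return "legitimate", "brand domain or a subdomain of it"
    label, suffix = registrable_label(host)
    norm = normalize_homoglyphs(label)
    if norm == brand_label:
        return "lookalike", f"brand label with homoglyphs or a different suffix ({suffix})"
    dist = levenshtein(norm, brand_label)
    if dist <= 2:
        return "lookalike", f"edit distance {dist} from brand label"
    if brand_label in norm.split("-"):
        return "lookalike", "brand label embedded in a hyphenated name"
    if brand_label in host.split("."):
        return "lookalike", "brand label used as a subdomain of another domain"
    return "unrelated", "no resemblance to brand label"
```

A bookmark, as the tips suggest, sidesteps all of this for the user; the check above is for the tooling that sees the link before the user does.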

How To Build A Great Data Team | A Q&A With Denise Schlesinger

Denise Schlesinger is senior director of R&D at SentinelOne. In this interview, Denise gives us an inside look at her work and how big data presents new challenges for enterprises in general and cybersecurity in particular. Denise discusses how she meets and defeats these challenges in her work and shares what it takes to build a great data team that can respond to the problems and opportunities created by collecting data at scale.

Tell Us About Your Journey So Far.

I grew up in Argentina and came to Israel at the age of 18 to study Computer Science. I started working in software companies at the age of 24 as a software engineer, mostly developing web applications. I was promoted to team leader and then R&D director by the age of 30 and was managing teams of software engineers.

Over the years, I worked as an architect and a VP of R&D at several startups in different industries: Agrotech, Adtech and Cybersecurity. My roles involved supporting big infrastructure and re-architecting products to support large-scale building and scaling tech teams. I was part of teams where I oversaw designing the complete architecture, from the ground up, of many cloud-based SaaS products and defining technical strategy and roadmap for Distributed applications, ensuring high availability and scalability.

To keep myself up to date, I read many blogs on subjects such as big data, high scale and productionizing of Machine Learning Models such as engineering blogs from Uber, Netflix, Lyft and Wix.

What Does Your Typical Day Look Like at SentinelOne?

Before SentinelOne, I was VP R&D at Novarize, where we developed AI-based tools to provide insights for marketers. I joined SentinelOne remotely during the pandemic, which was certainly a big challenge. It was incredible to see how generous people are with their time and knowledge. Thanks to their support and understanding, my transition has been a fun and positive experience.

Currently, I am a Senior Director of Engineering at SentinelOne. I lead AI and Big Data teams. My group is in charge of the data pipelines, the services that do pre-processing, aggregation and detection for all the data collected. We ingest hundreds of millions of events per minute, and we run on the cloud. Our production infrastructure is huge.

On my day to day, I am involved in all aspects of architecture, software and product development, delivery schedules for high scale applications. I review my group’s development projects to ensure reliability, effectiveness and ROI.

Give Us a Glimpse Into Your Toolkit.

We run Presto, Spark, Kafka, ElasticSearch and all of our services on top of Kubernetes. We leverage Databricks, AWS Sagemaker and Spark for machine learning. We use AI to solve the hardest problems that are part of dealing with such huge amounts of data. I am hands-on and love trying new technologies and frameworks.

What Does It Take to Build a Great Data Team?

I manage and mentor my teams and the managers I lead. I lead by example, and I love understanding the small details that make up the big picture. I like the challenge of simplifying complex systems. Enabling my teams to grow by granting autonomy, I create a safe environment with permission to fail. I truly care for them; I understand the strengths of each person and do my best to enable him/her to thrive.

I work closely with different business stakeholders in the organization to create awesome products. Building relationships, motivating, coaching and enabling each team member to be at their top game. On top of the really interesting technical challenges that come with working with big data and AI, one great thing about working is the impact you can create. Also big data means big scale and this means big problems, which are usually fun and challenging to solve. We invest a lot in building our Data Infrastructure to provide Scalability, Reliability, and Efficiency. I strongly believe in the saying: “culture eats strategy for breakfast”. This is highly important when creating a data-driven culture to breathe data and require for every decision to be data-driven.

What Do You Look for in Your Team Members When Hiring?

When hiring people I look for critical thinking, accountability, and innovation. I appreciate the ability to look at things from a bird’s eye view and at the same time dive into the details to get the whole picture. I value curiosity and find that great engineers want to work on difficult problems alongside peers. I hire good team players that believe in the mission and who value a culture of collaboration and exploration.


What Are Your Views on the Current AI and Cybersecurity Landscape?

Nowadays, hackers launch hundreds of millions of attacks worldwide. Unknown threats can cause massive damage affecting a company’s business if they go undetected. Human beings cannot possibly identify all the threats.

Organisations face the challenge of analysing and tracking cloud, network and workstation activities. There’s a lot of data that has to be scanned to allow protection from malicious people and software. AI is able to analyse billions of events and identify different types of threats: from malware exploiting zero-day vulnerabilities to identifying risky behavior that might lead to a phishing attack or download of malicious code.

AI allows the automated detection needed to skim through massive amounts of data and traffic; it can be trained to generate alerts for threats, identify new types of malware and protect sensitive data for organisations. Leveraging machine learning and deep learning to learn the network’s behavior over time can help recognize patterns, detect anomalies and respond to them.

We’d like to thank Denise for taking the time to talk with us about her role and the fascinating work of AI and Big Data. If you’re interested in working with Denise or any of our other teams at SentinelOne, check out our open positions here.
