The single vendor requirement ultimately doomed the DoD’s $10B JEDI cloud contract

When the Pentagon killed the JEDI cloud program yesterday, it was the end of a long and bitter road for a project that never seemed to have a chance. The question is why it didn’t work out in the end, and ultimately I think you can blame the DoD’s stubborn adherence to a single vendor requirement, a condition that never made sense to anyone, even the vendor that ostensibly won the deal.

In March 2018, the Pentagon announced a mega $10 billion, decade-long cloud contract to build the next generation of cloud infrastructure for the Department of Defense. It was dubbed JEDI, which aside from the Star Wars reference, was short for Joint Enterprise Defense Infrastructure.

The idea was a 10-year contract with a single vendor that started with an initial two-year option. If all was going well, a five-year option would kick in and finally a three-year option would close things out with earnings of $1 billion a year.

While the total value of the contract had it been completed was quite large, a billion a year for companies the size of Amazon, Oracle or Microsoft is not a ton of money in the scheme of things. It was more about the prestige of winning such a high-profile contract and what it would mean for sales bragging rights. After all, if you passed muster with the DoD, you could probably handle just about anyone’s sensitive data, right?

Regardless, the idea of a single-vendor contract went against conventional wisdom that the cloud gives you the option of working with the best-in-class vendors. Microsoft, the eventual winner of the ill-fated deal acknowledged that the single vendor approach was flawed in an interview in April 2018:

Leigh Madden, who heads up Microsoft’s defense effort, says he believes Microsoft can win such a contract, but it isn’t necessarily the best approach for the DoD. “If the DoD goes with a single award path, we are in it to win, but having said that, it’s counter to what we are seeing across the globe where 80% of customers are adopting a multicloud solution,” Madden told TechCrunch.

Perhaps it was doomed from the start because of that. Yet even before the requirements were fully known there were complaints that it would favor Amazon, the market share leader in the cloud infrastructure market. Oracle was particularly vocal, taking its complaints directly to the former president before the RFP was even published. It would later file a complaint with the Government Accountability Office and file a couple of lawsuits alleging that the entire process was unfair and designed to favor Amazon. It lost every time — and of course, Amazon wasn’t ultimately the winner.

While there was a lot of drama along the way, in April 2019 the Pentagon named two finalists, and it was probably not too surprising that they were the two cloud infrastructure market leaders: Microsoft and Amazon. Game on.

The former president interjected himself directly in the process in August that year, when he ordered the Defense Secretary to review the matter over concerns that the process favored Amazon, a complaint which to that point had been refuted several times over by the DoD, the Government Accountability Office and the courts. To further complicate matters, a book by former defense secretary Jim Mattis claimed the president told him to “screw Amazon out of the $10 billion contract.” His goal appeared to be to get back at Bezos, who also owns the Washington Post newspaper.

In spite of all these claims that the process favored Amazon, when the winner was finally announced in October 2019, late on a Friday afternoon no less, the winner was not in fact Amazon. Instead, Microsoft won the deal, or at least it seemed that way. It wouldn’t be long before Amazon would dispute the decision in court.

By the time AWS re:Invent hit a couple of months after the announcement, former AWS CEO Andy Jassy was already pushing the idea that the president had unduly influenced the process.

“I think that we ended up with a situation where there was political interference. When you have a sitting president, who has shared openly his disdain for a company, and the leader of that company, it makes it really difficult for government agencies, including the DoD, to make objective decisions without fear of reprisal,” Jassy said at that time.

Then came the litigation. In November the company indicated it would be challenging the decision to choose Microsoft, charging that it was driven by politics and not technical merit. In January 2020, Amazon filed a request with the court that the project should stop until the legal challenges were settled. In February, a federal judge agreed with Amazon and stopped the project. It would never restart.

In April the DoD completed its own internal investigation of the contract procurement process and found no wrongdoing. As I wrote at the time:

While controversy has dogged the $10-billion, decade-long JEDI contract since its earliest days, a report by the DoD’s inspector general’s office concluded today that, while there were some funky bits and potential conflicts, overall the contract procurement process was fair and legal and the president did not unduly influence the process in spite of public comments.

Last September the DoD completed a review of the selection process and it once again concluded that Microsoft was the winner, but it didn’t really matter as the litigation was still in motion and the project remained stalled.

The legal wrangling continued into this year, and yesterday the Pentagon finally pulled the plug on the project once and for all, saying it was time to move on as times have changed since 2018 when it announced its vision for JEDI.

The DoD finally came to the conclusion that a single-vendor approach wasn’t the best way to go, and not because it could never get the project off the ground, but because it makes more sense from a technology and business perspective to work with multiple vendors and not get locked into any particular one.

“JEDI was developed at a time when the Department’s needs were different and both the CSPs’ (cloud service providers) technology and our cloud conversancy was less mature. In light of new initiatives like JADC2 (the Pentagon’s initiative to build a network of connected sensors) and AI and Data Acceleration (ADA), the evolution of the cloud ecosystem within DoD, and changes in user requirements to leverage multiple cloud environments to execute mission, our landscape has advanced and a new way ahead is warranted to achieve dominance in both traditional and nontraditional warfighting domains,” said John Sherman, acting DoD chief information officer in a statement.

In other words, the DoD would benefit more from adopting a multicloud, multivendor approach like pretty much the rest of the world. That said, the department also indicated it would limit the vendor selection to Microsoft and Amazon.

“The Department intends to seek proposals from a limited number of sources, namely the Microsoft Corporation (Microsoft) and Amazon Web Services (AWS), as available market research indicates that these two vendors are the only Cloud Service Providers (CSPs) capable of meeting the Department’s requirements,” the department said in a statement.

That’s not going to sit well with Google, Oracle or IBM, but the department further indicated it would continue to monitor the market to see if other CSPs had the chops to handle their requirements in the future.

In the end, the single vendor requirement contributed greatly to an overly competitive and politically charged atmosphere that resulted in the project never coming to fruition. Now the DoD has to play technology catch-up, having lost three years to the histrionics of the entire JEDI procurement process and that could be the most lamentable part of this long, sordid technology tale.

Microsoft Issues Emergency Patch for Windows Flaw

Microsoft on Tuesday issued an emergency software update to quash a security bug that’s been dubbed “PrintNightmare,” a critical vulnerability in all supported versions of Windows that is actively being exploited. The fix comes a week ahead of Microsoft’s normal monthly Patch Tuesday release, and follows the publishing of exploit code showing would-be attackers how to leverage the flaw to break into Windows computers.

At issue is CVE-2021-34527, which involves a flaw in the Windows Print Spooler service that could be exploited by attackers to run code of their choice on a target’s system. Microsoft says it has already detected active exploitation of the vulnerability.

Satnam Narang, staff research engineer at Tenable, said Microsoft’s patch warrants urgent attention because of the vulnerability’s ubiquity across organizations and the prospect that attackers could exploit this flaw in order to take over a Windows domain controller.

“We expect it will only be a matter of time before it is more broadly incorporated into attacker toolkits,” Narang said. “PrintNightmare will remain a valuable exploit for cybercriminals as long as there are unpatched systems out there, and as we know, unpatched vulnerabilities have a long shelf life for attackers.”

In a blog post, Microsoft’s Security Response Center said it was delayed in developing fixes for the vulnerability in Windows Server 2016, Windows 10 version 1607, and Windows Server 2012. The fix also apparently includes a new feature that allows Windows administrators to implement stronger restrictions on the installation of printer software.

“Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators’ security group could install both signed and unsigned printer drivers on a printer server,” reads Microsoft’s support advisory. “After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”

Windows 10 users can check for the patch by opening Windows Update. Chances are, it will show what’s pictured in the screenshot below — that KB5004945 is available for download and install. A reboot will be required after installation.

Friendly reminder: It’s always a good idea to backup your data before applying security updates. Windows 10 has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

Microsoft’s out-of-band update may not completely fix the PrintNightmare vulnerability. Security researcher Benjamin Delpy posted on Twitter that the exploit still works on a fully patched Windows server if the server also has Point & Print enabled — a Windows feature that automatically downloads and installs available printer drivers.

Delpy said it’s common for organizations to enable Point & Print using group policies because it allows users to install printer updates without getting approval first from IT.

This post will be updated if Windows users start reporting any issues in applying the patch.

REvil’s Grand Coup | Abusing Kaseya Managed Services Software for Massive Profits

Executive Summary

  • A suspected zero-day exploit was used to deliver REvil’s Sodinokibi ransomware to thousands of corporate endpoints.
  • Attackers targeted Kaseya VSA servers commonly used by Managed Security Service Providers and IT management firms in order to reach the breadth of their respective customers.
  • The attackers abused a variety of benign components, such as certutil.exe, Microsoft Defender, and stolen digital certificates as part of their execution chain.
  • At this point, this appears to be the largest mass-scale ransomware incident to date. In an unexpected twist, the attackers are offering a universal decryption tool for all victims at a lump sum of $50 million (originally $70 million).
  • In this post, we cover the attack’s execution chain, provide a video showing SentinelOne Singularity’s response against the attack, and provide indicators as well as hunting rules to assist defenders.

What Happened?

On Friday, July 2nd, 2021 a well-orchestrated, mass-scale, ransomware campaign was discovered targeting customers of Kaseya’s managed services software and delivering REvil ransomware. It was initially considered a supply chain attack, a safe assumption at that scale, but with time it became apparent that the attackers were instead leveraging a zero-day exploit against internet-facing Kaseya VSA servers.

Kaseya’s initial advisory underscored the severity of the situation as the company instructed customers to shut down VSA servers until further notice.

Initial statement from Kaseya

Since then, Kaseya has engaged the security community and triaged the root cause of this incident. This post seeks to unravel the infection chain, highlight relevant indicators, and clarify protections for our customers.

Malware execution chain

Kaseya VSA Exploit and Infection Chain

Current findings show logic flaws in one of the VSA components (dl.asp) may have led to an authentication bypass. The attackers could then use KUpload.dll to drop multiple files including ‘agent.crt’, a fake certificate that contains the malware dropper. Another dropped artifact, Screenshot.jpg, appears to be a JavaScript file and has only been partially recovered at this time. Specific details regarding the exact nature of the exploit used are still being discovered as the analysis is ongoing.

The suspected exploit chain ends with a SQL injection in userFilterTableRpt.asp in order to queue up a series of VSA procedures that would execute the malware and purge the logs. This activity was seen originating from a hijacked AWS EC2 instance 18.223.199[.]234. Additional activity was observed originating from 161.35.239[.]148 (DigitalOcean), 162.253.124[.]16 (Sapioterra), and 35.226.94[.]113 (Google Cloud).

REvil malware infection chain

The malicious procedure was labeled ‘Kaseya VSA Agent Hot-fix’. This is a series of commands that check for internet access and use PowerShell to disable a sequence of native Operating System security measures including real-time monitoring, intrusion prevention, network protection, and sample auto-submission. The procedure then invokes the native certutil.exe application commonly used to validate certificates and uses it to decode the contents of ‘agent.crt’ into an executable, agent.exe.

The agent.exe binary was compiled on July 1st, 2021 and acts as a dropper for two embedded executable resources, ‘MODLIS’ and ‘SOFTIS’.

Resources embedded in agent.exe

Resource 101, SOFTIS, is an outdated but legitimate Microsoft Defender executable that is being used to sideload the malicious payload. It’s worth noting that this delivery mechanism of a sideloading dyad (a two-part execution chain) has been used to deliver REvil as early as April 2021.

The payload itself is contained in resource 102, under the resource name ‘MODLIS’.

  • SHA256: e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
  • SHA1: e1d689bf92ff338752b8ae5a2e8d75586ad2b67b
  • MD5: 7ea501911850a077cf0f9fe6a7518859
  • Compilation Timestamp: 2021-07-01 12:39:06
  • Signature Date: 2021-07-02 23:15:00
  • Size: 788.88 KB
  • Digital Signature: PB03 TRANSPORT LTD.

In order for the malicious payload to be sideloaded by Microsoft Defender, the DLL is dropped at %WinDir%\MpSvc.dll and exports the functions ServiceCrtMain, ServiceMain, and SvchostPushServiceGlobals. The file is signed with a stolen digital certificate from a Canadian transport company. It’s one of several stolen certificates recently employed by REvil. The ransomware employs statically-linked OpenSSL to conduct its cryptographic operations. ServiceCrtMain() creates a thread that will deobfuscate the main payload.

While the IOCs directly relevant to the Kaseya incident are a specific subset, we have collected samples for a cluster of similar execution chains including the Microsoft Defender sideloading dyad and still valid stolen digital certificates. We have provided hashes and YARA signatures at the end of this post to help identify additional files signed with these stolen certificates.

During this process, netsh.exe (as we have seen with prior REvil samples) is also called, making the following adjustment to local firewall rules:

netsh.exe netsh advfirewall firewall set rule "group=Network Discovery" new enable=Yes

The following are still valid signers. We have provided YARA signatures at the end of this post to help identify additional files signed with these stolen certificates.

  • BUKTBAI, OOO
    thumbprint = “282ebc0a99a6328343a7d7706465778c3925adb6”
  • PB03 TRANSPORT LTD
    thumbprint = “11ff68da43f0931e22002f1461136c662e623366”
  • OOO Saylent
    thumbprint = “0d61738e6407c01d5c9f477039fb581a5f81f436”

Encryption and Post Encryption Behavior

The Salsa20 encryption algorithm used by this variant of the REvil ransomware is incredibly fast compared to other common encryption algorithms and is an optimal choice for a ransomware operation of this magnitude. Other highly-prolific ransomware families have employed the same algorithm (e.g., DarkSide & later variations of Petya / GoldenEye).

Once the contents of the machine have been successfully encrypted, ransom notes are dropped alongside encrypted files and the machine’s wallpaper is changed to alert users to their predicament.

Ransom note displayed upon infection

The ransom note directs users to an .onion site and an alternative for those that don’t have access to TOR. The site asks for the key appended to the ransom note before providing a ransom amount for that specific endpoint, along with a timer that indicates how long the victim has to pay before the ransom demand increases. The standard demand for a non-corporate domain machine is the equivalent of $44,999 in Monero (XMR) or Bitcoin (BTC). Taking a broader view, the REvil gang has reportedly offered a universal decrypter for the eye-watering lump sum of $70 million (later amended to $50 million).

July 4th Update from the REvil gang

Latest Developments

On Monday, July 5, Kaseya announced they are developing a new patch for on-premise installations in order to assist customers in getting back to service. Kaseya also published a Compromise Detection Tool for customers to check whether their on-premise installation had actually been compromised.

Since this outbreak, attackers have been scanning for internet-exposed on-premise Kaseya servers using publicly available platforms such as Shodan.io. This time window allows attack groups besides REvil to obtain immediate access over the internet to customer-sensitive networks.

This attack proves again the necessity for a modern EDR solution which defends against improper use of built-in operating system executables (LOLBINs), such as detecting certutil.exe writing executables or usage of signed software such as MsMpEng.exe running from unexpected locations and executing unexpected software.
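As an added illustration of the detection points raised above and in the execution chain described earlier (the PowerShell call that disables Defender protections, certutil.exe decoding agent.crt into agent.exe, the Defender engine running from %WinDir% with MpSvc.dll beside it, and the netsh rule change), here is a small Python checker run over constructed process and image-load events. It is example code written for this page, not SentinelOne's or Kaseya's; the event layout, file paths and the list of expected Defender directories are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Directories the genuine Defender engine is expected to run from (assumption for
# this example; adjust to the platform versions deployed in your own fleet).
EXPECTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Set-MpPreference switches that weaken the protections the malicious "hot-fix"
# procedure turned off: real-time monitoring, intrusion prevention, network
# protection and sample auto-submission.
MP_TAMPER_RE = re.compile(
    r"Set-MpPreference\b.*?("
    r"-Disable[A-Za-z]+\s+\$true"
    r"|-EnableNetworkProtection\s+(?:AuditMode|Disabled)"
    r"|-SubmitSamplesConsent\s+NeverSend)",
    re.IGNORECASE,
)
# certutil used to decode a blob into an executable (agent.crt -> agent.exe).
CERTUTIL_DECODE_RE = re.compile(r"-decode(?:hex)?\b.*\.(?:exe|dll)\b", re.IGNORECASE)
# The firewall change the sample makes through netsh.
NETSH_DISCOVERY_RE = re.compile(
    r'advfirewall\s+firewall\s+set\s+rule\s+"?group=Network Discovery"?\s+new\s+enable=yes',
    re.IGNORECASE,
)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _directory(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def check_process(ev: dict) -> list:
    """Return the rule names a process-creation event triggers."""
    hits = []
    name = _name(ev["image"])
    cmd = ev.get("command_line", "")
    if name == "certutil.exe" and CERTUTIL_DECODE_RE.search(cmd):
        hits.append("certutil_decode_to_executable")
    if name in ("powershell.exe", "pwsh.exe") and MP_TAMPER_RE.search(cmd):
        hits.append("defender_tampering_set_mppreference")
    if name == "msmpeng.exe" and not _directory(ev["image"]).startswith(EXPECTED_DEFENDER_DIRS):
        hits.append("msmpeng_unexpected_location")
    if name == "netsh.exe" and NETSH_DISCOVERY_RE.search(cmd):
        hits.append("netsh_enable_network_discovery")
    return hits


def check_image_load(ev: dict) -> list:
    """Flag MsMpEng.exe loading an MpSvc.dll that is not in a Defender directory."""
    if _name(ev["image"]) == "msmpeng.exe" and _name(ev["loaded"]) == "mpsvc.dll":
        if not _directory(ev["loaded"]).startswith(EXPECTED_DEFENDER_DIRS):
            return ["mpsvc_sideload"]
    return []


def analyze(events: list) -> list:
    """Run every rule over the events; returns (event id, rule name) pairs."""
    findings = []
    for ev in events:
        hits = check_process(ev) if ev["type"] == "process" else check_image_load(ev)
        findings.extend((ev["id"], rule) for rule in hits)
    return findings


# Constructed telemetry modelled on the chain described in the post; the paths
# and the Defender platform version are made up for the example.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true '
                     '-DisableIntrusionPreventionSystem $true -EnableNetworkProtection AuditMode '
                     '-SubmitSamplesConsent NeverSend"'},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -decode C:\Users\Public\agent.crt C:\Users\Public\agent.exe"},
    {"id": 3, "type": "process", "image": r"C:\Windows\MsMpEng.exe",
     "command_line": r"C:\Windows\MsMpEng.exe"},
    {"id": 4, "type": "image_load", "image": r"C:\Windows\MsMpEng.exe",
     "loaded": r"C:\Windows\MpSvc.dll"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "command_line": 'netsh.exe netsh advfirewall firewall set rule "group=Network Discovery" new enable=Yes'},
    # Benign controls: the real engine in its platform directory, its own MpSvc.dll,
    # and certutil used for a hash check rather than a decode.
    {"id": 6, "type": "process",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
     "command_line": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe"},
    {"id": 7, "type": "image_load",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
     "loaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MpSvc.dll"},
    {"id": 8, "type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -hashfile C:\tools\setup.exe SHA256"},
]

if __name__ == "__main__":
    for event_id, rule in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Events 1 to 5 each fire exactly one rule and the three benign controls fire none; feeding real Sysmon or EDR process and image-load records into the same rules is a matter of mapping their field names onto `image`, `command_line` and `loaded`.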

This threat is detected and mitigated by SentinelOne:

SentinelOne vs REvil (Sodinokibi)
Preventing the Kaseya Ransomware Attack

Conclusions

While the full impact of this attack is still unfolding, it’s a further escalation in the sophistication of cybercrime, not only on the technical side but also in how the attack was orchestrated. It’s clear that the perpetrators are well aware of the PR implications and will use widespread disruptions to try to maximize the payouts. This is yet another reminder of why security products need to leverage the power of data, specifically rich behavioral data, and AI. Malware and ransomware are increasingly cunning and novel in their techniques to compromise devices. A data-driven and AI-powered approach creates an autonomous posture to cybersecurity. It’s not enough to use signature-based or human-powered legacy solutions to protect your organization’s attack surfaces as every second counts when defending from advanced attacks like this one.

While we continue to uncover the full ramifications of this attack, our advice to defenders is to always act under the assumption that their networks are already host to malicious actors. The exorbitant profits realized by cyber criminals will only add to the sophistication of the attacks we’ll continue to see, the means and motivations are already there. Ransomware is a reality that every organization must face operating in the digital age. Cybersecurity today has become a critical part of corporate operations: the ability for malicious actors to disrupt and profit has reached new levels of relevance as a possible existential threat to businesses.

Indicators of Compromise

Samples

agent.crt encoded dropper
2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643

agent.exe dropper
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Payloads
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

Additional recent REvil activity including dyad droppers and payloads with still valid stolen digital signatures:
MITRE TTPs Used in Kaseya Attack

T1112 – Modify Registry
T1012 – Query Registry
T1082 – System Information Discovery
T1120 – Peripheral Device Discovery
T1491 – Defacement
T1543.003 – Create or Modify System Process: Windows Service
T1036 – Masquerading
T1036.003 – Masquerading: Rename System Utilities
T1202 – Indirect Command Execution
T1486 – Data Encrypted for Impact
T1106 – Native API

YARA Hunting Rules for REvil/Kaseya Artifacts

import "pe"
import "math"

rule cw_REvil_Kaseya_BUKTBAI_stolenCert
{
	meta:
		desc = "Stolen digital certificate: BUKTBAI"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20"
		hash = "d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f"
		hash = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e"
		hash = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7"
	condition:
		uint16(0) == 0x5a4d
		and
		for any signer in pe.signatures:
		(
			signer.subject == "/C=RU/L=Samara/O=BUKTBAI, OOO/CN=BUKTBAI, OOO"
			or
			signer.serial == "42:c1:64:9a:6b:80:64:0f:ad:7a:fb:b8:3e:29:81:52"
			or
			signer.thumbprint == "282ebc0a99a6328343a7d7706465778c3925adb6"
		)
}

rule cw_REvil_Kaseya_PB03TRANSPORT_stolenCert
{
	meta:
		desc = "Stolen digital certificate: PB03 TRANSPORT"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd"
		hash = "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2"
		hash = "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"
	condition:
		uint16(0) == 0x5a4d
		and
		for any signer in pe.signatures:
		(
			signer.subject == "/C=CA/ST=Ontario/L=Brampton/O=PB03 TRANSPORT LTD./CN=PB03 TRANSPORT LTD."
			or
			signer.serial == "11:9a:ce:ad:66:8b:ad:57:a4:8b:4f:42:f2:94:f8:f0"
			or
			signer.thumbprint == "11ff68da43f0931e22002f1461136c662e623366"
		)
}

rule cw_REvil_Kaseya_SAYLENT_stolenCert
{
	meta:
		desc = "Stolen digital certificate: OOO Saylent"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6"
		hash = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f"
	condition:
		uint16(0) == 0x5a4d
		and
		for any signer in pe.signatures:
		(
			signer.subject == "/C=RU/L=Cherepovetz/O=OOO Saylent/CN=OOO Saylent"
			or
			signer.serial == "00:bd:df:46:f3:a2:de:7d:2b:fb:f5:16:9a:e9:76:d9:7e"
			or
			signer.thumbprint == "0d61738e6407c01d5c9f477039fb581a5f81f436"
		)
}

rule cw_REvil_Kaseya_Dropper
{
	meta:
		desc = "Dropper for Microsoft Defender + Sodinokibi DLL Sideload"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e"
		hash = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f"
		hash = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7"
		hash = "81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471"
	strings:
		$drop_ransom = "mpsvc.dll" ascii wide fullword
		$drop_defender = "MsMpEng.exe" ascii wide fullword
		$drop_path = "C:\\Windows" wide fullword
	condition:
		uint16(0) == 0x5a4d
		and
		(
			2 of ($drop*)
			and
			pe.number_of_resources == 2
			and
			for all rsrc in pe.resources:
				(
				math.entropy(rsrc.offset, rsrc.length) >= 6.7
				)
		)
}


Box takes fight with activist investor public in SEC filing

The war between Box’s current leadership and activist shareholder Starboard took a new turn today with a detailed timeline outlining the two groups’ relationship, thanks to an SEC filing and companion press release. Box is pushing back against a slate of board candidates put forth by Starboard, which wants to shake up the company’s leadership and sell it.

The SEC filing details a lengthy series of phone calls, meetings and other communications between the technology company and Starboard, which has held a stake in Box greater than 5% since September of 2019. Since then shares of Box have risen by around $10 per share.

Today’s news is multi-faceted, but we’ve learned more concerning Starboard’s demands that Box sell itself; how strongly the investor wanted co-founder and CEO Aaron Levie to be fired; and that the company’s complaints about a KKR-led investment into Box that it used to repurchase its shares did not match its behavior, in that Starboard asked to participate in the transaction despite its public statements.

Activist investors, a bit like short-sellers, are either groups that you generally like or do not. In this case, however, we can learn quite a lot from the Box filing. Including the sheer amount of time and communication that it takes to manage such an investor from the perspective of one of its public-market investments.

What follows are key excerpts from Box’s SEC filing on the matter, starting with its early stake and early agreement with Starboard:

  • On September 3, 2019, representatives of Starboard contacted Mr. Levie to inform Mr. Levie that Starboard would be filing a Schedule 13D with the SEC reporting a 7.5% ownership stake in the company.
  • On March 9, 2020, Mr. O’Driscoll and Ms. Barsamian had a call with representatives of Starboard to discuss entering into a settlement agreement with Starboard.
  • On March 22, 2020, the company and Starboard entered into an agreement[.]
    Also on March 23, 2020, Starboard reported beneficial ownership of 7.7% of the outstanding Class A common stock.

Then Box reported earnings, which Starboard appeared to praise:

  • On May 27, 2020, the company reported its fiscal first quarter results, noting a 13% increase in year-over-year revenue, a 900 basis point increase in year-over-year GAAP operating margin and a $36.4 million increase in year-over-year cash flow from operations. Peter Feld, a representative of Starboard, and Mr. Levie had an email conversation related to the company’s first quarter results in which Mr. Feld stated “you guys are on a good path…congrats to the team and keep it up.”
  • Also on May 29, 2020, Starboard reported that it had decreased its beneficial ownership to 6.0% of the outstanding Class A common stock.

The same pattern repeated during Box’s next earnings report:

  • On August 27, 2020, Mr. Levie, Mr. Smith and company IR discussed the company’s earnings release with Starboard. Starboard indicated it was pleased with the rate of margin expansion and where the company was heading. In an email exchange between Mr. Feld and Mr. Levie related to the company’s results, Mr. Feld stated that he was “thrilled to see the company breaking out and performing better both on the top and bottom line. Appreciate you guys working with us and accepting the counsel. Not everyone behaves that way and it is greatly appreciated. Shows your comfort as a leader and a willingness to adapt. Very impressive.”

Then Box reported its next quarter’s results, which was followed by a change in message from Starboard (emphasis TechCrunch):

  • On December 1, 2020, the company announced its fiscal third quarter results, noting an 11% increase in year-over-year revenue, an improvement of 2100 basis points in year-over-year GAAP operating margin and a $36 million increase in year-over-year cash flow from operations. The company also provided guidance regarding its fiscal fourth quarter results, noting that its revised revenue guidance was due to “lower professional services bookings than we noted previously, which creates a roughly $2 million headwind” and that the company was being “prudent in our growth expectations given the macroeconomic challenges that our customers are facing.” The revised guidance for revenue was 1.1% below analysts’ consensus estimates of $198.8 million.
  • On December 2, 2020, Box’s common stock declined approximately 9% from its prior close of $18.54 to $16.91. On December 2, 2020 and December 4, 2020, Mr. Levie, Mr. Smith and Box IR discussed the company’s earnings release with representatives of Starboard. Despite the prior support Mr. Feld communicated to the company, Starboard reversed course and demanded that the company explore a sale of the entire company or fire the company’s CEO, or otherwise face a proxy contest from Starboard. Mr. Feld further stated that the company should not turn down an offer from a third party to buy the entire company “in the low twenties” and that Starboard would be a seller at such a price.

Recall that Box shares are now in the mid-$26s. At the time, however, Box shares lost value (emphasis: TechCrunch):

  • On December 16, 2020, two weeks after earnings, the company’s stock price closed at $18.85, which was above where it was trading immediately prior to the announcement of the company’s fiscal third quarter results on December 1, 2020.
  • On January 11, 2021, Starboard disclosed that it had increased its beneficial ownership to 7.9% of the outstanding Class A common stock.
  • On January 15, 2021, Mr. Lazar and Ms. Barsamian had a call with representatives from Starboard. Mr. Feld expressed his view that, while the company’s Convertible Senior Notes were executed on favorable terms, he was not supportive of the transaction. He reiterated his demand that the company sell itself and indicated that if the company did not do so then it must replace its CEO or otherwise face a proxy contest from Starboard to replace the CEO.

Over the next few months, Box bought SignRequest, reported earnings, and engaged external parties to try to help it bolster shareholder value. Then the KKR deal came onto the table:

  • On March 31, 2021, the Strategy Committee met to discuss the status of the strategic review. At such time, the Strategy Committee was in receipt of a proposal from KKR pursuant to which KKR and certain partners would make an investment in the form of convertible preferred stock at an initial yield of 3%, which had been negotiated down from KKR’s proposal of 7% yield in its preliminary indication of interest in early March.

The deal was unanimously approved by Box’s board, and announced on April 8th, 2021. Starboard was not stoked about the transaction, however:

  • Later on April 8, 2021, Ms. Mayer and Mr. Lazar had a call with representatives of Starboard. Mr. Feld expressed Starboard’s strong displeasure with the results of the strategic review. During the conversation, Mr. Feld indicated that he would stop the fight immediately if Mr. Levie were replaced.
  • On April 14, 2021, Ms. Mayer, Mr. Lazar and Ms. Barsamian had a call with Mr. Feld. Despite his prior statements, Mr. Feld now indicated that Starboard was not willing to sell its shares of Class A common stock at $21 or $22 per share. Mr. Feld requested that the company release KKR from its obligation to vote in favor of the company as a gesture of good faith. Mr. Feld reiterated Starboard’s desire to replace Mr. Levie as CEO and indicated that he would like to join the Board of Directors if the company did so. Ms. Mayer offered Mr. Feld the opportunity to execute a non-disclosure agreement to receive more information about the strategic review process, which Mr. Feld immediately declined.

Box was like, all right, but Feld doesn’t get to be on the board:

  • On April 20, 2021, Ms. Mayer and Mr. Lazar had a call with representatives of Starboard. Mr. Feld stated that Starboard would not move forward with its planned director nominations if Starboard were offered the opportunity to participate in the KKR-Led Transaction and Mr. Feld were appointed to the Board of Directors. Mr. Feld reiterated that he was not willing to sign a non-disclosure agreement.
  • On April 27, 2021, Mr. Park had a discussion with Mr. Feld. During this conversation, Mr. Feld reiterated his desire for Starboard to participate as an investor in the KKR-Led Transaction.
  • On April 28, 2021, Ms. Mayer and Mr. Lazar informed Mr. Feld that the Board of Directors was amenable to allowing Starboard to participate in the KKR-Led Transaction but would not appoint Mr. Feld as a director. Mr. Feld indicated that there is no path to a settlement that doesn’t include appointing him to the Board of Directors.

And then Starboard initiated a proxy war.

What to make of all of this? That trying to shake up a company from the position of a minority stake is not impossible, with Starboard able to exercise influence on Box despite holding a sub-10% ownership position. And that Box was not willing to put a person on the board who wanted to fire its CEO.

What’s slightly silly about all of this is that the fight is coming at a time when Box is doing better than it has in some time. Its profitability has improved greatly, and in its most recent quarter the company topped expectations and raised its forward financial guidance.

There were times in Box’s history when it may have deserved a whacking for poor performance, but now? It’s slightly weird. Also recall that Starboard has already made quite a lot of money on its Box stake, with the company’s value appreciating sharply since the investor bought in.

Most media coverage surrounds Starboard’s public criticism of the KKR deal and its private demand to be let into that same deal. That dynamic is easily explained: Starboard thought that the deal wouldn’t make it money, but later decided that it could. So it changed its tune; if you are expecting an investor to do anything but try to maximize returns, you are setting yourself up for disappointment.

A person close to the company told TechCrunch that the current situation should be a win-win for everyone involved, but Starboard is not seeing it that way. “If you’re a near term shareholder, [like Starboard] then the path Box has taken has already been better. And if you’re a long term shareholder, Box sees significantly more upside. […] So overwhelmingly, the company believes this is the best path for shareholders and it’s already been proven out to be that,” the person said.

Alan Pelz-Sharpe, founder and principal analyst at Deep Analysis, who has been watching the content management space for many years, says the battle isn’t much of a surprise given that the two have been at odds pretty much from the start of the relationship.

“Like any activist investor Starboard is interested in a quick increase in shareholder values and a flip. Box is in it for the long run. Further, it seems that Starboard may have mistimed or miscalculated their moves, Box clearly was not as weak as they appeared to believe and Box has been doing well over the past year. Bringing in KKR was the start of a big fight back, and the proposed changes couldn’t make it any clearer that they are fed up with Starboard and ready to fight back hard,” Pelz-Sharpe said.

He added that publicly revealing details of the two companies’ interactions is a bit unusual, but he thinks it was appropriate here.

“Actually naming and shaming, detailing Starboard’s moves and seemingly contradictory statements, is unusual but it may be effective. Starboard won’t back down without a fight, but from an investor relations/PR perspective this looks bad for them and it may well be time to walk away. That being said, I wouldn’t bet on Starboard walking away, as Silicon Valley has a habit of moving forward when they should be walking back from increasingly damaging situations.”

What comes next is a vote on Box’s board makeup, which should happen later this summer. Let’s see who wins.

It’s worth noting that we attempted to contact Starboard Value, but as of publication they had not gotten back to us. Box indicated that the press release and SEC filing speak for themselves.

Nobody wins as DoD finally pulls the plug on controversial $10B JEDI contract

After several years of fighting and jockeying for position by the biggest cloud infrastructure companies in the world, the Pentagon finally pulled the plug on the controversial winner-take-all, $10 billion JEDI contract today. In the end, nobody won.

“With the shifting technology environment, it has become clear that the JEDI cloud contract, which has long been delayed, no longer meets the requirements to fill the DoD’s capability gaps,” a Pentagon spokesperson stated.

The contract procurement process began in 2018 with a request for proposals for a $10 billion, decade-long contract to handle the cloud infrastructure strategy for the Pentagon. Pentagon spokesperson Heather Babb told TechCrunch at the time why the department was going with the single-winner approach: “Single award is advantageous because, among other things, it improves security, improves data accessibility and simplifies the Department’s ability to adopt and use cloud services,” she said.

From the start, though, companies objected to the single-winner approach, believing that the Pentagon would be better served by a multi-vendor approach. Some companies, particularly Oracle, believed the procurement process was designed to favor Amazon.

It eventually came down to a pair of finalists, Amazon and Microsoft, and Microsoft won. But Amazon believed that it had superior technology and only lost the deal because of direct interference by the previous president, who had open disdain for then-CEO Jeff Bezos (who also owns the Washington Post newspaper).

Amazon decided to fight the decision in court, and after months of delay, the Pentagon made the decision that it was time to move on. In a blog post, Microsoft took a swipe at Amazon for precipitating the delay.

“The 20 months since DoD selected Microsoft as its JEDI partner highlights issues that warrant the attention of policymakers: When one company can delay, for years, critical technology upgrades for those who defend our nation, the protest process needs reform. Amazon filed its protest in November 2019 and its case was expected to take at least another year to litigate and yield a decision, with potential appeals afterward,” Microsoft wrote in its blog post about the end of the deal.

But in a statement of its own, Amazon reiterated its belief that the process was not fairly executed. “We understand and agree with the DoD’s decision. Unfortunately, the contract award was not based on the merits of the proposals and instead was the result of outside influence that has no place in government procurement. Our commitment to supporting our nation’s military and ensuring that our warfighters and defense partners have access to the best technology at the best price is stronger than ever. We look forward to continuing to support the DoD’s modernization efforts and building solutions that help accomplish their critical missions,” a company spokesperson said.

It seems like a fitting end to a project that I felt was doomed from the beginning. From the moment the Pentagon announced this contract with the cutesy twist on the Star Wars name, the procurement process has taken more twists and turns than a TV soap.

In the beginning, there was a lot of sound and fury and it led to a lot of nothing. We move onto whatever cloud procurement process happens next.

Sarah Guo, Kobie Fuller & Casey Aylward headline investor panel at TC Sessions: SaaS

While SaaS has become the default way to deliver software in 2021, it still takes a keen eye to find the companies that will grow into successful businesses, maybe even more so with so much competition. That’s why we’re bringing together three investors to discuss what they look for when they invest in SaaS startups.

For starters, we’ll have Sarah Guo, who has been a partner at Greylock since 2013 where she concentrates on AI, cybersecurity, infrastructure and the future of work — all in a SaaS context of course. Among her investments are Obsidian, Clubhouse and Awake. Her exits include Demisto, which Palo Alto acquired for $560 million in 2019 and Skyhigh Networks, which McAfee bought for $400 million in 2018.

Prior to joining Greylock, she worked for Goldman Sachs investing in growth-stage companies and advising SaaS companies like Dropbox and Workday.

Next we’ll have Kobie Fuller, a partner at Upfront Ventures, who looks at SaaS as well as AR and VR. Fuller has been at Upfront since 2016, when he joined after a three-year stint at Accel. He oversaw a pair of billion-dollar exits while at Accel, including ExactTarget to Salesforce for $2.5 billion and Oculus to Facebook for $2 billion. Upfront investments include Bevy, a maker of community-building software, which recently got a $40 million investment with 20% of that coming from 25 Black investors.

Finally, we’ll have Casey Aylward, a principal at Costanoa Ventures where she concentrates on early-stage enterprise startups. Among her investments have been Aserto, Bigeye and Cyral. She tends to concentrate on developer tools. “My entire career so far has been focused on developers: whether it was building tools for developers, building software myself or now investing in enabling technologies for the next generation of technical users,” she wrote on her bio page.

This prestigious group will share their thoughts at TC Sessions: SaaS, a one-day virtual event that will examine the state of SaaS to help startup founders, developers and investors understand the state of play and what’s next. We hope you’ll join us.

The single-day event will take place 100% virtually on October 27 and will feature actionable advice, Q&A with some of SaaS’s biggest names and plenty of networking opportunities. Importantly, $75 Early Bird passes are now on sale. Book your passes today to save $100 before prices go up.


Pleo raises $150M at a $1.7B valuation for its new approach to managing expenses for SMBs

Whether you are part of the accounting department, or just any employee at an organization, managing expenses can be a time-consuming and error-filled, yet also quite mundane, part of your job. Today, a startup called Pleo — which has built a platform that can help some of that work more smoothly, by way of a vertically integrated system that includes payment cards, expense management software, and integrated reimbursement and pay-out services — is announcing a big round of growth funding to expand its business after seeing strong traction.

The Copenhagen-based startup has raised $150 million — money that it will be using to continue building out more features for its users, and for business development. The round, which sets a record for being the largest Series C for a Danish startup, values Pleo at $1.7 billion, the startup has confirmed.

There are around 17,000 small and medium businesses now using Pleo, with companies at the medium end of that numbering around 1,000 employees. Now that Pleo is moving into slightly larger customers (up to 5,000 employees, CEO Jeppe Rindom said), the startup has set an ambitious target of reaching 1 million users by 2025, a very lucrative goal, considering that expense management is estimated to be an $80 billion market in Europe (with the global opportunity, of course, even bigger).

It will also be using the funds simply to expand its business. Pleo has around 330 employees today spread across London, Stockholm, Berlin and Madrid, as well as in Copenhagen, and it will be using some of the investment to grow that team and its reach.

Bain Capital Ventures and Thrive Capital co-led this round, a Series C. Previous backers, including Creandum, Kinnevik, Founders, Stripes and Seedcamp, also participated. Stripes led the startup’s Series B in 2019. It looks like this round was oversubscribed: the original intention had been to raise just $100 million.

Like other business processes, managing expenses and handling company spending has come a long way in recent years.

Gone are the days where expenses inevitably involved collecting paper receipts and inputting them manually into a system in order to be reimbursed; now, expense management software links up with company-issued cards and taps into a range of automation tools to cut out some of the steps in the process, integrating with a company’s internal accounting policies to shuffle the process along a little less painfully. And there are a number of companies in this space, from older players like SAP’s Concur through to startups on the cusp of going public like Expensify as well as younger entrants bringing new technology into the process.

But, there is still lots more room for improvement. Rindom, Pleo’s CEO who co-founded the company with CTO Niccolo Perra, said the pair came up with the idea for Pleo on the back of years of working in fintech — both were early employees at the B2B supply chain startup Tradeshift — and seeing first-hand how short-changed, so to speak, small and medium businesses in particular were when it came to tools to handle their expenses.

Pleo’s approach has been to build, from the ground up, a system for those smaller businesses that integrates all the different stages of how an employee might spend money on behalf of the company.

Pleo starts with physical and virtual payment cards (which can be used in, for example, Apple Wallet) that are issued by Pleo (in partnership with MasterCard) to buy goods and services, which in turn are automatically itemized according to a company’s internal accounting systems, with the ability to work with e-receipts, but also let people use their phones to snap pictures of receipts when they are only on paper, if required. This is pretty much table stakes for expense software these days, but Pleo’s platform is going a couple of steps beyond that.

Users (or employers) can integrate a user’s own banking details to make it easier to get reimbursed when they have had to pay for something out of their own pocket, or conversely to pay back something that shouldn’t have been charged on the card. And if there are invoices to be paid at a later date than the time of purchase, these too can be actioned and set up within Pleo rather than having to liaise separately with an accounts payable department to get them settled. Higher-priced tiers (beyond the basic service for up to five users) also let a company set spending limits for individual users. Pricing is based on the number of users, per month.

Pleo also has built fraud protection services into the platform to detect, for example, cases when a card number might have been compromised and is being used for non-work purposes.

What’s notable is that the startup has built all of the tech that it uses, including the payments feature, from the ground up, to have full control over the features and specifically to be able to add more of them more flexibly over time.

“In the beginning we ran with a partner in services like payments, but it didn’t allow us to move fast enough,” Rindom said in an interview. “So we decided to take all of that in-house.”

It seems like this opens the door to a lot of possibilities for how Pleo might evolve in the years ahead now that it’s focused on hyper-growth. However, Rindom added that whatever the next steps might be, they will remain focused on continuing to solve the expenses problem.

“When it comes to our infrastructure we use it only for ourselves,” he said. “We have no plans of selling [for example, payments] as a service, even if we do have a lot of other ideas for broadening our offerings.” Indeed, the ability to pay invoices was launched only in April of this year. “We come up with things all the time, but will launch only those relevant to customers.” For now, at least.

That focus and perhaps even more than that the execution and customer traction are what have brought investors around to backing a fintech out of Copenhagen.

“The future of work empowers employees with the tools they need to be effective, productive, and successful,” said Keri Gohman, a partner at Bain Capital Ventures, in a statement. “Pleo understands this critical shift for modern companies toward employee centricity—providing workers with a fun-to-use spend management app that automatically tracks their corporate spending and generates expense reports, paired with the powerful tools businesses need to create full visibility and management of every penny spent.”

Bain has been a pretty active investor in European fintech, also backing GoCardless in its recent round. “BCV invests in founders who aren’t afraid to tackle big problems, and Jeppe and Nicco saw a big challenge that employers faced—tracking all corporate spending and reconciling expenses back to the general ledger—and solved it with elegant technology that both employers and employees love,” added Merritt Hummer, a partner at Bain Capital Ventures.

Thrive is also a notable backer here, and it will be interesting to see how and if Pleo links up with others in the VC’s portfolio, which include companies like Plaid, Gong and Trade Republic.

“Pleo has already transformed the way that over 17,000 companies think about managing their expenses, saving them time and lowering costs while increasing transparency,” noted Kareem Zaki, a general partner at Thrive Capital, in a statement. “We are excited to partner closely with the Pleo team to help drive their next phase of growth.”

The Good, the Bad and the Ugly in Cybersecurity – Week 27

The Good

Remember Gozi? Well, you’d be forgiven if you’d forgotten, but this particular piece of banking malware was rife around the turn of the decade, causing trouble in at least eight countries, including the US, the UK and several European nations. While the world of cyber security may have moved on, law enforcement didn’t forget. Back in 2016, the cops caught up with two of the malware-as-a-service (MaaS) authors, and this week they nabbed a third.

On Tuesday, it was reported that Mihai Ionut Paunescu was arrested in Bogota, Colombia on charges relating to designing hosting systems that were used to share Gozi files with affiliates without being detected. Paunescu and pals allegedly charged criminals $500/week for use of their malware, which was used to steal bank account passwords and subsequently millions of dollars from victims. It’s not the first time Paunescu has been caught. In 2012, the Romanian national was arrested in his own country but escaped extradition. He’s unlikely to be so lucky this time around.

Meanwhile, more bad news for crims this week as Europol cyber cops took down DoubleVPN. The so-called ‘super secure’ service was a favorite on Russian and English-speaking cybercrime forums, where it was heavily recommended for those seeking to hide their identity and location while undertaking ransomware, phishing and other malicious activities.

Before it was taken down, the DoubleVPN website claimed that it kept no customer logs. However, according to the notice posted by authorities on the now seized site, the cops grabbed personal information and logs relating to all DoubleVPN customers. “DoubleVPN’s owners failed to provide the services they promised”, the notice ominously stated.

The Bad

APT28, aka the 85th GTsSS of the GRU, is rarely out of the news for long, and it’s an adversary we’re well used to dealing with. This week, the NSA, CISA and FBI, together with the UK’s NCSC, revealed that the Russian military intelligence unit has been making a beeline for enterprise cloud environments since at least mid-2019.

According to the advisory, the threat actor used a Kubernetes cluster as a springboard for attacking hundreds of private and public sector targets worldwide. Much of the activity took the form of anonymized brute force and password spraying attacks against organizations using Microsoft Office 365 cloud services, combined with exploitation of known Microsoft Exchange Server vulnerabilities such as CVE-2020-0688 and CVE-2020-17144 to gain further access once credentials had been obtained.

The attacks originating from the Kubernetes cluster were primarily routed through Tor and commercial VPN services, although the advisory notes that some were delivered directly from nodes in the cluster. Targets included government and military organizations, political organizations, energy companies and logistics companies, as well as law firms, media and higher education institutions.

Authorities warn that the campaign is almost certainly ongoing. Organizations are urged to adopt and expand the use of MFA, ensure that access controls have time-out and lock-out features, use strong passwords and adopt a Zero Trust security model. More information on specific TTPs and IoCs is available here.
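Detection for the spraying pattern the advisory describes, as an added example written for this page (not code from the advisory or from SentinelOne): it reads a sign-in export, groups failed logins by source address and separates password spraying (one source, many accounts, one or two tries each) from brute force (one source, few accounts, many tries), then counts successful sign-ins from the same source, which is the case that needs an immediate response because the attacker has found a working password. The CSV below is constructed and simplified, and its column names are assumptions; real Azure AD sign-in exports carry more fields and numeric error codes, so map them before running this against your own data.

```powershell
# Added example, written for this page rather than taken from the joint advisory.
# The CSV layout is CONSTRUCTED and simplified; the column names Timestamp, UserPrincipalName,
# IPAddress and Status are assumptions to be mapped onto your own sign-in export.
# Source addresses are documentation ranges (TEST-NET), not real attacker infrastructure.

$SampleSignIns = @'
Timestamp,UserPrincipalName,IPAddress,Status
2021-06-30T08:00:01Z,alice@example.org,203.0.113.77,Failure
2021-06-30T08:00:04Z,bob@example.org,203.0.113.77,Failure
2021-06-30T08:00:07Z,carol@example.org,203.0.113.77,Failure
2021-06-30T08:00:10Z,dave@example.org,203.0.113.77,Failure
2021-06-30T08:00:13Z,erin@example.org,203.0.113.77,Failure
2021-06-30T08:00:16Z,frank@example.org,203.0.113.77,Success
2021-06-30T09:10:00Z,alice@example.org,198.51.100.9,Failure
2021-06-30T09:10:02Z,alice@example.org,198.51.100.9,Failure
2021-06-30T09:10:04Z,alice@example.org,198.51.100.9,Failure
2021-06-30T09:10:06Z,alice@example.org,198.51.100.9,Failure
2021-06-30T09:10:08Z,alice@example.org,198.51.100.9,Failure
2021-06-30T09:10:10Z,alice@example.org,198.51.100.9,Failure
2021-06-30T09:10:12Z,alice@example.org,198.51.100.9,Failure
2021-06-30T09:10:14Z,alice@example.org,198.51.100.9,Failure
2021-06-30T10:00:00Z,grace@example.org,192.0.2.5,Failure
2021-06-30T10:00:20Z,grace@example.org,192.0.2.5,Success
'@

function Find-PasswordSpray {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Csv,
        [int]    $MinDistinctUsers   = 5,   # spray: one source touches many accounts...
        [double] $MaxAttemptsPerUser = 2,   # ...with only a few tries against each
        [int]    $MinBruteAttempts   = 6,   # brute force: many tries against few accounts
        [int]    $WindowMinutes      = 60   # count failures inside one window per source
    )

    $all = @($Csv | ConvertFrom-Csv)
    $failures = $all |
        Where-Object { $_.Status -eq 'Failure' } |
        Select-Object *, @{ n = 'Time'; e = { [datetimeoffset]::Parse($_.Timestamp) } }

    foreach ($src in ($failures | Group-Object -Property IPAddress)) {
        $events   = @($src.Group | Sort-Object Time)
        $first    = $events[0].Time
        $inWindow = @($events | Where-Object { ($_.Time - $first).TotalMinutes -le $WindowMinutes })
        $users    = @($inWindow | Select-Object -ExpandProperty UserPrincipalName -Unique)
        $attemptsPerUser = $inWindow.Count / $users.Count

        $pattern = $null
        if ($users.Count -ge $MinDistinctUsers -and $attemptsPerUser -le $MaxAttemptsPerUser) {
            $pattern = 'PasswordSpray'
        } elseif ($inWindow.Count -ge $MinBruteAttempts -and $users.Count -lt $MinDistinctUsers) {
            $pattern = 'BruteForce'
        }
        if (-not $pattern) { continue }   # ordinary failed logins, nothing to report

        # A successful sign-in from a source that was spraying or brute forcing is the signal
        # that matters most: the attacker has a working password for that account.
        $successes = @($all | Where-Object { $_.IPAddress -eq $src.Name -and $_.Status -eq 'Success' }).Count

        [pscustomobject]@{
            SourceIP        = $src.Name
            Pattern         = $pattern
            DistinctUsers   = $users.Count
            FailedAttempts  = $inWindow.Count
            AttemptsPerUser = [math]::Round($attemptsPerUser, 2)
            Successes       = $successes
            FirstSeenUtc    = $first.UtcDateTime
        }
    }
}

# Usage on the constructed sample: one spraying source that also logs a success, one
# single-account brute force, and one user who mistyped a password once (not reported).
Find-PasswordSpray -Csv $SampleSignIns | Format-Table -AutoSize
```

Real sprays are slower and rounder than the sample, typically one attempt per account spread over hours, so widen the window and lower the per-user threshold when tuning, and enrich SourceIP against Tor exit and commercial VPN address lists, since the advisory says that is where this traffic came from.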

The Ugly

Question: what do you get when you add a zero-day to a freshly minted exploit and the accidental release of both by security researchers? Answer: a very ugly day in cybersecurity. What is now being dubbed PrintNightmare is a remote code execution vulnerability in the Windows Print Spooler service. The service is enabled by default on Windows Server editions, with the exception of Windows Server Core, and is likely to affect the majority of enterprises.

Most importantly, the bug is not fixed in the latest Microsoft patch and CISA advises all enterprises to disable the Windows Print Spooler service in Domain controllers, Active Directory admin systems, and all other systems that do not print. This can be effected with PowerShell via

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

Or, for the running instance only, via Windows cmd with:

net stop spooler

Note that net stop only stops the service; unless the startup type is also changed, as in the PowerShell above, the spooler returns at the next reboot.

On Thursday, Microsoft assigned the bug to CVE-2021-34527 and further advised admins to disable inbound remote printing through Group Policy. The OS vendor also said they were aware of in-the-wild attacks but gave no further details.
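The audit and mitigation steps above, as an added PowerShell example written for this page (not a script from CISA or Microsoft): it reports whether a host has any reason to run the spooler (a domain controller, or a machine that shares no printers, does not), then applies the two mitigations, the inbound remote printing policy and, where the host never prints, stopping and disabling the service. The function names are this example’s own, and the registry value is an assumption: RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers is understood to be what the “Allow Print Spooler to accept client connections” policy writes, with 2 meaning disabled; confirm it against your ADMX templates before deploying.

```powershell
# Added example for this page, not a script from CISA or Microsoft.
# Audit whether a host needs the Print Spooler at all, then apply the two mitigations
# discussed above. Run with -WhatIf first.

function Get-SpoolerExposure {
    # Domain controllers and hosts that share no printers have no reason to accept remote print RPC.
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole   # 4 = backup DC, 5 = primary DC
    $isDc = $role -in @(4, 5)
    $sharedPrinters = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerStatus      = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        StartupType        = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        IsDomainController = $isDc
        SharedPrinters     = $sharedPrinters.Count
        ShouldDisable      = [bool]$svc -and ($isDc -or $sharedPrinters.Count -eq 0)
    }
}

function Disable-SpoolerRemoteAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch] $StopService   # also stop and disable the service (hosts that never print)
    )

    # ASSUMPTION: this is the value behind the "Allow Print Spooler to accept client connections"
    # policy, with 1 = enabled and 2 = disabled. Confirm against your ADMX templates before use.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    if ($PSCmdlet.ShouldProcess($policyKey, 'Set RegisterSpoolerRemoteRpcEndPoint = 2 (refuse client connections)')) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        # The spooler reads the policy at start-up, so restart a running spooler for it to take effect.
        $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        if (-not $StopService -and $svc -and $svc.Status -eq 'Running') {
            Restart-Service -Name Spooler -Force
        }
    }

    if ($StopService -and $PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

# Usage: audit first, then apply on hosts that report ShouldDisable = True.
#   Get-SpoolerExposure
#   Disable-SpoolerRemoteAccess -StopService -WhatIf
#   Disable-SpoolerRemoteAccess -StopService
```

On print servers, where the service must stay up, run Disable-SpoolerRemoteAccess without -StopService only if those hosts do not need to accept client print connections; otherwise the policy mitigation does not apply and patching is the only fix.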

The bug came to light when Chinese cybersecurity outfit Sangfor released PoC code on GitHub for what it believed was the Print Spooler vulnerability Microsoft had addressed in its most recent Patch Tuesday. Researchers from the company intend to present on multiple Spooler vulns at this year’s Black Hat, but the code they published in fact exercised a different, unpatched flaw. The PoC was subsequently removed from GitHub, but not before others had cloned and forked the repo.


Jim Whitehurst steps down as president at IBM just 14 months after taking role

In a surprise move today, IBM announced that Jim Whitehurst, who came over in the Red Hat deal, would be stepping down as company president just 14 months after taking over in that role.

IBM didn’t give a lot of details as to why he was stepping away, but acknowledged his key role in helping bring the 2018 $34 billion Red Hat deal to fruition and helping bring the two companies together after the deal closed. “Jim has been instrumental in articulating IBM’s strategy, but also, in ensuring that IBM and Red Hat work well together and that our technology platforms and innovations provide more value to our clients,” the company stated.

He will stay on as a senior adviser to CEO Arvind Krishna, but it raises the question of why he is leaving after such a short time in the role, and what he plans to do next. Often, after a deal of this magnitude closes, there is an agreement as to how long key executives will stay. It could simply be that the period has expired and Whitehurst wants to move on, but some saw him as the heir apparent to Krishna, and the move comes as a surprise when viewed in that context.

“I am surprised because I always thought Jim would be next in line as IBM CEO. I also liked the pairing between a lifer IBMer and an outsider,” Patrick Moorhead, founder and principal analyst at Moor Insight & Strategies told TechCrunch.

Regardless, it leaves a big hole in Krishna’s leadership team as he works to transform the company into one that is primarily focused on hybrid cloud. Whitehurst was undoubtedly in a position to help drive that change through his depth of industry knowledge and his credibility with the open source community from his time at Red Hat. He is not someone who would be easily replaced and the announcement didn’t mention anyone filling his role.

When IBM bought Red Hat in 2018 for $34 billion, it led to a cascading set of changes at both companies. First Ginni Rometty stepped down as CEO at IBM and Arvind Krishna took over. At the same time, Jim Whitehurst, who had been Red Hat CEO, moved to IBM as president, and long-time Red Hat employee Paul Cormier moved into his role.

Alongside the Whitehurst news, the company also announced that long-time IBM executive Bridget van Kralingen is stepping away from her role as senior vice president of global markets. Rob Thomas, who had been senior vice president of IBM cloud and data platform, will step in to replace van Kralingen.

Another 0-Day Looms for Many Western Digital Users

Some of Western Digital’s MyCloud-based data storage devices. Image: WD.

Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can’t or won’t upgrade to the latest operating system.

At issue is a remote code execution flaw residing in all Western Digital network attached storage (NAS) devices running MyCloud OS 3, an operating system the company only recently stopped supporting.

Researchers Radek Domanski and Pedro Ribeiro originally planned to present their findings at the Pwn2Own hacking competition in Tokyo last year. But just days before the event Western Digital released MyCloud OS 5, which eliminated the bug they found. That update effectively nullified their chances at competing in Pwn2Own, which requires exploits to work against the latest firmware or software supported by the targeted device.

Nevertheless, in February 2021, the duo published this detailed YouTube video, which documents how they discovered a chain of weaknesses that allows an attacker to remotely update a vulnerable device’s firmware with a malicious backdoor — using a low-privileged user account that has a blank password.

The researchers said Western Digital never responded to their reports. In a statement provided to KrebsOnSecurity, Western Digital said it received their report after Pwn2Own Tokyo 2020, but that at the time the vulnerability they reported had already been fixed by the release of My Cloud OS 5.

“The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions,” Western Digital said. “We didn’t have any questions so we didn’t respond. Since then, we have updated our process and respond to every report in order to avoid any miscommunication like this again. We take reports from the security research community very seriously and conduct investigations as soon as we receive them.”

Western Digital ignored questions about whether the flaw found by Domanski and Ribeiro was ever addressed in OS 3. A statement published on its support site March 12, 2021 says the company will no longer provide further security updates to the MyCloud OS 3 firmware.

“We strongly encourage moving to the My Cloud OS5 firmware,” the statement reads. “If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5. More information can be found here.” A list of MyCloud devices that can support OS 5 is here.

But according to Domanski, OS 5 is a complete rewrite of Western Digital’s core operating system, and as a result some of the more popular features and functionality built into OS3 are missing.

“It broke a lot of functionality,” Domanski said of OS 5. “So some users might not decide to migrate to OS 5.”

In recognition of this, the researchers have developed and released their own patch that fixes the vulnerabilities they found in OS 3 (the patch needs to be reapplied each time the device is rebooted). Western Digital said it is aware of third parties offering security patches for My Cloud OS 3.

“We have not evaluated any such patches and we are unable to provide any support for such patches,” the company stated.

A snippet from the video showing the researchers uploading their malicious firmware via a remote zero-day flaw in MyCloud OS 3.

Domanski said MyCloud users on OS 3 can virtually eliminate the threat from this attack by simply ensuring that the devices are not set up to be reachable remotely over the Internet. MyCloud devices make it super easy for customers to access their data remotely, but doing so also exposes them to attacks like last month’s that led to the mass-wipe of MyBook Live devices.

“Luckily for many users they don’t expose the interface to the Internet,” he said. “But looking at the number of posts on Western Digital’s support page related to OS3, I can assume the userbase is still considerable. It almost feels like Western Digital without any notice jumped to OS5, leaving all the users without support.”

Dan Goodin at Ars Technica has a fascinating deep dive on the other zero-day flaw that led to the mass attack last month on MyBook Live devices that Western Digital stopped supporting in 2015. In response to Goodin’s report, Western Digital acknowledged that the flaw was enabled by a Western Digital developer who removed code that required a valid user password before allowing factory resets to proceed.

Facing a backlash of angry customers, Western Digital also pledged to provide data recovery services to affected customers starting this month. “MyBook Live customers will also be eligible for a trade-in program so they can upgrade to MyCloud devices,” Goodin wrote. “A spokeswoman said the data recovery service will be free of charge.”

If attackers get around to exploiting this OS 3 bug, Western Digital might soon be paying for data recovery services and trade-ins for a whole lot more customers.