Segment launches customer journey tool to build fine-grained personal experiences

Twilio Segment announced a tool, which is available starting today, to help marketers create fine-grained customer journeys. Until now the company has enabled marketers to build buyer personas and broader audiences, but this enables users to have much greater control of their interactions with a customer.

Company co-founder and CEO Peter Reinhardt says that marketers have been craving the ability to build more customized customer journeys and this tool gives them that. “It’s basically taking the power that existed in personas and audiences and actually putting it fully in marketers’ hands to build their dream journeys across every channel with the best data,” he said.

This enables marketers to stitch together a whole sequence of audiences. “Say when someone comes to the top of the funnel, they want to do X, then if they want to branch it and use X or Y, then do two different things, and you can keep branching and personalizing via this whole journey to cover the whole lifecycle.”

He says this capability has existed in some tools, but the Twilio Segment offering enables it to be used in more than 300 tools in the Segment ecosystem. “This is the first time that we’re going to be able to really do that and orchestrate this way, not just for a limited subset of channels, but across all of the channels,” he said.

Marketers can build branching by dragging and dropping journey components to send people on different paths depending on things like if they are a regular customer or a first-time customer or just about anything you can think of. Reinhardt says that flexibility is a key attribute of the new feature.

While it’s competing with some major players like Adobe and Salesforce in this space, Reinhardt believes this capability really gives Twilio a leg up over the competitors. “I think if you look at more of the legacy journey builders, [their products] are not built on real-time data, meaning that they’re actually missing basically all of the interesting behavioral data that marketers actually build on,” he said.

Segment was acquired by Twilio last year for $3.2 billion, and part of the reason for that was to increase its customer engagement capabilities. Segment gives Twilio a customer data platform to build on top of its other communications tooling, and today’s announcement expands on that capability.

Honeywell and Cambridge Quantum form joint venture to build a new full-stack quantum business

Honeywell, which only recently announced its entry into the quantum computing race, and Cambridge Quantum Computing (CQ), which focuses on building software for quantum computers, today announced that they are combining Honeywell’s Quantum Solutions (HQS) business with Cambridge Quantum in the form of a new joint venture.

Honeywell has long partnered with CQ, and invested in the company last year, too. The idea here is to combine Honeywell’s hardware expertise with CQ’s software focus to build what the two companies call “the world’s highest-performing quantum computer and a full suite of quantum software, including the first and most advanced quantum operating system.”

The merged companies (or “combination,” as the companies’ press release calls it) expect the deal to be completed in the third quarter of 2021. Honeywell Chairman and CEO Darius Adamczyk will become the chairman of the new company. CQ founder and CEO Ilyas Khan will become the CEO, and current Honeywell Quantum Solutions President Tony Uttley will remain in that role at the new company.

The idea here is for Honeywell to spin off HQS and combine it with CQ to form a new company, while still playing a role in its leadership and finances. Honeywell will own a majority stake in the new company and invest between $270 and $300 million. It will also have a long-term agreement with the new company to build the ion traps at the core of its quantum hardware. CQ’s shareholders will own 45% of the new company.

Image Credits: Honeywell

“The new company will have the best talent in the industry, the world’s highest-performing quantum computer, the first and most advanced quantum operating system, and comprehensive, hardware-agnostic software that will drive the future of the quantum computing industry,” said Adamczyk. “The new company will be extremely well positioned to create value in the near-term within the quantum computing industry by offering the critical global infrastructure needed to support the sector’s explosive growth.”

The companies argue that a successful quantum business will need to be supported by large-scale investments and offer a one-stop shop for customers that combines hardware and software. By combining the two companies now, they note, they’ll be able to build on their respective leadership positions in their areas of expertise and scale their businesses while also accelerating their R&D and product roadmaps.

“Since we first announced Honeywell’s quantum business in 2018, we have heard from many investors who have been eager to invest directly in our leading technologies at the forefront of this exciting and dynamic industry — now, they will be able to do so,” Adamczyk said. “The new company will provide the best avenue for us to onboard new, diverse sources of capital at scale that will help drive rapid growth.”

CQ launched in 2014 and now has about 150 employees. The company raised a total of $72.8 million, including a $45 million round, which it announced last December. Honeywell, IBM Ventures, JSR Corporation, Serendipity Capital, Alvarium Investments and Talipot Holdings invested in this last round — which also means that IBM, which uses a different technology but, in many ways, directly competes with the new company, now owns a (small) part of it.

Microsoft Patches Six Zero-Day Security Holes

Microsoft today released another round of security updates for Windows operating systems and supported software, including fixes for six zero-day bugs that malicious hackers already are exploiting in active attacks.

June’s Patch Tuesday addresses just 49 security holes — about half the normal number of vulnerabilities lately. But what this month lacks in volume it makes up for in urgency: Microsoft warns that bad guys are leveraging a half-dozen of those weaknesses to break into computers in targeted attacks.

Among the zero-days are:

CVE-2021-33742, a remote code execution bug in a Windows HTML component
CVE-2021-31955, an information disclosure bug in the Windows Kernel
CVE-2021-31956, an elevation of privilege flaw in Windows NTFS
CVE-2021-33739, an elevation of privilege flaw in the Microsoft Desktop Window Manager
CVE-2021-31201, an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider
CVE-2021-31199, an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider

Kevin Breen, director of cyber threat research at Immersive Labs, said elevation of privilege flaws are just as valuable to attackers as remote code execution bugs: Once the attacker has gained an initial foothold, he can move laterally across the network and uncover further ways to escalate to system or domain-level access.

“This can be hugely damaging in the event of ransomware attacks, where high privileges can enable the attackers to stop or destroy backups and other security tools,” Breen said. “The ‘exploit detected’ tag means attackers are actively using them, so for me, it’s the most important piece of information we need to prioritize the patches.”

Microsoft also patched five critical bugs — flaws that can be remotely exploited to seize control over the targeted Windows computer without any help from users. CVE-2021-31959 affects everything from Windows 7 through Windows 10 and Server versions 2008, 2012, 2016 and 2019.

SharePoint also got a critical update in CVE-2021-31963; Microsoft says this one is less likely to be exploited, but then critical SharePoint flaws are a favorite target of ransomware criminals.

Interestingly, two of the Windows zero-day flaws — CVE-2021-31201 and CVE-2021-31199 — are related to a patch Adobe released recently for CVE-2021-28550, a flaw in Adobe Acrobat and Reader that also is being actively exploited.

“Attackers have been seen exploiting these vulnerabilities by sending victims specially crafted PDFs, often attached in a phishing email, that when opened on the victim’s machine, the attacker is able to gain arbitrary code execution,” said Christopher Hass, director of information security and research at Automox. “There are no workarounds for these vulnerabilities, patching as soon as possible is highly recommended.”

In addition to updating Acrobat and Reader, Adobe patched flaws in a slew of other products today, including Adobe Connect, Photoshop, and Creative Cloud. The full list is here, with links to updates.

The usual disclaimer:

Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for Windows updates to hose one’s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

For a quick visual breakdown of each update released today and its severity level, check out this Patch Tuesday post from the SANS Internet Storm Center.

When JBS Met REvil Ransomware | Why We Need to Beef Up Critical Infrastructure Security

The steady drumbeat of news about ransomware attacks continued this week, with the world’s biggest meat processor JBS being hit, as well as the New York Metropolitan Transit Authority and the Massachusetts Steamship Authority. Ransomware attacks are nothing new of course – unscrupulous criminals have been locking the data and demanding payment of individuals and entities for years – but recent attacks represent a significant escalation in scale and kind as attackers increasingly hit essential public services.

Essential Public Services – An Easy Mark for Ransomware Attacks

Two weeks ago a criminal hacker gang calling itself DarkSide attacked the Colonial Pipeline, which supplies much of the East Coast with nearly half of its fuel. The news of the pipeline’s shutdown caused panic buying throughout much of the country resulting in major gasoline shortages in several states.

It wasn’t the first time that ransomware has hit energy suppliers either. In February 2020, CISA advised all operational technology owners to take action after a ransomware attack on a natural gas plant forced it to shut down for two days. Although that attack was instigated from a spear-phishing email, ransomware operators are increasingly infecting targets through other vectors, including stolen credentials, brute force attacks and installation through desktop sharing apps.

Critical infrastructure such as food and energy suppliers, along with schools and healthcare institutions, are often easy targets for criminals. Many organizations in those sectors are publicly funded and often lack both the budget and the expertise of large, well-resourced private enterprises. For that reason, government facilities, education and the healthcare sector tend to be the most frequent victims of ransomware among the 16 sectors that CISA designates as ‘critical infrastructure’. The spate of ransomware attacks since 2018 on hospitals, schools and cities like Atlanta, Greenville, Baltimore and Riviera Beach City Council are some of the more high-profile cases in point.

While attacks in the Food and Agriculture sector are not as common, there have reportedly been at least 40 cases in the last twelve months of ransomware targeting food companies. And unfortunately, as we have seen this past week with JBS, the effect of hitting a major food distributor with ransomware can have consequences far beyond that of monetary loss for the organization itself.

Food Suppliers Are Tempting Targets For Ransomware

The attack on JBS represents a massive assault on the food supply not just in the U.S. but in countries around the world. JBS is the world’s largest meat supplier with more than 150 plants and over 150,000 workers employed in fifteen countries. In the US, the company is the second-largest producer of beef, pork and chicken, processing around a quarter of the nation’s beef and about a fifth of its pork.

In a statement last Monday, JBS said that it had been “the target of an organized cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems.” Meanwhile, the U.S. Department of Agriculture said it had reached out to other major meat processors and encouraged them to accommodate additional capacity where possible. The USDA stressed the importance of keeping supply moving and mitigating any potential price issues.

By Thursday, the company released a further statement claiming it was able to limit the loss of food produced during the attack to less than one day’s worth of production and that lost production across the company’s global business would be “fully recovered by the end of next week”.

JBS Attack Attributed to REvil (Sodinokibi)

Meanwhile, the FBI attributed the attack to the REvil gang in a tweet on Thursday.

The REvil ransomware group has been in operation since at least mid-2019. Earlier this year they made headlines with two high-profile attacks on tech companies Acer in March and Apple supplier Quanta in April, demanding ransom payments to the tune of $50 million (it is not known if either of these were paid).

The operators have also been fine-tuning their RaaS (Ransomware-as-a-Service) offering in a bid to evade weak security controls. A recent version attempts to reboot an infected computer into Windows Safe Mode with Networking using the -smode argument. The ransomware changes the user’s password to a hard-coded value then automatically logs in with the new credentials. The SentinelOne platform protects against this (and all other) versions of the REvil ransomware.
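The safe-mode trick described above relies on ordinary Windows mechanisms rather than anything exotic, which is what makes it detectable. The following is an added illustration, not SentinelOne’s product logic and not REvil code: it scans constructed, Sysmon-style process-creation lines for the standard primitives a reboot-into-Safe-Mode-with-autologon needs (a bcdedit safeboot change, Winlogon AutoAdminLogon/DefaultPassword writes, a net user password change, a forced reboot) and raises the severity when several occur under the same parent process. The log format, host names, process IDs and the password value are all assumptions.

```python
"""
Detection sketch for the Safe Mode with Networking + auto-logon chain.
Added example; the log lines below are constructed and only resemble
Sysmon Event ID 1 (process creation) records.  Rules match on the
command line only, never on the image path.
"""
import re
from collections import defaultdict

# Assumed line format: "<ts> host=<h> pid=<n> ppid=<n> image=<path> cmd=<command line>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)"
    r"\s+image=(?P<image>\S+)\s+cmd=(?P<cmd>.*)$"
)

# The Windows primitives required to force a Safe Mode boot and log back in
# without a human present.  Any one of them alone may be legitimate admin work.
RULES = [
    # bcdedit /set {current} safeboot network (or minimal)
    ("safeboot_configured", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    # Winlogon auto-logon values: AutoAdminLogon, DefaultUserName, DefaultPassword
    ("autologon_enabled", re.compile(
        r"Winlogon\b.*\b(AutoAdminLogon|DefaultPassword|DefaultUserName)\b", re.I)),
    # "net user <name> <password>" sets a password; bare "net user" only lists accounts
    ("net_user_modify", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+", re.I)),
    # shutdown /r ... forces the reboot that activates the safeboot setting
    ("forced_reboot", re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I)),
]

# Constructed sample: one suspicious chain on PLANT-WS07 under parent pid 3988,
# and routine administration on ADMIN-PC01 that must not fire.
SAMPLE_LOG = """\
2021-06-01T03:12:05Z host=PLANT-WS07 pid=4118 ppid=3988 image=C:\\Windows\\System32\\net.exe cmd=net user jdoe EXAMPLE-HARDCODED-PW
2021-06-01T03:12:06Z host=PLANT-WS07 pid=4119 ppid=3988 image=C:\\Windows\\System32\\reg.exe cmd=reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
2021-06-01T03:12:07Z host=PLANT-WS07 pid=4120 ppid=3988 image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /set {current} safeboot network
2021-06-01T03:12:08Z host=PLANT-WS07 pid=4121 ppid=3988 image=C:\\Windows\\System32\\shutdown.exe cmd=shutdown /r /f /t 0
2021-06-01T09:41:12Z host=ADMIN-PC01 pid=2210 ppid=1104 image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /enum
2021-06-01T09:42:30Z host=ADMIN-PC01 pid=2244 ppid=1104 image=C:\\Windows\\System32\\net.exe cmd=net user
"""


def scan(lines):
    """Return one finding dict per (line, rule) match; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        for name, pattern in RULES:
            if pattern.search(m["cmd"]):
                findings.append({"ts": m["ts"], "host": m["host"], "ppid": m["ppid"],
                                 "rule": name, "cmd": m["cmd"]})
    return findings


def correlate(findings):
    """Group findings by (host, parent pid) and grade each group.

    HIGH   : safeboot change plus a credential/auto-logon change from one parent
    MEDIUM : two or more different primitives from one parent
    LOW    : a single primitive (could be legitimate administration)
    """
    chains = defaultdict(set)
    for f in findings:
        chains[(f["host"], f["ppid"])].add(f["rule"])
    verdicts = {}
    for key, rules in chains.items():
        if "safeboot_configured" in rules and rules & {"autologon_enabled", "net_user_modify"}:
            verdicts[key] = "HIGH"
        elif len(rules) >= 2:
            verdicts[key] = "MEDIUM"
        else:
            verdicts[key] = "LOW"
    return verdicts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['host']} ppid={f['ppid']} [{f['rule']}] {f['cmd']}")
    for (host, ppid), verdict in correlate(found).items():
        print(f"{host} parent {ppid}: {verdict}")
```

Bare `bcdedit /enum` and `net user` on the admin host produce no findings, so only the chain under one parent on the plant workstation is graded HIGH.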

The dust hasn’t yet settled on this attack and many facts remain unknown, including whether the company paid a ransom. JBS projected optimism that production would be restored quickly in places where it had been interrupted, but even a short disruption to a fifth of the U.S. beef harvesting capacity could have large knock-on effects in the market, potentially causing short term supply shortages and raising prices for beef and other proteins. A longer disruption could have had massive impacts on the entire food supply chain.

Criminal hackers have deftly probed for new vulnerabilities and found new opportunities in places that we previously haven’t thought of as being particularly cyber-dependent. At least on its face, few things could seem less vulnerable to hacking than beef harvesting, but every person and every entity is potentially, and increasingly, vulnerable.

What’s Next For Ransomware and Our Critical Infrastructure?

These attacks raise the specter of even more destructive events down the road. What if criminal hackers managed to strike a major blow to the electrical grid, or to mount a sustained attack on a large energy supplier or big city utility? Previously these kinds of major attacks on civilian critical infrastructure have been the preserve of nation-state actors, and at least in the United States, they’ve been more a threat that we know exists than an everyday reality that we must deal with.

This is the reality of our interconnected world: cyber threats are whole-of-society threats. High-impact attacks are no longer simply a geopolitical concern – they are an ever-present threat from both state and non-state actors. Both are relentlessly searching out vulnerabilities and pain points, and properly dealing with either requires that we recognize the scale and immediacy of the threat. Protecting our food supply, electrical grid, hospital systems and so many other elements of critical infrastructure requires that every public and private entity step up and meet this threat.

If you would like to learn more about how the SentinelOne Singularity Platform can help protect your organization or business, please contact us, or request a free demo.



Naspers co-leads $14.5M extension round in mobility startup WhereIsMyTransport

Many people in emerging markets depend on informal public transport to move across cities. But while there are ride-hailing and bus-hailing applications in some of these cities, there’s a dire need for journey-planning apps to improve mobility for users and reduce the time they spend commuting.

South African-founded startup WhereIsMyTransport is one such company filling that gap for now. Today, it is announcing a $14.5 million Series A extension to continue its expansion across emerging markets; the company already has a presence in South Africa and Mexico.

Naspers, via its investment arm, Naspers Foundry, co-led the investment with Cathay AfricInvest Innovation Fund. According to Naspers, the size of its check was $3 million. Japan’s SBI Investment also participated in the round.

The extension round is coming a year after WhereIsMyTransport received a $7.5 million Series A investment from VC firms and strategic investment from Google, Nedbank and Toyota Tsusho Corporation (TTC).

Devin de Vries, Chris King and Dave New started the company in 2015. As a mobility startup, WhereIsMyTransport maps formal and informal public transport networks. The company then uses the data it gathers to improve the public transport experience, making commuting safe and accessible.

In addition to this, WhereIsMyTransport licenses some of this data to governments, DFIs, NGOs, operators, and third-party developers. It claims this is done for research, analytics, insights and consumer and enterprise solutions purposes.  

“WhereIsMyTransport started in South Africa, focused on becoming a central source of accurate and reliable public transport data for high-growth markets. We’re thrilled to welcome Naspers as an investor as our journey continues in megacities across the majority world,” said CEO Devin de Vries in a statement.

Last year when we covered the company, it had mapped 34 cities in Africa while actively mapping some in India, Southeast Asia and Latin America. Since then, it expanded into Mexico City last November and has completed multiple data production projects in the city alongside Lima, Bangkok, Gauteng and Dhaka. To date, the company has worked in 41 cities across 28 countries.

WhereIsMyTransport also launched its first consumer product Rumbo, which provides network information from all modes of public transport in Mexico with more than 100,000 users delivering over 750,000 real-time network alerts. The company says there are plans to launch Rumbo in Lima, Peru later this year.


Devin de Vries (CEO WhereIsMyTransport). Image Credits: WhereIsMyTransport

For co-lead investor Naspers Foundry, this is the firm’s first investment in mobility. So far, it has funded four other South African startups — Aerobotics, SweepSouth, Food Supply Network and The Student Hub — with a focus on edtech, food and cleaning sectors.

“We couldn’t pass on the opportunity to back an extraordinary South African founder who has built his business here in Cape Town to a global market leader in mapping formal and informal transportation with a strong focus on emerging markets,” head of Naspers Foundry Fabian Whate told TechCrunch.

He also added that there is an overlap between mobility and the food and e-commerce businesses that seem to be the main focus from a Naspers perspective. “The global food and e-commerce businesses, often operating in emerging markets, are quite reliant on mobility solutions. So there’s a great overlap between what the Naspers Group does and the vision for WhereIsMyTransport.”

In South Africa, WhereIsMyTransport’s clients include Johannesburg commuter rail system Gautrain and Transport for Cape Town. On the other hand, its international client base includes Google, the World Bank and WSP, and others.

South Africa CEO of Naspers Phuthi Mahanyele-Dabengwa said: “Mobility remains an obstacle for billions of people in high-growth markets across the world. Our investment in WhereIsMyTransport is a testimony of our belief that great innovation and tech talent is found in South Africa, and with the right backing and support, these businesses can provide solutions to local challenges that can improve the lives of ordinary people in South Africa and abroad.”

Microsoft’s Windows Virtual Desktop is now Azure Virtual Desktop

As remote work became the default for many companies during the pandemic, it’s maybe no surprise that services like Microsoft’s Windows Virtual Desktop, which gives users access to a fully managed Windows 10 desktop experience from virtually anywhere, saw a lot of interest from large enterprises and a new crop of small businesses that suddenly had to find ways to better support their remote workers. That’s pretty much what Microsoft saw, too, which had originally targeted Windows Virtual Desktop at some of the world’s largest enterprises. And so as the user base changed, Microsoft’s vision for the product changed as well, leading it to now changing its name from Windows Virtual Desktop to Azure Virtual Desktop.

“When we first went GA with Windows Virtual Desktop, about a year and a half ago, the world was a very different place,” said Kam VedBrat, Microsoft’s general manager for Azure Virtual Desktop. “And to be blunt, we looked at the service and what we were building, who we were building it for, pretty differently. No one at that time had any idea that this global pandemic was going to happen and that it would cause so many organizations around the world and millions of people to have to essentially leave the office and work from home — and the role the service would play in enabling a lot of that.”

Image Credits: Microsoft

While the original idea was to help enterprises move their virtual desktop environments from their data centers to the cloud, the pandemic brought a slew of new use cases to Windows Azure Virtual Desktop. It now hosts anything from virtual school labs to the traditional remote enterprise use cases. These new users also have somewhat different needs and expertise from those users the service was originally meant for, so on top of today’s name change, the company is also launching a set of new features that should make it easier for new users to get started with using Azure Virtual Desktop.

Among those is a new Quickstart experience, which will soon launch in public preview. “One piece of feedback that we saw is that as so many organizations are looking at Azure Virtual Desktop to enable new scenarios for hybrid work, they want to get these environments up and running quickly to understand how they work, how their apps behave in them, how to think about app groups and host pools and some of the new concepts that are there,” VedBrat explained. Ideally, it should now only take a few clicks to set up a full virtual desktop environment from the Azure portal.

Also new in Azure Virtual Desktop is support for managing multi-session virtual machines (VMs) with Microsoft Endpoint Manager, Microsoft’s unified service for device management. This marks the first time Endpoint Manager is able to handle multi-session VMs, which are one of the biggest selling points for Azure Virtual Desktop, since it allows a business to host multiple users on the same machine running Windows 10 Enterprise in the cloud.

In addition, Azure Virtual Desktop now offers enhanced support for Azure Active Directory, as well as a new per-user access pricing option (on top of the cost of running on the Azure infrastructure) that will allow customers to deliver apps to external users. This, Microsoft argues, will allow software vendors to deliver their apps as a SaaS solution, for example.

As for the name change, VedBrat argues that while Windows is obviously at the core of the experience, a lot of the service’s users care about the underlying Azure infrastructure as well, be that storage or networking, for example. “They look at that broader environment that they’re creating — that window estate that they’re creating in the cloud — and they see that as a larger thing and they look at a lot of Azure as part of that. So we felt like the right thing to do at this point, in order to address that broader view that our customers are taking, was to look at the new name,” he explained.

I thought Windows Virtual Desktop explained the core concept just fine, but nobody has ever accused me of being a marketing genius.

Adventures in Contacting the Russian FSB

KrebsOnSecurity recently had occasion to contact the Russian Federal Security Service (FSB), the Russian equivalent of the U.S. Federal Bureau of Investigation (FBI). In the process of doing so, I encountered a small snag: The FSB’s website said in order to communicate with them securely, I needed to download and install an encryption and virtual private networking (VPN) appliance that is flagged by at least 20 antivirus products as malware.

The FSB headquarters at Lubyanka Square, Moscow. Image: Wikipedia.

The reason I contacted the FSB — one of the successor agencies to the Russian KGB — ironically enough had to do with security concerns raised by an infamous Russian hacker about the FSB’s own preferred method of being contacted.

KrebsOnSecurity was seeking comment from the FSB about a blog post published by Vladislav “BadB” Horohorin, a former international stolen credit card trafficker who served seven years in U.S. federal prison for his role in the theft of $9 million from RBS WorldPay in 2009. Horohorin, a citizen of Russia, Israel and Ukraine, is now back where he grew up in Ukraine, running a cybersecurity consulting business.

Horohorin’s BadB carding store, badb[.]biz, circa 2007. Image: Archive.org.

Visit the FSB’s website and you might notice its web address starts with http:// instead of https://, meaning the site is not served over an encrypted (TLS) connection. In practical terms, any information shared between the visitor and the website is sent in plain text and will be visible to anyone who has access to that traffic.

This appears to be the case regardless of which Russian government site you visit. According to Russian search giant Yandex, the laws of the Russian Federation require that encrypted connections be established using the Russian GOST cryptographic algorithms.

That means those who have a reason to send encrypted communications to a Russian government organization — including ordinary things like making a payment for a government license or fine, or filing legal documents — need to first install CryptoPro, a Windows-only application that loads the GOST encryption libraries on a user’s computer.

But if you want to talk directly to the FSB over an encrypted connection, you can just install their own client, which bundles the CryptoPro code. Visit the FSB’s site and select the option to “transfer meaningful information to operational units,” and you’ll see a prompt to install a “random number generation” application that is needed before a specific contact form on the FSB’s website will load properly.

Mind you, I’m not suggesting anyone go do that: Horohorin pointed out that this random number generator was flagged by 20 different antivirus and security products as malicious.

“Think well before contacting the FSB for any questions or dealing with them, and if you nevertheless decide to do this, it is better to use a virtual machine,” Horohorin wrote. “And a spacesuit. And, preferably, while in another country.”

Antivirus product detections on the FSB’s VPN software. Image: VirusTotal.

It’s probably worth mentioning that the FSB is the same agency that’s been sanctioned for malicious cyber activity by the U.S. government on multiple occasions over the past five years. According to the most recent sanctions by the U.S. Treasury Department, the FSB is known for recruiting criminal hackers from underground forums and offering them legal cover for their actions.

“To bolster its malicious cyber operations, the FSB cultivates and co-opts criminal hackers, including the previously designated Evil Corp., enabling them to engage in disruptive ransomware attacks and phishing campaigns,” reads a Treasury assessment from April 2021.

While Horohorin seems convinced the FSB is disseminating malware, it is not unusual for a large number of security tools used by VirusTotal or other similar malware “sandbox” services to incorrectly flag safe files as bad or suspicious — an all-too-common condition known as a “false positive.”

Late last year I warned my followers on Twitter to put off installing updates for their Dell products until the company could explain why a bunch of its software drivers were being detected as malware by two dozen antivirus tools. Those all turned out to be false positives.

To really figure out what this FSB software was doing, I turned to Lance James, the founder of Unit221B, a New York City-based cybersecurity firm. James said each download request generates a new executable program. That is because the uniqueness of the file itself is part of what makes the one-to-one encrypted connection possible.

“Essentially it is like a temporary, one-time-use VPN, using a separate key for each download,” James said. “The executable is the handshake with you to exchange keys, as it stores the key for that session in the exe. It’s a terrible approach. But it’s what it is.”

James said the FSB’s program does not appear to be malware, at least in terms of the actions it takes on a user’s computer.

“There’s no sign of actual trojan activity here except the fact it self deletes,” James said. “It uses GOST encryption, and [the antivirus products] may be thinking that those properties look like ransomware.”

James says he suspects the antivirus false positives were triggered by certain behaviors which could be construed as malware-like. The screenshot below — from VirusTotal — says some of the file’s contents align with detection rules made to find instances of ransomware.

Some of the malware detection rules triggered by the FSB’s software. Source: VirusTotal.

Other detection rules tripped by this file include program routines that erase event logs from the user’s system — a behavior often seen in malware that is trying to hide its tracks.

On a hunch that just including the GOST encryption routine in a test program might be enough to trigger false positives in VirusTotal, James wrote and compiled a short program in C++ that invoked the GOST cipher but otherwise had no networking components. He then uploaded the file for scanning at VirusTotal.

Even though James’ test program did nothing untoward or malicious, it was flagged by six antivirus engines as potentially hostile. Symantec’s machine learning engine seemed particularly certain that James’ file might be bad, awarding it the threat name “ML.Attribute.HighConfidence” — the same designation it assigned to the FSB’s program.

KrebsOnSecurity installed the FSB’s software on a test computer using a separate VPN, and straight away it connected to an Internet address currently assigned to the FSB (213.24.76.xxx).

The program prompted me to click on various parts of the screen to generate randomness for an encryption key, and when that was done it left a small window which explained in Russian that the connection was established and that I should visit a specific link on the FSB’s site.

The FSB’s random number generator in action.

Doing so opened up a page where I could leave a message for the FSB. I asked them if they had any response to their program being broadly flagged as malware.

The contact form that ultimately appeared after installing the FSB’s software and clicking a specific link at fsb[.]ru.

After all the effort, I’m disappointed to report that I have not yet received a reply. Nor did I hear back from S-Terra CSP, the company that makes the VPN software offered by the FSB.

James said that given their position, he could see why many antivirus products might think it’s malware.

“Since they won’t use our crypto and we won’t use theirs,” James said. “It’s a great explanation on political weirdness with crypto.”

Still, James said, a number of things just don’t make sense about the way the FSB has chosen to deploy its one-time VPN software.

“The way they have set this up to suddenly trust a dynamically changing exe is still very concerning. Also, why would you send me a 256 random number generator seed in an exe when the computer has a perfectly valid and tested random number generator built in? You’re sending an exe to me with a key you decide over a non-secure environment. Why the fuck if you’re a top intelligence agency would you do that?”

Why indeed. I wonder how many people would share information about federal crimes with the FBI if the agency required everyone to install an executable file first — to say nothing of one that looks a lot like ransomware to antivirus firms?

After doing this research, I learned the FSB recently launched a website that is only reachable via Tor, software that protects users’ anonymity by bouncing their traffic between different servers and encrypting the traffic at every step of the way. Unlike the FSB’s clear-web site, the agency’s Tor site does not ask visitors to download some dodgy software before contacting them.

“The application is running for a limited time to ensure your safety,” the instructions for the FSB’s random number generator assure, with just a gentle nudge of urgency. “Do not forget to close the application when finished.”

Yes, don’t forget that. Also, do not forget to incinerate your computer when finished.

Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang

The U.S. Department of Justice said today it has recovered $2.3 million worth of Bitcoin that Colonial Pipeline paid to ransomware extortionists last month. The funds had been sent to DarkSide, a ransomware-as-a-service syndicate that disbanded after a May 14 farewell message to affiliates saying its Internet servers and cryptocurrency stash were seized by unknown law enforcement entities.

On May 7, the DarkSide ransomware gang sprang its attack against Colonial, which ultimately paid 75 Bitcoin (~$4.4 million) to its tormentors. The company said the attackers only hit its business IT networks — not its pipeline security and safety systems — but that it shut the pipeline down anyway as a precaution [several publications noted Colonial shut down its pipeline because its billing system was impacted, and it had no way to get paid].

On or around May 14, the DarkSide representative on several Russian-language cybercrime forums posted a message saying the group was calling it quits.

“Servers were seized, money of advertisers and founders was transferred to an unknown account,” read the farewell message. “Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information.”

A message from the DarkSide and REvil ransomware-as-a-service cybercrime affiliate programs.

Many security experts said they suspected DarkSide was just laying low for a while thanks to the heat from the Colonial attack, and that the group would re-emerge under a new banner in the coming months. And while that may be true, the seizure announced today by the DOJ certainly supports the DarkSide administrator’s claims that their closure was involuntary.

Security firms have suspected for months that the DarkSide gang shares some leadership with that of REvil, a.k.a. Sodinokibi, another ransomware-as-a-service platform that closed up shop in 2019 after bragging that it had extorted more than $2 billion from victims. That suspicion was solidified further when the REvil administrator added his comments to the announcement about DarkSide’s closure (see screenshot above).

First surfacing on Russian-language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. DarkSide says it targets only big companies, and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits.

According to an analysis published May 18 by cryptocurrency security firm Elliptic, 47 cybercrime victims paid DarkSide a total of $90 million in Bitcoin, putting the average ransom payment of DarkSide victims at just shy of $2 million.

HOW DID THEY DO IT?

The DOJ’s announcement left open the question of how exactly it was able to recover a portion of the payment made by Colonial, which shut down its Houston-to-New England fuel pipeline for a week and prompted long lines, price hikes and gas shortages at filling stations across the nation.

The DOJ said law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins (~$3.77 million on May 8), “representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.”

A passage from the DOJ’s press release today.

How it came to have that private key is the key question. Nicholas Weaver, a lecturer at the computer science department at the University of California, Berkeley, said the most likely explanation is that law enforcement agents seized money from a specific DarkSide affiliate responsible for bringing the crime gang the initial access to Colonial’s systems.

“The ‘obtained the private key’ part of their statement is doing a lot of work,” Weaver said, pointing out that the amount the FBI recovered was less than the full amount Colonial paid.

“It is ONLY the Colonial Pipeline ransom, and it looks to be only the affiliate’s take.”

Experts at Elliptic came to the same conclusion.

“Any ransom payment made by a victim is then split between the affiliate and the developer,” writes Elliptic’s co-founder Tom Robinson. “In the case of the Colonial Pipeline ransom payment, 85% (63.75 BTC) went to the affiliate and 15% went to the DarkSide developer.”

The Biden administration is under increasing pressure to do something about the epidemic of ransomware attacks. In conjunction with today’s action, the DOJ called attention to the wins of its Ransomware and Digital Extortion Task Force, which have included successful prosecutions of crooks behind such threats as the Netwalker and SamSam ransomware strains.

The DOJ also released a June 3 memo from Deputy Attorney General Lisa O. Monaco instructing all federal prosecutors to adhere to new guidelines that seek to centralize reporting about ransomware victims.

Having a central place for law enforcement and intelligence agencies to gather and act on ransomware threats was one of the key recommendations of a ransomware task force being led by some of the world’s top tech firms. In an 81-page report, the industry-led task force called for an international coalition to combat ransomware criminals, and for a global network of investigation hubs. Their recommendations focus mainly on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes.

The Good, the Bad and the Ugly in Cybersecurity – Week 23

The Good

Browsers are the means by which almost all of us interact with the internet and are one of the few applications on any device that a user is almost guaranteed to use. Given their central role in our digital lives, anything that improves browser security is more than good news. This week saw two major browsers roll out updates with added security features.

Google’s Chrome browser is being given a new download protection feature that not only allows it to scan files for malware but also to send the file to Google to be scanned for deeper analysis in real time. On top of that, Chrome 91’s Enhanced Safe Browsing feature offers additional protection when installing extensions from the Chrome Web Store, a known vector for all sorts of adware and other malicious software. New developers will also not be given automatic trust by Enhanced Safe Browsing, preventing malware authors from circumventing detections just by spinning up a new developer identity.

This week also saw the release of Firefox 89. While the new ‘Proton’ UI was the headline news, it may have slipped under the radar that the new version extends protection against cross-site cookie tracking to Private Browsing windows by default. Mozilla claims that “Firefox’s Private Browsing windows have the most advanced privacy protections of any major browser’s private browsing mode.” Good to know.

The Bad

This week’s raft of ransomware attacks includes incidents affecting the Steamship Authority of Massachusetts, FujiFilm, and JBS. While details of the first two are still incoming, according to the FBI, the REvil ransomware family is behind the recent attack on JBS. “We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice”, the Bureau tweeted on Thursday.

The ransomware attack affected operations in North America and Australia, igniting fears of product shortages and price increases. The REvil ransomware group has been in operation (in its current form) since mid-2019. Their ransomware is distributed via multiple methods, including exploit kits, exploitation, and partnerships with other malware ‘frameworks’. SentinelOne customers have been protected from REvil since the onset of their activity.

SentinelLabs’ senior threat researcher Jim Walter noted that REvil were something of a ‘pioneer’ in the modern ransomware threatscape, “being one of the early adopters of publicly blogging victims and leaning heavily into the ‘double-extortion’ side of things.” Copied by many ransomware operators that followed, Walter said that the actors behind REvil were “early experimenters with auctioning off stolen data. Some auctions were successful, some were not, but potentially data stolen from select victims would have been available to the highest bidder.”

The Ugly

If there’s anyone still out there that doesn’t understand that computer crime is now such big business that it is effectively run in the same way as legitimate businesses, this week’s latest news from the criminal underground should serve to ram home the point.

In a bid to boost knowledge on ways to steal private keys and cryptocurrency wallets, members of a cybercrime forum are being offered over $100,000 in prize money in a competition calling for research papers on cryptocurrency-related topics.

Among the papers submitted were entries showing how to create a phishing website to harvest cryptocurrency wallet keys and seed phrases and how to manipulate cryptocurrency services’ APIs to steal private keys. Incentivising innovation through cash prizes not only shows how developed cybercrime is as an industry but also just how much stolen cash is floating around for investment in further crime.

So, you think you can tell what counts as a computer crime? In other controversial news this week, the U.S. Supreme Court has overturned a lower court’s verdict concerning the meaning and scope of the Computer Fraud and Abuse Act (CFAA). The decision limits the scope of the Act and essentially does not consider it a crime under the CFAA if, for example, a malicious insider abuses their own credentials to steal corporate IP (they may, of course, be guilty of committing offenses under other statutes in so doing).

This is not necessarily a bad thing: the new ruling would not have resulted in convictions such as that handed down to internet activist and campaigner Aaron Swartz, for example, and allays concerns of government overreach in using the CFAA to criminalize trivial computer misuses. However, the decision will undoubtedly prove contentious and could see a re-write of the CFAA as a result.


Xometry is taking its excess manufacturing capacity business public

Xometry, a Maryland-based service that connects companies with manufacturers with excess production capacity around the world, filed an S-1 form with the U.S. Securities and Exchange Commission announcing its intent to become a public company.

Growth aside, it’s clear that Xometry is no modern software business, at least from a revenue-quality profile.

As the global supply chain tightened during the pandemic in 2020, a company that helped find excess manufacturing capacity was likely in high demand. CEO and co-founder Randy Altschuler described his company to TechCrunch this way last September upon the announcement of a $75 million Series E investment:

“We’ve created a marketplace using artificial intelligence to power it, and provide an e-commerce experience for buyers of custom manufacturing and for suppliers to deliver that manufacturing,” Altschuler said at the time. Xometry raised nearly $200 million while private, per Crunchbase data.

With Xometry, companies looking to build custom parts now have the ability to do so in a digital way. Rather than working the phones or starting an email chain, they can go into the Xometry marketplace, define parameters for their project and find a qualified manufacturer who can handle the job at the best price.

As of last September, the company had built relationships with 5,000 manufacturers around the world and had 30,000 customers using the platform.

At the time of that funding round, perhaps it wasn’t a coincidence that the company’s lead investor was T. Rowe Price. When an institutional investor is involved in a late-stage round, it’s usually a sign that the company is ready to start thinking about an IPO. Altschuler said it was definitely something the company was considering and had brought on a CFO, too, another sign that a company is ready to take that next step.

So what do Xometry’s financials look like as it heads to the public markets? We took a look at the S-1 to find out.

The numbers

Xometry makes money in two ways. The first comes from one part of its marketplace, with the company generating “substantially all of [its] revenue” from charging “buyers on its platform.” The other source of Xometry’s top-line revenue is seller-related services, including financial work. The company notes that seller-generated revenues were just 5% of its 2020 total, though it does expect that figure to rise.