HP offers its investors billions in shareholder returns to avoid a Xerox tie-up

To ward off a hostile takeover bid by Xerox, which is a much smaller company, HP (not to be confused with Hewlett Packard Enterprise, a separate public company) is promising its investors billions and billions of dollars.

All investors have to do to get the goods is reject the Xerox deal.

In a letter to investors, HP called Xerox’s offer a “flawed value exchange” that would lead to an “irresponsible capital structure” that was being sold on “overstated synergies.” Here’s what HP is promising its owners if they do allow it to stay independent:

  • About $16 billion worth of “capital return” between its fiscal 2020 and fiscal 2022 (HP’s Q1 fiscal 2020 wrapped January 31, 2020, for reference). According to the company, the figure “represents approximately 50% of HP’s current market capitalization.” TechCrunch rates that as true, before the company’s share-price gains posted after this news became known.
  • That capital return would be made up of a few things, including boosting the company’s share repurchase program to $15 billion (up from $5 billion previously). More specifically, HP intends to repurchase “at least $8 billion of HP shares over 12 months” after its fiscal 2020 meeting. The company also intends to raise its “target long-term return of capital to 100% of free cash flow generation,” allowing for the share purchases and a rising dividend payout (“HP intends to maintain dividend per share growth at least in line with earnings.”)

If all that read like a foreign language, let’s untangle it a bit. What HP is telling investors is that it intends to use all of the cash it generates to reward their ownership of shares in its business. This will come in the form of buybacks (concentrating future earnings on fewer shares, raising the value of held equity) and dividends (rising payouts to owners as HP itself makes more money), powered in part by cost-cutting (boosting cash generation and profitability).

HP is saying, in effect: Please do not sell us to Xerox; if you do not, we will do all that we can to make you money.

Shares of HP are up 6% as of the time of writing, raising the value of HP’s consumer-focused spinout to just under $34 billion. We’ll see what investors choose for the company. But now, how did we get here?

The road to today

You may ask yourself, how did we get here (to paraphrase Talking Heads). It all began last fall when Xerox made it known that it wanted to merge with HP, offering in the range of $27 billion to buy the much larger company. As we wrote at the time:

What’s odd about this particular deal is that HP is the company with a much larger market cap of $29 billion, while Xerox is just a tad over $8 billion. The canary is eating the cat here.

HP never liked the idea of the hostile takeover attempt and the gloves quickly came off as the two companies wrangled publicly with one another, culminating with HP’s board unanimously rejecting Xerox’s offer. It called the financial underpinnings of the deal “highly conditional and uncertain.” HP also was unhappy with the aggressive nature of the offer, writing that Xerox was, “intent on forcing a potential combination on opportunistic terms and without providing adequate information.”

Just one day later, Xerox responded, saying it would take the bid directly to HP shareholders in an attempt to bypass the board of directors, writing in yet another public letter, “We plan to engage directly with HP shareholders to solicit their support in urging the HP Board to do the right thing and pursue this compelling opportunity.”

In January, the shenanigans continued when Xerox announced it was putting forth a friendly slate of candidates for the HP board to replace the ones that had rejected the earlier Xerox offer. And more recently, in an attempt to convince shareholders to vote in favor of the deal, Xerox sweetened the deal to $34 billion or $24 a share.

Xerox wrote that it had ongoing conversations with large HP shareholders, and this might have gotten HP’s attention — hence the most recent offer on its part to make an offer to shareholders that would be hard to refuse. The company’s next shareholder meeting is taking place in April, when we will finally find out the final reckoning.


What is Hacktivism? And Why Should Enterprise Care?

Only a few years ago, the antics of hacktivists regularly populated media headlines with grand stunts and ominous threats, defacing websites, knocking global brands offline and leaking data belonging to multinational, multi-billion dollar corporations. Hacktivists styled themselves as “rebels with a cause” while media headlines typically portrayed them as juvenile script kiddies or malcontents with nothing but mischief on their minds. About the only thing both sides largely agreed on was that hacktivists were collectives acting out of some sense – either noble or misguided (delete as appropriate) – of wider purpose or shared ideology, rather than committing cybercrimes merely for the sake of selfish, financial gain like typical cybercriminals.

Today, hacktivists and hacktivism rarely make the news headlines at all. So what happened to them? Are they still a threat to organizations or has their time been and gone? In this post, we take a look at hacktivism from its origins to the present day, discuss its motivations and explain why hacktivist groups should still be on your threat assessment radar.


What is Hacktivism? Who Are These “Hacktivists”?

Merriam-Webster dictionary defines Hacktivism as “computer hacking (as by infiltration and disruption of a network or website) done to further the goals of political or social activism”.

The term “Hacktivism” was coined in the early 90s by the (in)famous hacker collective, Cult of the Dead Cow. As the word suggests, Hacktivism is a means of collective political or social activism manifested through hacking computers and networks. Hacktivism began as a sub-culture of hacking, gaming and web communities, and allowed technically-inclined individuals to use the connectivity and anonymity of the web to join together with others and operate towards common causes. As such, hacktivists were originally mostly young males who enjoyed surfing the web, visiting forums and newsgroups, sharing information on illegal download sites, chatting in “private rooms” and colluding with like-minded drifters of the net.

The net granted them the opportunity to use any alias they wanted, and using that persona they engaged in joint adventures from pursuing pornographic materials, sharing pirated copies of desired software, pranks and sometimes illegal activities – mostly aimed at “The establishment”. Some of the more widely known groups to have caught public attention connected with Hacktivism are Anonymous, Lulzsec, and the Syrian Electronic Army. 

Here we come to the second trait of the hacktivists – the desire to “fight” against a common enemy. When the world became more connected, these individuals realized that they could act (with minimal personal risk) against others. But these activities (which soon became known as “Operations” or “Ops”) required more than a handful of online friends. They required an army. So the final ingredient of hacktivism was born – the “Legion”. The new narrative, created over a period of two decades, was that of an underground, faceless army fighting together as a collective to break the chains of the old world.  

What Do Hacktivists Want?

One of the defining characteristics of a hacktivist group is that they are united around some ideology, principle or cause. These can range from political, religious, regional, personal and even anarchist. Perhaps the first hacktivist ‘op’ occurred back in 1989, when, according to Julian Assange, the US Department of Energy and NASA computers were penetrated by the anti-nuclear Worm Against Nuclear Killers (WANK) worm. This might have been the first recorded incident, but it was not widely reported and went mostly unnoticed by the public at large. 

A later incident that occurred in 1994 received much more attention. A group of British activists protested against an “Anti-Rave” law by launching a DDoS attack against British Government websites. The protesters argued that the law was an infringement of people’s basic human rights. 

The following year, Italian protesters engaged in electronic civil disobedience with the first Netstrike, a precursor to automated DDoS attacks which involved individuals repeatedly clicking on a government website link in an attempt to overload the server as a protest, again, against nuclear weapons. At the time it was described as a form of ‘virtual protest’, as the term ‘Hacktivist’ was not widely in use.

Further hacktivist activities happened throughout the 90s and the first decade of the new millennium, but hacktivism only really achieved widespread public attention in later years of that decade. 

The Rise and Fall of Anonymous

By that time, the internet was vastly different than before, in ways that made it possible for hacktivism to leave its mark. Now, major commercial activities were taking place online, governments all over the world were also offering their services online, and millions of users were populating social media sites, YouTube, Reddit, 4chan and others: these communities were all ripe for recruiting people willing to participate in collective, hacktivist campaigns. 

In the early 2000s, one such collective, known as Anonymous, came to define and symbolize the hacktivist movement for a generation. Originating out of 4chan and famous for its use of the Guy Fawkes mask, Anonymous conducted high profile operations against well known “targets” such as the Church of Scientology, Amazon, PayPal, Visa, Mastercard and multiple government sites, including the CIA. Starting in 2011, Anonymous also became affiliated with political struggles such as the “Arab Spring”. 

But like any global movement without any clear structure or ideology, it started to disintegrate into local factions who often fought between themselves. In addition, law-enforcement agencies stepped up their efforts to unmask and prosecute the hacktivists, leading to the arrest of some prominent members of the community, which in turn crippled Anonymous’ ability to organize and execute large-scale attacks.  

Hacktivism Today

If media headlines are anything to go by, it might seem that the hacktivism heyday is over. Recorded Future, which monitors hacktivist activity, recently reported that it had been tracking 28 active hacktivist groups in 2016 but now is only tracking 7 such groups. 

But the headlines don’t quite paint the whole picture. Remnants of Anonymous, as well as hacktivist groups Ghost Squad Hackers, the Sudan Cyber Army and others have been active recently in political events in the Sudan and attacks on the Sudanese Ministry of Defense, for instance. Meanwhile, Anonymous also made threats against both Ecuador and the U.K. governments over the eviction of Julian Assange from Ecuador’s London embassy and his subsequent arrest in 2019. The Ecuadorian government claimed that over 40 million cyberattacks had been launched against government institutions in the wake of Assange’s eviction and arrest.

More recently, hacktivist group Lizard Squad was responsible for an attack on the U.K.’s Labour party during the country’s general election last December. The botnet-powered DDoS attack targeted the then-leader of the party, Jeremy Corbyn, as well as his party’s websites. The group promised more attacks on both government and Labour party websites should Labour win the election (something they failed to do). In the past, Lizard Squad had claimed responsibility for attacks on Sony, Microsoft Xbox and even Taylor Swift, but this was its first known outing for some years. According to one report, the group may have turned to financially motivated crime in the interim, quietly building and hiring out its botnet in a DDoS-for-hire service.

More concerning is that hacktivism just might be taking a much more sinister turn right in front of our eyes. It seems that hacktivism is now being used in ‘false flag’ or covert operations, as nations exchange virtual blows without taking responsibility by means of supposedly “volunteer” hacktivist groups. For instance, in a recent skirmish between Turkish and Greek hacktivists, there were numerous DDoS attacks from both sides. However, the tenacity of the attacks hints that there might be more at play here than mere script kiddies using makeshift tools. 

Following the initial attack and counter-attack (which disabled Turkey’s internet infrastructure for several hours), Turkish hackers unleashed an attack on at least 30 entities, including government ministries, embassies and security services as well as corporations in multiple locations, among them Cyprus, Greece and Iraq. According to Reuters, the target selection hints at the involvement of the Turkish government. This pattern has been utilized around the world by nations such as China, Iran, and Russia – all notorious for operating “non-official” proxies for political goals.

It is likely that hacktivist groups affiliated with certain nations will continue to flourish and may even be given tools, funds and training to allow them to operate in a semi-independent way (as long as they please their masters).

Why Should Enterprise Care About Hacktivism?

Enterprises have enough threat actors to worry about as it is, so are hacktivists really something they need to be concerned about today? 

Hacktivists have been known for attacking enterprises who appeared to them as engaging in activities that were anathema to their ideology, such as Visa refusing to process donations made for Julian Assange, and subsequently being attacked in Operation Payback, as well as the aforementioned attacks on Sony and Microsoft. 

More commonly, enterprises are hit as collateral damage. They can suffer from general disruptions (like nationwide internet service outages), specific denial of service attacks, defacement attacks and attempts to identify and steal sensitive information. 

The rule of thumb is that enterprises and organizations who are closely affiliated with a nation (such as a national bank, or an enterprise named after the said country) are more likely to be attacked. It is true that most of these attacks can be categorized as nuisance, but even short-term website defacement can cause reputation damage, and business disruption through large-scale DDoS attacks and data leaks can even cause actual financial harm. 

Conclusion

As the line between ‘hacktivists’ and state-sponsored APTs starts to blur, and as low cost malware and ransomware-as-a-service (RaaS) options continue to increase in availability, more serious cyber attacks from hacktivists utilising such cyber weapons should be considered as a possibility in your threat assessment. Therefore, it is a good idea to consume threat intelligence covering the latest hacktivist trends and prepare accordingly. 

If you would like to see how SentinelOne can help protect your organization against all kinds of threat actors including hacktivists, please contact us for more information or request a free demo.


Databricks makes bringing data into its ‘lakehouse’ easier

Databricks today announced the launch of its new Data Ingestion Network of partners and the launch of its Databricks Ingest service. The idea here is to make it easier for businesses to combine the best of data warehouses and data lakes into a single platform — a concept Databricks likes to call “lakehouse.”

At the core of the company’s lakehouse is Delta Lake, Databricks’ Linux Foundation-managed open-source project that brings a new storage layer to data lakes that helps users manage the lifecycle of their data and ensures data quality through schema enforcement, log records and more. Databricks users can now work with the first five partners in the Ingestion Network — Fivetran, Qlik, Infoworks, StreamSets, Syncsort — to automatically load their data into Delta Lake. To ingest data from these partners, Databricks customers don’t have to set up any triggers or schedules — instead, data automatically flows into Delta Lake.

“Until now, companies have been forced to split up their data into traditional structured data and big data, and use them separately for BI and ML use cases. This results in siloed data in data lakes and data warehouses, slow processing and partial results that are too delayed or too incomplete to be effectively utilized,” says Ali Ghodsi, co-founder and CEO of Databricks. “This is one of the many drivers behind the shift to a Lakehouse paradigm, which aspires to combine the reliability of data warehouses with the scale of data lakes to support every kind of use case. In order for this architecture to work well, it needs to be easy for every type of data to be pulled in. Databricks Ingest is an important step in making that possible.”

Databricks VP of Product Marketing Bharath Gowda also tells me that this will make it easier for businesses to perform analytics on their most recent data and hence be more responsive when new information comes in. He also noted that users will be able to better leverage their structured and unstructured data for building better machine learning models, as well as to perform more traditional analytics on all of their data instead of just a small slice that’s available in their data warehouse.

Lightspeed leads Laiye’s $42M round to bet on Chinese enterprise IT

Laiye, a Chinese startup that offers robotic process automation services to several major tech firms in the nation and government agencies, has raised $42 million in a new funding round as it looks to scale its business.

The new financing round, Series C, was co-led by Lightspeed Venture Partners and Lightspeed China Partners. Cathay Innovation, which led the startup’s Series B+ round and Wu Capital, which led the Series B round, also participated in the new round.

China has been the hub for some of the cheapest labor in the world. But in recent years, a number of companies and government agencies have started to improve their efficiency with the help of technology.

That’s where Laiye comes into play. Robotic process automation (RPA) allows software to mimic several human behaviors such as keyboard strokes and mouse clicks.

“For instance, a number of banks did not previously offer APIs, so humans had to sign in and fetch the data and then feed it into some other software. Processes like these could be automated by our platform,” said Arvid Wang, co-founder and co-chief executive of Laiye, in an interview with TechCrunch.

The four-and-a-half-year-old startup, which has raised more than $100 million to date, will use the fresh capital to hire talent from across the globe and expand its services. “We believe robotic process automation will achieve its full potential when it combines AI and the best human talent,” he said.

Laiye’s announcement today comes as the market for robotic automation process is still in nascent stage in China. There are a handful of startups looking into this space, but Laiye, which counts Microsoft as an investor, and Sequoia-backed UiPath are the two clear leaders in the market.

As my colleague Rita Liao wrote last year, it was only recently that some entrepreneurs and investors in China started to shift their attention from consumer-facing products to business applications.

Globally, RPA has emerged as the fastest growing market in enterprise space. A Gartner report found last year that RPA market grew over 63% in 2018. Recent surveys have shown that most enterprises in China today are also showing interest in enhancing their RPA projects and AI capabilities.

Laiye today has more than 200 partners and more than 200,000 developers have registered to use its multilingual UiBot RPA platform. UiBot enables integration with Laiye’s native and third-party AI capabilities such as natural language processing, optical character recognition, computer vision, chatbot and machine learning.

“We are very bullish on China, and the opportunities there are massive,” said Lightspeed partner Amy Wu in an interview. “Laiye is doing phenomenally there, and with this new fundraise, they can look to expand globally,” she said.

Zyxel Fixes 0day in Network Storage Devices

Patch comes amid active exploitation by ransomware gangs

Networking hardware vendor Zyxel today released an update to fix a critical flaw in many of its network attached storage (NAS) devices that can be used to remotely commandeer them. The patch comes 12 days after KrebsOnSecurity alerted the company that precise instructions for exploiting the vulnerability were being sold for $20,000 in the cybercrime underground.

Based in Taiwan, Zyxel Communications Corp. (a.k.a “ZyXEL”) is a maker of networking devices, including Wi-Fi routers, NAS products and hardware firewalls. The company has roughly 1,500 employees and boasts some 100 million devices deployed worldwide. While in many respects the class of vulnerability addressed in this story is depressingly common among Internet of Things (IoT) devices, the flaw is notable because it has attracted the interest of groups specializing in deploying ransomware at scale.

KrebsOnSecurity first learned about the flaw on Feb. 12 from Alex Holden, founder of Milwaukee-based security firm Hold Security. Holden had obtained a copy of the exploit code, which allows an attacker to remotely compromise more than a dozen types of Zyxel NAS products without any help from users.

A snippet from the documentation provided by 500mhz for the Zyxel 0day.

Holden said the seller of the exploit code — a ne’er-do-well who goes by the nickname “500mhz” — is known for being reliable and thorough in his sales of 0day exploits (a.k.a. “zero-days,” these are vulnerabilities in hardware or software products that vendors first learn about when exploit code and/or active exploitation shows up online).

For example, this and previous zero-days for sale by 500mhz came with exhaustive documentation detailing virtually everything about the flaw, including any preconditions needed to exploit it, step-by-step configuration instructions, tips on how to remove traces of exploitation, and example search links that could be used to readily locate thousands of vulnerable devices.

500mhz’s profile on one cybercrime forum states that he is constantly buying, selling and trading various 0day vulnerabilities.

“In some cases, it is possible to exchange your 0day with my existing 0day, or sell mine,” his Russian-language profile reads.

The profile page of 500mhz, translated from Russian to English via Google Chrome.

PARTIAL PATCH

KrebsOnSecurity first contacted Zyxel on Feb. 12, sharing a copy of the exploit code and description of the vulnerability. When four days elapsed without any response from the vendor to notifications sent via multiple methods, this author shared the same information with vulnerability analysts at the U.S. Department of Homeland Security (DHS) and with the CERT Coordination Center (CERT/CC), a partnership between DHS and Carnegie Mellon University.

Less than 24 hours after contacting DHS and CERT/CC, KrebsOnSecurity heard back from Zyxel, which thanked KrebsOnSecurity for the alert without acknowledging its failure to respond until they were sent the same information by others.

“Thanks for flagging,” Zyxel’s team wrote on Feb. 17. “We’ve just received an alert of the same vulnerabilities from US-CERT over the weekend, and we’re now in the process of investigating. Still, we heartily appreciate you bringing it to our attention.”

Earlier today, Zyxel sent a message saying it had published a security advisory and patch for the zero-day exploit in some of its affected products. The vulnerable devices include NAS542, NAS540, NAS520, NAS326, NSA325 v2, NSA325, NSA320S, NSA320, NSA310S, NSA310, NSA221, NSA220+, NSA220, and NSA210. The flaw is designated as CVE-2020-9054.

However, many of these devices are no longer supported by Zyxel and will not be patched. Zyxel’s advice for those users is simply “do not leave the product directly exposed to the internet.”

“If possible, connect it to a security router or firewall for additional protection,” the advisory reads.

Holden said given the simplicity of the exploit — which allows an attacker to seize remote control over an affected device by injecting just two characters to the username field of the login panel for Zyxel NAS devices — it’s likely other Zyxel products may have related vulnerabilities.

“Considering how stupid this exploit is, I’m guessing this is not the only one of its class in their products,” he said.

CERT’s advisory on the flaw rates it at a “10” — its most severe. The advisory includes additional mitigation instructions, including a proof-of-concept exploit that has the ability to power down affected Zyxel devices.

EMOTET GOES IOT?

Holden said recent activity suggests that attackers known for deploying ransomware have been actively working to test the zero-day for use against targets. Specifically, Holden said the exploit is now being used by a group of bad guys who are seeking to fold the exploit into Emotet, a powerful malware tool typically disseminated via spam that is frequently used to seed a target with malcode which holds the victim’s files for ransom.

Holden said 500mhz was offering the Zyxel exploit for $20,000 on cybercrime forums, although it’s not clear whether the Emotet gang paid anywhere near that amount for access to the code. Still, he said, ransomware gangs could easily earn back their investment by successfully compromising a single target with this simple but highly reliable exploit.

“From the attacker’s standpoint simple is better,” he said. “The commercial value of this exploit was set at $20,000, but that’s not much when you consider a ransomware gang could easily make that money back and then some in a short period of time.”

Emotet’s nascent forays into IoT come amid other disturbing developments for the prolific exploitation platform. Earlier this month, security researchers noted that Emotet now has the capability to spread in a worm-like fashion via Wi-Fi networks.

“To me, a 0day exploit in Zyxel is not as scary as who bought it,” he said. “The Emotet guys have been historically targeting PCs, laptops and servers, but their venture now into IoT devices is very disturbing.”

DISCLOSURE DEBATE

This experience was a good reminder that vulnerability reporting and remediation can often be a frustrating process. A twelve-day turnaround is fairly quick as these things go, although probably not quick enough for customers using products affected by zero-day vulnerabilities.

It can be tempting when one is not getting any response from a vendor to simply publish an alert detailing one’s findings, and the pressure to do so certainly increases when there is a zero-day flaw involved. KrebsOnSecurity ultimately opted not to do that for three reasons.

Firstly, at the time there was no evidence that the flaw was being actively exploited. Secondly, the vendor had assured DHS and CERT/CC that it would soon have a patch available.

Perhaps most importantly, public disclosure of an unpatched flaw could well have made a bad situation worse, without offering affected users much in the way of information about how to protect their systems.

Many hardware and software vendors include a link from their home pages to /security.txt, which is a proposed standard for allowing security researchers to quickly identify the points of contact at vendors when seeking to report security vulnerabilities. But even vendors who haven’t yet adopted this standard (Zyxel has not) usually will respond to reports at security@[vendordomainhere]; indeed, Zyxel encourages researchers to forward any such reports to security@zyxel.com.tw.

On the subject of full disclosure, I should note that while this author is listed by Hold Security’s site as an advisor, KrebsOnSecurity has never sought nor received remuneration of any kind in connection with this role.

The Good, the Bad and the Ugly in Cybersecurity – Week 8

The Good

“Ring! Ring!”
“Who’s There?”
“Multi-Factor Authentication!!!”

On February 18, Ring (parent company Amazon) announced that it would be implementing new, mandatory layers of security for Ring customer accounts. Specifically, MFA will be required for all customers upon logging in to their Ring accounts. Customers can choose to receive a token via email or SMS as the second method of authentication. These changes come after multiple stories came to light surrounding the hijacking of Ring accounts, and as a result, devices. While not all are accustomed to ‘mandatory’ MFA, this should be viewed as a positive and necessary step forward.

Recent history has already shown that strong controls are required in order to secure these and all other IoT devices. MFA, while not perfect, is a step in the right direction in the ongoing quest to secure IoT devices and services. We all like to resist change, and it can be hard to work against that ‘friction’. However, the same could be said for giving up on floppy disk drives, or headphone jacks, etc. When driving toward the greater good, a small process change (mandatory MFA), which stands between the good guys and the villains, should be seen as an admirable example of moving forward.


The Bad

Critical Plant Shuts Down for Two Days After Ransomware ‘Hits the Gas’

A ransomware attack recently forced the shutdown of a U.S.-based natural gas plant. The infection had a direct effect on safety and operational systems. According to reports, the Department of Homeland Security said that “personnel were prevented from receiving crucial real-time operational data from control and communications equipment”.

It is reported that the attack started with a malicious email. This serves as a great reminder that email is still the top delivery vector for malware. The US Cybersecurity and Infrastructure Security Agency (CISA) released Alert (AA20-049A), providing additional information surrounding the event. The alert confirms the spear-phishing delivery mechanism. This established a foothold on the “IT network” and subsequently pivoted to the OT network, which provided access to HMIs (human machine interfaces), polling servers and historical data storage. CISA states that no PLCs were affected, nor was control lost on any specific system. The shutdown was done in direct response to events as they unfolded, with the decision being made to shut down the plant’s operations in a deliberate and controlled manner.


The Ugly

APT28 and 2019 Attack Campaigns Against Georgia

By now we should all be familiar with APT28 (aka Fancy Bear, G74, Sofacy, Sednit, etc). The state-backed group has been focusing its efforts on high-value targets in the Chemical Engineering, Defense, Government, Industrial Systems, and Intelligence agencies for well over a decade. Notable campaigns include “Pawn Storm”, “Russian Doll”, breaching the International Olympic Committee, and more. This week the UK’s NCSC (National Cyber Security Centre) announced that it was this same group behind a series of cyberattacks against Georgia in October 2019. The NCSC emphasized this claim with “the highest level of probability”.


The attacks in question were focused on a number of Georgian web hosting companies, along with media entities. Multiple Georgian TV stations were forced offline in addition to the defacements and availability attacks. The U.K. has come out strongly on this series of attacks (and subsequent attribution). Britain and Georgia are allies and therefore there are both cyber & political ramifications to the ongoing behavior being observed out of the Russian GRU.

It’s worth noting that attribution stories can be difficult to interpret. In some cases their release is timed strategically to coincide with other world events. Even so, the more of these state-backed groups’ activity is exposed, the better, and when allied nations point the finger together the message carries far more weight.



DSP Concepts raises $14.5M for its Audio Weaver platform

DSP Concepts — a startup whose Audio Weaver software is used by companies as varied as Tesla, Porsche, GoPro and Braun Audio — is announcing that it has raised $14.5 million in Series B funding.

The startup’s goal, as explained to me by CEO Chin Beckmann and CTO Paul Beckmann (yep, they’re a husband-and-wife founding team), is to create the standard framework that companies use to develop their audio processing software.

To that end, Chin told me they were “picky about who we wanted on the B round, we wanted it to represent the support and endorsement of the industry.”

So the round was led by Taiwania Capital, but it also includes investments from the strategic arms of DSP Concepts’ industry partners — BMW i Ventures (which led the Series A), the Sony Innovation Growth Fund by Innovation Growth Ventures, MediaTek Ventures, Porsche Ventures and the ARM IoT Fund.

Paul said Audio Weaver started out as the “secret weapon” of the Beckmanns’ consulting business, which he could use to “whip out” the results of an audio engineering project. At a certain point, consulting customers started asking him, “Hey, how about you teach me how to use that?,” so they decided to launch a startup focused on the Audio Weaver platform.

Audio Weaver - AWE Designer

Paul described the software as a “graphical block diagram editor.” Basically, it provides a way for audio engineers to combine and customize different software modules for audio processing.

“Audio is still in the Stone Ages compared to other industries,” he said. “Suppose you’re building a product with a touchscreen — are you going to write the graphics from scratch or use a framework like Qt?”

Similarly, he suggested that while many audio engineers are still “down in the weeds writing code,” they can take advantage of Audio Weaver’s graphical interface to piece everything together, as well as the company’s “hundreds of different modules — pre-written, pre-tested, pre-optimized functions to build up your system.”

For example, Paul said that by using the Audio Weaver platform, DSP Concepts engineers could test out “hundreds of ideas” for algorithms for reducing wind noise in the footage captured by GoPro cameras, then ultimately “hand the algorithms over to GoPro,” whose team could then plug the algorithms into their software and modify them themselves.

The Beckmanns said the company also works closely with chip manufacturers to ensure that audio software will work properly on any device powered by a given chipset.

Other modules include TalkTo, which is designed to give voice assistants like Alexa “super-hearing,” so that they can still isolate voice commands and cancel out all the other noise in loud environments, even rock concerts. (You can watch a TalkTo demo in the video below.)

DSP Concepts has now raised more than $25 million in total funding.

 

Sasa Software Partners with SentinelOne to Offer NextGen AI-driven Security

Attackers never stop innovating. We know that, motivated by the rich prizes that await criminals that can penetrate a business network, threat actors will always look for new solutions and workarounds in their quest to beat enterprise security. It’s why defenders never stand still either, and seamlessly integrating new layers of defense is a key part of staying on top of the cyber security challenge while maintaining business productivity and flexibility. As part of meeting that challenge, we’re pleased to announce that Sasa Software has partnered with SentinelOne to integrate the SentinelOne NextGen AI engine into the Sasa Software GateScanner CDR technology. In this post, we’ll explain what this means and how it works.


What is Content Disarm and Reconstruction?

Content Disarm and Reconstruction (CDR) is designed to provide a safe, hassle-free solution for the prevention of file-based attacks. Instead of relying on signature-based scanning or sandbox behavioral analysis, the technology breaks the file into its component parts and rebuilds a new file from them, omitting every element that could carry active or malformed content, before the file enters the organization.


This approach, championed by Sasa Software, has matured to the point that Gartner called the technology a “Best Practice” in its recent Hype Cycle for Threat-Facing Technologies, noting that “CDR protects against exploits and weaponized content that have not been seen before”.
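The disarm step described above, as an added example that is not GateScanner's own code: a minimal CDR for OOXML (Word) packages in Python, using only the standard library. The deny-by-pattern policy, the constructed sample document and the function names (`disarm`, `inspect_package`, `build_sample_docm`) are assumptions made for illustration; a production engine also re-renders content, flattens embedded objects and normalises every part rather than copying the survivors through.

```python
"""Minimal Content Disarm and Reconstruction for OOXML (Word) packages.

Added example, not Sasa Software's GateScanner code. It follows the CDR
principle from the text: unpack the file into parts, drop the parts that
carry active content, repair the metadata that referenced them, and write
a fresh container. Covers VBA macros and OLE parts only.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = ("application/vnd.openxmlformats-officedocument."
            "wordprocessingml.document.main+xml")
# Deny-by-pattern policy (an assumption for this example): the VBA storage
# and any embedded OLE/ActiveX binary. ".bin" also removes benign printer
# settings parts, the usual CDR trade-off of fidelity for safety.
ACTIVE_PART_SUFFIXES = ("vbaProject.bin", "vbaData.xml", ".bin")

def _is_active_part(name: str) -> bool:
    return name.endswith(ACTIVE_PART_SUFFIXES)

def _strip_rels(xml_bytes: bytes) -> bytes:
    """Remove relationships whose Target is a dropped part (no dangling refs)."""
    root = ET.fromstring(xml_bytes)
    for rel in list(root):
        if _is_active_part(rel.get("Target", "")):
            root.remove(rel)
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def _strip_content_types(xml_bytes: bytes, dropped: set) -> bytes:
    """Drop <Override> entries for removed parts and downgrade the main part
    from the macro-enabled content type to the plain document type."""
    root = ET.fromstring(xml_bytes)
    for entry in list(root):
        if entry.get("PartName", "").lstrip("/") in dropped:
            root.remove(entry)
        elif entry.get("ContentType") == MACRO_CT:
            entry.set("ContentType", PLAIN_CT)
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def disarm(package: bytes):
    """Rebuild an OOXML package without active content.
    Returns (clean_package_bytes, sorted list of dropped part names)."""
    src = zipfile.ZipFile(io.BytesIO(package))
    dropped = {n for n in src.namelist() if _is_active_part(n)}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in dropped:
                continue
            data = src.read(name)
            if name.endswith(".rels"):
                data = _strip_rels(data)
            elif name == "[Content_Types].xml":
                data = _strip_content_types(data, dropped)
            # Every surviving part is re-written into a new archive, so the
            # original zip metadata (extra fields, comments) is discarded too.
            dst.writestr(name, data)
    return out.getvalue(), sorted(dropped)

def inspect_package(package: bytes) -> dict:
    """Summarise a package for a before/after comparison."""
    zf = zipfile.ZipFile(io.BytesIO(package))
    ct = zf.read("[Content_Types].xml")
    rels = b"".join(zf.read(n) for n in zf.namelist() if n.endswith(".rels"))
    return {"parts": sorted(zf.namelist()),
            "macro_enabled": b"macroEnabled" in ct,
            "references_vba": b"vbaProject" in rels or b"vbaProject" in ct}

def build_sample_docm() -> bytes:
    """Constructed macro-enabled document skeleton; the VBA part is an inert
    placeholder, not a real macro."""
    parts = {
        "[Content_Types].xml":
            f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_CT}"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '</Types>',
        "_rels/.rels":
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
            'Target="word/document.xml"/></Relationships>',
        "word/document.xml":
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels":
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" '
            'Target="vbaProject.bin"/></Relationships>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"AutoOpen placeholder (constructed, inert)",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docm()
    clean, dropped = disarm(sample)
    print("before:", inspect_package(sample))
    print("dropped:", dropped, "\nafter:", inspect_package(clean))
```

The check worth keeping from this is the consistency step: removing `vbaProject.bin` alone leaves a relationship and a content-type override pointing at a missing part, which Office treats as a corrupt file. Disarming means repairing the references and downgrading the document type, not just deleting the dangerous blob.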

How SentinelOne Fits Into the Picture

To pre-emptively block files that are known to be malicious, GateScanner runs them through multiple highly optimized AV engines that detect threats by signature. Malware, however, can be mutated cheaply to evade these “static” engines. Adding a scan with the SentinelOne AI engine makes it possible to catch malicious files on their characteristics alone, even when they are entirely novel, never-before-seen malware.

By incorporating the SentinelOne Nexus Embedded SDK, Sasa Software GateScanner Content Disarm and Reconstruction technology can now use SentinelOne’s predictive models to classify files as benign or malicious from their characteristics, without signatures or cloud lookups. Classification completes within milliseconds and reports which characteristics of the analyzed file were indicative of maliciousness. For example, an executable may be classified as malicious because of its high entropy or an unusual binary layout.

How SentinelOne Helps With Files That Cannot Be Disarmed

Technically, the SentinelOne Nexus SDK has been embedded as an additional scanning technology in Sasa Software’s CDR engines as part of the “Deep Threat Scans” capability.

The combined process begins by scanning files with multiple highly optimized AV engines, SentinelOne included. Every file that can be disarmed then continues to the disarm process, which neutralizes attacks that no scanner detects.

In addition, the SentinelOne Nexus SDK provides a significant new capability for customers who must accept files that cannot be disarmed without breaking them, including binaries (PEs) and documents whose active content, such as MS-Office macros or PDF scripts, is required. This is especially crucial for OT network users, who routinely bring in SCADA updates, control files and other operational files that cannot be disarmed.

SentinelOne’s AI technology is able to extract features from a given file and predict whether the file is a threat or not, based on a statistical model trained on millions of samples to correlate features of both malicious and benign files.
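As an added example (not SentinelOne's SDK, model or feature set), the kind of static features the two paragraphs above refer to, pulled from a PE32 image with the Python standard library: file and per-section Shannon entropy, a writable-and-executable section, and an entry point that lands outside every section. The 7.2 bits/byte packing threshold, the indicator-count score standing in for the trained model, and the two constructed images are assumptions for illustration.

```python
"""Static PE features of the kind a file classifier consumes.

Added example, not SentinelOne's Nexus SDK or its model. It extracts a few
features from a PE32 image (file and per-section Shannon entropy, a W+X
section, an entry point outside every section) and replaces the trained
model with a hand-written indicator count, so the score is illustrative.
"""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_ENTROPY = 7.2  # bits/byte (assumed threshold); packed data sits near 8.0
OPT_HDR_SIZE = 224    # PE32 optional header

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(image: bytes):
    """Return (entry_point_rva, [section dicts]); ValueError on a bad header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _m, nsect, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl, chars = \
            struct.unpack_from("<8sIIIIIIHHI", image, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "vsize": vsize, "chars": chars,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
        off += 40
    return entry_rva, sections

def extract_features(image: bytes) -> dict:
    entry, sections = parse_sections(image)
    inside = any(s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], 1) for s in sections)
    return {
        "file_entropy": round(shannon_entropy(image), 3),
        "max_section_entropy": round(max((s["entropy"] for s in sections), default=0.0), 3),
        "has_wx_section": any(s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE
                              for s in sections),
        "entry_outside_sections": not inside,
        "section_count": len(sections),
    }

def suspicion_score(features: dict) -> int:
    """Stand-in for the model: how many indicators fire (0-4)."""
    return sum([features["max_section_entropy"] > PACKED_ENTROPY,
                features["has_wx_section"],
                features["entry_outside_sections"],
                features["section_count"] == 0])

def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for packed/encrypted code."""
    blocks = (hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed minimal PE32 image from (name, vaddr, data, characteristics) tuples."""
    hdr_len = 0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * len(sections)
    raw_ptr = first_raw = (hdr_len + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    table, blobs = b"", b""
    for name, vaddr, data, chars in sections:
        size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                             size, raw_ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(size, b"\0")
        raw_ptr += size
    return (dos + coff + bytes(opt) + table).ljust(first_raw, b"\0") + blobs

if __name__ == "__main__":
    benign = build_pe([(b".text", 0x1000, b"\x90" * 200 + b"\xc3", 0x60000020)], 0x1000)
    packed = build_pe([(b"UPX1", 0x1000, pseudo_random_bytes(4096), 0xE0000020)], 0x9000)
    for label, img in (("benign-looking", benign), ("packed-looking", packed)):
        f = extract_features(img)
        print(label, f, "score", suspicion_score(f))
```

Two caveats a practitioner would attach. Entropy alone is a weak signal: legitimately compressed resources, installers and signed packed binaries also score high, which is exactly why a trained model weighs many features together instead of thresholding one. And the parser must treat the header fields as hostile input (here it only checks the two magics), since a classifier that crashes on a malformed `NumberOfSections` is itself a bypass.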

With this technology, customers can be assured that they are getting the best protection available anywhere, today.


Conclusion

Sasa Software engineers have worked closely with the R&D team at SentinelOne to verify the effectiveness and performance of the solution in detecting highly mutated and previously unknown malware. The Sasa Software GateScanner Content Disarm and Reconstruction technology integrated with SentinelOne Advanced AI engine is available to all Sasa Software customers across all solutions: Portable (USB) media security, Email, Appliance Security, APIs, and Sasa’s new multi-route Security Dome. Please contact SentinelOne or Sasa Software to learn how you can enjoy using the SentinelOne AI engine today. 



Cloud spending said to top $30B in Q4 as Amazon, Microsoft battle for market share

We all know the cloud infrastructure market is extremely lucrative; analyst firm Canalys reports that the sector reached $30.2 billion in revenue for Q4 2019.

Cloud numbers are hard to parse because companies often lump cloud revenue into a single bucket regardless of whether it’s generated by infrastructure or software. What’s interesting about Canalys’s numbers is that it attempts to measure the pure infrastructure results themselves without other cloud incomes mixed in:

As an example, Microsoft reported $12.5 billion in total combined cloud revenue for the quarter, but Canalys estimates that just $5.3 billion comes from infrastructure (Azure). Amazon has the purest number with $9.8 billion of a reported $9.95 billion attributed to its infrastructure business. This helps explain why, even though Microsoft reported bigger overall cloud revenue and a higher growth rate, Amazon still holds just under double Microsoft’s market share in IaaS spend.

That’s not to say Microsoft didn’t still have a good quarter: it garnered 17.6% of infrastructure revenue for the period, up from 14.5% in the same quarter a year ago. Amazon, meanwhile, lost a bit of ground, according to Canalys, dropping from 33.4% in Q4 2018 to 32.4% in the most recent quarter.

Part of the reason is that Microsoft is growing at close to twice the rate of Amazon: 62.3% versus Amazon’s 33.2%.

Meanwhile, number-three vendor Google came in at $1.8 billion in pure infrastructure revenue, good for 6% of the market, up from 4.9% a year ago on a growth rate of 67.6%. Google reported $2.61 billion in overall cloud revenue, but that included software. Despite the smaller results, it was a good quarter for the Mountain View-based company.

BluBracket scores $6.5M seed to help secure code in distributed environments

BluBracket, a new security startup from the folks who brought you Vera, came out of stealth today and announced a $6.5 million seed investment. Unusual Ventures led the round with participation by Point72 Ventures, SignalFire and Firebolt Ventures.

The company was launched by Ajay Arora and Prakash Linga, who until last year were CEO and CTO respectively at Vera, a security company that helps companies secure documents by having the security profile follow the document wherever it goes.

Arora says he and Linga are entrepreneurs at heart, and they were itching to start something new after more than five years at Vera. While Arora still sits on the Vera board, they decided to attack a new problem.

He says that the idea for BluBracket actually came out of conversations with Vera customers, who wanted something similar to Vera, except to protect code. “About 18-24 months ago, we started hearing from our customers, who were saying, ‘Hey you guys secure documents and files. What’s becoming really important for us is to be able to share code. Do you guys secure source code?’”

That was not a problem Vera was suited to solve, but it was a light-bulb moment for Arora and Linga, who saw an opportunity and decided to seize it. Recognizing that the way development teams operate has changed, they started BluBracket and developed a pair of products to handle the problems particular to a distributed set of developers working out of a Git repository, whether that’s GitHub, GitLab or Bitbucket.

The first product is BluBracket CodeInsight, an auditing tool available starting today. It gives companies visibility into who has pulled code out of the Git repository. “Once they have a repo, and then developers clone it, we can help them understand what clones exist on what devices, what third parties have their code, and even be able to search open source projects for code that might have been pushed into open source. So we’re creating what we call a blueprint of where the enterprise code is,” Arora explained.

The second tool, BluBracket CodeSecure, which won’t be available until later in the year, is how you secure that code, including the ability to classify code by level of importance. Code tagged with the highest level of importance gets special status, and companies can attach rules to it, such as forbidding its distribution to an open source folder without explicit permission.

They believe the combination of these tools will enable companies to maintain control over the code, even in a distributed system. Arora says they have taken care to make sure that the system provides the needed security layer without affecting the operation of the continuous delivery pipeline.

“When you’re compiling or when you’re going from development to staging to production, in those cases because the code is sitting in Git, and the code itself has not been modified, BluBracket won’t break the chain,” he explained. If you tried to distribute special code outside the system, you might get a message that this requires authorization, depending on how the tags have been configured.

This is very early days for BluBracket, but the company takes its first steps as a startup this week and emerges from stealth next week at the RSA security conference in San Francisco. It will be participating in the RSA Sandbox competition for early security startups at the conference, as well.