Ransomware Bites 400 Veterinary Hospitals

National Veterinary Associates (NVA), a California company that owns more than 700 animal care facilities around the globe, is still working to recover from a ransomware attack late last month that affected more than half of those properties, separating many veterinary practices from their patient records, payment systems and practice management software. NVA says it expects to have all facilities fully back up and running normally within the next week.

Agoura Hills, Calif.-based NVA bills itself as the largest private owner of freestanding veterinary hospitals in the United States. The company’s Web site says it currently owns roughly 700 veterinary hospitals and animal boarding facilities in the United States, Canada, Australia and New Zealand.

NVA said it discovered the ransomware outbreak on the morning of Sunday, Oct. 27, and soon after hired two outside security firms to investigate and remediate the attack. A source close to the investigation told KrebsOnSecurity that NVA was hit with Ryuk, a ransomware strain first spotted in August 2018 that targets mostly large organizations for a high-ransom return.

NVA declined to answer questions about the malware, or whether the NVA paid the ransom demand.

“It was ransomware, but we’ve been referring to it as a malware incident,” said Laura Koester, NVA’s chief marketing officer.

Koester said that because every NVA hospital runs its IT operations as it sees fit, not all were affected. More importantly, she said, all of the NVA’s hospitals have remained open and able to see clients (animals in need of care), and access to patient records has been fully restored to all affected hospitals.

“For a few days, some [pet owners] couldn’t do online bookings, and some hospitals had to look at different records for their patients,” Koester said. “But throughout this whole thing, if there was a sick animal, we saw them. No one closed their doors.”

The source close to the investigation painted a slightly less rosy picture of the situation at NVA, and said the company’s response has been complicated by the effects of wildfires surrounding its headquarters in Los Angeles County: A year ago, a destructive wildfire in Los Angeles and Ventura Counties burned almost 100,000 acres, destroyed more than 1,600 structures, killed three people and prompted the evacuation of nearly 300,000 people — including all residents of Agoura Hills.

“The support center was scheduled to be closed on Friday Oct 25, 2019 due to poor air quality caused by wildfires to the north,” said the source, who asked to remain anonymous. “Around 2 am PT [Oct. 27], the Ryuk virus was unleashed at NVA. Approximately 400 locations were infected. [Microsoft] Active Directory and Exchange servers were infected. Many of the infected locations immediately lost access to their Patient Information Management systems (PIMs). These locations were immediately unable to provide care.”

The source shared internal communications from different NVA executives to their hospitals about the extent of the remediation efforts and possible source of the compromise, which seemed to suggest that at least some NVA properties have been struggling to accommodate patients.

A missive from NVA’s Director of Operations Robert Hill on Oct. 30 acknowledged that “we continue to be faced with a monumental effort to restore IT service [to] nearly 400 of our hospitals.”

“This really hit home for me Saturday,” Hill wrote. “One of my best friends had to take his Yellow Lab into Conejo Valley for urgent care. Thankfully CV was able to provide care as their [systems] were up and running, but many of our hospitals are not in as good shape.”

In an update sent to NVA hospitals on Nov. 6, the company’s new head of technology Greg Hartmann said its security system successfully blocked the ransomware from infiltrating its systems — at least at first.

“Because of the scale of the attack, the virus eventually found three smaller points of entry through accounts that were unaffiliated with NVA, but unfortunately opened within our network,” Hartmann said. “Upon discovery of the incident, our technology team immediately implemented procedures to prevent the malware from spreading; however, many local systems were affected. Still, we have many hospitals whose systems are not recovered. The technology team continues to set up interim workstations at each affected hospital while they prepare to rebuild servers.”

The source told KrebsOnSecurity that NVA suffered a separate ransomware infestation earlier this summer that also involved Ryuk, and they expressed concern that the first incident may not have been fully remediated — potentially letting the attackers maintain a foothold within the organization.

“This is the second time this year Ryuk struck NVA,” the source said. “The first time, NVA was rather open to all facilities about what happened. This time, however, they are simply referring to it as a ‘system outage.’”

A set of talking points NVA distributed to staff on Oct. 27, the day some 400 veterinary hospitals were hit with the Ryuk ransomware.

Koester said some NVA facilities did get hit with a malware incident earlier this year, but that she did not believe ransomware was involved in that intrusion.

The Ryuk ransomware has made a name for itself going after businesses that supply services to other companies — particularly cloud-data firms — with the ransom demands set according to the victim’s perceived ability to pay. In February, payroll software provider Apex Human Capital Management chose to pay the ransom demand after a Ryuk infection severed payroll management services for hundreds of the company’s customers. And on Christmas Eve 2018, cloud hosting provider Dataresolution.net suffered a multi-week outage after a Ryuk attack.

According to a bulletin released by the FBI in May, cybercriminals had targeted over 100 U.S. and international businesses with Ryuk since August 2018. Security firm CrowdStrike estimated that attackers deploying Ryuk had netted over $3.7 million in bitcoin ransom payments between Aug. 2018 and January 2019.

Many people and organizations may be under the impression that ransomware attacks like Ryuk can appear at a moment’s notice merely from someone clicking a malicious link or opening a booby-trapped email attachment. While the latter appears to be the most common vector for ransomware infestations, an advisory released in September by the U.K.’s National Cyber Security Centre suggests most Ryuk victims are compromised weeks or months before the ransomware is actually deployed inside the victim’s network.

“The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months – which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximizing the impact of the attack,” reads the NCSC advisory, which includes tips on spotting signs of a Ryuk infection. “But it may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied.”

As for what changes NVA will be making to prevent yet another ransomware outbreak, an internal update on Nov. 7 from NVA’s chief information officer Joe Leggio said NVA was investing in software from Carbon Black, a cloud-based security solution that will be installed on all NVA property computers.

“Throughout my career, I have witnessed incredible advances in technology making our lives better,” Leggio wrote. “At nearly the same rate, the bad guys have been increasing the aggressiveness and sophistication of their attacks. As we rebuild, we are also thinking of the future. That is why we are investing in cybersecurity talent, new infrastructure, and better software.”

The Education Sector and the Increasing Threat from Cybercrime

Last September, just when teachers, parents and children across the nation were looking forward to the beginning of the school year, parents in New York’s Orange County received an unwelcome announcement. The superintendent of Monroe-Woodbury school district had been forced to inform them that the school would remain closed as a result of a cyber attack that had disrupted the district’s computer systems.

Monroe-Woodbury is just one of the many schools and educational institutions in the United States and throughout the world whose operations have been disrupted by cyber criminals. Earlier, in the summer, Rockville and Mineola school districts were targeted with Ryuk ransomware. In all, over 500 attacks against US public schools have been reported in 2019 to date.


How Does Cybercrime Affect Education?

According to a recent report, the education sector was the most affected of all U.S. business sectors in 2018 and the first half of 2019. Threats range from nuisance adware to serious malware like trojans, backdoors and, of course, ransomware – a malicious file that encrypts system files and information on endpoints and servers. Schools hit by ransomware attacks are denied access to vital information until they pay a ransom in cryptocurrency (most often Bitcoin).

Apart from the direct financial damage caused by this kind of attack (one Long Island school paid about $100,000 to release its systems in August, and Rockville Centre School District paid $88,000 that month), the inability to access computer systems paralyses the academic institution. The cost of the damage only accelerates the longer the school is unable to send emails, record working hours or allocate classrooms and study resources, including school computers and Internet access necessary for many learning activities.

Schools that refuse to pay can be incapacitated for extended periods of time – like Walcott County, Connecticut, which suffered a ransomware attack three months ago and was locked out of its affected devices until early September, when the ransom payment was finally approved by the county board.

The now-infamous Emotet malware has also been striking schools, with attackers using spearphishing to infect systems with the malware trojan. As many services are now entirely computerized, this can even affect infrastructure like heating and cooling, cafeteria services and security systems. The K-12 Cyber Incidents map provides a graphic overview of just how widespread the problem is.


It’s not only schools that are being targeted either. Higher education institutions are also vulnerable to cyber attacks. A number of US universities and colleges have suffered from ransomware attacks, information leaks, and email hacking in the past year. Unlike schools, universities and academic institutes are also being targeted by more sophisticated attackers interested in stealing the intellectual property (IP) and research data produced there.

In one such sophisticated attack, hackers exploited a weakness in the ERP system used by many US universities, Ellucian Banner. Approximately 62 universities were attacked and the threat actors gained access to student registration systems, financial data and personal information. Fortunately, in this case the breach was quickly identified by the US Department of Education, which limited the impact of the incident.

The situation in other parts of the world is just as bad. In Australia, the head of the local intelligence agency was recruited to inform universities about cyber threats and ways of prevention. This was one of the initiatives put in place after an extremely sophisticated threat actor compromised ANU and persisted within the university’s network for months at a time.

In the UK, in April of this year, penetration testing conducted by JISC, the government agency that provides many computerized services to UK academic bodies, tested the defenses of over 50 British universities. The results were unflattering: the pen testers scored a 100% success rate, gaining access to every single system they tested. Defense systems were bypassed in as little as an hour in some cases, with the ethical hackers easily able to gain access to information such as research data and financial systems, as well as staff and student personal information.

Why Are Schools and Colleges Targeted by Cyber Criminals?

It is no coincidence that schools are among the most attacked. Schools manage substantial sums of money, store personal information for students and teachers, and connect with a large number of external bodies and providers and, of course, parents, who primarily communicate with the school via email. This means that the school has a very large attack surface.

Coupled with enticing rewards is the fact that students make for easy victims of phishing scams. Students’ lack of experience, combined with a tendency to use simple passwords across multiple services, makes them prone to credential harvesting and password-spraying attacks. In one incident this past September, over 3000 Kent State student emails were hacked in this way. In addition, the awareness of parents, teachers and faculty regarding cyber risks is often much lower in education than in other sectors.

Further exacerbating the security situation is that educational establishments typically have a limited number of staff dedicated to security. Unlike banks, schools typically do not have dedicated information security personnel engaged in 24/7 protection.

How Can Schools Defend Against Cybercrime?

In the absence of the kind of dedicated resources typically found in other sectors, such as SOC teams and in-house red teamers or penetration testers, the defense systems installed in educational organizations carry a greater burden and must deal effectively with threats. A solution that can autonomously detect and respond to attacks can help mitigate the lack of human resources, so that the intervention of professionals is required only in the event of a particularly severe attack.

In the case of ransomware, the source of the attack is most likely to be an infected file sent via email. In such cases, the EDR protection system must identify the file as soon as it tries to install itself on the endpoint, disable it and delete it from this and all other endpoints across the organization. This will stop the attack at the infection phase and prevent the loss of services in the educational institution. Similarly, a solution that can roll back a device to a healthy state, including decrypting encrypted files, should be high on the institution’s security shopping list.

Perhaps Schools Are Also The Beginning of the Solution?

As we’ve seen, schools and academia are in the crosshairs of cyber criminals, and will continue to be so for the foreseeable future. But educational institutions can also offer some hope of future relief. Policy makers understand that cyber education should start at an early age, and that educating young people about cybersecurity could lead to them one day becoming the cybersecurity professionals so badly needed in the industry nowadays.

Northport High School, for example, is leading the way in offering classes in topics such as network concepts, security concepts, identifying threats and cryptography. The school also offers the after-hours CyberPatriot program, which aims to inspire K-12 students towards careers in cybersecurity.

Similar programs across the US and UK could eventually improve individuals’ resilience and help curb the explosion of cybercrime. They would also produce young adults who are proficient in cybersecurity and naturally inclined to join the industry upon graduation.

Educational authorities are also becoming increasingly aware of the need for greater funding to train educational staff in areas such as email security, USB device safety and phishing awareness. In Massachusetts, for example, $250,000 has been earmarked to provide cybersecurity awareness training to over 42,000 school employees in 94 municipalities.

Conclusion

The importance of protecting our education system from cyber crime cannot be overstated. Not only do schools, colleges and universities provide vital services to our society and economy, they are rich treasure troves of sensitive data. From personal information like birth records, educational history, social security numbers and financial data to intellectual property and cutting-edge research, the data held by these organizations is among the most useful to cyber criminals and advanced threat actors. And yet, these storehouses of precious data are perhaps among the least well-defended and under-funded in terms of cybersecurity. As a result, it’s imperative that administrators and policy makers address these shortcomings as a matter of urgency.


Ohi raises $2.75M to power same-day delivery for brands that aren’t Amazon

The world has gotten so much faster. Amazon has made two-day shipping the standard and same- or next-day shipping commonplace. And that doesn’t even include the collection of on-demand players that can get us everything from groceries to alcohol to services like concierge storage and in-home cleaning with the press of a button.

But the logistics around same- or next-day delivery are incredibly complicated, which usually means that only the biggest, most successful brands and platforms can pull it off.

Enter Ohi.

Ohi was founded last year by Ben Jones, with a mission to democratize e-commerce by offering Amazon-level speed to smaller brands. The company today announced the close of a $2.75 million seed round led by Flybridge Capital Partners.

Ohi partners with landlords to turn what would normally be leased as commercial retail property or office space into micro-warehouses within major cities. The company then offers those warehouses on flexible leases that can be as short as three months, which helps D2C brands distribute their inventory and power same- or next-day delivery of their products. Ohi employs 1099 workers to handle pick and pack at warehouses, and partners with Postmates and Doordash for last-mile courier services.

Eventually, Ohi has plans to turn this into a full-fledged platform, paying landlords based on volume. For now, however, the startup is doing traditional leases with landlords, taking on more of a financial risk with the spaces, as it scales up the brand side of the platform.

Ohi charges brands a fixed monthly access fee to the platform, which starts at $750/month. More expensive tiers unlock premium intelligence features around matching inventory to warehouse location, as well as access to more spaces. At the transaction level, Ohi asks for a fee of $2.50 for pick and pack.

Jones says that delivery is actually a higher cost for brands than storage, and that same-day shipping can cost upwards of $50/package for a brand, with same-day pick and pack costing about $10/item. The hope is that Ohi can bring down the price of same-day and next-day delivery by using this Ohi network of commercial space, pick and pack and courier services to compete with Amazon.

Moreover, Ohi believes that the platform can go well beyond bringing down the price of same-day delivery. The company says its brands are also seeing a decrease in cart abandonment when customers see that same-day or next-day delivery option.

Plus, through the data it collects by handling fulfillment for brands, Ohi expects to be able to use its tech to predict demand based on geography and category, helping brands understand their own customers and customers shopping in their particular category.

“There is a lot of positive momentum behind what we’re doing,” said Jones. “Every brand we talk to knows this is the future.”

Jones came up with the idea for Ohi after suffering a serious back injury that left him for more than a year unable to get around easily or carry things. This forced him into a situation where e-commerce was his only option for just about everything. Many of the orders he placed offered three- to five-day shipping, leaving him waiting for what he needed.

He started to investigate how a service could democratize the convenience of same-day and next-day delivery for brands and their customers. And Ohi was born.

Ohi currently offers its service in Manhattan and Brooklyn in New York City, and is launching in Los Angeles this week.

“The greatest challenge we face is how to scale quickly without making mistakes,” said Jones. “It’s not quite as simple as a piece of software that has one-to-many distribution. We’re actually holding brands’ inventory and there’s a physical aspect to this business that makes it more complex. Making sure we can scale that efficiently without making mistakes is going to be one of the biggest challenges.”

Salesforce, Apple partnership begins to come to life

Last year at Dreamforce, Salesforce’s enormous annual customer conference, Apple and Salesforce announced the beginnings of a partnership where the two organizations would work together to enhance Salesforce products running on Apple devices. Today, as this year’s Dreamforce conference begins, the companies announced the fruits of that labor with general availability of two new tools that were first announced at last year’s event.

For starters, Apple has been working with Salesforce to redesign the Salesforce Mobile app to build Apple iOS features into the app, like being able to use Siri shortcuts to get work done faster, using your voice instead of typing, something that’s sometimes awkward to do on a mobile device.

Hey Siri example in Salesforce Mobile app.

Photo: Salesforce

For instance, you could say, “Hey Siri, next sales meeting,” and Siri can interact with Salesforce CRM to tell you who your meeting is with, the name of his or her company, when you last met and what the Einstein opportunity score is to help you predict how likely it is that you could make a sale today (or eventually).

In addition, the Mobile App takes advantage of Apple’s Handoff feature to reflect changes across devices immediately, and Apple’s Face ID for easy log on to the app.

Salesforce also announced a pilot of Einstein Voice on Salesforce Mobile, allowing reps to enter notes, add tasks and update the CRM database using voice. Einstein is Salesforce’s general artificial intelligence layer, and the voice feature uses natural language understanding to interpret what the rep asks.

The company reports that over 1000 companies participated in piloting the updated app, which constitutes the largest pilot in the history of the organization.

Salesforce also announced its new mobile development platform SDK, built specifically for iOS and iPadOS using the Swift language. The idea is to give Salesforce developers the ability to build apps for iPad and iPhone, then package them up with Swift UI and Package Manager.

Trailhead Go

Photo: Salesforce

Trailhead Go is the mobile version of the company’s online learning platform, designed specifically for iPad and iPhone. It was built using the new Mobile SDK, and allows users to access the same courses they can on the web in a mobile context. The new mobile tool includes the ability to use Handoff between devices, along with support for picture-in-picture and split view for multi-tasking when it makes sense.

Salesforce Mobile and Trailhead Go are available starting today for free in the iOS App Store. The Salesforce Mobile SDK will be available later this year.

As this partnership continues to develop, both companies should benefit. Salesforce gets direct access to Apple features, and can work with Apple to implement them in an optimized way. Apple gets deeper access to the enterprise with help from Salesforce, one of the biggest enterprise software vendors around.

Bill McDermott takes reins as ServiceNow CEO sooner than expected with new CFO

It was pretty unexpected when former SAP CEO Bill McDermott announced he was stepping down in October after a decade in the position. He indicated at that point he would stay until the end of the year to help with the transition to new leadership — then ServiceNow hired him to be its CEO just a few weeks later. Today, the company announced, McDermott has taken over his duties earlier than expected.

The company also announced it has filled its vacant CFO job, hiring Gina Mastantuono, who previously served in similar roles at Ingram Micro and Revlon, and has more than 20 years’ experience in finance.

It was a game of CEO musical chairs when ServiceNow announced on October 22 that former CEO John Donahoe was leaving to be CEO at Nike, and it would be bringing in McDermott to replace him.

Ray Wang, founder and principal analyst at Constellation Research, says all of these changes had a cascading impact, and once Donahoe decided to leave early, everything else happened much faster than planned. “The original plan was to have a transition in January, however there was an urgency on Donahoe’s side to get the Nike thing wrapped up. One of the key reasons to do this early [from a business perspective] is to get the sales team and sales kickoff aligned for 2020. The other reason is providing the same smooth transition for SAP’s co-CEOs Jennifer Morgan and Christian Klein,” Wang told TechCrunch.

It is a time of transition for ServiceNow, having to replace both a CFO and CEO, but they landed two experienced pros, who should help continue to guide the company into the future. The company has stated that it hopes to eventually achieve a $10 billion revenue goal under the new leadership team.

As I wrote in a piece analyzing his move to ServiceNow, McDermott seemed to fully embrace that challenge, even though he has a ways to go:

McDermott has his work cut out for him. The company’s 2018 revenue was $2.6 billion. Still, he fully embraced the $10 billion challenge. “Well let me answer that very simply, I completely stand by [the $10 billion goal], and I’m looking forward to achieving it,” he said with bravado during today’s call.

Mastantuono has a lot in common with McDermott, who also came from a much larger organization to help lead ServiceNow to the next level. At her previous position at Ingram Micro she led finance for a company with $50 billion in revenue and more than 200,000 customers.

Mastantuono sees a company with great potential as she takes over to guide the financial side of the organization. “ServiceNow is highly regarded by its customers and has tremendous momentum and opportunity to enable digital transformation and help make work, work better for people,” she said in a statement.

The new leadership duo has its work cut out for it, but it’s a company with lots of room for growth. It will now be up to McDermott and Mastantuono to lead it into that next phase.

Gremlin brings Chaos Engineering as a Service to Kubernetes

The practice of Chaos Engineering developed at Amazon and Netflix a decade ago to help those web scale companies test their complex systems for worst-case scenarios before they happened. Gremlin was started by a former employee of both these companies to make it easier to perform this type of testing without a team of Site Reliability Engineers (SREs). Today, the company announced that it now supports Chaos Engineering-style testing on Kubernetes clusters.

The company made the announcement at the beginning of KubeCon, the Kubernetes conference taking place in San Diego this week.

Gremlin co-founder and CEO Kolton Andrus says that the idea is to be able to test and configure Kubernetes clusters so they will not fail, or at least to reduce the likelihood. He says to do this it’s critical to run chaos testing (tests of mission-critical systems under extreme duress) in live environments, whether you’re testing Kubernetes clusters or anything else, but it’s also a bit dangerous to be doing this. He says that to mitigate the risk, best practices suggest you limit the experiment to the smallest test possible that gives you the most information.

“We can come in and say I’m going to deal with just these clusters. I want to cause failure here to understand what happens in Kubernetes when these pieces fail. For instance, being able to see what happens when you pause the scheduler. The goal is being able to help people understand this concept of the blast radius, and safely guide them to running an experiment,” Andrus explained.

In addition, Gremlin is helping customers harden their Kubernetes clusters to help prevent failures with a set of best practices. “We clearly have the tooling that people need [to conduct this type of testing], but we’ve also learned through many, many customer interactions and experiments to help them really tune and configure their clusters to be fault tolerant and resilient,” he said.

The Gremlin interface is designed to facilitate this kind of targeted experimentation. You can check the areas you want to apply a test, and you can see graphically which parts of the system are being tested. If things get out of control, there is a kill switch to stop the tests.

Gremlin Kubernetes testing screen (Screenshot: Gremlin)

Gremlin launched in 2016. Its headquarters are in San Jose. It offers both a freemium and pay product. The company has raised almost $27 million, according to Crunchbase data.

18 months after acquisition, MuleSoft is integrating more deeply into Salesforce

A year and a half after getting acquired by Salesforce for $6.5 billion, MuleSoft is beginning to resemble a Salesforce company — using its language and its methodologies to describe new products and services. This week at Dreamforce, as the company’s mega customer conference begins in San Francisco, MuleSoft announced a slew of new services as it integrates more deeply into the Salesforce family of products.

MuleSoft creates APIs to connect different systems together. This could be quite useful for Salesforce as a bridge between older software that may be on-prem or in the cloud. It allows Salesforce and its customers to access data wherever it lives, even from different parts of the Salesforce ecosystem itself.

MuleSoft made a number of announcements designed to simplify that process and put it in the hands of more customers. For starters, it’s announcing Accelerators, which are pre-defined integrations that let companies connect more easily to other systems. Not surprisingly, two of the first ones connect data from external products and services to Salesforce Service Cloud and Salesforce Commerce Cloud.

“What we’ve done is we’ve pre-built integrations to common back-end systems like ServiceNow and JIRA in Service Cloud, and we prebuilt those integrations, and then automatically connected that data and services through a Salesforce Lightning component directly in the Service console,” Lindsey Irvine, chief marketing officer at MuleSoft, explained.

What this does is allow the agent to get a more complete view of the customer by getting not just the data that’s stored in Salesforce, but in other systems as well.

The company also wants to put these kinds of integration skills in the hands of more Salesforce customers, so they have designed a set of courses in Trailhead, the company’s training platform, with the goal of helping 100,000 Salesforce admins, developers, integration architects and line of business users develop expertise around creating and managing these kinds of integrations.

The company is also putting resources into creating the API Community Manager, a place where people involved in building and managing these integrations can get help from a community of users, all built on Salesforce products and services, says Mark Dao, chief product officer at MuleSoft.

“We’re leveraging Community Cloud, Service Cloud and Marketing Cloud to create a true developer experience platform. And what’s interesting is that it’s targeting both the business users — in other words, business development teams and marketing teams — as well as external developers,” he said. He added that the fact this is working with business users as well as the integration experts is something new, and the goal is to drive increased usage of APIs using MuleSoft inside Salesforce customer organizations.

Finally, the company announced Flow Designer, a new tool fueled by Einstein AI, which helps automate the creation of workflows and integrations between systems in a more automated fashion without requiring coding skills.

MuleSoft Flow Designer requires no coding (Screenshot: MuleSoft)

Dao says this is about putting MuleSoft in reach of more users. “It’s about enabling use cases for less technical users in the context of the MuleSoft Anypoint Platform. This really requires a new way of thinking around creating integrations, and we’ve been making Flow Designer simpler and simpler, and removing that technical layer from those users,” he said.

API Community Manager is available now. Accelerators will be available by the end of the year and Flow Designer updates will be available Q2 2020, according to the company.

These and other features are all designed to take some of the complexity out of using MuleSoft to connect various systems across the organization, including both Salesforce and external programs, so that data can be used wherever it lives. MuleSoft does require a fair bit of technical skill, so if the company is able to simplify integration tasks, it could put the product in the hands of more users.

Why Were the Russians So Set Against This Hacker Being Extradited?

The Russian government has for the past four years been fighting to keep 29-year-old alleged cybercriminal Alexei Burkov from being extradited by Israel to the United States. When Israeli authorities turned down requests to send him back to Russia — supposedly to face separate hacking charges there — the Russians then imprisoned an Israeli woman for seven years on trumped-up drug charges in a bid to trade prisoners. That effort failed as well, and Burkov had his first appearance in a U.S. court last week. What follows are some clues that might explain why the Russians are so eager to reclaim this young man.

Alexei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Andrei Shirokov / Tass via Getty Images.

On the surface, the charges the U.S. government has leveled against Burkov may seem fairly unremarkable: Prosecutors say he ran a credit card fraud forum called CardPlanet that sold more than 150,000 stolen cards.

However, a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled malicious hackers ever apprehended by U.S. authorities, and that the Russian government is probably concerned that he simply knows too much.

Burkov calls himself a specialist in information security and denies having committed the crimes for which he’s been charged. But according to denizens of several Russian-language cybercrime forums that have been following his case in the Israeli news media, Burkov was by all accounts an elite cybercrook who primarily operated under the hacker alias “K0pa.”

This is the same nickname used by an individual who served as co-administrator of perhaps the most exclusive Russian-language hacking forums ever created, including Mazafaka and DirectConnection.

A screen shot from the Mazafaka cybercrime forum, circa 2011.

Since their inception in the mid-aughts, both of these forums have been among the most difficult to join — admitting only native Russian speakers and requiring each applicant to furnish a non-refundable cash deposit and “vouches” or guarantees from at least three existing members. Also, neither forum was accessible or even visible to anyone without a special encryption certificate supplied by forum administrators that allowed the sites to load properly in a Web browser.

DirectConnection, circa 2011. The identity shown at the bottom of this screenshot — Severa — belonged to Peter Levashov, a prolific spammer who pleaded guilty in the United States last year to operating the Kelihos spam botnet.

Notably, some of the world’s most-wanted cybercriminals were members of these two highly exclusive forums, and many of those individuals have already been arrested, extradited and tried for various cybercrime charges in the United States over the years. Those include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.

A user database obtained by KrebsOnSecurity several years back indicates K0pa relied on the same email address he used to register at Mazafaka and DirectConnection to register the user account “Botnet” on Spamdot, which for years was the closely-guarded stomping ground of the world’s most prolific spammers and virus writers, as well as hackers who created services catering to both professions.

As a reporter for The Washington Post in 2008, I wrote about the core offering that K0pa/Botnet advertised on Spamdot and other exclusive forums: A botnet-based anonymity service called FraudCrew. This service sold access to hacked computers, which FraudCrew customers used for the purposes of hiding their real location online while conducting cybercriminal activities.

FraudCrew, a botnet-based anonymity service offered by K0pa.

K0pa also was a top staff member at Verified, among the oldest and most venerated of Russian language cybercrime forums. Specifically, K0pa’s role at Verified was in maintaining its blacklist, a dispute resolution process designed to weed out “dishonest” cybercriminals who seek only to rip off less experienced crooks. From this vantage point, K0pa would have held considerable sway on the forum, and almost certainly played a key role in vetting new applicants to the site.

Prior to his ascendance at these forums, K0pa was perhaps best known for being a founding member of a hacker group calling themselves the CyberLords. Over nearly a decade, the CyberLords team would release dozens of hacking tools and exploits targeting previously unknown security vulnerabilities in Web-based services and computer software.

A cached copy of cyberlords[.]ru, circa 2005.

A DIRECT CONNECTION?

According to security firm Cybereason, Russia has a history of using contractors — even cybercriminals — to run intelligence operations. These crooks-turned-spies “offer a resource to the state while enjoying a cloak of semi-protected ‘status’ for their extracurricular activities, provided they are directed against foreign targets.”

“Cybercriminals are recruited to Russia’s national cause through a mix of coercion, payments and appeals to patriotic sentiment,” reads a 2017 story from The Register on Cybereason’s analysis of the Russian cybercrime scene. “Russia’s use of private contractors also has other benefits in helping to decrease overall operational costs, mitigating the risk of detection and gaining technical expertise that they cannot recruit directly into the government. Combining a cyber-militia with official state-sponsored hacking teams has created the most technically advanced and bold cybercriminal community in the world.”

A banner that ran on top of the Verified cybercrime forum for many years.

It’s probably worth noting that also present on both DirectConnection and Mazafaka were the core members of a prolific gang of online bank robbers called the JabberZeus Crew, who used custom versions of the ZeuS Trojan to steal tens — if not hundreds — of millions of dollars from hacked small businesses across the United States. In 2011, most of that crew was rounded up in an international cybercrime crackdown, although virtually all of them escaped prosecution in their home countries (mainly Russia and Ukraine).

I mention this because K0pa also was in regular communications with — if not a core member of — the JabberZeus crew. This gang worked directly with the author of the ZeuS Trojan — Evgeniy “Slavik” Bogachev — a Russian man with a $3 million bounty on his head from the FBI. The cybercriminal organization Bogachev allegedly ran was responsible for the theft of more than $100 million from banks and businesses worldwide that were infected with his ZeuS malware. That organization, dubbed the “Business Club,” had members spanning most of Russia’s 11 time zones.

In this 2011 screenshot of DirectConnection, we can see the nickname “aqua,” one of the JabberZeus crime gang actors. K0pa also was affiliated with the JabberZeus crew.

Fox-IT, a Dutch security firm that infiltrated the Business Club’s back-end operations, found that beginning in late fall 2013 — about the time that conflict between Ukraine and Russia was just beginning to heat up — Slavik retooled his cyberheist botnet to serve as purely a spying machine, and began scouring infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents.

Likewise, the keyword searches that Slavik used to scour bot-infected systems in Turkey suggested the botmaster was searching for specific files from the Turkish Ministry of Foreign Affairs – a specialized police unit. Fox-IT said it was clear that Slavik was looking to intercept communications about the conflict in Syria on Turkey’s southern border — one that Russia has supported by reportedly shipping arms into the region.

To my knowledge, no one has accused Burkov of being some kind of cybercrime fixer or virtual bad-guy Rolodex for the Russian government. On the other hand, from his onetime lofty perch atop some of the most exclusive Russian cybercrime forums, K0pa certainly would have fit that role nicely.

Further reading, including the fascinating story on the diplomatic back and forth between Russia and Israel mentioned in the first paragraph: The Russian Hacker Who Just Became One of Israel’s Most Famous Prisoners.

How Russia Recruited Elite Hackers for Its Cyberwar

The Good, the Bad and the Ugly in Cybersecurity – Week 46


The Good

Some of the tech industry’s leading names, Intel, Mozilla, Red Hat and Fastly, have united to form the ByteCode Alliance. The aim of this new industry partnership is to build on and develop the work of a previous joint project involving Google, Microsoft and, again, Mozilla among others, namely WebAssembly. The new ByteCode Alliance intends to ensure that the WebAssembly ecosystem is put on a sound, security-first footing. The problem they’re hoping to solve is one most organizations will recognize: you either develop or adopt a modular application that in itself passes your security audit, but which has multiple dependencies, importing code from package registries like npm, PyPI and others. Security audits on those dependencies are a herculean if not impossible task, and there’s a real danger of opening the door to supply chain attacks. The ByteCode Alliance wants to ensure that WebAssembly – billed as “the foundations that the future of the internet will be built on” – can provide developers with a reusable set of components that promise to make running untrusted code safer in any environment.


The Bad

Both old and new threat actors have emerged into the limelight this week. First, Lizard Squad popped their reptilian heads out of obscurity with two DDoS attacks on the UK’s Labour Party. Barely active since 2014, when the group claimed responsibility for attacks on North Korea, Sony and even Taylor Swift, Lizard Squad this week said they were behind two DDoS attacks on Labour Party servers. Although unsuccessful at knocking the party’s servers offline, the group – who support Brexit and are avowedly anti-Labour – promised more attacks from a “botnet connected to millions of devices around the world”. 


Meanwhile, a previously unknown threat actor has emerged targeting companies in Germany, Italy and the US. Their MO is straight out of Hacking 101: phishing emails carrying poisoned Word documents. The malspam, however, is carefully crafted to look like genuine email from government agencies such as the US Postal Service, the German Federal Ministry of Finance and the Italian Ministry of Taxation. Campaigns seen by researchers during October and November were low-volume and highly targeted. IT services companies, manufacturing and healthcare have been the primary targets to date. Victims that fell for the phishing lure were treated to Maze ransomware, the Cobalt Strike attack kit and the IcedID trojan for payloads.


The Ugly

The dangers of a security solution whitelisting privileged processes are one thing, but Windows Defender has taken things to a whole new level of unsafe by simply whitelisting file names. As this POC by Grzegorz Tworek simply and reliably shows, Windows Defender’s real-time scanning appears to give a green light to any executable called msiexec.exe. Tworek’s POC couldn’t be simpler. Compile an executable that does nothing other than download the EICAR test file, and watch Defender ATP kick in and flag the downloaded file as malicious.


Repeat the experiment, but this time compile the code and name the output file msiexec.exe. When you execute it this time, the EICAR test file is again downloaded but ignored by Windows Defender. Cybersecurity doesn’t get much uglier than that!
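A defender-side check for the file-name allowlisting problem described above, added here as an example and not taken from Tworek’s POC or the article: it scans constructed Sysmon-style process-creation records and flags an image named msiexec.exe that does not live in its expected system directory, or whose PE OriginalFileName disagrees with the file name on disk. The expected paths assume a default Windows installation; the event records are constructed sample data, not captured logs.

```python
"""Flag processes that borrow a trusted Windows file name (here msiexec.exe)
but run from the wrong place or carry a different original file name.
Added example, not part of the original article or of Tworek's POC."""
import ntpath

# Where the genuine binary lives on a default Windows install (assumption),
# lower-cased so comparisons are case-insensitive like NTFS itself.
EXPECTED_PATHS = {
    "msiexec.exe": {
        r"c:\windows\system32\msiexec.exe",
        r"c:\windows\syswow64\msiexec.exe",
    },
}


def masquerade_reasons(event):
    """Return the indicators raised by one process-creation event (empty = clean)."""
    image = event["Image"].lower()
    name = ntpath.basename(image)
    expected = EXPECTED_PATHS.get(name)
    if expected is None:
        return []  # not a file name we allowlist, so nothing to impersonate

    reasons = []
    if image not in expected:
        reasons.append("trusted file name running outside its expected directory")

    # Sysmon Event ID 1 carries the PE version resource's OriginalFileName;
    # a renamed build of some other program usually will not say msiexec.exe.
    original = event.get("OriginalFileName")
    if original and original.lower() != name:
        reasons.append("OriginalFileName %r does not match image name %r" % (original, name))
    return reasons


def scan_events(events):
    """Return (event, reasons) pairs for every event that looks like masquerading."""
    hits = []
    for event in events:
        reasons = masquerade_reasons(event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed sample records in the shape of Sysmon process-creation events.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\msiexec.exe", "OriginalFileName": "poc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\MSIEXEC.EXE", "OriginalFileName": "MSIEXEC.EXE"},
]

if __name__ == "__main__":
    for event, reasons in scan_events(SAMPLE_EVENTS):
        print(event["Image"], "->", "; ".join(reasons))
```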


Why Salesforce is moving Marketing Cloud to Microsoft Azure

When Salesforce announced this week that it was moving Marketing Cloud to Microsoft Azure, it was easy to see this as another case of wacky enterprise partnerships. But there had to be sound business reasons why the partnership came together, rather than going with AWS or Google Cloud Platform, both of which are also Salesforce partners in other contexts.

If you ask Salesforce, it says it was ultimately because of compatibility with Microsoft SQL.

“Salesforce chose Azure because it is a trusted platform with a global footprint, multi-layered security approach, robust disaster recovery strategy with auto failover, automatic updates and more,” a Salesforce spokesperson told TechCrunch. “Marketing Cloud also has a long standing relationship with Microsoft SQL which makes the transition to SQL on Azure a natural decision.”

Except for the SQL part, Microsoft’s chief rivals at AWS and Google Cloud Platform also provide those benefits. In fact, each of the reasons cited by the spokesperson — with the exception of SQL — is part of the general cloud infrastructure value proposition that all the major cloud vendors provide.

There’s probably more to it than simply compatibility. There is also a long-standing rivalry between the two companies, which raises the question of why, in spite of their competition, they continue to make deals like this in the spirit of co-opetition. We spoke to a few industry experts to get their take on the deal and find out why these two seeming rivals decided to come together.

Retailer’s dilemma

Tony Byrne, founder and principal analyst at Real Story Group, thinks it could be related to the fact it’s a marketing tool and some customers may be wary about hosting their businesses on AWS while competing with Amazon on the retail side. This is a common argument for why retail customers in particular are more likely to go with Microsoft or Google over AWS.

“Salesforce Marketing Cloud tends to target B2C enterprises, so the choice of Azure makes sense in one context where some B2C firms are wary of Amazon for competitive reasons. But I’d also imagine there’s more to the decision than that,” Byrne said.