SentinelOne Ranger Receives 2019 Security Excellence Award from IoT Evolution

We are happy to share that our own SentinelOne Ranger has received a 2019 IoT Evolution Security Excellence Award from IoT Evolution World, the leading publication covering IoT technology. This award honors organizations delivering exemplary software or hardware solutions which secure IoT devices and networks, and we’re pleased to see Ranger recognized for its breakthrough capabilities securing the connected world.

By 2030, there will be more than 125 billion connected IoT devices, many with little or no built-in security capabilities. Currently, enterprise security teams lack the ability to deploy software onto these fragmented devices, resulting in a complete lack of environmental awareness and of the ability to take an accurate network inventory. SentinelOne Ranger solves this critical problem by providing visibility into the enterprise network, enabling devices to become environmentally aware and fend off attacks from outside and from one another, without human intervention.

Using AI to monitor and control access to every IoT device, SentinelOne solves a problem that was previously impossible to address at scale. The technology can not only fingerprint and profile the devices that the SentinelOne agent discovers by enabling complete environmental visibility but also identify the weak points in a network and subsequently minimize risk. 

Our Ranger technology is the industry’s first solution that allows machines to autonomously protect themselves and notify security teams of vulnerabilities, rogue devices, and anomalous behavior. The key is it uses existing agents as sensors, meaning organizations don’t have to install yet another agent for Ranger to work. Other products on the market require adding physical appliances to the network and directing traffic there. This can be hard to scale, especially for large and busy networks.

Ranger, on the other hand, gives organizations a window into their network, which becomes increasingly important and valuable as more devices start living on the network. And organizations don’t need to install anything new to use the feature — it’s all part of the existing SentinelOne agent.

For more information about SentinelOne Ranger, please visit our blog.

Rhino looks to replace renters’ security deposits with a small monthly fee

Rhino, the insurtech startup incubated by Kairos and co-founded by Kairos CEO Ankur Jain, has today announced the close of a $21 million Series A round led by Kairos and Lakestar.

Rhino was founded in 2017 with the goal of getting back to renters the billions of dollars that are locked up in cash security deposits, all while protecting landlords and their property. As it stands now, landlords usually take one month’s rent to cover any damage that might be done to the apartment during the lease. This is piled on top of first and sometimes last month’s rent, and even at times a broker’s fee of one month’s rent, which adds up to an incredibly steep cost of moving.

Because of certain regulations, this money is held in an individual escrow account and can’t really generate interest, which results in billions of dollars zapped out of the economy and instead sitting dead in some account.

Rhino is looking to give renters the option to pay a small monthly fee (as low as $3) to cover an insurance policy for the landlord. Rhino is itself a managing general agent, allowing the company to both sell and create policy plans for landlords through partnerships with carriers.

Thus far the startup has saved renters upwards of $60 million in 2019, with users in more than 300,000 rental units across the country.

“The greatest challenge is working against legacy and industry norms,” said Rhino CEO and co-founder Paraag Sarva. “That start has begun, but there is a huge amount of inertia behind the status quo and that is far and away what we are most challenged by day in and day out.”

To help speed up the process, Rhino is working alongside policymakers to enact change on a federal level.

Alongside the funding announcement, the company is announcing its new policy proposal that was created in collaboration with federal, state and local government officials. The policy essentially allows for renters to be given a choice when it comes to cash deposits, including allowing residents to cover security deposits in installments or use insurtech products like Rhino to cover deposits.

Rhino says it will be sharing the policy proposal with 2020 presidential candidates on both sides of the aisle.

Rhino is one of a handful of companies that has been incubated by Kairos, a startup studio led by Ankur Jain with the goal of solving the biggest problems faced by everyday Americans. The studio focuses on housing and healthcare, with companies such as Rhino, June Homes, Little Spoon, Cera and a couple of startups still in stealth.

Salesforce is building an office tower in Sydney, pledging 1000 new jobs in next five years

Salesforce announced this week that it’s building another shiny tower. This one will be in Sydney with views of the harbor and the iconic Sydney Opera House. The company has also committed to adding 1000 new jobs in the next five years and to building the tower in a sustainable fashion.

In fact, Salesforce is pledging the new tower will be one of the greenest buildings in the country when it is finished. “The building has achieved Sydney’s first-ever WELL core and shell Platinum pre-certification, the highest obtainable pre-certification, and will achieve a 6 Star Green Star Design and As-Built rating, representing world excellence in sustainable design,” Salesforce’s Elizabeth Pinkham wrote in a blog post announcing the project.

As is Salesforce’s way, it’s going to be the tallest building in the city when it’s done, and will sit in the Circular Quay, part of the central business district in the city, and will house shops and restaurants on the main floor. As with all of its modern towers, it’s going to dedicate the top floor to allow for flexible use for employees, customers and partners. The building will also boast a variety of spaces including a Salesforce Innovation Center for customers along with social lounges, mindfulness areas and a variety of spaces for employees to collaborate.

Salesforce has had a presence in Sydney for over 15 years, according to the company, and this tower is an attempt to consolidate that presence into a single, modern space with room to expand over the next five years and add hundreds of new employees.

The announcement comes on the heels of the one earlier this year that the company was building a similarly grand project in Dublin to centralize operations in that city where it has had a presence since 2001.

Mariposa Botnet Author, Darkode Crime Forum Admin Arrested in Germany

A Slovenian man convicted of authoring the destructive and once-prolific Mariposa botnet and running the infamous Darkode cybercrime forum has been arrested in Germany on request from prosecutors in the United States, who’ve recently re-indicted him on related charges.

NiceHash CTO Matjaž “Iserdo” Škorjanc, as pictured on the front page of a recent edition of the Slovenian daily Delo.si, is being held by German authorities on a US arrest warrant for operating the destructive “Mariposa” botnet and founding the infamous Darkode cybercrime forum.

The Slovenian Press Agency reported today that German police arrested Matjaž “Iserdo” Škorjanc last week, in response to a U.S.-issued international arrest warrant for his extradition.

In December 2013, a Slovenian court sentenced Škorjanc to four years and ten months in prison for creating the malware that powered the ‘Mariposa’ botnet. Spanish for “Butterfly,” Mariposa was a potent crime machine first spotted in 2008. Very soon after its inception, Mariposa was estimated to have infected more than 1 million hacked computers — making it one of the largest botnets ever created.

An advertisement for the ButterFly Bot.

Škorjanc and his hacker handle Iserdo were initially named in a Justice Department indictment from 2011 (PDF) along with two other men who allegedly wrote and sold the Mariposa botnet code. But in June 2019, the DOJ unsealed an updated indictment (PDF) naming Škorjanc, the original two other defendants, and a fourth man (from the United States) in a conspiracy to make and market Mariposa and to run the Darkode crime forum.

More recently, Škorjanc served as chief technology officer at NiceHash, a Slovenian company that lets users sell their computing power to help others mine virtual currencies like bitcoin. In December 2017, approximately USD $52 million worth of bitcoin mysteriously disappeared from the coffers of NiceHash. Slovenian police are reportedly still investigating that incident.

The “sellers” page on the Darkode cybercrime forum, circa 2013.

It will be interesting to see what happens with the fourth and sole U.S.-based defendant added in the latest DOJ charges — Thomas K. McCormick, a.k.a “fubar” — allegedly one of the last administrators of Darkode. Prosecutors say McCormick also was a reseller of the Mariposa botnet, the ZeuS banking trojan, and a bot malware he allegedly helped create called “Ngrbot.”

Between 2010 and 2013, Fubar would randomly chat me up on instant messenger apropos of nothing to trade information about the latest goings-on in the malware and cybercrime forum scene.

Fubar frequently knew before anyone else about upcoming improvements to or new features of ZeuS, and discussed at length his interactions with Iserdo/Škorjanc. Every so often, I would reach out to Fubar to see if he could convince one of his forum members to call off an attack against KrebsOnSecurity.com, an activity that had become something of a rite of passage for new Darkode members.

On Dec. 5, 2013, federal investigators visited McCormick at his University of Massachusetts dorm room. According to a memo filed by FBI agents investigating the case, in that interview McCormick acknowledged using the “fubar” identity on Darkode, but said he’d quit the whole forum scene years ago, and that he’d even interned at Microsoft for several summers and at Cisco for one summer.

A subsequent search warrant executed on his dorm room revealed multiple removable drives that held tens of thousands of stolen credit card records. For whatever reason, however, McCormick wasn’t arrested or charged until December 2018.

According to the FBI, back in that December 2013 interview McCormick voluntarily told them a great deal about his various businesses and online personas. He also apparently told investigators he talked with KrebsOnSecurity quite a bit, and that he’d tipped me off to some important developments in the malware scene. For example:

“TM had found the email address of the Spyeye author in an old fake antivirus affiliate program database and that TM was able to find the true name of the Spyeye author from searching online for an individual that used the email address,” the memo states. “TM passed this information on to Brian Krebs.”

Read more of the FBI’s interview with McCormick here (PDF).

News of Škorjanc’s arrest comes amid other cybercrime takedowns in Germany this past week. On Friday, German authorities announced they’d arrested seven people and were investigating six more in connection with the raid of a Dark Web hosting operation that allegedly supported multiple child porn, cybercrime and drug markets with hundreds of servers buried inside a heavily fortified military bunker.

Checkm8: 5 Things You Should Know About The New iOS Boot ROM Exploit

Last week, the iOS jailbreaking community was set abuzz after security researcher axi0mX dropped what’s been described as a ‘game changing’ new exploit affecting Apple’s mobile platform. Dubbed ‘checkm8’, the Boot ROM exploit has widely been proclaimed as the most important single exploit ever released for iPhone, iPad, Apple TV and Apple Watch devices. But what does that actually mean for the security of the millions of affected iOS devices out there, in use in both personal and enterprise environments? In this post, we look behind the headlines and the inevitable FUD to break it all down and answer the essential questions.


1. Are iOS Devices Now Insecure Because of checkm8?

No, let’s get clear about this. For almost all realistic scenarios of in-use devices, Checkm8 hasn’t “changed the game” in terms of risk management. That’s not to say the Boot ROM exploit isn’t hugely important – it is, as we’ll explain below – but the ways in which this exploit can be used by attackers are few and limited.

First, there’s no remote execution possibility here. An attacker cannot use checkm8 to compromise an untethered device. That means anyone wanting to use this exploit without having the target device physically in their possession is out of luck.

Second, checkm8 does not allow a threat actor to bypass TouchID or PIN protections. In other words, it does not compromise the Secure Enclave. That means your personal data remains safe from attackers who don’t have your unlock credentials, notwithstanding the possibility of other zero days.

Third, there’s no persistence mechanism here, either. If an attacker gained possession of your device and used the Boot ROM exploit to compromise it, re-booting the device would bring it back to a healthful state. Any changes made by the attacker would be lost as Apple’s security checks would either delete the files modified by the attacker or refuse to run them.


2. What Should I Do To Stay Safe from checkm8?

With that said, checkm8 does mean security-conscious users should consider the possibility of a potential hack or malware infection if the device has been out of their presence or physical control.

If you’ve left your iPhone unattended and powered-on in your hotel room, for example, or on a desk in shared office space, or had it temporarily confiscated by border security guards, say, you should re-boot your iOS device when it comes back into your possession. And for good measure, you should probably do a force restart to ensure that malware hasn’t found a way of simulating a fake reboot.

All that’s probably advice that you should already have been heeding anyway, as there’s been speculation of privately-held hacks and iOS zero days swirling around at least since the infamous San Bernardino, FBI vs Apple story back in 2016. Checkm8 means we now have a publicly-known and available exploit that could have been used in that kind of situation.

The following graphic taken from Apple’s WWDC 2016 presentation shows the flow of the secure boot chain from power on, from left to right, on an uncompromised device.

image of ios secure boot chain

According to the iOS Security Guide:

“Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust…This secure boot chain helps ensure that the lowest levels of software aren’t tampered with.”

What makes checkm8 so devastating is that it exploits flaws right at the beginning of this process, thus undermining all further checks made by subsequent steps in the chain.
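The chain-of-trust argument above, and the no-persistence point from section 1, as an added toy model that is not part of the original article or any Apple code. Signatures are modelled with HMAC-SHA256 as a stand-in for Apple's public-key signatures, and the stage names and images are constructed for the example.

```python
import hashlib
import hmac

# Constructed signing key standing in for Apple's signing key. Apple uses
# public-key signatures with the public key fixed in the Boot ROM; HMAC is a
# symmetric stand-in, so here the "Boot ROM" holds the same key (assumption).
SIGNING_KEY = b"constructed-demo-key, not Apple's"

# Stage order from power-on. Names are illustrative, not Apple's component names.
CHAIN = ["bootrom", "bootloader", "kernel", "userland"]


def sign(image: bytes) -> bytes:
    """Stand-in for Apple signing a stage image at the factory or in an update."""
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()


def verify(image: bytes, sig: bytes) -> bool:
    """What each genuine stage does to the next stage before handing off."""
    return hmac.compare_digest(sign(image), sig)


def genuine_stages() -> dict:
    """Constructed sample: every mutable stage carries a valid signature."""
    stages = {}
    for name in CHAIN[1:]:
        image = f"genuine {name} image".encode()
        stages[name] = (image, sign(image))
    return stages


def boot(stages: dict, bootrom_flaw: bool = False) -> list:
    """Simulate one power-on and return (stage, outcome) pairs in boot order.

    The Boot ROM is the immutable root: nothing checks it, and it checks the
    first mutable stage. bootrom_flaw=True models a bug in that root check
    (the class of flaw checkm8 exploits) that lets a tethered host slip an
    unverified first stage past it. A stage that ran without being verified
    is under the attacker's control, so it skips verifying what follows.
    """
    outcome = [("bootrom", "immutable root")]
    trusted = True  # is the stage currently running genuine?
    for name in CHAIN[1:]:
        image, sig = stages[name]
        if not trusted:
            outcome.append((name, "loaded unverified"))
            continue
        if verify(image, sig):
            outcome.append((name, "verified"))
        elif name == CHAIN[1] and bootrom_flaw:
            outcome.append((name, "loaded unverified"))
            trusted = False
        else:
            outcome.append((name, "refused"))
            break  # chain halts; the device does not run the tampered code
    return outcome


def scenario() -> dict:
    """Replay the article's three points and return the boot results."""
    healthy = genuine_stages()

    # 1. Tampered kernel, sound Boot ROM: the bootloader refuses it.
    kernel_swap = dict(healthy)
    kernel_swap["kernel"] = (b"modified kernel image", healthy["kernel"][1])

    # 2. Same device, attacker present with a tethered Boot ROM exploit and a
    #    rogue first stage: every later check in the chain is moot.
    rogue_first = dict(healthy)
    rogue_first["bootloader"] = (b"attacker bootloader", b"\x00" * 32)

    return {
        "clean": boot(healthy),
        "tampered_kernel": boot(kernel_swap),
        "exploited": boot(rogue_first, bootrom_flaw=True),
        # 3. No persistence: at the next power-on without the tethered
        #    exploit, the unchanged Boot ROM rejects the rogue stage.
        "after_reboot": boot(rogue_first),
    }


if __name__ == "__main__":
    for label, result in scenario().items():
        print(f"{label:16s}", " -> ".join(f"{s}:{o}" for s, o in result))
```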


3. Which iOS Devices Are Affected by checkm8?

While not every iOS device is affected by checkm8, the vast majority in use are. If you own, or purchase, an iPhone XR, XS, XS Max or any of the iPhone 11 series, all of which use the A12 Bionic or later chip, then the Boot ROM exploit will not work on it. That’s because the use-after-free vulnerability that axi0mX found appears only in devices using A11 chips or earlier, which includes iPhone 4S to iPhone X models, as well as any iPad, Apple TV or Apple Watch device using A11 or earlier chips.

Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).

4. How Does checkm8 Change the Game for iOS Security?

As we’ve already explained, for end users concerned about the practical security of their devices on a day-to-day basis, there isn’t really anything particularly new to worry about here. However, this exploit really is a game changer for researchers and, to a certain extent, for Apple itself as well as for some developers. That’s because with checkm8, anyone will be able to jailbreak their iOS device and inspect what’s going on ‘under the hood’ with any software that’s running on it.

For example, unscrupulous developers are now on notice that it’s only a matter of time before security researchers start to uncover any underhand behaviour or functionality in their apps that Apple’s code review might have missed. My prediction is that in the coming months we will see quite a few startling revelations of devious behaviour by so-called ‘reputable’ apps as more and more researchers begin jailbreaking devices and reverse engineering apps to examine how particular applications behave at runtime.


The second, massive ‘game changing’ aspect of checkm8 is the one that most people have been talking about this weekend: it means we will not have to depend on Apple’s generosity in handing out special ‘research’ phones to a select few researchers in order to explore iOS itself for more bugs and security flaws. The iOS Security Research Device program was slated to commence in 2020, but it now appears to be effectively redundant. It remains to be seen if there’s any point now in Apple following through with it.

As a result of checkm8, there will be a huge increase in the actual number of people actively investigating iOS security. Assuming Apple don’t now change their minds about offering an expanded bug bounty program, that means we should see a real acceleration in finds of crucial bugs in the iOS operating system itself.

That, again, is a great thing for iOS security. As the old saying goes, security by obscurity is no security at all, and checkm8 really brings the inner workings of iOS out into the light for inspection by anyone, not just a handful of chosen researchers.

5. Will Apple Release a Security Patch to Fix checkm8?

No, that’s not going to happen for the simple reason that security updates cannot fix flaws in the Boot ROM code. The flaw is “baked in” at the factory and could only be fixed, perhaps, by a recall of affected devices. Given the cost to Apple of doing that versus the benefit, that’s extremely unlikely to happen.

This means that affected devices are vulnerable “forever”. Of course, there’s a shelf-life for how long these devices will be upgradable to the latest version of iOS, perhaps as much as 5 years from manufacture in some cases. That gives researchers a great opportunity to thoroughly explore how iOS works from now and into the mid-term future. Beyond that, although these devices will themselves still be vulnerable, once they are unable to run the latest version of iOS, we will once again be back to the ‘dark ages’ of not knowing what running code is doing on our iOS devices.

Conclusion

The main takeaway from the checkm8 Boot ROM exploit released last week by axi0mX is that while it doesn’t change much for users in terms of how they should manage risk in practical terms, it does change pretty much everything for researchers in terms of giving them unprecedented, privileged access to the inner workings of iOS and, indeed, 3rd party code running on their devices.

While there have been some voices in the media suggesting that these kinds of exploits should not be made public, it’s hard to see how the net benefit of this won’t be a huge positive for users, researchers and Apple itself. The more people hunting bugs on iOS the better for everyone, and the checkm8 exploit is arguably only doing what Apple themselves had this year promised to do by providing ‘research’ phones and an expanded bug bounty program; namely, opening up iOS bug hunting to a larger – a very much larger – community of researchers.


Microsoft’s Windows Virtual Desktop service is now generally available

Microsoft today announced that Windows Virtual Desktop (WVD), its Azure-based system for virtualizing the Windows and Office user experience it announced last September, is now generally available. Using WVD, enterprises can give their employees access to virtualized applications and remote desktops, including the ability to provide multi-session Windows 10 experiences, something that sets Microsoft’s own apart from that of other vendors that offer virtualized Windows desktops and applications.

In addition to making the service generally available, Microsoft is also rolling it out globally, whereas the preview was U.S.-only and the original plan was to slowly roll it out globally. Scott Manchester, the principal engineering lead for WVD, also told me that more than 20,000 companies signed up for the preview. He also noted that Microsoft Teams is getting enhanced support in WVD with a significantly improved video conferencing experience.

Shortly after announcing the preview of WVD, Microsoft acquired a company called FSLogix, which specialized in provisioning the same kind of virtualized Windows environments that Microsoft offers through WVD. As Microsoft’s corporate VP for Microsoft 365 told me ahead of today’s announcement, the company took a lot of the know-how from FSLogix to ensure that the user experience on WVD is as smooth as possible.

Brad Anderson, CVP of Microsoft 365, noted that just as enterprises are getting more comfortable with moving some of their infrastructure to the cloud (and have others worry about managing it), there is now also growing demand from organizations that want this same experience for their desktop experiences. “They look at the cloud as a way of saying, ‘listen, let the experts manage the infrastructure. They can optimize it; they can fine-tune it; they can make sure that it’s all done right.’ And then I’ll just have a first-party service — in this case Microsoft — that I can leverage to simplify my life and enable me to spin up and down capacity on demand,” Anderson said. He also noted, though, that making sure that these services are always available is maybe even more critical than for other workloads that have moved to the cloud. If your desktop stops working, you can’t get much done, after all.

Anderson also stressed that if a customer wants a multi-session Windows 10 environment in the cloud, WVD is the only way to go because that is the only way to get a license to do so. “We’ve built the operating system, we built the public cloud, so that combination is going to be unique and this gives us the ability to make sure that that Windows 10 experience is the absolute best on top of that public cloud,” he noted.

He also stressed that the FSLogix acquisition enabled his team to work with the Office team to optimize the user experience there. Thanks to this, when you spin up a new virtualized version of Outlook, for example, it’ll just take a second or two to load instead of almost a minute.

A number of companies are also still looking to upgrade their old Windows 7 deployments. Microsoft will stop providing free security patches for them very soon, but on WVD, these users will still be able to get access to virtualized Windows 7 desktops with free extended security updates until January 2023. Anderson does not believe that this will be a major driver for WVD adoption, but he does see “pockets of customers who are working on their transition.”

Enterprises can access Windows 10 Enterprise and Windows 7 Enterprise on WVD at no additional licensing cost (though, of course, the Azure resources they consume will cost them) if they have an eligible Windows 10 Enterprise or Microsoft 365 license.


Confluent adds free tier to Kafka real-time streaming data cloud service

When Confluent launched a cloud service in 2017, it was trying to reduce some of the complexity related to running a Kafka streaming data application. Today, it introduced a free tier to that cloud service. The company hopes to expand its market beyond large technology company customers, and the free tier should make it easier for smaller companies to get started.

The new tier provides up to $50 of service a month for up to three months. Company CEO Jay Kreps says that while $50 might not sound like much, it’s actually hundreds of gigabytes of throughput and makes it easy to get started with the tool.

“We felt like we can make this technology really accessible. We can make it as easy as we can. We want to make it something where you can just get going in seconds, and not have to pay anything to start building an application that uses real-time streams of data,” Kreps said.

Kafka has been available as an open-source product since 2011, so it’s been free to download, install and build applications, but still required a ton of compute and engineering resources to pull off. The cloud service was designed to simplify that, and the free tier lets developers get comfortable building a small application without making a large financial investment.

Once they get used to working with Kafka on the free version, users can then buy in whatever increments make sense for them, and only pay for what they use. It can be pennies’ worth of Kafka or hundreds of dollars, depending on a customer’s individual requirements. “After free, you can buy 11 cents’ worth of Kafka or you can buy it $10 worth, all the way up to these massive users like Lyft that use Confluent Cloud at huge scale as part of their ridesharing service,” he said.

While a free SaaS trial might feel like a common kind of marketing approach, Kreps says for a service like Kafka, it’s actually much more difficult to pull off. “With something like a distributed system where you get a whole chunk of infrastructure, it’s actually technically an extraordinarily difficult thing to provide zero to elastic scale up capabilities. And a huge amount of engineering goes into making that possible,” Kreps explained.

Kafka processes massive streams of data in real time. It was originally developed inside LinkedIn and open-sourced in 2011. Confluent launched as a commercial entity on top of the open-source project in 2014. In January the company raised $125 million on a $2.5 billion valuation. It has raised more than $205 million, according to Crunchbase data.

AWS IQ matches AWS customers with certified service providers

AWS has a lot going on, and it’s not always easy for customers to deal with the breadth of its service offerings on its own. Today, the company announced a new service called AWS IQ that is designed to connect customers with certified service providers.

“Today I would like to tell you about AWS IQ, a new service that will help you to engage with AWS Certified third party experts for project work,” AWS’s Jeff Barr wrote in a blog post introducing the new feature. This could involve training, support, managed services, professional services or consulting. All of the companies available to help have received associate, specialty or professional certification from AWS, according to the post.

You start by selecting the type of service you are looking for such as training or professional services, then the tool walks you through the process of defining your needs including providing a title, description and what you are willing to pay for these services. The service then connects the requestor with a set of providers that match the requirements. From there, the requestor can review expert profiles and compare the ratings and offerings in a kind of online marketplace.

AWS IQ start screen

You start by selecting the type of service you want to engage.

Swami Sivasubramanian, vice president at AWS says they wanted to offer a way for customers and service providers to get together. “We built AWS IQ to serve as a bridge between our customers and experts, enabling them to get to work on new projects faster and easier, and removing many of the hassles and roadblocks that both groups usually encounter when dealing with project-based work,” he said in a statement.

The company sees this as a particularly valuable tool for small and medium sized vendors, who might lack the expertise to find help with AWS services. The end result is that everyone should win. Customers get direct access to this community of experts, and the experts can more easily connect with potential customers to build their AWS consulting practice.

Why is Dropbox reinventing itself?

According to Dropbox CEO Drew Houston, 80% of the product’s users rely on it, at least partially, for work.

It makes sense, then, that the company is refocusing to try and cement its spot in the workplace; to shed its image as “just” a file storage company (in a time when just about every big company has its own cloud storage offering) and evolve into something more immutably core to daily operations.

Earlier this week, Dropbox announced that the “new Dropbox” would be rolling out to all users. It takes the simple, shared folders that Dropbox is known for and turns them into what the company calls “Spaces” — little mini collaboration hubs for your team, complete with comment streams, AI for highlighting files you might need mid-meeting, and integrations into things like Slack, Trello and G Suite. With an overhauled interface that brings much of Dropbox’s functionality out of the OS and into its own dedicated app, it’s by far the biggest user-facing change the product has seen since launching 12 years ago.

Shortly after the announcement, I sat down with Dropbox VP of Product Adam Nash and CTO Quentin Clark. We chatted about why the company is changing things up, why they’re building this on top of the existing Dropbox product, and the things they know they just can’t change.

You can find these interviews below, edited for brevity and clarity.

Greg Kumparak: Can you explain the new focus a bit?

Adam Nash: Sure! I think you know this already, but I run products and growth, so I’m gonna have a bit of a product bias to this whole thing. But Dropbox… one of its differentiating characteristics is really that when we built this utility, this “magic folder”, it kind of went everywhere.

German Cops Raid “Cyberbunker 2.0,” Arrest 7 in Child Porn, Dark Web Market Sting

German authorities said Friday they’d arrested seven people and were investigating six more in connection with the raid of a Dark Web hosting operation that allegedly supported multiple child porn, cybercrime and drug markets with hundreds of servers buried inside a heavily fortified military bunker. Incredibly, for at least two of the men accused in the scheme, this was their second bunker-based hosting business that was raided by cops and shut down for courting and supporting illegal activity online.

The latest busted cybercrime bunker is in Traben-Trarbach, a town on the Mosel River in western Germany. The Associated Press says investigators believe the 13-acre former military facility served a number of dark web sites, including: the “Wall Street Market,” a sprawling, online bazaar for drugs, hacking tools and financial-theft wares before it was taken down earlier this year; the drug portal “Cannabis Road;” and the synthetic drug market “Orange Chemicals.”

German police reportedly seized $41 million worth of funds allegedly tied to these markets, and more than 200 servers that were operating throughout the underground temperature-controlled, ventilated and closely guarded facility.

The former military bunker in Germany that housed CyberBunker 2.0 and, according to authorities, plenty of very bad web sites.

The authorities in Germany haven’t named any of the people arrested or under investigation in connection with CyberBunker’s alleged activities, but said those arrested were apprehended outside of the bunker. Still, there are clues in the details released so far, and those clues have been corroborated by sources who know two of the key men allegedly involved.

We know the owner of the bunker hosting business has been described in media reports as a 59-year-old Dutchman who allegedly set it up as a “bulletproof” hosting provider that would provide Web site hosting to any business, no matter how illegal or unsavory.

We also know the German authorities seized at least two Web site domains in the raid, including the domain for ZYZTM Research in The Netherlands (zyztm[.]com), and cb3rob[.]org.

A “seizure” placeholder page left behind by German law enforcement agents after they seized cb3rob.org, an affiliate of the CyberBunker bulletproof hosting facility owned by convicted Dutch cybercriminal Sven Kamphuis.

According to historic whois records maintained by Domaintools.com, Zyztm[.]com was originally registered to a Herman Johan Xennt in the Netherlands. Cb3rob[.]org was an organization hosted at CyberBunker registered to Sven Kamphuis, a self-described anarchist who was convicted several years ago for participating in a large-scale attack that briefly impaired the global Internet in some places.

Both 59-year-old Xennt and Mr. Kamphuis worked together on a previous bunker-based project — a bulletproof hosting business they sold as “CyberBunker” and ran out of a five-story military bunker in The Netherlands.

That’s according to Guido Blaauw, director of Disaster-Proof Solutions, a company that renovates and resells old military bunkers and underground shelters. Blaauw’s company bought the 1,800 square-meter Netherlands bunker from Mr. Xennt in 2011 for $700,000.

Guido Blaauw, in front of the original CyberBunker facility in the Netherlands, which he bought from Mr. Xennt in 2011. Image: Blaauw.

Media reports indicate that in 2002 a fire inside the CyberBunker 1.0 facility in The Netherlands summoned emergency responders, who discovered a lab hidden inside the bunker that was being used to produce the drug ecstasy/XTC.

Blaauw said nobody was ever charged for the drug lab, which was blamed on another tenant in the building. Blaauw said Xennt and others in 2003 were then denied a business license to continue operating in the bunker, and they were forced to resell servers from a different location — even though they bragged to clients for years to come about hosting their operations from an ultra-secure underground bunker.

“After the fire in 2002, there was never any data or servers stored in the bunker,” in The Netherlands, Blaauw recalled. “For 11 years they told everyone [the hosting servers were] in this ultra-secure bunker, but it was all in Amsterdam, and for 11 years they scammed all their clients.”

Firefighters investigating the source of a 2002 fire at the CyberBunker’s first military bunker in The Netherlands discovered a drug lab amid the Web servers. Image: Blaauw.

Blaauw said sometime between 2012 and 2013, Xennt purchased the bunker in Traben-Trarbach, Germany — a much more modern structure that was built in 1997. CyberBunker was reborn, and it began offering many of the same amenities and courted the same customers as CyberBunker 1.0 in The Netherlands.

“They’re known for hosting scammers, fraudsters, pedophiles, phishers, everyone,” Blaauw said. “That’s something they’ve done for ages and they’re known for it.”

The former Facebook profile picture of Sven Olaf Kamphuis, shown here standing in front of Cyberbunker 1.0 in The Netherlands.

About the time Xennt and company were settling into their new bunker in Germany, he and Kamphuis were engaged in a fairly lengthy and large series of distributed denial-of-service (DDoS) attacks aimed at sidelining a number of Web sites — particularly anti-spam organization Spamhaus. A chat record of that assault, detailed in my 2016 piece, Inside the Attack that Almost Broke the Internet, includes references to and quotes from both Xennt and Kamphuis.

Kamphuis was later arrested in Spain on the DDoS attack charges. He was convicted in The Netherlands and sentenced to time served, which was approximately 55 days of detention prior to his extradition to the United States.

Some of the 200 servers seized from CyberBunker 2.0, a “bulletproof” web hosting facility buried inside a German military bunker. Image: swr.de.

The AP story mentioned above quoted German prosecutor Juergen Bauer saying the 59-year-old main suspect in the case was believed to have links to organized crime.

A 2015 exposé (PDF) by the Irish newspaper The Sunday World compared Mr. Xennt (pictured below) to a villain from a James Bond movie, and said he has been seen frequently associating with another man: an Irish mobster named George “the Penguin” Mitchell, listed by Europol as one of the top-20 drug traffickers in Europe and thought to be involved in smuggling heroin, cocaine and ecstasy.

Cyberbunkers 1.0 and 2.0 owner and operator Mr. Xennt, top left, has been compared to a “Bond villain.” Image: The Sunday World, July 26, 2015.

Blaauw said he doesn’t know whether Kamphuis was arrested or named in the investigation, but added that people who know him and can usually reach him have not heard from Kamphuis over several days.

Here’s what the CyberBunker in The Netherlands looked like back in the early aughts when Xennt still ran it:

Here’s what it looks like now after being renovated by Blaauw’s company and designed as a security operations center (SOC):

The former CyberBunker in the Netherlands, since redesigned as a security operations center by its current owner. Image: Blaauw.

I’m glad when truly bad guys doing bad stuff like facilitating child porn are taken down. The truth is, almost anyone trafficking in the kinds of commerce these guys courted also is building networks of money laundering business that become very tempting to use or lease out for other nefarious purposes, including human trafficking, and drug trafficking.