Entertainment payroll startup Wrapbook raises $27M round led by a16z

Wrapbook, a startup that simplifies the payroll process for TV, film and commercial productions, has raised $27 million in Series A funding from noteworthy names in both the tech and entertainment worlds.

The round was led by Andreessen Horowitz, with participation from Equal Ventures and Uncork Capital, as well as from WndrCo (the investment and holding company led by DreamWorks and Quibi founder/co-founder Jeffrey Katzenberg) and from CAA co-founder Michael Ovitz.

“It’s time we bring production financial services into the 21st century,” Katzenberg said in a statement. “We need a technology solution that will address the increasing complexities of production onboarding, pay and insuring cast and crew, only exacerbated by COVID-19, and I believe that Wrapbook delivers.”

Wrapbook co-founder and CEO Ali Javid explained that entertainment payroll has remained a largely old-fashioned, paper-based process, which can be particularly difficult to track as cast and crew move from project to project, up to 30 times in a single year. Wrapbook digitizes and simplifies the process — electronically collecting all the forms and signatures needed at the beginning of production, handling payroll itself, creating a dashboard to track payments and also making it easy to obtain the necessary insurance.

Wrapbook founders Cameron Woodward, Ali Javid, Hesham El-Nahhas and Naysawn Naji

Although the startup was founded in 2018, Javid told me that demand has increased dramatically as production resumed during the pandemic, with COVID-19 “totally” changing the industry’s culture and prompting production companies to say, “Hey, if there’s an easier, faster way to do this from my house, then yeah let’s look at it.”

Javid also described the Wrapbook platform as “a vertical fintech solution that’s growing really fast in an industry that we understand really well and not many others have thought about.” In fact, he said the company’s revenue grew 7x in 2020.

And while Wrapbook’s direct customers are the production companies, co-founder and CMO Cameron Woodward (who previously worked in filmmaking insurance and commercial production) said that the team has also focused on creating a good experience for the cast and crew who get paid through the platform — a growing number of them (12% thus far) have used their Wrapbook profiles to get paid on multiple productions.

Wrapbook growth chart (Image Credits: Wrapbook)

The startup previously raised $3.6 million in seed funding. Looking ahead, Javid and Woodward said that Wrapbook’s solution could eventually be adopted in other project-based industries. But for now, they see plenty of opportunity to continue growing within entertainment alone — they estimated that the industry currently sees $200 billion in annual payments.

“We’re going to double down on what’s working and build things out based on what customers have asked for within entertainment,” Javid said. “To that end, we’re working towards hiring 100 people in the next 12 months.”

Aqua Security raises $135M at a $1B valuation for its cloud native security service

Aqua Security, a Boston- and Tel Aviv-based security startup that focuses squarely on securing cloud-native services, today announced that it has raised a $135 million Series E funding round at a $1 billion valuation. The round was led by ION Crossover Partners. Existing investors M12 Ventures, Lightspeed Venture Partners, Insight Partners, TLV Partners, Greenspring Associates and Acrew Capital also participated. In total, Aqua Security has now raised $265 million since it was founded in 2015.

The company was one of the earliest to focus on securing container deployments. And while many of its competitors were acquired over the years, Aqua remains independent and is now likely on a path to an IPO. When it launched, the industry focus was still very much on Docker and Docker containers. To the detriment of Docker, that quickly shifted to Kubernetes, which is now the de facto standard. But enterprises are also now looking at serverless and other new technologies on top of this new stack.

“Enterprises that five years ago were experimenting with different types of technologies are now facing a completely different technology stack, a completely different ecosystem and a completely new set of security requirements,” Aqua CEO Dror Davidoff told me. And with these new security requirements came a plethora of startups, all focusing on specific parts of the stack.

Image Credits: Aqua Security

What set Aqua apart, Davidoff argues, is that it 1) became the best solution for container security and 2) realized that to succeed in the long run, it had to become a platform that would secure the entire cloud-native environment. About two years ago, the company made this switch from a product to a platform, as Davidoff describes it.

“There was a spree of acquisitions by CheckPoint and Palo Alto [Networks] and Trend [Micro],” Davidoff said. “They all started to acquire pieces and tried to build a more complete offering. The big advantage for Aqua was that we had everything natively built on one platform. […] Five years later, everyone is talking about cloud-native security. No one says ‘container security’ or ‘serverless security’ anymore. And Aqua is practically the broadest cloud-native security [platform].”

One interesting aspect of Aqua’s strategy is that it continues to bet on open source, too. Trivy, its open-source vulnerability scanner, is the default scanner for GitLab’s Harbor Registry and the CNCF’s Artifact Hub, for example.

“We are probably the best security open-source player there is because not only do we secure from vulnerable open source, we are also very active in the open-source community,” Davidoff said (with maybe a bit of hyperbole). “We provide tools to the community that are open source. To keep evolving, we have a whole open-source team. It’s part of the philosophy here that we want to be part of the community and it really helps us to understand it better and provide the right tools.”

In 2020, Aqua, which mostly focuses on mid-size and larger companies, doubled the number of paying customers and it now has more than half a dozen customers with an ARR of over $1 million each.

Davidoff tells me the company wasn’t actively looking for new funding. Its last funding round came together only a year ago, after all. But the team decided that it wanted to be able to double down on its current strategy and raise sooner than originally planned. ION had been interested in working with Aqua for a while, Davidoff told me, and while the company received other offers, the team decided to go ahead with ION as the lead investor (with all of Aqua’s existing investors also participating in this round).

“We want to grow from a product perspective, we want to grow from a go-to-market [perspective] and expand our geographical coverage — and we also want to be a little more acquisitive. That’s another direction we’re looking at because now we have the platform that allows us to do that. […] I feel we can take the company to great heights. That’s the plan. The market opportunity allows us to dream big.”

 

Microsoft Patch Tuesday, March 2021 Edition

On the off chance you were looking for more security to-dos from Microsoft today…the company released software updates to plug more than 82 security flaws in Windows and other supported software. Ten of these earned Microsoft’s “critical” rating, meaning they can be exploited by malware or miscreants with little or no help from users.

Top of the heap this month (apart from the ongoing, global Exchange Server mass-compromise) is a patch for an Internet Explorer bug that is seeing active exploitation. The IE weakness — CVE-2021-26411 — affects both IE11 and newer EdgeHTML-based versions, and it allows attackers to run a file of their choice by getting you to view a hacked or malicious website in IE.

The IE flaw is tied to a vulnerability that was publicly disclosed in early February by researchers at ENKI who claim it was one of those used in a recent campaign by nation-state actors to target security researchers. In the ENKI blog post, the researchers said they will publish proof-of-concept (PoC) details after the bug has been patched.

“As we’ve seen in the past, once PoC details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits,” said Satnam Narang, staff research engineer at Tenable. “We strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible.”

This is probably a good place to quote Ghacks.net’s Martin Brinkmann: This is the last patch hurrah for the legacy Microsoft Edge web browser, which is being retired by Microsoft.

For the second month in a row, Microsoft has patched scary flaws in the DNS servers on Windows Server 2008 through 2019 versions that could be used to remotely install software of the attacker’s choice. All five of the DNS bugs quashed in today’s patch batch earned a CVSS Score (danger metric) of 9.8 — almost as bad as it gets.

“There is the outside chance this could be wormable between DNS servers,” warned Trend Micro’s Dustin Childs.

As mentioned above, hundreds of thousands of organizations are in the midst of dealing with a security nightmare after having their Exchange Server and Outlook Web Access (OWA) hacked and retrofitted with a backdoor. If an organization you know has been affected by this attack, please have them check with the new victim notification website mentioned in today’s story.

Susan Bradley over at Askwoody.com says “nothing in the March security updates (besides the Exchange ones released last week) is causing me to want to urge you to go running to your machines and patch at this time.” I’d concur, unless of course you cruise the web with older Microsoft browsers.

It’s a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it’s usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any kinks in the new armor.

But before you update, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Additional reading:

Martin Brinkmann’s always comprehensive take.

The SANS Internet Storm Center no-frills breakdown of the fixes.

 

Warning the World of a Ticking Time Bomb

Globally, hundreds of thousands of organizations running Exchange email servers from Microsoft just got mass-hacked, including at least 30,000 victims in the United States. Each hacked server has been retrofitted with a “web shell” backdoor that gives the bad guys total, remote control, the ability to read all email, and easy access to the victim’s other computers. Researchers are now racing to identify, alert and help victims, and hopefully prevent further mayhem.

On Mar. 5, KrebsOnSecurity broke the news that at least 30,000 organizations and hundreds of thousands globally had been hacked. The same sources who shared those figures say the victim list has grown considerably since then, with many victims compromised by multiple cybercrime groups.

Security experts are now trying to alert and assist these victims before malicious hackers launch what many refer to with a mix of dread and anticipation as “Stage 2,” when the bad guys revisit all these hacked servers and seed them with ransomware or else additional hacking tools for crawling even deeper into victim networks.

But that rescue effort has been stymied by the sheer volume of attacks on these Exchange vulnerabilities, and by the number of apparently distinct hacking groups that are vying for control over vulnerable systems.

A security expert who has briefed federal and military advisors on the threat says many victims appear to have more than one type of backdoor installed. Some victims had three of these web shells installed. One was pelted with eight distinct backdoors. This initially caused a major overcount of potential victims, and required a great deal of de-duping various victim lists.

The source, who spoke on condition of anonymity, said many in the cybersecurity community recently saw a large spike in attacks on thousands of Exchange servers that was later linked to a profit-motivated cybercriminal group.

“What we thought was Stage 2 actually was one criminal group hijacking like 10,000 exchange servers,” said one source who’s briefed U.S. national security advisors on the outbreak.

On Mar. 2, when Microsoft released updates to plug the four Exchange flaws being attacked, it attributed the hacking activity to a previously unidentified Chinese cyber espionage group it called “Hafnium.” Microsoft said Hafnium had been using the Exchange flaws to conduct a series of low-and-slow attacks against specific strategic targets, such as non-governmental organizations (NGOs) and think tanks.

But by Feb. 26, that relatively stealthy activity was morphing into the indiscriminate mass-exploitation of all vulnerable Exchange servers. That means even Exchange users that patched the same day Microsoft released security updates may have had servers seeded with backdoors.

Many experts who spoke to KrebsOnSecurity said they believe different cybercriminal groups somehow learned of Microsoft’s plans to ship fixes for the Exchange flaws a week earlier than they’d hoped (Microsoft originally targeted today, Patch Tuesday, as the release date).

The vulnerability scanning activity also ramped up markedly after Microsoft released its updates on Mar. 2. Security researchers love to tear apart patches for clues about the underlying security holes, and one major concern is that various cybercriminal groups may have already worked out how to exploit the flaws independently.

AVERTING MASS-RANSOMWARE

Security experts now are desperately trying to reach tens of thousands of victim organizations with a single message: Whether you have patched yet or have been hacked, back up any data stored on those servers immediately.

Every source I’ve spoken with about this incident says they fully expect profit-motivated cybercriminals to pounce on victims by mass-deploying ransomware. Given that so many groups now have backdoor web shells installed, it would be trivial to unleash ransomware on the lot of them in one go. Also, compromised Exchange servers can be a virtual doorway into the rest of the victim’s network.

“With the number of different threat actors dropping [web] shells on servers increasing, ransomware is inevitable,” said Allison Nixon, chief research officer at Unit221B, a New York City-based cyber investigations firm.

So far there are no signs of victims of this mass-hack being ransomed. But that may well change if the exploit code used to break into these vulnerable Exchange servers goes public. And nobody I’ve interviewed seems to think working exploit code is going to stay unpublished for much longer.

When that happens, the exploits will get folded into publicly available exploit testing kits, effectively making it simple for any attacker to find and compromise a decent number of victims who haven’t already patched.

CHECK MY OWA

Nixon is part of a group of security industry leaders who are contributing data and time to a new victim notification platform online called Check My OWA (Outlook Web Access, the Internet-facing Web component of Exchange Server machines).

Checkmyowa.unit221b.com checks if your Exchange Server domain showed up in attack logs or lists of known-compromised domains.

Perhaps it’s better to call it a self-notification service that is operated from Unit221B’s own web site. Enter an email address at Check My OWA, and if that address matches a domain name for a victim organization, that email address will get a notice.

“Our goal is to motivate people who we might otherwise have never been able to contact,” Nixon said. “My hope is if this site can get out there, then there’s a chance some victim companies are notified and take action or can get att

If the email’s domain name (anything to the right of the @ sign) is detected in their database, the site will send that user an email stating that it has observed the email domain in a list of targeted domains.

“Malicious actors were able to successfully compromise, and some of this information suggested they may have been able to install a webshell on an Exchange server associated with this domain,” reads one of the messages to victims. “We strongly recommend saving an offline backup of your Exchange server’s emails immediately, and refer back to the site for additional information on patching and remediation.”

“We have observed your e-mail domain appears in our list of domains the malicious actors were able to successfully compromise, and some of this information suggested they may have been able to install a webshell on an Exchange server associated with this domain,” is another message the site may return.
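As an added illustration (not code from Unit221B or the Check My OWA site), here is a self-notification lookup in the shape described above: the domain to the right of the @ sign is normalized and checked against a list of domains seen in attack logs, and a notice is prepared only for the address that was entered. The domain list is a constructed placeholder, and treating an observed Exchange host such as mail.example.com as a match for the bare e-mail domain is an assumption that goes beyond the article.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed placeholder set of domains observed in attack logs or
# known-compromised lists. Not real victim data.
OBSERVED_DOMAINS: FrozenSet[str] = frozenset({
    "example-victim.test",
    "mail.another-org.example",   # an Exchange/OWA host, not the bare mail domain
})

NOTICE_TEXT = (
    "We have observed your e-mail domain appears in our list of domains the "
    "malicious actors were able to successfully compromise. We strongly "
    "recommend saving an offline backup of your Exchange server's emails "
    "immediately."
)


def extract_domain(email: str) -> str:
    """Return the normalized e-mail domain (everything right of the last '@').

    Raises ValueError when the input is not a usable address, so junk never
    reaches the lookup. Normalization: lowercase, trailing root dot stripped.
    """
    local, at, domain = email.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    if len(labels) < 2 or any(
        not lbl or not lbl.replace("-", "").isalnum() for lbl in labels
    ):
        raise ValueError(f"ill-formed domain in: {email!r}")
    return domain


def is_valid_address(email: str) -> bool:
    """True when extract_domain() accepts the address."""
    try:
        extract_domain(email)
        return True
    except ValueError:
        return False


def matching_domains(domain: str, observed: FrozenSet[str] = OBSERVED_DOMAINS) -> List[str]:
    """Observed entries that equal the domain or sit directly beneath it.

    Assumption (beyond the article): an observed Exchange host such as
    mail.another-org.example should trigger a notice for user@another-org.example.
    The leading dot on the suffix keeps 'org.example' from matching 'another-org.example'.
    """
    suffix = "." + domain
    return sorted(d for d in observed if d == domain or d.endswith(suffix))


@dataclass
class Notice:
    recipient: str        # only the address that was entered receives the notice
    domain: str
    matched: List[str]
    text: str = NOTICE_TEXT


def lookup(email: str, observed: FrozenSet[str] = OBSERVED_DOMAINS) -> Optional[Notice]:
    """Self-notification step: return the Notice to send, or None when nothing matched.

    Returning None (rather than a 'not compromised' message) avoids turning the
    service into an oracle that vouches for domains it simply has no data on.
    """
    domain = extract_domain(email)
    hits = matching_domains(domain, observed)
    if not hits:
        return None
    return Notice(recipient=email.strip(), domain=domain, matched=hits)


if __name__ == "__main__":
    for addr in ("Alice@Example-Victim.TEST.", "bob@another-org.example",
                 "nobody@unrelated.example"):
        result = lookup(addr)
        print(addr, "->", "notice" if result else "no notice",
              result.matched if result else "")
```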

Nixon said Exchange users can save themselves a potentially nightmarish scenario if they just back up any affected systems now. And given the number of adversaries currently attacking still-unpatched Exchange systems, there is almost no way this won’t end in disaster for at least some victims.

“There are researchers running honeypots to [attract] attacks from different groups, and those honeypots are getting shelled left and right,” she said. “The sooner they can run a backup, the better. This can help save a lot of heartache.”

Oh, and one more important thing: You’ll want to keep any backups disconnected from everything. Ransomware has a tendency to infect everything it can, so make sure at least one backup is stored completely offline.

“Just disconnect them from a computer, put them in a safe place and pray you don’t need them,” Nixon said.

McAfee sells enterprise biz to Symphony Technology Group for $4B

Security firm McAfee announced this morning that it will be selling its enterprise business to a consortium led by the private equity firm Symphony Technology Group for $4 billion.

It should pair well with RSA, another enterprise-focused security company the private equity firm purchased last February for $2 billion.

McAfee President and Chief Executive Officer Peter Leav says that his company has decided to direct the firm’s resources to the consumer side of the business. “This transaction will allow McAfee to singularly focus on our consumer business and to accelerate our strategy to be a leader in personal security for consumers,” he said in a statement.

The company has been making some moves in the last year, returning to the public markets after a decade as a private company. In January, the company reportedly laid off a couple of hundred employees and shut down its software development center in Tel Aviv.

Although Symphony did not point directly to the RSA acquisition, the two investments create a large combined legacy security business for the firm, both of which have strong brand recognition, but might have lost some of their edge to more modern competitors in the marketplace.

Looking at McAfee’s latest earnings report, Q4 2020, which the company reported on February 24, 2021, the consumer business grew at a much brisker rate than the enterprise side of the house. The former was up 23% YoY, while the latter grew at a far slower 5% rate.

As for the entire year, the company reported $2.9 billion in total FY2020 revenue, up 10% YoY. That broke down to $1.6 billion in consumer net revenue up 20% YoY, and $1.3 billion in enterprise net revenue, an increase of just 1% for the full year.

The company has a complex history, starting life in the 1980s selling firewall software. It eventually went public before being purchased by Intel for $7.7 billion in 2010 and going private again. In 2014, the company changed names to Intel Security before Intel sold a majority stake to TPG in 2017 for $4.2 billion and changed the name back to McAfee.

The transaction is expected to close by the end of this year, subject to regulatory oversight.



A Basic Timeline of the Exchange Mass-Hack

Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here’s a brief timeline of what we know leading up to last week’s mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program.

When did Microsoft find out about attacks on previously unknown vulnerabilities in Exchange?

Pressed for a date when it first became aware of the problem, Microsoft told KrebsOnSecurity it was initially notified “in early January.” So far the earliest known report came on Jan. 5, from a principal security researcher for security testing firm DEVCORE who goes by the handle “Orange Tsai.” DEVCORE is credited with reporting two of the four Exchange flaws that Microsoft patched on Mar. 2.

Reston, Va.-based Volexity first identified attacks on the flaws on Jan. 6, and officially informed Microsoft about it on Feb. 2. Volexity now says it can see attack traffic going back to Jan. 3. Microsoft credits Volexity with reporting the same two Exchange flaws as DEVCORE.

Danish security firm Dubex says it first saw clients hit on Jan. 18, and reported their incident response findings to Microsoft on Jan. 27.

In a blog post on their discovery, Please Leave an Exploit After the Beep, Dubex said the victims it investigated in January had a “web shell” backdoor installed via the “unifying messaging” module, a component of Exchange that allows an organization to store voicemail and faxes along with emails, calendars, and contacts in users’ mailboxes.

“A unified messaging server also allows users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App,” Dubex wrote. “Most users and IT departments manage their voicemail separately from their email, and voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone.”

Dubex says Microsoft “escalated” their issue on Feb. 8, but never confirmed the zero-day with Dubex prior to the emergency patch plea on Mar. 2. “We never got a ‘real’ confirmation of the zero-day before the patch was released,” said Dubex’s Chief Technology Officer Jacob Herbst.

How long have the vulnerabilities exploited here been around?

On Mar. 2, Microsoft patched four flaws in Exchange Server 2013 through 2019. Exchange Server 2010 is no longer supported, but the software giant made a “defense in depth” exception and gave Server 2010 users a freebie patch, too. That means the vulnerabilities the attackers exploited have been in the Microsoft Exchange Server code base for more than ten years.

The timeline also means Microsoft had almost two months to push out the patch it ultimately shipped Mar. 2, or else help hundreds of thousands of Exchange customers mitigate the threat from this flaw before attackers started exploiting it indiscriminately.

Here’s a rough timeline as we know it so far:

  • Jan. 5: DEVCORE alerts Microsoft of its findings.
  • Jan. 6: Volexity spots attacks that use unknown vulnerabilities in Exchange.
  • Jan. 8: DEVCORE reports Microsoft had reproduced the problems and verified their findings.
  • Jan. 11: DEVCORE snags proxylogon.com, a domain now used to explain its vulnerability discovery process.
  • Jan. 27: Dubex alerts Microsoft about attacks on a new Exchange flaw.
  • Jan. 29: Trend Micro publishes a blog post about “Chopper” web shells being dropped via Exchange flaws (but attributes cause as Exchange bug Microsoft patched in 2020)
  • Feb. 2: Volexity warns Microsoft about active attacks on previously unknown Exchange vulnerabilities.
  • Feb. 8: Microsoft tells Dubex it has “escalated” its report internally.
  • Feb. 18: Microsoft confirms with DEVCORE a target date of Mar. 9 (tomorrow) for publishing security updates for the Exchange flaws. That is the second Tuesday of the month — a.k.a. “Patch Tuesday,” when Microsoft releases monthly security updates (and yes that means check back here tomorrow for the always riveting Patch Tuesday roundup).
  • Feb. 26-27: Targeted exploitation gradually turns into a global mass-scan; attackers start rapidly backdooring vulnerable servers.
  • Mar. 2: A week earlier than previously planned, Microsoft releases updates to plug 4 zero-day flaws.
  • Mar. 2: DEVCORE researcher Orange Tsai (noted for finding and reporting some fairly scary bugs in the past) jokes that nobody guessed Exchange as the source of his Jan. 5 tweet about “probably the most serious [remotely exploitable bug] I have ever reported.”
  • Mar. 3: Tens of thousands of Exchange servers compromised worldwide, with thousands more servers getting freshly hacked each hour.
  • Mar. 4: White House National Security Advisor Jake Sullivan tweets about importance of patching Exchange flaws, and how to detect if systems are already compromised.
  • Mar. 5, 1:26 p.m. ET: In live briefing, White House press secretary Jen Psaki expresses concern over the size of the attack.
  • Mar. 5, 4:07 p.m. ET: KrebsOnSecurity breaks the news that at least 30,000 organizations in the U.S. — and hundreds of thousands worldwide — now have backdoors installed.
  • Mar. 5, 6:56 p.m. ET: Wired.com confirms the reported number of victims.
  • Mar. 5, 8:04 p.m. ET: Former CISA head Chris Krebs tweets the real victim numbers “dwarf” what’s been reported publicly.
  • Mar. 6: CISA says it is aware of “widespread domestic and international exploitation of Microsoft Exchange Server flaws.”
  • Mar. 7-Present: Security experts continue effort to notify victims, coordinate remediation, and remain vigilant for “Stage 2” of this attack (further exploitation of already-compromised servers).

Update, 12:11 p.m. ET: Correct link to Dubex site (it’s Dubex.dk). Also clarified timing of White House press statement expressing concern over the number of the Exchange Server compromises. Corrected date of Orange Tsai tweet.

The Good, the Bad and the Ugly in Cybersecurity – Week 10

The Good

Are cyberattacks on cyberattackers (aka ‘hacking back’) good news or bad news? While that question elicits mixed responses among security professionals, we can’t help but feel that when darknet criminals start to ask “are darkweb forums safe anymore?” this must be a good thing for the security of the rest of us. This week has seen the latest in a series of attacks on darknet forums where criminals regularly sell malware, credit card details, account credentials and leaked or stolen data.

Mazafuka (aka ‘Maza’) is a darknet criminal forum that’s been around so long many cyber pros were surprised to hear it was still in existence this week, when news broke that the Russian cybercrime forum had been the victim of a hack. Almost 3,000 user records containing user IDs, names, passwords and other social media contact info were leaked, with the latter likely of huge interest to LEAs around the world.

Several weeks previously, another Russian-speaking hacker forum ‘Verified’ was forcibly taken over by unknown intruders. Hacktivists, deep-cover law enforcement or a rival gang are all possibilities, although in a public post the attackers claimed to be “like-minded” and insisted they only wanted to develop and improve the site. Whether the shady users of the site will trust this new enforced management remains to be seen. These attacks followed in the wake of similar hacks on carding forum ‘Club2Crd’ and darknet website ‘Dread’ last month.

If such hacks are disrupting the ability of cyber criminals to profit from their misdeeds, we reckon it’s worth counting as good news. And besides, whether you take pleasure in the bad guys getting a taste of their own medicine or not, it just goes to show you can never take cybersecurity for granted, whichever side of the law you are on.

The Bad

A Chinese APT group that Microsoft have dubbed ‘Hafnium’ (otherwise known as the chemical element Hf) have been fingered for ITW attacks targeting Microsoft Exchange Server, it was revealed this week. The Redmond tech giant was forced to release an out-of-band security update to patch seven vulnerabilities affecting MS Exchange products as old as 2013.

Microsoft said that they were aware of active exploits in the wild leveraging four of the patched vulnerabilities. CISA also released an advisory the following day warning that attackers could use the flaws to gain persistent system access and control of an enterprise network, stating that this “poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action”.

In a separate post, Microsoft said the state-sponsored Hafnium group had been utilizing the zero day vulnerabilities to steal data from U.S. organizations, specifically via CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

SentinelOne has released its own advisory, technical review, IoCs and guidance for SentinelOne customers here.

The Ugly

Nobody expected the hack of the year (decade? century?), aka the SolarWinds breach, to go away anytime soon, and so it’s not entirely a surprise to hear that Microsoft have reported three new strains of malware likely associated with the APT espionage campaign, widely-believed to be of Russian intelligence origin.

In a report yesterday, Microsoft researchers dubbed the three new strains Sibot, GoldFinder and GoldMax (the latter is also being tracked as SUNSHUTTLE by FireEye). While we’re on naming conventions, Microsoft have also chosen to label the APT behind the entire campaign as ‘Nobelium’ (which happens to be a synthetic, radioactive chemical element with the atomic number of 102, in case you were wondering!); the significance of the name choices was not explained.

Sibot refers to three variants of a VBScript that download a malicious DLL from a compromised website, while GoldFinder and GoldMax are both malware tools written in Go (Golang).

GoldFinder appears to be a custom HTTP tracer tool for logging the route a packet takes to reach the attacker’s C2 server. The threat actors can use the tool to identify proxy servers and network security devices, aiding discovery of other potential points of ingress. GoldMax functions as a backdoor and allows the attacker to securely communicate with a C2 and to launch commands on the victim’s device. Comprehensive details and IoCs are available here.

The significance of finding further late-stage malware tools in compromised systems should not be underestimated. The full impact of the SolarWinds breach is still unfolding, and enterprise security teams are encouraged to remain vigilant and proactive in following up on these developments.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Snowflake latest enterprise company to feel Wall Street’s wrath after good quarter

Snowflake reported earnings this week, and the results look strong with revenue more than doubling year-over-year.

However, while the company’s fourth quarter revenue rose 117% to $190.5 million, it apparently wasn’t good enough for investors, who have sent the company’s stock tumbling since it reported Wednesday after the bell.

It was similar to the reaction that Salesforce received from Wall Street last week after it announced a positive earnings report. Snowflake’s stock closed down around 4% today, a recovery compared to its midday lows when it was off nearly 12%.

Why the declines? Wall Street’s reaction to earnings can lean more on what a company will do next more than its most recent results. But Snowflake’s guidance for its current quarter appeared strong as well, with a predicted $195 million to $200 million in revenue, numbers in line with analysts’ expectations.

Sounds good, right? Apparently being in line with analyst expectations isn’t good enough for investors for certain companies. You see, it didn’t exceed the stated expectations, so the results must be bad. I am not sure how meeting expectations is as good as a miss, but there you are.

It’s worth noting of course that tech stocks have taken a beating so far in 2021. And as my colleague Alex Wilhelm reported this morning, that trend only got worse this week. Consider that the tech-heavy Nasdaq is down 11.4% from its 52-week high, so perhaps investors are flogging everyone and Snowflake is merely caught up in the punishment.

Snowflake CEO Frank Slootman pointed out in the earnings call this week that Snowflake is well positioned, something proven by the fact that his company has removed the data limitations of on-prem infrastructure. The beauty of the cloud is limitless resources, and that forces the company to help customers manage consumption instead of usage, an evolution that works in Snowflake’s favor.

“The big change in paradigm is that historically in on-premise data centers, people have to manage capacity. And now they don’t manage capacity anymore, but they need to manage consumption. And that’s a new thing for — not for everybody but for most people — and people that are in the public cloud. I have gotten used to the notion of consumption obviously because it applies equally to the infrastructure clouds,” Slootman said in the earnings call.

Snowflake has to manage expectations, something that translated into a dozen customers paying $5 million or more on a trailing 12 month basis, according to the company. That’s a nice chunk of change by any measure. It’s also clear that while there is a clear tilt toward the cloud, the amount of data that has been moved there is still a small percentage of overall enterprise workloads, meaning there is lots of growth opportunity for Snowflake.

What’s more, Snowflake executives pointed out that there is a significant ramp up time for customers as they shift data into the Snowflake data lake, but before they push the consumption button. That means that as long as customers continue to move data onto Snowflake’s platform, they will pay more over time, even if it will take time for new clients to get started.

So why is Snowflake’s quarterly percentage growth not expanding? Well, as a company gets to the size of Snowflake, it gets harder to maintain those gaudy percentage growth numbers as the law of large numbers begins to kick in.

I’m not here to tell Wall Street investors how to do their job, any more than I would expect them to tell me how to do mine. But when you look at the company’s overall financial picture, the amount of untapped cloud potential and the nature of Snowflake’s approach to billing, it’s hard not to be positive about this company’s outlook, regardless of the reaction of investors in the short term.

Note: This article originally stated the company had a dozen customers paying $5 million or more per month. It’s actually on a trailing 12 month basis and we have updated the article to reflect that.

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.

In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.

In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.

Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.

Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Microsoft’s initial advisory about the Exchange flaws credited Reston, Va.-based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.

But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.

“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

Reached for comment, Microsoft said it is working closely with the U.S. Cybersecurity & Infrastructure Security Agency (CISA), other government agencies, and security companies, to ensure it is providing the best possible guidance and mitigation for its customers.

“The best protection is to apply updates as soon as possible across all impacted systems,” a Microsoft spokesperson said in a written statement. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”

Meanwhile, CISA has issued an emergency directive ordering all federal civilian departments and agencies running vulnerable Microsoft Exchange servers to either update the software or disconnect the products from their networks.

Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.

A tweet from Chris Krebs, former director of the Cybersecurity & Infrastructure Security Agency, responding to a tweet from White House National Security Advisor Jake Sullivan.

White House press secretary Jen Psaki told reporters today the vulnerabilities found in Microsoft’s widely used Exchange servers were “significant,” and “could have far-reaching impacts.”

“We’re concerned that there are a large number of victims,” Psaki said.

By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.

Security researchers have published several tools for detecting vulnerable servers. One of those tools, a script from Microsoft’s Kevin Beaumont, helps companies identify exposed servers.

KrebsOnSecurity has seen portions of a victim list compiled by running such a tool, and it is not a pretty picture. The backdoor web shell is verifiably present on the networks of thousands of U.S. organizations, including banks, credit unions, non-profits, telecommunications providers, public utilities and police, fire and rescue units.

“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”

Another government cybersecurity expert who participated in a recent call with multiple stakeholders impacted by this hacking spree worries the cleanup effort required is going to be Herculean.

“On the call, many questions were from school districts or local governments that all need help,” the source said, speaking on condition they were not identified by name. “If these numbers are in the tens of thousands, how does incident response get done? There are just not enough incident response teams out there to do that quickly.”

When it released patches for the four Exchange Server flaws on Tuesday, Microsoft emphasized that the vulnerability did not affect customers running its Exchange Online service (Microsoft’s cloud-hosted email for businesses). But sources say the vast majority of the organizations victimized so far are running some form of Internet-facing Microsoft Outlook Web Access (OWA) email systems in tandem with Exchange servers internally.

“It’s a question worth asking, what’s Microsoft’s recommendation going to be?,” the government cybersecurity expert said. “They’ll say ‘Patch, but it’s better to go to the cloud.’ But how are they securing their non-cloud products? Letting them wither on the vine.”

The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.

“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”

Microsoft has said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.

“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.

Nevertheless, the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.

This is a fast-moving story, and likely will be updated multiple times throughout the day. Stay tuned.

Update, 8:27 p.m. ET: Wired cybersecurity reporter Andy Greenberg has confirmed hearing the same victim numbers cited in this report: “It’s massive. Absolutely massive,” one former national security official with knowledge of the investigation told WIRED. “We’re talking thousands of servers compromised per hour, globally.” Read Greenberg’s account here.

Also, the first and former director of CISA, Chris Krebs (no relation) seems to be suggesting on Twitter that the victim numbers cited here are conservative (or just outdated already):

Update 8:49 p.m.: Included a link to one of the more recommended tools for finding systems vulnerable to this attack.

Update, 10:17 p.m.: Added mention from Reuters story, which said White House officials are concerned about “a large number of victims.”

Feature Spotlight: ML Device Fingerprinting with Singularity Ranger®

Knowing what is on your network is fundamental to securing your IT infrastructure. A single compromised device gives adversaries a foothold from which they can move laterally and take what is yours. Unfortunately, there is no common means for IP-enabled devices to identify themselves. Singularity Ranger from SentinelOne finds and fingerprints every device connected to your network. Our advanced machine learning algorithms, integral to the Sentinel agent, identify the operating system, type, and role of each device on your network. As a result, security professionals have more up-to-date information on, and better visibility into, what is on their network, so that they are more fully equipped to make better risk management decisions.

Alternatives and Limitations

Various passive and active scanning techniques have been available in both open source and commercial solutions for some time, but all these previous attempts have problems which limit their effectiveness.

Active fingerprinting, the process of sending pings and messages and using the responses to infer device information, misses information that is only sent passively. Then there are firewalls, bandwidth considerations, device functional impairment, and interoperability issues with network security solutions (i.e., alert storms and response).

While passive fingerprinting – listening for broadcast data packets – addresses some of these limitations, it is difficult to deploy in advanced network topologies, increasing deployment and maintenance costs. Moreover, data traffic is increasingly encrypted, limiting the effectiveness of many passive solutions beyond Layer 4.

Asset inventorying does not have to be this complicated.

Device Fingerprinting with Ranger

Ranger is uniquely positioned to solve these challenges via a combination of manual rules, MAC addressing, and our AI-driven Sentinel agents. First, Ranger transforms Sentinel agents into distributed network sensors, and it is these Sentinels which play an important role in training the fingerprinting model. Ranger combines passive and active scanning techniques with manual rules and MAC address information to deliver superior device fingerprinting, with no additional hardware or software to deploy. This saves customers time, money, and headache.

Our hierarchical machine learning model consists of three layers. The first model layer narrows in on the OS family, such as Windows, Linux, Android, and macOS. The next layer pinpoints the specific OS version, and the final layer identifies the specific device role and/or type.

Each device with a Sentinel agent reports details on its OS to the SentinelOne Cloud, and while SentinelOne supports a wide range of Linux distributions (among others), there are certain IoT devices which, due to device hardware or software limitations, cannot take a Sentinel agent.

Therefore, Sentinel agents also passively “listen” for broadcast information from any new devices, and then efficiently and actively scan these devices for more clues. These scan settings are highly configurable by subnet, so the admin controls what is scanned, when, and by what method.

This information is aggregated and used together with MAC address information. This is where SentinelOne partnered with SAM Seamless Network. SAM provides MAC-based fingerprinting for tens of thousands of device models, from smartphones to a wide variety of IoT devices commonly found in small and large networks alike. SAM algorithms continuously learn how to fingerprint devices based solely on their MAC address. By partnering with SAM, SentinelOne quickly augmented our ML model with SAM’s focused expertise based upon millions of connected devices worldwide.

SentinelOne takes care to not overfit the model to manual rules or MAC address prefixes, which would limit the model’s ability to generalize. Whereas a manual rules-only model is costly to develop, maintain, and improve, SentinelOne’s fingerprinting model becomes smarter with every device it sees. SentinelOne customers need only toggle Ranger ON, and the ML model gets right to work.
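To make the three-layer approach above concrete, here is an added illustration (not SentinelOne’s or Ranger’s code) of a hierarchical fingerprint that narrows OS family, then version, then device role, combining an agent report, passive clues (DHCP vendor class, IP TTL), an active banner probe and a MAC OUI lookup, and that flags agent deployment gaps. The OUI table, vendor rules and observations are all constructed placeholders, not real IEEE assignments or real devices.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed OUI table: the first three octets of a MAC identify the vendor.
# These prefixes and vendor names are placeholders, not real IEEE assignments.
OUI_VENDORS = {"00:1A:2B": "ExampleCam", "3C:4D:5E": "ExamplePhone"}

# Constructed manual rules for agentless IoT: vendor -> (OS family, device role).
VENDOR_RULES = {"ExampleCam": ("Linux", "ip-camera"),
                "ExamplePhone": ("Android", "smartphone")}


@dataclass
class Observation:
    mac: str
    agent_os: str = ""            # full OS string reported by an installed agent
    dhcp_vendor: str = ""         # DHCP vendor class (option 60) heard passively
    ttl: Optional[int] = None     # IP TTL of a packet heard passively
    banner: str = ""              # banner returned by an active probe, if any


@dataclass
class Fingerprint:
    vendor: str = "unknown"
    family: str = "unknown"
    version: str = "unknown"
    role: str = "unknown"
    evidence: List[str] = field(default_factory=list)


def lookup_vendor(mac: str) -> str:
    """Layer 0: MAC OUI lookup (the SAM-style vendor clue)."""
    return OUI_VENDORS.get(mac.upper()[:8], "unknown")


def fingerprint(obs: Observation) -> Fingerprint:
    fp = Fingerprint(vendor=lookup_vendor(obs.mac))
    # Layer 1: OS family. An agent report is authoritative; otherwise fall back
    # to the vendor rule, then to passive clues.
    if obs.agent_os:
        fp.family = obs.agent_os.split()[0]
        fp.evidence.append("agent")
    elif fp.vendor in VENDOR_RULES:
        fp.family = VENDOR_RULES[fp.vendor][0]
        fp.evidence.append("oui-rule")
    elif "MSFT" in obs.dhcp_vendor.upper():
        fp.family = "Windows"
        fp.evidence.append("dhcp-vendor-class")
    elif obs.ttl is not None:
        # Windows uses an initial TTL of 128; Linux, Android and macOS use 64.
        fp.family = "Windows" if obs.ttl > 64 else "Unix-like"
        fp.evidence.append("ttl")
    # Layer 2: OS version, refined only within the family chosen above.
    if obs.agent_os:
        fp.version = obs.agent_os
    elif fp.family == "Unix-like" and obs.banner.startswith("SSH-2.0-"):
        parts = obs.banner.split(" ", 1)   # distro hint follows the first space
        fp.version = parts[1] if len(parts) > 1 else parts[0][len("SSH-2.0-"):]
        fp.evidence.append("ssh-banner")
    # Layer 3: device role.
    if fp.vendor in VENDOR_RULES:
        fp.role = VENDOR_RULES[fp.vendor][1]
    elif obs.agent_os:
        fp.role = "server" if "Server" in obs.agent_os else "workstation"
    elif obs.banner.startswith("SSH-2.0-"):
        fp.role = "ssh-host"
    return fp


def agent_gaps(observations: List[Observation]) -> List[str]:
    """MACs of devices seen on the network that report no agent."""
    return [o.mac for o in observations if not o.agent_os]
```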

Summary

Through better fingerprinting, customers are better able to protect their networks. By more accurately categorizing IoT devices on your network, you more completely understand risk which, in turn, informs better corrective action planning.

Identify your agent deployment gaps, quantify your exposure to device-based threats like Ripple20, and prevent vulnerable devices from becoming compromised devices.

Ranger helps you to:

  • take immediate actions based on the risk image
  • isolate devices
  • set tags on devices to group them
  • apply device review statuses to mark as Not Trusted, Suspicious or Allowed.

If you would like to learn more about our device fingerprinting methods, read our whitepaper, Advanced Device Fingerprinting with Singularity Ranger. Let’s work together to discover and protect what is yours.
