The Good, the Bad and the Ugly in Cybersecurity – Week 38

The Good

If you’ve been following security news for the last couple of years you may well remember the CCleaner and ASUS ShadowHammer supply chain attacks. Great news this week: five Chinese individuals thought to be responsible for those and more than 100 other hacks have been indicted by the U.S. government. More formally known as APT41, the group have also been behind ransomware attacks and cryptominer infections.

Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan and Fu Qiang remain at large, almost certainly in China, and the chances of arrest remain slim so long as they eschew international travel. However, two Malaysian businessmen, Wong Ong Hua and Ling Yang Ching, who helped the gang profit from stolen game currencies are facing extradition from Malaysia to the U.S. and could well see jail time.

The identification of the Chinese gang members came along with the seizure of hundreds of accounts, servers, domain names and other internet assets. Neither the indictment nor the seizures are likely to stop the gang from engaging in further operations, but their identification and the insight gained into their close relationship with the Chinese Ministry of Public Security sends a strong signal to such actors that they can no longer be certain of anonymity or immunity from international sanction.

The Bad

Still with China, CISA issued an advisory this week that Chinese-affiliated nation-state actors are targeting U.S. government agencies in a new wave of attacks leveraging OSINT and publicly available tools. The hackers’ toolkits include pentester favorites such as Shodan, Cobalt Strike and Mimikatz.

On top of that, the threat actors have been exploiting well-known but unpatched networking software vulnerabilities such as CVE-2019-11510 (Pulse Secure VPN), CVE-2019-19781 (Citrix VPN), CVE-2020-0688 (MS Exchange Servers) and CVE-2020-5902 (F5 Networks Big-IP TMUI).

Unpatched VPN software has long been a cause of concern, and this isn’t the first time that CISA have warned companies about APTs targeting critical infrastructure sectors.

The latest advisory also notes that:

To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents’ names and extensions (e.g., from “.rar” to “.jpg”) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks’ “recycle bins”.

CISA advise organizations to implement robust configuration and patch management programs to prevent attackers making easy use of common vulnerabilities and off-the-shelf tools. While that’s certainly a minimum, some robust EDR should be top of your priority list, too.
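The concealment described in the advisory (RAR archives renamed to innocuous extensions such as “.jpg” and parked in recycle bins) is detectable without any knowledge of the ransomware itself: the file's leading bytes still say RAR. The following is an added detection example, not code from the advisory or from SentinelOne; the sample directory tree it scans is constructed inline, and the signature table and the `EXPECTED` extension map are the author's own assumptions about which content types an extension may legitimately carry.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Well-known leading bytes of the formats we care about.
SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),  # RAR 4.x / RAR 5.x
    "zip": (b"PK\x03\x04",),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Content types we treat as "archive": these are what the advisory says gets disguised.
ARCHIVE_TYPES = {"rar", "zip"}

# Assumption: which content types an extension may legitimately carry.
# Office documents are ZIP containers, so they must not be flagged.
EXPECTED: Dict[str, set] = {
    "rar": {"rar"}, "zip": {"zip"},
    "jpg": {"jpg"}, "jpeg": {"jpg"}, "png": {"png"},
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"},
}


def detect_type(header: bytes) -> Optional[str]:
    """Return the content type implied by the file's first bytes, if known."""
    for name, sigs in SIGNATURES.items():
        if any(header.startswith(sig) for sig in sigs):
            return name
    return None


def check_file(path: Path) -> Optional[dict]:
    """Flag a file whose bytes say 'archive' but whose extension says otherwise."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    actual = detect_type(header)
    ext = path.suffix.lower().lstrip(".")
    if actual in ARCHIVE_TYPES and actual not in EXPECTED.get(ext, set()):
        return {
            "path": str(path),
            "extension": ext or "(none)",
            "content": actual,
            # A disguised archive sitting in a recycle bin matches the advisory's
            # description closely enough to deserve extra attention.
            "in_recycle_bin": any(p.lower() == "$recycle.bin" for p in path.parts),
        }
    return None


def scan_tree(root: Path) -> List[dict]:
    """Walk a directory tree and collect extension/content mismatches, sorted by path."""
    findings: List[dict] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            try:
                finding = check_file(Path(dirpath) / name)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def build_sample(root: Path) -> Path:
    """Constructed sample tree: two disguised archives and three benign files."""
    (root / "$Recycle.Bin").mkdir()
    samples = {
        "report.jpg": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,   # RAR5 posing as a photo
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,          # genuine JPEG header
        "backup.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 32,         # RAR4 with honest name
        "summary.docx": b"PK\x03\x04" + b"\x00" * 32,              # Office doc: a ZIP, legitimately
        "$Recycle.Bin/thumb.png": b"Rar!\x1a\x07\x00" + b"\x00" * 32,  # RAR4 hidden in the bin
    }
    for rel, content in samples.items():
        (root / rel).write_bytes(content)
    return root


def run_demo() -> List[dict]:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample(Path(tmp)))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['path']}: .{f['extension']} file is really {f['content']}"
              + ("  [in recycle bin]" if f["in_recycle_bin"] else ""))
```

The same check generalises to any signature you add to `SIGNATURES`; the timestamp manipulation the advisory also mentions is not covered here, since it needs a reference clock (file-system journal or backup metadata) that a single file does not carry.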

The Ugly

This week’s Ugly is a sad tale of how the unintended consequences of a cyber attack can end in real-life tragedy. What appears to have been an attempt at a ransomware attack on a German university by inexperienced hackers ended up encrypting 30 servers in a nearby hospital. The malware dropped a ransom note in the usual way, naming the university directly and providing a means of contact to arrange payment.

The operators were no doubt surprised to hear directly from Düsseldorf police rather than the university administrators. The police informed them that they had missed their intended target and had in fact put the lives of patients at the Düsseldorf University Clinic in jeopardy. The ransomware had crashed the hospital’s servers forcing administrators to redirect emergency admissions to other locations. One patient who needed urgent admission was redirected to a hospital 32km away; this caused an hour’s delay before doctors could treat her for a life-threatening condition. Sadly, due to the delay, there was little they could do and she passed away.

The hackers did provide the police with a decryption key without payment, but have otherwise remained uncontactable. It appears the compromise targeted a software vulnerability in “commercially available software”, which has since been patched. It is not known which strain of ransomware was used, but reportedly no data was exfiltrated.

The police continue to investigate and hope to bring charges of ‘negligent manslaughter’. If ever there was a lesson to make those who think hacking might be a “fun”, “easy way to make money” that “doesn’t do anyone any harm” step back and think again, then this is surely it.




Salesforce announces 12,000 new jobs in the next year just weeks after laying off 1,000

In a case of bizarre timing, Salesforce announced it was laying off 1,000 employees at the end of last month just a day after announcing a monster quarter with over $5 billion in revenue, putting the company on a $20 billion revenue run rate for the first time. The juxtaposition was hard to miss.

Earlier today, Salesforce CEO and co-founder Marc Benioff announced in a tweet that the company would be hiring 4,000 new employees in the next six months, and 12,000 in the next year. While it seems like a mixed message, it’s probably more about reallocating resources to areas where they are needed more.

While Salesforce wouldn’t comment further on the hirings, the company has obviously been doing well in spite of the pandemic, which has had an impact on customers. In the prior quarter, the company forecasted that it would have slower revenue growth due to giving some customers facing hard times with economic downturn time to pay their bills.

That’s why it was surprising when the CRM giant announced its earnings in August and that it had done so well in spite of all that. While the company was laying off those 1,000 people, it did indicate it would give those employees 60 days to find other positions in the company. With these new jobs, assuming they are positions the laid-off employees are qualified for, they could have a variety of positions from which to choose.

The company had 54,000 employees when it announced the layoffs, which accounted for 1.9% of the workforce. If it ends up adding the 12,000 news jobs in the next year, that would put the company at approximately 65,000 employees by this time next year.

SaaS Ventures takes the investment road less traveled

Most venture capital firms are based in hubs like Silicon Valley, New York City and Boston. These firms nurture those ecosystems and they’ve done well, but SaaS Ventures decided to go a different route: it went to cities like Chicago, Green Bay, Wisconsin and Lincoln, Nebraska.

The firm looks for enterprise-focused entrepreneurs who are trying to solve a different set of problems than you might find in these other centers of capital, issues that require digital solutions but might fall outside a typical computer science graduate’s experience.

SaaS Ventures looks at four main investment areas: trucking and logistics, manufacturing, e-commerce enablement for industries that have not typically gone online, and cybersecurity, the latter being the most mainstream of the areas SaaS Ventures covers.

The company’s first fund, which launched in 2017, was worth $20 million, but SaaS Ventures launched a second fund of equal amount earlier this month. It tends to stick to small-dollar-amount investments, while partnering with larger firms when it contributes funds to a deal.

We talked to Collin Gutman, founder and managing partner at SaaS Ventures, to learn about his investment philosophy, and why he decided to take the road less traveled for his investment thesis.

A different investment approach

Gutman’s journey to find enterprise startups in out of the way places began in 2012 when he worked at an early enterprise startup accelerator called Acceleprise. “We were really the first ones who said enterprise tech companies are wired differently, and need a different set of early-stage resources,” Gutman told TechCrunch.

Through that experience, he decided to launch SaaS Ventures in 2017, with several key ideas underpinning the firm’s investment thesis: after his experience at Acceleprise, he decided to concentrate on the enterprise from a slightly different angle than most early-stage VC establishments.

Collin Gutman, founder and managing partner at SaaS Ventures (Image Credits: SaaS Ventures)

The second part of his thesis was to concentrate on secondary markets, which meant looking beyond the popular startup ecosystem centers and investing in areas that didn’t typically get much attention. To date, SaaS Ventures has made investments in 23 states and Toronto, seeking startups that others might have overlooked.

“We have really phenomenal coverage in terms of not just geography, but in terms of what’s happening with the underlying businesses, as well as their customers,” Gutman said. He believes that broad second-tier market data gives his firm an upper hand when selecting startups to invest in. More on that later.

How Ransomware Attacks Are Threatening Our Critical Infrastructure

Threat actors are increasingly targeting critical infrastructure with ransomware, according to independent reports recently. In February, a natural gas compression facility was attacked by ransomware, forcing it to shut operations for two days. Healthcare companies and research labs have been aggressively targeted since the onset of the COVID-19 pandemic. And now, a new academic project from Temple University in Philadelphia tracking ransomware attacks on critical infrastructure over the last seven years shows that 2019 and 2020 saw a sharp increase, accounting for more than half of all reported incidents over the entire period. In this post, we look at the latest data and explore how such attacks can be prevented.

What is Critical Infrastructure?

According to CISA (the Cybersecurity & Infrastructure Security Agency), “critical infrastructure” is the “assets, systems, and networks” that are vital to the functioning of the economy, public health and national security. Attacks that affect critical infrastructure risk having “debilitating effects” on the country’s ability to function.

CISA says critical infrastructure is spread over 16 sectors, namely: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Defense, Education, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare, Information Technology, Nuclear, Transportation, and Water systems.

That’s a considerable attack surface, made all the more vulnerable by the fact that organizations in many of those sectors are publicly funded and often lack both the budget and the expertise of large, well-resourced private enterprises. The spate of ransomware attacks since 2018 on hospitals, schools and cities like Atlanta, Greenville, Baltimore and Riviera Beach City Council are some of the more high-profile cases in point.

How Frequent Are Ransomware Attacks on Critical Infrastructure?

Ransomware attacks on critical infrastructure have risen dramatically in the last two years, and all the indications are that this is a trend that will continue as ransomware tools and RaaS offerings become increasingly available and lower the bar to entry for cyber criminals without technical skills of their own.

Over the last 7 years, the public data collated by Temple University shows that there have been almost 700 ransomware attacks on critical infrastructure; that’s an average of just under 100 per year, but in fact over half of those have occurred since 2019. 440 attacks in less than two years (we still have around four months more of data to collect for 2020) presently equates to around 5 critical infrastructure ransomware attacks every week.

The attacks cut across all CI sectors, from food and agriculture to manufacturing, public health and even education. The defense sector has also been targeted, and so too, worryingly in one case, has the nuclear industry.

By far most ransomware attacks on critical infrastructure in recent years have targeted government-run facilities, with 199 reporting ransomware attacks. Education is not far behind that with 106 reports, followed by 61 reported ransomware incidents targeting Emergency Services.

Who Is Responsible for Attacks on Critical Infrastructure?

Attacks against critical infrastructure targets have become increasingly frequent with the prevalence of off-the-shelf ransomware tools like Netwalker sold on the darknet. It’s no surprise to see Maze top of the list of ransomware used in such attacks, as Maze has been on something of a rampage over the last 12 months or so, bringing with it the threat not only of encrypting data but also exfiltrating it to use as leverage against victims unwilling to pay.

It’s a tactic that’s been copied by REvil, Snatch, Netwalker, DoppelPaymer, Nemty and other ransomware operators. The general strategy is: don’t rely on your backups or technical solutions to get you out of trouble, because if you do we’ll just sell or publicise your IP and confidential data anyway.

Aside from Maze, which reportedly was used in at least 57 incidents against critical infrastructure, WannaCry’s “15 minutes of fame” led to it accounting for some 33 attacks on businesses in the 16 essential sectors, the same number as each of the more recent and still ubiquitous Ryuk and REvil/Sodinokibi ransomware strains.

Other ransomware strains reportedly involved in critical infrastructure attacks include DoppelPaymer (12), Netwalker (11), BitPaymer (8), CryptoLocker (7) and CryptoWall (5).

How Much Does A Critical Infrastructure Ransomware Attack Cost?

Unlike APTs and nation-state actors who may look for inroads into critical infrastructure for espionage or sabotage, cyber criminals using ransomware are typically interested in one thing: the financial payoff. To that end, the amount of ransom demanded in 13 recorded cases exceeded 5 million dollars, with another 13 recorded as between $1m and $5m. Some 31 ransomware incidents demanded $1m or less, while 66 sought $50,000 or less.

As noted above, the prevalence of ransomware has increased proportionally to its availability to technically low-level, likely “first-time” cyber criminals. This is evidenced by statistics showing that 54 ransomware attacks against critical infrastructure targets demanded $1,000 or less. Possibly, these actors had taken a “shotgun” or “scattergun” approach to infect random targets and were not fully aware of the nature of the organization they had compromised. Also, some RaaS tools set a fairly low ransom limit on first-time buyers and newbies “trying out” the software to entice these actors to pay for “premium services” after getting a taste of success.

How Can We Protect Critical Infrastructure Against Ransomware?

With the nature of modern ransomware attacks now being to exfiltrate data as well as encrypt files, the key to ransomware defense is prevention; in other words, preventing the attackers from getting in where possible, and detecting and blocking them as early as possible in the threat lifecycle where not.

This requires, first and foremost, visibility into your network. What devices are connected and what are they? Discovery and fingerprinting through both active and passive discovery are a prerequisite for defending against intruders. It’s also important to control access, harden configurations and mitigate vulnerabilities through frequent patching. Enforcing VPN connectivity, mandatory disk encryption, and port control will also reduce the attack surface for ransomware.

Email and phishing are still the main entry vector for ransomware, so a good and frequent training program with simulations is important. On top of that, ensure that even if users are compromised, they only have access to services and resources necessary for their work.

These are all good measures that should stop opportunistic attacks, but determined threat actors targeting critical infrastructure will find ways around these. That’s why a proven EDR solution that stops attacks early is essential.

Conclusion

The increase in ransomware attacks on critical infrastructure is a major concern. Once the target solely of nation-state actors that would rarely execute “noisy” attacks which could reveal their presence, businesses and organizations within the 16 sectors of critical infrastructure are now seen as prime targets for ransomware operators. Disrupting and potentially damaging vital equipment, networks, assets and services means cyber criminals have a better chance of getting a payout. With data leakage and regulatory fines also a factor, it’s vital that these attacks are stopped in their tracks. If you would like to see how the autonomous SentinelOne platform can help protect your organization against ransomware attacks, contact us today or request a free demo.




Narrator raises $6.2M for a new approach to data modelling that replaces star schema

Snowflake went public this week, and in a mark of the wider ecosystem that is evolving around data warehousing, a startup that has built a completely new concept for modelling warehoused data is announcing funding. Narrator — which uses an 11-column ordering model rather than standard star schema to organise data for modelling and analysis — has picked up a Series A round of $6.2 million, money that it plans to use to help it launch and build up users for a self-serve version of its product.

The funding is being led by Initialized Capital along with continued investment from Flybridge Capital Partners and Y Combinator — where the startup was in a 2019 cohort — as well as new investors, including Paul Buchheit.

Narrator has been around for three years, but its first phase was based around providing modelling and analytics directly to companies as a consultancy, helping companies bring together disparate, structured data sources from marketing, CRM, support desks and internal databases to work as a unified whole. As consultants, using an earlier build of the tool that it’s now launching, the company’s CEO Ahmed Elsamadisi said he and others each juggled queries “for eight big companies single-handedly,” while deep-dive analyses were done by another single person.

Having validated that it works, the new self-serve version aims to give data scientists and analysts a simplified way of ordering data so that queries, described as actionable analyses in a story-like format — or “Narratives,” as the company calls them — can be made across that data quickly — hours rather than weeks — and consistently. (You can see a demo of how it works below provided by the company’s head of data, Brittany Davis.)

The new data-as-a-service is also priced in SaaS tiers, with a free tier for the first 5 million rows of data, and a sliding scale of pricing after that based on data rows, user numbers and Narratives in use.

Image Credits: Narrator

Elsamadisi, who co-founded the startup with Matt Star, Cedric Dussud and Michael Nason, said that data analysts have long lived with the problems with star schema modelling (and by extension the related format of snowflake schema), which can be summed up as “layers of dependencies, lack of source of truth, numbers not matching and endless maintenance,” he said.

“At its core, when you have lots of tables built from lots of complex SQL, you end up with a growing house of cards requiring the need to constantly hire more people to help make sure it doesn’t collapse.”

(We)Work Experience

It was while he was working as lead data scientist at WeWork — yes, he told me, maybe it wasn’t actually a tech company, but it had “tech at its core” — that he had a breakthrough moment of realising how to restructure data to get around these issues.

Before that, things were tough on the data front. WeWork had 700 tables that his team was managing using a star schema approach, covering 85 systems and 13,000 objects. Data would include information on acquiring buildings, to the flows of customers through those buildings, how things would change and customers might churn, with marketing and activity on social networks, and so on, growing in line with the company’s own rapidly scaling empire. All of that meant a mess at the data end.

“Data analysts wouldn’t be able to do their jobs,” he said. “It turns out we could barely even answer basic questions about sales numbers. Nothing matched up, and everything took too long.”

The team had 45 people on it, but even so it ended up having to implement a hierarchy for answering questions, as there were so many and not enough time to dig through and answer them all. “And we had every data tool there was,” he added. “My team hated everything they did.”

The single-table column model that Narrator uses, he said, “had been theorised” in the past but hadn’t been figured out.

The spark, he said, was to think of data structured in the same way that we ask questions, where — as he described it — each piece of data can be bridged together and then also used to answer multiple questions.

“The main difference is we’re using a time-series table to replace all your data modelling,” Elsamadisi explained. “This is not a new idea, but it was always considered impossible. In short, we tackle the same problem as most data companies to make it easier to get the data you want but we are the only company that solves it by innovating on the lowest-level data modelling approach. Honestly, that is why our solution works so well. We rebuilt the foundation of data instead of trying to make a faulty foundation better.”

Narrator calls the composite table, which includes all of your data reformatted to fit in its 11-column structure, the Activity Stream.

Elsamadisi said using Narrator for the first time takes about 30 minutes, and about a month to learn to use it thoroughly. “But you’re not going back to SQL after that, it’s so much faster,” he added.

Narrator’s initial market has been providing services to other tech companies, and specifically startups, but the plan is to open it up to a much wider set of verticals. And in a move that might help with that, longer term, it also plans to open source some of its core components so that third parties can build data products on top of the framework more quickly.

As for competitors, he says that it’s essentially the tools that he and other data scientists have always used, although “we’re going against a ‘best practice’ approach (star schema), not a company.” Airflow, DBT, Looker’s LookML, Chartio’s Visual SQL, Tableau Prep are all ways to create and enable the use of a traditional star schema, he added. “We’re similar to these companies — trying to make it as easy and efficient as possible to generate the tables you need for BI, reporting and analysis — but those companies are limited by the traditional star schema approach.”

So far the proof has been in the data. Narrator says that companies average around 20 transformations (the unit used to answer questions) compared to hundreds in a star schema, and that those transformations average 22 lines compared to 1,000+ lines in traditional modelling. For those that learn how to use it, the average time for generating a report or running some analysis is four minutes, compared to weeks in traditional data modelling.

“Narrator has the potential to set a new standard in data,” said Jen Wolf, ​Initialized Capital COO and partner and new Narrator board member​, in a statement. “We were amazed to see the quality and speed with which Narrator delivered analyses using their product. We’re confident once the world experiences Narrator this will be how data analysis is taught moving forward.”

APAC cloud infrastructure revenue reaches $9B in Q2 with Amazon leading the way

When you look at the Asia-Pacific (APAC) regional cloud infrastructure numbers, it would be easy to think that one of the Chinese cloud giants, particularly Alibaba, would be the leader in that geography, but new numbers from Synergy Research show Amazon leading across the region overall, which generated $9 billion in revenue in Q2.

The only exception to Amazon’s dominance was in China, where Alibaba leads the way with Tencent and Baidu coming in second and third, respectively. As Synergy’s John Dinsdale points out, China has its own unique market dynamics, and while Amazon leads in other APAC sub-regions, it remains competitive.

“China is a unique market and remains dominated by local companies, but beyond China there is strong competition between a range of global and local companies. Amazon is the leader in four of the five sub-regions, but it is not the market leader in every country,” he explained in a statement.

APAC Cloud Infrastructure leaders chart from Synergy Research

Image Credits: Synergy Research

The $9 billion in revenue across the region in Q2 represents less than a third of the more than $30 billion generated in the worldwide market in the quarter, but the APAC cloud market is still growing at more than 40% per year. It’s also worth pointing out as a means of comparison that Amazon alone generated more than the entire APAC region, with $10.81 billion in cloud infrastructure revenue in Q2.

While Dinsdale sees room for local vendors to grow, he says that the global nature of the cloud market in general makes it difficult for these players to compete with the largest companies, especially as they try to expand outside their markets.

“The challenge for local players is that in most ways cloud is a truly global market, requiring global presence, leading edge technology, strong brand name and credibility, extremely deep pockets and a long-term focus. For any local cloud companies looking to expand significantly beyond their home market, that is an extremely challenging proposition,” Dinsdale said in a statement.

Perigee infrastructure security solution from former NSA employee moves into public beta

Perigee founder Mollie Breen used to work for NSA where she built a security solution to help protect the agency’s critical infrastructure. She spent the last two years at Harvard Business School talking to Chief Information Security Officers (CISOs) and fine-tuning that idea she started at NSA into a commercial product.

Today, the solution that she built moves into public beta and will compete at TechCrunch Disrupt Battlefield with other startups for $100,000 and the Disrupt Cup.

Perigee helps protect things like heating and cooling systems or elevators that may lack patches or true security, yet are connected to the network in a very real way. It learns what normal behavior looks like from an operations system when it interacts with the network, such as what systems it interacts with and which individual employees tend to access it. It can then determine when something seems awry and stop an anomalous activity before it reaches the network. Without a solution like the one Breen has built, these systems would be vulnerable to attack.

“Perigee is a cloud-based platform that creates a custom firewall for every device on your network,” Breen told TechCrunch. “It learns each device’s unique behavior, the quirks of its operational environment and how it interacts with other devices to prevent malicious and abnormal usage while providing analytics to boost performance.”

Perigee HVAC fan dashboard view

Image Credits: Perigee

One of the key aspects of her solution is that it doesn’t require an agent, a small piece of software on the device, to make it work. Breen says this is especially important since that approach doesn’t scale across thousands of devices and can also introduce bugs from the agent itself. What’s more, it can use up precious resources on these devices if they can even support a software agent.

“Our sweet spot is that we can protect those thousands of devices by learning those nuances and we can do that really quickly, scaling up to thousands of devices with our generalized model because we take this agentless-based approach,” she said.

By creating these custom firewalls, her company is able to place security in front of the device preventing a hacker from using it as a vehicle to get on the network.

“One thing that makes us fundamentally different from other companies out there is that we sit in front of all of these devices as a shield,” she said. That essentially stops an attack before it reaches the device.

While Breen acknowledges that her approach can add a small bit of latency, it’s a tradeoff that CISOs have told her they are willing to make to protect these kinds of operational systems from possible attacks. Her system is also providing real-time status updates on how these devices are operating, giving them centralized device visibility. If there are issues found, the software recommends corrective action.

It’s still very early for her company, which Breen founded last year. She has raised an undisclosed amount of pre-seed capital. While Perigee is pre-revenue with just one employee, she is looking to add paying customers and begin growing the company as she moves into a wider public beta.

Chinese Antivirus Firm Was Part of APT41 ‘Supply Chain’ Attack

The U.S. Justice Department this week indicted seven Chinese nationals for a decade-long hacking spree that targeted more than 100 high-tech and online gaming companies. The government alleges the men used malware-laced phishing emails and “supply chain” attacks to steal data from companies and their customers. One of the alleged hackers was first profiled here in 2012 as the owner of a Chinese antivirus firm.

Image: FBI

Charging documents say the seven men are part of a hacking group known variously as “APT41,” “Barium,” “Winnti,” “Wicked Panda,” and “Wicked Spider.” Once inside of a target organization, the hackers stole source code, software code signing certificates, customer account data and other information they could use or resell.

APT41’s activities span from the mid-2000s to the present day. Earlier this year, for example, the group was tied to a particularly aggressive malware campaign that exploited recent vulnerabilities in widely-used networking products, including flaws in Cisco and D-Link routers, as well as Citrix and Pulse VPN appliances. Security firm FireEye dubbed that hacking blitz “one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.”

The government alleges the group monetized its illicit access by deploying ransomware and “cryptojacking” tools (using compromised systems to mine cryptocurrencies like Bitcoin). In addition, the gang targeted video game companies and their customers in a bid to steal digital items of value that could be resold, such as points, powers and other items that could be used to enhance the game-playing experience.

APT41 was known to hide its malware inside fake resumes that were sent to targets. It also deployed more complex supply chain attacks, in which they would hack a software company and modify the code with malware.

“The victim software firm — unaware of the changes to its product, would subsequently distribute the modified software to its third-party customers, who were thereby defrauded into installing malicious software code on their own computers,” the indictments explain.

While the various charging documents released in this case do not mention it per se, it is clear that members of this group also favored another form of supply chain attacks — hiding their malware inside commercial tools they created and advertised as legitimate security software and PC utilities.
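The modified-build scenario the indictment describes (a release tampered with inside the vendor and then shipped, possibly carrying a genuine signature made with a stolen code-signing certificate) is exactly what a pinned release manifest catches. The following is an added example, not code from the original article or from any company named on it: it records the SHA-256 of every file in a release at build time and later diffs a downloaded copy against that manifest. The release directory and file contents are constructed sample data; the only assumption is that the trusted manifest is published through a channel the build server cannot alter.

```python
"""Release-integrity check against a pinned manifest.

Added example, not code from the original page. It demonstrates the
supply-chain check a downstream customer (or the software firm's own
release engineers) can run to detect a build that was modified after
the fact. All file contents below are constructed sample data.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Map each path to the SHA-256 of its content.

    Recorded at build time, then published through a channel the build
    server cannot alter (assumption: e.g. a separately signed manifest
    on a different host)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_release(files, trusted_manifest):
    """Compare a distributed release against the trusted manifest.

    Returns three sorted lists: 'modified' (hash differs), 'added'
    (file not in the manifest, e.g. an implanted loader DLL) and
    'missing'. A valid Authenticode/GPG signature is not a substitute:
    the indictment says the group stole signing certificates, so a
    tampered build can carry a signature that verifies cleanly."""
    actual = build_manifest(files)
    modified = sorted(p for p in trusted_manifest
                      if p in actual and actual[p] != trusted_manifest[p])
    added = sorted(p for p in actual if p not in trusted_manifest)
    missing = sorted(p for p in trusted_manifest if p not in actual)
    return {"modified": modified, "added": added, "missing": missing}


def is_clean(report) -> bool:
    """True only when nothing was modified, added or removed."""
    return not (report["modified"] or report["added"] or report["missing"])


# Constructed sample: the build as it left the honest release pipeline.
CLEAN_RELEASE = {
    "utility/setup.exe": b"MZ\x90\x00 legitimate installer stub v5.33",
    "utility/core.dll": b"MZ\x90\x00 legitimate core library",
    "utility/README.txt": b"Utility 5.33 release notes\n",
}
TRUSTED_MANIFEST = build_manifest(CLEAN_RELEASE)

# Constructed sample: what customers actually downloaded after the
# vendor's build environment was compromised. The installer stub was
# patched and an extra second-stage loader was dropped alongside it.
TAMPERED_RELEASE = dict(CLEAN_RELEASE)
TAMPERED_RELEASE["utility/setup.exe"] = (
    b"MZ\x90\x00 installer stub v5.33 + stage-1 loader")
TAMPERED_RELEASE["utility/upd.dll"] = b"MZ\x90\x00 second-stage downloader"


if __name__ == "__main__":
    for name, release in (("clean", CLEAN_RELEASE),
                          ("tampered", TAMPERED_RELEASE)):
        report = verify_release(release, TRUSTED_MANIFEST)
        print(name, "OK" if is_clean(report) else report)
```

The design point is that the manifest is pinned to build output, not to a signer: if the signing key is stolen, signature checks pass and only the hash comparison reveals the change. In practice the manifest itself must reach customers out of band (a separately signed file, or reproducible builds compared across independent builders), otherwise an attacker who controls the release pipeline simply regenerates it.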

One of the men indicted as part of APT41 — now 35-year-old Tan DaiLin — was the subject of a 2012 KrebsOnSecurity story that sought to shed light on a Chinese antivirus product marketed as Anvisoft. At the time, the product had been “whitelisted” or marked as safe by competing, more established antivirus vendors, although the company seemed unresponsive to user complaints and to questions about its leadership and origins.

Tan DaiLin, a.k.a. “Wicked Rose,” in his younger years. Image: iDefense

Anvisoft claimed to be based in California and Canada, but a search on the company’s brand name turned up trademark registration records that put Anvisoft in the high-tech zone of Chengdu in the Sichuan Province of China.

A review of Anvisoft’s website registration records showed the company’s domain originally was created by Tan DaiLin, an infamous Chinese hacker who went by the aliases “Wicked Rose” and “Withered Rose.” At the time of that story, DaiLin was 28 years old.

That story cited a 2007 report (PDF) from iDefense, which detailed DaiLin’s role as the leader of a state-sponsored, four-man hacking team called NCPH (short for Network Crack Program Hacker). According to iDefense, in 2006 the group was responsible for crafting a rootkit that took advantage of a zero-day vulnerability in Microsoft Word, and was used in attacks on “a large DoD entity” within the USA.

“Wicked Rose and the NCPH hacking group are implicated in multiple Office based attacks over a two year period,” the iDefense report stated.

When I first scanned Anvisoft at Virustotal.com back in 2012, none of the antivirus products detected it as suspicious or malicious. But in the days that followed, several antivirus products began flagging it for bundling at least two trojan horse programs designed to steal passwords from various online gaming platforms.

Security analysts and U.S. prosecutors say APT41 operated out of a Chinese enterprise called Chengdu 404 that purported to be a network technology company but which served as a legal front for the hacking group’s illegal activities, and that Chengdu 404 used its global network of compromised systems as a kind of dragnet for information that might be useful to the Chinese Communist Party.

Chengdu404’s offices in China. Image: DOJ.

“CHENGDU 404 developed a ‘big data’ product named ‘SonarX,’ which was described…as an ‘Information Risk Assessment System,’” the government’s indictment reads. “SonarX served as an easily searchable repository for social media data that previously had been obtained by CHENGDU 404.”

The group allegedly used SonarX to search for individuals linked to various Hong Kong democracy and independence movements, and to snoop on a U.S.-backed media outlet that ran stories examining the Chinese government’s treatment of Uyghur people living in its Xinjiang region.

As noted by TechCrunch, after the indictments were filed prosecutors said they obtained warrants to seize websites, domains and servers associated with the group’s operations, effectively shutting them down and hindering their operations.

“The alleged hackers are still believed to be in China, but the allegations serve as a ‘name and shame’ effort employed by the Justice Department in recent years against state-backed cyber attackers,” wrote TechCrunch’s Zack Whittaker.

The C-suite Guide to Cyber Safety | 7 Steps to Securing Your Organization

Some cyber attacks, particularly those like the spate of ransomware incidents that seem to be never-ending at present, have very visible consequences for organizations: outage of customer-facing services, losses in productivity, revenue and reputation, not to mention the costs of remediation (like, say, paying the ransom), possible data leakage and even regulatory fines. However, it’s not just damage to the organization that such cyber incidents can cause; it can also get personal. Beginning with the famous “Target Breach”, moving on to Home Depot, Sony, the Equifax breach and the Imperva breach, several CEOs have been held responsible and forced to resign after highly damaging cyber incidents.

It might be assumed that the CISO would be the one primarily in the hot seat for such failures, but industry analysts Gartner say that future cyber attacks could result in “personal liability” for 75% of CEOs by 2024. In short, the entire C-suite needs to prepare for the consequences of a successful cyber attack, which can damage both the business and the careers of those tasked with ensuring the organization’s security.

Risk, Regulation and Evolving Threat Actors

Until very recently, companies could have kept cyber incidents and data breaches under the radar and away from the public eye. However, advancements in regulation, public sentiment and the nature of cyber attacks have changed all that.

HIPAA, GDPR, CCPA, NYDFS and a host of other data breach notification and privacy regulations have made it impossible for companies to legally hide the fact that they have suffered a major cyber incident. Companies and individuals that try to downplay this can be caught and penalized, as was the case with the former CISO of Uber, who has now been charged with obstruction of justice. He allegedly tried to cover up a 2016 hack that compromised the data of millions of users and drivers and to pass it off as a legitimate bug bounty payout, while paying the actual hackers to go away.

The nature of attacks has also changed. Modern ransomware attacks are now exfiltrating huge data sets before encrypting and announcing to the world that their victim has been hit. The cyber criminals threaten to publish or sell the stolen data if their ransom demands are not met. In many cases, this means that the public will almost certainly become aware of the incident, at which point it only harms the victim’s reputation further if they continue to deny it or refuse to even make a public comment on it. Moreover, as the public have become increasingly aware of just how much data – and how sensitive it can be – is held about them, there is increasing anger at companies and organizations accused of having lax security practices. Many consumers now indicate that organizations should be held accountable for security negligence: A recent survey found that 35% of UK consumers see the CEO as personally responsible in case of a cyber incident.

It’s no surprise, then, that cases of executives being held personally accountable for such incidents are not hard to find. The CEO of Austrian aerospace parts maker FACC was fired after the company was hit by cyber fraud that cost it some $47 million. The details are murky, but it has the hallmarks of a classic Business Email Compromise (BEC): someone very senior within FACC, perhaps the CEO, was approached by email by what appeared to be a business partner or vendor and approved a wire transfer directly to the fraudsters. After the transfer was made, it was discovered that the actual partner never approached the company and the money was gone, costing both the CEO and the CFO their jobs.

In other cases, executives have been held accountable because cyber security is now considered a fundamental business operation. For example, after the SingHealth data breach, the CEO and four other senior managers were fined due to their “collective leadership responsibility”.

Seven Steps to Secure Your Organization

It’s famously been said that “Cyber is hard”, but there is a well-defined path to enterprise security that responsible organizations can follow, limiting both the risk of and the fallout from a security breach.

  1. Assess Your Security Posture – The first step to consider is the status of the organization’s security posture. The C-suite (CIO, CSO, CISO) needs to have a clear and updated understanding of the organization’s security apparatus, including staffing levels, training, systems and procedures, incident response and business continuity. Are you still relying on legacy AV solutions that are easily bypassed by today’s threat actors? Who is tasked with threat hunting, and how often? What does your Incident Response procedure look like today? In the heightened security environment we now face, when threat actors from script kiddies to APTs are able to access and wield sophisticated malware, it is imperative to have a clear understanding of your current security posture.
  2. Conduct a Cyber Risk Assessment – The CEO and C-level executives need to understand the nature of the cyber threats the organization faces. There are plenty of tools available for risk assessment, including industry benchmarks, government and law enforcement agencies’ recommendations and threat intelligence feeds. The risk assessment should also include regulatory and commercial risks such as reputation loss due to a cyber attack.

  3. Develop a Business-wide Security Plan – With a clear understanding of the threats facing your organization and your current security stance, it is possible to assess where the organization fares well and where there is room for improvement. It is vital to have a plan to address these gaps according to the organization’s risk appetite. The plan should include a modern EDR platform, Incident Response and mitigation capabilities, backup systems and business continuity procedures.
  4. Allocate Sufficient Resources – After formulating and approving a security plan, the appropriate staffing, organizational and financial resources must be allocated. This is critical. A plan that calls for human resources you don’t have and don’t make provision to supply is not so much a plan as wishful thinking. A plan that cannot be implemented because it requires structural changes that the organization is not willing to make is merely a wasted thought experiment. A plan that lacks a fully worked-out and approved budget suggests there was no real will or intent to facilitate change. None of this is going to look good when stakeholders start apportioning blame in post-incident analysis.
  5. Practice Continued Oversight – The implementation of a well-thought-out, sufficiently resourced plan must be accompanied by monitoring and reporting to senior management. A contingency plan that was only partially implemented, not implemented as intended, or that (in practice) was not as “fit for purpose” as it seemed on paper, may be worse than no plan at all. Security executives should also monitor business operations development and how operational changes might impact the security plan. For instance, the sudden shift to working from home has markedly changed the risks organizations face, but how many businesses have updated their security planning and solutions to take that into consideration?

  6. Engage an External Audit – It is advisable to introduce an external audit in order to validate the CISO’s plan and its execution. The benefits here include a non-partisan, objective look at your preparedness and compliance that can not only provide internal confidence that you are doing the right thing, but can also be a vital part of rapidly rebuilding external confidence after a security breach.
  7. Rinse and Repeat – By the end of the period (fiscal year, calendar year, quarter) it is imperative to assess the success of the plan and decide whether to continue with its implementation or make changes. Plenty of organizations thought they had a great plan in place, only to find a threat actor had repeatedly breached their defenses for months on end.

How To Respond When a Cyber Attack Happens

But executives are not only measured by how well they plan and let their people execute. They are also measured by how well they respond to crisis. When a crisis hits, it is best to act according to the predefined plan. If there isn’t one, bring in experts in Incident Response and crisis management as soon as possible.

It is imperative to communicate the situation promptly and openly with the board, employees, customers and the media. Organizations that react quickly, honestly and transparently usually receive the support of all these groups, and the mistakes (if there were any) are often quickly forgiven.

For example, Q&A site Quora suffered a data breach in late 2018, affecting approximately 100 million Quora users. The CEO responded quickly, publishing a very transparent blog post and notifying all users via email of how the breach affected stakeholders. The company then set up a dedicated Q&A site with timely updates to users as the situation unfolded.

Conclusion

Securing your organization against today’s cyber threats is a business imperative. Long gone are the days when management only needed to hire an IT admin to install an off-the-shelf antivirus, erect a firewall around the network perimeter and sit back and think about “more important” things. In today’s world of cloud computing with containerized workloads, a remote workforce, and a dizzying array of unsecured IoT devices jumping on and off your network, combined with the exponential growth and sophistication of cyber attacks and cyber attackers, security is not only the C-suite’s responsibility, it may be their number one priority.

If you’d like to see how the SentinelOne platform can meet your organization’s security needs without stretching your resources, contact us or request a free demo.


User-generated e-learning site Kahoot acquires Actimo for up to $33M to double down on corporate sector

Norwegian company Kahoot originally made its name with a platform that lets educators and students create and share game-based online learning lessons, in the process building up a huge public catalogue of gamified lessons created by its community. Today the startup — now valued at more than $2 billion — is announcing an acquisition to give a boost to another segment of its business: corporate customers.

Kahoot has acquired Danish startup Actimo, which provides a platform for businesses to train and engage with employees. Kahoot said that the purchase is being made with a combination of cash and shares, and works out to a total enterprise value of between $26 million and $33 million for the smaller company, with the sale expected to be completed in October 2020.

It may sound like a modest sum in a tech market where companies are currently and regularly seeing paper valuations in the hundreds of millions at Series A stage, but it also presents a different kind of trajectory both for founders and their investors.

This is actually a strong exit for Actimo, which had raised less than $500,000, according to data from PitchBook. And it puts Actimo under the wing of a company that has been scaling globally fast, finding — like others in the areas of online education and remote working — that the current state of social distancing due to COVID-19 is resulting in a boost to its business.

To give you an idea of the scale and growth of Kahoot, the company says that currently it has over 1 billion “participating players,” on top of some 4.4 billion users in aggregate since first launching the platform in 2013. In the last 12 months, some 200 million games have been played on its platform. In June, when Kahoot announced that it had raised $28 million in funding, it told us that 100 million games had been played.

In light of its growth and the future opportunity — even putting aside the progression of the coronavirus, it looks like remote work and remote learning will at least become a lot more common as a longer-term option — the company has also seen a rise in its valuation. With some of its shares traded on the Merkur Market in Norway, the company currently has a market cap of 18.716 billion Norwegian Krone, which at today’s rates is about $2.08 billion. That figure was $1.4 billion in June.

Kahoot’s targeting of the corporate sector is not new. The company has been building a business in this space for years. It says that in the last 12 months, it logged 2 million sessions across 20 million participating “players” of its corporate training “games,” with some 97% of the Fortune 500 among those users. Customers include the likes of Facebook (for sales training), Oyo (hospitality training and onboarding) and Qualys (for taking polls during a conference), among others.

Critically, while a lot of Kahoot’s audience is in education, it is the corporate segment that most of the revenue comes from, one reason why it’s keen to grow that segment with more services and users.

The aim with Actimo, Kahoot says, is to build out a product set aimed at helping organisations with company culture — which, with many organisations now going on eight months and counting of entire teams working regularly outside of their physical offices, has grown as a priority.

Keeping a team feeling like a team, and an individual feeling more than a transactional regard for an employer, is not a simple thing in the best of times. Now, as we continue to work physically away from each other, it will take even more tools and efforts to get the balance right.

In that context, Actimo’s solution is just one aspect, but potentially an interesting one: it has built a platform where employees can track the training that they have done or need to do, engage with other co-workers, and provide feedback, and employers can use it to generally track and encourage how employees are engaging across the company and its various efforts. It counts some 200 enterprises, including Circle K, Hi3G and Compass Group, among its customers, and has current ARR of $5 million.

For comparison, Kahoot, in its Q2 financials published in August, reported ARR of $25 million, with invoiced revenue for the quarter at $9.6 million, growing some 317% on the same quarter a year before. The company has also raised some $110 million in private funding from the likes of Microsoft and Disney.

As Kahoot looks to find more than just a transient place in a company’s IT and software fabric — transience of attention always being a risk with anything gaming-based — it makes a lot of sense to pick up Actimo and work on ways of coupling the platform with its other corporate work. You can also imagine a time when it might create a similar kind of dashboard for the educational sector.

“We are excited to welcome the Actimo team to be part of the fast-growing Kahoot! family,” said Kahoot CEO, Eilert Hanoa, in a statement. “This acquisition will further extend Kahoot!’s corporate learning offerings, by providing solutions tailored for the frontline segment, as well as to solidify company culture and engagement among remote and distributed teams in companies of all types and sizes. This continues our expressed ambition to also grow through M&A by adding strategic capabilities that we can leverage across our global platform.”

“We are thrilled to join forces with Kahoot! in our mission to develop next-level solutions that connect remote employees and boost employee engagement and productivity,” said Eske Gunge, CEO at Actimo, in a statement. “Being part of Kahoot! and with our experience from working with innovative and ambitious enterprises across industries, we can together set a new standard for corporate learning and engagement.”