Hydra, the world’s biggest cybercrime forum, shut down in police sting

Image: Laundering of stolen cryptocurrency was a key service offered by Hydra. (credit: Getty Images)

Hydra, the world’s biggest cybercrime forum, is no more. Authorities in Germany have seized servers and other infrastructure used by the sprawling, billion-dollar enterprise along with a stash of about $25 million in bitcoin.

Hydra had been operating since at least 2015 and had seen a meteoric rise since then. In 2020, it had annual revenue of more than $1.37 billion, according to a 2021 report jointly published by security firm Flashpoint and blockchain analysis company Chainalysis. In 2016, the companies said, Hydra had revenue of just $9.4 million. German authorities said the site had 17 million customer accounts and over 19,000 seller accounts registered.

Cybercrime bazaar

Available exclusively through the Tor network, Hydra was a bazaar that brokered sales of narcotics, fake documents, cryptocurrency-laundering services, and other digital goods. Flashpoint and Chainalysis identified 11 core operators but said the marketplace was so big that it likely was staffed by “several dozen people, with clearly delineated responsibilities.”


Telegram emerges as new dark web for cyber criminals


Telegram has exploded as a hub for cybercriminals looking to buy, sell, and share stolen data and hacking tools, new research shows, as the messaging app emerges as an alternative to the dark web.

An investigation by cyber intelligence group Cyberint, together with the Financial Times, found a ballooning network of hackers sharing data leaks on the popular messaging platform, sometimes in channels with tens of thousands of subscribers, lured by its ease of use and light-touch moderation.

In many cases, the content resembled that of the marketplaces found on the dark web, a group of hidden websites that are popular among hackers and accessed using specific anonymizing software.


Ransomware: A market problem deserves a market solution

REvil is a solid choice for a villain’s name: R Evil. Revil. Evil and yet fun. I could imagine Black Widow, Hulk and Spider-Man teaming up to topple the leadership of REvil Incorporated.

The criminal gang using the name REvil may have enabled ransomware attacks on thousands of small businesses worldwide this summer — but the ransomware problem is bigger than REvil, LockBit or DarkSide. REvil has disappeared from the internet, but the ransomware problem persists.

REvil is a symptom, not the cause. I advise Tony Stark and his fellow Avengers to look past any one criminal organization — because there is no evil mastermind. Ransomware is just the latest in the 50,000-year evolution of petty criminals discovering get-rich-quick schemes.

The massive boom in the number of ransomware occurrences arises from the lack of centralized control. More than 304 million ransomware attacks hit global businesses last year, with costs surpassing $178,000 per event. Technology has created a market where countless petty criminals can make good money fast. The best way to fight this kind of threat is with a market-based approach.

The spike in global ransomware attacks reflects a massive “dumbing down” of criminal activity. People looking to make an illicit buck have many more options available to them today than they did even two years ago. Without technical chops, people can steal your data, hold it for ransom and coerce you to pay to get it back. Law enforcement has not yet responded to combat this form of cybercrime, and large, sophisticated criminal networks have likewise not yet figured out how to control the encroaching upstarts.

The spike in ransomware attacks is attributable to the “as a service” economy. In this case, we’re talking about RaaS, or ransomware as a service. This works because each task in the ransomware chain benefits from the improved sophistication enabled by the division of labor and specialization.

Someone finds a vulnerable target. Someone provides bulletproof infrastructure outside of the jurisdiction of responsible law enforcement. Someone provides the malicious code. The players all come together without knowing each other’s names. No need to meet in person as Mr. Pink, Mr. Blonde and Mr. Orange because the ability to coordinate tasks has become simple. The rapid pace of technological innovation created a decentralized market, enabling amateurs to engage in high-dollar crimes.

There’s a gig economy for the underworld just like there is for the legal business world. I’ve built two successful software companies, even though I’m an economist. I use open source software and rent infrastructure via cloud technologies. I operated my first software company for six years before I sought outside capital, and I used that money for marketing and sales more than technology.

This tech advancement is both good and bad. The global economy did better than expected during a global pandemic because technology enabled many people to work from anywhere.

But the illicit markets of crime also benefited. REvil provided a service — a piece of a larger network — and earned a share of proceeds from ransomware attacks committed by others — like Jeff Bezos and Amazon get a share of my company’s revenues for the services they provide to me.

To fight ransomware attacks, appreciate the economics — the markets that enable ransomware — and change the market dynamics. Specifically, do three things:

1. Analyze the market like a business executive

Any competitive business thinks about what’s allowing competitors to succeed and how they can outcompete. The person behind a ransomware strike is an entrepreneur or a worker in a firm engaged in cybercrime, so start with good business analytics using data and smart business questions.

Can the crypto technologies that enable the crime also be used to enable entity resolution and deny anonymity/pseudonymity? Can technology undermine a criminal’s ability to recruit, coordinate or move, store and spend the proceeds from criminal activities?

2. Define victory in market terms

Doing the analytics to understand competing firms allows one to more clearly see the market for ransomware. Eliminating one “firm” often creates a power vacuum that will be filled by another, provided the market remains the same.

REvil disappeared, but ransomware attacks persist. Victory in market terms means creating markets in which criminals choose not to engage in the activity in the first place. The goal is not to catch criminals, but to deter the crime. Victory against ransomware happens when arrests drop because attempted attacks drop to near zero.

3. Combat RaaS as an entrepreneur in a competitive market

To prevent ransomware is to fight against criminal entrepreneurs, so the task requires one to think and fight crime like an entrepreneur.

Crime-fighting entrepreneurs require collaboration — networks of government officials, banking professionals and technologists in the private sector across the globe must come together.

Through artificial intelligence and machine learning, the capability to securely share data, information and knowledge while preserving privacy exists. The tools of crime become the tools to combat crime.

No evil mastermind sits in their lair laughing at the chaos inflicted on the economy. Instead, growing numbers of amateurs are finding ways to make money quickly. Tackling the ransomware industry requires the same coordinated focus on the market that enabled amateurs to enter cybercrime in the first place. Iron Man would certainly agree.


BitSight raises $250M from Moody’s and acquires cyber risk startup VisibleRisk

BitSight, a startup that assesses the likelihood that an organization will be breached, has received a $250 million investment from credit rating giant Moody’s, and acquired Israeli cyber risk assessment startup VisibleRisk for an undisclosed sum.

Boston-based BitSight says the investment from Moody’s, which has long warned that cyber risk can impact credit ratings, will enable it to create a cybersecurity risk platform, while the credit ratings giant said it plans to make use of BitSight’s cyber risk data and research across its integrated risk assessment product offerings.

The investment values BitSight at $2.4 billion and makes Moody’s the largest shareholder in the company.

“Creating transparency and enabling trust is at the core of Moody’s mission,” Moody’s president and CEO Rob Fauber said in a statement. “BitSight is the leader in the cybersecurity ratings space, and together we will help market participants across disciplines better understand, measure, and manage their cyber risks and translate that to the risk of cyber loss.”

Meanwhile, BitSight’s purchase of VisibleRisk, a cyber risk ratings joint venture created by Moody’s and Team8, brings in-depth cyber risk assessment capabilities to BitSight’s platform, enabling the startup to better analyze and calculate an organization’s financial exposure to cyber risk. VisibleRisk, which has raised $25 million to date, says its so-called “cyber ratings” are based on cyber risk quantification, which allows companies to benchmark their cyber risk against those of their peers, and to better understand and manage the impact of cyber threats to their businesses.

Following the acquisition, BitSight will also create a risk solutions division focused on delivering a suite of critical solutions and analytics serving stakeholders including chief risk officers, C-suite executives, and boards of directors. This division will be led by VisibleRisk co-founder and CEO Derek Vadala, who previously headed up Moody’s cyber risk group.

Steve Harvey, president and CEO of BitSight, said the company’s partnership with Moody’s and its acquisition of VisibleRisk will expand its reach to “help customers manage cyber risk in an increasingly digital world.”

BitSight was founded in 2011 and has raised a total of $155 million in outside funding, most recently closing a $60 million Series D round led by Warburg Pincus. The startup has just shy of 500 employees and more than 2,300 global customers, including government agencies, insurers and asset managers. 


Technology giant Olympus hit by BlackMatter ransomware

Olympus said in a brief statement Sunday that it is “currently investigating a potential cybersecurity incident” affecting its European, Middle East and Africa computer network.

“Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners,” the statement said.

But according to a person with knowledge of the incident, Olympus is recovering from a ransomware attack that began in the early morning of September 8. The person shared details of the incident prior to Olympus acknowledging the incident on Sunday.

A ransom note left behind on infected computers claimed to be from the BlackMatter ransomware group. “Your network is encrypted, and not currently operational,” it reads. “If you pay, we will provide you the programs for decryption.” The ransom note also included a web address to a site accessible only through the Tor Browser that’s known to be used by BlackMatter to communicate with its victims.


Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch that the site in the ransom note is associated with the BlackMatter group.

BlackMatter is a ransomware-as-a-service group that was founded as a successor to several ransomware groups, including DarkSide, which recently bounced from the criminal world after the high-profile ransomware attack on Colonial Pipeline, and REvil, which went silent for months after the Kaseya attack flooded hundreds of companies with ransomware. Both attacks caught the attention of the U.S. government, which promised to take action if critical infrastructure was hit again.

Groups like BlackMatter rent access to their infrastructure, which affiliates use to launch attacks, while BlackMatter takes a cut of whatever ransoms are paid. Emsisoft has also found technical links and code overlaps between DarkSide and BlackMatter.

Since the group emerged in June, Emsisoft has recorded more than 40 ransomware attacks attributed to BlackMatter, but says the total number of victims is likely to be significantly higher.

Ransomware groups like BlackMatter typically steal data from a company’s network before encrypting it, and later threaten to publish the files online if the ransom to decrypt the files is not paid. Another site associated with BlackMatter, which the group uses to publicize its victims and tout stolen data, did not have an entry for Olympus at the time of publication.

Japan-headquartered Olympus manufactures optical and digital reprography technology for the medical and life sciences industries. The company also built digital cameras and other electronics until it sold its struggling camera division in January.

Olympus said it was “currently working to determine the extent of the issue and will continue to provide updates as new information becomes available.”

Christian Pott, a spokesperson for Olympus, did not respond to emails and text messages requesting comment.


Thoma Bravo takes a stake in threat intelligence provider Intel 471

Private equity giant Thoma Bravo has taken a stake in Intel 471, a provider of cyber threat intelligence for enterprises and governments.

The strategic growth investment, which comes as organizations double-down on cybersecurity amid a pandemic-fueled rise in cyber threats, will enable Intel 471 to evolve its product suite, broaden its go-to-market strategy and continue to “aggressively pursue innovation,” according to Thoma Bravo. Financial terms of the deal were not disclosed.

Intel 471, a Texas-based firm founded in 2014, takes a preventative approach to cybersecurity. It leverages its access to forums and dark web marketplaces to equip organizations with intelligence and monitoring on threat actors and malware attacks. Using the company’s platform, businesses can track threat actor activity and vulnerability exploits, analyze near-real-time monitoring of malware activity, trace threats that could cause security breaches, and receive alerts on compromised credentials.

“As cybercriminals and their tactics become increasingly sophisticated, our monitoring and intelligence solutions have become mission-critical, with organizations of all sizes looking to us to help them protect against attacks,” said Mark Arena, CEO of Intel 471.

Arena, along with fellow co-founder Jason Passwaters, will continue to lead Intel 471 and will retain a “significant” ownership position.

Thoma Bravo’s investment in Intel 471 sees the private equity firm continue its cybersecurity investing spending-spree. Its recent $12.3 billion purchase of Proofpoint, for example, said to be the largest acquisition in cybersecurity history, trumps Broadcom’s $10.7 billion purchase of Symantec, Intel’s $7.6 billion acquisition of McAfee, and Okta’s proposed $6.5 billion acquisition of Auth0.

Thoma Bravo also previously acquired Sophos for $3.9 billion, took a majority stake in LogRhythm and paid $544 million for authentication startup Imprivata. 


Howard University cancels classes after ransomware attack

Washington, D.C.’s Howard University has canceled classes after becoming the latest educational institution to be hit by a ransomware attack.

The incident was discovered on September 3, just weeks after students returned to campus, when the University’s Enterprise Technology Services (ETS) detected “unusual activity” on the University’s network and intentionally shut it down in order to investigate.

“Based on the investigation and the information we have to date, we know the University has experienced a ransomware cyberattack,” the university said in a statement. While some details remain unclear — it’s unknown who is behind the attack or how much of a ransom was demanded — Howard University said that there is no evidence so far to suggest that personal data of its 9,500 undergraduate and graduate students has been accessed or exfiltrated.

“However, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed,” the statement said.

In order to enable its IT team to fully assess the impact of the ransomware attack, Howard University has canceled Tuesday’s classes, opening its campus to essential employees only. Campus Wi-Fi will also be down while the investigation is underway, though cloud-based software will remain available to students and teachers. 

“This is a highly dynamic situation, and it is our priority to protect all sensitive personal, research and clinical data,” the university said. “We are in contact with the FBI and the D.C. city government, and we are installing additional safety measures to further protect the University’s and your personal data from any criminal ciphering.”

But the university warned that remediation will be “a long haul — not an overnight solution.”

Howard University is the latest in a long line of educational institutions to be hit by ransomware since the start of the pandemic, with the FBI’s Cyber Division recently warning that cybercriminals using this type of attack are focusing heavily on schools and universities due to the widespread shift to remote learning. Last year, the University of California paid $1.14 million to NetWalker hackers after they encrypted data within its School of Medicine’s servers, and the University of Utah paid hackers $457,000 to prevent them from releasing data stolen during an attack on its network. 

According to Emsisoft threat analyst Brett Callow last month, ransomware attacks have disrupted 58 U.S. education organizations and school districts, including 830 individual schools, so far in 2021. Emsisoft estimates that in 2020, 84 incidents disrupted learning at 1,681 individual schools, colleges, and universities.

“We’ll likely see a significant increase in ed sector incidents in the coming weeks,” Callow tweeted on Tuesday.


FTC bans spyware maker SpyFone, and orders it to notify hacked victims

The Federal Trade Commission has unanimously voted to ban the spyware maker SpyFone and its chief executive Scott Zuckerman from the surveillance industry, the first order of its kind, after the agency accused the company of harvesting mobile data on thousands of people and leaving it on the open internet.

The agency said SpyFone “secretly harvested and shared data on people’s physical movements, phone use, and online activities through a hidden device hack,” allowing the spyware purchaser to “see the device’s live location and view the device user’s emails and video chats.”

SpyFone is one of many so-called “stalkerware” apps that are marketed under the guise of parental control but are often used by spouses to spy on their partners. The spyware works by being surreptitiously installed on someone’s phone, often without their permission, to steal their messages, photos, web browsing history, and real-time location data. The FTC also charged that the spyware maker exposed victims to additional security risks because the spyware runs at the “root” level of the phone, which allows the spyware to access off-limits parts of the device’s operating system. A premium version of the app included a keylogger and “live screen viewing,” the FTC says.

But the FTC said that SpyFone’s “lack of basic security” exposed those victims’ data, because of an unsecured Amazon cloud storage server that was spilling the data its spyware was collecting from more than 2,000 victims’ phones. SpyFone said it partnered with a cybersecurity firm and law enforcement to investigate, but the FTC says it never did.

Practically, the ban means SpyFone and its CEO Zuckerman are banned from “offering, promoting, selling, or advertising any surveillance app, service, or business,” making it harder for the company to operate. But FTC Commissioner Rohit Chopra said in a separate statement that stalkerware makers should also face criminal sanctions under U.S. computer hacking and wiretap laws.

The FTC has also ordered the company to delete all the data it “illegally” collected, and, also for the first time, notify victims that the app had been secretly installed on their devices.

In a statement, the FTC’s consumer protection chief Samuel Levine said: “This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security.”

The EFF, which launched the Coalition Against Stalkerware two years ago, a coalition of companies that detects, combats and raises awareness of stalkerware, praised the FTC’s order. “With the FTC now turning its focus to this industry, victims of stalkerware can begin to find solace in the fact that regulators are beginning to take their concerns seriously,” said EFF’s Eva Galperin and Bill Budington in a blog post.

This is the FTC’s second order against a stalkerware maker. In 2019, the FTC settled with Retina-X after the company was hacked several times and eventually shut down.

Over the years, several other stalkerware makers were either hacked or inadvertently exposed their own systems, including mSpy, Mobistealth, and Flexispy. Another stalkerware maker, ClevGuard, left thousands of hacked victims’ phone data on an exposed cloud server.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911.

Did you receive a notification and want to tell your story? You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.


BreachQuest emerges from stealth with $4.4M to modernize incident response

BreachQuest, an early-stage startup with a founding team of cybersecurity experts building a modern incident response platform, has emerged from stealth with $4.4 million in seed funding.

The investment was raised from Slow Ventures, Lookout founder Kevin Mahaffey, and Tinder co-founders Sean Rad and Justin Mateen, who described BreachQuest as having a “disruptive vision and a world-class team.”

The latter is certainly true. BreachQuest is made up of former U.S. Cyber Command, National Security Agency, and Department of Defense employees, which it sees as its biggest competitive advantage. Its second advantage is its Priori platform, which the Texas-based company believes will re-engineer the incident response process and move incident preparedness into the future.

Currently, it takes most organizations about 280 days to detect a breach, the startup says, and the slow recovery process that typically follows means this largely manual process costs the average U.S. business just shy of $4 million. The startup’s Priori platform aims to improve on what the team sees as “unacceptable industry standards,” enabling organizations to detect intrusions and compromises far faster. That allows companies to near-instantly respond to and contain the compromise, the startup says.

BreachQuest’s co-founder and CTO is Jake Williams, a former NSA hacker and founder of Rendition Infosec, an Augusta, Ga.-based cybersecurity company that was acquired by BreachQuest. Williams told TechCrunch that while most other incident response firms are focused on preventing incidents, BreachQuest is focusing on preparing for the inevitable.

“It’s a reality that determined adversaries will get into your network regardless of what tools you put in place to keep them out,” he says. “That’s not [fear, uncertainty and doubt], it’s just a reality that if you’re targeted you’re going to be compromised. That’s what our mission is all about: preparation to facilitate response.”

BreachQuest, which will also assess the cybersecurity risks posed to an organization by potential mergers and acquisitions, believes it has little competition in the market right now because incident preparation is a tough market.

“We continuously see statistics about how IT managers think their security controls will prevent them from being breached, so selling incident response preparation tools and services to those organizations is a hard sell,” Williams said. “But given the landscape of ransomware and other cybersecurity threats being regular front-page news, we think the market is ready.”

BreachQuest will use its $4.4 million seed investment to accelerate the rollout and development of its Priori platform, with future plans to speed up its forensic evidence collection processes and improve response coordination across its disparate team members.

“Incident response is chaotic and it’s hard for people who infrequently work in these situations to address all the issues identified throughout the investigation,” Williams said. “Fundamentally, the problem is a combination of the difficulties getting the right evidence in a timely manner and understanding the status of the response.”


Ransomware recovery can be costly, and not just because of the ransom

Ransomware is rarely out of the headlines. Just last week, IT consulting giant Accenture was hit by the LockBit ransomware gang, days after Taiwan-based laptop maker Gigabyte also fell victim to an apparent ransomware attack, leading the hackers to leak gigabytes of confidential AMD and Intel data.

Unsurprisingly, ransomware — which has rocketed in activity during the pandemic — remains among the most costly threats to businesses, with large U.S. companies losing an average of $5.66 million each year to ransomware. But new findings show that is not for the reason you might think.

While we often hear of multimillion-dollar ransom payments made by hackers, research from Proofpoint and the Ponemon Institute found that ransom payments typically account for less than 20% of the total cost of a ransomware attack. Of that $5.66 million figure each year, just $790,000 accounts for ransom payments. Rather, the research shows businesses suffer the majority of their losses through lost productivity and the time-consuming task of containing and cleaning up after a ransomware attack.

Proofpoint says that the remediation process for an average-sized organization takes on average 32,258 hours, which when multiplied by the average $63.50 IT hourly wage totals more than $2 million. Downtime and lost productivity is another costly consequence of ransomware attacks; the research shows that phishing attacks, for example, which were determined as the root cause of almost one-fifth of ransomware attacks last year, have led to employee productivity losses of $3.2 million in 2021, up from $1.8 million in 2015. 

“In the wake of a ransomware attack, communication and interaction between employees and any affected external parties must increase massively, causing many teams to have to drop all existing work as part of their ‘day job’ immediately and focus on this urgent matter, for potentially days, weeks or even months,” Proofpoint’s Andrew Rose told TechCrunch.

“They automatically face more scrutiny from customers, regulators and have to increase reliance on third parties. This may include a significant increase in external audits by customers and regulators, which again increases workload cost. There’s also the potential of regulatory fines, or class action lawsuits from customers,” said Rose.

This isn’t all businesses have to contend with from a financial point of view; organizations hit by ransomware are also likely to face an increase in cyber insurance costs, hefty IT expenditure and likely will have to cough up for PR teams, legal staff, customer services and external specialists. There’s also the brand and reputational fallout from such attacks: recent research from Cybereason shows that more than half of U.S. companies reported their brand was tarnished as a result of a ransomware attack. 

“For public organizations, there is also the potential for the share price to fall,” Rose adds. “Customers can also lose trust in a business once they know their data may have been at risk, which may in turn cause them to jump ship to a competitor, costing revenue.”


Pearson to pay $1M fine for misleading investors about 2018 data breach

Pearson, a London-based publishing and education giant that provides software to schools and universities, has agreed to pay $1 million to settle charges that it misled investors about a 2018 data breach resulting in the theft of millions of student records.

The U.S. Securities and Exchange Commission announced the settlement on Monday after the agency found that Pearson made “misleading statements and omissions” about its 2018 data breach, which saw millions of student usernames and scrambled passwords stolen, along with the administrator login credentials of 13,000 schools, district and university customer accounts.

The agency said that in Pearson’s semi-annual review filed in July 2019, the company referred to the incident as a “hypothetical risk,” even after the data breach had happened. Similarly, in a statement that same month, Pearson said the breach may include dates of birth and email addresses, when it knew that such records had been stolen, according to the SEC.

Pearson also said that it had “strict protections” in place when it actually took the company six months to patch the vulnerability after it was notified.

“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”

While Pearson did not admit wrongdoing as part of the settlement, Pearson agreed to pay a $1 million penalty — a small fraction of the $489 million in pre-tax profits that the company raked in last year.

A Pearson spokesperson told TechCrunch: “We’re pleased to resolve this matter with the SEC. We also appreciate the work of the FBI and the Justice Department to identify and charge those responsible for a global cyberattack that affected Pearson and many other companies and industries, including at least one government agency.”

Pearson said the breach related to its AIMSweb1.0 web-based software for entering and tracking students’ academic performance, which it retired in July 2019. “Pearson continues to enhance its cybersecurity efforts to minimize the risk of cyberattacks in an ever-changing threat landscape,” the spokesperson added.

#articles, #computer-security, #cyberattack, #cybercrime, #data-breach, #data-security, #federal-bureau-of-investigation, #pearson, #security, #u-s-securities-and-exchange-commission

Siga secures $8.1M Series B to prevent cyberattacks on critical infrastructure

Siga OT Solutions, an Israeli cybersecurity startup that helps organizations secure their operations by monitoring the raw electric signals of critical industrial assets, has raised $8.1 million in Series B funding.

Siga says its SigaGuard technology, used by Israel’s critical water facilities and the New York Power Authority, is unique in that rather than monitoring the operational network, it uses machine learning and predictive analysis to “listen” to Level 0 signals. Level 0 is typically made up of components and sensors that send and receive raw electrical signals, rather than protocols or data packets that can be manipulated by hackers.

By monitoring Level 0, which Siga describes as the “richest and most reliable level of process data within any operational environment,” the company can detect cyberattacks on the most critical and vulnerable physical assets of national infrastructures. This, it claims, ensures operational resiliency even when hackers are successful in manipulating the logic of industrial control system (ICS) controllers.

Amir Samoiloff, co-founder and CEO of Siga, says: “Level 0 is becoming the major axis in the resilience and integrity of critical national infrastructures worldwide and securing this level will become a major element in control systems in the coming years.”

The company’s latest round of funding — led by PureTerra Ventures, with investment from Israeli venture fund SIBF, Moore Capital, and Phoenix Contact — comes amid an escalation in attacks against operational infrastructure. Israel’s water infrastructure was hit by three known cyberattacks in 2020, and these were followed by an attack on the water system of Oldsmar, a city in Florida, in which hackers briefly increased the amount of sodium hydroxide in the city’s water treatment system.

The $8.1 million investment lands three years after the startup secured $3.5 million in Series A funding. The company said it will use the funding to accelerate its sales and strategic collaborations internationally, with a focus on North America, Europe, Asia, and the United Arab Emirates. 


#articles, #asia, #computer-security, #cryptography, #cyberattack, #cybercrime, #cybersecurity-startup, #cyberwarfare, #data-security, #energy, #europe, #florida, #israel, #machine-learning, #north-america, #nozomi-networks, #phoenix, #ransomware, #security, #united-arab-emirates

Checkmarx acquires open source supply chain security startup Dustico

Checkmarx, an Israeli provider of static application security testing (AST), has acquired open-source supply chain security startup Dustico for an undisclosed sum. 

Founded in 2020, Dustico provides a dynamic source-code analysis platform that employs machine learning to detect malicious attacks and backdoors in software supply chains. 

The acquisition will see Checkmarx combine its AST capabilities with Dustico’s behavioral analysis technology to give customers a consolidated view into the risk and reputation of open-source packages, and as a result, a more comprehensive approach to preventing supply chain attacks. 

The deal comes amid a sharp rise in supply chain attacks, in which threat actors slip malicious code into a trusted piece of software or hardware. Last December, it was revealed that Russian hackers had breached software firm SolarWinds to plant malicious code in its IT management tool Orion. This allowed the hackers — later identified as Russia’s Foreign Intelligence Service (SVR) — to access as many as 18,000 networks that used the Orion software.

Dustico’s technology, which is similar to that offered by Sonatype, analyses open source packages using a three-pronged approach. First, it factors in trust, providing visibility into the credibility of package providers and individual contributors in the open-source community; then it examines the health of packages to determine their level of maintenance. Finally, Dustico’s behavioral analysis engine inspects the package and looks for malicious code hiding within, including backdoors, ransomware, multi-stage attacks, and trojans.

This insight, coupled with vulnerability results from Checkmarx’s AST solutions, aims to give organizations and developers greater insight for managing the risks associated with open-source software and the supply chains that depend on it, according to the two companies.

“We’re thrilled to welcome Dustico and its team to Checkmarx as the Israeli tech ecosystem continues to push the boundaries of cybersecurity innovation and talent,” said Emmanuel Benzaquen, CEO of Checkmarx. “Blending Dustico’s differentiated approach to open-source analysis with Checkmarx’s security testing capabilities will bring disruptive value to our customers as they manage the challenges with securing software supply chains.”

The acquisition of Dustico comes after Checkmarx was bought by private equity firm Hellman & Friedman at a valuation of $1.15 billion in March 2020. Prior to this, in 2015, the company was sold to Insight Partners with an $84 million investment. 

#backdoor, #ceo, #checkmarx, #computer-security, #computing, #cryptography, #cybercrime, #cyberwarfare, #developer, #hellman-friedman, #insight-partners, #ma, #machine-learning, #security, #software, #solarwinds, #supply-chain, #supply-chain-attack, #supply-chain-management, #united-states

Passwordstate customers complain of silence and secrecy after cyberattack

It has been over three months since Click Studios, the Australian software house behind the enterprise password manager Passwordstate, warned its customers to “commence resetting all passwords.” The company was hit by a supply chain attack that sought to steal the passwords from customer servers around the world.

But customers tell TechCrunch that they are still without answers about the attack. Several customers say they were met with silence from Click Studios, while others were asked to sign strict secrecy agreements when they asked for assurances about the security of the software.

One IT executive whose company was compromised by the attack said they felt “abandoned” by the software maker in the wake of the attack.

Passwordstate is a standalone web server that enterprise companies can use to store and share passwords and secrets for their organizations, like keys for cloud systems and databases that store sensitive customer data, or “break glass” accounts that grant emergency access to the network. Click Studios says it has 29,000 customers using Passwordstate, including banks, universities, consultants, tech companies, defense contractors and U.S. and Australian government agencies, according to public records seen by TechCrunch. The sensitive data held by these customers might be why Passwordstate was the target of this supply-chain attack.

Click Studios sent an email to customers on April 22 warning of a possible Passwordstate compromise, but it wasn’t until Danish security research firm CSIS published a blog post the next day that the existence and the extent of the breach were revealed.

CSIS said that cyber-criminals had compromised the Passwordstate software update feature to deliver a malicious update to any customer who had updated their server during a 28-hour window between April 20–22. The malicious update was designed to steal the secrets from customers’ Passwordstate servers and transmit them back to the cyber-criminals.


This is how some customers found out about the hack, they told TechCrunch. Many customers turned to social media since Click Studios shut down its blog and forums as a “precaution,” prompting customers to look for other sources of information.

Some believed that the hack was “another SolarWinds,” referring to an incident months earlier at tech company SolarWinds after the network management software it sells to customers to monitor their networks and fleets of devices was compromised. Russian spies had infiltrated SolarWinds’ network and planted a backdoor in Orion’s software update feature, which was automatically pushed to customer systems. That gave the spies unfettered access to sneak around and gather information from potentially thousands of networks, including nine agencies of the U.S. federal government.

But Passwordstate was fortunate in ways that SolarWinds was not. Since new Passwordstate software updates need to be manually installed, many companies evaded compromise simply by luck. Determining whether a server had been compromised was also relatively easy by checking to see if the size of a particular file on the server was larger than it should be; the fix was fairly simple, as well.

Click Studios went public with the breach on April 24 — late on Friday night in the United States — by publishing an advisory on its website. The advisory largely repeated what it emailed to customers the day before, urging them to reset their passwords starting with all internet-facing networking gear, which, if compromised by a stolen password, would allow the cyber-criminals into a victim’s network.

Several customers who spoke to TechCrunch about the hack, including customers with compromised servers, said Click Studios was largely unresponsive after that.

The IT executive whose Passwordstate server was compromised by the attack said they updated their server during the 28-hour-long attack, but heard nothing from Click Studios besides the mass email warning of the hack. “Everything was just, ‘change your passwords,’” the executive said.

The executive’s company invoked its incident response plan and found logs showing that passwords had been exfiltrated, but found no evidence that the stolen passwords were used. Because the company uses multi-factor authentication, the stolen passwords alone aren’t enough to break into its network. “None of the multi-factor authentication prompts came up that would have if somebody had tried to log in with any of these accounts,” the executive said.

The executive offered to provide the company’s logs to Click Studios in the hope it would help the investigation. In a reply, Click Studios apologized but did not request the logs.

Another compromised customer — a managed service provider — said that the attackers tried to steal the company’s passwords but a glitch stopped the exfiltration in its tracks. The company’s logs showed that the malicious update tried to communicate with the cyber-criminals’ servers using a deprecated encryption protocol, which the server refused to accept. The customer said they offered to provide the logs to Click Studios, which the company agreed to and received, but that the customer heard nothing more from Click Studios after that.

Click Studios published two more advisories that weekend, but customers who asked for more information were only referred back to the advisories. Some vented their frustrations alongside other embattled customers on public forums.

By the following week, Click Studios began asking customers to refrain from posting its correspondence to social media after reports of phishing emails that were similarly worded to the emails sent by Click Studios, but some customers suspected the company was trying to control the fallout.

Months on, some customers said they feel discouraged by Click Studios’ lack of response and are using what leverage they have to get answers.

Some customers had licenses up for renewal and wanted firm reassurances about the security and resiliency of the software. Before the incident, customers would expect an update every week or two, but Passwordstate updates were on pause indefinitely until the company’s software development line could be secured. Click Studios had a plan to prevent a similar attack in the future, but insisted on customers signing strict non-disclosure agreements before it would say anything about what changes it was making. The non-disclosure agreements also included provisions that barred anyone from revealing the very existence of the agreement.

Click Studios chief executive Mark Sandford has not responded to multiple requests for comment since the incident. Instead, TechCrunch received the same canned auto-response from the company’s support email saying that its staff are “focused only on assisting customers technically.”

In its most recent advisory, Click Studios said that as of May 17 the company had returned to “normal business operations,” but it has not responded to our more recent emails. Click Studios released a long-awaited update to Passwordstate on August 2 to remove the software update feature that it blamed for the supply chain attack.

Some organizations said they are staying on as customers despite the attack. One said that while the incident was scary and warranted an investigation, the initial reporting was “vastly overblown.” Others expressed some sympathy for Click Studios for what was seen as a rare event that was unlikely to happen again.

“I haven’t lost faith. But this was unpleasant,” said one customer.


You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop.

#computer-security, #computing, #cybercrime, #government, #passwordstate, #phishing, #security, #solarwinds, #supply-chain-attack

A Silicon Valley VC firm with $1.8B in assets was hit by ransomware

Advanced Technology Ventures, a Silicon Valley venture capital firm with more than $1.8 billion in assets under its management, was hit by a ransomware attack in July that saw cybercriminals steal personal information on the company’s private investors, or limited partners (LPs).

In a letter to the Maine attorney general’s office, ATV said it became aware of the attack on July 9 after its servers storing financial information had been encrypted by ransomware. By July 26, ATV learned that data had been stolen from the servers before the files were encrypted, a common “double extortion” tactic used by ransomware groups, which then threaten to publish the files online if the ransom to decrypt the files is not paid.

The letter said ATV believes the names, email addresses, phone numbers and Social Security numbers of the individual investors in ATV’s funds were stolen in the attack. Some 300 individuals were affected by the incident, including one person in Maine, according to a listing on the Maine attorney general’s data breach notification portal.

Venture capital firms often do not disclose all of their LPs — the investors who have thrown millions into an investment vehicle — to the public. A number of pre-approved names may be included in an announcement, but overall, a company’s private investors try to stay that way: private. The reasons vary, but it comes down to secrecy and a degree of competitive advantage: The firm may not want competitors to know who is backing them, and an investor may not want others to know where their money is going. This particular attack likely stole key information on a hush-hush part of how venture money works.

ATV said it notified the FBI about the attack. A spokesperson for the FBI did not immediately comment when reached by TechCrunch. ATV’s managing director Mike Carusi did not respond to questions sent by TechCrunch on Monday.

The venture capital firm, based in Menlo Park, California with offices in Boston, was founded in 1979 and invests largely in technology, communications, software and services, and healthcare technology. The company was an early investor in many of the startups from the last decade, like software library Fandango, Host Analytics (now Planful) and Apptegic (now Evergage). Its more recent investments include Tripwire, which was later sold to cybersecurity company Belden for $710 million; Cedexis, a network traffic monitoring startup acquired by Cisco in 2018; and Actifio, which was sold to Google in 2020.


Natasha Mascarenhas contributed reporting.

#attorney-general, #atv, #boston, #california, #cedexis, #cisco, #cybercrime, #encryption, #fandango, #federal-bureau-of-investigation, #google, #healthcare-technology, #maine, #private-equity, #ransomware, #securedrop, #security, #signal, #software, #spokesperson, #venture-capital

Sophos extends its spending spree with Refactr buy

Thoma Bravo-owned Sophos has announced its second takeover in as many weeks with the acquisition of Seattle-based DevSecOps startup Refactr.

Refactr was founded in 2017 and offers an automation platform that helps cybersecurity and DevOps teams to collaboratively operate. The platform, which is used by the non-profit Center for Internet Security and the U.S. Air Force’s Platform One, features a drag-and-drop low-code pipeline builder and DevOps-friendly features that encourage disparate teams to collaborate on the same agile workflow process, according to the company.

“Our mission is to enable DevSecOps to become the modern approach to automation, where cybersecurity use cases like Security Operation, Automation and Response (SOAR), Extended Detection and Response (XDR), compliance, cloud security, and Identity and Access Management (IAM) become building blocks for DevSecOps solutions,” said Michael Fraser, CEO and co-founder of Refactr.

The deal, the terms of which were not disclosed, will see Refactr’s entire team of developers and engineers join Sophos. While Sophos says it will continue to develop and offer Refactr’s DevSecOps automation platform to existing customers, it will also embed Refactr’s SOAR capabilities into its own managed threat response (MTR) and XDR solutions.

“With Refactr, Sophos will fast track the integration of such advanced SOAR capabilities into our adaptive cybersecurity ecosystem, the basis for our XDR product and MTR service,” said Joe Levy, chief technology officer at Sophos.

Sophos’ acquisition of Refactr lands shortly after it announced plans to buy Braintrace, a cybersecurity startup that provides organizations visibility into suspicious network traffic patterns. Thoma Bravo completed its $3.9 billion takeover of Sophos in 2020 as the company continues to increase its reach in the cybersecurity space. Since then, the private equity firm has acquired security vendor Proofpoint for $12.3 billion and led a $225 million funding round in zero-trust unicorn Illumio.

#braintrace, #chief-technology-officer, #computing, #cybercrime, #cybersecurity-startup, #devops, #illumio, #information-technology, #ma, #proofpoint, #seattle, #security, #security-software, #sophos, #technology, #thoma-bravo, #u-s-air-force

Industrial cybersecurity startup Nozomi Networks secures $100M in pre-IPO funding

Nozomi Networks, an industrial cybersecurity startup that aims to shield critical infrastructure from cyberattacks, has raised $100 million in pre-IPO funding.

The Series D funding round was led by Triangle Peak Partners, and also includes investment from a number of equipment, security, service provider and go-to-market companies including Honeywell Ventures, Keysight Technologies and Porsche Digital. 

This funding comes at a critical time for the company. Cyberattacks on industrial control systems (ICS) — the devices necessary for the continued running of power plants, water supplies, and other critical infrastructure — increased both in frequency and severity during the pandemic. Look no further than May and June, which saw ransomware attacks target the IT networks of Colonial Pipeline and meat manufacturing giant JBS, forcing the companies to shut down their industrial operations.

Nozomi Networks, which competes with Dragos and Claroty, claims its industrial cybersecurity solution, which works to secure ICS devices by detecting threats before they hit, can prevent such attacks from happening. It provides real-time visibility to help organizations manage cyber risk and improve resilience for industrial operations.

The technology currently supports more than a quarter of a million devices in sectors such as critical infrastructure, energy, manufacturing, mining, transportation, and utilities, with Nozomi Networks doubling its customer base in 2020 and seeing a 5,000% increase in the number of devices its solutions monitor. 

The company will use its latest investment, which comes less than two years after it secured $30 million in Series C funding, to scale product development efforts as well as its go-to-market approach globally. 

Specifically, Nozomi Networks said it plans to grow its sales, marketing, and partner enablement efforts, and upgrade its products to address new challenges in both the OT and IoT visibility and security markets. 

#articles, #australia, #canada, #colonial-pipeline, #computer-security, #computing, #cyberattack, #cybercrime, #cyberwarfare, #energy, #funding, #internet-of-things, #malware, #manufacturing, #mining, #nozomi-networks, #porsche, #security, #technology, #united-states

Noetic Cyber emerges from stealth with $15M led by Energy Impact Partners

Noetic Cyber, a cloud-based continuous cyber asset management and controls platform, has launched from stealth with a Series A funding round of $15 million led by Energy Impact Partners.

The round was also backed by Noetic’s existing investors, TenEleven Ventures and GlassWing Ventures, and brings the total amount of funds raised by the startup to $20 million following a $5 million seed round. Shawn Cherian, a partner at Energy Impact Partners, will join the Noetic board, while Niloofar Razi Howe, a senior operating partner at the investment firm, will join Noetic’s advisory board.

“Noetic is a true market disruptor, offering an innovative way to fix the cyber asset visibility problem — a growing and persistent challenge in today’s threat landscape,” said Howe.

The Massachusetts-based startup claims to be taking a new approach to the cyber asset management problem. Unlike traditional solutions, Noetic is not agent-based, instead using API aggregation and correlation to draw insights from multiple security and IT management tools.

“What makes us different is that we’re putting orchestration and automation at the heart of the solution, so we’re not just showing security leaders that they have problems, but we’re helping them to fix them,” Paul Ayers, CEO and co-founder of Noetic Cyber, tells TechCrunch.

Ayers was previously a top exec at PGP Corporation (acquired by Symantec for $370 million) and Vormetric (acquired by Thales for $400 million) and founded Noetic Cyber with Allen Roger and Allen Hadden, who have previously worked at cybersecurity vendors including Authentica, Raptor and Axent. All three were also integral to the development of Resilient Systems, which was acquired by IBM.

“The founding team’s experience in the security, orchestration, automation and response market gives us unique experience and insights to make automation a key pillar of the solution,” Ayers said. “Our model gives you the certainty to make automation possible; the goal is to find and fix problems continuously, getting assets back to a secure state.”

“The development of the technology has been impacted by the current cyber landscape, and the pandemic, as some of the market drivers we’ve seen around the adoption of cloud services, and the increased use of unmanaged devices by remote workers, are driving a great need for accurate cyber asset discovery and management.”

The company, which currently has 20 employees, says it plans to use the newly raised funds to double its headcount by the end of the year, as well as increase its go-to-market capability in the U.S. and the U.K. to grow its customer base and revenue.

“In terms of technology development, this investment allows us to continue to add development and product management talent to the team to build on our cyber asset management platform,” Ayers said. 

“The beauty of our approach is that it allows us to easily add more applications and use cases on top of our core asset visibility and management model. We will continue to add more connectors to support customer use cases and will be bringing a comprehensive controls package to market later in 2021, as well as a community edition in 2022.”

#api, #cloud-services, #computer-security, #computing, #cryptography, #cybercrime, #cyberwarfare, #data-security, #energy-impact-partners, #funding, #glasswing-ventures, #ibm, #information-technology, #malware, #massachusetts, #partner, #raptor, #resilient-systems, #security, #shawn-cherian, #symantec, #technology-development, #teneleven-ventures, #thales, #united-kingdom, #united-states, #vormetric

Saudi Aramco confirms data leak after $50 million cyber ransom demand

Image: The Hawiyah Natural Gas Liquids Recovery Plant, operated by Saudi Aramco, in Hawiyah, Saudi Arabia, on Monday, June 28, 2021. (credit: Bloomberg | Getty Images)

Saudi Aramco, the world’s largest oil producer, confirmed on Wednesday that some of its company files had been leaked via a contractor, after a cyber extortionist claimed to have seized troves of its data last month and demanded a $50 million ransom from the company.

Aramco said in a statement that it had “recently become aware of the indirect release of a limited amount of company data which was held by third-party contractors.” The oil company did not name the supplier or explain how the data were compromised.

“We confirm that the release of data was not due to a breach of our systems, has no impact on our operations, and the company continues to maintain a robust cyber security posture,” Aramco added.


#biz-it, #cybercrime, #infrastructure, #ransomware

Sophos acquires Braintrace to supercharge its threat detection capabilities

Thoma Bravo-owned Sophos has announced it’s acquiring Braintrace, a cybersecurity startup that provides organizations visibility into suspicious network traffic patterns. Terms of the deal were not disclosed.

Braintrace, which was founded in 2016 and has raised $10 million in funding, has developed a network detection and response (NDR) solution that helps organizations to easily inspect network traffic to identify and filter out suspicious activity. It does this using remote network packet capture (RNCAP) technology, which provides visibility into network traffic patterns, including encrypted traffic, without the need for man-in-the-middle decryption. It also provides visibility into cloud network traffic, a task that typically needs to be carried out on-site, and supports all of the major cloud providers including AWS and Microsoft Azure.

The deal will see Sophos integrate Braintrace’s NDR technology into its own adaptive cybersecurity ecosystem, which underpins all of its security products and services. The technology will also help Sophos collect data from firewalls, proxies and VPNs, allowing it to look for network traffic that contains instructions for malware like TrickBot, and for attackers that misuse Cobalt Strike, as well as pre-empting other malicious traffic that might lead to ransomware attacks.

Braintrace’s developers, data scientists and security analysts have joined Sophos’ global managed threat response (MTR) and rapid response teams as part of the deal.

Commenting on the deal, which Sophos claims will make it one of the largest and fastest-growing managed detection and response (MDR) providers, the company’s CEO Joe Levy said: “We’re excited that Braintrace built this technology specifically to provide better security outcomes to their MDR customers. It’s hard to beat the effectiveness of solutions built by teams of skilled practitioners and developers to solve real-world cybersecurity problems.”

Bret Laughlin, co-founder and CEO of Braintrace, added: “We built Braintrace’s NDR technology from the ground up for detection and now, with Sophos, it will fit into a complete system to provide cross-product detection and response across a multi-vendor ecosystem.”

The deal comes a little over a year after Thoma Bravo completed its $3.9 billion takeover of Sophos, and sees the private equity firm further increasing its reach in the cybersecurity space. It acquired security vendor Proofpoint for $12.3 billion back in April, and recently led a $225 million funding round in zero trust unicorn Illumio.

#aws, #ceo, #computer-security, #computing, #cybercrime, #cybersecurity-startup, #illumio, #microsoft, #proofpoint, #security, #security-software, #sophos, #technology, #thoma-bravo

Cyber risk startup Safe Security lands $33M from UK telco BT

Safe Security, a Silicon Valley cyber risk management startup, has secured a $33 million investment from U.K. telco BT. 

Founded in 2012, Safe Security — formerly known as Lucideus — helps organizations to measure and mitigate enterprise-wide cyber risk using its security assessment framework for enterprises (SAFE) platform. The service, which is used by a number of companies including Facebook, Softbank and Xiaomi, helps businesses understand their likelihood of suffering a major cyberattack, calculates a financial cost to customers’ risks and provides actionable insight on the steps that can be taken to address them.

This funding round saw participation from Safe Security’s existing investors, including former Cisco chairman and chief executive John Chambers, and brings the total amount raised by Safe Security to $49.2 million.

BT said the investment, which is its first major third-party investment in cybersecurity since 2006, reflected its plans to grow rapidly in the sector. Philip Jansen, BT CEO said: “Cybersecurity is now at the top of the agenda for businesses and governments, who need to be able to trust that they’re protected against increasing levels of attack. 

“Already one of the world’s leading providers in a highly fragmented security market, this investment is a clear sign of BT’s ambition to grow further.”

The startup’s co-founder and chief executive Saket Modi said he was “delighted” to be working with BT.

“By aligning BT’s global reach and capabilities with SAFE’s ability to provide real-time visibility on cyber risk posture, we are going to fundamentally change how security is measured and managed across the globe,” he said.

As part of the investment, which will see Safe Security double its engineering team by the end of the year, BT will combine the SAFE platform with its managed security services, and gain exclusive rights to use and sell SAFE to businesses and public sector bodies in the UK. BT will also work collaboratively with Safe Security to develop future products, according to an announcement from the company.

Safe Security’s competitors include UpGuard, Exabeam and VisibleRisk.

#bt, #ceo, #cisco, #computer-security, #computing, #cyberattack, #cybercrime, #cyberwarfare, #exabeam, #facebook, #funding, #philip-jansen, #security, #softbank, #united-kingdom, #xiaomi

US blames China for Exchange server hacks and ransomware attacks

The Biden administration has formally accused China of the mass-hacking of Microsoft Exchange servers earlier this year, which prompted the FBI to intervene as concerns rose that the hacks could lead to widespread destruction.

The mass-hacking campaign targeted Microsoft Exchange email servers with four previously undiscovered vulnerabilities that allowed the hackers — which Microsoft already attributed to a China-backed group of hackers called Hafnium — to steal email mailboxes and address books from tens of thousands of organizations around the United States.

Microsoft released patches to fix the vulnerabilities, but the patches did not remove any backdoor code (such as web shells) left behind by the hackers that might be used again for easy access to a hacked server. That prompted the FBI to secure a first-of-its-kind court order to effectively hack into the remaining hundreds of U.S.-based Exchange servers to remove the backdoor code. Computer incident response teams in countries around the world responded similarly by trying to notify organizations in their countries that were also affected by the attack.

In a statement out Monday, the Biden administration said the attack, launched by hackers backed by China’s Ministry of State Security, resulted in “significant remediation costs for its mostly private sector victims.”

“We have raised our concerns about both this incident and the [People’s Republic of China’s] broader malicious cyber activity with senior PRC Government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace,” the statement read.

The National Security Agency also released details of the attacks to help network defenders identify potential routes of compromise. The Chinese government has repeatedly denied claims of state-backed or sponsored hacking.

The Biden administration also blamed China’s Ministry of State Security for contracting with criminal hackers to conduct unsanctioned operations, like ransomware attacks, “for their own personal profit.” The government said it was aware that China-backed hackers have demanded millions of dollars in ransom from hacked companies. Last year, the Justice Department charged two Chinese spies for their role in a global hacking campaign in which prosecutors accused the hackers of also operating for personal gain.

Although the U.S. has publicly pressed the Kremlin to stop giving safe harbor to ransomware gangs operating from within Russia’s borders, the U.S. has not previously accused Beijing of launching or being involved with ransomware attacks.

“The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” said Monday’s statement.

The statement also said that the China-backed hackers engaged in extortion and cryptojacking, a way of forcing a computer to run code that uses its computing resources to mine cryptocurrency, for financial gain.

The Justice Department also announced fresh charges against four China-backed hackers working for the Ministry of State Security, which U.S. prosecutors said were engaged in efforts to steal intellectual property and infectious disease research into Ebola, HIV and AIDS, and MERS against victims based in the U.S., Norway, Switzerland and the United Kingdom by using a front company to hide their operations.

“The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe. Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft,” said deputy attorney general Lisa Monaco.

#attorney-general, #biden, #biden-administration, #china, #computer-security, #computing, #cyberattacks, #cybercrime, #cyberwarfare, #department-of-justice, #doj, #federal-bureau-of-investigation, #government, #hacker, #hacking, #healthcare, #internet-security, #microsoft, #national-security-agency, #norway, #russia, #security, #switzerland, #technology, #united-kingdom, #united-states

This crowdsourced payments tracker wants to solve the ransomware visibility problem

Ransomware attacks, fueled by COVID-19 pandemic turbulence, have become a major money earner for cybercriminals, with the number of attacks rising in 2020.

These file-encrypting attacks have continued largely unabated this year, too. In the last few months alone we’ve witnessed the attack on Colonial Pipeline that forced the company to shut down its systems — and the gasoline supply — to much of the eastern seaboard, the hack on meat supplier JBS that abruptly halted its slaughterhouse operations around the world, and just this month a supply chain attack on IT vendor Kaseya that saw hundreds of downstream victims locked out of their systems.

However, while ransomware attacks continue to make headlines, it’s near-impossible to understand their full impact, nor is it known whether taking certain decisions — such as paying the cybercriminals’ ransom demands — makes a difference.

Jack Cable, a security architect at Krebs Stamos Group who previously worked for the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is looking to solve that problem with the launch of a crowdsourced ransom payments tracking website, Ransomwhere.

“I was inspired to start Ransomwhere by Katie Nickels’s tweet that no one really knows the full impact of cybercrime, and especially ransomware,” Cable told TechCrunch. “After seeing that there’s currently no single place for public data on ransomware payments, and given that it’s not hard to track bitcoin transactions, I started hacking it together.”

The website keeps a running tally of ransoms paid out to cybercriminals in bitcoin, made possible by the public record of transactions on the blockchain. As the site is crowdsourced, it incorporates data from self-reported incidents of ransomware attacks, which anyone can submit. However, to make sure all reports are legitimate, each submission must include a screenshot of the ransom demand, and every case is reviewed manually by Cable himself before being made public. If an approved report’s authenticity is later called into question, it will be removed from the database.

The already-burgeoning database, which doesn’t include any personal or victim-identifying information, is available as a free download for the cybersecurity community and law enforcement officials, which Cable hopes will help give some much-needed public transparency about the current state of the problem.

“As we consider policy proposals to change the state of ransomware economics, we will need data to assess whether these actions are successful,” Cable said. “For law enforcement, as we saw with the Colonial Pipeline hack, law enforcement does have the ability to recover some payments, so it would be great if this can further aid their efforts.”

At the time of writing, the site is tracking a total of more than $32 million in ransom payments for 2021. The bulk of these payments have been made to REvil, the Russia-linked ransomware gang that took credit for the JBS and Kaseya hacks. The group has racked up more than $11 million in ransom payments this year, according to Ransomwhere, an amount that could increase dramatically if its recent demand for $70 million as part of the Kaseya attack is met.

Netwalker, one of the most popular ransomware-as-a-service offerings on the dark web, comes in second with more than $6.3 million in payments for 2021, though Ransomwhere’s tally shows that the group has racked up the most ransom payments in total, with roughly $28 million to its name based on the site’s data.

RagnarLocker, DarkSide and Egregor round out Ransomwhere’s top five list — for now at least — having amassed sums of $4.6 million, $4.4 million and $3.2 million, respectively.

Cable says that going forward, he’s exploring ways of partnering with companies in the security and blockchain analysis spaces in order to integrate data that they already have on ransomware actions. He’s also looking at ways to support other traceable cryptocurrencies, such as Ethereum, as well as at the potential to track downstream bitcoin addresses. 

“It’ll never be possible to get the full picture — criminals who are using Monero will be near-impossible to track”, Cable says. “But I would like to get as complete of a picture as possible.”
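The two techniques described above, tallying payments to reported ransom addresses and following funds to downstream addresses, are straightforward to express over a transaction graph. The following is an added example, not Ransomwhere’s code: the families, addresses, amounts and transactions are constructed for illustration, and amounts are kept in satoshis so sums are exact. Real data would come from a bitcoin node or block explorer, and a payment is counted only when the address is not also an input of the same transaction, so change returned to a spender is not mistaken for a ransom.

```python
"""Tally ransom payments per family and follow funds downstream.

Added example with constructed data; not Ransomwhere's own code or records.
Amounts are integers in satoshis (1 BTC = 100_000_000 sat).
"""
from collections import deque

# Constructed reports: each maps a ransomware family to an address that
# appeared in a ransom note. The same address may be reported more than once.
REPORTS = [
    {"family": "REvil", "address": "bc1q_revil_a"},
    {"family": "REvil", "address": "bc1q_revil_b"},
    {"family": "REvil", "address": "bc1q_revil_a"},  # duplicate report
    {"family": "Netwalker", "address": "bc1q_netwalker_a"},
]

# Constructed transactions: inputs are the addresses spent from, outputs are
# (address, satoshis). t4 and t5 model the ransom being moved on towards an
# exchange deposit address.
TRANSACTIONS = [
    {"txid": "t1", "inputs": ["bc1q_victim_1"],
     "outputs": [("bc1q_revil_a", 150_000_000)]},
    {"txid": "t2", "inputs": ["bc1q_victim_2"],
     "outputs": [("bc1q_revil_b", 200_000_000), ("bc1q_victim_2", 10_000_000)]},
    {"txid": "t3", "inputs": ["bc1q_victim_3"],
     "outputs": [("bc1q_netwalker_a", 75_000_000)]},
    {"txid": "t4", "inputs": ["bc1q_revil_a", "bc1q_revil_b"],
     "outputs": [("bc1q_mixer_1", 340_000_000), ("bc1q_revil_change", 10_000_000)]},
    {"txid": "t5", "inputs": ["bc1q_mixer_1"],
     "outputs": [("bc1q_exchange_deposit", 339_000_000)]},
]


def received_by(address, txs):
    """Satoshis paid to `address` by transactions that do not spend from it.

    A transaction that both spends from and pays to the address is returning
    change, not paying a ransom, so it is skipped.
    """
    total = 0
    for tx in txs:
        if address in tx["inputs"]:
            continue
        total += sum(amount for addr, amount in tx["outputs"] if addr == address)
    return total


def tally_by_family(reports, txs):
    """Sum payments per family over the distinct addresses reported for it,
    ranked highest first."""
    addresses = {}
    for report in reports:
        addresses.setdefault(report["family"], set()).add(report["address"])
    totals = {family: sum(received_by(a, txs) for a in addrs)
              for family, addrs in addresses.items()}
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


def trace_downstream(address, txs, max_hops=2):
    """Breadth-first walk from `address` through transactions that spend
    from it. Returns {downstream_address: hops}, with hops the shortest
    distance found. Outputs that go back to an input address (change) are
    not treated as downstream."""
    seen = {}
    queue = deque([(address, 0)])
    while queue:
        current, hops = queue.popleft()
        if hops == max_hops:
            continue
        for tx in txs:
            if current not in tx["inputs"]:
                continue
            for out_addr, _ in tx["outputs"]:
                if out_addr == address or out_addr in tx["inputs"] or out_addr in seen:
                    continue
                seen[out_addr] = hops + 1
                queue.append((out_addr, hops + 1))
    return seen


if __name__ == "__main__":
    for family, sats in tally_by_family(REPORTS, TRANSACTIONS):
        print(f"{family:10s} {sats / 1e8:.4f} BTC")
    print(trace_downstream("bc1q_revil_a", TRANSACTIONS, max_hops=2))
```

The downstream walk stops at a hop limit because coin mixers and exchange hot wallets fan out quickly; in practice the interesting signal is which hop first lands on an address a blockchain analysis firm has attributed to an exchange, since that is where law enforcement can ask for the funds to be frozen.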

#colonial-pipeline, #crime, #crimes, #cyberattacks, #cybercrime, #dark-web, #fujifilm, #kaseya, #monero, #ransomware, #security

Kaseya hack floods hundreds of companies with ransomware

On Friday, a flood of ransomware hit hundreds of companies around the world. A grocery store chain, a public broadcaster, schools, and a national railway system were all hit by the file-encrypting malware, causing disruption and forcing hundreds of businesses to close.

The victims had something in common: a key piece of network management and remote control software developed by U.S. technology firm Kaseya. The Miami-headquartered company makes software used to remotely manage a company’s IT networks and devices. That software is sold to managed service providers — effectively outsourced IT departments — which they then use to manage the networks of their customers, often smaller companies.

But hackers associated with the Russia-linked REvil ransomware-as-a-service group are believed to have used a never-before-seen security vulnerability in the software’s update mechanism to push ransomware to Kaseya’s customers, which in turn spread downstream to their customers. Many of the companies who were ultimately victims of the attack may not have known that their networks were monitored by Kaseya’s software.

Kaseya warned customers on Friday to “IMMEDIATELY” shut down their on-premise servers, and its cloud service — though not believed to be affected — was pulled offline as a precaution.

“[Kaseya] showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint.” Security researcher Victor Gevers

John Hammond, senior security researcher at Huntress Labs, a threat detection firm that was one of the first to reveal the attack, said about 30 managed service providers were hit, allowing the ransomware to spread to “well over” 1,000 businesses. Security firm ESET said it knows of victims in 17 countries, including the U.K., South Africa, Canada, New Zealand, Kenya and Indonesia.

Now it’s becoming clearer just how the hackers pulled off one of the biggest ransomware attacks in recent history.

Dutch researchers said they found several zero-day vulnerabilities in Kaseya’s software as part of an investigation into the security of web-based administrator tools. (Zero-days are so called because the vendor has had zero days to fix the problem before it is exploited.) The bugs were reported to Kaseya and were in the process of being fixed when the hackers struck, said Victor Gevers, who heads the group of researchers, in a blog post.

Kaseya’s chief executive Fred Voccola told The Wall Street Journal that its corporate systems were not compromised, lending greater credence to the working theory by security researchers that servers run by Kaseya’s customers were compromised individually using a common vulnerability.

The company said that all servers running the affected software should stay offline until the patch is ready. Voccola told the paper that it expects patches to be released by late Monday.

The attack began late Friday afternoon, just as millions of Americans were logging off into the long July 4 weekend. Adam Meyers, CrowdStrike’s senior vice president of intelligence, said the attack was carefully timed.

“Make no mistake, the timing and target of this attack are no coincidence. It illustrates what we define as a Big Game Hunting attack, launched against a target to maximize impact and profit through a supply chain during a holiday weekend when business defenses are down,” said Meyers.

A notice posted over the weekend on a dark web site known to be run by REvil claimed responsibility for the attack and said the ransomware group would publicly release a decryption tool if it is paid $70 million in bitcoin.

“More than a million systems were infected,” the group claims in the post.

#computer-security, #crime, #crimes, #crowdstrike, #cybercrime, #kaseya, #kenya, #miami, #network-management, #new-zealand, #ransomware, #security, #south-africa, #technology, #the-wall-street-journal, #united-kingdom, #united-states

Clop ransomware gang doxes two new victims days after police raids

The notorious Clop ransomware operation appears to be back in business, just days after Ukrainian police arrested six alleged members of the gang.

Last week, a law enforcement operation conducted by the National Police of Ukraine along with officials from South Korea and the U.S. saw the arrest of multiple suspects believed to be linked to the Clop ransomware gang. It’s believed to be the first time a national law enforcement group carried out mass arrests involving a ransomware group.

The Ukrainian police also claimed at the time to have successfully shut down the server infrastructure used by the gang. But it doesn’t seem the operation was completely successful.

While the Clop operation fell silent following the arrests, the gang has this week published a fresh batch of confidential data which it claims to have stolen from two new victims — a farm equipment retailer and an architects office — on its dark web site, seen by TechCrunch.

If true — and neither of the alleged victims responded to TechCrunch’s request for comment — this would suggest that the ransomware gang remains active, despite last week’s first-of-its-kind law enforcement sting. This is likely because the suspects cuffed included only those who played a lesser role in the Clop operation. Cybersecurity firm Intel 471 said it believes that last week’s arrests targeted the money laundering portion of the operation, with core members of the gang not apprehended.

“We do not believe that any core actors behind Clop were apprehended,” the security company said. “The overall impact to Clop is expected to be minor although this law enforcement attention may result in the Clop brand getting abandoned as we’ve recently seen with other ransomware groups like DarkSide and Babuk.”

Clop appears to still be in business, but it remains to be seen how long the group will remain operational. Not only have law enforcement operations dealt numerous blows to ransomware groups this year, such as U.S. investigators’ recent recovery of millions in cryptocurrency they claim was paid in ransom to the Colonial Pipeline hackers, but Russia has this week confirmed it will begin to work with the U.S. to locate cybercriminals.

Russia has until now taken a hands-off approach to dealing with hackers. Reuters reported Wednesday that Alexander Bortnikov, the head of the country’s Federal Security Service (FSB), said the agency would co-operate with U.S. authorities on future cybersecurity operations.

Intel 471 previously said that it does not believe the key members of Clop were arrested in last week’s operation because “they are probably living in Russia,” which has long provided safe harbor to cybercriminals by refusing to take action.

The Clop ransomware gang was first spotted in early 2019, and the group has since been linked to a number of high-profile attacks. These include the breach of U.S. pharmaceutical giant ExecuPharm in April 2020 and the recent data breach at Accellion, which saw hackers exploit flaws in the IT provider’s software to steal data from dozens of its customers including the University of Colorado and cloud security vendor Qualys.

#accellion, #chief, #colorado, #computer-security, #crime, #cyberattack, #cybercrime, #head, #intel, #law-enforcement, #moscow, #qualys, #ransomware, #russia, #security, #security-breaches, #south-korea, #united-states

Mitiga raises $25M Series A to help organizations respond to cyberattacks

Israeli cloud security startup Mitiga has raised $25 million in a Series A round of funding as it moves to “completely change” the traditional incident response market.

Mitiga, unlike other companies in the cybersecurity space, isn’t looking to prevent cyberattacks, which the startup claims are inevitable no matter how much protection is in place. Rather, it’s looking to help organizations manage their incident response, particularly as they transition to hybrid and multi-cloud environments. 

The early-stage startup, which raised $7 million in seed funding in July last year, says its incident readiness and response tech stack accelerates post-incident bounce back from days down to hours. Its subscription-based offering automatically detects when a network is breached and quickly investigates, collects case data, and translates it into remediation steps for all relevant divisions within an organization so they can quickly and efficiently respond. Mitiga also documents each event, allowing organizations to fix the cause in order to prevent future attacks.

Mitiga’s Series A was led by ClearSky Security, Atlantic Bridge, and DNX, and the startup tells TechCrunch that it will use the funds to “continue to disrupt how incident readiness and response is delivered,” as well as “significantly” increasing its cybersecurity, engineering, sales, and marketing staff.

The company added that the funding comes amid a “changing mindset” for enterprise organizations when it comes to incident readiness and response. The pandemic has accelerated cloud adoption, and it’s predicted that spending on cloud services will surpass $332 billion this year alone. This acceleration, naturally, has provided a lucrative target for hackers, with cyberattacks on cloud services increasing 630% in the first four months of 2020, according to McAfee. 

“The cloud represents new challenges for incident readiness and response and we’re bringing the industry’s first incident response solution in the cloud, for the cloud,” said Tal Mozes, co-founder and CEO of Mitiga. 

“This funding will allow us to further our engagements with heads of enterprise security who are looking to recover from an incident in real-time, attract even more of the most innovative cybersecurity minds in the industry, and expand our partner network. I couldn’t be more excited about what Mitiga is going to do for cloud-first organizations who understand the importance of cybersecurity readiness and response.”

Mitiga was founded in 2019 by Mozes, Ariel Parnes and Ofer Maor, and the team of 42 currently works in Tel Aviv with offices in London and New York. It has customers in multiple sectors, including financial service institutions, banks, e-commerce, law enforcement and government agencies, and Mitiga also provides emergency response to active network security incidents such as ransomware and data breaches for non-subscription customers.

#artificial-intelligence, #atlantic-bridge, #claroty, #cloud-services, #computer-security, #cyberattack, #cybercrime, #cyberwarfare, #data-security, #e-commerce, #funding, #law-enforcement, #london, #malware, #new-york, #security, #series-a, #techcrunch, #tel-aviv

Addressing the cybersecurity skills gap through neurodiversity

Addressing the skills gap and strengthening your own security team means bringing in different minds and perspectives — and that starts with embracing neurodiversity. To even have a chance at closing the cybersecurity skills gap, we need people with a variety of different abilities and thought processes. But did you know that there’s an untapped potential in individuals who are neurodivergent?

Neurodiversity can mean different things to different people. It’s a concept that views the spectrum of neurological differences — like ADHD, autism, dyslexia, Tourette’s and other cognitive and developmental disorders — as natural variations of the human brain. In a nutshell, neurodiversity recognizes that brain differences are just that: differences.

I was always aware of the fact that I had a different operating system. It was like growing up on a Mac OS, but made specifically for Windows OS. It wasn’t until I was diagnosed as autistic that I understood why I am the way that I am. My diagnosis gave me a purpose. It’s a purpose I’ve taken with me into the working world, and it’s helped me realize how vital neurodiverse individuals can and will be to the cybersecurity industry.

There are many inherent traits in people with autism that are well suited for working in cybersecurity. For example, many people with autism are pattern thinkers and are highly detail-oriented. This allows someone in a threat-hunting position to find those subtle differences between malicious and nonmalicious code and catch the threats that automated tools might miss. We also have the ability to hyperfocus, which allows us to concentrate on problem-solving and stick with complex issues that other people may abandon.

Of course, we all have a different set of skills, interests, strengths and weaknesses. But there are some characteristics that — when given the right support and environment — can translate to cybersecurity positively.

This is especially true when autistic adults are interested in technology and cybersecurity. Their interest can complement their attention to detail, which can make for a successful blue team cyber professional. The number and types of cyber threats are constantly changing. Some are obvious to hunt down, and some are much more subtle. Some malware even has the ability to “live off the land” by using already created applications or executables that live natively on a computer. Knowing this information, and knowing what to look for and where to hone in, allows a neurodivergent person to consistently inspect, investigate and hunt down even the most persistent threats.

Embrace the benefits

Instead of focusing on what makes a neurodivergent person “different,” we should embrace the benefits that different minds and viewpoints bring to the field of cybersecurity. Let’s face it: The world is going to need more cybersecurity professionals. Ensuring diversity in these teams includes embracing neurodiversity. Having a blend of unique talents provided by these detail-oriented, rule-bound, logical and independent-thinking individuals is — and will be — a competitive edge in cybersecurity.

Having a career in cybersecurity typically requires logic, discipline, curiosity and the ability to solve problems and find patterns. This is an industry that offers a wide spectrum of positions and career paths for people who are neurodivergent, particularly for roles in threat analysis, threat intelligence and threat hunting.

Neurodiverse minds are usually great at finding the needle in the haystack, the small red flags and minute details that are critical for hunting down and analyzing potential threats. Other strengths include pattern recognition, thinking outside the box, attention to detail, a keen sense of focus, methodical thinking and integrity.

The more diverse your teams are, the more productive, creative and successful they will be. And not only can neurodiverse talent help strengthen cybersecurity, employing different minds and perspectives can also solve communication problems and create a positive impact for both your team and your company.

According to the Bureau of Labor Statistics, the demand for Information Security Analysts — one of the common career paths for cybersecurity professionals — is expected to grow 31% by 2029, much higher than the average growth rate of 4% for other occupations. While vital jobs in cybersecurity are going unfilled, millions of smart people who’d be ideally suited for the work remain unemployed.

Taking the first step

It’s time to challenge the assumption that qualified talent equals neurotypicality. There are many steps companies can take to ensure inclusivity and promote belonging in the workplace. Let’s start all the way at the beginning and focus on job postings.

Job postings should be black and white in terms of the information they are asking for and the job requirements. Start by making job postings more inclusive and less constrictive in what is being required. Include a contact email address where an applicant can ask for accommodations, and provide a less traditional approach by providing these accommodations.

Traditional interviews can be a challenge for neurodivergent individuals, and this is often the first hurdle to employment. For example, to ease some candidates’ nerves, you could provide a list of questions that will be asked as a guideline. More importantly, don’t judge someone based on their lack of eye contact.

To promote an inclusive culture in which neurodivergent employees feel they belong, the workplace should be more supportive of different needs. It is vital to ensure employees at all levels have the knowledge and understanding of how to empower a diverse team and create an open and inclusive workplace. This starts with diversity, equity, inclusion and belonging training for all employees. Companies should also consider changing their communication style. Neurodiverse individuals communicate differently, and not altering the way you communicate could lead to a disconnect in the workplace.

My advice to other neurodivergent and/or autistic adults looking to break into the cybersecurity field is to continue your learning, connect with cybersecurity professionals for networking purposes and never give up. The more we push for awareness and inclusion in all aspects of all companies — small and large — the more opportunities there will be for success.

#adhd, #autism, #column, #computer-security, #cybercrime, #cybersecurity, #cyberwarfare, #diversity, #diversity-and-inclusion, #diversity-in-technology, #dyslexia, #neurodiversity, #opinion, #security, #tc, #tourettes

Biden’s executive order on cybersecurity should include behavior transparency

The Biden administration this spring announced an executive order designed to strengthen government cybersecurity defenses in the wake of several major recent hacks, including the SolarWinds, Microsoft Exchange Server and Pulse Secure incidents, which impacted numerous federal agencies and private companies. The order’s importance was underscored by the DarkSide ransomware attack on Colonial Pipeline just a few weeks later.

One key element of the cyber executive order is a “software bill of materials” (SBOM) that vendors would be required to provide as part of the federal procurement process. The SBOM would detail the exact software components utilized in a given product, including any open-source components, making it much easier and faster for federal agencies to determine whether they are subject to a vulnerability uncovered in one of these components.

The SBOM is an important step in shoring up federal cybersecurity, but it’s not enough. Understanding the software components included in various products will help agency security teams react more quickly when vulnerabilities come to light, but in other scenarios, like SolarWinds-style supply-chain attacks that surreptitiously insert software components, its impact is limited.

That’s why the Biden administration should extend the cyber executive order to include not only an SBOM, but also “behavior transparency.”

Transparency requirements are not a new concept in technology. Certificate transparency (CT) is a system of public, append-only logs of certificates issued by publicly trusted certificate authorities (CAs), which provides a framework for monitoring and auditing CA activity, while Apple’s recently announced App Tracking Transparency allows users to see what activity apps are tracking and opt out. Behavior transparency is a proposed application of this concept to known software behaviors.

The purpose of a behavior transparency framework is to enumerate the expected actions of interest that a given piece of software will take on a device or on the network. This helps security analysts distinguish between expected noise and indications of compromise. This, in turn, can give security teams an advantage in identifying the exploitation of unknown vulnerabilities in any proprietary or open-source software.

The good news is that the enumeration of common software behaviors is already a standard industry practice for external network activity. Most major software vendors, including Meraki, McAfee, Tenable, LogMeIn/GoToMeeting, and my own company, ExtraHop, already publish lists of common product behaviors. Even SolarWinds has documentation describing its network behaviors.

But the Biden administration can help effect critical changes that improve upon this industry practice and improve the overall security posture for public and private organizations alike.

Establish standards for behavior transparency

First, the cyber executive order should form a working group in partnership with representative software and security software vendors, as well as organizations such as MITRE, to create standards for the types of network activity that must be included for full behavior transparency.

At a minimum, this should include things like external network destinations, internal network connection behavior with other software components, and, where applicable, a list of associated network ports and the purposes for which those ports are used. The behavior transparency framework should also include other network behavior, especially (but not limited to) anything that looks like scanning or reconnaissance behavior.

Make behavioral data available to common security tools

Second, the cyber executive order should mandate that known software behaviors be published in a machine-readable format such as JSON or CSV that could be ingested into common security products like security information and event management (SIEM), firewalls, endpoint protection platforms, network detection and response, and change management tools.

This is a crucial distinction from the current model, in which most behaviors are listed on a webpage or in a PDF that isn’t machine-readable. With this change, common security tools could use that machine-readable behavioral data to help build baselines for activity within an organization to more quickly and accurately detect deviations that indicate compromise. Meraki is already doing this by providing its list in CSV format.

Centralize access to behavioral information

Third, the cyber executive order should establish a clearinghouse for behavior transparency data, administered by the Cybersecurity and Infrastructure Security Agency or another appropriate federal agency. The status quo is to hunt around on a vendor’s website, consult their in-product documentation or open a support case to find out about network behavior. If the information provided is incorrect, that’s also a support case.

The current decentralized approach is deeply problematic. Unfettered network access for enterprise software products introduces substantial security risk — Zero Trust frameworks have been established to prevent precisely this — but typical practitioners do not have the time or expertise to individually track down the expected behaviors of each piece of enterprise software they have in the environment. Without centralized access to behavior transparency data, even the best Zero Trust implementations will have major gaps surrounding enterprise software.

A clearinghouse would provide a centralized repository for behavior transparency data, organized by company, product and product version. A forum like GitHub is an ideal mechanism for such a clearinghouse, providing a widely used, centralized repository for this information.

Streamline feedback between users and vendors

Fourth, the clearinghouse should include a mechanism by which product users can easily provide feedback to software vendors. Feedback can be in the form of issues or even pull requests, though the companies should be involved in approving changes. This way, deficiencies in the behaviors can be pointed out in a public forum. Most deficiencies will be for reasons like a product update that wasn’t reflected in the behavior transparency data, though as time goes on, companies will ideally make it a practice to make sure these are kept up to date. But there will also be true positives found.

Protecting the software supply chain with behavior transparency

The SolarWinds software supply chain attack, first disclosed in December 2020, illustrates and underscores the importance of behavior transparency. Prior to December 11, when FireEye first identified the backdoor in the SolarWinds Orion software, at least two other cybersecurity companies, Palo Alto Networks and Fidelis, had noticed that their SolarWinds installations were communicating with the attacker-controlled “stage 1” avsvmcloud[.]com domain. Palo Alto Networks observed and blocked additional malicious behavior, but at the time neither company determined that the communication with avsvmcloud[.]com itself was suspect. That’s due in large part to the notorious amount of “noise” involved in looking at network data.

But if more organizations had ready access to SolarWinds’ behavior transparency data, as well as a forum in which to compare deviations from the baseline, things might have played out differently.

SolarWinds Orion doesn’t reach out to a lot of external destinations, so when the first stage of the supply chain attack started hitting subdomains of “appsync-api.eu-west-1.avsvmcloud[.]com,” an analyst on a threat hunt running a SIEM query, or a machine-learning-based EDR or NDR product armed with that information, might have more quickly determined that something was amiss.
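What that SIEM query or tool would do with vendor-published behavior data is simple to show in code. The following is an added example written for this column, not ExtraHop’s, SolarWinds’ or any vendor’s code: it loads a machine-readable baseline (a CSV whose column layout is an assumption, not Meraki’s or anyone else’s real schema; the destinations listed for Orion are illustrative, not SolarWinds’ actual documented endpoints), runs constructed egress log lines against it, and reports every connection the baseline does not explain. The avsvmcloud.com parent is the stage-1 domain named above; the random-looking leftmost labels in the log are made up to resemble the DGA-style subdomains.

```python
"""Baseline-vs-observed egress check (added example, not ExtraHop's or any
vendor's code).  BEHAVIOR_CSV imitates the kind of machine-readable
"behavior transparency" data the column proposes; its column layout is an
assumption, not a real vendor schema.  OBSERVED_LOG is constructed."""
import csv
import io
from dataclasses import dataclass

# Constructed vendor-published baseline.  Destinations are examples only;
# they are not SolarWinds' actual documented endpoints.
BEHAVIOR_CSV = """\
product,version,destination,port,purpose
SolarWinds Orion,2020.2.1,*.solarwinds.com,443,licensing and update checks
SolarWinds Orion,2020.2.1,*.thwack.com,443,community content
SolarWinds Orion,2019.4,downloads.solarwinds.com,443,hotfix downloads
"""

# Constructed egress log: "<timestamp> <source host> <destination> <port>".
# avsvmcloud.com is the stage-1 domain the column names; the leftmost labels
# are made up to resemble DGA subdomains.
OBSERVED_LOG = """\
2020-12-01T03:14:07Z orion-poller-01 downloads.solarwinds.com 443
2020-12-01T03:14:09Z orion-poller-01 api.solarwinds.com 443
2020-12-01T03:20:44Z orion-poller-01 02ab4gnf7xhl5s6imbeh4h7.appsync-api.eu-west-1.avsvmcloud.com 443
2020-12-01T03:21:02Z orion-poller-01 thwack.com 443
2020-12-01T04:05:13Z orion-poller-02 k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com 443
"""


@dataclass(frozen=True)
class Rule:
    """One expected destination. '*.example.com' means example.com or any host under it."""
    destination: str
    port: int
    purpose: str

    def matches(self, host: str, port: int) -> bool:
        if port != self.port:
            return False
        host = host.lower().rstrip(".")
        pattern = self.destination.lower()
        if pattern.startswith("*."):
            base = pattern[2:]
            # Suffix match on a label boundary, so "solarwinds.com.evil.example"
            # does not satisfy "*.solarwinds.com".
            return host == base or host.endswith("." + base)
        return host == pattern


def load_baseline(csv_text: str, product: str, version: str) -> list[Rule]:
    """Select the rules for exactly the product version that is deployed."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        Rule(row["destination"], int(row["port"]), row["purpose"])
        for row in reader
        if row["product"] == product and row["version"] == version
    ]


def parse_log(log_text: str):
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dest, port = line.split()
            yield ts, src, dest, int(port)


def find_deviations(log_text: str, rules: list[Rule]) -> list[dict]:
    """Every observed connection that no baseline rule explains."""
    return [
        {"time": ts, "source": src, "destination": dest, "port": port}
        for ts, src, dest, port in parse_log(log_text)
        if not any(rule.matches(dest, port) for rule in rules)
    ]


def parent_domain(host: str) -> str:
    """Drop the leftmost label so DGA-style hosts collapse onto one parent."""
    return host.split(".", 1)[1] if "." in host else host


def summarize(deviations: list[dict]) -> dict[str, int]:
    """Count deviations per parent domain for triage."""
    counts: dict[str, int] = {}
    for d in deviations:
        key = parent_domain(d["destination"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    rules = load_baseline(BEHAVIOR_CSV, "SolarWinds Orion", "2020.2.1")
    deviations = find_deviations(OBSERVED_LOG, rules)
    for d in deviations:
        print(f"{d['time']} {d['source']} -> {d['destination']}:{d['port']} not in baseline")
    print(summarize(deviations))
```

Two design points matter in practice. The baseline is selected by exact product version: running the same log against the constructed 2019.4 entry instead would flag api.solarwinds.com as a deviation, which is the stale-data false positive the feedback mechanism above is meant to catch. And deviations are rolled up by parent domain, so a run of never-before-seen hosts under appsync-api.eu-west-1.avsvmcloud.com surfaces as one finding rather than disappearing into the noise as dozens of unrelated one-offs. A vendor entry as broad as “*” would make the check worthless, so overly permissive wildcards in published data deserve the same scrutiny as missing entries.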

Likewise, a low-friction public feedback mechanism could have tipped off SolarWinds and the industry that what seemed like noise in isolation (“appsync-api, seems legit?”) was actually something far more nefarious.

The cyber executive order, alongside the sanctions on Russia, is a strong early indication that the Biden administration intends to take a far more proactive approach to cybersecurity. Critical to the success of these efforts will be the partnership the administration forges with private-sector technology providers. Establishing standards at the federal level for disclosures about software products will benefit cybersecurity in the private sector, as well as improve the overall security of the software supply chain.

#colonial-pipeline, #column, #computer-security, #cybercrime, #cybersecurity, #event-management, #extrahop, #government, #opinion, #russia, #security, #software-vendors, #solarwinds, #supply-chain-attack, #tc

Ukraine arrests ransomware gang in global cybercriminal crackdown

A chainlink fence separates us from fossil fuel tanks.

Enlarge / A Colonial Pipeline facility in Woodbridge, New Jersey. Hackers last month disrupted the pipeline supplying petroleum to much of the East Coast. (credit: Michael M. Santiago, Getty Images)

Ukrainian police have arrested members of a notorious ransomware gang that recently targeted American universities, as pressure mounts on global law enforcement to crack down on cybercriminals.

The Ukraine National Police said in a statement on Wednesday that it had worked with Interpol and the US and South Korean authorities to charge six members of the Ukraine-based Cl0p hacker group, which it claimed had inflicted a half-billion dollars in damages on victims based in the US and South Korea.

The move marks the first time that a national law enforcement agency has carried out mass arrests of a ransomware gang, adding to pressure on other countries to follow suit. Russia, a hub for ransomware gangs, has been blamed for harbouring cybercriminals by failing to prosecute or extradite them.

Read 9 remaining paragraphs | Comments

#biz-it, #cl0p, #cybercrime, #policy, #ransomware, #ukraine

Ukrainian police arrest multiple Clop ransomware gang suspects

Multiple suspects believed to be linked to the Clop ransomware gang have been detained in Ukraine after a joint operation from law enforcement agencies in Ukraine, South Korea, and the United States.

The Cyber Police Department of the National Police of Ukraine confirmed that six arrests were made after searches at 21 residences in the capital Kyiv and nearby regions. While it’s unclear whether the defendants are affiliates or core developers of the ransomware operation, they are accused of running a “double extortion” scheme, in which victims who refuse to pay the ransom are threatened with the leak of data stolen from their networks prior to their files being encrypted.

“It was established that six defendants carried out attacks of malicious software such as ‘ransomware’ on the servers of American and [South] Korean companies,” alleged Ukraine’s national police force in a statement.

The police also seized equipment from the alleged Clop ransomware gang, said to be behind total financial damages of about $500 million. This includes computer equipment, several cars (including a Tesla and a Mercedes), and 5 million Ukrainian hryvnia (around $185,000) in cash. The authorities also claim to have successfully shut down the server infrastructure used by the gang members to launch previous attacks.

“Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” the statement added.

These attacks first began in February 2019, when the group attacked four Korean companies and encrypted 810 internal services and personal computers. Since then, Clop, often styled as “Cl0p,” has been linked to a number of high-profile ransomware attacks. These include the breach of U.S. pharmaceutical giant ExecuPharm in April 2020 and the attack on South Korean e-commerce giant E-Land in November that forced the retailer to close almost half of its stores.

Clop is also linked to the ransomware attack and data breach at Accellion, which saw hackers exploit flaws in the IT provider’s File Transfer Appliance (FTA) software to steal data from dozens of its customers. Victims of this breach include Singaporean telecom Singtel, law firm Jones Day, grocery store chain Kroger, and cybersecurity firm Qualys.

At the time of writing, the dark web portal that Clop uses to share stolen data is still up and running, although it hasn’t been updated for several weeks. Law enforcement typically replaces a seized site with its own seizure notice after a successful takedown, and that has not happened here, which suggests that members of the gang could still be active.

“The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace, and technology,” said John Hultquist, vice president of analysis at Mandiant’s threat intelligence unit. “The actor FIN11 has been strongly associated with this operation, which has included both ransomware and extortion, but it is unclear if the arrests included FIN11 actors or others who may also be associated with the operation.”

Hultquist said the efforts of the Ukrainian police “are a reminder that the country is a strong partner for the U.S. in the fight against cybercrime and authorities there are making the effort to deny criminals a safe harbor.”

The alleged perpetrators face up to eight years in prison on charges of unauthorized interference in the work of computers, automated systems, computer networks, or telecommunications networks and laundering property obtained by criminal means.

News of the arrests comes as international law enforcement turns up the heat on ransomware gangs. Last week, the U.S. Department of Justice announced that it had seized most of the ransom paid to members of DarkSide by Colonial Pipeline.

#aerospace, #colonial-pipeline, #crime, #cybercrime, #e-commerce, #extortion, #government, #kroger, #law, #law-enforcement, #malware, #mandiant, #oil-and-gas, #pharmaceuticals, #qualys, #ransomware, #security, #security-breaches, #singtel, #south-korea, #telecommunications, #tesla, #ukraine, #united-states