Cybereason raises $275M at Series F, adds Steven Mnuchin to board

Cybereason, a US-Israeli late-stage cybersecurity startup that provides extended detection and response (XDR) services, has secured $275 million in Series F funding. 

The investment was led by Liberty Strategic Capital, a venture capital fund recently founded by Steven Mnuchin, who served as U.S. Treasury Secretary under the Trump administration. As part of the deal, Mnuchin will join Cybereason’s board of directors, along with Liberty advisor Gen. Joseph Dunford, who was chairman of the Joint Chiefs of Staff under Trump until his retirement in 2019.

Lior Div, CEO and co-founder of Cybereason, tells TechCrunch that the startup’s decision to work with Liberty Strategy Capital came down to the firm’s “massive network” and the “understanding of the financial and government markets that Mnuchin and Gen. Joseph Dunford bring to our team.”

“For example, the executive order on cybersecurity put out by the Biden Administration recommends that endpoint detection and response solutions be deployed on all endpoints,” Dior added. “This accelerates the importance of solutions like ours in the public market, and Liberty Strategic Capital has the relationships to help accelerate our go-to-market strategy in the federal sector.”

This round, which will be used to fuel “hypergrowth driven by strong market demand,” follows $389 million in prior funding from SoftBank, CRV, Spark Capital, and Lockheed Martin. The company didn’t state at what valuation it raised the funds, but it is estimated to be in the region of $3 billion.

Cybereason’s recent growth, which saw it end 2020 at over $120 million in annual recurring revenue, has been largely driven by its AI-powered platform. Unlike traditional alert-centric models, Cybereason’s Defense Platform is operation-centric, which means it exposes and remediates entire malicious operations. The service details the full attack story from root cause to impacted users and devices, which the company claims significantly reduces the time taken to investigate and recover from an enterprise-wide cyber attack. 

The company, whose competitors include the likes of BlackBerry-owned Cylance and CrowdStrike, also this week expanded its channel presence with the launch of its so-called Defenders League, a global program that enables channel partners to use its technology and services to help their customers prevent and recover from cyberattacks. Cybereason claims its technology has helped protect customers from the likes of the recent SolarWinds supply-chain attack and other high-profile ransomware attacks launched by DarkSide, REvil, and Conti groups. 

Today’s $275 million funding round is likely to be Cybereason’s last before it goes public. Div previously said in August 2019 the company planned to IPO within two years, though he wouldn’t be pressed on whether the company is gearing up to go public when asked by TechCrunch. However, the company did compare its latest investment to SentinelOne‘s November 2020 Series F round, which was secured just months before it filed for a $100 million IPO.

#artificial-intelligence, #biden-administration, #companies, #computing, #crowdstrike, #crv, #cybereason, #cylance, #donald-trump, #executive, #funding, #lockheed-martin, #neuberger-berman, #president, #security, #softbank, #softbank-group, #solarwinds, #spark-capital, #steve-mnuchin, #techcrunch, #united-states

Your boss might tell you the office is more secure, but it isn’t

For the past 18 months, employees have enjoyed increased flexibility, and ultimately a better work-life balance, as a result of the mass shift to remote working necessitated by the pandemic. Most don’t want this arrangement, which brought an end to extensive commutes and superfluous meetings, to end: Buffer’s 2021 State of Remote Work report shows over 97% of employees would like to continue working remotely at least some of the time.

Companies, including some of the biggest names in tech, appear to have a different outlook and are beginning to demand that staff start to return to the workplace.

While most of the reasoning around this shift back to the office centers around the need for collaboration and socialization, another reason your employer might say is that the office is more secure. After all, we’ve seen an unprecedented rise in cybersecurity threats during the pandemic, from phishing attacks using Covid as bait to ransomware attacks that have crippled entire organizations.

Tessian research shared with TechCrunch shows that while none of the attacks have been linked to staff working remotely, 56% of IT leaders believe their employees have picked up bad cybersecurity behaviors since working from home. Similarly, 70% of IT leaders believe staff will be more likely to follow company security policies around data protection and data privacy while working in the office.

“Despite the fact that this was an emerging issue prior to the pandemic I do believe many organizations will use security as an excuse to get people back into the office, and in doing so actually ignore the cyber risks they are already exposed to,” Matthew Gribben, a cybersecurity expert, and former GCHQ consultant, told TechCrunch.

“As we’ve just seen with the Colonial Pipeline attack, all it takes is one user account without MFA enabled to bring down your business, regardless of where the user is sat.”

Will Emmerson, CIO at Claromentis, has already witnessed some companies using cybersecurity as a ploy to accelerate the shift to in-person working. “Some organizations are already using cybersecurity as an excuse to get team members to get back into the office,” he says. “Often it’s large firms with legacy infrastructure that relies on a secure perimeter and that haven’t adopted a cloud-first approach.”

“All it takes is one user account without MFA enabled to bring down your business, regardless of where the user is sat.”
Matthew Gribben, former GCHQ consultant

The bigger companies can try to argue for a return to the traditional 9-to-5, but we’ve already seen a bunch of smaller startups embrace remote working as a permanent arrangement. Rather, it will be larger and more risk-averse companies, says Craig Hattersley, CTO of cybersecurity startup SOC.OC, a BAE Systems spin-off, tells TechCrunch, who “begrudgingly let their staff work at home throughout the pandemic, so will seize any opportunity to reverse their new policies.”

“Although I agree that some companies will use the increase of cybersecurity threats to demand their employees go back to the office, I think the size and type of organization will determine their approach,” he says. “A lack of direct visibility of individuals by senior management could lead to a fear that staff are not fully managed.”

While some organizations will use cybersecurity as an excuse to get employees back into the workplace, many believe the traditional office is no longer the most secure option. After all, not only have businesses overhauled cybersecurity measures to cater to dispersed workforces over the past year, but we’ve already seen hackers start to refocus their attention on those returning to the post-COVID office.

“There is no guarantee that where a person is physically located will change the trajectory of increasingly complex cybersecurity attacks, or that employees will show a reduction in mistakes because they are sitting within the walls of an office building,” says Dr. Margaret Cunningham, principal research scientist at Forcepoint.

Some businesses will attempt to get all staff back into the workplace, but this is simply no longer viable: as a result of 18 months of home-working, many employees have moved away from their employer, while others, having found themselves more productive and less distracted, will push back against five days of commutes every week. In fact, a recent study shows that almost 40% of U.S. workers would consider quitting if their bosses made them return to the office full time.

That means most employers will have to, whether they like it or not, embrace a hybrid approach going forward, whereby employees work from the office three days a week and spend two days at home, or vice versa.

This, in itself, makes the cybersecurity argument far less viable. Sam Curry, chief security officer at Cybereason, tells TechCrunch: “The new hybrid phase getting underway is unlike the other risks companies encountered.

“We went from working in the office to working from home and now it will be work-from-anywhere. Assume that all networks are compromised and take a least-trust perspective, constantly reducing inherent trust and incrementally improving. To paraphrase Voltaire, perfection is the enemy of good.”

#articles, #bae-systems, #cio, #computer-security, #cto, #cyberattack, #cybercrime, #cybereason, #cybersecurity-startup, #cyberwarfare, #data-security, #gchq, #malware, #security, #soc, #telecommuting, #united-states

Meet EventBot, a new Android malware that steals banking passwords and two-factor codes

Security researchers are sounding the alarm over a newly discovered Android malware that targets banking apps and cryptocurrency wallets.

The malware, which researchers at security firm Cybereason recently discovered and called EventBot, masquerades as a legitimate Android app — like Adobe Flash or Microsoft Word for Android — which abuses Android’s in-built accessibility features to obtain deep access to the device’s operating system.

Once installed — either by an unsuspecting user or by a malicious person with access to a victim’s phone — the EventBot-infected fake app quietly siphons off passwords for more than 200 banking and cryptocurrency apps — including PayPal, Coinbase, CapitalOne and HSBC — and intercepts and two-factor authentication text message codes.

With a victim’s password and two-factor code, the hackers can break into bank accounts, apps and wallets, and steal a victim’s funds.

“The developer behind Eventbot has invested a lot of time and resources into creating the code, and the level of sophistication and capabilities is really high,” Assaf Dahan, head of threat research at Cybereason, told TechCrunch.

The malware quietly records every tap and key press, and can read notifications from other installed apps, giving the hackers a window into what’s happening on a victim’s device.

Over time, the malware siphons off banking and cryptocurrency app passwords back to the hackers’ server.

The researchers said that EventBot remains a work in progress. Over a period of several weeks since its discovery in March, the researchers saw the malware iteratively update every few days to include new malicious features. At one point the malware’s creators improved the encryption scheme it uses to communicate with the hackers’ server, and included a new feature that can grab a user’s device lock code, likely to allow the malware to grant itself higher privileges to the victim’s device like payments and system settings.

But while the researchers are stumped as to who is behind the campaign, their research suggests the malware is brand new.

“Thus far, we haven’t observed clear cases of copy-paste or code reuse from other malware and it seems to have been written from scratch,” said Dahan.

Android malware is not new, but it’s on the rise. Hackers and malware operators have increasingly targeted mobile users because many device owners have their banking apps, social media, and other sensitive services on their device. Google has improved Android security in recent years by screening apps in its app store and proactively blocking third-party apps to cut down on malware — with mixed results. Many malicious apps have evaded Google’s detection.

Cybereason said it has not yet seen EventBot on Android’s app store or in active use in malware campaigns, limiting the exposure to potential victims — for now.

But the researchers said users should avoid untrusted apps from third-party sites and stores, many of which don’t screen their apps for malware.

#android, #capitalone, #computing, #cybereason, #encryption, #finance, #malware, #mobile-malware, #operating-system, #operating-systems, #security, #security-breaches, #social-media

Hackers are targeting other hackers by infecting their tools with malware

A newly discovered malware campaign suggests that hackers have themselves become the targets of other hackers, who are infecting and repackaging popular hacking tools with malware.

Cybereason’s Amit Serper found that the attackers in this years-long campaign are taking existing hacking tools — some of which are designed to exfiltrate data from a database through to cracks and product key generators that unlock full versions of trial software — and injecting a powerful remote-access trojan. When the tools are opened, the hackers gain full access to the target’s computer.

Serper said the attackers are “baiting” other hackers by posting the repackaged tools on hacking forums.

But it’s not just a case of hackers targeting other hackers, Serper told TechCrunch. These maliciously repackaged tools are not only opening a backdoor to the hacker’s systems, but also any system that the hacker has already breached.

“If hackers are targeting you or your business and they are using these trojanized tools it means that whoever is hacking the hackers will have access to your assets as well,” Serper said.

That includes offensive security researchers working on red team engagements, he said.

Serper found that these as-yet-unknown attackers are injecting and repackaging the hacking tools with njRat, a powerful trojan, which gives the attacker full access to the target’s desktop, including files, passwords, and even access to their webcam and microphone. The trojan dates back to at least 2013 when it was used frequently against targets in the Middle East. njRat often spreads through phishing emails and infected flash drives, but more recently hackers have injected the malware on dormant or insecure websites in an effort to evade detection. In 2017, hackers used this same tactic to host malware on the website for the so-called Islamic State’s propaganda unit.

Serper found the attackers were using that same website-hacking technique to host njRat in this most recent campaign.

According to his findings, the attackers compromised several websites — unbeknownst to their owners — to host hundreds of njRat malware samples, as well as the infrastructure used by the attackers to command and control the malware. Serper said that the process of injecting the njRat trojan into the hacking tools occurs almost daily and may be automated, suggesting that the attacks are run largely without direct human interaction.

It’s unclear for what reason this campaign exists or who is behind it.

#computer-security, #computing, #cybercrime, #cybereason, #identity-theft, #malware, #phishing, #security, #security-breaches, #trojan-horse