The Cybersecurity and Infrastructure Security Agency has launched a vulnerability disclosure program allowing ethical hackers to report security flaws to federal agencies.
The platform, launched with the help of cybersecurity companies Bugcrowd and Endyna, will allow civilian federal agencies to receive, triage and fix security vulnerabilities from the wider security community.
The move to launch the platform comes less than a year after the federal cybersecurity agency, better known as CISA, directed the civilian federal agencies that it oversees to develop and publish their own vulnerability disclosure policies. These policies are designed to set the rules of engagement for security researchers by outlining what (and how) online systems can be tested, and which can’t be.
It’s not uncommon for private companies to run VDPs to allow hackers to report bugs, often in conjunction with a bug bounty that pays hackers for their work. While the U.S. Department of Defense has for years warmed to hackers, the civilian federal government has been slow to adopt the practice.
Bugcrowd, which last year raised $30 million at Series D, said the platform will “give agencies access to the same commercial technologies, world-class expertise, and global community of helpful ethical hackers currently used to identify security gaps for enterprise businesses.”
The platform will also help CISA share information about security flaws between other agencies.
The platform launches after a bruising few months for government cybersecurity, including a Russian-led espionage campaign against at least nine U.S. federal government agencies by hacking software house SolarWinds, and a China-linked cyberattack that backdoored thousands of Microsoft Exchange servers, including in the federal government.
When it comes to meeting compliance standards, many startups are dominating the alphabet. From GDPR and CCPA to SOC 2, ISO27001, PCI DSS and HIPAA, companies have been charging toward meeting the compliance standards required to operate their businesses.
Today, every healthcare founder knows their product must meet HIPAA compliance, and any company working in the consumer space would be well aware of GDPR, for example.
But a mistake many high-growth companies make is to treat compliance as a catchall phrase that includes security. Thinking so can be an expensive and painful error. In reality, compliance means that a company meets a minimum set of controls. Security, on the other hand, encompasses a broad range of best practices and software that help address the risks associated with the company’s operations.
It makes sense that startups want to tackle compliance first. Being compliant plays a big role in any company’s geographical expansion to regulated markets and in its penetration to new industries like finance or healthcare. So in many ways, achieving compliance is a part of a startup’s go-to-market kit. And indeed, enterprise buyers expect startups to check the compliance box before signing on as their customer, so startups are rightfully aligning around their buyers’ expectations.
With all of this in mind, it’s not surprising that we’ve witnessed a trend where startups achieve compliance from the very early days and often prioritize this motion over developing an exciting feature or launching a new campaign to bring in leads, for instance.
Compliance is an important milestone for a young company and one that moves the cybersecurity industry forward. It forces startup founders to put security hats on and think about protecting their company, as well as their customers. At the same time, compliance provides comfort to the enterprise buyer’s legal and security teams when engaging with emerging vendors. So why is compliance alone not enough?
First, compliance doesn’t mean security (although it is a step in the right direction). More often than not, young companies are compliant while remaining vulnerable in their security posture.
What does that look like? For example, a software company may have met SOC 2 controls that require all employees to install endpoint protection on their devices, but it may have no way to enforce that employees actually activate and update the software. Furthermore, the company may lack a centrally managed tool for monitoring and reporting that would show whether any endpoint has been compromised, where, on whose device and how. And, finally, the company may lack the expertise to respond quickly to a breach or attack and remediate it.
Therefore, although compliance standards are met, several security flaws remain. The end result is that startups can suffer security breaches that end up costing them a bundle. For companies with under 500 employees, the average security breach costs an estimated $7.7 million, according to a study by IBM, not to mention the brand damage and lost trust from existing and potential customers.
Second, an unforeseen danger for startups is that compliance can create a false sense of safety. Receiving a compliance certificate from objective auditors and renowned organizations could give the impression that the security front is covered.
Once startups start gaining traction and signing upmarket customers, that sense of security grows: if the startup managed to acquire security-minded customers from the Fortune 500, being compliant must be enough for now, and the startup is probably secure by association. When charging after enterprise deals, it’s the buyer’s expectations that push startups to achieve SOC 2 or ISO27001 compliance to satisfy the enterprise security threshold. But in many cases, enterprise buyers don’t ask sophisticated questions or go deeper into understanding the risk a vendor brings, so startups are never really called to task on their security systems.
Third, compliance only deals with a defined set of knowns. It doesn’t cover anything that is unknown or new since the last version of the requirements was written.
For example, APIs are growing in use, but regulations and compliance standards have yet to catch up with the trend. So an e-commerce company must be PCI-DSS compliant to accept credit card payments, but it may also expose multiple APIs that have weak authentication or business logic flaws. When the PCI standard was first written, APIs weren’t common, so they aren’t addressed in its requirements, yet now most fintech companies rely heavily on them. So a merchant may be PCI-DSS compliant but use insecure APIs, potentially exposing customers to credit card breaches.
Startups are not to blame for the mix-up between compliance and security. It is difficult for any company to be both compliant and secure, and for startups with limited budget, time or security know-how, it’s especially challenging. In a perfect world, startups would be both compliant and secure from the get-go, but it’s not realistic to expect early-stage companies to spend millions of dollars on bulletproofing their security infrastructure. There are, however, some things startups can do to become more secure.
One of the best ways startups can begin tackling security is with an early security hire. This team member might seem like a “nice to have” that you could put off until the company reaches a major headcount or revenue milestone, but I would argue that a head of security is a key early hire because this person’s job will be to focus entirely on analyzing threats and identifying, deploying and monitoring security practices. Additionally, startups would benefit from ensuring their technical teams are security-savvy and keep security top of mind when designing products and offerings.
Another tactic startups can take to bolster their security is to deploy the right tools. The good news is that startups can do so without breaking the bank; there are many security companies offering open-source, free or relatively affordable versions of their solutions for emerging companies to use, including Snyk, Auth0, HashiCorp, CrowdStrike and Cloudflare.
A full security rollout would include software and best practices for identity and access management, infrastructure, application development, resiliency and governance, but most startups are unlikely to have the time and budget necessary to deploy all pillars of a robust security infrastructure.
Luckily, there are resources like Security 4 Startups that offer a free, open-source framework for startups to figure out what to do first. The guide helps founders identify and solve the most common and important security challenges at every stage, providing a list of entry-level solutions as a solid start to building a long-term security program. In addition, compliance automation tools can help with continuous monitoring to ensure these controls stay in place.
For startups, compliance is critical for establishing trust with partners and customers. But if this trust is eroded after a security incident, it will be nearly impossible to regain it. Being secure, not only compliant, will help startups take trust to a whole other level and not only boost market momentum, but also make sure their products are here to stay.
So instead of equating compliance with security, I suggest expanding the equation to consider that compliance and security equal trust. And trust equals business success and longevity.
APIs make the world go round in tech, but that also makes them a prime target for bad actors: as doorways into huge data troves and services, malicious hackers spend a lot of time looking for ways to pick their locks, or just force them open when they’re closed, in order to access that information. And a lot of recent security breaches stemming from API vulnerabilities (see here, here, and here for just a few) show just how real and current the problem is.
Today, a company that’s building a network of services to help those using and producing APIs to identify and eradicate those risks is announcing a round of funding to meet a growing demand for its services. Salt Security, which provides AI-based technology to identify issues and stop attacks across the whole of your API library, has closed $70 million in funding, money that it will be using both to meet current demand but also continue building out its technology for a wider set of services and use cases for API management.
The funding is being led by Advent International, by way of Advent Tech, with Alkeon Capital, DFJ Growth and previous backers Sequoia Capital, Tenaya Capital, S Capital VC, and Y Combinator all also participating.
Salt, founded in Israel and now active globally, is not disclosing its valuation, but I understand from a reliable source that it is in the region of $600-700 million.
As with many of the funding rounds that seem to be getting announced these days, this one is coming on the heels of both another recent round, as well as strong growth. Salt has raised $131 million since 2016, but nearly all of that — $120 million, to be exact — has been raised in the last year.
Part of the reason for that is Salt’s performance: in the last 12 months, it’s seen revenue grow 400% — with customers including a range of Fortune 500 and other large businesses in the financial services, retail and SaaS sectors like Equinix, Finastra, TripActions, Armis, and DeinDeal; headcount grow 160%; and, perhaps most importantly, API traffic on its network grow 380%.
That growth in API traffic underscores the issue that Salt is tackling. Companies these days use a variety of APIs, some private, some public, in their tech stack as a way to interface with other businesses and run their services. APIs are a huge part of how the internet and digital services operate, with Akamai estimating that as much as 83% of all web traffic is API traffic.
The problem, Roey Eliyahu, CEO and co-founder of Salt Security told me, is that this usage has outpaced how well many manage those APIs.
“How APIs have evolved is very different to how developers used APIs years ago,” he said. “Before, there were very few, and you could say they were more manageable, and they contained less sensitive data, and there were very few changes and updates made to them,” he said. “Today with the pace of development, not only are they always getting updated, but you have thousands of them now touching crown jewels of the company.”
This has made them a prime target for malicious hackers. Eliyahu notes Gartner stats that predict that by 2022, APIs will make up the largest attack vector in cybercrime.
Salt’s approach starts with taking stock of a whole network and doing a kind of spring clean to find all the APIs that might be used or abused.
“Companies don’t know how many APIs they even have,” Eliyahu said, noting that some 40%-80% of the APIs a typical company has deployed are not even in active operation, lying there as “shadow APIs” for someone to pick up and misuse.
It then looks at what vulnerabilities might inadvertently be contained in this mix and makes suggestions for how to alter them to fix that. After this, it also monitors how they are used in order to stop attacks as they happen. The third of these also involves remediation “insights”, but carrying out the remediation is done by third parties at the moment, Eliyahu said. All of this is done through Salt’s automated, AI-based, flagship Salt Security API Protection Platform.
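The first step described above, taking inventory of every API that is actually reachable and comparing it against what the organization thinks it has, can be started from ordinary access logs. The following is an added example written for this page, not Salt Security’s code, and it does not represent how Salt’s platform works internally. It assumes a hypothetical log format ("client-ip METHOD path status") and a declared endpoint list of the kind you would extract from an OpenAPI spec; both the log lines and the spec are constructed for the example. Path segments that look like numeric or UUID identifiers are collapsed to `{id}` so that calls to different records map to the same endpoint template, and the result is split into live-but-undocumented endpoints (shadow APIs) and declared-but-idle endpoints (dormant APIs, the ones the 40%-80% figure above is about).

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample access-log lines (hypothetical; not from any real system).
// Assumed format: "<client-ip> <METHOD> <path> <status>".
var sampleLog = []string{
	"10.0.0.5 GET /api/v1/users/1042 200",
	"10.0.0.5 GET /api/v1/users/1043 200",
	"10.0.0.9 POST /api/v1/orders 201",
	"10.0.0.9 GET /api/v1/orders/7f3c2a10-9b1e-4d6a-8c2e-2b1f3a4d5e6f 200",
	"10.0.0.7 GET /api/v1/users/1042/export 200", // live but undocumented: shadow
	"10.0.0.7 GET /internal/debug/config 200",    // live but undocumented: shadow
	"10.0.0.8 DELETE /api/v1/users/1043 403",
}

// Declared endpoints, as you would pull them from an OpenAPI spec (constructed here).
var declared = []string{
	"GET /api/v1/users/{id}",
	"DELETE /api/v1/users/{id}",
	"POST /api/v1/orders",
	"GET /api/v1/orders/{id}",
	"GET /api/v1/reports", // declared but never observed: dormant
}

var (
	numericSeg = regexp.MustCompile(`^[0-9]+$`)
	uuidSeg    = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)
)

// normalizePath collapses identifier-like path segments to {id} so that
// /users/1042 and /users/1043 map to the same endpoint template.
func normalizePath(p string) string {
	parts := strings.Split(p, "/")
	for i, seg := range parts {
		if numericSeg.MatchString(seg) || uuidSeg.MatchString(seg) {
			parts[i] = "{id}"
		}
	}
	return strings.Join(parts, "/")
}

// Inventory builds a map of "METHOD template" to request count from raw log lines.
func Inventory(lines []string) map[string]int {
	inv := make(map[string]int)
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue // malformed line: skip rather than guess
		}
		inv[f[1]+" "+normalizePath(f[2])]++
	}
	return inv
}

// Compare returns observed endpoints missing from the declared spec (shadow)
// and declared endpoints with no observed traffic (dormant), both sorted.
func Compare(inv map[string]int, spec []string) (shadow, dormant []string) {
	declaredSet := make(map[string]bool, len(spec))
	for _, s := range spec {
		declaredSet[s] = true
	}
	for ep := range inv {
		if !declaredSet[ep] {
			shadow = append(shadow, ep)
		}
	}
	for ep := range declaredSet {
		if _, seen := inv[ep]; !seen {
			dormant = append(dormant, ep)
		}
	}
	sort.Strings(shadow)
	sort.Strings(dormant)
	return shadow, dormant
}

func main() {
	inv := Inventory(sampleLog)
	shadow, dormant := Compare(inv, declared)
	fmt.Printf("%d distinct endpoints observed\n", len(inv))
	fmt.Println("shadow (live but undocumented):", shadow)
	fmt.Println("dormant (declared but no traffic):", dormant)
}
```

In practice the inventory would be fed from a gateway or load balancer log stream rather than a slice literal, and the normalization rules would be extended for whatever identifier formats your services use; the comparison logic stays the same. Shadow endpoints are the ones to chase first, since nobody is reviewing their authentication or input handling, while dormant ones are candidates for removal so they cannot be "picked up and misused" later.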
There are a number of competitors in the same space as Salt, including Ping, and newer players like Imvision and 42Crunch (which raised funding earlier this month), and the list is likely to grow as not just other API management companies get deeper into this huge space, but cybersecurity companies do, too.
“The rapid proliferation of APIs has dramatically altered the attack surface of applications, creating a major challenge for large enterprises since existing security mechanisms cannot protect against this new threat,” said Bryan Taylor, managing partner and head of Advent’s technology team, in a statement. “We continue to see API security incidents make the news headlines and cause significant reputational risk for companies. As we investigated the API security market, Salt stood out for its multi-year technical lead, significant customer traction and references, and talented team. We look forward to drawing on our deep experience in this sector to partner with Salt in this exciting new chapter.”
Australian security software house Click Studios has told customers not to post emails sent by the company about its data breach, which allowed malicious hackers to push a malicious update to its flagship enterprise password manager Passwordstate to steal customer passwords.
Last week, the company told customers to “commence resetting all passwords” stored in its flagship password manager after the hackers pushed the malicious update to customers over a 28-hour window between April 20-22. The malicious update was designed to contact the attacker’s servers to retrieve malware designed to steal and send the password manager’s contents back to the attackers.
In an email to customers, Click Studios did not say how the attackers compromised the password manager’s update feature, but included a link to a security fix.
But news of the breach only became public after Danish cybersecurity firm CSIS Group published a blog post with details of the attack hours after Click Studios emailed its customers.
Click Studios claims Passwordstate is used by “more than 29,000 customers,” including in the Fortune 500, government, banking, defense and aerospace, and most major industries.
In a Wednesday advisory posted on its website, Click Studios said that customers are “requested not to post Click Studios correspondence on Social Media.” The advisory adds: “It is expected that the bad actor is actively monitoring Social Media, looking for information they can use to their advantage, for related attacks.”
“It is expected the bad actor is actively monitoring social media for information on the compromise and exploit. It is important customers do not post information on Social Media that can be used by the bad actor. This has happened with phishing emails being sent that replicate Click Studios email content,” the company said.
Besides a handful of advisories published by the company since the breach was discovered, the company has refused to comment or respond to questions.
It’s also not clear if the company has disclosed the breach to U.S. and EU authorities where the company has customers, but where data breach notification rules obligate companies to disclose incidents. Companies can be fined up to 4% of their annual global revenue for falling foul of Europe’s GDPR rules.
Click Studios chief executive Mark Sandford has not responded to repeated requests (from TechCrunch) for comment. Instead, TechCrunch received the same canned autoresponse from the company’s support email saying that the company’s staff are “focused only on assisting customers technically.”
TechCrunch emailed Sandford again on Thursday for comment on the latest advisory, but did not hear back.
Click Studios, the Australian software house that develops the enterprise password manager Passwordstate, has warned customers to reset passwords across their organizations after a cyberattack on the password manager.
An email sent by Click Studios to customers said the company had confirmed that attackers had “compromised” the password manager’s software update feature in order to steal customer passwords.
The email, posted on Twitter by Polish news site Niebezpiecznik early on Friday, said the malicious update exposed Passwordstate customers over a 28-hour window between April 20-22. Once installed, the malicious update contacts the attacker’s servers to retrieve malware designed to steal and send the password manager’s contents back to the attackers. The email also told customers to “commence resetting all passwords contained within Passwordstate.”
The PasswordState password manager has been hacked and customers’ computers infected.
The vendor is informing victims by email.
This password manager is an “enterprise” one, so the problem will mostly affect companies… Ouch!
(Tip from Mysterious Pedro) pic.twitter.com/PGHhmEKpje
— Niebezpiecznik (@niebezpiecznik) April 23, 2021
Click Studios did not say how the attackers compromised the password manager’s update feature, but emailed customers with a security fix.
The company also said the attackers’ servers were taken down on April 22. But Passwordstate users could still be at risk if the attackers are able to bring their infrastructure back online.
Enterprise password managers let employees at companies share passwords and other sensitive secrets across their organization, such as network devices — including firewalls and VPNs, shared email accounts, internal databases, and social media accounts. Click Studios claims Passwordstate is used by “more than 29,000 customers,” including in the Fortune 500, government, banking, defense and aerospace, and most major industries.
Although affected customers were notified this morning, news of the breach only became widely known several hours later after Danish cybersecurity firm CSIS Group published a blog post with details of the attack.
Click Studios chief executive Mark Sandford did not respond to a request for comment outside Australian business hours.
With the increase of digital transacting over the past year, cybercriminals have been having a field day.
In 2020, complaints of suspected internet crime surged by 61%, to 791,790, according to the FBI’s 2020 Internet Crime Report. Those crimes — ranging from personal and corporate data breaches to credit card fraud, phishing and identity theft — cost victims more than $4.2 billion.
For companies like Sift — which aims to predict and prevent fraud online even more quickly than cybercriminals adopt new tactics — that increase in crime also led to an increase in business.
Last year, the San Francisco-based company assessed risk on more than $250 billion in transactions, double what it did in 2019. The company has several hundred customers, including Twitter, Airbnb, Twilio, DoorDash, Wayfair and McDonald’s, as well as a global data network of 70 billion events per month.
To meet the surge in demand, Sift said today it has raised $50 million in a funding round that values the company at over $1 billion. Insight Partners led the financing, which included participation from Union Square Ventures and Stripes.
While the company would not reveal hard revenue figures, President and CEO Marc Olesen said that business has tripled since he joined the company in June 2018. Sift was founded out of Y Combinator in 2011, and has raised a total of $157 million over its lifetime.
The company’s “Digital Trust & Safety” platform aims to help merchants not only fight all types of internet fraud and abuse, but to also “reduce friction” for legitimate customers. There’s a fine line apparently between looking out for a merchant and upsetting a customer who is legitimately trying to conduct a transaction.
Sift uses machine learning and artificial intelligence to automatically surmise whether an attempted transaction or interaction with a business online is authentic or potentially problematic.
One of the things the company has discovered is that fraudsters are often not working alone.
“Fraud vectors are no longer siloed. They are highly innovative and often working in concert,” Olesen said. “We’ve uncovered a number of fraud rings.”
Olesen shared a couple of examples of how the company thwarted fraud incidents last year. One recently involved money laundering through donation sites where fraudsters tested stolen debit and credit cards through fake donation sites at guest checkout.
“By making small donations to themselves, they laundered that money and at the same time tested the validity of the stolen cards so they could use them on another site with significantly higher purchases,” he said.
In another case, the company uncovered fraudsters using Telegram, a social media site, to make services available, such as food delivery, with stolen credentials.
The data that Sift has accumulated since its inception helps the company “act as the central nervous system for fraud teams.” Sift says that its models become more intelligent with every customer that it integrates.
Insight Partners Managing Director Jeff Lieberman, who is a Sift board member, said his firm initially invested in Sift in 2016 because even at that time, it was clear that online fraud was “rapidly growing.” It was growing not just in dollar amounts, he said, but in the number of methods cybercriminals used to steal from consumers and businesses.
“Sift has a novel approach to fighting fraud that combines massive data sets with machine learning, and it has a track record of proving its value for hundreds of online businesses,” he wrote via email.
When Olesen and the Sift team started the recent process of fundraising, Insight actually approached them before they started talking to outside investors “because both the product and business fundamentals are so strong, and the growth opportunity is massive,” Lieberman added.
“With more businesses heavily investing in online channels, nearly every one of them needs a solution that can intelligently weed out fraud while ensuring a seamless experience for the 99% of transactions or actions that are legitimate,” he wrote.
The company plans to use its new capital primarily to expand its product portfolio and to scale its product, engineering and sales teams.
Sift also recently tapped Eu-Gene Sung — who has worked in financial leadership roles at Integral Ad Science, BSE Global and McCann — to serve as its CFO.
As to whether or not that meant an IPO is in Sift’s future, Olesen said that Sung’s experience of taking companies through a growth phase such as what Sift is experiencing would be valuable. The company is also for the first time looking to potentially do some M&A.
“When we think about expanding our portfolio, it’s really a buy/build partner approach,” Olesen said.
The Internet of Things has a security problem. The past decade has seen wave after wave of new internet-connected devices, from sensors through to webcams and smart home tech, often manufactured in bulk but with little — if any — consideration to security. Worse, many device manufacturers make no effort to fix security flaws, while others simply leave out the software update mechanisms needed to deliver patches altogether.
That leaves an entire swath of insecure and unpatchable devices destined to be thrown out when they break down or, inevitably, get hacked.
Security veteran Window Snyder thinks there is a better way. Her new startup, Thistle Technologies, is backed with $2.5 million in seed funding from True Ventures with the goal of helping IoT manufacturers reliably and securely deliver software updates to their devices.
Snyder founded Thistle last year, and named it after the flowering plant with sharp prickles designed to deter animals from eating them. “It’s a defense mechanism,” Snyder told TechCrunch, a name that’s fitting for a defensive technology company. The startup aims to help device manufacturers without the personnel or resources to integrate update mechanisms into their device’s software in order to receive security updates and better defend against security threats.
“We’re building the means so that they don’t have to do it themselves. They want to spend the time building customer-facing features anyway,” said Snyder. Prior to founding Thistle, Snyder worked in senior cybersecurity positions at Apple, Intel, and Microsoft, and also served as chief security officer at Mozilla, Square, and Fastly.
Thistle lands on the security scene at a time when IoT needs it most. Botnet operators are known to scan the internet for devices with weak default passwords and hijack their internet connections to pummel victims with floods of internet traffic, knocking entire websites and networks offline. In 2016, a record-breaking distributed denial-of-service attack launched by the Mirai botnet on internet infrastructure giant Dyn knocked some of the biggest websites — Shopify, SoundCloud, Spotify, Twitter — offline for hours. Mirai had ensnared thousands of IoT devices into its network at the time of the attack.
Other malicious hackers target IoT devices as a way to get a foot into a victim’s network, allowing them to launch attacks or plant malware from the inside.
Since device manufacturers have done little to solve these security problems themselves, lawmakers are looking at legislating to curb some of the more egregious security mistakes manufacturers make, like using default (and often unchangeable) passwords and selling devices with no way to deliver security updates.
Snyder said the push to introduce IoT cybersecurity laws could be “an easy way for folks to get into compliance” without having to hire fleets of security engineers. Having an update mechanism in place also helps keep IoT devices around for longer, potentially for years longer, simply by being able to push fixes and new features.
“To build the infrastructure that’s going to allow you to continue to make those devices resilient and deliver new functionality through software, that’s an incredible opportunity for these device manufacturers. And so I’m building a security infrastructure company to support those security needs,” she said.
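Two passages on this page concern the same control from opposite sides: the Passwordstate incident above, where a compromised update channel delivered a malicious update to customers, and Thistle’s goal of giving device makers a reliable, secure update mechanism. The common requirement is that a device accept an update only if a manifest signed by the vendor vouches for the exact payload bytes and the version is newer than what is installed, so that an attacker who controls the distribution channel but not the signing key cannot substitute their own payload or roll a device back to a vulnerable release. The following is an added example written for this page, not Click Studios’ or Thistle’s code, and it says nothing about how either product actually works. The manifest layout and the scenario names are assumptions for the example; the payloads are constructed strings standing in for firmware images.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is the signed description of an update. The layout is hypothetical.
type Manifest struct {
	Version    uint64
	PayloadSHA [32]byte
}

// Encode produces the exact bytes that are signed: a fixed-width big-endian
// version followed by the payload digest, so there is no parsing ambiguity.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 8+32)
	for i := 0; i < 8; i++ {
		buf[i] = byte(m.Version >> (56 - 8*uint(i)))
	}
	copy(buf[8:], m.PayloadSHA[:])
	return buf
}

// SignUpdate runs on the vendor's build system: hash the payload, sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, version uint64, payload []byte) (Manifest, []byte) {
	m := Manifest{Version: version, PayloadSHA: sha256.Sum256(payload)}
	return m, ed25519.Sign(priv, m.Encode())
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version not newer than installed")
	ErrPayloadHash  = errors.New("payload digest does not match manifest")
)

// VerifyUpdate runs on the device with a pinned vendor public key. Order matters:
// reject forged manifests before trusting anything they say about the payload.
func VerifyUpdate(pub ed25519.PublicKey, installed uint64, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return ErrPayloadHash
	}
	return nil
}

// Scenarios returns the verification outcome for the cases a device must handle.
func Scenarios() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("firmware v2 image (constructed)")
	m, sig := SignUpdate(priv, 2, payload)
	out := map[string]error{}

	out["genuine"] = VerifyUpdate(pub, 1, m, sig, payload)

	// Channel attacker swaps bytes in the payload but cannot touch the manifest.
	tampered := append([]byte(nil), payload...)
	tampered[0] ^= 0xff
	out["tampered-payload"] = VerifyUpdate(pub, 1, m, sig, tampered)

	// Channel attacker re-points the manifest at their own payload and replays
	// the old signature; without the signing key the signature no longer matches.
	evil := []byte("malware (constructed)")
	forged := Manifest{Version: 3, PayloadSHA: sha256.Sum256(evil)}
	out["forged-manifest"] = VerifyUpdate(pub, 1, forged, sig, evil)

	// A genuine but older (or equal) release served to an already-updated device.
	out["rollback"] = VerifyUpdate(pub, 2, m, sig, payload)
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-17s -> %v\n", name, err)
	}
}
```

The public key has to be provisioned on the device at manufacture (ideally in read-only or hardware-protected storage) and the private key kept off the build servers that an attacker can reach, otherwise the check collapses to trusting whoever controls the update server, which is exactly the failure mode in the Passwordstate case.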
With the seed round in the bank, Snyder said the company is focused on hiring device and back-end engineers, product managers, and building new partnerships with device manufacturers.
Phil Black, co-founder of True Ventures — Thistle’s seed round investor — described the company as “an astute and natural next step in security technologies.” He added: “Window has so many of the qualities we look for in founders. She has deep domain expertise, is highly respected within the security community, and she’s driven by a deep passion to evolve her industry.”
If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.
Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.
Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes, and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.
Credentials are supposed to be the front gates of the castle, but because the SOC has failed to change, it is failing to detect. The cybersecurity industry must rethink its strategy, analyze how credentials are used and stop breaches before they become bigger problems.
Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the mid-pandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.
It only takes one compromised account for an attacker to get into Active Directory and create their own credentials. In such an environment, all user accounts should be considered potentially compromised.
Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. One of the most effective and commonly used techniques is credential stuffing, in which adversaries replay username and password pairs leaked from one breach against other services; once a pair works, they break in, exploit the environment, then move laterally to gain higher-level access.
If you think cyberattacks are scary, what if those attacks were directed at your cardiac pacemaker? Medtronic, a medical device company, has been in hot water over the last couple of years because its pacemakers were found to be exposed to attack through the internet-based systems used to update their software. But in a new partnership with Sternum, an IoT cybersecurity startup based in Israel, Medtronic has focused on resolving the issue.
The problem was not with the medical devices themselves, but with the remote systems used to update the devices. Medtronic’s previous solution was to disconnect the devices from the internet, which in and of itself can cause other issues to arise.
“Medtronic was looking for a long-term solution that can help them with future developments,” said Natali Tshuva, Sternum’s founder and CEO. The company has already secured about 100,000 Medtronic devices.
Sternum’s solution allows medical devices to protect themselves in real-time.
“There’s this endless race against vulnerability, so when a company discovers a vulnerability, they need to issue an update, but updating can be very difficult in the medical space, and until the update happens, the devices are vulnerable,” Tshuva told TechCrunch. “Therefore, we created an autonomous security that operates from within the device that can protect it without the need to update and patch vulnerabilities.”
However, it is easier to protect new devices than to go back and protect legacy devices. Over the years hackers have gotten more and more sophisticated, so medical device companies have had to figure out how to protect the devices that are already out there.
“The market already has millions — perhaps billions — of medical devices connected, and that could be a security and management nightmare,” Tshuva added.
In addition to potentially doing harm to an individual, hackers have been taking advantage of device vulnerability as the gateway of choice into a hospital’s network, possibly causing a breach that can affect many more people. Tshuva explained that hospital networks are secured from the inside out, but devices that connect to the networks but are not protected can create a way in.
In fact, health systems have been known to experience the most data breaches out of any sector, accounting for 79% of all reported breaches in 2020. And in the first 10 months of last year, we saw a 45% increase in cyberattacks on health systems, according to data by Health IT Security.
In addition to Sternum’s partnership with Medtronic, the company also launched this week an IoT platform that allows “devices to protect themselves, even when they are not connected to the internet,” Tshuva said.
Sternum, which raised about $10 million to date, also offers cybersecurity for IoT devices outside of healthcare, and according to Tshuva, the company focuses on areas that are “mission-critical.” Examples include railroad infrastructure sensors and management systems, and power grids.
Tshuva, who grew up in Israel, holds a master’s in computer science and worked for the Israeli Defense Force’s 8200 unit — similar to the U.S.’s National Security Alliance. She said she always wanted to make an impact in the medical field. “I looked to combine the medical space with my life, and I realized I could have an impact on remote care devices,” she said.
A court in Houston has authorized an FBI operation to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously undiscovered vulnerabilities to attack thousands of networks.
The Justice Department announced the operation on Tuesday, which it described as “successful.”
In March, Microsoft discovered a new China state-sponsored hacking group — Hafnium — targeting Exchange servers run from company networks. The four vulnerabilities, when chained together, allowed the hackers to break into a vulnerable Exchange server and steal its contents. Microsoft fixed the vulnerabilities, but the patches did not close the backdoors on the servers that had already been breached. Within days, other hacking groups began hitting vulnerable servers with the same flaws to deploy ransomware.
The number of infected servers dropped as patches were applied. But hundreds of Exchange servers remained vulnerable because the backdoors are difficult to find and eliminate, the Justice Department said in a statement.
“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks,” the statement said. “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”
The FBI said it’s attempting to inform owners via email of servers from which it removed the backdoors.
Assistant attorney general John C. Demers said the operation “demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions.”
The Justice Department also said the operation only removed the backdoors, but did not patch the vulnerabilities exploited by the hackers to begin with or remove any malware left behind.
It’s believed this is the first known case of the FBI effectively cleaning up private networks following a cyberattack. In 2016, the Supreme Court moved to allow U.S. judges to issue search and seizure warrants outside of their district. Critics opposed the move at the time, fearing the FBI could ask a friendly court to authorize cyber-operations anywhere in the world.
Other countries, like France, have used similar powers before to hijack a botnet and remotely shut it down.
Neither the FBI nor the Justice Department commented by press time.
President Biden has named two former National Security Agency veterans to senior government cybersecurity positions, including the first national cyber director.
The appointments, announced Monday, land after the discovery of two cyberattacks linked to foreign governments earlier this year — the Russian espionage campaign that planted backdoors in U.S. technology giant SolarWinds’ technology to hack into at least nine federal agencies, and the mass exploitation of Microsoft Exchange servers linked to hackers backed by China.
Jen Easterly, a former NSA official under the Obama administration who helped to launch U.S. Cyber Command, has been nominated as the new head of CISA, the cybersecurity advisory unit housed under Homeland Security. CISA has been without a head for six months after then-President Trump fired former director Chris Krebs, whom Trump appointed to lead the agency in 2018, for disputing Trump’s false claims of election hacking.
Biden has also named former NSA deputy director John “Chris” Inglis as national cyber director, a new position created by Congress late last year to be housed in the White House, charged with overseeing the defense and cybersecurity budgets of civilian agencies.
Inglis is expected to work closely with Anne Neuberger, who in January was appointed as the deputy national security adviser for cyber on the National Security Council. Neuberger, a former NSA executive and its first director of cybersecurity, was tasked with leading the government’s response to the SolarWinds attack and Exchange hacks.
Biden has also nominated Rob Silvers, a former Obama-era assistant secretary for cybersecurity policy, to serve as undersecretary for strategy, policy, and plans at Homeland Security. Silvers was recently floated for the top job at CISA.
Both Easterly’s and Silvers’ positions are subject to Senate confirmation. The appointments were first reported by The Washington Post.
Former CISA director Krebs praised the appointments as “brilliant picks.” Dmitri Alperovitch, a former CrowdStrike executive and chair of Silverado Policy Accelerator, called the appointments the “cyber equivalent of the dream team.” In a tweet, Alperovitch said: “The administration could not have picked three more capable and experienced people to run cyber operations, policy and strategy alongside Anne Neuberger.”
Neuberger is replaced by Rob Joyce, a former White House cybersecurity czar, who returned from a stint at the U.S. Embassy in London earlier this year to serve as NSA’s new cybersecurity director.
Last week, the White House asked Congress for $110 million in new funding for next year to help Homeland Security to improve its defenses and hire more cybersecurity talent. CISA hemorrhaged senior staff last year after several executives were fired by the Trump administration or left for the private sector.
China is pushing forward an internet society where economic and public activities increasingly take place online. In the process, troves of citizen and government data get transferred to cloud servers, raising concerns over information security. One startup called ThreatBook sees an opportunity in this revolution and pledges to protect corporations and bureaucracies against malicious cyberattacks.
Antivirus and security software has been around in China for several decades, but until recently, enterprises were procuring them simply to meet compliance requests, Xue Feng, founder and CEO of six-year-old ThreatBook, told TechCrunch in an interview.
Starting around 2014, internet accessibility began to expand rapidly in China, ushering in an explosion of data. Information previously stored in physical servers was moving to the cloud. Companies realized that a cyber attack could result in a substantial financial loss and started to pay serious attention to security solutions.
In the meantime, cyberspace is emerging as a battlefield where competition between states plays out. Malicious actors may target a country’s critical digital infrastructure or steal key research from a university database.
“The amount of cyberattacks between countries is reflective of their geopolitical relationships,” observed Xue, who oversaw information security at Amazon China before founding ThreatBook. Previously, he was the director of internet security at Microsoft in China.
“If two countries are allies, they are less likely to attack one another. China has a very special position in geopolitics. Besides its tensions with the other superpowers, cyberattacks from smaller, nearby countries are also common.”
Like other emerging SaaS companies, ThreatBook sells software and charges a subscription fee for annual services. More than 80% of its current customers are big corporations in finance, energy, the internet industry, and manufacturing. Government contracts make up a smaller slice. With its Series E funding round that closed 500 million yuan ($76 million) in March, ThreatBook boosted its total capital raised to over 1 billion yuan from investors including Hillhouse Capital.
Xue declined to disclose the company’s revenues or valuation but said 95% of the firm’s customers have chosen to renew their annual subscriptions. He added that the company has met the “preliminary requirements” of the Shanghai Exchange’s STAR board, China’s equivalent to NASDAQ, and will go public when the conditions are ripe.
“It takes our peers 7-10 years to go public,” said Xue.
ThreatBook compares itself to CrowdStrike from Silicon Valley, which filed to go public in 2019 and detects threats by monitoring a company’s “endpoints,” such as employees’ laptops and mobile devices that connect to the internal network from outside the corporate firewall.
ThreatBook similarly has a suite of software that goes onto the devices of a company’s employees, automatically detects threats and comes up with a list of solutions.
“It’s like installing a lot of security cameras inside a company,” said Xue. “But the thing that matters is what we tell customers after we capture issues.”
SaaS providers in China are still in the phase of educating the market and lobbying enterprises to pay. Of the 3,000 companies that ThreatBook serves, only 300 are paying so there is plentiful room for monetization. Willingness to spend also differs across sectors, with financial institutions happy to shell out several million yuan ($1 = 6.54 yuan) a year while a tech startup may only want to pay a fraction of that.
Xue’s vision is to take ThreatBook global. The company had plans to expand overseas last year but was held back by the COVID-19 pandemic.
“We’ve had a handful of inquiries from companies in Southeast Asia and the Middle East. There may even be room for us in markets with mature [cybersecurity companies] like Europe and North America,” said Xue. “As long as we are able to offer differentiation, a customer may still consider us even if it has an existing security solution.”
When you think of the core members of the C-suite, you probably think of the usual characters: CEO, CFO, COO and maybe a CMO. Each of these roles is fairly well defined: The CEO controls strategy and ultimately answers to the board; the CFO manages budgets; the CMO gets people to buy more, more often; the COO keeps everything running smoothly. Regardless of the role, all share the same objective: maximize shareholder value.
But the information age is shaking up the C-suite’s composition. The cyber market is exploding in an attempt to secure the modern enterprise: multicloud environments, data generated and stored faster than anyone can keep up with and SaaS applications powering virtually every function across the org, in addition to new types of security postures that coincide with that trend. Whatever the driver, though, this all adds up to the fact that cyber strategy and company strategy are inextricably linked. Consequently, chief information security officers (CISOs) in the C-Suite will be just as common and influential as CFOs in maximizing shareholder value.
As investors seek outsized returns, they need to be more engaged with the CISO beyond the traditional security topics.
It’s the early ’90s. A bank heist. A hacker. St. Petersburg and New York City. Offshore bank accounts. Though it sounds like the synopsis of the latest psychological thriller, this is the context for the appointment of the first CISO in 1994.
A hacker in Russia stole $10 million from Citi clients’ accounts by typing away at a keyboard in a dimly lit apartment across the Atlantic. Steve Katz, a security executive, was poached from JP Morgan to join Citi as part of the C-suite to respond to the crisis. His title? CISO.
After he joined, he was told two critical things: First, he would have a blank check to set up a security program to prevent this from happening again, and second, Citi would publicize the hack one month after he started. Katz flew over 200,000 miles during the next few months, visiting corporate treasurers and heads of finance to reassure them their funds were secure. While the impetus for the first CISO was a literal bank heist, the $10 million stolen pales in comparison to what CISOs are responsible for protecting today.
Clothing giant FatFace had a data breach, but doesn’t want you to tell anyone about it.
The company sent an email to customers this week disclosing that it first detected a breach on January 17. A hacker made off with customers’ names, email and postal addresses, and the last four digits of their credit cards. “Full payment card information was not compromised,” the notice reiterated.
But despite going out to thousands of customers, the email said to “keep this email and the information included within it strictly private and confidential,” an entirely unenforceable request.
Under U.K. data protection laws, a company must disclose a data breach within 72 hours of becoming aware of an incident, but there are no legal requirements on the customer to keep the information confidential. It didn’t take long for the company to face flak from the public. The company didn’t have much to say in response, asking instead to “DM us with any questions.”
Through a spokesperson at a crisis communications firm, FatFace said: “The notification email was marked private and confidential due to the nature of the communication, which was intended for the individual concerned. Given its contents, we wanted to make this clear, which is why we marked it private and confidential.”
TechCrunch obtained a near-identical email sent to its staff from a former employee who asked not to be named. The email to employees was largely the same as the customer email, but warned that staff may have had their bank account information and their National Insurance numbers — the U.K. equivalent of Social Security — compromised.
FatFace confirmed “a select number of employees, former employees and customers and providing appropriate guidance and support,” but would not say specifically how many customers and employees were affected by the breach.
Facebook on Wednesday announced new actions to disrupt a network of China-based hackers leveraging the platform to compromise targets in the Uyghur community.
The group, known to security researchers as “Earth Empusa,” “Evil Eye” or “Poison Carp,” targeted around 500 people on Facebook, including individuals living abroad in the United States, Turkey, Syria, Australia and Canada. Through fake accounts on Facebook, the hackers posed as activists, journalists and other sympathetic figures in order to send their targets to compromised websites beyond Facebook.
Facebook’s security and cyber espionage teams began seeing the activity in 2020 and opted to disclose the threat publicly to maximize the impact on the hacking group, which has proven sensitive to public disclosures in the past.
Though Facebook says social engineering efforts on the platform are “a piece of the puzzle,” most of the hacking group’s efforts take place elsewhere online. They focus on attempts to gain access to targets’ devices with watering hole attacks and lookalike domains, including a fake Android app store offering prayer apps and Uyghur-themed keyboard downloads.
When downloaded, those fake apps infected devices using two strains of Android trojan malware, ActionSpy and PluginPhantom. On iOS devices, the hackers leveraged malware known as Insomnia.
While the hackers targeted a small number of users relative to what the company sees in disinformation operations, Facebook stressed that a small, well-chosen group of targets can result in huge impacts. “You can imagine surveillance, you can imagine a range of secondary consequences,” Facebook Head of Security Policy Nathaniel Gleicher said.
The Uyghurs are a predominantly Muslim ethnic minority in China that continues to face brutal repression from the Chinese government, including being forced into labor camps in the country’s Xinjiang province.
Facebook declined to link what it observed to the Chinese government, saying that it defers to the broader security community to make those determinations when it lacks the technical indicators to do so itself. Researchers believe that adjacent hacking campaigns are Beijing’s efforts to extend its surveillance of communities it already subjugates within China’s bounds.
Researchers say a botnet targeting Windows devices is rapidly growing in size, thanks to a new infection technique that allows the malware to spread from computer to computer.
The Purple Fox malware was first spotted in 2018 spreading through phishing emails and exploit kits, a way for threat groups to infect machines using existing security flaws.
But researchers Amit Serper and Ophir Harpaz at security firm Guardicore, which discovered and revealed the new infection effort in a new blog post, say the malware now targets internet-facing Windows computers with weak passwords, giving the malware a foothold to spread more rapidly.
The malware does this by trying to guess weak Windows user account passwords by targeting the server message block, or SMB — a component that lets Windows talk with other devices, like printers and file servers. Once the malware gains access to a vulnerable computer, it pulls a malicious payload from a network of close to 2,000 older and compromised Windows web servers and quietly installs a rootkit, keeping the malware persistently anchored to the computer while also making it much harder to be detected or removed.
Once infected, the malware then closes the ports in the firewall it used to infect the computer to begin with, likely to prevent reinfection or other threat groups hijacking the already-hacked computer, the researchers said.
The malware then generates a list of internet addresses and scans the internet for vulnerable devices with weak passwords to infect further, creating a growing network of ensnared devices.
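Two of the behaviours described above leave footprints a defender can look for: the inbound SMB password guessing shows up as bursts of failed network logons from one source, and the outbound worm scanning shows up as one internal host reaching many distinct addresses on TCP/445. The following detection logic is an added example with constructed sample data; it is not Guardicore's code and uses none of the published indicators.

```python
"""Flag SMB password-guessing sources and worm-style SMB scanners.

Added example; the event and flow records below are constructed, not real.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASE = datetime(2021, 3, 24, 10, 0, 0)

# Constructed Windows Security events: (timestamp, event_id, logon_type, source_ip, user).
# Event 4625 is a failed logon; logon type 3 is a network logon, which is what SMB produces.
SAMPLE_LOGONS = [
    (BASE + timedelta(seconds=4 * i), 4625, 3, "203.0.113.5", f"user{i % 7}")
    for i in range(30)                       # 30 failures in two minutes: guessing
] + [
    (BASE + timedelta(minutes=20 * i), 4625, 3, "198.51.100.9", "alice")
    for i in range(3)                        # 3 failures spread out: a mistyped password
] + [
    (BASE + timedelta(seconds=5 * i), 4625, 2, "127.0.0.1", "bob")
    for i in range(25)                       # interactive (type 2) failures, not SMB
]

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    (BASE + timedelta(seconds=i), "10.0.0.7", f"192.0.2.{i}", 445)
    for i in range(60)                       # one host sweeping 60 addresses on 445
] + [
    (BASE + timedelta(seconds=10 * i), "10.0.0.8", f"10.0.1.{i}", 445)
    for i in range(5)                        # a file-server client: 5 destinations
]


def detect_smb_bruteforce(events, threshold=20, window=timedelta(minutes=5)):
    """Return {source_ip: usernames tried} for every source that produces at
    least `threshold` failed network logons inside any sliding `window`."""
    by_src = defaultdict(list)
    for ts, event_id, logon_type, src, user in events:
        if event_id == 4625 and logon_type == 3:
            by_src[src].append((ts, user))
    hits = {}
    for src, rows in by_src.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1               # drop events older than the window
            if end - start + 1 >= threshold:
                hits[src] = sorted({u for _, u in rows[start:end + 1]})
                break
    return hits


def detect_smb_scanning(flows, threshold=50, window=timedelta(minutes=2)):
    """Return {src_ip: max distinct destinations} for hosts that contact at
    least `threshold` distinct destinations on TCP/445 inside any `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            by_src[src].append((ts, dst))
    hits = {}
    for src, rows in by_src.items():
        rows.sort()
        in_window, start = Counter(), 0
        for ts, dst in rows:
            in_window[dst] += 1
            while ts - rows[start][0] > window:
                old = rows[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]   # destination left the window entirely
                start += 1
            if len(in_window) >= threshold:
                hits[src] = max(hits.get(src, 0), len(in_window))
    return hits


if __name__ == "__main__":
    print("SMB guessing sources:", detect_smb_bruteforce(SAMPLE_LOGONS))
    print("SMB scanners:", detect_smb_scanning(SAMPLE_FLOWS))
```

The thresholds are starting points to tune against a baseline; a backup server or vulnerability scanner will legitimately touch many hosts on 445 and needs an allowlist.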
Botnets are formed when hundreds or thousands of hacked devices are enlisted into a network run by criminal operators, which are often then used to launch denial-of-service attacks to pummel organizations with junk traffic with the aim of knocking them offline. But with control of these devices, criminal operators can also use botnets to spread malware and spam, or to deploy file-encrypting ransomware on the infected computers.
But this kind of wormable botnet presents a greater risk as it spreads largely on its own.
Serper, Guardicore’s vice president of security research for North America, said the wormable infection technique is “cheaper” to run than its earlier phishing and exploit kit effort.
“The fact that it’s an opportunistic attack that constantly scans the internet and looks for more vulnerable machines means that the attackers can sort of ‘set it and forget it’,” he said.
It appears to be working. Purple Fox infections have rocketed by 600% since May 2020, according to data from Guardicore’s own network of internet sensors. The actual number of infections is likely to be far higher, amounting to more than 90,000 infections in the past year.
Guardicore published indicators of compromise to help networks identify if they have been infected. The researchers do not know what the botnet will be used for but warned that its growing size presents a risk to organizations.
“We assume that this is laying the groundwork for something in the future,” said Serper.