Accenture has announced its intention to acquire French cybersecurity firm Openminded.

Announced on Thursday, the services and consultancy company said the purchase will expand the Accenture security arm’s presence in France and into Europe as a whole. Financial terms of the deal were not disclosed.  Founded in 2008, Openminded provides cybersecurity services including management, consultancy, and cloud & infrastructure solutions with a focus on risk analysis, remediation, and regulatory compliance.   Openminded reported a €19 million turnover during the 2020 financial year. The company has roughly 105 employees and 120 clients including Sephora, Talan, and Thales.  Once the deal has been finalized, Openminded’s staff will join Accenture Security’s existing workforce.  “Joining forces with Accenture is a great opportunity for our teams and our clients,” commented Hervé Rousseau, Openminded founder and CEO. “The alliance of our talent and capabilities perfectly leverages our expertise and would allow us to deliver on a global scale. Today, the fight against cyberattacks requires the implementation of the most advanced technologies, as well as the human resources to make them efficient.”

The deal is subject to standard closing conditions.  Earlier this month, Accenture acquired cloud analytics firm Core Compete. The vendor leverages machine learning (ML) and artificial intelligence (AI) to provide managed services, cloud data warehousing, data analysis tools, and SAS on cloud services.  The latest acquisition builds upon the purchase of Businet System, Real Protect, and Wolox this year, among other companies.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

isak55 — Shutterstock Just what every Linux system administrator wants just before the holidays: A serious Linux kernel security bug. The Zero Day Initiative (ZDI), a zero-day security research firm, announced a new Linux kernel security bug. This hole allows authenticated remote users to disclose sensitive information and run code on vulnerable Linux kernel versions.  […] More

Image: Geralt on Pixabay
A report published today by blockchain investigations firm Chainalysis confirms that cybercrime groups engaging in ransomware attacks don’t operate in their own bubbles but often switch ransomware suppliers (RaaS services) in a search for better profits.

The report analyzed how Bitcoin funds were transferred from victims to criminal groups, and how the money was divided among different parties involved in the ransomware attack, and how it was eventually laundered.
But to understand these dynamics, a short intro into the current ransomware scene is needed. Today, the ransomware landscape is very similar to how modern businesses operate.
There are coders who create and rent the actual ransomware strain via services called RaaS — or Ransomware-as-a-Service — similar to how most modern software is provided today.
Some RaaS operators rent their ransomware to anyone who signs up, while others prefer to work with small groups of verified clients, which are usually called “affiliates.”
The affiliates are the ones to usually spread the ransomware via email or orchestrate intrusions into corporate or government networks, which they later infect and encrypt with the ransomware they rented from the RaaS operator.
In some cases, the affiliates are also multiple groups themselves. Some are specialized in breaching a company’s network perimeter, and are called initial access vendors, while some groups are specialized in expanding this initial access inside hacked networks to maximize the ransomware’s damage.

All in all, the ransomware landscape has evolved from previous years and is now a collection of multiple criminal groups, each providing its own highly-specialized service to one another, often across different RaaS providers.
BTC transactions show collaborations between criminal groups
The Chainalysis report released today confirms these informal theories with undisputable and unforgeable cryptographic proof left behind by the Bitcoin transactions that have taken place among some of these groups.
For example, based on the graph below, Chainalysis said it found evidence to suggest that an affiliate for the now-defunct Maze RaaS was also involved with SunCrypt RaaS.
“We see that the Maze affiliate also sent funds — roughly 9.55 Bitcoin worth over $90,000 — via an intermediary wallet to an address labeled ‘Suspected SunCryptadmin,’ which we’ve identified as part of a wallet that has consolidated funds related to a few different SunCrypt attacks,” Chainalysis said.
“This suggests that the Maze affiliate is also an affiliate for SunCrypt, or possibly involved with SunCrypt in another way.”

Image: Chainalysis
Similar findings also show a connection between the Egregor and DoppelPaymer operations.
“In this case, we see that an Egregor wallet sent roughly 78.9 BTC worth approximately $850,000 to a suspected Doppelpaymer administrator wallet,” researchers said.
“Though we can’t know for sure, we believe that this is another example of affiliate overlap. Our hypothesis is that the Egregor-labeled wallet is an affiliate for both strains sending funds to the Doppelpaymer administrators.”

Image: Chainalysis
And last but not least, Chainalysis researchers also found evidence that the operators of the Maze and Egregor operations also used the same money-laundering service and over-the-counter brokers to convert stolen funds into fiat currency.
Since several security firms have suggested that the Egregor RaaS is a rebrand and continuation of the older and defunct Maze operation, such findings come to support these theories, showing how old Maze tactics permeated to the new Egregor operation.

Image: Chainalysis
Report confirms observations made by security firms
“Interesting report and very much aligns with what we are seeing,” Allan Liska, a security researcher with threat intel firm Recorded Future, told ZDNet.
“Recorded Future is seeing more fluidity in the RaaS market now than at any other time in the (admittedly short) history of the RaaS market.
“Part of this is because of the reality that there is a growing stratification between the haves and have nots in ransomware. There are fewer actors making a lot of money, so ransomware actors are jumping from one RaaS to another to improve their chances of success,” the Recorded Future analyst said.
Furthermore, Liska says there are other connections and overlaps between other RaaS groups, and not just Maze, SunCrypt, and Egregor.
The Recorded Future analyst pointed to the Sodinokibi (aka REvil) RaaS operation as being one of the services where many groups overlap, primarily because the Sodinokibi administrator, an individual going by the name of Unknown, has often actively and openly recruited affiliates from other RaaS programs.
Interconnected landscape is actually a good sign
But while we might view these connections and overlaps as a sign of successful cooperation between cybercrime groups, Chainalysis believes that this interconnectedness is actually a good sign for law enforcement.
“The evidence suggests that the ransomware world is smaller than one may initially think given the number of unique strains currently operating,” Chainalysis said.
This, in theory, should make cracking down and disrupting ransomware attacks a much easier task since a carefully planned blow could impact multiple groups and RaaS providers at the same time.
According to Chainalysis, these weak spots are the money-laundering and over-the-counter services that RaaS operators and their affiliates often use to convert their stolen funds into legitimate currency.
By taking out legitimate avenues for converting funds and reaching real-world profitability, Chainalysis believes RaaS operations would have a hard time seeing a reason to operate when they can’t profit from their work. More

Voice over Internet Protocol (VoIP) services company Bandwidth.com has confirmed that it was suffering from outages after reports emerged on Monday night that the service was dealing from a DDoS attack. Bandwidth CEO David Morken said in a statement that “a number of critical communications service providers have been targeted by a rolling DDoS attack.”

ZDNet Recommends

“While we have mitigated much intended harm, we know some of you have been significantly impacted by this event. For that I am truly sorry. You trust us with your mission-critical communications. There is nothing this team takes more seriously,” Morken said.  “We are working around the clock to support your teams and minimize the impact of this attack. Our account managers and support teams have been actively reaching out to customers individually to address any issues. We will not rest until we end this incident, and will continue to do all we can to protect against future ones.” In an earlier statement, the company told ZDNet that Bandwidth “has experienced intermittent impacts” to its services. “All our services are currently functioning normally. Our network operations and engineering teams are continuing to monitor the situation and we are actively working with our customers to address any issues. We will post updates to status.bandwidth.com as we have additional information to share,” the company said. Since that statement was shared, the company has updated the status showing partial outages for a number of inbound and outbound calling services. 

Bleeping Computer was the first to report on Monday evening that Bandwidth.com was facing issues because of a distributed denial of service attack, which are routinely targeted at VoIP providers.  The news outlet noted that other VoIP vendors like Accent, RingCentral, Twilio, DialPad and Phone.com were experiencing outages and telling customers that the problems were with an “upstream provider.” On its Cloud Service Status page, Accent said on Tuesday that the “upstream provider continues to acknowledge the DDoS attack has returned to their network however we are seeing a very limited impact to inbound calling for our services.”  “Mitigation steps are being put in place to route inbound phone numbers around the upstream carrier the impact to service grows. We will continue to monitor the situation and update the status as appropriate,” Accent wrote.  A source, who asked to have their name withheld, told ZDNet on Monday that their customers were having major problems with their ported phone numbers and that they could not make any changes like forwarding phones.  The company is a downstream reseller of products hosted by Bandwidth and said they knew of a major telecommunications company that “was in emergency mode” due to the situation with Bandwidth.  Just a few weeks ago, Canada-based VoIP provider VoIP.ms said it was still battling a week-long, massive ransom DDoS attack. The REvil ransomware group demanded a $4.5 million ransom to end the attack.  Recent reports have said DDoS attacks are becoming more frequent, more disruptive and increasingly include ransom demands.  Cloudflare said last month that its system managed to stop the largest reported DDoS attack in July, explaining in a blog post that the attack was 17.2 million requests-per-second, three times larger than any previous one they recorded. More

Your spying gadget needs an anti-spying gadget. Somewhere, John Le Carré sniggers. Paranoid It was the column that launched screams around America. Last week, I wrote about a UK law firm that suggested Amazon’s Alexa and her cohorts should be switched off before you have any confidential work-related conversations. Now that you’re likely working from […] More