More stories

  • Zigbee inside the Mars Perseverance Mission and your smart home

    Have you been following the Perseverance rover that landed on Mars in February? It was fun to watch as the robot landed on the surface of Mars, ready to explore. And it’s been even more mesmerizing to watch as videos — with sound — and pictures have made their way back to Earth. Part of the technology that makes the communication between the rover and NASA possible is Zigbee. 
    My ZDNet Jason Squared co-host, Jason Cipriani, and I recently had the opportunity to interview Tobin Richardson, CEO and president of the Zigbee Alliance, about this project, as well as the future of the Zigbee wireless standard. 

    Jason Cipriani: Tobin, thanks for joining us today. If you don’t mind, tell our readers and listeners a little bit about yourself. 
    Tobin Richardson: Tobin Richardson, CEO of the Zigbee Alliance. I’ve been with the organization for the better part of a decade and first joined Zigbee Alliance to help it get into smart meters around the planet. And then, as it became a more mature technology, I stayed on as a CEO to help the organization grow into a lot of different market segments, which is why you’re seeing us in smart homes, smart buildings, industrial automation, and its use on the Perseverance Mars mission.
    Jason Perlow: We have occasionally discussed Zigbee and other wireless data communications technologies used in the home automation industry and other verticals such as wireless sensors and industrial control systems. For our listeners who may not be familiar with it, can you tell us a bit about the Zigbee standard and the typical use cases? 
    Tobin Richardson: It started almost two decades ago, and I had some experience with Wi-Fi and Bluetooth early on when they were more on the proprietary side. Those two have excellent use cases, but the use cases that drove Zigbee early on were around Personal Area Networking (PANs) or industrial wireless sensor controls and networking. This was based on an IEEE 802.15.4 standard, specifying how to implement that standard with what we call the Zigbee Stack. And early on, that was really about lighting systems, industrial controls, and wireless sensor control networks. And that was the first area where it entered the marketplace.
    Jason Perlow: Today, the Zigbee protocol has a maximum transmission rate of 250kbps. That’s significantly slower than other low-power data communications protocols like Bluetooth Low Energy which caps out at about 2Mbps. I understand that there are important differences between the two in how they perform and what situations you might choose one over the other, and what distances they are effective at. Do you see them as complementary technologies? 

    Feature Set                  | Bluetooth          | Zigbee
    -----------------------------+--------------------+--------------------------------------------
    Frequency Operation          | 2.4GHz-2.483GHz    | 2.4GHz and 900MHz
    RF Channels                  | 79                 | 16
    Modulation                   | GFSK               | BPSK/QPSK UWB
    Cell Nodes                   | 8                  | 65,000
    Bandwidth/Transmission Rate  | 2Mbps              | 256Kbps
    Range                        | 10 Meters          | > 100M using 2.4GHz, 1km with Sub-Gigahertz
    IEEE Standard                | 802.15.1           | 802.15.4

    Tobin Richardson: So, as an organization, we have a lot of different technologies and applications. The number of technologies we have and how we relate to Bluetooth and Wi-Fi use cases is growing. Zigbee can have up to thousands of nodes and is a much longer range. There are other use cases where there are one or two devices, and it’s OK to use the Wi-Fi or Bluetooth standard for those. For Zigbee, we’ve seen it grow for lighting applications, especially if you are at the San Diego Convention Center. At one point, I think virtually all the lighting there was done with ZigBee; you’ve got hundreds and hundreds of devices off a single network controller. So it’s perfect for really large, diverse networks, and the range is still pretty impressive. 
    On Zigbee, you’re going to get 50 meters using a Smart Home application. On Bluetooth, you’ll experience drop-off on your headphones or speaker after five or ten meters, depending on your specific use case. Bluetooth is doing some good work. And a lot of these standards will evolve. And we’d love to see what Bluetooth and what Wi-Fi is doing in a lot of complementary areas and where Zigbee continues to evolve. The original Zigbee stack is on revision 23. So we keep growing, exploring how that looks, how the technology functions, and it’s got a really good sweet spot around diverse networks that take advantage of mesh.
    Jason Perlow: What is the history of the protocol, and where are we at today with its feature set, with 3.0?
    Tobin Richardson: It’s been a fascinating kind of evolution. And honestly, one of the things that have kept me personally involved is how the standard is evolving. So if you think back to where it started, Wi-Fi, at that point, was really about the network — so a typical use case is a laptop or a desktop and an access point, where you’ve got a limited number of devices. You’re just really throwing packets over a network and gaining access to a web server, and for things like that, it’s fantastic. Zigbee came in with kind of the same approach; we’re just going to connect all these devices, we’re going to figure out how the networking works. And then we’ll just let people figure out what they’re going to do with that, with one node connected to a controller or another node connected to 25 different nodes, let them route appropriately. So that’s kind of the origin story, as you have these really lightweight communications. 
    You mentioned the new 250Kbps transmission. When you’re looking at the packet sizes and things like that, you’re not going to be serving web pages over that. But also, you might build a light bulb; I might make a light bulb, and someone else a light switch. And if we’re all doing that, in proprietary ways, all our on-off commands are different. And as you and your audience probably know, you can argue about on and off and what that looks like; you would think it’s binary. However, it’s not quite so much in terms of how you turn that into something that’s implemented. Again, this is part of that evolution, where we started, it was about how to apply the IEEE 802.15.4 standard and choosing how best to do the networking, and getting into the application. 

    So for Zigbee Alliance members, there were many lighting companies and a lot of building automation companies who effectively were doing things a little bit differently. However, they said, let’s build a standard, let’s agree on what that looks like, let’s agree on what on and off looks like, let’s agree on what kinds of currents we’re going to use, as well. So this turned into a new area of work for the Alliance, but it was still tied together in one stack. And so you’ve got the Zigbee professional networking component, we started building this application layer on top. And that’s really what’s led us to where we are today, in the Zigbee stack. 
    We still have a flexible mindset. But we could have a lot of applications in medicine — cool. Let’s go off and do that. We might have some really good energy applications, so let’s define that application layer in energy. Super. How about home automation? Great, let’s go to that. 
    But in home automation and energy, both have thermostats. So are we going to define thermostats differently? And these separate application profiles, okay, we’re defeating the purpose. So we brought that back together — and that’s what Zigbee 3.0 is today, which is a really good natural evolution, right? So today, 18 years later, starting with the lightweight personal era and industrial, you now have a full-stack Zigbee 3.0 standard that defines all this. And that’s in our revision 22. We’re working on our revision 23 right now, where we’ll start getting into usability across various hubs. And it’s all part of that kind of Zigbee evolution, to standardize as much as possible with that alignment of the nodes. So the controllers all work together seamlessly, with a consistent language for those devices that are attached as well. 
    Jason Cipriani: What role is Zigbee playing with the Perseverance rover and the Ingenuity drone on Mars?
    Tobin Richardson: I had the good fortune of being part of a retreat put on by Amazon five years ago, where I met the project lead for the Mars Rover and found out about the amazing work that they’re doing, which we didn’t even know about back then. And I don’t know if Zigbee was part of it. But this is about communication between the rover and the helicopter. The helicopter flies autonomously when it’s up in flight, but it can transmit data back about the location or other information about battery and things like that when it lands. So it’s the mission telemetry that can get back to it. You’ve got a Zigbee 900 megahertz radio on the rover and another one on the helicopter itself that can communicate that way.
    Jason Cipriani: Why is Zigbee suitable for data communication between the Perseverance rover and the Ingenuity drone? What sort of data is being transmitted? 
    Tobin Richardson: Zigbee is the way to go. And, and I will defer kindly to them and let them explain that, but from my perspective, I think we’re making a lot of sense for them as the low power component to this with the low data rate. Looking at really extreme environments, like Mars, it’s good to have a very lightweight purpose-built standard. So it was built up from that perspective, where it’s essential to get the basic information across and makes it possible for extended battery usage for those kinds of applications on Mars. I haven’t seen a power system up there yet — I don’t think Matt Damon’s put in one yet, as far as I know. I believe that that low-power component makes it a really attractive solution for that application as well as the sub-gigahertz frequency range for longer distance communications.

    Image: Anatomy of the Ingenuity Mars Semi-Autonomous Drone (NASA JPL)
    Jason Perlow: From my understanding of how the Ingenuity drone works, it’s semi-autonomous; it’s not a fully intelligent thing. It’s more like a ride that you would see in an amusement park running down the track — an invisible telerobotically scripted, pre-programmed route that uses telemetry that will be sent between the rover and the helicopter. As I understand, that track can be adjusted on the fly as needed, but on Mars, there is no Global Positioning System, so any positioning and navigation are being done with cameras and sensors. A lot of telemetry signaling occurs between the drone and the rover and then back to JPL through the four Mars satellites. Zigbee at 900MHz has a maximum effective distance of about 3000 feet, so that’s within the mission profile of what the helicopter is doing. You’re not going to want to do a 3000 foot Wi-Fi transmission or even a Bluetooth connection. I can barely get Bluetooth to work 15 feet away from my desk, let alone 3000 feet.
    Tobin Richardson: These technologies have great use cases, right? And no, not at all, not good Bluetooth or Wi-Fi use cases. This is not the right application for that. There are a lot of challenges in the operating environment too. We were talking about this on the team as this became public what other real-world cases there are where this might be useful. I’m not going to say there are Mars-like environments on Earth, but there are places where it’s difficult, and you need high reliability — remote areas that don’t have access to a lot of the power capabilities in just a typical building. In places like pipelines and other remote areas, where you want to get good telemetry and want something that you can rely on, there are many good use cases there. And yes, Mars, this is one of those use cases.
    We’re fascinated by what’s happening over this implementation. I think there are a lot of areas really in power usages, such as the transmit power and the transmission rates, and getting a better understanding of how that operates, in negative 40-50 degrees Celsius environments, we’re really very curious about how that works and in terms of what we might learn from that, as well as packet delivery failure. Zigbee is really good for that in terms of retries and things like that. But those are a few of the areas that we think would be really interesting to learn from. Of course, this is a demonstration project, the way that NASA JPL has described it, they’ve set the expectation that this is the first time they’re trying, so they’ve already learned a lot in terms of the data. We certainly hope that they can get good separation, get the missions and the flights to do what they’re expecting to, and get some good learning from them. 
    Jason Perlow: Is Zigbee involved with any of these emergency field worker apps, like text device capabilities — like potentially putting a Zigbee chipset inside a smartphone? So, for example, if a 4G or 5G network infrastructure were to go down in an emergency situation, would it be possible to do mesh network texting and maybe some rudimentary burst voice capabilities between handhelds?
    Tobin Richardson: You know, you should be able to do that, but I’m not familiar with these directly. I know there are organizations like FirstNet that are looking to serve first responders as well. It’s happening with fire departments; those are the things you’re talking about, right? There are areas in which the technology is being used in new ways, such as in those field environments, such as where you’re dropping sensors to track where the fire line is in a wildfire. Certainly, from a human perspective, tracking people in distress is instrumental in positioning emergency signals. So certainly, those are areas that Zigbee can be used. And, and as we evolve as an organization, there are other technologies we have in our house, with this common language for devices that we think can be used across technology. So not just a Zigbee network, not just a narrowband IoT, or 5G, but you can do a mix of those together and effectively have one common language kind of going across those different mediums.
    Jason Perlow: A lot has been discussed about Amazon’s new mesh network, Sidewalk, for use in its Echo smart speaker devices, which is implemented over its built-in Zigbee transceiver modules. Zigbee has been designed to be secure so that it may operate over private networks and not interfere with or cross-traffic with other nearby Zigbee networks. Amazon has altered the use case by having all of their Echos, regardless of who owns them, communicate over Sidewalk to share firmware patches and such. What is Zigbee’s position on this? Do you feel there is a good use case scenario for public mesh networking with Zigbee outside of Amazon’s Sidewalk?
    Tobin Richardson: That’s an interesting question; I think we’re still kind of in a wait-and-see on Sidewalk and see where Amazon goes. Amazon is very active in the Zigbee Alliance. In fact, they’re on our board of directors; we have some terrific engineers and principal architects that participate both in the Zigbee side and Project CHIP (Connected Home over IP) and in the MACfi stuff that we do within the Zigbee Alliance. Having a little bit of latency, I think in terms of the public networks, the way Amazon is doing it, that’s a fascinating approach. There are some areas that we want to look at a little more in dealing with privacy and security. And as you said, in terms of how secure this is, how the mixed networks operate together. And that’s an area that we want to investigate a little bit more, let’s say for now, but right now, a little bit of wait and see on Sidewalk.


    Jason Cipriani: Narrowing down more on Zigbee, how does the relatively new IoT Thread protocol compare? I say new, only in that consumers can finally start using it with Apple’s HomePod mini and some accessories. 
    Tobin Richardson: In terms of low power mesh networking, we really kind of are sitting in the same area. The Zigbee network is not native IP, necessarily.  Of course, you can easily map to it, and you can address a single device on a MAC address and things like that. So it’s not without addressing, but the notion of IP has been one that we’ve been tracking closely over the 20-year history of the organization. And Thread came around right about the time as an organization we were looking at developing a similar low power IP stack with a lot of the same functionality. When we learned about that, with our sister organization, we said, do we create a competing one, or do we partner with them, because we knew that that language is going to operate not just on Zigbee networks, but also on other IP networks. So we decided at that point that we would partner with Thread Group. And we’ve contributed quite a bit to their development as well, even on the McAfee side of Thread. And so we’re effectively a good sister organization with Thread Group. As they get to commercial rollout, we will have an application layer on that and Project CHIP. The differences today between Zigbee and Thread today are mainly around the IP addressability, probably the most known difference between the two. But we see a lot of synergies there with the organizations. Today, if you want to build a quickly usable product and in virtually every ecosystem on the planet, Zigbee is a great choice for you. As you look at this evolutionary piece, we kind of see this competence in terms of IP with Thread as a fantastic solution. And, and we think the right language and the right standard on top of that will be Project CHIP on top of Thread. And that will have a lot in common with what we do on the ZigBee side and the development side will be a lot easier there as well. 
    Jason Perlow: Is there a Zigbee 4.0 in the planning stages yet? What improvements can we expect to see from Zigbee in the future? Have we improved data rates?
    Tobin Richardson: Zigbee 3.0 is kind of how we’re describing the complete stack. We did that when we brought the different profiles together. And so we’re continuing on that path. Right now, we’re working on our revision 23. One of the biggest functionalities in R23 is focused on what we call “All Hubs.” And that’s effectively trying to get all the hub operators to effectively treat devices with the same route joining processes and other pieces. So there’s a lot of good improved functionality for consumers. Hopefully, consumers will just enjoy it in a cleaner, crisp experience getting devices into the network, regardless of which hub or devices they use. Also, we’re going to be adding some support for sub-gigahertz in R23. So we’ll start taking advantage of other channels and frequencies. And we’ve had some demand for that in different markets and market segments, whether it’s home automation and smart energy, as utility companies want to try and reach larger places. Sub-gigahertz and 2.4 gigahertz have different behaviors regarding how they act with interference and barriers, and sub-gigahertz in big thick concrete buildings is a nice solution. In the UK, we’ve actually already done that. So we’ll bring that over into our R23. So I don’t think we’re going to be calling it anything different, but there will be more functionality in the next release, which should be a really good improvement for consumer experiences on smart homes. 
    Jason Perlow: Thanks, Tobin. Looking forward to everything that Zigbee is doing on Earth and other planets.


  • Microsoft: We've found three more pieces of malware used by the SolarWinds attackers

    Microsoft has disclosed more malware that was used by the suspected Russian-government-backed hackers who planted malware in software from US software vendor SolarWinds. 


    Microsoft has named the threat actors as Nobelium, continuing its tradition of naming notable nation-state hacking groups after chemical elements, such as Russia’s Strontium, China’s Barium, Iran’s Phosphorus, and North Korea’s Thallium.  
    Until now, Microsoft and security vendor FireEye had identified Sunburst (which Microsoft called Solorigate) and Teardrop malware. In January, security firm CrowdStrike found Sunspot, a piece of software dedicated to monitoring the build server for build commands that assembled Orion. 
    Orion is the SolarWinds network monitoring software that Nobelium attackers used to broadly distribute the Sunburst backdoor to 18,000 organizations throughout 2020, prior to cherrypicking nine US federal agencies and about 100 US companies to actually compromise and steal information from, according to the White House’s investigation. 
    Microsoft has now disclosed three new malware components used by the Nobelium hackers: GoldMax, GoldFinder, and Sibot. FireEye, which calls the group UNC2452, has named the newly discovered malware Sunshuttle. 
    Microsoft considers GoldMax an implant that serves as a command-and-control (C2) backdoor. The backdoor was written in Go, Google’s popular systems programming language. 
    FireEye said it does not know how this malware is installed but guesses it is a second-stage backdoor that’s dropped after an initial compromise. The company described the design of Sunshuttle as “sophisticated” and “elegant”. 

    “The new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its “blend-in” traffic capabilities for C2 communications,” FireEye notes in its analysis. 
    GoldMax communicates exclusively with the attacker’s C2 and relied on resold domains whose high reputations had been built up over time. This choice of domains helped GoldMax avoid setting off alarms in most security products that rely on domain reputation scores, according to Microsoft.  
    “The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running,” explains Microsoft. 
    “GoldMax establishes a secure session key with its C2 and uses that key to securely communicate with the C2, preventing non-GoldMax-initiated connections from receiving and identifying malicious traffic.”
    Sibot, built with Microsoft’s Visual Basic Scripting (VBScript), is a dual-purpose malware, according to Microsoft. 
    “The VBScript file is given a name that impersonates legitimate Windows tasks and is either stored in the registry of the compromised system or in an obfuscated format on disk. The VBScript is then run via a scheduled task,” Microsoft notes.
    Its main goal was persistence on an infected machine so that it could download and execute a payload from a remote C2 server. Microsoft has identified three variants of Sibot that all download a malicious payload.  
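    The persistence pattern Microsoft describes for Sibot (a VBScript run by a scheduled task whose name imitates a legitimate Windows task, with the script kept off the usual system paths) is something a defender can hunt for in exported task definitions. The script below is an added example, not Microsoft's or FireEye's detection logic: it parses the XML that `schtasks /query /xml` prints and applies hunting heuristics of my own; the task XML is constructed sample data, and the "Microsoft task folder" and script-host rules are assumptions about what looks out of place, not indicators from the report.

```python
"""Triage exported Windows scheduled tasks for the persistence pattern
described for Sibot: a VBScript launched by a scheduled task, the task named
to resemble a legitimate Windows task, the script kept outside the Windows
directory. Sample XML is constructed; the scoring rules are this example's
own hunting heuristics, not Microsoft's detection logic."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Namespace used by Task Scheduler XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Script hosts that a task action would invoke to run VBScript/HTA content.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    task: str
    command: str
    arguments: str
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_task(task_path: str, xml_text: str) -> Finding:
    """Score one task definition; task_path is the folder path shown by schtasks."""
    root = ET.fromstring(xml_text)
    exec_node = root.find(".//t:Actions/t:Exec", NS)
    if exec_node is None:
        return Finding(task_path, "", "")  # no Exec action: nothing to launch
    cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
    args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
    finding = Finding(task_path, cmd, args)
    low_args = args.lower()
    if _basename(cmd) in SCRIPT_HOSTS:
        finding.reasons.append("action is a script host")
        # Heuristic: VBScript referenced from outside the Windows directory.
        if ".vbs" in low_args and "\\windows\\" not in low_args:
            finding.reasons.append("VBScript referenced outside the Windows directory")
        # Heuristic: explicit engine/batch switches that hide prompts and errors.
        if "//e:" in low_args or "//b" in low_args:
            finding.reasons.append("explicit engine/batch switches (//E, //B)")
        # Heuristic: a script-host task placed under the Microsoft task folder.
        if task_path.lower().startswith("\\microsoft\\windows\\"):
            finding.reasons.append("Microsoft task folder used for a script-host task")
    return finding


def triage_all(tasks: dict) -> list:
    """Return only the tasks that tripped at least one heuristic."""
    return [f for f in (triage_task(p, x) for p, x in tasks.items()) if f.reasons]


# Constructed sample exports (XML declaration omitted; real exports are UTF-16).
SAMPLE_TASKS = {
    r"\Backup\Nightly": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Backup\backup.exe"</Command>
      <Arguments>--profile nightly</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\Microsoft\Windows\Maintenance\SystemRefresh": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //E:vbscript C:\ProgramData\Sys\refresh.vbs</Arguments>
    </Exec>
  </Actions>
</Task>""",
}

if __name__ == "__main__":
    for f in triage_all(SAMPLE_TASKS):
        print(f.task, "->", "; ".join(f.reasons))
```

On a live host, feed the output of `schtasks /query /xml` for each task path into `triage_task` after decoding it from UTF-16.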
    GoldFinder, which is also written in Go, is thought to be a custom HTTP trace tool that logs the route or hops that a packet takes to reach a hardcoded C2 server.  
    As part of the broader Russia-backed hacking campaign, some cyber security companies, Microsoft among them, were compromised via SolarWinds’ tainted Orion update, but this wasn’t the only way the hackers infiltrated systems; as many as 30% of the organisations breached had no direct link to SolarWinds and were attacked by other means.

  • These two unusual versions of ransomware tell us a lot about how attacks are evolving

    Two newly discovered forms of ransomware with very different traits show just how diverse the world of ransomware has become as more cyber criminals attempt to join in with cyber extortion.
    Both forms of ransomware emerged in February and have been detailed by cybersecurity researchers at Trend Micro – AlumniLocker and Humble – with the two versions attempting to extort a bitcoin ransom in different ways.
    AlumniLocker is a variant of Thanos ransomware and immediately stands out for demanding a payment of 10 Bitcoins from the infected victim – a figure currently equivalent to around $450,000.
    The ransomware is delivered to victims via a malicious PDF attachment claiming to be an invoice which is distributed in phishing emails. The PDF contains a link which will extract a ZIP archive which runs a PowerShell script to drop the payload and execute the ransomware.
    Like an increasing number of ransomware campaigns, the attackers behind AlumniLocker threaten to publish data stolen from the network of their victim if they’re not paid within 48 hours – although given the ransom demand is so large, victims may decide it’s too much to pay.
    The ambitious ransom demand and other inconsistencies in their attack techniques – including how the data leak site doesn’t actually work – could indicate that those behind AlumniLocker are probably just starting out.
    “It does seem like this might be a new group that does not have experience in successfully ransoming their victims as the ransom demand is much higher than typical. Being that the leak site doesn’t work is another example of showing their hand of being newbies,” Jon Clay, director of global threat communications at Trend Micro, told ZDNet.

    Humble ransomware also first appeared during February, but is very different in a number of ways. Firstly, the ransomware is much smaller, demanding just 0.0002 Bitcoins – currently just under $10 – for the return of files, indicating that Humble might be targeting individuals rather than organisations.
    It’s still unknown how exactly Humble is distributed, but researchers note that it’s likely to be via phishing attacks.
    In an effort to push victims towards paying the ransom, Humble threatens the victim by stating that if they restart their system, the Master Boot Record (MBR) will be rewritten, rendering the machine unusable. A second version of Humble carries the same threat, but instead says this will happen if the victim doesn’t pay after five days.
    Humble is unusual for ransomware in that it is written as a batch file and packaged with an executable wrapper (Bat2Exe). What’s also strange is that it uses Discord – a voice, text and video communications service popular among gamers – to send reports back to its author.
    Both forms of new ransomware are unusual, but both demonstrate that ransomware continues to be appealing to cyber criminals who see how the top gangs are making so much money, and want to do the same.
    Organisations can help protect themselves from ransomware attacks with cybersecurity procedures including applying patches and using multi-factor authentication.

  • FTC joins 38 states in takedown of massive charity robocall operation

    The US Federal Trade Commission (FTC) has closed down a huge charity fundraising scam that duped victims out of $110 million.

    The FTC said on Thursday that together with 46 agencies from 38 states, the organization was able to stamp out the telefunding operation, which has made an estimated 1.3 billion “deceptive” calls to at least 67 million US citizens. 
    According to the FTC, the communication “bombardment” consisted mainly of illegal robocalls; residents were told they would be funding charity projects related to firefighters, veterans, and children, and the group raised millions of dollars through these “deceptive solicitations.” 
    The complaint, filed in the US District Court for the Eastern District of Michigan, alleges that Associated Community Services (ACS) and associated defendants “knew that the organizations for which they were fundraising spent little or no money on the charitable causes they claimed to support,” and out of every dollar generated, the ACS and others kept as much as 90 cents. 
    Since at least 2008, the FTC says solicitations were made on behalf of “numerous organizations” that claimed to help homeless veterans, children with autism, house fire sufferers, breast cancer patients, and more.  
    ACS was also allegedly the main fundraiser for sham cancer charities that were shut down in 2015. ACS defendants have been the subject of 20 prior law enforcement actions over fundraising. 
    The complaint claims that US Telemarketing Sales Rule (TSR) violations were constant, in which soundboards were used to generate robocalls originating from the Philippines and India. In addition, the FTC says that the agency’s own regulations were broken alongside numerous state laws. 

    ACS was also charged with making harassing calls in the complaint. According to the agency, over 1.3 million phone numbers were called more than 10 times in a single week, and more than 500 numbers were called over 5,000 times. 
    ACS and sister companies Central Processing Services and Community Services Appeal, as well as their owners, have agreed to settle with the FTC over the charges. Under the terms of the settlement, pending court approval, the defendants will be banned from fundraising and from utilizing existing donor lists or conducting any kind of telemarketing. 
    Monetary judgments have been issued, but many are either partly or fully suspended because the defendants are unable to pay. 
    “Robocall technology such as soundboards allows users to reach a significant target population, and when utilized for deceptive or misleading practices — especially in charitable solicitations, it, unfortunately, means a significant number of potential victims,” commented Michigan Attorney General Dana Nessel. “We must take swift action to hold accountable those who are unlawfully using this technology to serve their own agendas and preying on unsuspecting, hardworking people.”

  • $100 in crypto for a kilo of gold: Scammer pleads guilty to investor fraud

    A Swedish citizen who promised investors huge returns in a gold and cryptocurrency investment scheme has pleaded guilty to securities fraud. 

    On Thursday, the US Department of Justice (DoJ) said Roger Nils-Jonas Karlsson pleaded guilty to securities fraud, wire fraud, and money laundering in a case that the agency says defrauded investors out of over $16 million. 
    The 47-year-old was the operator of Eastern Metal Securities (EMS), a now-defunct company that used a website to lure investors into participating in a scheme that promised incredible returns for their cryptocurrency. 
    According to the US agency, Karlsson offered investors a share of a “plan” that would eventually pay out in gold, a high-value commodity, from 2012 to 2019.
    For only $100 per share, each investor was promised an eventual return of 1.15 kg of gold, worth over $45,000 as of January 2019. Each share was purchased with cryptocurrency, including Bitcoin (BTC).
    Investors were also assured that in the event this return didn’t happen, they would receive 97% of their funds back.
    A second website was used to “delay” the moment investors in the “Pre Funded Reversed Pension Plan” (PFRPP) would realize they had been scammed, prosecutors claim, and Karlsson allegedly kept false and frequent dialogues going to this end.

    “For example, on one occasion, Karlsson explained that a payout had not occurred because releasing so much money all at once could cause a negative effect on financial systems throughout the world,” the DoJ says. “Karlsson also falsely represented that EMS was working with the US Securities and Exchange Commission (SEC) to prepare the way for a payout.”
    Investor cash was sent to Karlsson’s personal bank accounts, the DoJ says, where it was later used to purchase homes and a resort in Thailand. At least 3,575 investors parted with over $16 million. 
    The criminal complaint was issued against Karlsson and EMS on March 4, 2019.
    Karlsson, who went by at least six aliases, was arrested in Thailand on June 17, 2019, and extradited to the United States. Karlsson has pleaded guilty to all charges and the EMS website has been seized. 

    Karlsson faces a maximum sentence of 20 years in prison for the wire fraud and securities fraud charges, as well as a further 20 years behind bars for the money laundering charge. A maximum collective fine for the charges could reach $750,000. Forfeiture proceedings are ongoing. 


    Microsoft Exchange zero-day vulnerabilities exploited in attacks against US local governments

    An ongoing investigation into the active exploit of four Microsoft Exchange zero-day flaws has revealed attacks against local US government agencies. 

    On March 2, Microsoft warned that the four zero-day vulnerabilities — now tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — were being exploited by threat actors in the wild.  
    If abused, the vulnerabilities could be used to compromise servers running Exchange Server 2013, 2016, and 2019 software. 
    Microsoft has urged customers to immediately apply patches provided to fix the vulnerabilities, but as is often the case with the disclosure of zero-days, cyberattackers are quick to exploit them. 
    According to FireEye’s Mandiant Managed Defense cybersecurity team, a wave of attacks against US targets has been tracked that abuses the Exchange security flaws. 
    Among the latest victims are local government entities, an unnamed university, an engineering company, and a host of retailers in the United States. 
    This month, one threat actor was observed using at least one of the vulnerabilities to deploy a web shell on a vulnerable Exchange server in order to “establish both persistence and secondary access,” according to the team. In two cases, cyberattackers sought to delete existing administrator accounts on Exchange servers. 

    Credential theft, the compression of data for exfiltration, and the use of PowerShell to steal entire email inboxes were also recorded. Covenant, Nishang, and PowerCat tools are being used to maintain remote access. 
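    The behaviours described in the two paragraphs above (a web shell dropped on the Exchange server, deletion of administrator accounts, PowerShell used to pull whole mailboxes, and compression of data ahead of exfiltration) are the kind of post-exploitation activity a defender can triage from host logs while patching is under way. The Python below is an added example written for this page, not code from Mandiant, Microsoft or Kaspersky. Its log format, sample lines, and every host, user and file name are constructed; the patterns it looks for (an .aspx written under the Exchange front-end web root by the IIS worker process, Windows Security event 4726 for a deleted account, the New-MailboxExportRequest cmdlet, and archiver invocations) are general Windows/Exchange knowledge, not indicators taken from the reporting quoted here.

```python
"""First-pass triage of Exchange host logs for the post-exploitation behaviours
described in the reporting above. Added example; all sample data is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# Assumed (constructed) log shape: "<iso-timestamp> <source> <key=value ...>".
# The path fragment, event id and cmdlet below are general Windows/Exchange
# knowledge rather than indicators taken from the article.
RULES = [
    # An .aspx file created under the Exchange front-end web root by the IIS
    # worker process (w3wp.exe) is how a web shell typically lands on disk.
    ("web_shell_drop",
     re.compile(r"FileCreate .*Image=w3wp\.exe .*Exchange Server\\.*FrontEnd\\.*\.aspx$", re.I)),
    # Windows Security event 4726 = "a user account was deleted"; the campaign
    # deleted existing administrator accounts on compromised servers.
    ("admin_account_deleted",
     re.compile(r"EventID=4726 .*TargetUserName=\S*admin\S*", re.I)),
    # Exchange Management Shell cmdlet that exports an entire mailbox to a PST.
    ("mailbox_export",
     re.compile(r"New-MailboxExportRequest", re.I)),
    # An archiver adding files to a container: data being staged for exfiltration.
    ("archive_staging",
     re.compile(r"CommandLine=(?:[^ ]*\\)?(?:7z|rar|winrar)\.exe a ", re.I)),
]


def triage(lines):
    """Return one Finding per (rule, line) pair that matches; order follows the log."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
    return findings


def summarize(lines):
    """Return {rule: count} for a quick look at what a host's logs contain."""
    counts = {}
    for finding in triage(lines):
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


# Constructed sample log (hostnames, users and file names are placeholders).
# The 4624 logon and the readme.txt write are benign noise the rules must ignore;
# the final 4726 deletes a non-admin account and should not fire either.
SAMPLE_LOG = r"""
2021-03-03T10:12:01Z sysmon FileCreate Image=w3wp.exe TargetFilename=C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\EXAMPLE_shell.aspx
2021-03-03T10:15:44Z security EventID=4726 SubjectUserName=EXCH01$ TargetUserName=Administrator
2021-03-03T10:20:09Z powershell ScriptBlock=New-MailboxExportRequest -Mailbox example.user -FilePath \\EXCH01\c$\Temp\out.pst
2021-03-03T10:22:30Z sysmon ProcessCreate CommandLine=C:\Temp\7z.exe a C:\Temp\stage.7z C:\Temp\out.pst
2021-03-03T10:30:00Z security EventID=4624 TargetUserName=alice
2021-03-03T10:31:00Z sysmon FileCreate Image=msiexec.exe TargetFilename=C:\Program Files\Microsoft\Exchange Server\V15\Bin\readme.txt
2021-03-03T10:32:00Z security EventID=4726 SubjectUserName=hr.lead TargetUserName=intern07
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(f"[{finding.rule}] {finding.line}")
    print(summarize(SAMPLE_LOG.splitlines()))
```

    Run against the constructed sample, the script reports one hit for each of the four behaviours and stays silent on the benign lines. The patterns are deliberately narrow so that the example is readable; real telemetry (Sysmon, the Security log, PowerShell script-block logging) uses different field names and needs the regexes adapted, and a hit is a reason to investigate, not proof of compromise. None of this substitutes for applying the patches.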
    Mandiant added that the compromise of two other entities, a Southeast Asian government and a Central Asian telecommunications firm, may be related to this campaign. 
    “The activity we have observed, coupled with others in the information security industry, indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments,” Mandiant says. “This activity is followed quickly by additional access and persistent mechanisms.”
    Microsoft has previously attributed attacks to Hafnium, a Chinese state-sponsored advanced persistent threat (APT) group. The APT has been connected to assaults in the past against US defense firms, the legal sector, researchers, and think tanks. 
    Mandiant expects more clusters of intrusions to appear, a problem that will likely be ongoing until more vulnerable servers are patched. Kaspersky says that there is a high risk of ransomware and data theft. 
    Microsoft Exchange users are urged to update their software as quickly as possible.
    In related news this week, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive instructing federal agencies to immediately tackle the Microsoft Exchange vulnerabilities. 


    Cyberattack shuts down online learning at 15 UK schools

    Fifteen schools in the United Kingdom have been unable to provide online learning due to a cyberattack. 

    The schools, based in Nottinghamshire, belong to the Nova Education Trust co-operative. 
    On Wednesday, as reported by local publication NottinghamshireLive, several of the schools reported issues across social media and the need to close down the IT systems due to the cyberattack. 
    According to Nova Education Trust, a threat actor was able to access the trust’s central network infrastructure, and while an investigation took place, all existing phone, email, and website communication had to be taken offline. 
    Students are still learning remotely in England. Schools are set to reopen on March 8, but in the meantime, only a small subset of children are attending school physically, such as the children of key workers.
    The 15 schools impacted by the central cybersecurity incident were not able to provide typical remote learning, and teachers have been unable to upload learning materials. However, some of the schools have pivoted to SMS messages, temporary phone numbers, and Microsoft Teams to try to keep lesson disruption to a minimum. 
    Days later, IT teams are still working to restore the trust’s systems. While it is not known who is responsible, the incident highlights how centralized IT infrastructure, when compromised, can have a ripple effect on every institution relying on it.

    “The incident has been reported to the Department for Education and the Information Commissioner’s Office (ICO), and the trust is currently working with the National Cyber Security Centre (NCSC) and additional security professionals to resolve the matter,” Nova Education Trust said. “All trust employees have been advised to take the necessary precautions.”


    With its acquisition of Auth0, Okta goes all in on CIAM

    Yesterday, identity and access management (IAM) vendor Okta announced plans to acquire customer identity and access management (CIAM) vendor Auth0 for $6.5B in an all-stock transaction. Founded in 2013, Auth0 has been rapidly growing its developer-focused offering and has raised more than $330 million in venture financing. Based on Forrester’s estimates of Auth0’s annual revenue, this acquisition price is around an 80-100X revenue multiple, which is considerable and unprecedented in the IAM space. For reference, we estimated that Cisco’s acquisition of Duo in 2018 was around a 20X revenue multiple and was done as a cash transaction. With this purchase and valuation, Okta is raising its bet and going all in on CIAM. 
    Also: Okta and Auth0: A $6.5 billion bet that identity will warrant its own cloud

    In Forrester’s opinion, this high acquisition price reflects that: 
    Secure and easy-to-use digital experiences are a must going forward. Even before COVID-19 pushed many companies to all-digital customer interactions, organizations were investing heavily in building and optimizing digital experiences that provided a great user experience without sacrificing security or privacy. While companies may have previously tried this using homegrown or open-source offerings, the pace and velocity of digital transformation require companies to evaluate turnkey CIAM solutions that can be quickly integrated into existing architectures to support these new digital experiences. This deal reflects strong overall demand for solutions such as Auth0 that help deliver on this promise, and it positions Okta to leverage that growing demand. 
    The 2020 tech stock market rally is an M&A accelerant. Okta’s stock has doubled in the last year as it and many other tech-related companies rode a surge in demand due to changing work conditions caused by the COVID-19 pandemic. These higher stock valuations now give public companies the ability to pursue large deals using the higher stock value. As tech stock prices continue to surge, expect more M&A and more all-stock-type transactions. 
    Okta is under pressure to cater to developers in CIAM. With digital transformation accelerating, identity has become the cornerstone of customer acquisition, management, and retention — traditionally managed by digital product teams, business units, marketing organizations, and buyers’ internal application developers. Access to these organizations’ stakeholders and decision-makers (especially to the app developers) has always been Auth0’s strength. Auth0 gives Okta better access to this developer buying center that Okta has not been as successful reaching. 
    IAM and CIAM markets remain highly competitive, with a wide range of vendors such as ForgeRock, SAP, IBM, Ping Identity, Salesforce, Microsoft, and Akamai, to name a few.  

    While Okta has built a strong leadership position in workforce IAM, the success of this merger will depend on the following: 
    How successfully Okta can further integrate Auth0 with non-IAM and non-security solutions. In CIAM, integration with analytics, business intelligence, portals, and marketing solutions are critical to keep a CIAM platform relevant. Okta will have to expand its application ecosystem quickly to remain competitive and to support these new integrations. 
    How much of a premium customers are willing to pay for identity orchestration. Auth0 had a lot of success through its freemium platform offering, which gave developers easy access to CIAM capabilities. A key factor in the financial success of the acquisition will be Okta’s ability to convert these freemium Auth0 customers into revenue-generating customers, especially when some other vendors include orchestration for free. 
    How well Okta can apply Auth0 CIAM technology to its existing workforce IAM solution. Okta’s DNA has been providing employee access to cloud apps using its cloud portal — which traditionally has required little orchestration. As Okta expands into protecting legacy on-premises apps and replacing existing on-premises solutions from Broadcom/CA, Oracle, and IBM and starts to compete more with ForgeRock and Ping Identity, Auth0’s orchestration technology will be a critical building block. 
    How well Okta will tolerate and integrate Auth0’s completely different corporate culture. Auth0’s IAM approach has been original, innovative, and technology-led. Okta’s traditional approach has been business-, execution-, and financial-results-focused. As with many similar past IAM acquisitions, the acquiring company must retain the acquired vendor’s product management and engineering team and continue to innovate — which historically has been a challenging task for many acquisitions. 
    How quickly and well Okta will eliminate overlaps to provide the best single CIAM solution. When an acquisition happens, there are usually and naturally significant overlaps between the acquiring and acquired vendors’ solutions. In this case, passwordless authentication, multifactor authentication, and even some of Okta’s preexisting developer-centric APIs overlap with Auth0’s offering. Swiftly arriving at a unified, consolidated solution to minimize customer confusion and maximize Okta’s engineering performance is critical to success. 
    To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here. 
    This post was written by Principal Analyst Andras Cser, VP and Research Director Merritt Maxim, and Senior Analyst Sean Ryan, and it originally appeared here.