More stories


    CrowdStrike reports Q4 revenue of $431 million and $1.45 billion for full year

    CrowdStrike published its fourth-quarter financial results on Wednesday, beating market estimates with solid growth from subscription customers. CrowdStrike’s total Q4 revenue was $431 million, a 63% increase over a year prior. Non-GAAP net income came to $70.4 million, or 30 cents per share.

    The cybersecurity company added 1,638 net new subscription customers in the quarter, for a total of 16,325 subscription customers as of January 31, which represents 65% year-over-year growth. Subscription revenue was $405.4 million, a 66% increase. Analysts were expecting earnings of 20 cents per share on revenue of $412.3 million. CrowdStrike’s annual recurring revenue (ARR) increased 65% year-over-year to $1.73 billion as of January 31, of which $216.9 million was net new ARR added in the quarter. For the full year, revenue was $1.45 billion, a 66% increase, while non-GAAP net income was $160.7 million.

    “Net new ARR of $217 million in the quarter was a new all-time high, driven by expansion of our leadership in the core endpoint market as well as a record quarter for cloud, identity protection, and Humio,” said George Kurtz, CrowdStrike’s co-founder and chief executive officer. “As our record results, growing scale, and module adoption rates demonstrate, customers are increasingly leveraging the breadth and depth of the Falcon platform as they look to transform their security stack.”

    In addition to adding a record number of net new subscribers in the quarter, CrowdStrike reported solid growth in the share of subscribers adopting multiple modules: subscription customers that have adopted four or more, five or more, and six or more modules rose to 69%, 57%, and 34%, respectively, as of January 31. For the first quarter, the company expects total revenue between $458.9 million and $465.4 million. For the full year, it forecasts revenue between $2.13 billion and $2.16 billion.



    ServiceNow releases guidance on Access Control List misconfigurations

    ServiceNow has published guidance for its customers related to Access Control List (ACL) misconfigurations after an AppOmni security report found that 70% of the instances they tested had the issue. 


    In a report released on Wednesday, AppOmni explained that the common misconfigurations come from a “combination of customer-managed ServiceNow ACL configurations and overprovisioning of permissions to guest users.”

    A ServiceNow spokesperson told ZDNet that this is a “well-known” issue that happens when end users do not apply recommended configuration and governance controls to their SaaS platforms. “ServiceNow regularly publishes security configuration and best practice guidance to help our customers. We recommend that customers continuously monitor their security settings and user permissions to ensure that their instances are configured as intended, with an emphasis on permission levels for external users,” the spokesperson said.

    AppOmni said many major SaaS platforms have this issue because of how complex they are, and noted that misconfigurations can creep in during the initial implementation of a SaaS platform, when users or settings change, or as part of the regular cadence of SaaS updates that can alter existing configurations. AppOmni CEO Brendan O’Connor said securing SaaS is a lot more complicated than checking a handful of settings or enabling strong authentication for users. “SaaS platforms have become business operating systems because they are so flexible and powerful. There are many valid reasons for workloads and applications running on a SaaS platform to communicate externally, such as to integrate with emails and text messages or host a support portal for your customers,” O’Connor said. “SaaS adoption skyrocketed during the pandemic, but unfortunately, investments in people, processes, and technology to secure and monitor SaaS have not kept up. In AppOmni’s experience, significant data exposures like this are far more common than customers realize.”

    Many companies use role-based access control (RBAC) to grant users permissions to resources on a SaaS platform, and the challenge, according to AppOmni, is keeping the level of access right when organizations update or customize SaaS applications or onboard new users. AppOmni offensive security researcher Aaron Costello said ServiceNow external interfaces exposed to the public could allow a malicious actor to extract data from records.

    “The high degree of flexibility in modern SaaS platforms has made misconfiguration one of the largest security risks businesses currently face,” said Brian Soby, CTO of AppOmni. “Our goal is to shed light on common misconfigurations and other potential risks in SaaS platforms so users can ensure their system posture and configuration matches their business intent.”
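The kind of check the ServiceNow and AppOmni guidance points to, as an added example that is not part of this article, ServiceNow's ACL engine or AppOmni's tooling: given a table-level ACL rule set, enumerate what an unauthenticated guest can read and diff that against the tables the business intends to be public. The ACL model is a simplification (the rule precedence, the "public" role name for guests and default-deny are all assumptions), and the tables and rules are constructed for the example rather than taken from any real instance.

```python
"""Audit a simplified table-level ACL rule set for what an unauthenticated guest can read.

Added example, not ServiceNow's ACL engine or AppOmni's tooling. Assumed model:
- a rule is (table, operation, required roles); a rule with an empty role set grants everyone;
- rules on a named table are more specific than wildcard "*" rules and, when present, are the
  only ones considered for that table (an assumed precedence, not a statement about ServiceNow);
- an unauthenticated guest carries only the assumed role name "public";
- a table with no applicable rule is denied (assumed default-deny).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    table: str            # e.g. "incident", or "*" for all tables
    operation: str        # "read", "write", "create", "delete"
    roles: frozenset      # roles that satisfy the rule; empty means anyone, guests included


GUEST = frozenset({"public"})   # assumed role set of an unauthenticated user


def applicable_rules(rules, table, operation):
    """Rules that decide `operation` on `table`: exact-table rules if any exist, else wildcard rules."""
    exact = [r for r in rules if r.table == table and r.operation == operation]
    if exact:
        return exact
    return [r for r in rules if r.table == "*" and r.operation == operation]


def allowed(rules, table, operation, user_roles):
    """A principal passes if at least one applicable rule is open (no roles) or shares a role with them."""
    decisive = applicable_rules(rules, table, operation)
    if not decisive:
        return False            # default-deny when nothing matches (assumption)
    return any(not r.roles or (r.roles & user_roles) for r in decisive)


def guest_readable(rules, tables):
    """Every table an unauthenticated guest can read under the rule set, sorted by name."""
    return sorted(t for t in tables if allowed(rules, t, "read", GUEST))


def unexpected_guest_reads(rules, tables, intended_public):
    """Guest-readable tables the business did not intend to expose: the misconfigurations to fix."""
    return [t for t in guest_readable(rules, tables) if t not in intended_public]


# Constructed sample instance (hypothetical tables and rules, not from any real tenant).
TABLES = ["incident", "kb_knowledge", "sys_user", "cmdb_ci", "sys_attachment"]
RULES = [
    Rule("*", "read", frozenset({"itil", "admin"})),           # baseline: staff roles only
    Rule("kb_knowledge", "read", frozenset()),                 # public knowledge base: intentional
    Rule("sys_user", "read", frozenset({"public", "itil"})),   # guest granted read on users: misconfiguration
    Rule("sys_attachment", "read", frozenset()),               # open rule on attachments: misconfiguration
    Rule("cmdb_ci", "write", frozenset({"itil"})),             # a write rule says nothing about read
]
INTENDED_PUBLIC = {"kb_knowledge"}

if __name__ == "__main__":
    for table in unexpected_guest_reads(RULES, TABLES, INTENDED_PUBLIC):
        print(f"guest can read {table} but it is not on the intended-public list")
```

The useful output is the diff against business intent, not the raw list of open tables: a public knowledge base is supposed to be readable by guests, so the audit only flags what the intended-public list does not cover. On a real instance the rule set would be exported from the platform and the model replaced by its actual evaluation semantics.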


    Smartphone malware is on the rise, here's what to watch out for

    There’s been a surge in mobile malware attacks as cyber criminals ramp up their attempts to deliver malicious text messages and applications to users in order to steal sensitive information including passwords and bank details. Cybersecurity researchers at Proofpoint say they detected a 500% jump in attempted mobile malware attacks during the first few months of 2022, with significant peaks at the beginning and end of February. 


    The main aim of a substantial proportion of mobile malware is to steal usernames and passwords for email or bank accounts, but many strains also carry invasive snooping capabilities to record audio and video, track the user’s location, or even wipe content and data. As mobile malware evolves, more attacks employ these advanced capabilities.

    Both iPhones and Android smartphones are targets, but the researchers note that the more open nature of the Android ecosystem, and the ability to install apps from third-party app stores, makes devices running Google’s operating system more exposed to compromise. Users of either platform can also fall victim to SMS phishing (smishing): text messages carrying links designed to trick them into entering bank details or login credentials into a fake website the attackers control. Common lures include fake missed-delivery notifications and fake alerts related to the COVID-19 pandemic.

    One of the most notorious families is FluBot, active since November 2020 and designed to steal usernames and passwords for banks and other sites the user visits. What makes FluBot so potent is its worm-like spreading: it reads the infected user’s address book and sends SMS messages to their contacts, and that self-propagation is the reason for the name. Another family causing problems is TangleBot. Described as “powerful but elusive,” TangleBot first appeared in 2021 and is delivered mainly via fake package-delivery notifications. In addition to stealing sensitive information and controlling the device, it can overlay other mobile apps and intercept camera footage and audio recordings.

    Other mobile threats detailed by Proofpoint include Moghau, SMS-based malware that runs multilingual campaigns with fake landing pages tailored to the victim’s country to trick them into downloading a trojan, and TianySpy, which targets both Apple and Android users and spreads via messages purporting to come from the victim’s mobile network operator.

    Although the number of detected mobile attacks has declined since last month’s surge, mobile malware remains a threat, and researchers warn that many people are not aware of the danger posed by phishing or malware aimed at smartphones. Researchers recommend that users be wary of any unexpected or unrequested message containing links or requests for data.

    “Consumers need to be very skeptical of mobile messages that come from unknown sources. And it’s important to never click on links in text messages, no matter how realistic they look. If you want to contact the purported vendor sending you a link, do so directly through their website and always manually enter the web address/URL,” said Jacinta Tobin, vice president of Cloudmark operations for Proofpoint. “It’s also vital that you don’t respond to strange texts or texts from unknown sources. Doing so will often confirm you’re a real person to future scammers,” she added.

    Advice from the National Cyber Security Centre says users who receive a suspected malicious text message should not click the link or install any apps if prompted. Instead, they are urged to forward the message to 7726, the free spam-reporting service run by phone operators, and then delete the message.


    UPS flaws allow for remote code execution and remote fire-based interruptions

    Security researchers at Armis have detailed a trio of vulnerabilities in the Smart-UPS devices sold by Schneider Electric subsidiary APC that allow for unnoticed remote code execution, replacement of the firmware, and potentially burning out the entire unit. As is typical in 2022, the flaws stem from a combination of a flawed TLS implementation and the fact that newer devices can be controlled through a cloud-based system. “Since the TLS attack vector can originate from the internet, these vulnerabilities can act as a gateway to the internal corporate network. Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall,” Armis said. “They can then remotely update the UPS firmware and use the UPS as the entry point for a ransomware attack or any other type of malicious operation.”

    When a TLS connection hits an error, rather than closing the connection as the authors of the Mocana nanoSSL library recommend, APC’s firmware ignores some of the errors, which leaves the connection open and the library in a state it was not built to handle. “Ignoring the nanoSSL library errors causes the UPS to cache the TLS key in its uninitialized state,” Armis said. “When an attacker uses the TLS resumption functionality, the uninitialized key (all zero) is fetched from the cache and the attacker can communicate with the device as if it was a genuine Schneider Electric server. As a seemingly verified server, the attacker can issue a firmware upgrade command and remotely execute code over the UPS device.”

    Additionally, all Smart-UPS devices use the same symmetric key for encrypting and decrypting firmware, and it can be extracted from the devices. As a bonus, the devices do not check whether firmware is signed, allowing attackers to persist on the device. In the words of the Bloodhound Gang: We don’t need no water.

    On the extreme physical end of the equation, replacing the firmware allows an attacker to bypass software-based physical protections, such as a short-circuit alert that turns off the UPS. “By using our RCE vulnerability we were able to bypass the software protection and let the current spike periods run over and over until the DC link capacitor heated up to ~150 degrees celsius (~300F), which caused the capacitor to burst and brick the UPS in a cloud of electrolyte gas, causing collateral damage to the device,” the researchers state in a white paper [PDF]. “The exploitation risk is no longer limited to the IT world — an attacker can turn the UPS to a physical weapon. From a cyber security point of view, these kinds of systems must be handled as a flammable substance that sits in the heart of an organization.”

    Armis recommends that users install the patches from Schneider Electric, and deploy access control lists so that the UPS can only communicate, over encrypted connections, with a small set of management devices and the Schneider Electric cloud. If the device has a network management card, Armis recommends changing the default password from “apc” and installing a publicly-signed certificate to prevent password sniffing. The security company said it believes 80% of organisations are vulnerable, with over 92% of healthcare organisations having a vulnerable device and retail just behind on 89%.

    Updated at 3:52pm AEST, 9 March 2022: Clarified technical information.
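A toy reproduction of the state-confusion failure mode Armis describes, added here as an example and not taken from APC firmware, nanoSSL or Armis's write-up: the session cache is populated even when the handshake reported an error, so a resumed session carries the predictable all-zero key, and a peer that failed certificate verification can authenticate commands. The fixed variant closes the connection and caches nothing. The one-step handshake, the cache and the HMAC command tag are stand-ins for the real TLS machinery, and every name and message below is hypothetical.

```python
"""Toy model of the TLS state-confusion bug Armis describes, with the fix beside it.

Added example, not APC firmware, nanoSSL or Armis code. Assumptions: the handshake is reduced
to one step (certificate verification) that either succeeds or returns an error; a session's
key is zero-filled until the handshake completes (standing in for uninitialised memory);
resumption means looking a session up in a cache by ID; commands are authenticated with an
HMAC under the session key (a stand-in for TLS record protection). All names are hypothetical.
"""
import hashlib
import hmac
import os

KEY_LEN = 32
ZERO_KEY = bytes(KEY_LEN)        # the "uninitialised" key value an attacker can predict


class Session:
    def __init__(self, session_id):
        self.session_id = session_id
        self.key = ZERO_KEY      # only replaced when the handshake actually completes
        self.verified = False


def handshake(session, peer_cert_valid):
    """Models the library: returns None on success or an error code the caller must act on."""
    if not peer_cert_valid:
        return "ERR_CERT_VERIFY"
    session.key = os.urandom(KEY_LEN)
    session.verified = True
    return None


class Ups:
    def __init__(self, ignore_tls_errors):
        self.ignore_tls_errors = ignore_tls_errors   # True reproduces the bug, False the fix
        self.cache = {}

    def connect(self, session_id, peer_cert_valid):
        """Full handshake. The bug is caching the session even after handshake() reported an error."""
        s = Session(session_id)
        err = handshake(s, peer_cert_valid)
        if err is not None and not self.ignore_tls_errors:
            return err                 # fixed behaviour: close, cache nothing
        self.cache[session_id] = s     # vulnerable path: a session with a zero key is now resumable
        return err

    def resume_and_run(self, session_id, command, tag):
        """Resumption: trust the cached session and accept the command if its tag verifies."""
        s = self.cache.get(session_id)
        if s is None:
            return False
        expected = hmac.new(s.key, command, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def forge_tag(command):
    """What an attacker who knows the cached key is all zero computes without any secret."""
    return hmac.new(ZERO_KEY, command, hashlib.sha256).digest()


def attack(ignore_tls_errors):
    """Attacker presents a certificate that fails verification, then resumes and sends a firmware command."""
    ups = Ups(ignore_tls_errors)
    sid = b"attacker-chosen-session-id"
    ups.connect(sid, peer_cert_valid=False)
    command = b"FIRMWARE_UPGRADE"
    return ups.resume_and_run(sid, command, forge_tag(command))


def genuine_cloud_still_works(ignore_tls_errors):
    """Control case: a valid peer gets a random key, so the zero-key forgery fails and the real tag passes."""
    ups = Ups(ignore_tls_errors)
    sid = b"cloud-session-id"
    ups.connect(sid, peer_cert_valid=True)
    command = b"FIRMWARE_UPGRADE"
    forged_rejected = not ups.resume_and_run(sid, command, forge_tag(command))
    real_tag = hmac.new(ups.cache[sid].key, command, hashlib.sha256).digest()
    return forged_rejected and ups.resume_and_run(sid, command, real_tag)


if __name__ == "__main__":
    print("errors ignored  -> forged firmware command accepted:", attack(True))
    print("errors honoured -> forged firmware command accepted:", attack(False))
```

The control case is the point: the cryptography is not what fails, the error handling around the cache is. Once the handshake has completed, the random key makes the forgery fail, so the fix is never to publish a session to the resumption cache until the library has reported success, and to tear the connection down on any error instead of carrying on in a state the library does not define.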


    Cloudflare and Akamai refuse to pull services out of Russia

    Cloudflare and Akamai have each confirmed they will continue to operate in Russia, despite being urged to do otherwise. Both companies argue that pulling their services would hurt Russian citizens trying to reach information from outside the country, while saying they condemn Russia’s unprovoked invasion of Ukraine.

    Cloudflare CEO Matthew Prince wrote in a blog post acknowledging that the company has received “several calls to terminate” all of its services inside Russia, including from government. “Our conclusion … is that Russia needs more internet access, not less,” he said. “As the conflict has continued, we’ve seen a dramatic increase in requests from Russian networks to worldwide media, reflecting a desire by ordinary Russian citizens to see world news beyond that provided within Russia.”

    He continued: “Indiscriminately terminating service would do little to harm the Russian government, but would both limit access to information outside the country, and make significantly more vulnerable those who have used us to shield themselves as they have criticized the government”. Prince also said that if Cloudflare were to stop operating in Russia, the Russian government would “celebrate us shutting down”. “We absolutely appreciate the spirit of many Ukrainians making requests across the tech sector for companies to terminate services in Russia. However, when what Cloudflare is fundamentally providing is a more open, private, and secure Internet, we believe that shutting down Cloudflare’s services entirely in Russia would be a mistake,” he said.

    A similar sentiment was echoed by Akamai, which said that deliberately maintaining its network presence in Russia means it can continue to support customers. “This supports our global customers, including many of the world’s largest news services, social networks, and democratic government institutions, as they endeavor to provide vital and accurate information to all corners of the globe, including to the citizens of Russia,” the company said. Despite the decision to stay, Akamai said it will suspend all sales efforts in Russia and Belarus; terminate business with state-majority-owned Russian and Belarusian customers; comply with all applicable sanctions; and address humanitarian needs through the Akamai Foundation. The company said it has also made its products and cybersecurity teams available to Ukrainian government agencies to help “keep the country’s citizens protected and connected to the information they need to defend their country”.

    Meanwhile, Cloudflare has joined forces with CrowdStrike and Ping Identity to launch what is being dubbed a critical infrastructure defense project, under which the trio will provide free cybersecurity services and support for four months to help eligible organisations in the US, namely hospitals, energy utilities, and water utilities, ramp up their cybersecurity defences. Under the project, organisations will have access to the full suite of Cloudflare Zero Trust solutions, endpoint protection and intelligence services from CrowdStrike, and Zero Trust identity solutions from Ping Identity. A roadmap of step-by-step security measures to help businesses defend themselves from cyber attacks will also be available to all businesses in any industry as part of the project.

    “We rely on our infrastructure to power our homes, to provide access to water and basic necessities, and to maintain critical access to healthcare. That’s why it’s more important than ever for the security industry to band together and ensure that our most critical industries are protected and prepared,” Prince said. The move to ramp up cybersecurity defences is in response to the US Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, issuing a “Shields Up” advisory last month urging all US businesses to prepare for heightened cyber risk in light of the Russian invasion of Ukraine.

    In further updates on its response to the invasion of Ukraine, Meta said it will now hide information about followers and following for private Instagram accounts based in Ukraine and Russia. “This means that people following private accounts based in Ukraine and Russia will no longer be able to see who those accounts are following, or who follows them. We’re also not showing these accounts in other people’s follower or following lists, or in our ‘mutual follows’ feature,” the company said. Instagram stories that contain a link sticker pointing to a Russian state-controlled media website will also be demoted and labelled to let people know where the link leads, Meta said. These steps are in addition to a range of efforts the company announced last week to limit the spread of content from Russian state-backed media outlets.



    Microsoft's latest Windows patches fix the bug causing user data not to be erased

    Microsoft’s latest round of Patch Tuesday fixes includes a fix for a bug that could result in some user data not being erased after a Windows 10 or Windows 11 PC reset. That issue, originally discovered by Microsoft Most Valuable Professional Rudy Ooms in late February, resulted in some user data still being readable in the “Windows.old” folder after completing a remote or local wipe of a Windows 10 or 11 device. This issue affected Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; and Windows 10, version 20H2. Microsoft published a suggested workaround, which involved signing out from or unlinking OneDrive before resetting a Windows device. But today’s patches for Windows 11 and Windows 10 fix the issue outright.

    Microsoft’s note about the fixes for this failure-to-erase-data issue says “some devices might take up to seven (7) days after you install this update to fully address the issue and prevent files from persisting after a reset. For immediate effect, you can manually trigger Windows Update Troubleshooter using the instructions in Windows Update Troubleshooter.”

    Microsoft also rolled out today, March 8, an update for the Windows Subsystem for Android on Windows 11. This update, version 2203.40000.1.0 from the Microsoft Store, is available to Insiders in all channels (Dev, Beta, and Release Preview). The Windows Subsystem for Android, along with the Amazon Appstore, is what enables users to run a selection of Android games and apps on Windows 11. Today’s update includes support for H.264 video hardware decoding, various networking changes, better integration between the subsystem and various Windows email clients, improved scrolling in the Amazon Appstore and Kindle apps, and more.

    Today’s Patch Tuesday fixes and updates should also bring to Windows 11 users some of the new features that Microsoft began rolling out in preview a couple of weeks ago, including the aforementioned Android apps on Windows. Mainstream (non-Insider) customers have been able to manually download the handful of new Windows 11 features since February 15.



    Utah inches closer to becoming fourth state to pass privacy law

    Last week, the Utah House of Representatives unanimously passed a consumer privacy bill — the Utah Consumer Privacy Act — moving it one step closer to becoming the fourth state to enact privacy legislation in the US. The bill will head back to the Utah Senate, where it was passed earlier this year. Officials there need to decide whether they will accept the amendments added by House members before it heads to the desk of Utah Governor Spencer Cox. Cox did not respond to requests for comment about whether he will sign the bill if it makes it to his desk.  

    The Utah Consumer Privacy Act applies to companies with annual gross revenue of $25 million or more that conduct business in Utah or produce goods or services targeted to Utah residents, and only to businesses that “control or process” the personal information of 100,000 or more Utah residents or “derive over 50% of its gross revenue from the sale of personal data and controls or processes personal data of at least 25,000 residents.”

    The bill would take effect in December 2023 and would give Utah residents the rights of notice, access, portability, and deletion, but not a right of correction. There are also exemptions for certain businesses. It includes an opt-out section that lets people deny companies the right to target them with advertising or sell their personal information. But the bill still allows companies to conduct automated profiling and largely excludes employee data as well as any data shared between businesses. There is an opt-out provision for “sensitive” information that also forces companies to notify customers if they are collecting biometric or genetic data, health information, citizenship data, sexual orientation, racial origin, or religious beliefs.

    Like the other US state privacy laws, enforcement is handled by the Utah Attorney General’s office, and the bill controversially does not allow a private right of action. The Utah Department of Commerce Division of Consumer Protection will investigate companies based on consumer complaints before handing cases to the Attorney General’s office. Dan Clarke, a US privacy law expert who has been consulted by lawmakers in multiple states on potential privacy legislation, told ZDNet that the Utah bill is modeled on Virginia’s law, even though it does not include a requirement for data protection assessments and is silent on honouring the Global Privacy Control signal.

    “Laws like Utah that follow in the footsteps of Virginia are a good step towards consumer privacy at the state level, but they are generally more business-friendly and less restrictive. Many of the laws have a predominately opt-out mindset and have lower penalties, especially for non-compliance by companies that are endeavoring to try their best,” Clarke said. “There is nothing really groundbreaking in the Utah Consumer Privacy Act. UCPA’s passage really just cements the trend that’s been proliferating across legislatures in 2022, most of which follow Virginia as a template. One element that is unique is a provision for the attorney general to propose changes after an ‘enforcement assessment,’ but that won’t happen until 2025.”

    Consumer Reports senior policy analyst Maureen Mahoney said the bill is “far too weak to protect consumers” and added that Consumer Reports has urged the Governor to veto the measure. “It’s important that any privacy law is workable for consumers — that at the very least, as in California, they can opt out of the sale of their personal information at all companies in a single step, rather than having to hunt through hundreds if not thousands of sites one-by-one, looking for a way to opt out,” Mahoney said. “And the definitions should cover targeted advertising, so that consumers can meaningfully opt out. Unfortunately, Utah’s bill is even weaker than Virginia’s industry-friendly measure, which lacked these key elements. Utah’s measure does not have opt-in rights for sensitive data, has a weaker opt-out, and an even weaker enforcement scheme.” Mahoney added, “All of this means that consumers won’t be able to control their data. It’s a victory for companies like Google and Facebook.”

    Lisa Sotto, head of the global privacy and cybersecurity practice at law firm Hunton Andrews Kurth, explained that the Utah law differs from the Virginia law in that it lacks a correction right, which she said is out of step with global data protection laws, and provides an opt-out, rather than opt-in, right for the use of sensitive data, which is also defined more narrowly than in the Virginia law. “The Utah law is privacy protective but also reasonably business friendly. This is a welcome development in light of the current plethora of comprehensive privacy laws in the US, with a high likelihood of more to come,” she said. “Companies that have complied with the other three state privacy laws, whose effective dates precede that of the Utah law, are well-positioned to readily comply with the Utah requirements. It should be a relatively simple exercise to comply with the Utah law once a framework is in place for California, Virginia, and Colorado compliance.”

    The Utah legislation follows privacy laws enacted in Virginia and Colorado in 2021, as well as multiple laws in California over the last three years. Several states have spent years attempting to pass their own privacy laws because of the lack of movement on privacy legislation at the federal level. New York, Texas, Washington, and dozens of other states have struggled to push their privacy laws through because of backlash from businesses that complain the bills will create a significant amount of extra work for effectively any business with a website.

    Clarke, president at privacy company IntraEdge, said Washington just narrowly advanced its privacy bill out of the House appropriations committee, while bills in Indiana, Wisconsin, Oklahoma, and Florida are all currently cross-chamber and advancing rapidly. “I think Utah’s quick movement is more a result of off-screen negotiation to level the bill and unify after the 2021 debates with consumer advocate groups for a more comprehensive bill with private right of action, and opt-in didn’t yield the results they wanted,” Clarke said. “The key stakeholders that wanted a more comprehensive law joined a coalition deciding that something is better than nothing. This bill is a compromise between aggressive consumer privacy advocates and business-friendly supporters that was pre-wired.”


    Microsoft March 2022 Patch Tuesday: 71 vulnerabilities fixed

    Microsoft has released 71 security fixes for its software, including 41 patches for Microsoft Windows vulnerabilities, five for Microsoft Office and two for Microsoft Exchange.

    Two of the vulnerabilities are rated critical, CVE-2022-22006 and CVE-2022-24501, while the rest are rated important. In the Redmond giant’s latest round of patches, released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed remote code execution (RCE) vulnerabilities, denial of service bugs, privilege escalation bugs, spoofing issues, information leaks, and security feature bypasses. None of the vulnerabilities is known to be actively exploited, but Sophos noted that a public proof-of-concept has been released for CVE-2022-21990. Products affected by March’s update include Exchange, Visual Studio, the Xbox app for Windows, Intune, Microsoft Defender, Express Logic, Azure Site Recovery, and the Chromium-based Microsoft Edge browser, which had 21 vulnerabilities.

    SophosLabs summarised the breakdown in a Twitter thread on March 8, 2022:
    • Microsoft Windows: 41 vulnerabilities
    • Microsoft Office: 5 vulnerabilities
    • Microsoft Exchange: 2 vulnerabilities

    Some of the other vulnerabilities of interest in this update are:
    • CVE-2022-24502: Internet Explorer Security Feature Bypass Vulnerability
    • CVE-2022-24508: SMB Server Remote Code Execution Vulnerability
    • CVE-2022-24512: .NET and Visual Studio Remote Code Execution Vulnerability
    • CVE-2022-21990: Remote Desktop Client Remote Code Execution Vulnerability
    • CVE-2022-23277: Microsoft Exchange Server Remote Code Execution Vulnerability
    • CVE-2022-24459: Windows Fax and Scan Service Elevation of Privilege Vulnerability

    Microsoft also announced a slate of updates to Windows 11 on Tuesday. Recorded Future’s Allan Liska noted that Microsoft labeled CVE-2022-21990 as “Exploitation More Likely” because proof-of-concept code is publicly available. “In order to exploit this vulnerability, the attacker must control the Remote Desktop Server that the client is connected to and launch the attack from there,” Liska said. “We have seen a number of similar vulnerabilities against the Remote Desktop Client over the last few years, none of which have been widely exploited in the wild. Even though previous vulnerabilities of this type have not been widely exploited, that doesn’t mean this one won’t be.” Liska added that CVE-2022-24501 and CVE-2022-22006 can be exploited if an attacker convinces a victim to download a “specially crafted file” that triggers the vulnerability when it is opened. “This is the kind of attack that a sophisticated phishing campaign could easily carry out,” Liska explained.

    In February, the tech giant released 48 security fixes, including a patch for a zero-day bug but no critical-severity flaws. Cisco and Google also published security updates on Tuesday.