More stories


    SentinelOne brings in $56 million for Q3, reports more than 6,000 customers

    SentinelOne on Tuesday published its third quarter financial results, beating market estimates thanks to solid growth in customers with an annualized recurring revenue (ARR) over $100,000. The autonomous cybersecurity company’s total Q3 revenue was $56 million, a 128% increase over a year prior. Non-GAAP net loss per share came to 15 cents. ARR for Q3 was $237 million, a 131% year-over-year increase. Analysts were expecting a loss per share of 18 cents on revenue of $49.58 million. Shares fell in after-hours trading by more than 10%.

    The company did not provide specific numbers of total customers, but it said it grew more than 75% year-over-year to over 6,000 customers. Customers with ARR over $100,000 grew 140% year-over-year to 416.

    For the fourth quarter, the company expects total revenue in the range of $60 million to $61 million. For the full fiscal year, the company expects $199 million to $200 million.

    “Our business is performing extremely well. Q3 marks the third consecutive quarter of triple digit ARR growth,” said Tomer Weingarten, CEO of SentinelOne. “We continued to make progress across all aspects of our growth strategy outlined during the IPO.”



    Google announces lawsuit and action against blockchain botnet Glupteba

    Google announced this morning that it disrupted the command and control infrastructure of Russia-based Glupteba, a blockchain-backed botnet being used to target Windows machines. Google vice president of security Royal Hansen and general counsel Halimah DeLaine Prado wrote in a blog post on Tuesday that the company’s Threat Analysis Group has been tracking Glupteba for months and decided to take technical actions against the group as well as legal ones. Google filed a lawsuit against the blockchain-enabled botnet — litigation they called the first of its kind — hoping to “create legal liability for the botnet operators, and help deter future activity.”

    “After a thorough investigation, we determined that the Glupteba botnet currently involves approximately one million compromised Windows devices worldwide, and at times, grows at a rate of thousands of new devices per day,” the two wrote. “Glupteba is notorious for stealing users’ credentials and data, mining cryptocurrencies on infected hosts, and setting up proxies to funnel other people’s internet traffic through infected machines and routers.”

    Google noted that while they were able to disrupt key Glupteba command and control infrastructure, the actions may prove to be temporary considering the group’s “sophisticated architecture and the recent actions that its organizers have taken to maintain the botnet, scale its operations, and conduct widespread criminal activity.” They believe the legal action will help make it harder for the group to take advantage of other devices. The lawsuit names Dmitry Starovikov and Alexander Filippov but notes that other unknown actors are involved.

    The lawsuit was filed in the Southern District of New York and the two are being sued for computer fraud and abuse, trademark infringement, and more. Google also filed for a temporary restraining order, an attempt to “create real legal liability for the operators.”

    But Google was also honest about the fact that the group’s use of blockchain technology made the botnet resilient. They also noted that more cybercrime organizations are taking advantage of blockchain technology, which allows botnets to recover more quickly because of their decentralized nature. Shane Huntley and Luca Nagy, members of Google’s Threat Analysis Group, explained in a blog post that Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, and deploy and operate proxy components targeting Windows systems and IoT devices.

    “TAG has observed the botnet targeting victims worldwide, including the US, India, Brazil, Vietnam, and Southeast Asia. The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS),” the two wrote. “For a period of time, we observed thousands of instances of malicious Glupteba downloads per day. The following image shows a webpage mimicking a software crack download which delivers a variant of Glupteba to users instead of the promised software.”

    The team and others at Google terminated around 63 million Google Docs observed to have distributed Glupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with Glupteba distribution. About 3.5 million users were warned before downloading a malicious file through Google Safe Browsing warnings, according to Huntley and Nagy. They noted that they also worked with CloudFlare on the disruption efforts. As part of their investigation, Google used Chainalysis products and investigative services to investigate the botnet.

    Erin Plante, Chainalysis senior director of investigative services, told ZDNet that the botnet has two main cryptocurrency nexuses: cryptojacking and a previously unknown tactic used to evade shutdown. Plante explained that Glupteba’s operators used the machines they compromised for several criminal schemes, including utilizing their computing power to mine cryptocurrency. According to Plante, Glupteba also used the Bitcoin blockchain to encode updated command-and-control (C2) servers into the OP_RETURN fields of Bitcoin transactions, meaning that whenever one of Glupteba’s C2 servers was shut down, the malware could simply scan the blockchain to find the new C2 server domain address, which was hidden amongst the hundreds of thousands of daily Bitcoin transactions worldwide.

    Most takedown techniques involve disabling C2 server domains, making this Glupteba botnet tactic particularly difficult to contend with. Plante said this was the first known case of a botnet using this approach. She added that the investigation revealed cryptocurrency transactions originating in Federation Tower East, a luxury office building in Moscow where many cryptocurrency businesses known to launder criminal funds are headquartered.

    “Glupteba’s blockchain-based method of avoiding the shutdown of its botnet represents a never-before-seen threat vector for cryptocurrencies. In the private sector, cryptocurrency businesses and financial institutions have thus far typically been the ones tackling cases involved in blockchain analysis, usually from an AML/CFT compliance perspective,” Plante said. “But this case shows that cybersecurity teams at virtually any company that could be a target for cybercriminals must understand cryptocurrency and blockchain analysis in order to stay ahead of cybercriminals.”
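    The OP_RETURN mechanism Plante describes is what makes this resilience possible: an OP_RETURN output is provably unspendable, so its script exists only to carry arbitrary bytes, and anyone (the malware or an analyst) can read them back by walking a transaction's outputs. The following is an added example, not code from the page, Google or Chainalysis, that shows the analyst side of that: it parses a raw legacy Bitcoin transaction, pulls out every OP_RETURN payload, and flags payloads that decode to a plain hostname. The sample transaction is constructed inline; the `looks_like_domain` heuristic is an assumption standing in for whatever encoding Glupteba actually used, which the page does not describe.

```python
import re
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
OP_PUSHDATA4 = 0x4E


def read_varint(buf: bytes, pos: int):
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def encode_varint(n: int) -> bytes:
    """Inverse of read_varint, used only to build the constructed sample transaction."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def parse_outputs(raw: bytes):
    """Walk a legacy (non-SegWit) serialized transaction; return [(value_sat, scriptPubKey)]."""
    pos = 4  # 4-byte version
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 32 + 4  # previous txid + output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4  # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    return outputs


def op_return_payload(script: bytes):
    """Return the bytes pushed after OP_RETURN, or None if this is not a data-carrying OP_RETURN script."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op = script[1]
    if 1 <= op <= 75:                 # direct push: opcode is the byte count
        start, length = 2, op
    elif op == OP_PUSHDATA1:
        start, length = 3, script[2]
    elif op == OP_PUSHDATA2:
        start, length = 4, struct.unpack_from("<H", script, 2)[0]
    elif op == OP_PUSHDATA4:
        start, length = 6, struct.unpack_from("<I", script, 2)[0]
    else:
        return None                   # OP_RETURN without a data push
    return script[start:start + length]


def extract_op_return_payloads(raw_hex: str):
    """All OP_RETURN payloads in a raw transaction hex string, in output order."""
    return [p for _, s in parse_outputs(bytes.fromhex(raw_hex))
            if (p := op_return_payload(s)) is not None]


# Assumption: a plain hostname in the payload. Real samples may be encrypted or encoded;
# the page does not say how Glupteba encoded its C2 address, so this is only a stand-in.
DOMAIN_RE = re.compile(rb"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def looks_like_domain(payload: bytes) -> bool:
    return DOMAIN_RE.match(payload.strip()) is not None


def build_sample_tx(payloads) -> str:
    """Constructed sample: one dummy input, one P2PKH-style output, one OP_RETURN output per payload."""
    tx = struct.pack("<i", 1) + encode_varint(1)
    tx += b"\x11" * 32 + struct.pack("<I", 0)      # fake previous outpoint
    tx += encode_varint(0) + struct.pack("<I", 0xFFFFFFFF)  # empty scriptSig, sequence
    p2pkh = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"
    outs = [struct.pack("<q", 50_000) + encode_varint(len(p2pkh)) + p2pkh]
    for p in payloads:
        push = bytes([len(p)]) if len(p) <= 75 else bytes([OP_PUSHDATA1, len(p)])
        script = bytes([OP_RETURN]) + push + p
        outs.append(struct.pack("<q", 0) + encode_varint(len(script)) + script)
    tx += encode_varint(len(outs)) + b"".join(outs) + struct.pack("<I", 0)
    return tx.hex()


if __name__ == "__main__":
    sample = build_sample_tx([b"c2-update.example.invalid", b"\x00\x01\x02"])
    for payload in extract_op_return_payloads(sample):
        print(payload, "<- hostname-like" if looks_like_domain(payload) else "<- opaque")
```

    In practice an analyst would feed this the raw transactions spent from wallet addresses already tied to the botnet rather than scanning the whole chain, and would treat any recurring OP_RETURN writer as an indicator worth tracking; SegWit transactions carry a marker and flag after the version and witness data after the outputs, which this parser deliberately does not handle.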


    Israeli govt pledges greater oversight of cyber-exports after NSO tools hacked US officials

    The Israeli government’s Defense Exports Control Agency sent out a notice late on Monday indicating it would be enforcing stricter rules governing the export of offensive cyber tools. The announcement came days after multiple outlets revealed that tools from Israeli cyber firm NSO Group were used to hack into the phones of at least 11 US State Department officials based in Uganda.

    The Jerusalem Post reported on Monday that the agency published a revised version of its “Final Customer Declaration”, which countries will have to sign before they can get access to powerful spyware technology like the NSO Group’s Pegasus. The declaration says countries will not use the tools to attack government critics or “political speech” and will only use it to prevent terrorism and “serious crimes.” Any country that ignores the declaration will lose access to cyber-tools, according to the document. The new rules came just days after Reuters, The Wall Street Journal, and The Washington Post reported that 11 workers at the US Embassy in Uganda had their phones hacked using Pegasus, which can be delivered to Apple phones through a text message that doesn’t even need to be opened. Apple has sued NSO Group for creating the tool and said it has already been used to hack into the devices of US citizens, despite claims from the company that it is only used for counter-terrorism efforts. Apple has since patched the vulnerability exploited by Pegasus and now notifies people when they are being targeted. The US government sanctioned NSO Group in November after months of reports showing how the technology was being used widely by dictatorships to hack into the devices of opponents, human rights activists, other world leaders and more. NSO Group continues to face a barrage of bad headlines over how its Pegasus spyware has been used around the world. Last month, a bombshell report from the University of Toronto’s Citizen Lab and the Associated Press said that even the Israeli government’s own spy agency used the tool to hack the phones of six Palestinian human rights activists. 

    That report followed another about the ruler of the UAE using Pegasus to spy on his ex-wife and her British lawyers. In July, the “Pegasus Project” used information from Amnesty International, the University of Toronto’s Citizen Lab, and Forbidden Stories to uncover that the NSO Group’s spyware was used to target at least 65 business executives, 85 human rights activists, 189 journalists, and at least 600 politicians. Targeted government officials included French President Emmanuel Macron, South African President Cyril Ramaphosa, and Iraqi President Barham Salih. Cabinet ministers from dozens of countries, including Egypt and Pakistan, were also targeted. Last month, on the heels of the sanctions announcement, several US Congress members demanded the State Department further investigate how Pegasus and other spyware is being used to abuse human rights around the world.

    John Scott-Railton, senior researcher at Citizen Lab, told ZDNet that the latest news about Pegasus being used against US officials was years in the making.

    “NSO knew exactly what it was doing by selling this hacking tool and has known for years that Pegasus is used against diplomats. They are a blinking national security threat for the United States and a threat to human rights. That’s what earned them the blocklist designation by Congress,” Scott-Railton said.

    Scott-Railton was skeptical of the new rules handed down by the Israeli government’s Defense Exports Control Agency, questioning what good a signed declaration would do for dictators or repressive governments that have significant power within their borders. “I’m puzzled. You are asking a rogues’ gallery of dictators to promise they won’t behave badly? This sounds like a distraction, not an effective regulation. In fact, NSO has apparently made its customers certify that they wouldn’t abuse the tech for years. We’ve seen just how badly that fared,” he added, noting the wider difficulties countries will face now that the spyware industry has become so lucrative.

    “The problem with mercenary spyware is that it is arriving in the hands of security services long before there is effective oversight and accountability. Predictably, companies like NSO are driving the rapid proliferation of this tech, and the harms can be found wherever you look,” Scott-Railton added. “Democracies should decide what kind of technological powers they want to vest in their police services. Citizens of dictatorships don’t have the luxury of a say, and selling spyware to these regimes will help them stay undemocratic.”


    AWS goes down and with it goes a host of websites and services

    December 7th, 2021 won’t be a day that will live in infamy, but it is a day that will annoy many Amazon Web Services (AWS) users. And it will also vex many more people who didn’t realize until today that Disney+, Venmo, and Robinhood all rely on AWS. No AWS, no Star Wars: The Bad Batch.

    The problem? According to the AWS Service Health Dashboard: “We are seeing an impact on multiple AWS APIs in the US-EAST-1 Region. This issue is also affecting some of our monitoring and incident response tooling, which is delaying our ability to provide updates. We have identified the root cause and are actively working towards recovery.”

    So, we should be back to business as usual soon. The problem first manifested at about 10:45 AM Eastern Time. It got its start in the major US East 1 AWS region hosted in Virginia. It may have been sparked there, but the problems showed up across AWS. Internet administrators reported that there were problems globally with AWS Identity and Access Management (IAM), the web service that controls access to AWS resources. Adding insult to injury, AWS customer service was down. So, even if your service or site wasn’t at US East 1, you could still feel the problem’s effects.

    Fortunately, according to DownDetector results, AWS seems to have a handle on the problem. In a few hours, all should be back to normal.


    Rust takes a major step forward as Linux's second official language

    It wasn’t that long ago that the very idea that another language besides C would be used in the Linux kernel would have been laughed at. Things have changed. Today, not only is Rust, the high-level system language moving closer to Linux, it’s closer than ever with the next “patch series to add support for Rust as a second language to the Linux kernel.”

    The biggest change in these new patches is that the Rust code proposed for the kernel now relies on the stable Rust compiler rather than the beta compilers. Going forward, Rust on Linux will migrate every time a new stable Rust compiler is released. Currently, it’s using Rust 1.57.0. By doing this, as Linux kernel developer and Rust on Linux lead Miguel Ojeda put it, “By upgrading the compiler, we have been able to take off the list a few unstable features we were using.” This, in turn, means Rust on Linux will be more stable. Looking ahead, Ojeda wrote, “We will keep upgrading until we do not rely on any unstable features; at which point we may want to start declaring a minimum Rust version is supported like it is done, e.g. GCC and Clang.”

    Senior Linux kernel developer Greg Kroah-Hartman had told me he believes “drivers are probably the first place for” Rust to appear in Linux since “they are the ‘end leaves’ of the tree of dependencies in the kernel source. They depend on core kernel functionality, but nothing depends on them.”

    This has been coming for several years now. At the virtual 2020 Linux Plumbers Conference, where the top Linux kernel developers hash out Linux’s future, the idea of introducing Rust as the kernel’s second language was introduced. Linus Torvalds is sure Linux won’t end up being written in Rust. But then, that’s not the goal. No one’s going to rewrite the kernel’s 25 million lines of C in Rust.

    Josh Triplett, Rust language lead, and Nick Desaulniers, a Google engineer, led the proposal to use the system-level Rust language inside the kernel. Why? Because it’s much safer than C, especially at handling memory errors. As Ryan Levick, a Microsoft principal cloud developer advocate, explained, “Rust is completely memory safe.” Since roughly two-thirds of security issues can be traced back to handling memory badly, this is a major improvement. In addition, “Rust prevents those issues usually without adding any runtime overhead,” Levick said.

    Torvalds sees the advantages. While he’s encouraging a slow but steady approach to introducing Rust into Linux, he has also said that using Rust interfaces for drivers and other non-core kernel programs makes sense: “I’m convinced it’s going to happen. It might not be Rust, but it is going to happen that we will have different models for writing these kinds of things, and C won’t be the only one.”

    So, as Ojeda told ZDNet this summer, “The project is not finished, but we are ready to get mainlined if high-level maintainers accept the current changes and prefer that we work inside the kernel. Most of the work is still ahead of us.” Still, work is well underway now. I expect to see the first Rust code in the Linux kernel sometime in 2022.



    Bosses are reluctant to spend money on cybersecurity. Then they get hacked

    Many businesses still aren’t willing to spend money on cybersecurity because they view it as an additional cost – and then find they have to spend much more cash recovering from a cyber incident after they get hacked.

    Cyberattacks like ransomware, business email compromise (BEC) scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents and their expensive fallout, many boardrooms are still reluctant to free up budget to invest in the cybersecurity measures necessary to avoid becoming the next victim.


    The cost of falling victim to a major cyber incident like a ransomware attack can be many times more than the cost of investing in the people and procedures that can stop incidents in the first place – something many organisations only fully realise after it’s too late.

    “Organisations don’t like spending money on preventative stuff. They don’t want to overspend, so a lot of organisations will sort of be penny-wise and pound-foolish kind of places where they wait for the event to happen, and then they have the big expense of cleaning it up,” Chris Wysopal, co-founder and CTO of cybersecurity company Veracode, told ZDNet Security Update.

    It’s then that they realise that they could have spent less if they had prevented the attack, he said: “A lot of organisations are going through that right now.”

    For example, an organisation might end up paying millions of dollars to ransomware criminals for the decryption key for an encrypted network – then there’s the additional costs associated with investigating, remediating and restoring the IT infrastructure of the whole business after the incident.

    “Just the ransoms that organisations are paying, if they don’t have cyber insurance, could certainly pay for a lot of cybersecurity professionals. And cyber-insurance rates are going up, so it’s getting more expensive across the board for organisations because of the threat,” said Wysopal.

    Even for organisations that do have a fully fledged cybersecurity strategy, training, hiring and retaining staff can still pose a challenge because of the high demand for employees with the required skills. The supply and demand issue isn’t going to be solved overnight and, while Wysopal believes long-term investment in cybersecurity is vital, there are additional measures that can be taken to help get more people with cybersecurity skills into the workforce to help protect organisations from attacks.

    “One thing I would like to see is cybersecurity become part of every IT or computer science student’s training, so that they had some understanding of cybersecurity as a professional, whether it’s building and managing systems in an IT environment or building software,” he explained.

    If IT or development staff have at least some understanding of cybersecurity, that can help organisations, particularly smaller ones that might not have a big budget. “I’m really pushing for that to be part of the curriculum and I’ve been working with a few colleges to make that part of the computer science curriculum,” Wysopal said.


    Hackers pretending to be Iranian govt use SMS messages to steal credit card info, create botnet

    Security company Check Point Research has uncovered a hacking campaign that involves cyberattackers impersonating Iranian government bodies to infect the mobile devices of Iranian citizens through SMS messages. The SMS messages urge victims to download Android applications related to official Iranian services, such as the Iranian Electronic Judicial Services. The first messages typically claim that a complaint has been filed against the victim and that an application needs to be downloaded in order to respond. Once downloaded, the applications allow hackers to access the victim’s personal messages. Victims are asked to enter credit card information in order to cover a service fee, giving attackers access to card information that can now be used. With access to a victim’s personal messages, the attackers can also get past two-factor authentication.

    Check Point Research said the campaign is ongoing and is being used to infect tens of thousands of devices. In addition to the Check Point report, Iranian citizens have taken to social media to complain about the scams. Some Iranian news outlets are also covering the issue.

    “The threat actors then proceed to make unauthorized money withdrawals and turn each infected device into a bot, spreading the malware to others. CPR attributes attacks to threat actors, likely in Iran, who are financially motivated,” the cybersecurity company explained. “CPR estimates tens of thousands of Android devices have fallen victim, leading to theft of billions of Iranian Rial. Threat actors are using Telegram channels to transact malicious tools involved for as low as $50. CPR’s investigation reveals that data stolen from victims’ devices has not been protected, making it freely accessible to third parties online.”

    Check Point’s Shmuel Cohen said in one campaign, more than 1,000 people downloaded the malicious application in less than 10 days. Even if they did not enter credit card information, their device became part of the botnet.

    Alexandra Gofman, threat intelligence team leader at Check Point, told ZDNet that the attacks appear to be a form of cybercrime and not attributed to any state-backed actors. The velocity and spread of these cyberattacks are unprecedented, Gofman said, adding that it is an example of a monetarily-successful campaign aimed at the general public.

    “The campaign exploits social engineering and causes major financial loss to its victims, despite the low quality and technical simplicity of its tools. There are a few reasons for its success. First, when official-looking government messages are involved, everyday citizens are inclined to investigate further, clicking the provided link,” Gofman said. “Second, due to the botnet nature of these attacks, where each infected device gets the command to distribute additional phishing SMS messages, these campaigns spread quickly to a large number of potential victims. Although these specific campaigns are widespread in Iran, they can take place in any other part of the world. I think it’s important to raise awareness of social engineering schemes that are employed by malicious actors.”

    Check Point explained that the cybercriminals behind the attack are using a technique known as “smishing botnets.” Devices that have already been compromised are used to send SMS messages to other devices. The people behind the technique now offer it to others on Telegram for up to $150, providing anyone with the infrastructure to launch similar attacks easily. Even though Iranian police were able to arrest one of the culprits, there are dozens of different cybercriminals in Iran using the tool now. The company estimates that about $1,000 to $2,000 has been stolen from most victims. The attackers are also offering the personal information that was stolen to others online.

    Gofman added that the general population of Iran is now in a situation where cyberattacks significantly impact day-to-day lives. These attacks began with railways, Gofman said, noting that the company traced that attack to a group called Indra. “The attacks continued with gas stations, and then the national aviation company. Now, we’re seeing yet another cyberattack that shows how even pure cybercrime can make headlines and chaos, hurting many in Iran,” Gofman said. “Although we do not see a direct connection between these latest cyberattacks and the major aforementioned attacks, our latest insights show how even unsophisticated cyber attacks create significant damage on Iran’s general population.”


    Microsoft seizes domains used to attack 29 governments across Latin America, Caribbean, Europe

    Microsoft has announced the seizure of dozens of domains used in attacks by the China-based APT group Nickel on governments and NGOs across Europe, the Americas and the Caribbean. In two blog posts published on Monday, Microsoft vice president Tom Burt, the Microsoft Digital Crimes Unit and the Microsoft Threat Intelligence Center said they have been tracking Nickel since 2016 and that a federal court in Virginia granted the company’s request to seize websites the group was using to attack organizations in the US and other countries.

    Burt explained that on December 2, the company filed lawsuits in the US District Court for the Eastern District of Virginia that would allow them to “cut off Nickel’s access to its victims and prevent the websites from being used to execute attacks.”

    “We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks and human rights organizations,” Burt said. “The court quickly granted an order that was unsealed today following completion of service on the hosting providers. Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities. Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”

    The attacks — which involved inserting hard-to-detect malware that enabled intrusions, surveillance and data theft — targeted organizations in Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the UK, US and Venezuela.

    The Microsoft Threat Intelligence Center found that sometimes Nickel was able to compromise VPN suppliers or obtain stolen credentials, while in other instances they took advantage of unpatched Exchange Server and SharePoint systems.

    The company noted that no new vulnerabilities in Microsoft products were used as part of the attacks. But once attackers were inside of a network, they looked for ways to gain access to higher-value accounts or other footholds in the system. Microsoft said they saw Nickel actors using Mimikatz, WDigest, NTDSDump and other password dumping tools during attacks.

    “There is often a correlation between Nickel’s targets and China’s geopolitical interests. Others in the security community who have researched this group of actors refer to the group by other names, including ‘KE3CHANG,’ ‘APT15,’ ‘Vixen Panda,’ ‘Royal APT’ and ‘Playful Dragon,’” Burt explained. “Nation-state attacks continue to proliferate in number and sophistication. Our goal in this case, as in our previous disruptions that targeted Barium, operating from China, Strontium, operating from Russia, Phosphorus, operating from Iran, and Thallium, operating from North Korea, is to take down malicious infrastructure, better understand actor tactics, protect our customers and inform the broader debate on acceptable norms in cyberspace.”

    Burt added that so far, Microsoft has filed 24 lawsuits that allowed them to take down more than 10,000 malicious websites from cybercriminals and almost 600 from nation-state groups.

    Jake Williams, CTO of BreachQuest, noted that the techniques used by Nickel after initial access are fairly pedestrian, while many of the other tools are readily available and widely used by penetration testers. “While NICKEL certainly has access to tools that are far more capable, they turn back to these commonplace tools because they work,” Williams said. “That these readily available tools can operate at all speaks to the level of security in target networks.”
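    Williams’ point that “commonplace tools” still work is, from the defender’s side, a point about visibility: the post-access tradecraft the story names (Mimikatz, re-enabling WDigest so plaintext credentials are cached, dumping the directory database) leaves well-understood host telemetry. The following is an added example, not code from the page or from Microsoft, that runs three such detections over a handful of constructed Sysmon-style records: a non-allowlisted process opening LSASS (Sysmon event 10), the WDigest `UseLogonCredential` registry value being set to 1 (event 13), and a process command line naming a dumping tool from the story (event 1). The record layout, allowlist and sample events are assumptions made for the example, not a real Sysmon export.

```python
from dataclasses import dataclass

# Registry value that, when set to 1, makes WDigest keep plaintext credentials in LSASS memory.
WDIGEST_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"

# Constructed allowlist of Windows binaries that routinely open LSASS; tune per environment.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Tool names taken from the story; a real rule set would carry many more hints.
DUMP_TOOL_HINTS = ("mimikatz", "ntdsdump")


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def check_event(ev: dict):
    """Return a Finding if one constructed event record matches a credential-dumping rule, else None."""
    eid = ev["event_id"]

    if eid == 10 and ev.get("target_image", "").lower().endswith(r"\lsass.exe"):
        src = ev.get("source_image", "").lower()
        if src not in LSASS_ACCESS_ALLOWLIST:
            return Finding("lsass_access", ev["host"], f"{src} opened LSASS")

    if eid == 13 and ev.get("target_object", "").lower() == WDIGEST_VALUE.lower():
        details = ev.get("details", "").strip().lower()
        if details in {"dword (0x00000001)", "1"}:
            return Finding("wdigest_enabled", ev["host"], "UseLogonCredential set to 1")

    if eid == 1:
        cmd = ev.get("command_line", "").lower()
        hit = next((h for h in DUMP_TOOL_HINTS if h in cmd), None)
        if hit:
            return Finding("dump_tool_cmdline", ev["host"], f"command line contains '{hit}'")

    return None


def scan(events):
    """Run every record through check_event and keep the findings, in event order."""
    return [f for ev in events if (f := check_event(ev)) is not None]


# Constructed sample telemetry: one benign LSASS access, three suspicious records, one benign process start.
SAMPLE_EVENTS = [
    {"event_id": 10, "host": "ws01", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"event_id": 10, "host": "ws01", "source_image": r"C:\Users\Public\upd.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"event_id": 13, "host": "ws02", "target_object": WDIGEST_VALUE,
     "details": "DWORD (0x00000001)"},
    {"event_id": 1, "host": "ws03", "image": r"C:\Users\Public\m.exe",
     "command_line": r"C:\Users\Public\m.exe mimikatz-build"},
    {"event_id": 1, "host": "ws03", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.host}: {finding.detail}")
```

    The allowlist is the part that needs the most care: too broad and an attacker who names a binary `svchost.exe` in a user-writable path slips through (which is why the match is on the full lowercase path, not the file name); too narrow and the rule drowns in alerts from legitimate security software that also opens LSASS.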