    This phishing-as-a-service operation is responsible for many attacks against businesses, says Microsoft

    Microsoft is shining a light on a phishing-as-a-service operation that sells fake login pages for cloud services like OneDrive, helping non-technical cybercriminals steal business users’ usernames and passwords. Phishing kits are nothing new, but this service caught the attention of Microsoft’s security teams because it lowers the bar to quality phishing even more.

    That business, called BulletProofLink and a few other names, provides email and website templates as phishing kits do, but also offers email delivery, hosting services, and credential theft. It also claims to provide ‘fully undetected’ (FUD) links and logs and is available for purchase as a weekly, bi-weekly, monthly, or annual subscription.

    As Microsoft outlines, phishing service providers are one link in the chain that can help ransomware gangs unload file-encrypting ransomware pain on targets, chiefly by providing passwords to attackers who can try them out on compromised networks. If the ransomware buyer is lucky, the credentials can include passwords for high-value admin accounts, allowing for greater movement within a compromised network.

    “These [FUD] phishing service providers host the links and pages and attackers who pay for these services simply receive the stolen credentials later on. Unlike in certain ransomware operations, attackers do not gain access to devices directly and instead simply receive untested stolen credentials,” the Microsoft 365 Defender Threat Intelligence Team notes in a blog post.

    Microsoft is concerned about businesses like these because they offer dozens of templates for the login pages of popular web services and allow anyone on a small budget to beat a path to theft or extortion. The service currently offers “login scam” pages for Microsoft OneDrive, LinkedIn, Adobe, Alibaba, American Express, AOL, AT&T, Dropbox, and Google Docs.

    Microsoft is also worried about “double theft”, where the phishing service provider captures the credentials on behalf of one customer and then sells the credentials to other customers.

    BulletProofLink markets itself openly on the web and on underground forums, and is also known as BulletProftLink or Anthrax. It has even published ‘how-to’ videos on YouTube and Vimeo to help customers use its fraud tools. Microsoft published its research into this operation to help customers refine email-filtering rules and adopt security technologies it offers.

    While phishing kits are sold once in a ZIP file with phishing templates to set up a bogus login page or emails, phishing-as-a-service includes the whole package. The operation caught Microsoft’s attention while it was investigating a phishing campaign that was using BulletProofLink services. The campaign used a whopping 300,000 subdomains with a technique Microsoft calls “infinite subdomain abuse”, which is where an attacker has compromised a website’s Domain Name System (DNS) server or when a compromised site is configured with a DNS that allows wildcard subdomains.

    These subdomains “allow attackers to use a unique URL for each recipient while only having to purchase or compromise one domain for weeks on end”, Microsoft says. They’re useful because the attacker can simply compromise the DNS of a site and not bother with hacking the site itself. The technique also allows phishing businesses to create a ton of unique URLs that are hard to detect.

    Ransomware service provider models are also influencing how phishing businesses operate. One notable ransomware technique is to steal data before encrypting it and then either sell that data or use it as leverage during extortion attempts.

    “We have observed this same workflow in the economy of stolen credentials in phishing-as-a-service,” Microsoft says. “With phishing kits, it is trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit does not alter the code to remove it. This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell.”

    RCE is back: VMware details file upload vulnerability in vCenter Server

    If you haven’t patched vCenter in recent months, please do so at your earliest convenience. Following on from its remote code execution hole in vCenter in May, VMware has warned of a critical vulnerability in the analytics service of vCenter Server.

    “A file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server,” the company said in a blog post.

    Handed the label CVE-2021-22005, the vulnerability hit a CVSSv3 score of 9.8, and means a malicious actor only needs to access port 443 and have a file to upload that is capable of exploiting an unpatched server. The vulnerability hits versions 6.7 and 7.0 of vCenter Server Appliances; builds greater than 7.0U2c build 18356314 from August 24 and 6.7U3o build 18485166 released on September 21 are patched. The exploit does not impact vCenter 6.5 versions.

    For those looking for a workaround instead of applying a patch, VMware has issued instructions. The workaround will be reverted once the server instance is patched. VMware said users should patch immediately.

    “The ramifications of this vulnerability are serious and it is a matter of time — likely minutes after the disclosure — before working exploits are publicly available,” it said.

    Other vulnerabilities addressed in VMware’s advisory included CVE-2021-21991, a CVSSv3 8.8 local privilege escalation involving session tokens that would see users gain administrator access; CVE-2021-22006, a CVSSv3 8.3 reverse proxy bypass that could allow access to restricted endpoints; and CVE-2021-22011, which could allow for unauthenticated VM network setting manipulation. All up, of the 19 vulnerabilities listed in its advisory, 10 were found by George Noseevich and Sergey Gerasimov of SolidLab.

    Elsewhere, Claroty Team 82 detailed how it chained together a number of vulnerabilities in Nagios XI to gain a reverse shell with root remote code execution. Although 11 vulnerabilities were found — four of which were handed a CVSSv3 score of 9.8 and included an SQL injection — only two were needed for the reverse shell: CVE-2021-37343, a path traversal vulnerability that allows for code to be executed as the Apache user; and CVE-2021-37347, which allows for local privilege escalation.

    The auto login feature of Nagios XI that allows for read-only access to the Nagios dashboard without credentials greatly expanded the attack surface, Team 82 said. “While this feature might be useful for NOC purposes, allowing users to easily connect to the platform and view information without the need for credentials also allows attackers to gain access to a user account in the platform, thus rendering any post-auth vulnerability exploitable without authentication,” they said. Patched versions of vulnerable Nagios XI products were released in August.

    Democracy advocate finds internet freedom has declined globally for 11th consecutive year

    Democracy advocate Freedom House has published findings that indicate a growing number of governments are forcing tech businesses to comply with online censorship and surveillance. The findings were released as part of the non-profit, non-governmental organisation’s (NGO) annual Freedom on the Net 2021 report, which found that 48 out of 70 countries covered in the report — which account for 88% of the world’s internet users — have pursued new rules for tech companies on content, data, or competition over the past year.

    “While some moves reflected legitimate attempts to mitigate online harms, rein in misuse of data, or end manipulative market practices, many new laws imposed excessively broad censorship and data-collection requirements on the private sector,” the report said.

    Of specific concern to the NGO was that at least 24 countries have passed or announced new laws or rules governing how platforms treat content, which it worries could lead to increased censorship of political dissent, investigative reporting, and expressions of ethnic, religious, sexual, or gender identity. According to Freedom House, this has culminated in global internet freedom declining again for the 11th consecutive year, with the greatest deteriorations being in Myanmar, Belarus, and Uganda. Freedom House’s measurement of internet freedom is done through assessing 21 different indicators pertaining to obstacles to access, limits on content, and violations of user rights, it explained.

    China, meanwhile, remained the world’s worst abuser of internet freedom, the NGO claimed. This was due to the country introducing new legislation criminalising online expression that insults members of the armed forces, “heroes”, and “martyrs”, and its continued online censorship.

    It also said China’s crackdown on tech has been “among the most aggressive” in addressing anti-competitive practices, raising concerns that the government is more interested in reining in the private sector’s autonomy and influence, rather than creating fairer markets.

    Other statistics unveiled in the report included that 80% of the countries analysed arrested people for their online speech; 64% of those countries’ authorities deployed pro-government commentators to manipulate online discussions; 41% of countries disconnected internet or mobile networks for political reasons; and 46% of countries blocked or restricted social media platforms, which primarily occurred during protests and elections.

    On the surveillance front, authorities in at least 45 of the 70 countries covered by the report are suspected of having access to sophisticated spyware or data-extraction technology supplied by companies like NSO Group, Cellebrite, Circles, and FinFisher, Freedom House said.

    In providing this warning, the organisation has called for policymakers responsible for drafting data privacy laws to focus on protecting users while preventing greater fragmentation of the internet, such as by ensuring government surveillance programs adhere to the International Principles on the Application of Human Rights to Communications Surveillance. It also said policymakers should view encryption as being fundamental to cybersecurity, commerce, and human rights, and that weakening encryption would endanger the lives of activists, journalists, and members of marginalised communities.

    For other areas of legislation, Freedom House said competition policy should foster innovation that responds to user demand for greater personalisation, security, and interoperability, and regulation should ensure that power does not accumulate in the hands of a few dominant actors, whether in government or the private sector.

    Chrome willing to take performance hit to prevent use-after-free bugs

    The Chrome security team has said it is willing to make the browser slightly slower if it means the tradeoff is a much more secure browser. Pointing to previous figures that 70% of all security problems are related to memory safety, the team said in a blog post that it was looking at three approaches: compile-time checks, runtime checks, and using a memory-safe language. Thanks to the use of C++, the first option was not possible, but it was looking at solutions such as MiraclePtr for runtime checking.

    “MiraclePtr prevents use-after-free bugs by quarantining memory that may still be referenced. On many mobile devices, memory is very precious and it’s hard to spare some for a quarantine,” the team said. “Nevertheless, MiraclePtr stands a chance of eliminating over 50% of the use-after-free bugs in the browser process — an enormous win for Chrome security, right now.”

    At the same time, the browser team is continuing to look at how to integrate the Rust language to allow for compile-time checks, which do not impact performance. “There are open questions about whether we can make C++ and Rust work well enough together,” the team said.

    “Even if we started writing new large components in Rust tomorrow, we’d be unlikely to eliminate a significant proportion of security vulnerabilities for many years. And can we make the language boundary clean enough that we can write parts of existing components in Rust? We don’t know yet.”

    The team said it is trying out some limited usage of Rust, but this has yet to make it through to production builds of Chrome. Invented by Mozilla, Rust has been used in parts of Firefox since 2016, and Google’s Android team has pushed to introduce Rust into the Linux kernel.

    Zoom's $14.7 billion deal for Five9 under US national security review

    Zoom’s proposed $14.7 billion deal to acquire Five9 is now under investigation by a government committee for potential national security risks. In a letter sent to the Federal Communications Commission (FCC) last month, the Department of Justice (DOJ) requested that the FCC’s review of the Zoom-Five9 deal be halted until a telecommunications security committee could assess potential national security risks.

    The FCC is responsible for reviewing whether deals such as the one made between Zoom and Five9 can be approved. Meanwhile, the telecommunications security committee is responsible for providing the FCC with reviews of potential foreign threats in the telecommunications sector. The committee was established last year by former US President Donald Trump.

    “USDOJ believes that such risk may be raised by the foreign participation (including the foreign relationships and ownership) associated with the application, and a review by the committee is necessary to assess and make an appropriate recommendation as to how the Commission should adjudicate this application,” DOJ foreign investment review acting chief David Plotinsky wrote in the letter.

    Zoom announced the deal back in July, touting the move as a serious foray into the contact centre-as-a-service market. “Enterprises primarily communicate with their customers through the contact center. This acquisition can bring together best-in-class video and contact centre solutions to create a leading customer engagement platform that will redefine how companies of all sizes engage with their customers,” Zoom CEO Eric Yuan said at the time.

    In Zoom’s most recent financial results, the company reported its total quarterly revenue exceeded $1 billion for the first time in the company’s history.

    The letter to the FCC was first reported by the Wall Street Journal earlier on Tuesday.

    After ransomware attack, company finds 650+ breached credentials from NEW Cooperative CEO, employees

    Digital identity management firm FYEO says it has discovered hundreds of instances of breached credentials from employees of NEW Cooperative, the Iowa-based farm service provider hit with a ransomware attack in recent days. Tammy Kahn, COO of FYEO, told ZDNet that when researchers searched through the company’s database, they found 653 instances of breached credentials connected to NEW Cooperative.

    The password “chicken1” was common among the company’s 120 employees and was used over 10 times.

    Kahn added that the firm’s CEO Brent Bunte appeared to have the second highest number of instances of breached credentials while other current executives also had passwords that had been leaked. NEW Cooperative did not respond to multiple requests for comment.

    “The NewCoop ransomware situation is concerning for a number of reasons, the first being that hackers are still going after critical infrastructure and seeking to disrupt supply chains even when explicitly stating otherwise. Beyond that, it’s indicative of a larger problem: password management,” Kahn said. “We saw that the Colonial Pipeline breach was ultimately a result of a bad password, and it’s likely a similar case here. A majority of internet users and the companies they work for are likely sitting ducks for hackers as they have a limited number of stale passwords and believe someone else should take responsibility for cybersecurity.”

    FYEO built an active domain intelligence database of over 20 billion leaked credentials and passwords, offering alerts any time email addresses and passwords resulting from third-party breaches appear on the darknet. By running the newcoop.com domain through the database, they found the 653 instances of credentials that have previously been exposed.

    Dozens of studies — and previous ransomware incidents or breaches — have shown that leaked passwords are one of the easiest ways cyberattackers routinely gain access to systems. The problem has gotten so bad that some companies, like Microsoft, are doing away with passwords altogether.

    “Until organizations find ways to empower their employees to practice good cybersecurity hygiene both in and out of the office, these problems will persist and grow,” Kahn said. “Especially in industries like this, password management should be the first line of defense. FireEye execs were alerted to the SolarWinds breach via 2FA — what some consider ‘basic’ in cyber hygiene can often be the most impactful.”

    The BlackMatter ransomware group has been implicated in the attack on NEW Cooperative, which is involved in a variety of aspects of the grain business, including running grain storage elevators, selling fertilizer, buying from farmers and providing technology to farmers.

    The company is in the process of helping customers transport grain to livestock and poultry farms as it tries to restore its systems, which it shut down when notified of the attack. The ransomware group is demanding a $5.9 million ransom and refused to back down when negotiators for the company said it was a critical component of the US agriculture industry and would elicit a forceful response from the US government.
    Critical Insight CISO Mike Hamilton said the company provides a lot of animal feed, meaning the attack “is probably going to have a long tail.”

    “There have been a number of recent warnings about vulnerabilities in the food and ag sector, which were apparently accurate,” Hamilton said. “The gang seems pretty adamant in their communication: no ransom, no network. They are not being swayed by the critical infrastructure argument.”

    Chad Anderson, senior security researcher for DomainTools, said BlackMatter has only been around a few short months and already has netted some large victims and millions in ransom payments.

    “As the direct heir of DarkSide, BlackMatter shares a lot of interesting features with the other, quickly-rising affiliate program LockBit: speedy encryption, stronger anti-analysis techniques than previous malware families, and double-extortion,” Anderson said. “However, one place BlackMatter interestingly differs is that unlike most ransomware families it does not have a function to check a victim computer’s locale before encrypting, making them a threat everywhere. The most recent batch of ransomware families have truly come a long way and are ever more threatening.”

    US Treasury Dept. sanctions Russian cryptocurrency exchange for work with ransomware groups

    The US Treasury Department announced on Tuesday that it was going after Russia-based cryptocurrency exchange Suex for facilitating ransomware payments in some of the first public, concrete action taken against ransomware groups.

    Last week, the Wall Street Journal reported that the Treasury Department was planning some sort of ransomware-related sanctions, but US officials explained its plans in detail on Tuesday. The Department of the Treasury’s Office of Foreign Assets Control (OFAC) said Suex was being sanctioned for its role in facilitating “transactions involving illicit proceeds from at least eight ransomware variants.”

    Data showed that more than 40% of Suex’s transactions involved “illicit actors” according to the Treasury Department, which added that virtual currency exchanges like Suex are “critical to the profitability of ransomware attacks, which help fund additional cybercriminal activity.”

    US officials said it was the first sanctions designation against a virtual currency exchange and was done in coordination with the FBI. They noted that not all virtual currency exchanges are working with ransomware actors and explained that some are often exploited by malicious actors. But a number of exchanges work directly with ransomware gangs to increase profits.

    “As a result of today’s designation, all property and interests in property of the designated target that are subject to US jurisdiction are blocked, and US persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50% or more owned by one or more designated persons are also blocked,” the Treasury Department said of Suex.

    “In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. Today’s action against Suex does not implicate a sanctions nexus to any particular Ransomware-as-a-Service (RaaS) or variant.”

    Blockchain analysis company Chainalysis — which assisted in the investigation — said that while Suex is registered in the Czech Republic, it does not have a physical office there and has multiple branches in Moscow and St. Petersburg. There are also Suex branches across Russia and in the Middle East.

    The exchange has become popular among cybercriminals because it claims to be able to convert cryptocurrency holdings into cash at branch locations and even facilitate the exchange of cryptocurrency for physical assets like real estate, cars and yachts, according to Chainalysis.

    The sanctions are part of a larger effort to disrupt ransomware, which brought in at least $400 million in ransoms in 2020. Treasury Secretary Janet Yellen highlighted that ransomware groups have not stopped their attacks on businesses, schools and hospitals since the White House ramped up efforts to stop the spate of incidents crippling hundreds of organizations. This week a US agriculture company was knocked out of commission due to a ransomware attack.

    “We will continue to crack down on malicious actors,” Yellen said. “As cyber criminals use increasingly sophisticated methods and technology, we are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attacks.”

    The US is trying to institute an anti-money laundering/countering the financing of terrorism (AML/CFT) framework among virtual currency exchanges and companies as a way to disrupt how ransomware groups manage to get away with their crimes.
    OFAC also released an updated advisory discouraging companies from paying ransoms and urging organizations to promote more stringent cybersecurity practices. The advisory implores organizations to contact US government agencies in the event of an attack and work with them “to avail themselves of OFAC’s significant mitigation related to OFAC enforcement matters and receive voluntary self-disclosure credit in the event a sanctions nexus is later determined.”

    The government noted that through its Financial Crimes Enforcement Network, it has been collecting information on ransomware payments. The Treasury Department used the Chainalysis platform and tools from the company to conduct its investigation into Suex.

    Gurvais Grigg, global public sector CTO at Chainalysis, told ZDNet the company has a long history of supporting government efforts by providing insight into how cryptocurrencies are used, and in some cases, abused by bad actors.

    “With Suex specifically, we have been following them for a while. We first identified them in 2019 as one of a relatively small group of OTC brokers who were helping bad actors cash out a large amount of ill-gotten gains,” Grigg said. “It’s a common misconception that cryptocurrency is anonymous and untraceable. Chainalysis has a long history of providing technology to government agencies to help them investigate illicit activity using cryptocurrency. Our investigative tools have been used in some of the most high-profile recent cybercrime investigations including ransomware, child sexual abuse, darknet markets, and more.”

    Grigg added that the company anticipates further actions as governments and agencies grow their proficiency and access to the data and tools necessary to conduct investigations into cryptocurrency.

    When asked whether the company was working with other law enforcement agencies around the world, Grigg said they work “with many partners around the world and our data and services are leveraged in over 60 countries.”

    “These partners are actively working similar cases and leverage our data and tools in a similar manner as did Treasury in the actions taken today,” Grigg said.

    The company released a blog post explaining some of their role in the investigation, noting that Suex has moved hundreds of millions of dollars worth of cryptocurrency — mostly in Bitcoin, Ether, and Tether — much of which is from illicit and high-risk sources.
    “In Bitcoin alone, Suex’s deposit addresses hosted at large exchanges have received over $160 million from ransomware actors, scammers, and darknet market operators. Chainalysis’ investigation reveals that the OTC is converting cryptocurrency into cash at physical branches located in Moscow and St. Petersburg, and possibly also at other offices outside of Russia as well,” Chainalysis said. “Suex is also found to have received over $50 million worth of Bitcoin sent from addresses hosted at illicit cryptocurrency exchange BTC-e from 2018 through 2021, well after BTC-e was shut down by U.S. authorities for its own money laundering activity on behalf of cybercriminals.”

    Chainalysis said it had been tracking money laundering on Suex for a while, finding that multiple addresses associated with the site are included in the group of 273 service deposit addresses they identified as receiving 55% of all funds sent from illicit addresses in 2020 in their recent Crypto Crime Report. Suex addresses also appeared widely in other lists of addresses connected to money laundering. The company said due to Suex’s size, shutting it down would “represent a significant blow to many of the biggest cyber threat actors operating today, including leading ransomware attackers, scammers and darknet market operators.”

    “Suex operates as a nested service, meaning it operates using addresses hosted by larger exchanges in order to tap into those exchanges’ liquidity and trading pairs. While many nested services are legitimate, some exchanges don’t hold nested services to high enough compliance standards, meaning they can be exploited for money laundering,” Chainalysis found.
    “Blockchain analysis reveals that Suex has received tens of millions worth of cryptocurrency payments from addresses associated with several forms of cybercrime, as well as from addresses associated with the now-shuttered exchange BTC-e.”

    Chainalysis researchers said there are significant financial ties between Suex and BTC-e. Despite BTC-e being shut down in 2017, Suex facilitated transfers on behalf of BTC-e administrators, associates, or former users who were “attempting to liquidate cryptocurrency trapped at the exchange.” Some of the BTC-e transfers took place even this year, despite the platform being shut down years ago.

    $481 million in Bitcoin has made its way to Suex since it emerged in February 2018, including almost $13 million from ransomware gangs like Ryuk, Conti, Maze and others. Other cybercriminals, like those involved in Finiko, have also spent millions on the site.

    “A small group of illicit services facilitate the majority of cryptocurrency-based money laundering, and Suex is one of the worst offenders, so today’s action represents a positive step forward in the fight against cybercrime,” Chainalysis said. “We commend OFAC for making this designation and look forward to working with our partners in the public and private sectors to continue the fight against money laundering service providers.”

    Google unveils results of DevOps report, finding increase in public cloud use

    Google released the results of its Accelerate State of DevOps report on Tuesday, finding that respondents who use hybrid or multicloud were 1.6 times more likely to exceed their organizational performance targets. Elite performers in the survey deploy 973 times more frequently than low performers, have a 6,570 times faster lead time to deploy, a 3 times lower change failure rate and a 6,570 times faster time-to-recover from incidents when failure does happen.

    Google has worked on the report for seven years, querying more than 32,000 professionals worldwide over the last few years. Dustin Smith, research lead with Google Cloud’s DevOps Research and Assessment (DORA) team, said the study continues to show that excellence in software delivery and operational performance drives organizational performance in technology transformations.

    “This year we also investigated the effects of SRE best practices, a secure software supply chain, quality documentation, and multicloud — all while gaining a deeper understanding of how this past year affected team’s culture and burnout,” Smith said. “Based on key findings from previous Accelerate State of DevOps reports, we again used four metrics to classify teams as elite, high, medium or low performers based on their software delivery: deployment frequency, lead time for changes, mean-time-to-restore, and change fail rate. This year we saw that elite performers continue to accelerate their pace of software delivery, increasing their lead time for changes from less than one day to less than one hour.”

    Smith said they asked respondents to rate their ability to meet or exceed their reliability targets, finding that teams with varying degrees of delivery performance see better outcomes when they also prioritize operational performance.

    Smith added that this year, 1,200 working professionals from a variety of industries around the globe shared their experiences with the researchers. More than half of all respondents said they used a public cloud, a 5% bump compared to 2019, and 21% additionally said they deploy multiple public clouds. About 21% said they used data centers or on-premises solutions instead of the cloud and 34% said they used hybrid clouds. The study found that those using hybrid and multi-cloud were 1.6 times more likely to exceed their organizational performance targets than those who did not and 1.4 times more likely to excel in terms of deployment frequency, lead time for changes, time to recover, change failure rate and reliability.

    One in every four respondents said they used multiple cloud providers because of the unique benefits offered by each one, with the second most common reason being availability. Nearly 75% of respondents use on-demand self-service, a 16% increase from 2019, and 74% used broad network access, a 14% increase from 2019. How teams implement their cloud services was also a major focus of the report, with the researchers finding that elite performers were 3.5 times more likely to have met all essential NIST cloud characteristics.

    “Only 32% of respondents who said they were using cloud infrastructure agreed or strongly agreed that they met all five of the essential characteristics of cloud computing defined by NIST, an increase of 3% from 2019. Overall, usage of NIST’s characteristics of cloud computing have increased by 14-19%, with rapid elasticity showing the largest increase,” the study found. “73% of respondents used resource pooling, a 15% increase from 2019, 77% of respondents used rapid elasticity, a 18% increase from 2019, 78% of respondents used measured service, a 16% increase from 2019. In analyzing the results, we found evidence that teams who excel at these modern operational practices are 1.4 times more likely to report greater SDO performance, and 1.8 times more likely to report better business outcomes.”

    More than half of all respondents said they use SRE practices to some extent. The Google study found that regardless of performance, teams saw benefits from the increased use of SRE practices.

    Quality documentation is also important, and the report found that teams with higher quality documentation are 2.4 times more likely to see better software delivery and operational performance. Teams with good documentation also are 3.8 times more likely to implement security practices, 2.4 times more likely to meet or exceed their reliability targets, 3.5 times more likely to implement Site Reliability Engineering practices and 2.5 times more likely to fully leverage the cloud.

    Continuous testing and continuous integration are also both indicators of success, according to the report. Trunk-based development is key as well, with elite performers who meet their reliability targets being 2.3 times more likely to use it. Maintaining databases is very important, Google researchers found, with elite performers being 3.4 times more likely to exercise database change management compared to their low-performing counterparts.

    Observability was cited as another metric that separated elite performers from the rest. Teams who successfully meet their reliability targets are 4.1 times more likely to have solutions that incorporate observability into overall system health.

    The study takes time to note that the COVID-19 pandemic forced significant changes on how teams worked. Nearly 90% of respondents worked from home and just 20% said they had ever worked from home before the pandemic started.

    “Respondents who worked from home because of the pandemic experienced more burnout than those who stayed in the office (a small portion of our sample). Inclusive teams with a generative culture were half as likely to experience burnout during the COVID-19 pandemic,” Smith said, adding that security was also an important part of the survey.

    “Security can no longer be an afterthought—it must be integrated throughout every stage of the software development lifecycle to build a secure software supply chain. Elite performers who met or exceeded their reliability targets were twice as likely to have shifted their security practices left, i.e., implemented security practices earlier on in the software development lifecycle, and deliver reliable software quickly, and safely.”