
Twilio hack investigation reveals second breach, as the number of affected customers rises • ZebethMedia

U.S. messaging giant Twilio confirmed it was hit by a second breach in June that saw cybercriminals access customer contact information.

Confirmation of the second breach — carried out by the same “0ktapus” hackers that compromised Twilio again in August — was buried in an update to a lengthy incident report that Twilio concluded on Thursday.

Twilio said the “brief security incident,” which occurred on June 29, saw the same attackers socially engineer an employee through voice phishing, a tactic whereby hackers make fraudulent phone calls impersonating the company’s IT department in an effort to trick employees into handing over sensitive information. In this case, the Twilio employee provided their corporate credentials, enabling the attacker to access customer contact information for a “limited number” of customers.

“The threat actor’s access was identified and eradicated within 12 hours,” Twilio said in its update, adding that customers whose information was impacted by the June incident were notified on July 2.

When asked by ZebethMedia, Twilio spokesperson Laurelle Remzi declined to confirm the exact number of customers impacted by the June breach and declined to share a copy of the notice that the company claims to have sent to those affected. Remzi also declined to say why Twilio has only just disclosed the incident.

Twilio also confirmed in its update that the hackers behind the August breach accessed the data of 209 customers, an increase from the 163 customers it reported on August 24. Twilio has not named any of its impacted customers, but some — like encrypted messaging app Signal — have notified users that they were affected by Twilio’s breach. The attackers also compromised the accounts of 93 users of Authy, the two-factor authentication app Twilio acquired in 2015.

“There is no evidence that the malicious actors accessed Twilio customers’ console account credentials, authentication tokens, or API keys,” Twilio said of the attackers, who maintained access to Twilio’s internal environment for two days between August 7 and August 9, the company confirmed.

The Twilio breach is part of a wider campaign by a threat actor tracked as “0ktapus,” which targeted at least 130 organizations, including Mailchimp and Cloudflare. But Cloudflare said the attackers failed to compromise its network after their attempts were blocked by phishing-resistant hardware security keys.

As part of its efforts to blunt similar attacks in the future, Twilio announced that it will also roll out hardware security keys to all employees. Twilio declined to comment on its rollout timeline. The company says it also plans to implement additional layers of control within its VPN, remove and limit certain functionality within specific administrative tooling, and increase the refresh frequency of tokens for Okta-integrated applications.

Versa raises $120M for its software-defined networking and security stack • ZebethMedia

Networking and cybersecurity firm Versa today announced that it raised $120 million in a mix of equity and debt led by BlackRock, with participation from Silicon Valley Bank. CEO Kelly Ahuja tells ZebethMedia that the proceeds, which bring Versa’s total capital raised to $316 million, will be put toward go-to-market efforts and scaling the company. He demurred when asked what percentage of the financing was equity versus debt.

Versa’s large round suggests that, despite the market downturn, VCs haven’t lost faith in cybersecurity vendors yet. According to data from PitchBook, venture capital investments in the sector have reached about $13.66 billion so far this year, up from $11.47 billion in 2020 (albeit down from $26.52 billion in 2021).

It helps that these vendors have customers — or at least potential customers — in droves. A December 2021 survey by CSO found that 44% of security leaders at large companies expected their budgets to increase in the upcoming 12 months. And Gartner estimates spending on information security and risk management will total $172 billion in 2022, up from $155 billion in 2021 and $137 billion the year prior.

“The pandemic drove enterprises to accelerate their transition to cloud and saw their workforce become fully distributed. This has led to a dramatic increase in cybersecurity issues — leading businesses to look for new ways to protect and connect their users, networks, and applications,” Ahuja told ZebethMedia in an email interview. “We find ourselves in an extremely good place to have the right solution that meets the market needs.”

Apurva Mehta and Kumar Mehta, two brothers, co-founded Versa in 2012. They came from Juniper Networks, where Apurva Mehta was the CTO and chief architect of the mobility business unit and Kumar Mehta was the VP of engineering. Kelly Ahuja, a Cisco alum, was tapped as Versa’s CEO in 2016.

Versa provides a vast range of subscription-based software services — too many to list here — but positions itself primarily as a secure access service edge (SASE) provider. As described by Gartner in 2019, SASE combines software-based wide area networking and security principles like zero trust into a single service model. Through partnerships with service providers, Versa connects users to apps in the cloud or data centers with security layered on top — like data loss prevention tools and gateway firewalls. Concretely, the company offers a hardware-agnostic software stack that provides a single interface — via the cloud, on-premises or both — to implement corporate security and networking policies.

“Versa’s portfolio in SASE converges security and networking,” Ahuja said, noting that Versa has a “sizable” team working on machine learning and AI-based malware detection. “Versa has developed a differentiated platform that combines AI and machine learning-powered security services edge and software-defined WAN (SD-WAN) solutions that help customers reduce cybersecurity risk.”

When asked about current clientele, Ahuja said that 625-employee Versa’s solutions have been deployed by “tens of thousands” of enterprises globally. He declined to reveal revenue figures, instead pointing to San Jose-based Versa’s annual contract value, which he says grew 60% over the “past few years.”

“Every industry and business is facing similar macro challenges — high inflation, risk of recession, and supply chain and geopolitical challenges,” Ahuja said. “[But] Versa provides a clear value proposition and ROI of reducing cybersecurity risk.”

In a June 2021 piece covering Versa’s last funding round, CRN’s Gina Narcisi pointed out that the SD-WAN and SASE space has seen a great deal of consolidation in recent years. Cisco Systems acquired Viptela and VMware bought SD-WAN vendor VeloCloud, and more recently, HPE’s Aruba snapped up Silver Peak while Palo Alto Networks absorbed CloudGenix.
Last year, Ahuja told Fierce Telecom’s Linda Hardesty that Versa wasn’t shopping itself. Plans haven’t changed, he says — Ahuja sees the latest financing as setting the firm on a path toward an initial public offering.

Inside TheTruthSpy, the stalkerware network spying on thousands • ZebethMedia

A massive cache of leaked data reveals the inner workings of a stalkerware operation that is spying on hundreds of thousands of people around the world, including Americans.

The leaked data includes call logs, text messages, granular location data and other personal device data of unsuspecting victims whose Android phones and tablets were compromised by a fleet of near-identical stalkerware apps, including TheTruthSpy, Copy9, MxSpy and others. These Android apps are planted by someone with physical access to a person’s device and are designed to stay hidden from the home screen while continuously and silently uploading the phone’s contents without the owner’s knowledge.

Months after we published our investigation uncovering the stalkerware operation, a source provided ZebethMedia with tens of gigabytes of data dumped from the stalkerware’s servers. The cache contains the stalkerware operation’s core database, which includes detailed records on every Android device that was compromised by any of the stalkerware apps in TheTruthSpy’s network since early 2019 (though some records date earlier) and what device data was stolen.

Given that victims had no idea that their device data was stolen, ZebethMedia extracted every unique device identifier from the leaked database and built a lookup tool to allow anyone to check if their device was compromised by any of the stalkerware apps up to April 2022, which is when the data was dumped.

ZebethMedia has since analyzed the rest of the database. Using mapping software for geospatial analysis, we plotted hundreds of thousands of location data points from the database to understand its scale. Our analysis shows TheTruthSpy’s network is enormous, with victims on every continent and in almost every country.

But stalkerware like TheTruthSpy operates in a legal gray area that makes it difficult for authorities around the world to combat, despite the growing threat it poses to victims.

First, a word about the data. The database is about 34 gigabytes in size and consists of metadata, such as times and dates, as well as text-based content, like call logs, text messages and location data — even names of Wi-Fi networks that a device connected to and what was copied and pasted from the phone’s clipboard, including passwords and two-factor authentication codes.

The database did not contain media, images, videos or call recordings taken from victims’ devices, but instead logged information about each file, such as when a photo or video was taken, and when calls were recorded and for how long, allowing us to determine how much content was exfiltrated from victims’ devices and when. Each compromised device uploaded a varying amount of data depending on how long it was compromised and the available network coverage.

ZebethMedia examined the data spanning March 4 to April 14, 2022, or six weeks of the most recent data stored in the database at the time it was leaked. It’s possible that TheTruthSpy’s servers only retain some data, such as call logs and location data, for a few weeks, but other content, like photos and text messages, for longer.

This is what we found.

This map shows six weeks of cumulative location data plotted on a map of North America. The location data is extremely granular and shows victims in major cities, urban hubs and traveling on major transport lines. Image Credits: ZebethMedia

The database has about 360,000 unique device identifiers, including IMEI numbers for phones and advertising IDs for tablets. This number represents how many devices were compromised by the operation to date and roughly how many people are affected.

The database also contains the email addresses of every person who signed up to use one of the many TheTruthSpy and clone stalkerware apps with the intention of planting them on a victim’s device, or about 337,000 users. The user count differs from the device count because some devices may have been compromised more than once (or by another app in the stalkerware network), and some users have more than one compromised device.

About 9,400 new devices were compromised during the six-week span, our analysis shows, amounting to hundreds of new devices each day.

The database stored 608,966 location data points during that same six-week period. We plotted the data and created a time lapse to show the cumulative spread of known compromised devices around the world. We did this to understand how wide-scale TheTruthSpy’s operation is. The animation is zoomed out to the world level to protect individuals’ privacy, but the data is extremely granular and shows victims at transportation hubs, places of worship and other sensitive locations.

By breakdown, the United States ranked first with the most location data points (278,861) of any country during the six-week span. India had the second most location data points (77,425), Indonesia third (42,701), Argentina fourth (19,015) and the United Kingdom (12,801) fifth. Canada, Nepal, Israel, Ghana and Tanzania were also included in the top 10 countries by volume of location data.

This map shows the total number of locations ranked by country. The U.S. had the most location data points at 278,861 over the six-week span, followed by India, Indonesia, and Argentina, which makes sense given their huge geographic areas and populations. Image Credits: ZebethMedia

The database contained a total of 1.2 million text messages, including the recipient’s contact name, and 4.42 million call logs during the six-week span, including detailed records of who called whom, for how long, and their contact’s name and phone number.

ZebethMedia has seen evidence that data was likely collected from the phones of children.

These stalkerware apps also recorded the contents of thousands of calls during the six weeks, the data shows. The database contains 179,055 entries of call recording files that are stored on another TheTruthSpy server. Our analysis correlated the dates and times of call recordings with location data stored elsewhere in the database to determine where the calls were recorded. We focused on U.S. states that have stricter phone call recording laws, which require that more than

US charges Ukrainian national over alleged role in Raccoon Infostealer malware operation • ZebethMedia

U.S. officials have charged a Ukrainian national over his alleged role in the Raccoon Infostealer malware-as-a-service operation that infected millions of computers worldwide.

Mark Sokolovsky — also known online as “raccoonstealer,” according to an indictment unsealed on Tuesday — is currently being held in the Netherlands while waiting to be extradited to the United States.

The U.S. Department of Justice accused Sokolovsky of being one of the “key administrators” of the Raccoon Infostealer, a form of Windows malware that steals passwords, credit card numbers, saved username and password combinations, and granular location data. Raccoon Infostealer was leased to individuals for approximately $200 per month, the DOJ said, which was paid to the malware’s operators in cryptocurrency, typically Bitcoin. These individuals employed various tactics, such as COVID-19-themed phishing emails and malicious web pages, to install the malware onto the computers of unsuspecting victims. The malware then stole personal data from their computers, including login credentials, bank account details, cryptocurrency addresses, and other personal information, which were used to commit financial crimes or sold to others on cybercrime forums.

An example of one of the phishing emails sent by the crime group. Image Credits: U.S. Justice Department.

According to U.S. officials, the malware has stolen more than 50 million unique credentials and forms of identification from victims around the world since February 2019. These victims include a financial technology company based in Texas and an individual who had access to U.S. Army information systems, according to the unsealed indictment. Cybersecurity firm Group-IB said the malware may have been used to steal employee credentials during the recent Uber breach.

But the DOJ said it “does not believe it is in possession of all the data stolen by Raccoon Infostealer and continues to investigate.”

The Justice Department said it worked with European law enforcement to dismantle the IT infrastructure powering Raccoon Infostealer in March 2022, when Dutch authorities arrested Sokolovsky. According to one report, the malware operation claimed it was suspending its operations after one of its lead developers was allegedly killed during Russia’s invasion of Ukraine. A new version of Raccoon Infostealer was reportedly launched in June this year.

The FBI also announced on Tuesday that it has created a website that allows anyone to check if their data is contained in the U.S. government’s archive of information stolen by Raccoon Infostealer.

“This case highlights the importance of the international cooperation that the Department of Justice and our partners use to dismantle modern cyber threats,” said Deputy Attorney General Lisa O. Monaco. “As reflected in the number of potential victims and global breadth of this attack, cyber threats do not respect borders, which makes international cooperation all the more critical. I urge anyone who thinks they could be a victim to follow the FBI’s guidance on how to report your potential exposure.”

Sokolovsky is charged with computer fraud, wire fraud, money laundering, and identity theft and faces up to 20 years in prison if found guilty. The DOJ said Sokolovsky is appealing a September 2022 decision by the Amsterdam District Court granting his extradition to the United States.

US to launch ‘labeling’ rating program for internet-connected devices in 2023 • ZebethMedia

The Biden administration said it will launch a cybersecurity labeling program for consumer Internet of Things devices starting in 2023 in an effort to protect Americans from “significant national security risks.”

It’s no secret that IoT devices generally have weak security postures. Weak default passwords have allowed botnet operators to hijack insecure routers to pummel victims with floods of internet traffic, knocking entire websites and networks offline. Other malicious hackers target IoT devices as a way to get a foot into a victim’s network, allowing them to launch attacks or plant malware from the inside.

As American consumers continue to fill their homes with more of these potentially insecure devices, from routers and smart speakers to internet-connected door locks and security cameras, the U.S. government wants to help educate them about the security risks.

Inspired by Energy Star, a labeling program operated by the Environmental Protection Agency and the Department of Energy to promote energy efficiency, the White House is planning to roll out a similar IoT labeling program to the “highest-risk” devices starting next year, a senior Biden administration official said on Wednesday following a National Security Council meeting with consumer product associations and device manufacturers. Attendees at the meeting included White House cyber official Anne Neuberger, FCC chairwoman Jessica Rosenworcel, National Cyber Director Chris Inglis and Sen. Angus King, alongside leaders from Google, Amazon, Samsung, Sony and others.

The initiative, described by White House officials as “Energy Star for cyber,” will help Americans recognize whether devices meet a set of basic cybersecurity standards devised by the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC).

Though specifics of the program have not yet been confirmed, the administration said it will “keep things simple.” The labels, which will be “globally recognized” and debut on devices such as routers and home cameras, will take the form of a “barcode” that users can scan using their smartphone rather than a static paper label, the administration official said. The scanned barcode will link to information based on standards, such as software updating policies, data encryption and vulnerability remediation.

The announcement comes after the White House last year ordered NIST and the FTC to explore two labeling pilot programs on cybersecurity capabilities for IoT devices. It also comes after the U.K. government last year introduced an IoT security bill in Parliament, requiring device manufacturers, importers, and distributors to meet certain cybersecurity standards.

Cyber training platform pulls in another $66M after post-pandemic remote working increases cyber threats • ZebethMedia

It was only in June last year that we reported how Immersive Labs, a platform which teaches cybersecurity skills to employees in a “gamified” way, had closed a $75 million Series C funding round. As of today, the company has pulled in another $66 million, taking the total raised to $189 million. And it can perhaps attribute its success partly to COVID-19.

The company has previously said the new wave of interest in cybersecurity among organizations has been driven by so many people shifting to working remotely, a habit acquired during the pandemic that companies now increasingly adopt by default.

Ten Eleven Ventures led the latest raise, while existing investors Goldman Sachs Asset Management, Summit Partners, Insight Partners, Menlo Ventures and Citi Ventures all participated in the round.

Immersive Labs originated from the CyLon cyber accelerator in London, an idea born of founder James Hadley, a former GCHQ security researcher and trainer, who realized ordinary employees needed a better way to learn cybersecurity, as they were the weakest links in most organizations.

The capital will be used to boost its “Cyber Workforce Resilience” category and deliver solutions to enterprise customers like Citi, Goldman Sachs, HSBC, Pfizer, Daimler, Humana, Atos, and the UK National Health Service.

In a statement, Hadley said: “Attracting new investment during a difficult time overall for the tech sector underscores the incredible demand for Immersive Labs’ disruptive, people-centric approach to cybersecurity. Proving cyber resilience has increasingly become a Board and C-level consideration.”

Immersive has also beefed up its executive team, adding Sandra McDevitt as Chief Human Resources Officer (CHRO) and Lucian Lui as Chief Marketing Officer (CMO).

Dave Palmer (Ten Eleven General Partner and Darktrace Founder and former Chief Product Officer) will join the company’s Board, while Jack Huffard (Tenable Co-Founder and current Non-Executive Director of Immersive) becomes Chair. Palmer added: “As we see more focus on proving cyber resilience across public and private sectors, Immersive Labs stands to play a key role in the future of cybersecurity.”

Toyota exposed 300,000 customer email addresses for 5 years • ZebethMedia

Automotive giant Toyota has warned that the personal information of roughly 300,000 customers may have been exposed for close to five years.

The possible exposure relates to T-Connect, an official Toyota app that allows customers to connect their smartphone to their vehicle’s dashboard infotainment system. In a statement, Toyota admitted that a subcontractor developing the T-Connect website inadvertently uploaded part of the site’s source code to a public GitHub repository in December 2017, where it sat undiscovered until last month. This source code contained an access key to a server that stored customer email addresses and the customer management numbers that Toyota assigns to each customer.

Toyota said that a total of 296,019 email addresses could have been accessed by anyone who found the access key until access to the GitHub repository was closed on September 15, 2022. Toyota, which confirmed it has since changed the server’s access key on September 17, said that no other information, such as customer names, phone numbers and credit card information, was affected.

But the company was forced to admit that it could not rule out the possibility of someone having accessed and stolen the data during the five-year span. “As a result of an investigation by security experts, although we cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored, at the same time, we cannot completely deny it,” Toyota said in a statement.

Toyota advised customers whose details may have been leaked to be on alert for phishing attempts and to avoid opening email attachments from unknown senders that claim to be from Toyota.
A similar security lapse recently led to the leak of a huge amount of sensitive data from Shanghai’s police database, including the names, addresses, phone numbers, national identifications, birthplaces, and criminal records of more than 70 percent of the country’s population — approximately 1 billion Chinese residents.

Vanta lands $40M to automate cybersecurity compliance • ZebethMedia

Vanta, a security compliance automation startup, today announced that it raised $40 million in an extension of its Series B funding round that closed in June, which valued the company at $1.6 billion. Notably, CrowdStrike invested in the extension — which was led by Craft Ventures — through its Falcon Fund, joined by Sequoia, Y Combinator and unnamed existing investors.

CEO Christina Cacioppo tells ZebethMedia that the new cash will be used to support Vanta’s customer acquisition, product R&D and go-to-market efforts. It brings the company’s total capital raised to $203 million.

Cacioppo founded Vanta in 2016 to — in her words — “help companies achieve and maintain a strong security posture.” Previously a professor at the School of Visual Arts in New York, Cacioppo co-founded Nebula Labs, a software development house, before joining Dropbox as a product manager on Dropbox Paper.

“With massive breaches on the rise — like Uber, Sony, Equifax — companies understand that proving their security is a must to doing business. Why? Because enterprises won’t buy a product that is not secure and regulators will crack down on any company with a weak security posture,” Cacioppo told ZebethMedia via email. “The problem is emerging companies lack the resources and expertise in-house to properly secure their perimeter, leaving them open to incoming threats and penalties for non-compliance, and they have no way to prove to their customers that their critical business assets are safe from threats.”

Vanta offers services designed to enable businesses to meet regulations, compliance standards and laws, like HIPAA and GDPR. The company provides workflows and controls for various apps and services to ensure compliance, allowing auditors to complete audits within Vanta and delivering alerts and guidance via email and apps like Slack. Vanta recently began offering what it calls “Trust Reports,” which aim to summarize a company’s compliance position.

Behind the scenes, a monitoring engine collects data from Vanta customers’ software-as-a-service apps and cloud stack and runs analyses to surface potential security threats. Cacioppo explained: “A customer’s journey in Vanta is guided by data-driven insights from the thousands of companies that have used Vanta to build and demonstrate their security. Each new customer benefits from the experience of all previous Vanta customers.”

Certainly, compliance is a tricky field — one many companies struggle with. A 2021 survey from The Harris Poll found that nearly two-thirds (63%) of organizations see compliance issues as critical barriers to growth. In a separate, recent study from Telos, an IT cybersecurity firm, organizations reported having to comply with an average of 13 different IT security and privacy regulations and spending $3.5 million annually on compliance activities, with audits taking close to two months each fiscal quarter.

That’s been good for business. San Francisco-based Vanta, which employs more than 350 people, now has a customer base numbering north of 4,000 organizations that includes brands like Quora, Modern Treasury and Autodesk. When asked, Cacioppo didn’t reveal annual recurring revenue figures — save for saying that revenue has grown “significantly faster” than Vanta’s valuation.

“Vanta continues to drive innovation in the space by building beyond ‘check the box compliance’ to a scalable set of security tools that help address the risks inherent in running businesses in the cloud,” Cacioppo said, citing a report from Polaris Market Research that predicts the enterprise governance, risk and compliance software market will be worth $96.98 billion by 2028. “‘Growth at all costs’ has never been our MO. [I] bootstrapped the company until it hit $10 million annual recurring revenue to make sure there was strong product-market fit and the company could stand on its own … The metrics that investors are scrutinizing now — burn rate, capital efficiency, gross margins — are ones Vanta has always excelled at.”

The challenge for Vanta will be beating back competitors in the increasingly crowded risk and compliance space. Just in May, Kintent, a startup providing enterprise compliance and security solutions, raised $18 million in venture capital. Earlier this year, Secureframe landed $56 million for its platform that automates an enterprise’s compliance with standards like HIPAA and SOC 2. Other rivals include Ethyca, Ketch, Soveren and Anecdotes, the last of which secured $25 million in its Series A.

There’s cash to go around, fortunately. Investors poured $5.1 billion into governance, risk and compliance startups in Q2 2021, a 113% increase from Q2 2020, according to Crunchbase data cited by The Wall Street Journal. In the first 10 weeks of 2022 alone, funding reached nearly $1 billion — spurred by international sanctions and data privacy legislation like the California Consumer Privacy Act.

In an emailed statement, CrowdStrike CTO Michael Sentonas said: “Compliance is no longer a siloed function — it’s a boardroom priority and an essential component of the modern security stack. We invested in Vanta because they created a way for every company, large and small, to achieve and maintain compliance by automating the process end-to-end.”
