Tag Archive for: Acquired

Microsoft Details How Chinese Hackers Acquired Signing Key for Outlook Breach


Microsoft says it has solved the mystery of how suspected Chinese hackers acquired a digital signing key to pull off July’s Outlook breach, which ensnared several US government agencies.

According to Microsoft, the key was accidentally leaked when the company computer holding it crashed in April 2021. During the error, the machine generated a crash dump report, which failed to redact the key from the file due to a software bug. 

Microsoft added that company computers that hold such signing keys are “highly isolated,” and have been stripped of various internet services, such as email and video conferencing. However, the crash dump report ended up opening a hole in the security. The unredacted file was automatically passed to a Microsoft computer devoted to debugging, which also happened to be connected to the internet. 

This paved the way for the Chinese hackers to loot the digital key when they compromised a Microsoft engineer’s corporate account, although it remains unclear how this occurred.

“This account had access to the debugging environment containing the crash dump which incorrectly contained the key,” the company said in Wednesday’s report. “Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.”

Stealing the key then allowed the suspected Chinese hackers to forge the authentication tokens to access customer emails on Microsoft’s Outlook service. That said, the signing key was originally designed for consumer Microsoft accounts—not the enterprise Outlook accounts that the hackers targeted. 

The problem is that Microsoft neglected to update a software library to automatically validate key signing signatures between consumer and enterprise accounts. “Developers in the mail system incorrectly assumed libraries performed complete validation and did not add the required issuer/scope validation,” Microsoft said. “Thus, the mail system would accept a request for enterprise email using a security token signed with the consumer key.” 

Microsoft issued the report as the company has come under criticism for failing to…


EQT Ventures portfolio company Baffin Bay Networks acquired by Mastercard


Stockholm-based Baffin Bay Networks has been acquired by payments tech giant Mastercard for an undisclosed sum. The purchase from Purchase aims to add Baffin Bay’s cybersecurity offer to bolster businesses with further armour in an increasingly challenging cyberattack landscape.

Founded in 2017 by a group of cybersecurity professionals, Baffin Bay Networks offers a cloud-first threat protection platform that leverages AI to mitigate attacks from the IP layer right on through to the application layer. 

The platform also continuously improves as it adds customers since learnings from one attack are shared across networks, creating what Baffin Bay Networks calls a “herd immune system”.

Backed solely by EQT Ventures, in early January 2019, the firm announced its expansion to the US via the acquisition of botnet and IoT research startup Loryka.

Building from strength to strength, Baffin Bay Networks’ lineage and timing couldn’t be better (?). Positioned as it is, the company is playing its part in staving off cyber criminal activities and post-acquisition will see its offer funneled into Mastercard’s single cyber service, a service provided to customers around the world and one that includes RiskRecon. This data analytics tool enables organisations to identify vulnerabilities well in advance of any nefarious actors exploiting them. 

Where Baffin Bay fits into the mix is by shoring up operations on the automated Threat Protection service, which helps to stop attackers from penetrating or taking down cyber systems.

“Our cloud-based Threat Protection service provides a simple and effective way to safeguard against application and network-level attacks,” said Joakim Sundberg, founder, and chief technology officer at Baffin Bay Networks. “Our two companies share this vision: to provide our customers with security and trust. We are thrilled to join the Mastercard family to expand our impact across the globe.”


Mobile security startup Zimperium acquired by Liberty Strategic Capital for $525M


Mobile cybersecurity provider Zimperium Inc. today announced that it has agreed to be acquired by Liberty Strategic Capital in a transaction worth about $525 million.

Former U.S. Treasury Secretary Steven Mnuchin, the founder and managing partner of Liberty Strategic Capital, will become the chair of Zimperium’s board. Existing investor SoftBank Group Corp. is set to retain its stake in the startup following the acquisition.

Founded in 2010, Zimperium provides cybersecurity software that helps companies protect workers’ handsets from hacking attempts. The startup also offers a suite of tools that developers can use to build more secure mobile apps.

Zimperium’s software product for protecting employee devices is known as zIPS. It runs directly on workers’ handsets and uses machine learning to detect cybersecurity issues. Zimperium says zIPS can detect malware and other threats, as well as vulnerabilities such as insecure device settings that could lead to a data breach if left unaddressed.

Zimperium’s second offering is a suite of mobile development tools called MAPS. One of the tools in the suite enables developers to scan the code of their mobile apps for vulnerabilities and regulatory compliance issues. Another component of MAPS can be used to equip apps with the ability to detect hacking attempts.

The MAPS suite also includes tools for more specialized tasks, such as preventing hackers from extracting encryption keys. Accessing an app’s encryption key can allow hackers to decrypt and read user data. According to Zimperium, MAPS prevents breaches by turning the part of an app’s code that is responsible for protecting data into a form that can’t be reverse engineered by hackers. 

“There’s no question that the world is going mobile,” said Zimperium Chief Executive Officer Shridhar Mittal. “And as that happens, modern operating systems like Android and iOS are playing a more prominent role powering the devices people use in their personal and professional lives. But what many people don’t realize is that protecting these devices is much different from protecting traditional endpoints and requires a new approach.”

Zimperium has more than 7,000…


Openpath Is Acquired by Motorola for Mobile Security Technology


Openpath’s touchless, mobile-based door lock system.


Openpath Security Inc., a cloud-based mobile access control provider based in Culver City, has been acquired by telecommunications giant Motorola Solutions Inc.

Financial terms of the deal, which was announced July 13, were not disclosed. The transaction is expected to close by the end of July.

Openpath’s founders, Chief Executive Alex Kazerani and President James Segil, will report to John Kedzierski, who manages the video security and analytics department for Chicago-based Motorola Solutions.


“With Motorola Solutions, we will continue to pioneer the future of the access control industry,” Kazerani said in a statement. “We couldn’t be more excited to work together in bringing best-in-class, innovative solutions to organizations around the world to make their business a safer place to be.”


The acquisition follows other major purchases of security technology companies by Motorola Solutions. In 2018, the company spent about $1 billion for Avigilon, a Vancouver-based video surveillance and analytics company. And in 2020, it paid $110 million for Pelco, a Fresno-based video security company.  


Motorola Solutions will use Openpath’s capabilities to bolster its security offerings for businesses using video and remote access control.

“Securing businesses around the world has never been more critical,” Greg Brown, Motorola’s chairman and chief executive, said in a statement. “This acquisition enables us to combine the power of video security and access control together.”

Openpath creates touchless, mobile-based door lock systems. Its systems use physical sensors installed at doors that can be locked and unlocked through mobile devices.
