A court in Houston has authorized an FBI operation to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously undiscovered vulnerabilities to attack thousands of networks.
The Justice Department announced the operation, which it described as “successful,” on Tuesday.
In March, Microsoft discovered a new China state-sponsored hacking group — Hafnium — targeting Exchange servers run from company networks. The four vulnerabilities when chained together allowed the hackers to break into a vulnerable Exchange server and steal its contents. Microsoft fixed the vulnerabilities but the patches did not close the backdoors from the servers that had already been breached. Within days, other hacking groups began hitting vulnerable servers with the same flaws to deploy ransomware.
The number of infected servers dropped as patches were applied. But hundreds of Exchange servers remained vulnerable because the backdoors are difficult to find and eliminate, the Justice Department said in a statement.
“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks,” the statement said. “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”
The FBI said it’s attempting to inform owners via email of servers from which it removed the backdoors.
Assistant attorney general John C. Demers said the operation “demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions.”
The Justice Department also said the operation only removed the backdoors, but did not patch the vulnerabilities exploited by the hackers to begin with or remove any malware left behind.
It’s believed this is the first known case of the FBI effectively cleaning up private networks following a cyberattack. In 2016, the Supreme Court moved to allow U.S. judges to issue search and seizure warrants outside of their district. Critics opposed the move at the time, fearing the FBI could ask a friendly court to authorize cyber-operations anywhere in the world.
Other countries, like France, have used similar powers before to hijack a botnet and remotely shut it down.
Neither the FBI nor the Justice Department commented by press time.
Spotify wants to have a bigger presence in your car, Apple hints at iPad-centric announcements and Microsoft’s new Surface Laptop goes on sale. This is your Daily Crunch for April 13, 2021.
The big story: Spotify unveils an in-car entertainment system
Spotify’s new device is the oddly (but memorably!) named Car Thing. While there are plenty of other ways to listen to Spotify while driving, the company said this will provide a “more seamless” and personalized experience. Car Thing includes a touchscreen, a navigation knob, voice control and preset buttons to access your favorite music, podcasts and playlists.
This is actually an updated version of an in-car device that Spotify started testing a couple years ago. While Spotify is now making Car Thing available more broadly, it sounds like the company still views this as a bit of an experiment — during this limited U.S. release, it’s available for free, with users just paying for the cost of shipping.
The tech giants
Apple’s next event is April 20 — Invites for its “Spring Loaded” event went out today, sporting what appears to be a doodle drawn on an iPad.
Microsoft’s latest Surface Laptop goes on sale this week, starting at $999 — Sometimes the classics are classics for a reason.
Facebook, Instagram users can now ask ‘oversight’ panel to review decisions not to remove content — The move expands the Oversight Board’s remit beyond reviewing (and mostly reversing) content takedowns.
Startups, funding and venture capital
Fortnite-maker Epic completes $1B funding round — The company is amassing a large portfolio of titles through acquisitions, a trend that is almost certain to continue with this latest massive round.
Home gym startup Tempo raises $220M to meet surge in demand for its workout device — Tempo’s freestanding cabinet, which the company launched in February 2020, includes a 42-inch touchscreen with a 3D motion-tracking camera that consistently scans, tracks and coaches users as they work out.
ConsenSys raises $65M from JP Morgan, Mastercard, UBS to build infrastructure for DeFi — The fundraise looks like a highly strategic one, based around the idea that traditional institutions will need visibility into the increasingly influential world of “decentralized finance.”
Advice and analysis from Extra Crunch
What’s fueling hydrogen tech? — In 2021, the world may be ready for hydrogen.
Five product lessons to learn before you write a line of code — To uncover some basic truths about building products, we spoke to three entrepreneurs who have each built more than one company.
Expect an even hotter AI venture capital market in the wake of the Microsoft-Nuance deal — The $19.7 billion transaction is Microsoft’s second-largest to date, only beaten by its purchase of LinkedIn.
Everything else
Republican antitrust bill would block all big tech acquisitions — There are about to be a lot of antitrust bills taking aim at big tech.
Startup Alley at TechCrunch Disrupt 2021 is filling up fast — If you’re busy shoving envelopes and busting down boundaries, don’t miss your chance to exhibit in Startup Alley at TechCrunch Disrupt 2021 in September.
The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories.
Coinbase, the American cryptocurrency trading giant, has set a reference price for its direct listing at $250 per share. According to the company’s most recent SEC filing, it has a fully-diluted share count of 261.3 million, giving the company a valuation of $65.3 billion. Using a simple share count of 196,760,122 provided in its most recent S-1/A filing, Coinbase would be worth a slimmer $49.2 billion.
Regardless of which share count is used to calculate the company’s valuation, its new worth is miles above its final private price set in 2018 when the company was worth $8 billion.
Immediate chatter following the company’s direct listing reference price was that the price could be low. While Coinbase will not suffer usual venture capital censure if its shares quickly appreciate as it is not selling stock in its flotation, it would still be slightly humorous if its set reference price was merely a reference to an overly conservative estimate of its worth.
Its private backers are in for a bonanza either way. Around four years ago in 2017 Coinbase was worth just $1.6 billion, according to Crunchbase data. For investors in that round, let alone its earlier fundraises, the valuation implied by a $250 per-share price represents a multiple of around 40x from the price that they paid.
The Coinbase direct listing was turbocharged recently when the company provided a first-look at its Q1 2021 performance. As TechCrunch reported at the time, the company’s recent growth was impressive, with revenue scaling from $585.1 million in Q4 2020, to $1.8 billion in the first three months of this year. The new numbers set an already-hot company’s public debut on fire.
Place your bets now concerning where Coinbase might open, and how high its value may rise. It’s going to be quite the show.
There are about to be a lot of antitrust bills taking aim at big tech, and here’s one more. Senator Josh Hawley (R-MO) rolled out a new bill this week that would take some severe measures to rein in big tech’s power, blocking mergers and acquisitions outright.
The “Trust-Busting for the Twenty-First Century Act” would ban any acquisitions by companies with a market cap of more than $100 billion, including vertical mergers. The bill also proposes changes that would make it easier for the FTC and other regulators to deem a company’s behavior anti-competitive — a key criticism of the outdated antitrust rules that haven’t kept pace with the realities of the tech industry.
Hawley’s legislation would snip some of the red tape around antitrust enforcement by amending the Sherman Act, which made monopolies illegal, and the Clayton Act, which expanded the scope of illegal anti-competitive behavior.
The bill isn’t likely to get too far in a Democratic Senate, but it’s not insignificant. Sen. Amy Klobuchar (D-MN), who chairs the Senate’s antitrust subcommittee, proposed legislation earlier this year that would also create barriers for dominant companies with a habit of scooping up their competitors. Klobuchar’s own ideas for curtailing big tech’s power similarly focus on reforming the antitrust laws that have shaped U.S. business for more than a century.
The Republican bill may have some overlap with Democratic proposals, but it still hits some familiar notes from the Trump era of hyper-partisan big tech criticism. Hawley slams “woke mega-corporations” in Silicon Valley for exercising too much power over the information and products that Americans consume. While Democrats naturally don’t share that critique, Hawley’s bill makes it clear that antitrust reform targeting big tech is one policy area where both political parties could align on the ends, even if they don’t see eye to eye on the why.
Hawley’s bill is the latest, but it won’t be the last. Rep. David Cicilline (D-RI), who spearheads tech antitrust efforts in the House, previously announced his own plans to introduce a flurry of antitrust reform bills rather than one sweeping piece of legislation. Those bills, which will be more narrowly targeted to make them difficult for tech lobbyists to defeat, are due out in May.
Risk and compliance startup LogicGate has confirmed a data breach. But unless you’re a customer, you probably didn’t hear about it.
An email sent by LogicGate to customers earlier this month said that on February 23 an unauthorized third party obtained credentials to its Amazon Web Services-hosted cloud storage servers storing customer backup files for its flagship platform Risk Cloud, which helps companies to identify and manage their risk and compliance with data protection and security standards. LogicGate says its Risk Cloud can also help find security vulnerabilities before they are exploited by malicious hackers.
The credentials “appear to have been used by an unauthorized third party to decrypt particular files stored in AWS S3 buckets in the LogicGate Risk Cloud backup environment,” the email read.
“Only data uploaded to your Risk Cloud environment on or prior to February 23, 2021, would have been included in that backup file. Further, to the extent you have stored attachments in the Risk Cloud, we did not identify decrypt events associated with such attachments,” it added.
LogicGate did not say how the AWS credentials were compromised. An email update sent by LogicGate last Friday said the company anticipates finding the root cause of the incident by this week.
But LogicGate has not made any public statement about the breach. It’s also not clear if the company contacted all of its customers or only those whose data was accessed. LogicGate counts Capco, SoFi, and Blue Cross Blue Shield of Kansas City as customers.
We sent a list of questions, including how many customers were affected and if the company has alerted U.S. state authorities as required by state data breach notification laws. When reached, LogicGate chief executive Matt Kunkel confirmed the breach but declined to comment citing an ongoing investigation. “We believe it’s best to communicate developers directly to our customers,” he said.
Kunkel would not say, when asked, if the attacker also exfiltrated the decrypted customer data from its servers.
Data breach notification laws vary by state, but companies that fail to report security incidents can face heavy fines. Under Europe’s GDPR rules, companies can face fines of up to 4% of their annual turnover for violations.
In December, LogicGate secured $8.75 million in fresh funding, totaling more than $40 million since it launched in 2015.
Are you a LogicGate customer? Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop.