The 10 Most Controversial Companies Of 2021

Some of the biggest companies in the tech industry were also some of the most controversial companies in 2021, as cyberattacks and channel conflict dominated the headlines on CRN.

Cyber criminals once again got the best of some of the biggest and most respected technology brands in 2021.

Ransomware breaches – which were off the charts in 2020 – reached pandemic proportions in 2021. No business was safe in a technology landscape ruled by cyber criminals and nation-state attacks.

One of the top MSP platform providers became infamous as the attack victim for what became known as one of the biggest ransomware heists in the history of computing. The attack highlighted yet again the constant threat faced by MSPs and solution providers as the targets of choice for cyber criminals.

This even as the nation’s number one technology solution provider with $55 billion in annual revenue found itself trying to limit the fallout from a ransomware attack.

The world’s largest software maker was also in the crosshairs of cyber criminals, with its on-premises email server hit in one of the largest attacks in history. An estimated 30,000 U.S. organizations and 60,000 organizations globally were hit by the Exchange server attack.

Log4j – which was described by one prominent software executive as a “Fukushima moment for cybersecurity” – put one of the top multicloud software makers into the sights of the Russian Conti ransomware group.

Channel conflict is a closely watched measure for solution providers of all stripes. This year, one of the largest infrastructure makers in the world was hit with charges of channel conflict that started with PCs and then moved into storage, server and hyperconverged infrastructure deals, sources told CRN.

The list of most controversial organizations also included a software channel darling that faced unprecedented turmoil with a new CEO, layoffs and a report of a potential play to take the company private; a cloud behemoth grappling with outages; and a chip behemoth being sued by the Federal Trade Commission to stop a $40 billion blockbuster deal.

10. Nvidia: Sued By FTC To Block $40B Arm Deal

When Nvidia announced in September that it planned to acquire British chip designer Arm in a $40 billion mega deal, Nvidia CEO Jensen Huang boasted that the deal would transform Nvidia into the “world’s premier computing company.”

By acquiring Arm, Nvidia would have the underlying technologies for the GPU, CPU and network in the data center and beyond, allowing the chipmaker to more tightly integrate those technologies. The blockbuster deal was an expansion of the Nvidia strategy that was kicked into gear by the company’s $7 billion acquisition of interconnect vendor Mellanox Technologies in April.

With the Arm deal, Nvidia would also own the underlying CPU technology for most of the world’s smartphones as well as millions of IoT devices. Arm also licenses CPU technology for laptops.

Responding to a question about regulatory concerns, Huang said at the time that Nvidia and Arm are “completely complementary,” just in the same way that Nvidia and Mellanox are.

“Nvidia doesn’t design CPUs. We have no CPU instruction set. Nvidia doesn’t license IP to semiconductor companies,” he said. “In that very way, we’re not competitors, and we have every intention to add IP. And also, unlike Arm, Nvidia does not participate in the cell phone market.”

That optimistic view of the deal was not shared by the Federal Trade Commission, which on December 2 filed suit to block the $40 billion Nvidia mega-deal, alleging that the deal would “stifle innovative next-generation technologies,” including technologies for data centers.

The U.S. agency named Nvidia, Arm and Arm’s current owner, Japan-based SoftBank Group, as defendants. It alleges that the deal, announced last year, would “harm competition” in three global markets where Nvidia competes using Arm-based products: high-level advanced driver assistance systems for passenger cars, data processing units, and Arm-based CPUs for cloud service providers.

“The FTC is suing to block the largest semiconductor chip merger in history to prevent a chip conglomerate from stifling the innovation pipeline for next-generation technologies,” said FTC Bureau of Competition Director Holly Vedova in a statement.

“Tomorrow’s technologies depend on preserving today’s competitive, cutting-edge chip markets,” Vedova said. “This proposed deal would distort Arm’s incentives in chip markets and allow the combined firm to unfairly undermine Nvidia’s rivals. The FTC’s lawsuit should send a strong signal that we will act aggressively to protect our critical infrastructure markets from illegal vertical mergers that have far-reaching and damaging effects on future innovations.”

An Nvidia spokesperson told CRN that the company believes the deal would still be beneficial to the industry at large — a case that it will make to the FTC. The spokesperson reiterated Nvidia’s plans to invest in Arm’s research and development, maintain Arm’s open licensing model and “create more opportunities for all Arm licensees and expand the Arm ecosystem.”

Analysts say the FTC lawsuit makes the Nvidia-Arm deal unlikely. Ben Bajarin, CEO and principal analyst at Creative Strategies, told CRN that he was already pessimistic about it because of scrutiny by the United Kingdom’s Competition and Markets Authority, which initiated a phase two investigation in November over concerns that the deal would significantly lessen competition in data centers and other markets.

“I haven’t felt this was going to go through for a long time, but I think those points [made by the U.K. government] were feeding it. So this is just, I think, the final straw,” he said.

9. Citrix: New CEO, Layoffs And A Possible Sale

2021 was a year of unprecedented turmoil for longtime VDI (virtual desktop infrastructure) software channel darling Citrix.

The upheaval included the unexpected departure of President and CEO David Henshall in October, the appointment of Chairman Bob Calderoni as interim president and CEO, layoffs that took hold in November and, as the year came to a close, a report that the company would be taken private by activist investor Elliott Management Corp. and Vista Equity Partners.

The news of a potential move to take Citrix private sent the company’s shares up about 12 percent to $94 a share on December 21.

News of a potential Citrix sale surfaced in September after Elliott Management bought a 10 percent stake in the software maker.

In an 8-K filing with the Securities and Exchange Commission on November 12, Citrix said its board had approved a restructuring plan that included “the elimination of full-time positions,” with $65 million to $90 million related to employee severance agreements.

Overall, Citrix said it expected to record $130 million to $240 million in pre-tax restructuring and impairment charges associated with its restructuring, including the “termination of certain contracts and asset impairments, primarily related to facilities consolidations.”

In the company’s most recent quarterly earnings conference call, Calderoni promised to increase compensation for partners and “shore up” Citrix’s channel programs. He said Citrix had invested in sharing stalled and uncovered pipelines with partners “to give them leads and opportunities” for new business.

“The channel hasn’t gone away,” Calderoni said. “They’re not selling somebody else’s products. They’re just focusing on other parts of their business. And like any part of a sales organization, and the channel is part of our sales organization, we want to make it more profitable for them to do business with us.”

8. Splunk: CEO Doug Merritt Exits After $1 Billion Silver Lake Investment

Splunk President and CEO Doug Merritt – who had been at the helm for six years – resigned unexpectedly on Nov. 15, less than five months after Silver Lake invested $1 billion into the data platform giant.

The news sent Splunk’s stock plummeting $31.83 (18.97 percent) to $136.08 per share in trading, the lowest the company’s stock had traded since July 19. As the year came to a close, the stock traded at $109.61 on December 20, near the 52-week low of $105.45.

“As the board and I considered how to best position Splunk for long-term success and continued growth, we determined now is the right time to transition to our next phase of leadership,” Merritt said in a statement. “In particular, the board is focused on identifying a leader with a proven track record of scaling operations and growing multi-billion dollar enterprises.”

The San Francisco-based vendor tapped longtime Salesforce CFO and current Splunk board chairman Graham Smith to serve as the company’s interim CEO as the board begins its search for Splunk’s next permanent chief executive.

After the $1 billion Silver Lake investment, Kenneth Hao, chairman and managing partner of Silver Lake, joined Splunk’s board of directors.

“It has become increasingly clear that a cloud-driven transformation is critical to modernization and Splunk is ideally positioned to help organizations throughout the world manage the complexity associated with this transition,” Hao said at the time. “We are confident in the opportunities ahead and eager to work with [Splunk CEO Doug Merritt] and his team to support Splunk’s next phase of growth.”

The management shakeup at Splunk comes as the company continues to shift from selling on-premises software with traditional software license pricing to cloud-based software sold on a subscription basis. The move has been a significant transformation for the company and its partners.

In October, Splunk launched a significant update to its partner program, rebranding the program as the “Splunk Partnerverse” and expanding the enablement resources and certifications offered to help partners improve and showcase their cloud computing skills.

Many of Splunk’s 2,200 partners have been transforming themselves by adopting service provider business models and building up their cloud skills to meet customer demands for cloud migration and hybrid-cloud capabilities, said Brooke Cunningham, Splunk area vice president, global partner marketing and experience, in an interview with CRN.

7. AWS: High-Profile Outages Speak To Need For ‘Independent Visibility’

Amazon Web Services – the $64.4 billion cloud services market leader – ended the year with high-profile outages that led to downtime for a wide range of services, including AWS’ Alexa, Ring and Prime Video.

The Dec. 7 outage began at approximately 7:35 a.m. Pacific Time and lasted more than eight hours, with multiple Amazon services and a number of business services impacted, according to ThousandEyes, a business owned by Cisco that provides real-time visibility into outages. The service disruption occurred in the AWS Northern Virginia (US-EAST-1) Region.

“The incident affected everything from home consumer appliances to various business services,” said ThousandEyes Senior Technical Marketing Manager Chris Villemez in a blog post.

Among the businesses that rely on AWS that were disrupted by the December 7 outage were Ticketmaster, which said it was delaying ticket sales for pop music star Adele’s upcoming concerts; the McDonald’s app; the Boston Parking Department, which could not collect parking fees with its ParkBoston app; airline websites including Delta Airlines; and streaming services Disney+ and Roku.

“This single internal disruption, in the example of Amazon’s reported event on December 7, prevented people from voice activating their smart home-enabled lights and even affected flight bookings and many other seemingly commonplace activities,” wrote Villemez. “All of this speaks to the need for independent visibility and verification.”

AWS said the Dec. 7 network issues impacted multiple services, including Elastic Compute Cloud, AWS Management Console, DynamoDB and Amazon Connect.

In a post-mortem on the outage, AWS said the networking issues began with an “automated activity” to scale capacity of one of the AWS services hosted in the main AWS network. That triggered “an unexpected behavior from a large number of clients inside the internal network,” said the company. That, AWS said, resulted in a “large surge of connection activity that overwhelmed the networking devices between the internal network and the main AWS network, resulting in delays for communication between these networks.”

Oracle Chief Technology Officer and Co-Founder Larry Ellison took swipes at AWS just days after the December 7 outage, citing “fundamental differences” in the Oracle Cloud versus AWS.

“They are building a small number of very, very large data centers,” Ellison said during an Oracle earnings call on December 9. “Our strategy is to build a large number of smaller, less expensive data centers. We think that improves reliability dramatically. We won’t have this giant data center going down. It reduces the blast radius of what happens when things go down. Less goes down.”

Ellison said that one customer in particular – only described as a large telecommunications company that uses Oracle, Google, Amazon and Microsoft’s clouds – complimented Oracle’s cloud resiliency in a note. “The note basically said, ‘The one thing we’ve noticed about Oracle’s cloud is that it never, ever goes down – We can’t say that about any of the other clouds,’” Ellison said. “We think this is a critical differentiator – availability.”

On December 10, another “major AWS incident caused significant disruption to multiple services,” according to ThousandEyes, which referred to it as an “outage aftershock.” That incident started at 13:05 UTC and lasted more than an hour, resolving at approximately 14:30 UTC, ThousandEyes said.

Five days later, AWS was hit with another outage, which lasted about 45 minutes. That outage impacted AWS and other Amazon-owned services like Twitch, Amazon.com and Ring. Users also reported issues with services including Intuit QuickBooks, Okta, Cisco-owned Duo Security and DoorDash.

“Between 7:14 AM PST and 7:59 AM PST, customers experienced elevated network packet loss that impacted connectivity to a subset of Internet destinations,” said AWS in a service status tweet.

ThousandEyes said the December 15 incident occurred within the main AWS network, with “traffic from sources both inside and outside AWS” getting dropped.

“In the first incident (on December 7), AWS devices performing critical functions involving traffic forwarding and network address translation (NAT) were overwhelmed,” said ThousandEyes. “In today’s incident (December 15), a large increase in traffic loss similarly suggests that some network functions in the data path, such as routing or NAT, were not able to operate at normal capacity (for an, as yet, unknown reason), preventing full reachability of apps and services.”

On December 22, AWS was hit with yet another outage that resulted from a “loss of power within a single data center within a single Availability Zone (USE-AZ4) in the US-East-1 Region,” said AWS in a service dashboard update. AWS restored power to all “instances and network devices” by 6:13 a.m. But five hours later, AWS was still working on recovering remaining instances and volumes.

“We believe this is related to the way in which the data center lost power, which has led to failures in the underlying hardware that we are working to recover,” said AWS. “While EC2 instances and EBS volumes that have recovered continue to operate normally within the affected data center, we are working to replace hardware components for the recovery of the remaining EC2 instances and EBS volumes. We have multiple engineers working on the underlying hardware failures and expect to see recovery over the next few hours.”

6. CompuCom: Hit By DarkSide Ransomware, Sold In $305M Private Equity Deal

CompuCom, No. 46 on the 2021 CRN SP500, told customers in early March that it had suffered a DarkSide ransomware attack after the hackers acquired administrative credentials for the Office Depot subsidiary.

The ransomware group started by installing Cobalt Strike beacons on several systems in the environment of Dallas-based CompuCom, according to a ‘Customer FAQ Regarding Malware Incident’ document shared with BleepingComputer. Cobalt Strike is a commercial adversary-simulation tool built to test an organization’s defenses against advanced tactics and procedures, and it is widely abused by attackers for the same post-compromise access it gives legitimate red teams.

The Cobalt Strike beacons gave remote adversaries access to the network to steal data and spread to other machines, according to BleepingComputer. As a result, BleepingComputer said the hackers were able to achieve their objective of deploying the ransomware.

The malware attack forced CompuCom to temporarily suspend certain services to certain customers, while other services not directly impacted by the malware continued to be delivered to customers throughout March, Office Depot said.

The Fort Mill, S.C.-based Office Depot subsidiary said it wasn’t able to substantially restore its service delivery capabilities until March 17, 16 days after the malware attack took place.

CompuCom ended the year by announcing on December 31 that it had been sold to an affiliate of Variant Equity Advisors, a Los Angeles-based equity firm specializing in corporate divestitures, for up to $305 million.

Variant will pay up to $305 million via a mix of cash, an interest-bearing promissory note, and a contingent future earn out.

The deal, which is significantly lower than the $1 billion Office Depot paid in 2017 for CompuCom, could open the door for rival Staples to execute on its planned acquisition of Office Depot.

The sale of CompuCom has been expected ever since Office Depot, a leading provider of business services and supplies and technology, early last year unveiled a bid by rival Staples.

USR Parent, the corporate name of Staples, in January offered to acquire Office Depot in a $2.1 billion deal. As part of that deal, Staples proposed the eventual divestiture of Office Depot’s business-to-business-focused holdings, including IT managed service provider CompuCom.

Office Depot in May also unveiled plans to separate into two organizations. The first consists of the company’s retail consumer and small business services, which are sold through e-commerce and about 1,100 retail Office Depot and OfficeMax locations.

5. VMware: Targeted By Conti Ransomware With Log4j Exploit

There are few software vendors with the installed base of multicloud/virtualization kingpin VMware.

With the Log4j exploit – what one prominent security executive called a “Fukushima moment for cybersecurity” – that installed base became an attractive target for the Russian Conti ransomware group.

Conti, it was revealed, was using the Log4j flaw to move laterally to vulnerable VMware vCenter servers, making it the first major ransomware gang known to be weaponizing the massive bug.

AdvIntel – a leading cybersecurity threat prevention company – reported on December 17 that Conti’s campaign resulted in the ransomware operator obtaining access to victims’ vCenter networks across the United States and Europe.

The Log4j exploit sent shockwaves throughout the industry given how frequently that open-source library is used to develop enterprise software. Vulnerable code can be found in products from some of the most prominent technology vendors, such as Cisco and IBM, as well as businesses serving the MSP community, such as ConnectWise and N-able.

VMware is one of the most susceptible vendors to Log4j exploits, with the critical bug potentially allowing for remote code execution in nearly 40 of the Palo Alto, Calif.-based virtualization giant’s tools. The company disclosed that both the Windows-based and virtual vCenter appliances have vulnerable Log4j code as does the vCenter Cloud Gateway, with patches not yet available for any of these products.

“A malicious actor with network access to an impacted VMware product may exploit these issues to gain full control of the target system,” VMware wrote in a security advisory first issued on Dec. 10.

“Any service connected to the internet and not yet patched for the Log4j vulnerability (CVE-2021-44228) is vulnerable to hackers, and VMware strongly recommends immediate patching for Log4j,” according to a VMware statement released to CRN.

“It is only a matter of time until Conti and possibly other groups will begin exploiting Log4j2 to its full capacity,” AdvIntel CEO Vitali Kremez and Head of Research Yelisey Boguslavskiy wrote in a ransomware advisory. “It is recommended to patch the vulnerable system immediately and view Log4j2 as a ransomware group exploitation vector.”

VMware said it expects to fully address the critical vulnerability by updating Log4j to version 2.16 in forthcoming releases of vCenter Server. But for now, the virtualization giant is offering workarounds that it cautions are “meant to be a temporary solution only,” according to VMware Knowledge Base articles.

The Log4j exploit impact came after a year of momentous changes for VMware which appointed longtime VMware technologist Raghu Raghuram as its new CEO in May. Raghuram replaced former CEO Pat Gelsinger who left to take the CEO job at Intel in January.

Among the executives that left VMware this year: Sanjay Poonen, former global chief operating officer who oversaw all of VMware’s sales, alliances and customer operations; Sanjay Jindal, who led VMware’s national partners and commercial sales for nearly nine years before leaving the company to lead Facebook’s WhatsApp global partner sales; and former VMware Cloud Services General Manager Fidelma Russo, who was hired as the new CTO of Hewlett Packard Enterprise.

4. Dell: Channel Conflict On PCs, Partner Account Manager Cuts; Conflict Spreads To Infrastructure Systems Group

Dell, which launched its first channel program 14 years ago, was hit with charges of channel conflict in the fall as the company moved aggressively to capture a larger share of PC sales in North America.

The channel conflict concerns arose with Dell cutting the number of partner account managers (PAMs) in North America, reducing the ranks of veteran channel managers and slashing the on-target earnings (OTE) for rep positions by as much as 30 percent, sources told CRN.

Executives at multiple top Dell partners, all Platinum level or higher, told CRN they have lost highly respected, veteran partner managers that were best in class and have been replaced by PAMs with less experience who are being compensated at a lower pay level.

The stepped-up client direct sales charge, sources told CRN, was being driven by Dell Technologies North America President John Byrne. They told CRN that Byrne, a onetime fierce channel advocate, had informed Dell partner reps that taking client business direct is a “top priority.”

“The way I see it is the Dell direct reps are now in competition with the channel on client systems,” said the CEO of a national Dell solution provider who has already seen one of his company’s recent Dell PC deals taken direct. “This is a direct kick in the face to the VAR community. Based on how this all plays out, it will force partners to become uber aggressive to try to take Dell out to protect their turf.”

When asked how he would describe Dell’s client systems sales strategy: direct-led, partner-led or channel neutral, Byrne responded: “All of the above. We want both routes. We want both to be growing and both to be growing dramatically. We are taking share from HP, Lenovo and other competitors in this space.”

As to whether he recently directed both channel and direct reps to move Dell’s client business to a direct-first sales model versus partner-led, Byrne reiterated, “We want both routes of market to grow—both direct and channel.”

Nearly three months after the initial CRN report on Dell channel conflict, CRN reported in December that the conflict was getting worse, moving beyond PCs into lucrative storage, server and hyperconverged infrastructure deals.

Some of Dell’s most strategic solution providers said the conflict has reached a breaking point, forcing them to shift resources toward Dell competitors that won’t battle them in the sales trenches.

“Dell direct is our biggest competitor,” said the president of a longtime Dell Titanium partner, who went all-in with Dell after its $67 billion acquisition of EMC five years ago and is now shifting deals to Lenovo. “It’s not just for client systems anymore. Our biggest issue across the board is the Dell direct mentality, because there are just no checks and balances. … It’s just like the Wild West out there.”

Dell’s direct sales team recently swooped into one of the solution provider’s longtime existing customers that he’s been selling Dell storage infrastructure and services to for years and undercut his team’s price for the project, which included a large order for servers and VMware licensing, the executive said.

“Losing that deal cost our company hundreds of thousands of dollars of operating income, millions of dollars of revenue, and tens of thousands of dollars of services,” said the frustrated solution provider.

In an exclusive interview with CRN, Bill Scannell, president of global sales and customer operations at Dell Technologies, vehemently denied that there is widespread channel conflict.

“Are there a couple of partners that have an issue?” asked Scannell rhetorically in an interview with CRN. “I’m sure they do. And as I’ve said to them on stage at FRS [Field Readiness Seminar, Dell’s sales kickoff] and at the partner Advisory Boards—call us. I’m [email protected]—publish that. If people have an issue, call me. Our partners are our most important assets. It’s our route to markets. It’s why we’re growing so well.”

Several partners told CRN they will look closely at the new Dell partner program terms and conditions, rules of engagement and incentives for Dell’s new fiscal year, which begins Feb. 1, 2022.

“Let’s see where [Chairman and CEO] Michael [Dell] and [Vice Chairman and Co-Chief Operating Officer] Jeff [Clarke] decide to put their bets related to the channel in fiscal year 2023,” said a top executive from a Titanium Black partner.

3. Accenture: Hit By Ransomware Attack

Accenture, the $50.5 billion global solution provider with 624,000 employees, No. 1 on the 2021 CRN SP500, became the latest behemoth to fall victim to cyber-criminals when it confirmed in August that it was hit by a ransomware attack.

A hacker group using the LockBit ransomware reportedly threatened to release the company’s data and sell insider information.

CNBC reporter Eamon Javers Wednesday first broke the news about the attack in a tweet, writing that the hacker group in a post on the Dark Web wrote, “These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you’re interested in buying some databases, reach us.”

Accenture, in an emailed response to a request for information from CRN, confirmed the ransomware attack, but said there was no impact on the company.

The hacker group behind the attack made a ransom demand for $50 million, according to a cybersecurity firm that reported seeing the demand. LockBit demanded $50 million in exchange for more than 6 TB of data, according to a tweet from Cyble, a dark web and cybercrime monitoring firm.

Accenture said it did not have any updates to its original statement, saying that it “contained the matter and isolated the affected servers” and that “there was no impact on Accenture’s operations, or on our clients’ systems.”

The lack of public disclosure from Accenture about the attack on its systems has been a missed opportunity by an IT heavyweight to help others in the industry become better informed about the ransomware threat, solution providers told CRN.

“They’re trying to limit the brand tarnishing to themselves. But I just feel like it sets a bad example in this day and age,” said Dave Mahoney, cybersecurity practice lead and enterprise services architect at Blue Bell, Pa.-based Anexinet, No. 213 on CRN’s Solution Provider 500 for 2021. “I wish they would’ve said, ‘We’re going to be open and honest and candid, so that we can all shut down digital extortion as a thing in this world.’”

Several days after reportedly discovering the LockBit ransomware breach of its systems, Accenture released a cybersecurity report that included ransomware as a focus—but did not mention the attack on the IT consultancy.

Accenture released a “global incident response analysis” on Aug. 4, which highlighted ransomware as one of the top current threats in cybersecurity.

According to a report from cybersecurity news site CyberScoop, Accenture had spotted the LockBit ransomware attack on its systems on July 30.

Michael Goldstein, CEO of LAN Infotech, a Fort Lauderdale, Fla., solution provider, said the Accenture breach was yet another call to action for every company to review their security technology posture and procedures. “If a $45 billion company like Accenture is vulnerable then everyone is vulnerable,” he told CRN.

2. Microsoft: Exchange Hack, Security Criticism And Microsoft 365 Fee Increase Backlash

Microsoft – the number one software maker in the world with $168.1 billion in annual sales – is a perennial target for the biggest and baddest cyber criminals. This year was no exception, with Microsoft’s Exchange server hit in what ended up being one of the largest attacks in history. An estimated 30,000 U.S. organizations and 60,000 organizations globally were hit by the Exchange server attack.

Ten different advanced hacking groups took advantage of four zero-day flaws in on-premises versions of Exchange to compromise small and mid-sized businesses at will.

The attack came to light on March 2 when Microsoft said the hackers took advantage of previously unknown vulnerabilities to carry out what Microsoft characterized as limited and targeted attacks against on-premises Exchange servers. This enabled access to victim email accounts, which in turn allowed for the installation of additional malware that paved the way for long-term access.

The campaign took on a terrifying dimension when Microsoft admitted that hackers had begun deploying DearCry ransomware on victim systems after hacking into Exchange servers that remained unpatched. For at least one of the victims, the DearCry ransomware operators demanded a ransom of $16,000, according to BleepingComputer.

The Exchange server hack came just weeks after Microsoft had touted the benefits of cloud technology over on-premises software. “Cloud technologies like Microsoft 365, Azure and the additional premium layers of services available as part of these solutions improve a defender’s ability to protect their own environment,” wrote Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity, in a blog post in February that referred to the infamous SolarWinds hack in December 2020 as a “moment of reckoning.”

George Kurtz, the CEO of CrowdStrike and one of the most vocal critics of the software giant’s security posture, testified before the U.S. Senate that “systemic weaknesses” in Microsoft’s Windows “authentication architecture” exacerbated the SolarWinds breach. In an interview with CRN published in August, Kurtz said: “In other technologies, you can’t necessarily just steal passwords and use those encrypted passwords to authenticate to something. But in the Microsoft world, you literally can steal an encrypted password, without even decrypting it, and then pass that hash to another Microsoft system and access the system as if you knew what the password was.”

Kurtz told investors during an earnings call in August that a Fortune 500 company ditched Microsoft’s security products and deployed CrowdStrike’s managed detection and response (MDR) platform after suffering a crippling ransomware attack.

Kurtz did not identify the company but noted that the customer experienced a long and difficult deployment process with Microsoft’s legacy security products, particularly in low bandwidth environments where endpoint performance is critical.

The group behind the SolarWinds attack went after Microsoft partner credentials and access once again in late 2021, when Microsoft disclosed that the SolarWinds hackers had targeted more than 140 IT resellers and service providers, and compromised as many as 14 of them, since May 2021 in a new surveillance effort.

The Russian foreign intelligence service (SVR) has set its sights on resellers and other service providers in a months-long campaign to gain administrative-level access and spy on their customers, Microsoft said on October 24. The campaign came months after the SVR compromised nine federal agencies as well as more than 100 private sector organizations through a backdoor planted in the SolarWinds Orion network monitoring tool.

“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” said Tom Burt, Microsoft’s corporate vice president of customer security and trust, in a blog post. Nobelium is Microsoft’s name for the actor, which is attributed to the SVR and is also tracked as APT29 and Cozy Bear.

Downstream customers of resellers and service providers are also being targeted by the SVR in the attack, Microsoft said. In these cases the customers had granted delegated administrative privileges to the resellers and service providers, allowing the solution provider to manage the customer’s tenant as if it were an administrator inside the customer’s own organization, Microsoft said.

By stealing credentials and compromising accounts at the service provider level, Microsoft said, the SVR could take advantage of those delegated administrative privileges and use that access to extend the attack downstream through externally facing VPNs or other tools that provide network access to the customer environment.

Besides the security issues, Microsoft faced a backlash from partners over a 20 percent surcharge on month-to-month Microsoft 365 subscriptions, which is expected to take effect in March 2022.

An online petition launched by a solution provider CEO urged Microsoft to reconsider the 20 percent fee on monthly Microsoft 365 subscriptions, with the petition garnering more than 1,765 signatures.

Month-to-month subscriptions “have been an invaluable tool to help with cost reduction during COVID and other economic events. Adding an addition[al] 20 percent on these types of SKUs seems almost punitive in nature and, given the already 15 percent increase, is extreme,” the Change.org petition states.

It goes on to say, “If this policy goes into effect, it will cause ripple effects with our vendors like Ingram, Synnex and Pax8 and many others, as they struggle to implement this change in their automatic procurement portals and try to handle the additional price change management. Help us make sure this increase doesn’t go into effect in 2022 by signing.”

1. Kaseya: REvil Ransomware Breach Sends Shock Waves Through The Channel

The Fourth of July holiday weekend provided MSPs with plenty of fireworks in the form of what has come to be known as one of the biggest ransomware heists in the history of computing.

Kaseya, an MSP platform mainstay, was the victim, with the blockbuster breach of its on-premises VSA remote monitoring and management tool by the Russia-based REvil ransomware gang.

The cyberattack compromised more than 60 MSPs and 1,500 of their end-user customers, who were locked out of their systems while the cybercriminals demanded a record $70 million ransom to decrypt them.

Kaseya CEO Fred Voccola told CRN that the ransomware gang that attacked Kaseya demanded ransom payments from end-user organizations while passing over Kaseya and its MSPs.

The attack, however, ultimately left more than 36,000 MSPs without access to Kaseya’s flagship VSA product for nearly ten days as the company worked on a patch for the on-premises version of VSA. Kaseya also kept the more widely used SaaS version of VSA offline as a precautionary measure.

Kaseya said the cybercriminals were able to exploit vulnerabilities in its VSA tool to bypass authentication and execute arbitrary commands. This allowed REvil to use VSA’s standard functionality, the same mechanism MSPs use to push software to managed machines, to deploy ransomware to customer endpoints.

A researcher from the Dutch Institute for Vulnerability Disclosure (DIVD) had warned Kaseya about one of the vulnerabilities that REvil ended up exploiting nearly three months later. Kaseya had resolved four of the vulnerabilities disclosed by DIVD through patches released April 10 and May 8, but three remained unresolved heading into late June, according to DIVD.

The attack was yet another reminder that MSPs are prime targets because cybercriminals can reach hundreds and sometimes thousands of customers in one fell swoop through a single MSP’s management tooling.

Voccola, for his part, apologized to MSPs after the attack. “The fact that we had to take down VSA is very disappointing to me personally,” he said. “I feel like I let this community down, I let my company down, [and] our company let you down.”

Voccola told CRNtv in July that Kaseya would pay “millions of dollars of restitution for all of its customers who have suffered for this, whether they were breached or whether they were just held offline for two, three, four, five or six days. We will take care of it financially.” But in an interview with CRN published on Nov. 2 Voccola would not discuss whether Kaseya would reimburse MSPs impacted by the breach. “We don‘t disclose what we do financially,” he told CRN.

Michael Crean, president and CEO of Solutions Granted, a master MSSP that aided MSPs hit by the attack, told CRN that the MSP community needs to “become more forceful” with the RMM and VSA providers. “This is the world that we live in, unfortunately,” he said.