SentinelOne Detects and Blocks New Variant of Powershell CryptoWorm

Introduction

Late last year, Marco Ramilli posted an article about an in-memory PowerShell/WMI CryptoWorm. Here at SentinelOne, we found a new, actively spreading variant of this CryptoWorm. In this post we review what is new in this variant and suggest how to remove it from an infected network.

What’s new in this version?

Communication

This CryptoWorm communicates over HTTP. It uses an IP address for the main server and DNS names as a fallback.

Figure 1 – Command-and-Control Servers Fallback

The malicious addresses are 195.22.127.93 and the subdomains of windowsdefenderhost.club (port 8000). Unlike the previous CryptoWorm version, the server now replies with a 403 Forbidden HTTP error code if the content is requested by anything other than PowerShell. The worm can also update itself from its CNC server: it checks its own version against the version written in the ver.txt file on the server, and if a higher version is available, it downloads it and updates itself.

Figure 2 – Version Control

Right now, the CryptoWorm version is 1.4. It has two PowerShell scripts, one for each operating system architecture: info3.ps1 for 32-bit and info6.ps1 for 64-bit.

Persistency

The malware uses a WMI timer for persistence: it sets a timer and pairs it with a WMI event consumer. The current version uses the names `SCM Events Log Filter` and `SCM Events Log Consumer` for the timer filter and the event consumer. The previous version used `SCM Event Filter` and `SCM Event Consumer` respectively.

Spreading

Like the older version, this worm uses a few methods to spread across the network. It steals credentials by reflectively loading Mimikatz with Invoke-ReflectivePEInjection.

It then spreads using Invoke-WMIExec and a PowerShell implementation of EternalBlue. Finally, it runs its installation command on the remote machine.

Block SMB Connections

The CryptoWorm blocks incoming SMB connections to the infected machines, probably to prevent other malware from spreading with the same methods, deleting the CryptoWorm, or competing for the CPU.

Figure 3 – Firewall Blocking Rules

Conclusion

SentinelOne customers need not worry about any version of this CryptoWorm, because the SentinelOne agent detects and blocks it with the Behavioral AI engine starting from agent version 2.0. For readers who don’t have SentinelOne, here is how to remove this CryptoWorm from their network:

It is cumbersome to run the same command on all the network computers simultaneously. Because of that, the most difficult part of removing a worm from your network is preventing it from spreading back from other computers to a newly cleaned computer.

Therefore, in order to remove this worm, we first recommend blacklisting its remote command lines. This measure prevents it from spreading back again.

Afterwards, we recommend killing the CryptoWorm PowerShell process, removing its firewall rules, and removing the WMI timer filter and the WMI event consumer.

Here is a remover PS script that deletes the firewall rules and removes the WMI entries. It should be run as administrator.

In the Appendix, we detail the relevant command lines and IPs to block.
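The following hunt-and-clean script is an added example, not the remover script referred to above and not SentinelOne code. It uses the filter and consumer names given in the Persistency section and the C2 IP from the IOCs; it assumes the consumer is a CommandLineEventConsumer in root\subscription and that a consumer-launched PowerShell runs as a child of WmiPrvSE.exe, while the timer name, the worm's firewall rule names and the "Block CryptoWorm C2" rule name are not on the page and are treated as review items or placeholders.

```powershell
# Added example: report (default) or remove (-Remove) the WMI persistence described
# in the post, kill the consumer-spawned PowerShell, and block the C2 IP. Run as admin.
param([switch]$Remove)

$ns             = 'root\subscription'
$knownFilters   = @('SCM Events Log Filter', 'SCM Event Filter')       # v1.4 / older names
$knownConsumers = @('SCM Events Log Consumer', 'SCM Event Consumer')
$c2Ip           = '195.22.127.93'   # DNS fallback (windowsdefenderhost.club subdomains)
                                    # belongs in a DNS/proxy blocklist, not a host rule

function Find-WormSubscriptions {
    # Returns the filter, consumer and binding instances whose names match the write-up.
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter |
                   Where-Object { $knownFilters -contains $_.Name })
    $consumers = @(Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer |
                   Where-Object { $knownConsumers -contains $_.Name })
    # A binding stores its endpoints as object paths, e.g. __EventFilter.Name="SCM Events Log Filter"
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
                   Where-Object {
                       $b = $_
                       ($knownFilters   | Where-Object { $b.Filter   -like "*Name=`"$_`"*" }) -or
                       ($knownConsumers | Where-Object { $b.Consumer -like "*Name=`"$_`"*" })
                   })
    [pscustomobject]@{ Filters = $filters; Consumers = $consumers; Bindings = $bindings }
}

function Show-WormArtifacts {
    # Report mode: print matches, the consumer command line, and items that need review.
    $found = Find-WormSubscriptions
    $found.Filters   | ForEach-Object { Write-Host "Filter   : $($_.Name)  Query: $($_.Query)" }
    $found.Consumers | ForEach-Object { Write-Host "Consumer : $($_.Name)  Cmd: $($_.CommandLineTemplate)" }
    $found.Bindings  | ForEach-Object { Write-Host "Binding  : $($_.Filter) -> $($_.Consumer)" }
    # Assumption: the post does not name the worm's timer, so every interval timer is listed for review.
    Get-WmiObject -Namespace $ns -Class __IntervalTimerInstruction |
        ForEach-Object { Write-Host "Timer    : $($_.TimerId) every $($_.IntervalBetweenEvents) ms (review)" }
    # Assumption: the worm's inbound SMB block rules (Figure 3) are not named in the text;
    # list inbound block rules touching port 445 so they can be reviewed before deletion.
    Get-NetFirewallRule -Direction Inbound -Action Block -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
        ForEach-Object { Write-Host "FW rule  : $($_.DisplayName) (inbound block on 445, review)" }
}

function Remove-WormArtifacts {
    # Delete bindings first so the filter and consumer are unreferenced, then delete those.
    $found = Find-WormSubscriptions
    foreach ($obj in ($found.Bindings + $found.Filters + $found.Consumers)) {
        Write-Host "Deleting $($obj.__CLASS) $($obj.__RELPATH)"
        $obj.Delete()
    }
    # Assumption: a PowerShell started by a CommandLineEventConsumer is a child of WmiPrvSE.exe,
    # which separates the worm's process from interactive or scripted sessions.
    foreach ($p in (Get-WmiObject Win32_Process -Filter "Name='powershell.exe'")) {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        if ($parent -and $parent.Name -eq 'WmiPrvSE.exe') {
            Write-Host "Killing PID $($p.ProcessId): $($p.CommandLine)"
            Stop-Process -Id $p.ProcessId -Force
        }
    }
    # Block the C2 IP outbound so the host cannot fetch the scripts or a new version again.
    # 'Block CryptoWorm C2' is a placeholder rule name chosen for this example.
    if (-not (Get-NetFirewallRule -DisplayName 'Block CryptoWorm C2' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block CryptoWorm C2' -Direction Outbound `
            -RemoteAddress $c2Ip -Action Block | Out-Null
    }
}

if ($Remove) { Remove-WormArtifacts } else { Show-WormArtifacts }
```

Run it once without `-Remove` on a suspect host to confirm the names match before cleaning, since the interval timer and firewall rule listings are for manual review.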

Demo

In this demo, we run the fileless CryptoWorm, which is downloaded from its real CNC server straight into memory.

It shows the SentinelOne agent detecting and blocking it.

Appendix


IOCs

Malicious IP and domain addresses:

  • 195.22.127.93
  • windowsdefenderhost.club

Malicious files (SHA1 hashes):

  • Info3.ps1 – 266D7C2E7F48EB0C1778EBCF76658575982BA41E
  • Info6.ps1 – ABAAC4E9005BFE692AA583DDBD10AA5429E49F87

Malicious Command Lines

Available here.

The post SentinelOne Detects and Blocks New Variant of Powershell CryptoWorm appeared first on SentinelOne.

Okta introduces ‘Sign in with Okta’ service

Consider that there are millions of Okta users out there using the service to sign into their company applications with a single set of credentials. Yet getting customers to work together using Okta authentication was an enormous task for developers. Okta wanted to simplify it, so it created a service it is calling ‘Sign in with Okta.’

The new API allows developers to add a few lines of code and give Okta customers the ability to sign into one another’s websites, much as OAuth lets you use your Google or Facebook credentials to sign onto consumer sites.

Frederic Kerrest, COO and co-founder at Okta, says the ‘Sign in with Okta’ uses an extension of OAuth called OpenID Connect, which his company has been supporting since 2016. He says the new service gives customers the ability to expand the use of their Okta credentials beyond their own set of internal applications to sign into customer and partner sites. This extends the Okta functionality and brand and helps to make it a kind of standard way of logging in (or that’s the hope).

When developers add this functionality, the user sees a “Sign in with Okta” button on the website or service they are accessing. They can then use their Okta login to get into these sites under whatever rules the site owner has defined.

Site with ‘Sign in with Okta’ button. Photo: Okta

While Okta has provided APIs for developers prior to today, they didn’t provide a package like this that simplifies the process. This forced developers to use the SAML standard to make it work. While there’s nothing wrong with this approach, it can be time-consuming and put a lot of burden on developers to write software and connectors, while updating and maintaining them, Kerrest explained. This removes all of that complexity from the process.

This means that when two businesses are on Okta, they can trust one another because they do business together, and instead of setting up the SAML connection, a process that could take days, they can do it in an hour with the Okta API tool, according to Kerrest.

“[Sign in with Okta] is a much easier way for customers or partners to seamlessly integrate into our environment. They could do it before, but we are ‘widgetizing’ it now,” he said.

Square brings its Stand for iPad tablets to the UK

Square, the company that provides payments and other business services to merchants, is today taking another step in its gradual expansion outside of the U.S. Stand — one of Square’s key pieces of hardware, turning an iPad into a point of sale system — is launching in the U.K.

It will sell for £64 (+VAT) and will be sold alongside existing products that Square offers in the U.K. — Square Reader, its Point of Sale app, Instant Deposit, Virtual Terminal and Cash app. (Square Register, the company’s all-in-one product for larger businesses that sells for $999, is not yet available outside the U.S.)

The move comes just over a year after Square launched in the U.K., its first market in Europe, and also on the heels of a big move from two of its biggest competitors: last week, PayPal said it would acquire iZettle, sometimes referred to as “the Square of Europe,” for $2.2 billion.

Those two developments underscore both the challenges and opportunities ahead for Square.

On the one hand, the company is tapping into a big market opportunity by creating services that cater to the often-overlooked small and medium business sector — and the Stand, which extends a tablet into a more interactive payment terminal, plays into that.

On the other hand, the consolidation underway between iZettle and PayPal points to how stronger competitors — PayPal’s market cap is nearly four times that of Square — going after the same business as Square, will put pressure on the company. (As a point of comparison, iZettle’s tablet stands range in price from £49 to £99.)

Square may be smaller, but it has picked up a lot of loyalty for its services and innovations. Square says that today the company has two million business customers using its products globally. It doesn’t break out numbers by geography or product. But given how many merchants use more than just a phone to take payments and run other sales software (a phone being the basic building block of Square’s original card payment processor), it was a much-requested feature.

“Square Stand was built to provide sellers with a unique and beautiful solution that makes taking in-person payments simple, elegant and fast,” said Jesse Dorogusker, Square’s hardware lead and designer of the Stand. “Sellers in the U.K. have been asking for a full countertop solution for their businesses since we first introduced Square.”

Despite its popularity and how it seemed to appear and take off amid a surge of smartphone and tablet adoption and use in the U.S., Square has taken a very deliberate route when it’s come to growing outside its home country, where payment methods, regulations and languages might all be different. Today, the company has operations in the United States, Canada, Japan, Australia and the U.K. It also has an office in Ireland but not active payments or other business.

Asked about where Square might like to go next, the company has remained mum.

“Nothing to share on that front,” a spokesperson said. “We are just getting started here in the U.K. and iterating fast to bring new services to market. Since we entered the U.K. market in 2017 we have continued to bring our U.K. sellers important products at a steady pace.”

Box expands Zones to manage content in multiple regions

When Box announced Zones a couple of years ago, it was providing a way for customers to store data outside the U.S., but there were some limits. Each customer could choose the U.S. and one additional zone. Customers wanted more flexibility, and today the company announced it is allowing them to choose multiple zones.

The new feature gives a company the ability to store content across any of the 7 zones (plus the U.S.) that Box currently supports across the world. A zone is essentially a Box co-location datacenter partner in a given location. The customer can now choose a default zone and then manage multiple zones from a single customer ID in the Box admin console, according to Jeetu Patel, chief product officer at Box.

Current Box Zones. Photo: Box

Content will go to a defined default zone unless the admin creates rules specifying another location. In terms of data sovereignty, the file will always live in the country of record, even if an employee outside that country has access to it. From an end user perspective, they won’t know where the content lives if the administrators allow access to it.

This may not seem like a huge deal on its face, but from a content management standpoint, it presented some challenges. Patel says the company designed the product with this ability in mind from the start, but it took some development time to get there.

“When we launched Zones we knew we would [eventually require] multi-zone capability, and we had to make sure the architecture could handle that,” Patel explained. They did this by abstracting the architecture to separate the storage and business logic tiers. Creating this modular approach allowed them to increase the capabilities as they built out Zones.

It doesn’t hurt that this feature is being made available just days before the EU’s GDPR data privacy rules are going into effect. “Zones is not just for GDPR, but it does help customers meet their GDPR obligations,” Patel said.

Overall, Zones is part of Box’s strategy to provide content management services in the cloud and give customers, even regulated industries, the ability to control how that content is used. This expansion is one more step on that journey.

InVision design tool Studio gets an app store, asset store

InVision, the startup that wants to be the operating system for designers, today introduced its app store and asset store within InVision Studio. In short, InVision Studio users now have access to some of their most-used apps and services from right within the Studio design tool. Plus, those same users will be able to shop for icons, UX/UI components, typefaces and more from within Studio.

While Studio is still in its early days, InVision has compiled a solid list of initial app store partners, including Google, Salesforce, Slack, Getty, Atlassian, and more.

InVision first launched as a collaboration tool for designers, letting designers upload prototypes into the cloud so that other members of the organization could leave feedback before engineers set the design in stone. Since that launch in 2011, InVision has grown to 4 million users, capturing 80 percent of the Fortune 100, raising a total of $235 million in funding.

While collaboration is the bread and butter of InVision’s business, and the only revenue stream for the company, CEO and founder Clark Valberg feels that it isn’t enough to be complementary to the current design tool ecosystem. Which is why InVision launched Studio in late 2017, hoping to take on Adobe and Sketch head-on with its own design tool.

Studio differentiates itself by focusing on the designer’s real-life workflow, which often involves mocking up designs in one app, pulling assets from another, working on animations and transitions in another, and then stitching the whole thing together to share for collaboration across InVision Cloud. Studio aims to bring all those various services into a single product, and a critical piece of that mission is building out an app store and asset store with the services too sticky for InVision to rebuild from scratch, such as Slack or Atlassian.

With the InVision app store, Studio users can search Getty from within their design and preview various Getty images without ever leaving the app. They can then share that design via Slack or send it off to engineers within Atlassian, or push it straight to UserTesting.com to get real-time feedback from real people.

InVision Studio launched with the ability to upload an organization’s design system (typefaces, icons, logos, and hex codes) directly into Studio, ensuring that designers have easy access to all the assets they need. Now InVision is taking that a step further with the launch of the asset store, letting designers sell their own assets to the greater designer ecosystem.

“Our next big move is to truly become the operating system for product design,” said Valberg. “We want to be to designers what Atlassian is for engineers, what Salesforce is to sales. We’ve worked to become a full-stack company, and now that we’re managing that entire stack it has liberated us from being complementary products to our competitors. We are now a standalone product in that respect.”

Since launching Studio, the service has grown to more than 250,000 users. The company says that Studio is still in Early Access, though it’s available to everyone here.

Central Park Feature Glance – Analyze View Improvements

In this Central Park blog post we will focus on the enhancements made to the Analyze View within the SentinelOne console. 

First, a bit of background. If you are unfamiliar with the Analyze View in versions before Central Park, it was a tab within the SentinelOne console that provided the following functionality:

  1. Threats – A historical reference of all threats found within the environment
  2. Applications – A listing of all applications discovered within the environment
  3. Applications by Agents – A listing of applications discovered for a given endpoint

Below is a screenshot showing these details:

So why the need for improvement? Although previous versions captured all threat-related data, the problem was that it was not easy to search through this data. With Central Park we have fixed that! We still capture all of the threat data that you need, but now we can apply an array of filters to search through it. The filters include both pre-built criteria and free text search. This makes searching much easier and more robust, not to mention that it will also save you time. Below are a few examples of this enhancement:

Example 1: Search across all endpoints for a given user login (i.e. which workstations a user logged into). In this example I generated a “Free Text Search” for the user “Gary”. Keep in mind that Free Text Search can also accommodate many other values, such as IP address, machine name, MAC address, domain, etc.

Example 2: Search for all threats that were convicted by a specific engine. In this example I am conducting a search that shows all threats convicted by our Behavioral-AI engine (DBT-Executables).

Example 3: Search for all threats that were classified as “Exploit”. Keep in mind that there are over 25 different classifications we now assign to threats.

On top of making our search abilities much more robust, we have taken things a step further and made our searches actionable. In other words, once you have generated a search, you can act on the results directly from within the search interface.

Here is an example of a search for a given threat and the actions available. In this case you could take a bulk action for a given threat, such as Disconnect from Network, Remediation (Kill, Quarantine, Rollback), Mark as Resolved, etc. Additionally, with Central Park, similar threats are now consolidated into a single view. This is also reflected in the example below.

In summary, this enhancement not only makes searching much more robust, it also simplifies taking action. All of which will save you time!

In our next Central Park blog we will focus on our enhanced reporting capabilities.

The post Central Park Feature Glance – Analyze View Improvements appeared first on SentinelOne.

Fiix raises $12M to smooth out the asset maintenance process

As sensors become cheaper and easier to install, the whole process of maintaining equipment and assets is starting to shift from just scrambling to fix problems to getting a hold of issues before they get out of control.

That’s opened the door for startups like Fiix, which are creating workflow software that helps companies manage equipment and assets. That software enables companies to keep a close eye on equipment and resolve issues quickly before they become more complex to the point of costing companies hundreds of thousands of dollars to fix. Every percentage point of efficiency, for some operations, can translate to revenue significant enough to the point that this kind of software is an easy sell. Fiix said today it has raised $12 million in a new financing round led by BuildGroup.

“It was one of the last bastions of enterprise software that’s yet to go through the same disruption that every other major software company [has gone through],” COO James Novak said. “If you look at human resource software, CRM software, accounting software, they’ve all gone through the same transition. This market was one of the last ones to go through that transition.”

Fiix takes the process of managing work orders, assets and inventories and throws it all into a set of software that’s designed to be easier to use when compared to existing complex asset management software. That includes making sure all of this is available on a phone, where managers and employees can monitor what kinds of work orders are in progress, approve them, or issue them. That’s designed to remove some of the time barriers that may keep managers from starting the maintenance process.

But because there’s a lot of money to be made here, there’s going to be an increasing amount of competition. Already, there are startups like UpKeep, which came out of Y Combinator’s winter class last year. By giving managers a way to prioritize and get work orders done quickly, employees and managers can have a more real-time level of communication — which means they can spot problems earlier and earlier, and keep things running smoothly.

Okera raises $12M to simplify data governance within companies

As companies start to gather more and more data on their users and customers, including a firehose of information from a nigh-endless flow of tests, managing and maintaining that data isn’t the only place companies are hitting a wall — and figuring out who can actually access it is becoming just as big of a problem.

That was the experience Amandeep Khurana had throughout his career and as he kept talking to more and more larger companies. So he and his co-founder decided to start Okera, which is looking to make it easier for stewards of various sets of data to ensure the right people have the right access. With data coming in from a myriad of sources — and hopefully ending up in the same database — it can be increasingly complex to track who has access to what, and the hope is that Okera can reduce that problem to flipping a few switches.

Okera is coming out of stealth mode and said it has raised a new $12 million financing round led by Bessemer Venture Partners, with existing investors Felicis Ventures and Capital One Growth Ventures participating. Bessemer’s Ethan Kurzweil and Felicis’ Wesley Chan are joining the company’s board of directors, and Okera has raised $14.6 million to date.

“I was very underwhelmed by what other vendors were offering, there was pretty much nothing happening,” co-founder Khurana said. “There were not a lot of good solutions, and no vendor was incentivized to solve the problem. What we’d hear is, [employees] were spending so much time in data management and plumbing. We saw a trend — as more and more enterprises are moving into the cloud, so they can be agile, these problems amplified. There is a lot of friction around data management, and people spent a lot of time and resources and money making one-off solutions.”

Part of the problem stems from larger companies looking to move their operations into the cloud. Those companies can run into the problem of data coming in from various discrete locations, where everyone is handling something differently, and everyone has varying levels of access to that data. For example, an analyst might be trying to dig into some customer usage data in order to tweak a product, but they only have access to half of the records they need. To fix that, they would need to hunt down the people who are in control of the rest of the information they need and get the right copies or permissions to access it. All of this includes a robust audit trail for those handling security within the company.

It is going to be an increasingly crowded space just by virtue of the problem, especially as companies collect more and more data while they look to better train various machine learning models. There are startups like Collibra also looking to improve the data governance experience for companies, and Collibra raised an additional $58 million in January this year.

But streamlining all this, in theory, reduces the overhead of just how much time it takes for those employees to hunt down the right people, and also make sure it’s easier to access everything and get to work faster. For modern systems, it’s an all-or-nothing approach, Khurana said, and the goal is to try to make it easier for the right people to get access to the right data when they need it. That isn’t necessarily limited to analysts, as employees in sales, marketing, and other various roles might also need access to certain databases in their day-to-day jobs.

Parabola raises $2.2 million to simplify programming for employees stuck in Excel all day

While knowledge workers are handling increasingly difficult tasks — ones that may be much easier to handle with just a Python script — Alex Yaseen thinks that in the future not everyone will actually need to learn how to code.

Instead, he hopes that tools like the one he’s building, called Parabola, will bridge that gap between the complex technical problems and otherwise nontechnical employees. Instead of running through massive Excel spreadsheets, Parabola is designed to make it easier for employees who might not be highly technical to piece together the kinds of processes that will help automate mundane tasks that run through each action. The company said it has raised a new $2.2 million financing round led by Matrix Partners.

“The logical version of the future doesn’t look like everyone coding by running Python or whatever language,” Yaseen said. “It’s a very valid opinion, but we talked a lot with various investors about that perspective of the future where all knowledge workers have to increasingly be more productive to compete. We thought about how we could bridge that gap by giving nontechnical people these tools to work like an engineer without being an engineer.”

At its core, Parabola is a more visually oriented way of designing a workflow where users can piece together a complex work problem in a kind of flowchart piece by piece. These are all functions that you might find built into Excel or other spreadsheet tools, like Google Sheets, but Parabola is a tool that is designed to make it easier to automate all those updates into new fields, as well as make the model pretty flexible and easy to manipulate.

Parabola is designed to take those account executives or salespeople that run through hundred-plus-step processes in order to do their jobs through dozens of Excel tabs. Users can figure out how to describe those steps in Parabola and then begin executing them without having to constantly tweak formulas and ensure that everything is operating properly. At the same time, Parabola is designed to ensure that the whole experience feels like a spreadsheet, where making small changes causes the whole data set to update — something that nontechnical users actually gravitate toward, Yaseen said.

“The reason people love using spreadsheets even though they’re not the right tool for most of these experiences, is that they can make a change and see things immediately,” Yaseen said. “Nontechnical people don’t adapt to [an engineering] mindset, they value the process of making a change and everything updating. That’s one of our hypotheses, and other tools don’t give you those options, and therefore are not really geared to a true nontechnical user.”

Still, the whole idea of trying to simplify programming down to something that’s more palatable for a nontechnical user is both a significant challenge and a very crowded market. There are many approaches to the problem, though Yaseen says they target different niches or use cases, like Airtable or Zapier — many of which have raised large sums of money. But some companies have different demands and users may gravitate toward different options, so those aren’t the direct competition. Instead, the competition is larger firms hiring engineers to handle all these processes in the back-end, as well as users just sitting in Excel all day.

Dropbox beefs up mobile collaboration in latest release

Dropbox announced several enhancements today designed to beef up its mobile offering and help employees on the go keep up with changes to files stored in Dropbox.

In a typical team scenario, a Dropbox user shares a file with a team member for review or approval. If they wanted to check the progress of this process, the only way to do it up until now was to send an email or text message explicitly asking whether the person had looked at it yet, which is not a terribly efficient workflow.

Dropbox recognized this and has built a fix into the latest mobile release. Now users can simply see who has looked at or taken action on a file directly from the mobile application without having to leave it.

In addition, those being asked to review files can see those notifications right at the top of the Home screen in the mobile app, making the whole feedback cycle much more organized.

Photo: Dropbox

Joey Loi, product manager at Dropbox says this is a much more streamlined way to understand activity inside of Dropbox. “With this feature, we think about the closing loop on collaboration. At its heart, collaboration is feedback flows. When I change something on a file, there are a few steps before [my co-worker] knows I’ve changed it,” Loi explained. With this feature that feedback loop can close much faster.

The company also changed the way it organizes and displays files putting the files that you opened most recently at the top of the Home screen, which is somewhat like Recents in Google Drive. It also provides a way to favorite a file and puts those files that are most important at the top of the list, making it easier to find the files that are likely most important to you more quickly when you access the mobile app.

Finally, you can now drag and drop a file from an email into a Dropbox folder on mobile.

While none of these individual updates are earth shattering changes by any means, they do make it easier for users to access, share and work with files in Dropbox on a mobile device. “All the features are to help teams collaborate and be efficient on mobile,” Loi said.