Ryuk Malware Outbreak Cripples L.A. Times and Tribune Papers Nationally

On the evening of December 29, 2018, the Los Angeles Times reported a malware attack that disrupted delivery of newspapers across Tribune Publishing’s national network of papers. Several individuals with knowledge of the Tribune breach said the attack appeared to involve “Ryuk” ransomware. SentinelOne blocks Ryuk pre-execution with its static AI engine and on-execution with its behavioral AI engine. Ryuk highlights the importance of a security solution like SentinelOne that provides defense in depth and resists tampering by the malware it is meant to stop.

At SentinelOne, our global research team has seen Ryuk on the rise since the summer of 2018. As the LA Times/Tribune breach shows, legacy AV and backup solutions aren’t sufficient to combat what the U.S. Department of Health and Human Services’ cybersecurity program dubs a “highly targeted, well-resourced and planned” attack. Aside from evading legacy AV, Ryuk also stops third-party backup services, including Acronis, SQLSafe, Veeam and Zoolz, so that on-host backups cannot be relied on for recovery.

“Every market across the company was impacted,” said Marisa Kollias, spokeswoman for Tribune Publishing. She declined to provide specifics on the disruptions, but the company’s properties include the Chicago Tribune; Baltimore Sun; Capital Gazette in Annapolis, Md.; Hartford Courant; New York Daily News; South Florida Sun Sentinel and Orlando Sentinel.

At SentinelOne, we help our customers stay out of the news, even if they’re in the news business. With the right defenses in place, the Tribune would be enjoying the New Year’s holiday weekend and its subscribers would be reading their papers.

To learn more about Ryuk ransomware and how SentinelOne provides autonomous prevention, detection and response capabilities that thwart this malware, check out our blog covering the rise of Ryuk.


Happy 9th Birthday, KrebsOnSecurity!

Hard to believe we’ve gone another revolution around the Sun: Today marks the 9th anniversary of KrebsOnSecurity.com!

This past year featured some 150 blog posts, but as usual the biggest contribution to this site came from the amazing community of readers here who have generously contributed their knowledge, wit and wisdom in more than 10,000 comments.

Speaking of generous contributions, more than 100 readers have expressed their support in 2018 via PayPal donations to this site. The majority of those funds go toward paying for subscription-based services that KrebsOnSecurity relies upon for routine data gathering and analysis. Thank you.

Your correspondence and tips have been invaluable, so by all means keep them coming. For the record, I’m reachable via a variety of means, including email, the contact form on this site, and of course Facebook, LinkedIn, and Twitter (direct messages are open to all). For more secure and discreet communications, please consider reaching out via Keybase, Wickr (krebswickr), or Signal (by request).

Many of you have requested a redesign to make this site more mobile-friendly. We’d targeted for that to happen in 2018, but multiple unforeseen circumstances conspired to delay that project this year. Rest assured, that long-overdue change will be coming soon in 2019. Thanks for your patience.

Below are some of the most-read and commented-on enterprise stories throughout 2018, a year marked by a relentless onslaught of data breaches, data leaks and increasingly sneaky scams. It seems unlikely that 2019 will be any different, and while I will endeavor to keep readers abreast of the latest threats and trends, I’m also interested to hear what you would like to see more of in the coming year. So please sound off in the comments below or drop me a note.

By the way, if you’d prefer to keep up with KrebsOnSecurity posts via email, please consider signing up for the newsletter (expect ~3-4 emails per week).

Thanks again for your readership, encouragement and support. Happy New Year!

A Chief Security Concern for Executive Teams

What the Marriott Breach Says About Security

Half of All Phishing Sites Now Have the Padlock

Voice Phishing Scams Are Getting More Clever

Hanging Up on Mobile in the Name of Security

Google: Security Keys Neutralized Employee Phishing

Plant Your Flag, Mark Your Territory

Panerabread.com Leaks Millions of Customer Records

Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers

Don’t Give Away Historical Details About Yourself

7 Signs You Have a Weak Password

As we usher in the New Year, it’s as good a time as any to think about password security. Is it time to refresh those stale and potentially leaked passwords you’ve been hanging on to for so long? Possibly. December 2018 saw yet another huge data breach, this time at question-and-answer site Quora, with over 100 million user passwords said to have been leaked. If you haven’t already followed our advice for beating holiday season cybercriminals, let us offer you another opportunity to push yourself in the right direction!

How Criminals Get Your Password

Password theft can occur in multiple ways, from phishing and keylogging to shoulder surfing and mass data breaches like the Quora one mentioned above. In a breach, plain-text password dumps are the dream ticket for cybercriminals, but dumps of hashed passwords, like Quora’s, are of great value too. A password hash isn’t directly reversible (there’s no way to take the hash and decode it), but hashes are deterministic: the same input string always produces the same hash. If that weren’t so, hashes would be useless for verifying a password at login. Thus the SHA-256 of “hello world” is the same 64-hex-digit value every time it is computed, on any machine.

Given that determinism, password crackers can precompute tables of the hashes of common words and known passwords and then look up the hashes revealed in a data dump. (A per-password random salt, stored alongside the hash, breaks this shortcut: the same password then hashes differently for every user, so a precomputed table no longer matches.)

[Image: SHA-256 hash of the password “123456”]

If criminals find the hash of, say, 123456 in the dump, they can simply search their tables for that hash and discover it belongs to the most popular password of the last six years running. That hash, and millions of others generated from plain-text dumps and password-cracking utilities, is sure to be in every cracker’s lookup tables.
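As an added example (not code from the original article), the following Python shows the lookup attack just described against unsalted SHA-256 digests, and why a per-user random salt defeats the same precomputed table. The wordlist and the “leaked dump” are constructed here for illustration; the password values come from the SplashData list quoted later in the article.

```python
"""Added example: matching leaked, unsalted password hashes against a precomputed
lookup table, and why a per-user salt defeats that table. The wordlist and the
'leaked dump' below are constructed for illustration."""
import hashlib
import os

# Constructed mini wordlist; a real cracker's table holds billions of entries.
WORDLIST = ["123456", "password", "qwerty", "iloveyou", "sunshine", "hello world"]


def sha256_hex(text: str) -> str:
    """SHA-256 is deterministic: the same input always yields the same digest."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext once; each leaked hash is then an O(1) lookup."""
    return {sha256_hex(w): w for w in words}


def crack_dump(leaked_hashes, table):
    """Return {digest: plaintext} for every leaked digest present in the table."""
    return {h: table[h] for h in leaked_hashes if h in table}


def salted_sha256_hex(password: str, salt: bytes) -> str:
    """Per-user random salt: the same password now yields a different digest for
    every user, so a table built from unsalted digests never matches."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def demo():
    """Run the attack against a constructed dump and a salted hash of the same password."""
    table = build_lookup_table(WORDLIST)
    # Constructed "dump": three unsalted digests; the third password is not in the wordlist.
    dump = [
        sha256_hex("123456"),
        sha256_hex("sunshine"),
        sha256_hex("correct horse battery staple"),
    ]
    cracked = crack_dump(dump, table)
    # Same weak password, but salted per user: no hit in the unsalted table.
    salted = salted_sha256_hex("123456", os.urandom(16))
    salted_hit = salted in table
    return cracked, salted_hit


if __name__ == "__main__":
    cracked, salted_hit = demo()
    for digest, plaintext in cracked.items():
        print(f"{digest}  ->  {plaintext}")
    print("salted hash found in table:", salted_hit)
```

Salting only defeats precomputation; a salted SHA-256 is still fast enough to guess billions of candidates per second, which is why password storage should use a deliberately slow, salted function (bcrypt, scrypt or Argon2) rather than a plain hash.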

[Image: the five most popular passwords]

Signs of a Weak Password

There are several tell-tale signs that you’re using a password that can easily be cracked, but beware of online services that claim to test your password strength: they’re not all reliable. For example, a 2017 study found that

the password password$1 is deemed “Very Weak” by Dropbox, “Weak” by Apple, “Fair” by Google and “Very Strong” by Yahoo!

Earlier work concluded much the same thing, with Twitter and FedEx serving up very different conclusions to Dropbox and Google about password strength of the same password string:

[Image: strength ratings given to the same password by different sites]

The explanation for these differences revolves around two competing demands on good password choice: security versus usability. Password strength meters typically try to make a compromise between what makes something difficult to crack with what makes something memorable enough to be usable. Studies have shown that when employers try to enforce uncrackable passwords on staff, it can have a negative impact on productivity. As a result, many employees try to circumvent restrictive workplace password policies. Also:

For e-commerce sites like eBay, portals like Yahoo! and order accepting sites like Kaspersky, usability is very crucial because every login event is a revenue opportunity. Anything that undermines user experience impairs the success of the business. So they tend to have less restrictive password policies.

While password strength meters may at least provide one indication of password vulnerability (a warning that a password is weak shouldn’t be ignored), there are also a number of things you can check yourself to avoid creating a weak password. Here are seven signs of a weak password:

1. Your password is widely used by others

Every year SplashData compiles a list of the worst (i.e., most common) passwords. Here’s their top 25 for 2018; make sure yours isn’t in it!

1     123456    (Rank unchanged from last year)
2     password    (Unchanged)
3     123456789 (Up 3)
4     12345678 (Down 1)
5     12345 (Unchanged)
6     111111 (New)
7     1234567 (Up 1)
8     sunshine (New)
9     qwerty (Down 5)
10    iloveyou (Unchanged)
11    princess (New)
12    admin (Down 1)
13    welcome (Down 1)
14    666666 (New)
15    abc123 (Unchanged)
16    football (Down 7)
17    123123 (Unchanged)
18    monkey (Down 5)
19    654321 (New)
20    !@#$%^&* (New)
21    charlie (New)
22    aa123456 (New)
23    donald (New)
24    password1 (New)
25    qwerty123 (New)

2. Your password is a superhero, plus a number

Batman, Spiderman, Supergirl and friends may be cool in some contexts, but not in passwords. Think of every superhero in popular culture, add some iconic movie characters like Neo and Trinity from the Matrix, Mr Spock and Captain Kirk from Star Trek, and you’ve still only got a couple of thousand words for hackers to add to their hash tables.

Ah, of course, but you added a number to it for extra security, right? In an analysis of over 10 million leaked passwords, nearly half a million were found to end with a number between 0 and 99.

a decent password cracker can very easily append a number, or several thousand, to its dictionary of words or brute-force approach

Rules that append a number, or a whole range of numbers, to every word in a dictionary are trivial to write for any password-cracking tool, and the extra candidates take only seconds to test.

[Image: a regex matching a dictionary word followed by digits]

3. Your password contains your birthdate

Birthdates are one of the things many naive users will instantly think of when creating a password, as it’s the simplest thing for almost everybody to remember. Unfortunately, it’s also information that is easily discovered by bad actors. Many social media sites will require or encourage users to input their birthdate, and who doesn’t like getting lots of birthday cheers on Facebook?

Hackers, of course, know this and they know how to find this data. It’s also a trend that seems common among younger users, so a guess of the present year minus anything between 13 and 30 years is another easy pattern for password crackers to test.

4. You’re too cool to care!

In 2018, “whatever”, “blahblah” and “trustno1” were the 91st, 66th and 79th most popular passwords, respectively. Being original is incredibly hard, and password attackers are ready for society’s disenchanted!

5. Your password is a word backwards

This, too, isn’t as original as many people naively suppose. Reversing a word doesn’t improve the security of a bad password in the slightest, since it’s the easiest thing for a hacker to do in one line of code in almost every scripting and programming language ever invented.

[Image: reversing a string in a single line of bash]

6. Your password is a keyboard pattern

What do the following random-looking passwords have in common, aside from being easily crackable?

  • 1q2w3e
  • 1qaz2wsx
  • zxcvbnm
  • !@#$%^&*

Well, two things, actually. First, they are all in the top 100 most commonly used passwords for 2018; secondly, they are all based on keyboard patterns.

7. Your password is too short

What’s a good password length that is both secure and memorable? Against a fast, unsalted hash, anything under 10 characters is easy to crack. A 6-character password drawn from a 74-character set (upper and lower case letters, numerals and common special characters) has only about 1.6 × 10^11 possibilities and can be exhausted in 0.16 seconds, which works out to roughly a trillion guesses per second:

[Image: table of brute-force cracking times by password length]

And surprisingly, shorter isn’t necessarily more memorable. There are ways to remember even the longest passwords. Compare this difficult-to-remember 12-character string:

[Image: a random 12-character string]

with this lengthy passphrase, which contains all the same special characters:

[Image: a 35-character passphrase]

A passphrase of 35 characters is far beyond brute-force reach at any realistic guess rate, in anyone’s lifetime.
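As an added example (not code from the original article), the Python below puts numbers on sections 2 through 7: it applies the cheap “mangling” rules a cracker uses against a small base wordlist (case variants, a trailing 0–99, a birth-year suffix, the reversed word, keyboard walks) and counts how few guesses are needed, then contrasts that with the keyspace of a genuinely random password of a given length. The base words, the leaked digests and the 10^12 guesses-per-second rate are constructed assumptions; real rule sets for hashcat or John the Ripper are far larger.

```python
"""Added example (not from the original article): mangling rules that cover the
superhero-plus-number, birth-year, reversed-word and keyboard-pattern habits
from sections 2, 3, 5 and 6, plus the keyspace arithmetic behind section 7.
Base words, leaked digests and the guess rate are constructed assumptions."""
import hashlib
import math

# Constructed base list: a few pop-culture names and one dictionary word.
BASE_WORDS = ["batman", "spiderman", "supergirl", "neo", "trinity", "spock", "kirk", "password"]
# Keyboard walks of the kind quoted in section 6.
KEYBOARD_PATTERNS = ["1q2w3e", "1qaz2wsx", "zxcvbnm", "!@#$%^&*", "qwerty", "qwerty123"]


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _unique(seen, items):
    """Yield only candidates not already tried, so the guess count is honest."""
    for c in items:
        if c not in seen:
            seen.add(c)
            yield c


def mangle(words, year=2019):
    """Generate candidates from each base word: case variants and the reversed word
    (section 5), a trailing 0-99 (section 2) and a birth-year suffix of
    year-13 .. year-30 (section 3). Keyboard walks are appended as-is (section 6)."""
    seen = set()
    for w in words:
        variants = [w, w.capitalize(), w.upper(), w[::-1], w[::-1].capitalize()]
        for v in variants:
            yield from _unique(seen, [v])
            yield from _unique(seen, (f"{v}{n}" for n in range(100)))
            yield from _unique(seen, (f"{v}{year - k}" for k in range(13, 31)))
    yield from _unique(seen, KEYBOARD_PATTERNS)


def crack(leaked_hashes, candidates):
    """Hash each candidate once and match it against the leak.
    Returns (cracked {digest: plaintext}, number of guesses made)."""
    targets = set(leaked_hashes)
    cracked, guesses = {}, 0
    for c in candidates:
        guesses += 1
        h = sha256_hex(c)
        if h in targets:
            cracked[h] = c
            if len(cracked) == len(targets):
                break
    return cracked, guesses


def brute_force_seconds(length, alphabet_size=74, guesses_per_second=1e12):
    """Worst-case time to exhaust every password of the given length over the
    alphabet. 1e12 guesses/s is an assumption; it reproduces the 0.16 s quoted
    above for 6 characters over 74 symbols (74**6 is about 1.6e11)."""
    return alphabet_size ** length / guesses_per_second


def bits_of_entropy(length, alphabet_size=74):
    """Entropy of a uniformly random password: each character adds log2(74) bits."""
    return length * math.log2(alphabet_size)


def demo(year=2019):
    """Constructed leak: four unsalted SHA-256 digests of weak passwords."""
    weak = ["Batman42", "namtab", "1qaz2wsx", "spock1995"]
    leak = [sha256_hex(p) for p in weak]
    cracked, guesses = crack(leak, mangle(BASE_WORDS, year=year))
    return sorted(cracked.values()), guesses


if __name__ == "__main__":
    found, guesses = demo()
    print(f"cracked {found} in {guesses} guesses")
    for n in (6, 8, 10, 12, 35):
        print(f"{n:2d} chars: {bits_of_entropy(n):6.1f} bits, "
              f"exhaustive search {brute_force_seconds(n):.3g} s")
```

Eight base words expand to under five thousand candidates, all of which fall in well under a second, whereas each additional genuinely random character multiplies the work by 74. The point is not the specific numbers but the asymmetry: predictable structure costs the attacker almost nothing, while length costs them everything.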

Passwords The Right Way

Avoiding these common pitfalls will help reduce your chances of having your passwords cracked if they are hoovered up in some mass data breach during 2019 or later. However, user-created passwords are always going to be prone to predictability, and hackers have the best tool for parsing predictable human-created data: computers that can run automated scripts!

The only sure way to defeat cracking attempts is to use a long, random password with high entropy that is unique to each site. Our advice is to use a good password manager to both create and store passwords and, wherever available, turn on 2FA or a similar authenticator protocol.

On top of that, don’t forget to change any password promptly when the service it protects is breached or you suspect it has been exposed; current guidance (NIST SP 800-63B) favours that over rotating on a fixed schedule. With passwords protecting some of your most vital assets, what could be a better resolution to start New Year 2019?


Salesforce keeps rolling with another banner year in 2018

The good times kept on rolling this year for Salesforce with all of the requisite ingredients of a highly successful cloud company — the steady revenue growth, the expanding product set and the splashy acquisitions. The company also opened the doors of its shiny new headquarters, Salesforce Tower in San Francisco, a testament to its sheer economic power in the city.

Salesforce, which set a revenue goal of $10 billion a few years ago is already on its way to $20 billion. Yet Salesforce is also proof you can be ruthlessly good at what you do, while trying to do the right thing as an organization.

Make no mistake, Marc Benioff and Keith Block, the company’s co-CEOs, want to make obscene amounts of money, going so far as to tell a group of analysts earlier this year that their goal by 2034 is to be a $60 billion company. Salesforce just wants to do it with a hint of compassion as it rakes in those big bucks and keeps well-heeled competitors like Microsoft, Oracle and SAP at bay.

A look at the numbers

In the end, a publicly traded company like Salesforce is going to be judged by how much money it makes, and Salesforce it turns out is pretty good at this, as it showed once again this year. The company grew every quarter by over 24 percent YoY and ended up the year with $12.53 billion in revenue. Based on its last quarter of $3.39 billion, the company finished the year on a $13.56 billion run rate.

This compares with $9.92 billion in total revenue for 2017 with a closing run rate of $10.72 billion.

Even with this steady growth trajectory, it might be some time before it hits the $5 billion-a-quarter mark and checks off the $20 billion goal. Keep in mind that it took the company three years to get from $1.51 billion in Q1 2016 to $3.1 billion in Q1 2019.

As for the stock market, it has been highly volatile this year, but Salesforce is still up. Starting the year at $102.41, it was sitting at $124.06 as of publication, after peaking on October 1 at $159.86. The market has been on a wild ride since then and cloud stocks have taken a big hit, warranted or not. On one particularly bad day last month, Salesforce had its worst day since 2016 losing 8.7 percent in value,

Spending big

When you make a lot of money you can afford to spend generously, and the company invested some of those big bucks when it bought MuleSoft for $6.5 billion in March, making it the most expensive acquisition it has ever made. With MuleSoft, the company filled a missing link between data sitting on-prem in private data centers and Salesforce data in the cloud.

MuleSoft helps customers build access to data wherever it lives via APIs. That includes legacy data sitting in ancient data repositories. As Salesforce turns its eyes toward artificial intelligence and machine learning, it requires oodles of data, and MuleSoft was worth opening up the wallet to provide the company with that kind of access to a variety of enterprise data.

Salesforce 2018 acquisitions. Chart: Crunchbase.

But MuleSoft wasn’t the only thing Salesforce bought this year. It made five acquisitions in all. The other significant one came in July when it scooped up Datorama for a cool $800 million, giving it a marketing intelligence platform.

What could be on board for 2019? If Salesforce sticks to its recent pattern of spending big one year, then regrouping the next, 2019 could be a slower one for acquisitions. Consider that it bought just one company last year after buying a dozen in 2016.

One other way to keep revenue rolling in comes from high-profile partnerships. In the past, Salesforce has partnered with Microsoft and Google, and this year it announced that it was teaming up with Apple. Salesforce also announced another high-profile arrangement with AWS to share data between the two platforms more easily. The hope with these types of cross pollination is that the companies can both increase their business. For Salesforce, that means using these partnerships as a platform to move the revenue needle faster.

Compassionate capitalism

Even while his company has made big bucks, Benioff has been preaching compassionate capitalism using Twitter and the media as his soap box.

He went on record throughout this year supporting Prop C, a referendum question designed to help battle San Francisco’s massive homeless problem by taxing companies with greater than $50 million in revenue — companies like Salesforce. Benioff was a vocal proponent of the idea, and it won. He did not find kindred spirits among some of his fellow San Francisco tech CEOs, openly debating Twitter CEO Jack Dorsey on Twitter.

Speaking about Prop C in an interview with Kara Swisher of Recode in November, Benioff talked in lofty terms about why he believed in the measure even though it would cost his company money.

“You’ve got to really be mindful and think about what it is that you want your company to be for and what you’re doing with your business and here at Salesforce, that’s very important to us,” he told Swisher in the interview.

He also talked about how employees at other tech companies were driving their CEOs to change their tune around social issues, including supporting Prop C, but Benioff had to deal with his own internal insurrection this year when 650 employees signed a petition asking him to rethink Salesforce’s contract with the U.S. Customs and Border Protection (CBP) in light of the current administration’s border policies. Benioff defended the contract, stating that Salesforce tools were being used internally at CBP for staff recruiting and communication and not to enforce border policy.

Regardless, Salesforce has never lost its focus on meeting lofty revenue goals, and as we approach the new year, there is no reason to think that will change. The company will continue to look for new ways to expand markets and keep their revenue moving ever closer to that $20 billion goal, even as it continues to meld its unique form of compassion and capitalism.

Serial Swatter and Stalker Mir Islam Arrested for Allegedly Dumping Body in River

A 22-year-old man convicted of cyberstalking and carrying out numerous bomb threats and swatting attacks — including a 2013 swatting incident at my home — was arrested Sunday morning in the Philippines after allegedly helping his best friend dump the body of a housemate into a local river.

Suspects Troy Woody Jr. (left) and Mir Islam, were arrested in Manila this week for allegedly dumping the body of Woody’s girlfriend in a local river. Image:  Manila Police Dept.

Police in Manila say U.S. citizens Mir Islam, 22, and Troy Woody Jr., 21, booked an Uber to pick them up at Woody’s condominium in Mandaluyong City, and when the driver arrived the two men stuffed a large box into the trunk of the vehicle.

According to the driver, Islam and Woody asked to be driven to a nearby shopping mall, but told the driver along the way to stop at a compound near the Pasig River in Manila, where the two men allegedly dumped the box before getting back in the Uber.

The Inquirer reports that authorities recovered the box and identified the victim as Tomi Michelle Masters, 23, also a U.S. citizen from Indiana who was reportedly dating Woody and living in the same condo. Masters’ Instagram profile states that she was in a relationship with Woody.

Brooklyn, NY native Islam, a.k.a. “Josh the God,” has a long rap sheet for computer-related crimes. He briefly rose to Internet infamy as one of the core members of UGNazi, an online mischief-making group that claimed credit for hacking and attacking a number of high-profile Web sites.

On June 25, 2012, Islam and nearly two-dozen others were caught up in an FBI dragnet dubbed Operation Card Shop. The government accused Islam of being a founding member of carders[dot]org — a credit card fraud forum — trafficking in stolen credit card information, and possessing information for more than 50,000 credit cards.

JoshTheGod’s (Mir Islam’s) Twitter feed in April 2012, warning fellow members of the carding forum Carderprofit that the forum was being run by the FBI.

In June 2016, Islam was sentenced to a year in prison for an impressive array of crimes, including stalking people online and posting their personal data on the Internet. Islam also pleaded guilty to reporting phony bomb threats and fake hostage situations at the homes of celebrities and public officials (as well as this author).

At that 2016 sentencing, Islam’s lawyer argued that his client suffered from multiple psychological disorders, and that he and his co-conspirators orchestrated the swattings out of a sense of “anarchic libertarianism.”

Islam was let out of prison under supervised release before serving the whole sentence, but soon was back inside after violating the terms of his release. Earlier this year, Islam filed a typosquatting lawsuit from prison that named Woody Jr. In that bizarre handwritten complaint (PDF), Islam refers to Woody variously as “TJ” and “Josh,” and says the two men were best friends and have known each other for eight years.

An anti-cybersquatting domain dispute filed by Mir Islam earlier this year while in jail. In it, Islam refers to Woody as “TJ” and says the two have been best friends for years.

Troy Woody Jr. describes himself as an “early crypto investor,” but sources say Woody — like Islam — was a core member of the UGNazi group who went by the nicknames “MrOsama,” and “Everlife.” His Instagram profile suggests he was in a relationship with Ms. Masters. Both are pictured in the first of the three large photos below, taken from Woody’s Instagram account.

The Instagram profile of Troy Woody Jr., a.k.a. “titled” and “MrOsama,” one of two Americans arrested today for allegedly dumping a woman’s body in a Manila river. The woman pictured on the left is believed to be the victim, identified as Woody’s condo roommate, Tomi Michelle Masters, 23.

People are innocent until proven guilty in a court of law, at least in the United States. But I can’t say any of this surprises me. Most I’ve encountered who were involved in serial swatting and stalking attacks definitely had a few screws loose and were fairly scary individuals. Case in point: Tyler Barriss, the 25-year-old admitted serial swatter and stalker who pleaded guilty to a swatting attack last year that ended with police shooting and killing an innocent, unarmed man.

A Review of Malware affecting macOS in 2018

As 2018 starts to wind down, we take a look at how the macOS security situation has unfolded throughout the year.

2018 has been very much the year of the RAT for macOS, with EmPyre leading the way as the post-exploitation framework of choice for several malware variants. EvilOSX, EvilEgg and a Java-based RAT also made appearances in the wild. Cryptocurrencies have also been big in the malware news this year, as bad actors have both targeted bitcoin wallets and used cryptocurrency utilities as lures to infect unsuspecting users. Cryptojacking remains on the rise, but is confined largely to the ever-present macOS adware problem.

Malware in Development

The year began with OSX.MaMi, a suspected macOS variant of an older Windows malware, DNSUnlocker. MaMi alters macOS’s SystemConfiguration.plist in order to hijack the victim’s DNS servers. The malware also contains logic for downloading and uploading files remotely, recording mouse clicks, taking screenshots and attempting privilege escalation.

[Image: OSX.MaMi disassembly]

In the same month, the Java-based CrossRAT was uncovered as part of the toolkit of the Dark Caracal APT, a group that gathers intelligence for national security purposes and offensive cyber capabilities, allegedly on behalf of the Lebanese government. CrossRAT is a multi-platform surveillance tool that manifests itself on macOS by writing a copy of itself to ~/Library/mediamgrs.jar and installing a user LaunchAgent for persistence.

Interestingly, or perhaps worryingly, both MaMi and CrossRAT had version numbers which indicate that they are in early development, and it would be no surprise to see more advanced versions of both surface in the future.

Lazarus APT

After two important discoveries right at the beginning of the year, things remained relatively quiet on the malware front until April, which saw the release of a cryptocurrency trading application named CelasTradePro. Attributed to the North Korean-linked APT group Lazarus, the malware consists of three parts: a trojan downloader inserted as an updater in CelasTradePro.app, a LaunchDaemon with the label “com.celastradepro.plist”, and the payload, initially dropped at /var/zdiffsec.

[Image: the CelasTradePro updater component]

It’s unclear whether this malware, dubbed OSX.AppleJeus, was a supply chain attack or whether the CelasTradePro.app was specifically created to infect cryptocurrency exchanges. In either case, the application had a valid developer signature and so easily bypassed Apple’s built-in security technologies.

WindShift APT

Although created at the end of April, the AppleJeus campaign was not discovered until August, and that month also brought news of yet another APT group targeting the Mac platform, WindShift APT. Although first believed to have targeted macOS as early as January last year, WindShift appears to have picked up its activity during 2018, as this figure (courtesy of DarkMatter) shows:

[Figure: WindShift (WindTail) activity timeline, courtesy of DarkMatter]

WindTail.A targets files on the victim’s machine having the following extensions: .txt .pdf .doc .docx .ppt .pptx .db .rtf .xls .xlsx and uses a LoginItem for persistence. The backdoor WindTape takes a screenshot of the current Desktop, sends it to a C2 server and deletes the local copy. It repeats this procedure every 5 seconds.

Essential to the infection chain of this particular malware is that Safari, by default, automatically unarchives .zip files when they are downloaded. Once the unarchived app bundle is on disk, macOS registers any custom URL scheme declared in its Info.plist, and the attacker’s web page can then invoke that scheme to launch the malicious software and continue the infection. As a matter of general safety, Safari users are always wise to uncheck the following setting in the General tab of Safari’s preferences:

[Image: Safari General preferences with “Open ‘safe’ files after downloading” unchecked]
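Pulling together the on-disk indicators named so far, here is an added triage script (not from the original article) that sweeps a root directory and a home directory for the CrossRAT drop path and LaunchAgent persistence, the AppleJeus LaunchDaemon label and payload path, and, on a live Mac only, reads the Safari auto-unarchive preference discussed above. Taking the root and home as parameters lets it run against a mounted image or a test fixture as well as a live system. The LaunchAgent heuristic and the Safari preference key name (AutoOpenSafeDownloads) are assumptions, not indicators taken from the article.

```shell
#!/bin/sh
# Added example, not from the original article: a triage sweep for the on-disk
# artefacts the text attributes to CrossRAT (~/Library/mediamgrs.jar plus a user
# LaunchAgent) and OSX.AppleJeus (LaunchDaemon labelled com.celastradepro,
# payload at /var/zdiffsec), plus a live-Mac check of the Safari setting that
# WindShift relies on. ROOT and HOME are parameters so the sweep can run against
# a mounted image or a test fixture. The LaunchAgent heuristic and the Safari
# preference key name are assumptions, not indicators from the article.

# Usage: scan_macos_iocs ROOT HOME   (on a live system: scan_macos_iocs / "$HOME")
# Prints one line per indicator found; prints nothing when the paths are clean.
scan_macos_iocs() {
    ioc_root="$1"
    ioc_home="$2"

    # CrossRAT writes a copy of itself to ~/Library/mediamgrs.jar.
    if [ -f "$ioc_home/Library/mediamgrs.jar" ]; then
        echo "CrossRAT: $ioc_home/Library/mediamgrs.jar"
    fi

    # OSX.AppleJeus: the LaunchDaemon plist and the initial payload location.
    for p in "$ioc_root/Library/LaunchDaemons/com.celastradepro.plist" "$ioc_root/var/zdiffsec"; do
        if [ -e "$p" ]; then
            echo "AppleJeus: $p"
        fi
    done

    # Assumed heuristic: a user LaunchAgent whose program lives inside the user's
    # own Library folder or in /tmp matches CrossRAT-style persistence; flag it.
    for plist in "$ioc_home"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        if grep -qF -e "$ioc_home/Library/" -e "/tmp/" -e "/private/tmp/" "$plist"; then
            echo "suspicious LaunchAgent: $plist"
        fi
    done
    return 0
}

# Live-Mac check only. Safari's "Open 'safe' files after downloading" is stored
# under the assumed key AutoOpenSafeDownloads and defaults to on; return 0 when on.
safari_auto_open_enabled() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "not macOS: skipping Safari check" >&2
        return 2
    fi
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)
    [ "$v" = "1" ]
}
```

Run `scan_macos_iocs / "$HOME"` on a suspect machine, or point both arguments at the mount point of an acquired disk image. A clean result only means these specific artefacts are absent; the labels and paths above are the ones reported in 2018 and are trivially changed by the attacker, so treat this as a first pass, not a clearance.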

The Weakest Links?

In July, OSX.Dummy made an appearance on a number of cryptomining chat groups. The attackers convinced victims to knowingly run a tool with elevated privileges because they believed it came from a trusted source. The scammers didn’t have to try too hard, either, as they offered the malware as an answer to a problem the victims had themselves sought help for. The tool installs a bash script which leverages Python to open a reverse shell:

[Image: OSX.Dummy reverse-shell script]

OSX.Dummy was so named because it took an extraordinary amount of compliance from the victim to successfully compromise a target. In that respect, at least, it is the polar opposite of the next malware to break in 2018. September saw what many considered the most unlikely source of threat: Apple’s own App Store. Software downloaded from the Mac App Store is trusted implicitly by Apple’s Gatekeeper, so it was no surprise that users without additional defences were left completely unprotected by a spate of approved apps exfiltrating personal data without permission. The offenders included Adware Doctor, Open Any Files, Dr AntiVirus, and Dr Cleaner. All were eventually removed from the store by Apple in September, though at least two of the offenders had been reported to Apple previously with no action taken.

The Other Side of the Coin

In October, CoinTicker marched onto the scene, delivering a trojan backdoor through a cryptocurrency price-ticker app. Combining the open-source post-exploitation tools EvilOSX and EggShell, CoinTicker appears to be a simple status bar app that displays the current trading prices of various cryptocurrencies. The app is functional, but at the same time it opens a reverse shell to let attackers in.

[Image: CoinTicker malware]

Thanks to the nature of the tools it leverages, attackers have a wide choice of functions once inside. One can assume that high among their priorities would be stealing victims’ cryptocurrency wallets.

Targeting cryptocurrency users didn’t stop there in 2018. In November, users of the Exodus cryptowallet were targeted in an email phishing campaign. The attackers had hoped to install malware based on the RealTimeSpy commercial spyware. Although there’s no suggestion the developers of RealTimeSpy were involved, there is no doubt that those behind the email campaign hoped to install a version of RealTimeSpy on victims’ computers. It’s reasonable to assume the aim was to steal the contents of bitcoin wallets, but this macOS spyware can also steal other personal data through screenshots and keylogging. In addition, the program is able to capture social networking activities and website visits.

[Image: keylogger output file keys.dat]

Festive Crackers

The year was rounded out by a busy December, with a (relative) rash of three malware discoveries within a week of each other. First came a fake cracking app for Adobe CC, OSX.DarthMiner, that leverages an Automator workflow to install a cryptominer via an EmPyre backdoor. OSX.LamePyre, a fake version of the Discord voice and text chat app for gamers, used a similar Automator workflow and EmPyre backdoor. The primary function of LamePyre seems to be to take regular screenshots of the victim’s Desktop and upload them to a C2 server.

[Image: the malicious Automator workflow]

It’s not clear whether these two related trojans were authored by the same actor or are simply some generic code recently traded on the DarkNet. We note that the fake Discord app appears to have been localized in Russian and contains some Russian text.

[Image: Russian-language strings in the fake Discord app]

Of course, there’s equally no way of telling whether those clues were left deliberately as misdirection or were a result of carelessness. Either way, we won’t be surprised to see these Automator-based trojans turning up again either before or after New Year 2019.

Finally, OSX.BadWord offered up a different kind of threat by exploiting a Microsoft Word for Mac sandbox escape and delivering a Meterpreter payload. The attackers appear to have weaponized a proof-of-concept first detailed back in August. Like similar Word-based attacks on Windows, this leverages a VBA macro to execute code and infect the user. OSX.BadWord appeared to be distributed via an email to staff of Quidax cryptocurrency platform, inviting them to contribute to “BitCoin Magazine UK”.


Also Ran

Aside from out-and-out malware, we’ve seen a number of adware installers acting as trojans for cryptominers this year, such as PPMiner, CreativeUpdate and SearchPageInstaller.

Adware in general remains a concern, particularly as we see adware developers increasingly expand their range of techniques and begin to cross the line into malware-like behaviour.


Overall, 2018 has seen increased targeting of the macOS platform by APT groups as well as by criminals intent on either cryptojacking or targeting those involved in cryptocurrency, both exchange staff and traders. Open-source post-exploitation kits like EmPyre have been the tool of choice for macOS malware over the last 12 months. We expect these trends to continue into 2019, and as ever, here at SentinelOne we’ll keep you posted, and protected.

Have a peaceful and secure festive season!


These 10 enterprise M&A deals totaled over $87 billion this year

M&A activity was brisk in the enterprise market this year, with 10 high-profile deals totaling almost $88 billion. Companies were opening up their wallets and pouring money into mega acquisitions. It’s worth noting that the $88 billion figure doesn’t include Dell paying investors more than $23 billion for VMware tracking stock to take the company public again or several other deals of over a billion dollars that didn’t make our list.

Last year’s big deals included Intel buying MobileEye for $15 billion and Cisco getting AppDynamics for $3.7 billion, but there were not as many big ones. Adobe, which made two large acquisitions this year, was mostly quiet last year, only making a minor purchase. Salesforce too was mostly quiet in 2017, only buying a digital creative agency, after an active 2016. SAP also made only one purchase in 2017, paying $350 million for Gigya. Microsoft was active buying nine companies, but these were primarily minor. Perhaps everyone was saving their pennies for 2018.

This year, by contrast, was go big or go home, and we saw action across the board from the usual suspects. Large companies looking to change their fortunes or grow their markets went shopping and came home with some expensive trinkets for their collections. Some of the deals are still waiting to pass regulatory hurdles and won’t be closing until 2019. Regardless, it’s too soon to judge whether these big-bucks ventures will pay the dividends that their buyers hope, or if they end up being M&A dust in the wind.

IBM acquires Red Hat for $34 billion

By far the biggest and splashiest deal of the year goes to IBM, which bet the farm to acquire Red Hat for a staggering $34 billion. IBM sees this acquisition as a way to build out its hybrid cloud business. It’s a huge bet and one that could determine the success of Big Blue as an organization in the coming years.

Broadcom nets CA Technologies for $18.5 billion

This deal was unexpected, as Broadcom, a chip maker, spent the second largest amount of money in a year of big spending. What Broadcom got for its many billions was an old-school IT management and software solutions provider. Perhaps Broadcom felt it needed to branch out beyond pure chip making, and CA offered a way to do it, albeit a rather expensive one.

SAP buys Qualtrics for $8 billion

While not anywhere close to the money IBM or Broadcom spent, SAP went out and nabbed Qualtrics last month just before the company was about to IPO, still paying a healthy $8 billion. The company believes that the new company could help build a bridge between SAP operational data inside its back-end ERP systems and Qualtrics customer data on the front end. Time will tell if they are right.

Microsoft gets GitHub for $7.5 billion

In June, Microsoft swooped in and bought GitHub, giving it a key developer code repository. It was a lot of money to pay, and Diane Greene expressed regret that Google hadn’t been able to get it. That’s because cloud companies are working hard to win developer hearts and minds. Microsoft has a chance to push GitHub users toward its products, but it has to tread carefully because they will balk if Microsoft goes too far.

Salesforce snares MuleSoft for $6.5 billion

Salesforce wasn’t about to be left out of the party in 2018, and in March the CRM giant announced it was buying API integration vendor MuleSoft for a cool $6.5 billion. It was a big deal for Salesforce, which tends to be acquisitive, but typically on smaller deals. This one was a key purchase though, because it gives the company the ability to access data wherever it lives, on premises or in the cloud, and that could be key for them moving forward.

Adobe snags Marketo for $4.75 billion

Adobe has built a strong company primarily on the strength of its Creative Cloud, but it has been trying to generate more revenue on the marketing side of the business. To that end, it acquired Marketo for $4.75 billion and immediately boosted its marketing business, especially when combined with the $1.68 billion Magento purchase earlier in the year.

SAP acquires CallidusCloud for $2.4 billion

SAP doesn’t do as many acquisitions as some of its fellow large tech companies mentioned here, but this year it did two. Not only did it buy Qualtrics for $8 billion, it also grabbed CallidusCloud for $2.4 billion. SAP is best known for managing back-office components with its ERP software, but this adds a cloud-based, front-office sales process piece to the mix.

Cisco grabs Duo Security for $2.35 billion

Cisco has been hard at work buying up a variety of software services over the years, and this year it added to its security portfolio when it acquired Duo Security for $2.35 billion. The Michigan-based company helps companies secure applications using their own mobile devices and could be a key part of the Cisco security strategy moving forward.

Twilio buys SendGrid for $2 billion

Twilio got into the act this year too. While not in the same league as the other large tech companies on this list, it saw a piece it felt would enhance its product set and it was willing to spend big to get it. Twilio, which made its name as a communications API company, saw a kindred spirit in SendGrid, spending $2 billion to get the API-based email service.

Vista snares Apptio for $1.94 billion

Vista Equity Partners is the only private equity firm on the list, but it’s one with an appetite for enterprise technology. With Apptio, it gets a company that can help companies understand their cloud assets alongside their on-prem ones. The company had been public before Vista bought it for $1.94 billion last month.

Crew, a Workplace and Slack messaging rival for shift workers, raises $35M, adds enterprise version

When it comes to shift workers communicating with each other in the workplace when they are not face-to-face, gone are the days of cork announcement boards. Now, the messaging app is the medium, and today one of the startups tackling that opportunity in a unique way has raised a round of funding to get to the next stage of growth.

Crew, a chat app that specifically targets businesses that employ shift workers who do not typically sit at computers all day, has now raised $35 million in Series C funding from DAG Ventures, Tenaya Capital and previous backers Greylock Partners, Sequoia Capital, Harrison Metal Capital and Aspect Ventures. With the funding news, it’s also announcing the launch of a new feature called Crew Enterprise, which helps businesses better manage messaging across large groups of these workers.

The funding and new product come on the heels of the company hitting 25,000 organizations using its service — many of them multi-store retailers with an emphasis on the food industry, household names like Domino’s Pizza and Burger King — with some strong engagement. Its users are together sending some 25 million messages or responses to other messages each week, on average six times per day per user, with more than 55 percent of its whole user base logging in on an average day.

There are quite a lot of messaging apps out in the market today, but the majority of them are aimed at so-called knowledge workers, people who might be using a number of apps throughout their day, who often sit at desks and use computers alongside their phones and tablets. Crew takes a different approach in that it targets the vast swathe of other workers in the job market and their priorities.

As it turns out, co-founder and CEO Danny Leffel tells me that those priorities are focused around a few specific things that are not the same as those for the other employment sector. One is to get the latest shift schedules for work, especially when they are not at work; another is to be able to swap those shifts when they need to; and a third, largely coming from the management end, is to make sure that everything gets communicated to the staff even when they are not in for work to attend a staff meeting.

“Some of the older practices feel like versions of a Rube Goldberg machine,” he said. “The stories we hear are quite insane.” Shift schedules, he said, are an example. “Lots of workplaces have rules, where you can’t call in to check the schedule because it causes employees to come off the floor. One hotel manager told us he couldn’t hold staff meetings with everyone there because he runs a 24/7 workplace so some people would have to come in especially. One store GM from a supermarket chain told us that the whole store has only one email address, so when an announcement goes out, the GM prints that and hands it to everyone. And the problems just compound when you talk to them.”

Crew is by no means the only business internal messaging service that is aiming to provide a product specifically for shift workers. Workplace, Facebook’s own take on enterprise communications, has also positioned itself as a platform for “every worker,” and has snagged a clutch of huge clients such as Walmart (2.2 million employees globally) and Starbucks (254,000) to fill out that vision.

Leffel, however, paints a slightly different picture of how this is playing out, since in many cases even when a company has been “won” as a global customer that hasn’t translated to a global rollout.

“Starbucks is theoretically using Workplace, but it’s been deployed only to managers,” he said. “We have almost 1,000 Starbucks locations using Crew. We knew we had a huge presence there, and we were worried when Facebook won them, but we haven’t seen even a dent in our business so far.”

Leffel has had some previous experience of getting into the ring with Facebook — although it hasn’t ended with him the winner. His previous startup, Yardsellr, positioned itself as the “eBay of Facebook,” working as a layer on top of the big social network for people to sell items. It died in 2013, when Facebook took a less friendly turn to Yardsellr using Facebook’s social graph to grow its own business (it was a time when it was cutting off apps from Zynga for similar reasons). Today, Facebook itself owns the experience of selling on its platform via Marketplace.

Crew seems to have found a strong foothold among enterprises in terms of its usefulness, not just use, which is one sign of how it might have more staying power.

A survey it conducted among 50,000 of its users found that 63 percent of leaders who use Crew report fewer missed shifts and 70 percent see increased motivation on their team. Crew worked out that among respondents, it is generating time savings of four or more hours per week for 93 percent of surveyed managers. And because of better communication, people are working faster when handing off things to each other on the front line — a Domino’s Pizza franchisee sped up delivery punctuality by 23 percent, as one example. (The company offers services on three tiers, ranging from free for small teams, to Pro at $10 per month per location, to Enterprise priced on negotiation.)

Crew’s new enterprise tier is aiming to take the company to the next step. Today, Leffel says that a lot of its customers are buying on a location-by-location basis. The idea with Crew Enterprise is that larger organizations will be able to provide a more unified experience across all of those locations (not to mention pay more for the functionality). Managers can use the service to message out details about promotions, and they have a better ability to manage conversations across the platform and also get more feedback from people who are directly interacting with customers. Meanwhile, admins also gain better ability to manage compliance.

If some of this sounds familiar, it’s not just because of Workplace: it is not the only other service targeting the same users. Dynamic Signal and Zinc (formerly Cotap) are two other startups that are also trying to provide better messaging-based communications to more than just white-collar knowledge workers. Crew will have its work cut out for it, but for now there is a lot of room for multiple players.

“We are seeing a shift in the marketplace, going from ‘absolutely don’t use your phone at work’ to ‘don’t use it when customers are present,’” Leffel said of the opportunity. “Some have started to change the rules to allow workers to use their own phones to perform price checks. We are solving for this evolving workflow.”

Cinven acquires One.com, one of Europe’s biggest hosting providers with 1.5M customers

One of the biggest providers of domain names and web hosting in Europe is changing hands today. One.com, which has around 1.5 million customers mainly across the north of the region, has been sold by private equity firm Accel-KKR to Cinven, another PE player that focuses on investments in Europe.

Terms of the deal are not being disclosed, but as a rough guide, Cinven once owned and sold another European hosting provider of comparable size: it acquired Host Europe Group in 2013 for $668 million and then sold it to GoDaddy for $1.8 billion in 2016, two years ago almost to the day. At the time of the sale, Host Europe Group also had about 1.5 million customers.

One.com and its business segment represent a significant, if not wildly evolving, part of the tech landscape: for as long as businesses and consumers continue to use the web, there will be a need for companies who sell and host domain names and provide services around that.

With a catchy domain name of its own, One.com has been riding the wave of that solidity of purpose for several years already. Accel-KKR says that organic growth at the company has been accelerating at a rate of 20 percent, and that under its four-year ownership revenues doubled to €60 million ($69 million) and profitability grew 50x, on a marketing pitch in which it positions itself as the ‘budget’ option for businesses.

“The vision of One.com since its founding has been to deliver value-added and easy-to-use solutions to small- and medium-sized businesses and prosumers,” said Jacob Jensen, Founder and CEO of One.com, in a statement. He is staying on to continue leading the company.

Cinven says it is interested in growing the business by way of acquisition, specifically: “There are opportunities to accelerate the growth of the business organically and through acquisition.”

In other words, expect some consolidation moves in the future where some of the smaller providers in Europe potentially get gobbled up to create a bigger entity with better economies of scale. That’s needed not just because GoDaddy has ramped up its presence here, but because the likes of Amazon have only grown in stature and provide a number of other services to users to make their offerings more sticky.

“We are very excited to invest in One.com alongside Jacob. It is a high quality business with an attractive brand and scalable technology platform, operating in a market with structural growth drivers,” said Thomas Railhac, Partner at Cinven, in a statement. “This is a subsector we know well through Cinven’s successful investment in HEG in Fund 5, continuing to invest in both the organic growth story and targeted acquisitions.”

Microsoft Issues Emergency Fix for IE Zero Day

Microsoft today released an emergency software patch to plug a critical security hole in its Internet Explorer (IE) Web browser that attackers are already using to break into Windows computers.

The software giant said it learned about the weakness (CVE-2018-8653) after receiving a report from Google about a new vulnerability being used in targeted attacks.

Satnam Narang, senior research engineer at Tenable, said the vulnerability affects the following installations of IE: Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.

“As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise,” Narang said.

According to a somewhat sparse advisory about the patch, malware or attackers could use the flaw to break into Windows computers simply by getting a user to visit a hacked or booby-trapped Web site. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft says users who have Windows Update enabled and have applied the latest security updates are protected automatically. Windows 10 users can manually check for updates this way; instructions on how to do this for earlier versions of Windows are here.