Annual Protest Raises $250K to Cure Krebs

For the second year in a row, denizens of a large German-language online forum have donated more than USD $250,000 to cancer research organizations in protest of a story KrebsOnSecurity published in 2018 that unmasked the creators of Coinhive, a now-defunct cryptocurrency mining service that was massively abused by cybercriminals. Krebs is translated as “cancer” in German.

Images posted to the decidedly not-safe-for-work German-language image forum pr0gramm[.]com. Members have posted thousands of thank you receipts from cancer research organizations that benefited from their fight cancer/krebs campaign.

On March 26, 2018, KrebsOnSecurity published Who and What is Coinhive, which showed the founder of Coinhive was the co-creator of the German image hosting and discussion forum pr0gramm[dot]com (not safe for work). I undertook the research because Coinhive’s code at the time was found on tens of thousands of hacked Web sites, and Coinhive seemed uninterested in curbing widespread abuse of its platform.

Pr0gramm’s top members accused KrebsOnSecurity of violating their privacy, even though all of the research published about them was publicly available online. In protest, the forum’s leaders urged members to donate money to medical research in a bid to find a cure for Krebs (i.e. “cancer”).

All told, thousands of Pr0gramm’s members donated more than USD $250,000 to cancer cure efforts within days of that March 2018 story. This week, the Pr0gramm administrators rallied members to commemorate that successful fundraiser with yet another.

“As announced there will be a donation marathon at anniversary day of Krebsaction,” Pr0gramm’s administrators announced. “Today, March 27th, we’re firing the starting shot for the marathon. Please tag your donation bills properly if they shall be accounted. The official tag is ‘krebsspende.’”

According to a running tally on Pr0gramm’s site, this year’s campaign has raised 252,000 euros for cancer research so far, or about USD $284,000. That brings the total that Pr0gramm members have donated to cancer research to more than a half-million dollars.

As a bonus, Coinhive announced last month that it was shutting down, citing a perfect storm of negative circumstances. Coinhive had made structural changes to its systems following my 2018 story so that it would no longer profit from accounts used on hacked Web sites. Perhaps more importantly, the value of the cryptocurrency Coinhive’s code helped to mine dropped precipitously over the past year.

ASUS ShadowHammer Episode – A Custom Made Supply Chain Attack

Users of ASUS computers have become the latest victims in a unique and highly-targeted supply chain attack dubbed “Operation ShadowHammer”. The attack was propagated to perhaps as many as 1 million ASUS users, but it seems the threat actors behind the malware were only interested in several hundred specific targets. In this post, we explain what ShadowHammer is and what it means for the enterprise.

ShadowHammer – A Timeline

According to Kaspersky researchers, ASUS update servers were compromised by hackers at least as early as June 2018, and possibly even earlier. One theory is that the initial compromise of the company’s servers may have occurred through the earlier CCleaner supply chain attack in which ASUS was a known target.

Regardless of how the hackers gained access to the servers, once in they were able to use a valid ASUS signing certificate to deliver a poisoned update to the ASUS Live Update utility itself, a tool that comes pre-installed on the majority of ASUS computers. Since the update appeared to be both correctly signed and a normal part of the machine’s operation, it escaped detection by both users and most AV solutions, which typically whitelist components from trusted vendors that are correctly signed. Although the campaign appears to have been terminated by the attackers in November 2018, possibly indicating they had achieved their aims, it remained undiscovered until January 2019.

ShadowHammer Targets Users by MAC Address

One of the things that makes ShadowHammer so unique is the fact that it uses a mass-infection vector to compromise a select number of targets. By one estimate, up to 1 million ASUS users may have downloaded the malware. Yet, incredibly, analysis suggests that the real targets may have numbered only a few dozen at a time, and perhaps no more than 600 throughout the life of the entire campaign.

In order to achieve this selectivity, the malware computes an MD5 hash of the infected machine’s MAC address. It then compares that against a table of hashes hardcoded into the malware. If there’s a match, the code begins the second stage of the attack by downloading further malware from the attacker’s C2 server. If there isn’t a match – the overwhelming majority of the cases – the malware remains dormant.  

While this is certainly good news for the unintended victims of the hack, it remains the case that all infected machines have effectively been “backdoored”; therefore, all ASUS users are recommended to check for the malware and remove it.
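How a MAC-based target check of this kind works in practice, as an added example that is not part of the original post and not ASUS or Kaspersky tooling: the target hashes below are constructed from made-up addresses, and because the exact string form the implant hashed is an assumption, several spellings of each address are tried.

```python
import hashlib
import re
import uuid
from typing import Dict, Iterable, List, Optional, Set

# Constructed stand-in for the hardcoded table: MD5 digests of two made-up
# MAC addresses in two different string forms. Not the real ShadowHammer list.
TARGET_HASHES: Set[str] = {
    hashlib.md5(b"00:11:22:33:44:55").hexdigest(),  # colon-separated form
    hashlib.md5(b"AABBCCDDEEFF").hexdigest(),       # bare upper-case form
}


def normalize_mac(mac: str) -> str:
    """Reduce any MAC spelling (colons, dashes, dots, bare) to 12 upper-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()


def mac_variants(mac: str) -> List[str]:
    """String forms a hash table might have been built from.

    Which exact form the implant hashed is an assumption here, so the
    colon-separated, dash-separated and bare forms are tried in both cases.
    """
    digits = normalize_mac(mac)
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    upper = [":".join(pairs), "-".join(pairs), digits]
    return upper + [form.lower() for form in upper]


def is_targeted(mac: str, targets: Set[str] = TARGET_HASHES) -> Optional[str]:
    """Return the variant whose MD5 is in the table, or None when the host
    would have stayed in the dormant, first-stage-only state."""
    for variant in mac_variants(mac):
        if hashlib.md5(variant.encode()).hexdigest() in targets:
            return variant
    return None


def check_macs(macs: Iterable[str],
               targets: Set[str] = TARGET_HASHES) -> Dict[str, Optional[str]]:
    """Check every adapter address; a host is a second-stage target if any matches."""
    return {mac: is_targeted(mac, targets) for mac in macs}


def local_macs() -> List[str]:
    """Best-effort local address via uuid.getnode(). It reports a single
    adapter only, and falls back to a random number with the multicast bit
    set when no hardware address is found, which is filtered out here."""
    node = uuid.getnode()
    if (node >> 40) & 1:  # multicast bit of the first octet -> not a real address
        return []
    return [f"{node:012X}"]


if __name__ == "__main__":
    for mac, hit in check_macs(local_macs()).items():
        print(mac, f"-> targeted (matched {hit!r})" if hit else "-> not in target table")
```

On a multi-homed machine, feed the addresses of all adapters into check_macs rather than relying on local_macs.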

How To Check If You Are Infected By ShadowHammer

The first thing to remember is that ShadowHammer is limited to ASUS machines and is not a general piece of malware that affects other devices, so if you’re not using an ASUS computer, you are not infected.

SentinelOne customers are automatically protected from ShadowHammer malware. As the demo below shows, SentinelOne recognizes and prevents ShadowHammer. This is not a new capability, nor does it require an update. Our behavioral AI engine was able to detect and block ShadowHammer even before it became publicly known.



For those who are not SentinelOne customers, a number of tools have already been made available, including one from ASUS themselves.

Conclusion

ShadowHammer is audacious in that the hackers behind it were unconcerned about potentially infecting every ASUS user in order to achieve a very limited objective. At the same time, they appear to have succeeded in pulling off a mass infection without being detected during the life of their campaign. It’s no surprise that threat actors have no qualms about “collateral damage” – infecting any computer that happens to be in their way – but ShadowHammer is an alarming escalation compared to anything seen before. Given the success of campaigns like this and the CCleaner attack before it, there is no doubt that supply chain attacks will continue to be leveraged by both criminal gangs and nation-state actors as many vendors do not take adequate security precautions.

For enterprise, ShadowHammer is a timely reminder that security solutions which rely on reputation and whitelisting will always have a “blindspot” to supply chain attacks. Given the mammoth task of auditing and securing all 3rd-party software and dependencies, the only effective enterprise solution is to use security software like SentinelOne Next Gen AV that autonomously detects any process that is behaving maliciously in real time, rather than simply looking at where a process comes from or who it is signed by.


Alibaba has acquired Teambition, a China-based Trello and Asana rival, in its enterprise push

Alibaba has made an acquisition as it continues to square up to the opportunity in enterprise services in China and beyond, akin to what its U.S. counterpart Amazon has done with AWS. TechCrunch has confirmed that the e-commerce and cloud services giant has acquired Teambition, a Microsoft and Tencent-backed platform for co-workers to plan and collaborate on projects, similar to Trello and Asana.

There were rumors of an acquisition circulating yesterday in Chinese media. Alibaba has now confirmed the acquisition to TechCrunch but declined to provide any other details.

Teambition had raised about $17 million in funding since 2013, with investors including Tencent, Microsoft, IDG Capital and Gobi Ventures. Gobi also manages investments on behalf of Alibaba, and that might have been one route to how the two became acquainted. Alibaba’s last acquisition in enterprise was German big data startup Data Artisans for $103 million.

As with others in the project management and collaboration space, Teambition provides users with mobile and desktop apps to interact with the service. In addition to the main planning interface, there is one designed for CRM, called Bingo, as well as a “knowledge base” where businesses can keep extra documentation and other collateral.

The deal is another sign of how Alibaba has been slowly building an enterprise business over the last several years as it races to keep its pole position in the Chinese market, as well as gain a stronger foothold in the wider Asian region and beyond.

In China alone, it has been estimated that enterprise services is a $1 billion opportunity, but with no clear leader at the moment across a range of verticals and segments that fall under that general umbrella, there is a lot to play for, and likely a lot more consolidation to come. (And it’s not the only one: ByteDance — more known for consumer services like TikTok — is rumored to be building a Slack competitor, and Tencent also has its sights on the sector, as does Baidu.)

As with AWS, Alibaba’s enterprise business stems out of the cloud-based infrastructure Alibaba has built for its own e-commerce powerhouse, which it has productised as a service for third parties that it calls Alibaba Cloud, which (like AWS) offers a range of cloud-storage and serving tiers to users.

On top of that, Alibaba has been building and integrating a number of apps and other services that leverage that cloud infrastructure, providing more stickiness for the core service as well as the potential for developing further revenue streams with customers.

These apps and services range from the recently launched “A100” business transformation initiative, where Alibaba proposes working with large companies to digitise and modernize (and help run) their IT backends, through to specific products, such as Alibaba’s Slack competitor DingTalk.

With Alibaba declining to give us any details beyond a confirmation of the acquisition, and Teambition not returning our requests for comment, our best guess is that this app could be a fit in either area. That is to say, one option for Alibaba would be to integrate it and use it as part of a wider “business transformation” and modernization offering, or as a standalone product, as it currently exists.

Teambition today counts a number of Chinese giants, and giants with Chinese outposts, as customers, including Huawei, Xiaomi, TCL and McDonald’s. The company currently has nothing on its site indicating an acquisition or any notices regarding future services, so it seems to be business as usual for now.

The opportunity around collaboration and workplace communication has become a very hot area in the last few years, spurred by the general growth of social media in the consumer market and people in business environments wanting to bring in the same kinds of tools to help them get work done. Planning and project management — the area that Teambition and its competitors address — is considered a key pillar in the wider collaboration space alongside cloud services to store and serve files and real-time communication services.

Slack, which is now valued at more than $7 billion, has said it has filed paperwork for a public listing, while Asana is now valued at $1.5 billion and Trello’s owner Atlassian now has a market cap of nearly $26 billion.

ServiceNow teams with Workplace by Facebook on service chatbot

One of the great things about enterprise chat applications, beyond giving employees a common channel to communicate, is the ability to integrate with other enterprise applications. Today, Workplace, Facebook’s enterprise collaboration and communication application, and ServiceNow announced a new chatbot to make it easier for employees to navigate a company’s help desks inside Workplace Chat.

The beauty of the chatbot is that employees can get answers to common questions whenever they want, wherever they happen to be. The Workplace-ServiceNow integration happens in Workplace Chat and can involve IT or HR help desk scenarios. A chatbot can help companies save time and money, and employees can get answers to common problems much faster.

Previously, getting these kinds of answers would have required navigating multiple systems, making a phone call or submitting a ticket to the appropriate help desk. This approach provides a level of convenience and immediacy.

Companies can brainstorm common questions and answers and build them in the ServiceNow Virtual Agent Designer. It comes with some standard templates, and doesn’t require any kind of advanced scripting or programming skills. Instead, non-technical end users can adapt pre-populated templates to meet the needs, language and workflows of an individual organization.

Screenshot: ServiceNow

This is all part of a strategy by Facebook to integrate more enterprise applications into the tool. In May at the F8 conference, Facebook announced 52 such integrations from companies like Atlassian, SurveyMonkey, HubSpot and Marketo (the company Adobe bought in September for $4.75 billion).

This is part of a broader enterprise chat application trend around making these applications the center of every employee’s work life, while reducing task switching, the act of moving from application to application. This kind of integration is something that Slack has done very well and has up until now provided it with a differentiator, but the other enterprise players are catching on and today’s announcement with ServiceNow is part of that.

A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach

On Feb. 21, 2019, KrebsOnSecurity contacted Italian restaurant chain Buca di Beppo after discovering strong evidence that two million credit and debit card numbers belonging to the company’s customers were being sold in the cybercrime underground. Today, Buca’s parent firm announced it had remediated a 10-month breach of its payment systems at dozens of restaurants, including some locations of its other brands such as Earl of Sandwich and Planet Hollywood.

Some 2.1 million+ credit and debit card accounts stolen from dozens of Earl Enterprises restaurant locations went up for sale on a popular carding forum on Feb. 20, 2019.

In a statement posted to its Web site today, Orlando, Fla. based hospitality firm Earl Enterprises said a data breach involving malware installed on its point-of-sale systems allowed cyber thieves to steal card details from customers between May 23, 2018 and March 18, 2019.

Earl Enterprises did not respond to requests for specifics about how many customers total may have been impacted by the 10-month breach. The company’s statement directs concerned customers to an online tool that allows one to look up breached locations by city and state.

According to an analysis of that page, it appears the breach impacts virtually all 67 Buca di Beppo locations in the United States; a handful out of the total 31 Earl of Sandwich locations; and Planet Hollywood locations in Las Vegas, New York City and Orlando. Also impacted were Tequila Taqueria in Las Vegas; Chicken Guy! in Disney Springs, Fla.; and Mixology in Los Angeles.

KrebsOnSecurity contacted the executive team at Buca di Beppo in late February after determining most of this restaurant’s locations were likely involved in a data breach that first surfaced on Joker’s Stash, an underground shop that sells huge new batches of freshly-stolen credit and debit cards on a regular basis.

Joker’s Stash typically organizes different batches of stolen cards around a codename tied to a specific merchant breach. This naming convention allows criminals who purchased cards from a specific batch and found success using those cards fraudulently to buy from the same batch again when future cards stolen from the same breached merchant are posted for sale.

While a given batch’s nickname usually has little relation to the breached merchant, Joker’s Stash does offer a number of search options for customers that can sometimes be used to trace a large batch of stolen cards back to a specific merchant.

This is especially true if the victim merchant has a number of store locations in multiple smaller U.S. towns. That’s because while Joker’s Stash makes its stolen cards searchable via a variety of qualities — the card-issuing bank or expiration date, for example — perhaps the most useful in this case is the city or ZIP code tied to each card.

As with a number of other carding sites, Joker’s Stash indexes cards by the city and/or ZIP code of the store from which the card was stolen (not the ZIP code of the affected cardholders).

On Feb. 20, Joker’s Stash moved a new batch of some 2.15 million stolen cards that it dubbed the “Davinci Breach.” An analysis of the cities and towns listed among the Davinci cards for sale included a number of hacked store locations that were not in major cities, such as Burnsville, Minn., Levonia, Mich., Midvale, Utah, Norwood, Ohio, and Wheeling, Ill.

Earl Enterprises said in its statement the malicious software installed at affected stores captured payment card data, which could have included credit and debit card numbers, expiration dates and, in some cases, cardholder names. The company says online orders were not affected.

Malicious hackers typically steal card data from organizations by hacking into point-of-sale systems remotely and seeding those systems with malicious software that can copy account data stored on a card’s magnetic stripe. Thieves can use that data to clone the cards and then use the counterfeits to buy high-priced merchandise from electronics stores and big box retailers.

Cardholders are not responsible for fraudulent charges, but your bank isn’t always going to detect card fraud. That’s why it’s important to regularly review your monthly statements and quickly report any unauthorized charges.

Man Behind Fatal ‘Swatting’ Gets 20 Years

Tyler Barriss, a 26-year-old California man who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident, has been sentenced to 20 years in federal prison.

Tyler Barriss, in an undated selfie.

Barriss has admitted to his role in the Kansas man’s death, as well as to dozens of other non-fatal “swatting” attacks. These dangerous hoaxes involve making false claims to emergency responders about phony hostage situations or bomb threats, with the intention of prompting a heavily-armed police response to the location of the claimed incident.

On Dec. 28, 2017, Barriss placed a call from California to police in Wichita, Kan., claiming that he was a local resident who’d just shot his father and was holding other family members hostage.

When Wichita officers responded to the address given by the caller — 1033 W. McCormick — they shot and killed 28-year-old Andrew Finch, a father of two who had done nothing wrong.

Barriss admitted setting that fatal swatting in motion after getting in the middle of a dispute between two Call of Duty online gamers, 18-year-old Casey Viner from Ohio and Shane Gaskill, 20, from Wichita. Viner and Gaskill are awaiting their own trials in connection with Finch’s death.

Barriss pleaded guilty to making hoax bomb threats in phone calls to the headquarters of the FBI and the Federal Communications Commission in Washington, D.C. He also made bomb threat and swatting calls from Los Angeles to emergency numbers in Ohio, New Hampshire, Nevada, Massachusetts, Illinois, Utah, Virginia, Texas, Arizona, Missouri, Maine, Pennsylvania, New Mexico, New York, Michigan, Florida and Canada.

“I hope that this prosecution and lengthy sentence sends a strong message that will put an end to the juvenile and reckless practice of ‘swatting’ within the gaming community, as well as in any other context,” Kansas U.S. Attorney Stephen McAllister said in a written statement. “Swatting is just a terrible idea. I also hope that today’s result helps bring some peace to the Finch family and some closure to the Wichita community.”

Many readers have commented here that the officer who fired the shot which killed Andrew Finch should also face prosecution. However, the district attorney for the county that encompasses Wichita decided in April 2018 that the officer will not face charges, and will not be named because he isn’t being charged with a crime.

As the victim of a swatting attack in 2013 and two other attempted swattings, I’m glad to finally see a swatting prosecution that may actually serve as a deterrent to this idiotic and extremely dangerous crime going forward.

But as I’ve observed in previous stories about swatting attacks, it would also be nice if more police forces around the country received additional training on exercising restraint in the use of deadly force, particularly in responding to hostage or bomb threat scenarios that have hallmarks of a swatting hoax.

For example, perpetrators of swatting often call non-emergency numbers at state and local police departments to carry out their crimes precisely because they are not local to the region and cannot reach the target’s police department by calling 911. This is exactly what Tyler Barriss did in the Wichita case and others. Swatters also often use text-to-speech (TTY) services for the hearing impaired to relay hoax swat calls, as was the case with my 2013 swatting.

Trickbot | Technical Analysis of a Banking Trojan Malware

Banking trojans have been around forever—and they’ll be around for as long as we use the web for money transactions—but that doesn’t mean they are not useful to look at. Trickbot and Emotet have been on the increase recently, evolving with new features to escape sandboxes and bypass legacy security solutions. In this post, we’ll take a look inside a sample that was caught by SentinelOne.

This malware came to a customer as an email distributed payload:

File Hash (SHA1): 8cad6d7f47553b363698230c36c36cb39a80112

Decoding the First Stage of the Attack

While the file was blocked and no harm was done to the system, sometimes I like to see what would happen without protection. With the use of OLETOOLS we can take a look at the payloads embedded in the malicious file:

$: olevba Bofa_Charge01312019.xlsm

The code that gets returned is a little messy, but we can easily get what we need:

image of oletools

The main thing that we are looking at is the base64 encoded string:

image of encoded base64

Next, let’s decode the base64 string and verify whether it is actually a file:

Image of decoding base64

Now that we know it’s a file, we can either rename and extract the gzip file or simply decompress the base64 string as we decode it. The first method is nice if you are trying to keep a copy of each attack phase:

Image of decoding base64 file

But if you really don’t need to keep the extra file, you can just decompress the stream as it is decoded.

Image of decode base64
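The decode, file-type check and decompress steps above, written as one script that supports both the keep-a-copy and in-memory paths. This is an added example, not the author’s commands; the embedded base64 string is a constructed, harmless stand-in (the host c2.example.invalid is a placeholder, and the file names are taken from the post), not the macro’s real payload.

```python
import base64
import binascii
import gzip
import re
import zlib
from typing import Dict, List, Optional

GZIP_MAGIC = b"\x1f\x8b"

# Constructed stand-in for the string olevba pulled out of the macro: a few
# harmless VBScript-style assignments, gzip-compressed and base64-encoded
# here so the example runs offline. Not the real dropper.
_SAMPLE_SCRIPT = "\r\n".join([
    "' constructed sample for this example, not the real dropper",
    'url = "http://c2.example.invalid/za.liva"',
    'dst = "%TEMP%\\tmp0281.exe"',
])
SAMPLE_B64 = base64.b64encode(gzip.compress(_SAMPLE_SCRIPT.encode())).decode()


def decode_blob(b64: str) -> bytes:
    """Step 1: drop the line breaks and quotes the macro wraps around the
    string, then base64-decode it; binascii.Error signals bad input."""
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", b64)
    return base64.b64decode(cleaned, validate=True)


def sniff(blob: bytes) -> str:
    """Step 2: the 'is it actually a file?' check, done on magic bytes
    the way `file` would do it."""
    if blob.startswith(GZIP_MAGIC):
        return "gzip"
    if blob.startswith(b"MZ"):
        return "pe"
    return "unknown"


def save_stage(blob: bytes, path: str) -> None:
    """Variant A: keep the intermediate artifact (e.g. stage1.gz) on disk
    so each attack phase is preserved for the case file."""
    with open(path, "wb") as fh:
        fh.write(blob)


def extract_script(b64: str) -> Optional[str]:
    """Variant B: decode and decompress in memory. Returns None when the
    string is not valid base64, not a gzip member, or is truncated."""
    try:
        blob = decode_blob(b64)
    except binascii.Error:
        return None
    if sniff(blob) != "gzip":
        return None
    try:
        return gzip.decompress(blob).decode("utf-8", errors="replace")
    except (OSError, EOFError, zlib.error):  # corrupt or truncated member
        return None


def indicators(script: str) -> Dict[str, List[str]]:
    """Pull the URLs and file names an analyst wants out of the decoded
    script: the remote payload name and the local Temp file it becomes."""
    return {
        "urls": re.findall(r"https?://[^\s\"']+", script),
        "files": re.findall(r"[\w-]+\.(?:exe|dll|liva)", script, re.I),
    }


if __name__ == "__main__":
    text = extract_script(SAMPLE_B64)
    print(text)
    print(indicators(text or ""))
```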

Either way, we can get what we need for the next step:

image of function to download file

Now this looks pretty ugly, so we can clean it up with a “beautifier” plug-in for SublimeText or any other similar tool of your choice:

Image of cleaning up code

There are a couple of key bits of information that we can collect from this.

First, this is a VBScript Function that is compressed and stored as a base64 string within the Excel Macro. The function is called and executes the script upon opening the document.

image of function call

We can also see that the payload is fetched from one of two remote servers:

image of code for each server

The code tells us that the payload is stored in the User’s Temp directory:

image of saving to temp file

Take note that the payload on the C2 server is called ‘za.liva’, but it will be saved as ‘tmp0281.exe’ on the local disk. After the payload is saved to the Temp directory, it is then executed.

image of executing temp file

Inspecting the Payloads

Let’s take a look at the payloads that are downloaded and see if the addresses are still active:

image of first payload

The first address looks to have since been taken offline, so it will not be of much use to us.

image of second payload

The second server looks to be still active, so we can continue the investigation. Since we have a C2 server up and running, we can attempt to download the malicious payload and see what this Excel document actually does.

image of using wget

Now that we have a SHA1 hash we can use VirusTotal to check it out.

image of checking virustotal

VirusTotal shows that the file has a reputation for being malicious and that several of the detections report it as a sample of the TrickBot banking trojan.

What Happens When Trickbot Executes?

So what happens when we execute it? To start with, there are a few interesting things that Procmon can show us. Initially, the malware duplicates itself to a new directory which is hidden in the User’s Roaming Profile:

image of roaming profile

Then, the payload targets and disables Windows Defender:

image of windows defender

This is how Windows Defender looks before execution:

image of windows defender on

And after:

Image of Windows Defender Disabled

A scheduled task is then created.

image of scheduled task

image of general tab

image of triggers tab

image of actions tab

The History Tab is also set to ‘Disabled’ so that it will be hard to determine how long the machine has been infected.

The malware next creates a ‘Settings.ini’ file and a ‘Data’ folder.

image of creating settings ini file

Multiple modules will then be created within the ‘Data’ Folder starting with ‘systeminfo64’ (Testing was done on an amd64 machine).

image of multiple modules created

Here are the file hashes for the modules:

There are also signs of the payload attempting to access the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 key, which matches the behavior of other known TrickBot versions. These are known to use this key to store the hashes of URLs and their respective login information that have been collected.

image of hkey current user key

At the same time, Trickbot will examine the registry to verify which browser type is currently set as default.

Image of default browser setting

After dropping the modules to the ‘Data’ folder, the Trickbot malware creates and populates registry keys for ‘CertificateTransparencyEnforcementDisabledForUrls’ at the following path: HKLM\SOFTWARE\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls:

Image of disable Certificate transparency in browsers

This allows SSL encryption levels to be downgraded to less secure algorithms without the browser raising a big red flag.

How to Decode Trickbot Modules

Knowing that this is TrickBot we can take advantage of a tool from HASHEREZADE, who has a bunch of awesome tools for reversing and analyzing malware.

On the infected machine, we need to run the ‘make_bot_key.exe’ PE to gather the system botkey for decryption.

image of make bot key

This ‘botkey’ is then used to decrypt the modules:

./trick_config_decoder.py --botkey {BotKey} --datafile Data/{Module File Name}

image of trick bot config modules decoder

Now we can get a list of hashes for the decrypted DLLs:

cbd80eb5112a9560fbe7d9ce6fc0258af6415827 importDll64.dll
d37415147f5cdc74d4c0dbf5c67d5fc909643d5e injectDll64.dll
744a928e828c4f06f92a5354f63a14f15a98bff9 mailsearcher64.dll
374b411a00f513b002902870e216e56186b8c9b8 networkDll64.dll
de9caa99ca6c4f7892b3b9dfb9c9747bd503d753 psfin64.dll
70883aa0f396e0a2099a6eaa501cc2f7ce8c9ff8 shareDll64.dll
a3b021cf9dbb9e9bc67fa25f27be7ab71ce55d69 systeminfo64.dll
52a59062686fcfedbc207fddbed84395b4df0175 tabDll64.dll
8ad57a9acfd3940f2b044c2ab7777f8d051941f0 tpwgrabu64.dll
4f4601059e70e1d726ed10f44d989e00e7b21bbd wormDll64.dll

This also allows us to extract IPs and URLs from the Module config files, such as injectDll64_configs/dpost.out:

image of decoding iocs from injectDLL64

Summary

In this post, we have explored how to inspect a malicious file and determine its actions, the C2 servers it contacts, and the payloads it drops. We’ve also looked at some useful ways to analyse the payloads and extract indicators of compromise that we can feed into a SOC team or security solution software. Even without diving deep into the DLLs or the PEs themselves, we were able to obtain a great deal of information and a really nice list of IOCs for the Trickbot malware.


IOCs:

File Paths:
C:\Windows\System32\Tasks\SpeedNetworkTask
C:\Users\{Username}\AppData\Roaming\speedNetwork

Registry Key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

Scheduled Tasks:
SpeedNetworkTest

PE/Document Hashes:
8cad6d7f47553b363698230c36c36cb39a80112
f91ed88e61b431ce883f75797ad36c5a4a9ca212


Vizion.ai launches its managed Elasticsearch service

Setting up Elasticsearch, the open-source system that many companies large and small use to power their distributed search and analytics engines, isn’t the hardest thing. What is very hard, though, is to provision the right amount of resources to run the service, especially when your users’ demand comes in spikes, without overpaying for unused capacity. Vizion.ai’s new Elasticsearch Service does away with all of this by essentially offering Elasticsearch as a service and only charging its customers for the infrastructure they use.

Vizion.ai’s service automatically scales up and down as needed. It’s a managed service and delivered as a SaaS platform that can support deployments on both private and public clouds, with full API compatibility with the standard Elastic stack that typically includes tools like Kibana for visualizing data, Beats for sending data to the service and Logstash for transforming the incoming data and setting up data pipelines. Users can easily create several stacks for testing and development, too, for example.

Vizion.ai GM and VP Geoff Tudor

“When you go into the AWS Elasticsearch service, you’re going to be looking at dozens or hundreds of permutations for trying to build your own cluster,” Vizion.ai’s VP and GM Geoff Tudor told me. “Which instance size? How many instances? Do I want geographical redundancy? What’s my networking? What’s my security? And if you choose wrong, then that’s going to impact the overall performance. […] We do balancing dynamically behind that infrastructure layer.” To do this, the service looks at the utilization patterns of a given user and then allocates resources to optimize for the specific use case.

What Vizion.ai has done here is take some of the work from its parent company Panzura, a multi-cloud storage service for enterprises that has plenty of patents around data caching, and apply it to this new Elasticsearch service.

There are obviously other companies that offer commercial Elasticsearch platforms already. Tudor acknowledges this, but argues that his company’s platform is different. With other products, he argues, you have to decide on the size of your block storage for your metadata upfront, for example, and you typically want SSDs for better performance, which can quickly get expensive. Thanks to Panzura’s IP, Vizion.ai is able to bring down the cost by caching recent data on SSDs and keeping the rest in cheaper object storage pools.

He also noted that the company is positioning the overall Vizion.ai service, with the Elasticsearch service as one of the earliest components, as a platform for running AI and ML workloads. Support for TensorFlow, PredictionIO (which plays nicely with Elasticsearch) and other tools is also in the works. “We want to make this an easy serverless ML/AI consumption in a multi-cloud fashion, where not only can you leverage the compute, but you can also have your storage of record at a very cost-effective price point.”

User Interviews, a platform for product feedback, raises $5 million

It’s not uncommon to hear CEOs and business leaders talk about focusing on the consumer. But the only way to build for the consumer is to hear what they want, which can be a resource-intensive thing to retrieve.

User Interviews, an ERA-backed company out of New York, is looking to lighten that load with a fresh $5 million in seed funding from Accomplice, Las Olas, FJ Labs, and ERA.

User Interviews actually started out as Mobile Suites, an amenities logistics platform for hotels. It was a dud, and the team — Basel Fakhoury, Dennis Meng and Bob Saris — decided to do far more user research before determining the next product.

In the process of talking to customers to understand their pain points, they realized just how difficult collecting user feedback could be.

That’s how User Interviews was born. The platform’s first product, called Recruit, offers a network of non-users who can be matched with companies to provide feedback. In fact, User Interviews’ first sales were made by simply responding to Craigslist ads posted by companies looking for non-users from whom they could collect feedback.

But because the majority of user research is based on existing users, the company also built Research Hub, which is essentially a CRM system for user feedback and research. To be clear, User Interviews doesn’t facilitate the actual emails sent to users, but does track the feedback and make sure that no one from the research team is reaching out to a single user too often.

With Recruit, User Interviews charges $30 per person that it matches with a company for feedback. Research Hub pricing starts at $150/month.

“Right now, our greatest challenge is that our clients are the best product people in the world, and we have a huge pipeline of amazing ideas that are very valuable and no one is doing yet that our clients would love,” said CEO and founder Basel Fakhoury. “But we have to build it fast enough.”

No mention of what those forthcoming products might be, but the current iteration sure seems attractive enough. User Interviews clients include Eventbrite, Glassdoor, AT&T, DirecTV, Lola, LogMeIn, Thumbtack, Casper, ClassPass, Fandango, NNG, Pinterest, Pandora, Colgate, Uber and REI, to name a few.

Marketing tech vendors need to find right balance between digital and human interactions

As I walked the long halls of Adobe Summit this week in Las Vegas and listened to the company’s marketing and data integration story, I thought about the obvious disconnect that happens between brands and their customers. With tons of data, a growing set of tools to bring it together, and a desire to build an optimal experience, you would think we have been set up for thrilling consumer experiences, yet we all know that is not always what happens when the rubber meets the road.

Maybe part of the problem is that data sitting in databases doesn’t always translate into employee action when dealing directly with consumers. In many cases, the experience isn’t smooth, data isn’t passed from one source to another, and when you do eventually reach a person, they aren’t always knowledgeable or even nice.

It’s to the point that when my data does get passed smoothly from bot to human CSA, and I’m not asked for the same information for the second or even third time, I’m pleasantly surprised, even a little shocked.

That’s probably not the story marketing automation vendors like Adobe and Salesforce want to hear, but it is probably far more common than the one about delighted customers. I understand that the goal is to provide APIs to connect systems. It’s to stream data in real time from a variety of channels. It’s about understanding that data better by applying intelligent analytics, and to some extent I’m sure that’s happening and that there are brands who truly do want to delight us.

The disconnect could be happening because brands can control what happens in the digital world much better than the real one. They can know at a precise level when you interact with them and try to right wrongs or inconsistencies as quickly as possible. The problem is when we move to human interactions — people talking to people at the point of sale in a store, or in an office or via any communications channel — all of that data might not be helpful or even available.

The answer to that isn’t to give us more digital tools, or more tech in general, but to work to improve human-to-human communication, and maybe arm those human employees with the very types of information they need to understand the person they are dealing with when they are standing in front of them.

If brands can eventually get these human touch points right, they will build more loyal customers who want to come back, the ultimate goal, but right now the emphasis seems to be more on technology and the digital realm. That may not always achieve the desired results.

This is not necessarily the fault of Adobe, Salesforce or any technology vendor trying to solve this problem, but the human side of the equation needs to be a much stronger point of focus than it currently seems to be. In the end, all the data in the world isn’t going to save a brand from a rude or uninformed employee in the moment of customer contact, and that one bad moment can haunt a brand for a long, long time, regardless how sophisticated the marketing technology it’s using may be.