7 Lessons Every CISO Can Learn From the ANU Cyber Attack

During November of last year, a highly skilled, possibly nation-state, threat actor penetrated the network of the Australian National University. The dwell time, or length of time the attacker went undetected, was around six weeks. Afforded such an extensive period, the actor engaged in lateral movement, downloaded bespoke malware, conducted further spearphishing campaigns and exfiltrated an unknown amount of data from a possible 19-year treasure trove of records from Human Resources, financial management and student administration. The details of the attack, discovered in June of this year, have recently been published by the university’s Office of the Chief Information Security Officer. In this post, based on their thorough report, we review the major lessons every CISO can learn from the ANU cyber attack.

image of 7 lessons from ANU attack

1. Don’t Wait Till It’s Too Late | Replace Legacy AV

Without doubt, the most startling lesson for CISOs from the ANU breach is that you cannot wait to update your security if you want to match and defeat the skills of today’s threat actors.

ANU: “The actor was able to, in several cases, avoid detection by altering the signatures of more common malware used during the campaign. Also, the malware and some tools were assembled inside the ANU network after a foothold had been established. This meant that the downloaded individual components did not trigger the University’s endpoint protection.”

The old legacy AV suites that ANU had been using up until last year were no match for the attacker. Indeed, such systems are regularly bypassed in red team engagements, and bypasses are widely known and traded on hacker forums. Legacy AV suites afford very little protection against anything other than accidental or amateur intrusion attempts and need to be replaced as quickly as possible.

2. Phishing Is King | Block Bad Behavior, Not Users

Users will always be susceptible to phishing and spearphishing attacks. Enterprises need to stop relying on human behavior to recognize phishing campaigns and instead rely on machine learning to detect and block malicious behavior on endpoints.

ANU: “The actor’s campaign started with a spearphishing email sent to the mailbox of a senior member of staff. Based on available logs this email was only previewed but the malicious code contained in the email did not require the recipient to click on any link nor download and open an attachment. This “interaction-less” attack resulted in the senior staff member’s credentials being sent to several external web addresses.”

image of ANU phishing email

Let’s not blame the user, but there’s a reason why phishing was used in the ANU attack and is by far the most common attack vector. People, unlike computers, need to get things done. But the attacker, like the victim, is also human, and the tools, tactics and procedures they use to reach their objectives can be modelled behaviorally.

A no-interaction phishing email raises interesting and worrying questions. In an attempt to protect the public by not going into details that could help other threat actors, ANU have not released details of how that worked. Possibilities include leveraging the loading of remote content, unpatched email client software, or perhaps a zero-day vulnerability in either that software or the operating system itself.

The lesson here is that phishing awareness training and other user-level safeguards would not have helped protect the organization against the initial spearphishing attack. That means a security solution that can recognize and alert on malicious execution, regardless of whether the process is trusted or not, is the only sure way to deal with the phishing threat.

3. Make the Invisible, Visible | Know Your Network

Understanding what is connected to your network is vital. In the ANU attack, the threat actor sought out and found little-known network devices that had fallen outside of the organization’s security audits.

ANU: “The actor built a shadow ecosystem of compromised ANU machines, tools and network connections to carry out their activities undetected. Some compromised machines provide a foothold into the network. Others, like the so-called attack stations, provided the actor with a base of operations to map the network, identify targets of interest, run tools and compromise other machines.”

image of ANU attack overview

With a vast organization spanning multiple sites and multiple sub-networks, the only effective solution is to ensure you can map the network and fingerprint devices in such a way that you can determine not only what is connected, but also what is unprotected. Many current network mapping solutions have implementation issues such as consuming too many resources or requiring “noisy” additional mapping devices. Consider a solution that uses your existing security infrastructure without adding another layer of burden on top.

4. Knock, Knock, Who’s There? | Enforce 2FA & Multi-FA

No matter how strong your password, or how frequently you change it, simply relying on only what someone knows without the supporting evidence of something the authorized user possesses is always going to present an opportunity to attackers.

ANU: “Forensic evidence also shows the extensive use of password cracking tools at this stage. The combination of the bespoke code and password cracking is very likely to have been the mechanism for gaining access to the above administrative databases or their host systems.”

With the almost universal use of smartphones among employees these days, linking account access to authentication through an additional device should be standard practice in the modern enterprise. Though neither foolproof nor always convenient, 2FA with time-limited OTPs delivered through mobile authenticator apps will secure accounts from most simple credential stuffing and other password hijacking attempts. For even stricter control, consider hardware authentication devices such as YubiKey and similar where appropriate.

5. Mind The Traffic | Use Endpoint Firewall Control

Without policies to control what kinds of traffic you want an endpoint to allow and disallow, attackers will have an opportunity to exfiltrate data at will once they have compromised an endpoint.

ANU: “The actor used a variety of methods to extract stolen data or credentials from the ANU network. This was either via email or through other compromised Internet-facing machines.”

Effective endpoint firewall controls can block unauthorized transfer of data to and from all your endpoints, both on and off the corporate network. In the ANU attack, the threat actor manipulated a commercial tool to query multiple databases, extract records and then exfiltrate the data by sending it to another machine on the network in PDF file format.

Deploying firewall controls allows you to reduce the risk of this kind of data leakage by setting explicit policies that either allow or disallow particular kinds of traffic from the endpoint. Such policies could have prevented the kind of unauthorized data transfers seen in the ANU breach.

6. Pick Off Low-Hanging Vulns | Patch For The Win

Patching is a time-honored defensive measure, but it’s becoming increasingly important with vulnerabilities like BlueKeep and EternalBlue now on the loose.

ANU: “The actor also gained access (through remote desktop) to a machine in a school which had a publicly routable IP address. Age and permissiveness of the machine and its operating system are the likely reasons the actor compromised this machine.”

Threat actors have the tools to scan for and exploit vulnerabilities in legacy operating systems such as Windows 7 and in unpatched Windows 10, Linux and macOS machines. While many departments struggle to replace ageing hardware and software for either operational or budgetary reasons, those departments will remain vulnerable to a range of threat actors, from financially motivated cyber criminals to Advanced Persistent Threat groups who may simply be hoovering up as much intel as possible while they can.

7. Console Your Clients | Log Devices Remotely

A good security posture requires not just knowing what is happening on your devices but what happened in the past. Logging device activity to a secure remote location is essential for both threat hunting and incident response.

ANU: “The actor exhibited exceptional operational security during the campaign and left very little in the way of forensic evidence. Logs, disk and file wipes were a recurrent feature of the campaign.”

The ANU’s incident response team did a great forensic investigation after the fact, but they were hampered by the deletion of logs on vulnerable machines. Modern endpoint detection and response should be backed by a centralized device management console where admins and security teams can access logs from all endpoints regardless of what actions are taken on a device locally.

Similarly, with the correct solution in place, such as a tamper-proof agent installed on the local device, the attacker’s bespoke tools and malware would also have triggered an alert based on their malicious behavior, regardless of whether they were unknown to signature detection engines that rely on reputation.
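To make lesson 7 concrete, here is a small detection pass a SOC could run over logs that have already been forwarded off the endpoint. It is an added example, not code from the ANU report or from any product: it flags the Windows "log cleared" events (Security event 1102 and System event 104, both real event IDs) and hosts that go silent, which is what local log wiping or agent tampering looks like from the collector's side. The one-JSON-object-per-line schema (`ts`, `host`, `channel`, `event_id`, `user`) is an assumed collector format and the sample lines are constructed.

```python
"""Detection checks over centrally collected Windows event logs (added example)."""
import json
from datetime import datetime, timedelta

# (channel, event_id) pairs that mean an event log was cleared on the host.
# These are real Windows event IDs; everything else in this file is constructed.
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample of forwarded events in an assumed collector schema.
SAMPLE_LOG = """\
{"ts": "2018-11-10T08:00:00", "host": "hr-db01", "channel": "Security", "event_id": 4624, "user": "svc_backup"}
{"ts": "2018-11-10T08:05:00", "host": "hr-db01", "channel": "Security", "event_id": 4672, "user": "svc_backup"}
{"ts": "2018-11-10T08:06:30", "host": "hr-db01", "channel": "Security", "event_id": 1102, "user": "svc_backup"}
{"ts": "2018-11-10T08:07:00", "host": "hr-db01", "channel": "System", "event_id": 104, "user": "svc_backup"}
{"ts": "2018-11-10T08:00:00", "host": "fin-app02", "channel": "Security", "event_id": 4624, "user": "jsmith"}
{"ts": "2018-11-10T13:00:00", "host": "fin-app02", "channel": "Security", "event_id": 4634, "user": "jsmith"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_log_clears(events):
    """Return (host, user, ts, channel) for every log-clear event, in log order.

    Because the copy lives on the collector, the clear is still visible even
    though the endpoint's own log no longer contains it.
    """
    return [
        (e["host"], e["user"], e["ts"], e["channel"])
        for e in events
        if (e["channel"], e["event_id"]) in LOG_CLEAR_EVENTS
    ]


def find_silent_hosts(events, now, max_gap=timedelta(hours=1)):
    """Hosts whose most recent forwarded event is older than max_gap at `now`.

    A host that was reporting and then stopped deserves a look: the agent may
    have been stopped or the machine wiped. Returned sorted for stable output.
    """
    last_seen = {}
    for e in events:
        prev = last_seen.get(e["host"], e["ts"])
        last_seen[e["host"]] = max(prev, e["ts"])
    return sorted(host for host, ts in last_seen.items() if now - ts > max_gap)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for host, user, ts, channel in find_log_clears(evs):
        print(f"ALERT log cleared: {host} {channel} by {user} at {ts.isoformat()}")
    for host in find_silent_hosts(evs, now=datetime(2018, 11, 10, 13, 30)):
        print(f"WARN host silent for over 1h: {host}")
```

The silence check needs a `now` that is comparable with the log timestamps; in production you would pass the collector's current time rather than a fixed value.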

Conclusion

The ANU are to be congratulated for making public their detailed Incident Response report. It’s to be hoped that other organizations that suffer breaches take note. Only through this kind of transparency can we share knowledge of how attackers adapt and evade enterprise and organizational security.

ANU weren’t without defenses, and they weren’t without resources. There are many organizations just like them in both the public and private sector. Attackers long ago learned how to defeat the old AV suite solutions of the past, and that message is something the ANU report makes clear. A combination of legacy hardware, software and an opaque network structure played into the threat actor’s hands. It is incumbent on us all to learn these lessons and to raise the bar for attackers in light of this report.


Behind Enemy Lines | Looking into Ransomware as a Service (Project Root)

Ransomware-as-a-Service (RaaS) offerings have been a staple of the “underground” for many years now. From TOX to SATAN to Petya and beyond, we have seen services continue to appear and thrive. Oftentimes they are short-lived, but that is not always the case. Services like DataKeeper and Ranion have been available for over two years now. These ‘services’ are an attractive way for enterprising criminals to create, distribute, and manage their ransomware (and subsequent profits) with almost no barrier to entry. That is, they require zero prior coding or development knowledge. They also offer instant results and are cheap to launch. Typically, these services either require an “up front” payment or a share of the profits once the victims pay. In this post, we take a journey into the dark web and explore a new RaaS offering that appeared for the first time earlier this month, known as ‘Project Root’.

image project root

Ransomware As A Service: Meet Project Root

We recently came across a new offering known as ‘Project Root’. This service, like many others, requests a low, “up front” fee to get started. From there, clients can generate ransomware binaries on-demand. Both Windows and Linux are supported (for 32-bit and 64-bit architectures).

image of project root site

Project Root payloads are written in Golang, and thus resemble previous (similar) threat families like LockerGoga. Payloads written in Golang are often able to bypass both traditional signature-based detection as well as some static machine-learning detection engines given how few samples (and therefore extractable features) are found in the wild.

image of project root banner

Project Root: How Much Does It Cost?

Project Root is available in two versions. The “standard” version (initially) costs $150 USD up front, payable in bitcoin (BTC), and allows for unlimited generation of “basic” payloads via their portal, along with the management and key distribution components. Updates to this version are ‘free’ for 6 months. Over the course of the last two weeks, the standard version price has fluctuated between $50 and ‘Free’. A “Pro” version exists which “allows for better support, longer term of free updates, and increased evasion options. Buyers will also have full access to the source code for increased customization options.”

image of project root pro

The “Pro” version has been advertised all along but appears to have officially “launched” as of October 17th.

image of project root price plans

How To Build Ransomware Binaries

For users of the service, building binaries is very straightforward. The RaaS customers need only specify the desired architecture (x86 or x64) along with the platform (Linux or Windows). It should be noted that an Android version is promised for the future. Along with the above options, the user needs to supply a contact email address for the victim, along with a customized recovery key associated with the campaign.

image of project root builder window

image of project root win binary

This builder interface is also used to access specific decrypters for either Linux or Windows platforms (also provided in x86 and x64 varieties).

image of project root decrypter menu

The “How to Use” section also serves as the service’s FAQ section. While seemingly straightforward, it does reveal that the actor behind this is most likely not a native English speaker.

image of project root FAQ

Teething Trouble or Scamming the Scammers?

It is also interesting to note that until recently (on or around October 14th), the ransomware payloads we analyzed did not work. All the samples we investigated prior to October 14th did not proceed past the initial execution phase: no further activity occurs and the victim’s files are not encrypted. This was true across x86 and x64 samples. This is an interesting phenomenon that perhaps does not get enough attention. All malware authors have a varying degree of skill, and their ability to ‘QA test’ their creations is equally idiosyncratic. It is possible that, during the early stage of the service’s launch, they were still working out kinks. Despite that, it appears that the service was happy to continue ‘selling stuff’ and accepting payments from hopeful criminals.

There is quite a large ‘scam the scammer’ market on the ‘Deep Web’ and other dark corners of the threat landscape. There are scammers out there that deliberately target lesser-skilled scammers to make a quick buck. There are many examples of this in recent history (Aspire Crypter and INPIVIX RaaS come to mind). Also, for every ‘legitimate’ service, there are dozens or more clones/phish sites that just serve to mine credentials, account data, and more. Even the relatively well-known ransomware services like DataKeeper, Ranion, and MegaCortex are shadowed by a confusing vortex of copy-cat sites which blur the line between the scammy sites and the legit services.

When we first encountered these executables and located the corresponding portal for the RaaS service, this was our first thought. However, it turns out that if you are patient enough, sometimes the scams turn out to be ‘real’. From around October 14th onwards, the Windows and Linux payloads that we have been able to intercept and analyze are functional, so this does not appear to be an outright scam, which seemed like a distinct possibility early on.

Inside The Ransomware Payload

The generated ransomware payloads are written in Golang.

image of project root strings

Project Root’s payloads follow in the footsteps of other, similar ransomware families also written in Golang, such as LockerGoga and shifr.

The samples we have analyzed to date are delivered in an unpacked state. Golang binaries tend to be somewhat large (over 1MB) and therefore you often see them mutated or compressed via a packer. Such is not the case with those generated by Project Root, and the size of the analyzed binaries range from 5MB to 6MB.

Functionally, there is nothing ground-breaking or novel about the executables generated via Project Root. Upon execution, the code will perform a few checks in an attempt to evade analysis. The executables are ‘sandbox-aware’ and will fail to run in both VMware and Oracle VirtualBox. In addition to the local system/host checks, the ransomware binary will attempt to reach out remotely to verify network connectivity by contacting the following host:

ec2-3-18-214-41[.]us-east-2[.]compute[.]amazonaws.com (3[.]18[.]214[.]41).

If successful, the executable will communicate a base64 encoded string to the remote host. The encoded string contains identifiable details of the infected system. This is for tracking as well as infection/payment reporting on the portal side.

image of project root key value pairs

Files are encrypted using AES-256. The samples we have analyzed only appear to target the following 195 specific file types for encryption.

odt, ods, odp, odm, odc, csv, odb, doc, docx, docm, wps, xls, xlsx, xlsm, xlsb, xlk, ppt, pptx, pptm, mdb, accdb, pst, dwg, xf, dxg, wpd, rtf, wb2, mdf, dbf, psd, pdd, pdf, eps, ai, indd, cdr, jpg, jpe, dng, 3fr, srf, sr2, bay, crw, cr2, dcr, kdc, erf, mef, mrwref, nrw, orf, raf, raw, rwl, rw2, r3d, ptx, pef, srw, x3f, der, cer, crt, pem, pfx, p12, p7b, p7c, c, cpp, txt, jpeg, png, gif, mp3, html, css, js, sql, mp4, flv, m3u, py, desc, con, htm, bin, wotreplay, unity3d, big, pak, rgss3a, epk, bik, slm, lbf, sav, lng ttarch2, mpq, re4, apk, bsa, cab, ltx, forge, asset, litemod, das, upk, bar, hkx, rofl, DayZProfile, db0, mpqge, vfs0, mcmeta, m2, lrf, vpp_pc, ff, cfr, snx, lvl, arch00, ntl, fsh, w3x, rim, psk, tor, vpk, iwd, kf, mlx, fpk, dazip, vtf, 001, esm, blob, dmp, menu, ncf, sid, sis, ztmp, vdf, mcgame, fos, sb, itm, wmo, itm, map, wmo, sb, svg, cas, gho, iso, rar, mdbackup, hkdb, hplg, hvpl, icxs, itdb, itl, sidd, sidn, bkf, qic, bkp, bc7, bc6, pkpass, tax, gdb, qdf, t12, t13, ibank, sum, sie, sc2save, d3dbsp, wmv, avi, wma, m4a, 7z, torrent

Once encryption occurs, affected files are given a .Lulz extension. The desktop background is changed to an image which instructs the victim to refer to ‘Fuck.txt’ for instructions on how to proceed with decryption.

The background image is pulled from the following URL:

hxxps[:]//i.postimg[.]cc/pdbqqS5P/new.jpg

image of project root splash

The ransom note simply provides instructions on whom to email for details on decryption along with a corresponding uniquely identifying key. At that point, it is up to the attacker to respond, accept payment, and provide details on how to proceed.

image of project root ransomware note

The threat also attempts to clear out local event logs (Windows version), as well as attempting to install a new root certificate. The certificate installation appears to still be problematic, as we were unable to reproduce or observe that behavior during our analysis.
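The target extension list, the `.Lulz` extension and the ransom note filename described above are enough to write a first-pass triage script for an incident responder. The following is an added example, not code from the original post or from the RaaS: given a file listing (or a real directory), it reports files already renamed with `.Lulz`, the presence of the ransom note, and which remaining files fall in the payload's target list. It assumes `.Lulz` is appended after the original extension (as with `report.pdf.Lulz`) and matches extensions case-insensitively, which over-reports rather than under-reports exposure; `TARGET_EXTENSIONS` carries a subset of the 195 types quoted above and the sample paths are constructed.

```python
"""Triage helper for Project Root's file-encryption behaviour (added example)."""
from __future__ import annotations

import os
from collections import Counter
from dataclasses import dataclass, field

# Extension the payload gives encrypted files (reported in the post above).
ENCRYPTED_EXTENSION = "lulz"
# Ransom note filename reported in the post above.
RANSOM_NOTE_NAME = "Fuck.txt"
# Subset of the 195 target extensions quoted in the post; extend as needed.
# Lowercased because matching is case-insensitive here (an assumption).
TARGET_EXTENSIONS = frozenset(ext.lower() for ext in (
    "odt", "ods", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt",
    "jpg", "jpeg", "png", "psd", "csv", "sql", "mdb", "accdb", "pst", "dwg",
    "pem", "pfx", "p12", "der", "crt", "c", "cpp", "py", "js", "html",
    "mp3", "mp4", "avi", "7z", "rar", "iso", "sav", "DayZProfile",
))


@dataclass
class TriageReport:
    encrypted: list[str] = field(default_factory=list)
    ransom_notes: list[str] = field(default_factory=list)
    at_risk: list[str] = field(default_factory=list)
    at_risk_by_ext: Counter = field(default_factory=Counter)

    @property
    def infected(self) -> bool:
        """Either artefact on its own is a strong sign the payload ran."""
        return bool(self.encrypted or self.ransom_notes)


def split_extension(path: str) -> tuple[str, str]:
    """Return (base, extension) with the extension lowercased and without the dot.

    Dotfiles such as '.bashrc' and names without a dot count as having no extension.
    """
    name = os.path.basename(path)
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return name, ""
    return base, ext.lower()


def classify(path: str) -> str:
    """Classify one path as 'ransom_note', 'encrypted', 'at_risk' or 'other'."""
    if os.path.basename(path) == RANSOM_NOTE_NAME:
        return "ransom_note"
    _, ext = split_extension(path)
    if ext == ENCRYPTED_EXTENSION:
        return "encrypted"
    if ext in TARGET_EXTENSIONS:
        return "at_risk"
    return "other"


def original_extension(encrypted_path: str) -> str:
    """For 'thesis.docx.Lulz' return 'docx' (assumes .Lulz was appended)."""
    base, _ = split_extension(encrypted_path)
    _, ext = split_extension(base)
    return ext


def triage_paths(paths) -> TriageReport:
    """Bucket every path; at-risk files are also tallied per extension."""
    report = TriageReport()
    for path in paths:
        kind = classify(path)
        if kind == "encrypted":
            report.encrypted.append(path)
        elif kind == "ransom_note":
            report.ransom_notes.append(path)
        elif kind == "at_risk":
            report.at_risk.append(path)
            report.at_risk_by_ext[split_extension(path)[1]] += 1
    return report


def triage_directory(root: str) -> TriageReport:
    """Walk a real directory tree and triage every file in it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage_paths(paths)


# Constructed sample listing; not taken from a real infection.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/budget.xlsx",
    "C:/Users/alice/Documents/thesis.docx.Lulz",
    "C:/Users/alice/Desktop/Fuck.txt",
    "C:/Users/alice/Pictures/holiday.JPG",
    "C:/Users/alice/.ssh/id_rsa",
    "C:/Windows/System32/kernel32.dll",
    "C:/Users/alice/Documents/.hidden",
]

if __name__ == "__main__":
    report = triage_paths(SAMPLE_PATHS)
    print(f"infected={report.infected} encrypted={len(report.encrypted)} at_risk={len(report.at_risk)}")
    for path in report.encrypted:
        print(f"  {path} (was .{original_extension(path)})")
```

Run it against a suspect host's file listing to confirm an infection and size the exposure before any recovery decisions are made.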

Defending Against Project Root and RaaS

SentinelOne Endpoint Protection is capable of fully preventing malicious binaries generated by the Project Root service across platforms. In scenarios where the threat has been able to make malicious changes, those can be fully reversed via SentinelOne’s “Rollback” feature.

Of course, aside from having a strong security solution in place, user education and a well-established Disaster Recovery Plan/Business Continuity Plan (DRP/BCP) will go a long way here, too.

Conclusion

It is always good to stay aware and keep up to date with the types of malware and ransomware services that are currently available, as well as the efficacy of them. While there are many that launch as either deliberate scams or are simply poorly written, there are also many that function quite well and present a real threat to users. This service, Project Root, straddles the line between those two extremes.

Indicators of Compromise (IOCs):


MITRE ATT&CK

  • T1130 – Install Root Certificate
  • T1486 – Data Encrypted for Impact (Ransomware)
  • T1089 – Disabling Security Tools
  • T1497 – Virtualization/Sandbox Evasion

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Google picks up Microsoft veteran, Javier Soltero, to head G Suite

Google has hired Microsoft’s former Cortana and Outlook VP, Javier Soltero, to head up its productivity and collaboration bundle, G Suite — which includes consumer and business tools such as Gmail, Hangouts, Drive, Google Docs and Sheets.

He tweeted the news yesterday, writing: “The opportunity to work with this team on products that have such a profound impact on the lives of people around the world is a real and rare privilege.”

 

Soltero joined Microsoft five years ago, after the company shelling out $200M to acquire his mobile email application, Acompli — staying until late last year.

His LinkedIn profile now lists him as vice president of G Suite, starting October 2019.

Soltero will report to Google Cloud CEO Thomas Kurian — who replaced Dianne Green when she stepped down from the role last year — per a company email reported by CNBC.

Previously, Google’s Prabhakar Raghavan — now SVP for its Advertising and Commerce products — was in charge of the productivity bundle, as VP of Google Apps and Google Cloud. But Mountain View has created a dedicated VP role for G Suite. Presumably to woo Soltero into his next major industry move — and into competing directly with his former employer.

The move looks intended to dial up focus on the Office giant, in response to Microsoft’s ongoing push to shift users from single purchase versions of flagship productivity products to subscription-based cloud versions, like Office 365.

This summer Google CEO, Sundar Pichai, announced that its cloud business unit had an $8 billion annual revenue run rate, up from $4BN reported in early 2018, though still lagging Microsoft’s Azure cloud.

He added that Google planned to triple the size of its cloud sales force over the next few years.

Aurora Insight emerges from stealth with $18M and a new take on measuring wireless spectrum

Aurora Insight, a startup that provides a “dynamic” global map of wireless connectivity that it built and monitors in real time using AI combined with data from sensors on satellites, vehicles, buildings, aircraft and other objects, is emerging from stealth today with the launch of its first publicly available product, a platform providing insights on wireless signal and quality covering a range of wireless spectrum bands, offered as a cloud-based, data-as-a-service product.

“Our objective is to map the entire planet, charting the radio waves used for communications,” said Brian Mengwasser, the co-founder and CEO. “It’s a daunting task.” He said that to do this the company first “built a bunker” to test the system before rolling it out at scale.

With it, Aurora Insight is also announcing that it has raised $18 million in funding — an aggregate amount that reaches back to its founding in 2016 and covers both a seed round and Series A — from an impressive list of investors. Led by Alsop Louie Partners and True Ventures, backers also include Tippet Venture Partners, Revolution’s Rise of the Rest Seed Fund, Promus Ventures, Alumni Ventures Group, ValueStream Ventures and Intellectus Partners.

The area of measuring wireless spectrum and figuring out where it might not be working well (in order to fix it) may sound like an arcane area, but it’s a fairly essential one.

Mobile technology — specifically, new devices and the use of wireless networks to connect people, objects and services — continues to be the defining activity of our time, with more than 5 billion mobile users on the planet (out of 7.5 billion people) today and the proportion continuing to grow. With that, we’re seeing a big spike in mobile internet usage, too, with more than 5 billion people, and 25.2 billion objects, expected to be using mobile data by 2025, according to the GSMA.

The catch to all this is that wireless spectrum — which enables the operation of mobile services — is inherently finite and somewhat flaky in how its reliability is subject to interference. That in turn is creating a need for a better way of measuring how it is working, and how to fix it when it is not.

“Wireless spectrum is one of the most critical and valuable parts of the communications ecosystem worldwide,” said Rohit Sharma, partner at True Ventures and Aurora Insight board member, in a statement. “To date, it’s been a massive challenge to accurately measure and dynamically monitor the wireless spectrum in a way that enables the best use of this scarce commodity. Aurora’s proprietary approach gives businesses a unique way to analyze, predict, and rapidly enable the next-generation of wireless-enabled applications.”

If you follow the world of wireless technology and telcos, you’ll know that wireless network testing and measurement is an established field — about as old as the existence of wireless networks themselves (which says something about the general reliability of wireless networks). Aurora aims to disrupt this on a number of levels.

Mengwasser — who co-founded the company with Jennifer Alvarez, the CTO who you can see presenting on the company here — tells me that a lot of the traditional testing and measurement has been geared at telecoms operators, who own the radio towers, and tend to focus on more narrow bands of spectrum and technologies.

The rise of 5G and other wireless technologies, however, has come with a completely new playing field and set of challenges from the industry.

Essentially, we are now in a market where there are a number of different technologies coexisting — alongside 5G we have earlier network technologies (4G, LTE, Wi-Fi); and a potential set of new technologies. And we have a new breed of companies building services that need to have close knowledge of how networks are working to make sure they remain up and reliable.

Mengwasser said Aurora is currently one of the few trying to tackle this opportunity by developing a network that measures multiple kinds of spectrum simultaneously, and aims to provide that information not just to telcos (some of which have been working with Aurora while still in stealth) but to the other kinds of application and service developers that are building businesses based on those new networks.

“There is a pretty big difference between us and performance measurement, which typically operates from the back of a phone and tells you when you have a phone in a particular location,” he said. “We care about more than this, more than just homes, but all smart devices. Eventually, everything will be connected to a network, so we are aiming to provide intelligence on that.”

One example is drone operators that are building delivery networks: Aurora has been working with at least one while in stealth to help develop a service, Mengwasser said, although he declined to say which one. (He also, incidentally, specifically declined to say whether the company had talked with Amazon.)

5G is a particularly tricky area of mobile network spectrum and services to monitor and tackle, which is one reason why Aurora Insight has caught the attention of investors.

“The reality of massive MIMO beamforming, high frequencies, and dynamic access techniques employed by 5G networks means it’s both more difficult and more important to quantify the radio spectrum,” said Gilman Louie of Alsop Louie Partners, in a statement. “Having the accurate and near-real-time feedback on the radio spectrum that Aurora’s technology offers could be the difference between building a 5G network right the first time, or having to build it twice.” Louie is also sitting on the board of the startup.

Early-stage privacy startup DataGrail gets boost from Okta partnership

When Okta launched its $50 million Okta Ventures investment fund in April, one of its investments was in an early-stage privacy startup called DataGrail. Today, the companies announced a partnership that they hope will help boost DataGrail, while providing Okta customers with a privacy tool option.

DataGrail CEO and co-founder Daniel Barber says that with the increase in privacy legislation, from GDPR to the upcoming California Consumer Protection Act (and many other proposed bills in various states of progress), companies need tools to help them comply and protect user privacy. “We are a privacy platform focused on delivering continuous compliance for businesses,” Barber says.

They do this in a way that fits nicely with Okta’s approach to identity. Whereas Okta provides a place to access all of your cloud applications from a single place with one logon, DataGrail connects to your applications with connectors to provide a way to monitor privacy across the organization from a single view.

It currently has 180 connectors to common enterprise applications like Salesforce, HubSpot, Marketo and Oracle. It then collects this data and presents it to the company in a central interface to help ensure privacy. “Our key differentiator is that we’re able to deliver a live data map of the customer data that exists within an organization,” Barber explained.

The company just launched last year, but Barber sees similarities in their approaches. “We see clear alignment on our go-to-market approach. The product that we built aligns very similarly to the way Okta is deployed, and we’re a true partner with the industry leader in identity management,” he said.

Monty Gray, SVP and head of corporate development at Okta, says that the company is always looking for innovative companies that fit well with Okta. The company liked DataGrail enough to contribute to the startup’s $5.2 million Series A investment in July.

Gray says that while DataGrail isn’t the only privacy company it’s partnering with, he likes how DataGrail is helping with privacy compliance in large organizations. “We saw how DataGrail was thinking about [privacy] in a modern fashion. They enable these technology companies to become not only compliant, but do it in a way where they were not directly in the flow, that they would get out of the way,” Gray explained.

Barber says having the help of Okta could help drive sales, and for a company that’s just getting off the ground, having a public company in your corner as an investor, as well as a partner, could help push the company forward. That’s all that any early startup can hope for.

Figma’s Community lets designers share and remix live files

As designers grow both in sheer numbers and within the hierarchy of organizations, design tool makers are adapting to their evolving needs in different ways. Figma, the web-based collaborative design tool, is taking a note from the engineering revolution of the early aughts.

“What if there were a GitHub for designers?” mused Dylan Field, early on in the lifecycle of Figma as a company. Today, that vision is brought to life with the launch of Figma Community. (Figma Community is launching in a closed beta for now.)

In a crowded space, with competitors like Adobe, InVision, Sketch and more, Figma differentiates itself on its web-based multiplayer approach. Figma is a design tool that works like Google Docs, with multiple designers in the same file, working alongside one another without disrupting each other.

But that’s just the base level of the overall collaboration that Figma believes designers crave. Field told us that he sees a clear desire from designers not only to share their work, whether it’s on a portfolio webpage or on social media, but also to learn from the work of other designers.

And yet, when a creative shares a design on social media, it’s just a static image. Other designers can’t see how it went from a blank page to an interesting design, and are left to merely appreciate it without learning anything new.

With Figma Community, designers and even organizations can share live design files that others can inspect, remix and learn from.

Individual designers can set up their own public-facing profile page to show off their designs, as well as intra-organization profile pages so other team members within their organization can learn from each other. On the other hand, organizations can publicly share their design systems and philosophy on their own page.

For example, the city of Chicago has set up a profile on Figma Community for other designers to follow the city’s design system in their own materials.


As far as remixing design files goes, Figma is using a CC4 license, which allows for a remix but forces attribution. That said, Field says the company is using this closed beta period to learn more about what the community wants around different license types.

Community is free and is not meant to drive revenue for the company, but rather offer further value to designers using the platform.

“It’s early,” said Dylan Field. “This is just the scaffolding of what’s to come. It’s the start of a lot of work that we’re going to be doing in the area of collaboration and community.”

Figma has raised a total of $83 million from investors like Index, Sequoia, Kleiner Perkins and Greylock, according to Crunchbase.

Slack announces new features to help ease app integration pain

As Slack has grown in popularity, one of the company’s key differentiators has been the ability to integrate with other enterprise tools. But as customers use Slack as a central work hub, it has created its own set of problems. In particular, users have trouble understanding which apps they have access to and how to make best use of them. Slack announced several ways to ease those issues at its Spec developer conference today.

Andy Pflaum, director of Slack platform, points out there are 1,800 app integrations available out of the box in Slack, and developers have created 500,000 additional custom apps. That’s obviously far too many for any user to keep track of, so Slack has created a home page for apps. Called App Launcher, it acts a bit like the Mac Launchpad — a centralized place where you can see your installed apps.


Slack App Launcher (Image: Slack)

You access App Launcher from the Slack sidebar by clicking Apps. It opens App Launcher with the apps that make sense for you. When you select an app, Pflaum says it takes you to that app’s home screen where it will be ready to enter or display relevant information.

For example, if you selected Google Calendar, you would see your daily schedule along with meeting requests, which you can accept or reject. You also can launch meeting software directly from this page. All of this happens within Slack, without having to change focus. App Home will be available in beta in the next few months, according to Pflaum.

Another way Slack is helping ease the app burden is with a new concept called Actions from Anywhere. The company actually launched Actions last year, enabling users to take an action from a message like attaching a Slack message to a pull request in Jira, as an example. Pflaum said that people liked these actions so much they were requesting the ability to take actions from anywhere in Slack.

“At Spec, we are previewing this new kind of action — Actions from Anywhere — which gives users the ability to take an action from anywhere they are in Slack,” Pflaum said. To really take advantage of this capability, the company is adding a feature to select the five most recent actions from a quick-access menu. These actions fill in automatically based on your most recent activities, and could be a real time-saver for people working inside Slack all day.

Finally, the company is enabling developers to open an external window inside Slack, what they call Modal windows, which open when users have to fill out a form, take a survey, enter expenses or provide additional information outside the flow of Slack itself.

All of these and other announcements at Spec are part of the maturation process of Slack as it moves to solve some of the pain points of growing so quickly. When you grow past the point of understanding what a complex piece of software can do, it’s up to the vendor to provide ways to surface all of the benefits and features, and that’s what Slack is attempting to do with these new tools.

Databricks announces $400M round on $6.2B valuation as analytics platform continues to grow

Databricks is a SaaS business built on top of a bunch of open-source tools, and apparently it’s been going pretty well on the business side of things. In fact, the company claims to be one of the fastest growing enterprise cloud companies ever. Today the company announced a massive $400 million Series F funding round on a hefty $6.2 billion valuation. Today’s funding brings the total raised to almost $900 million.

Andreessen Horowitz’s Late Stage Venture Fund led the round with new investors BlackRock, Inc., T. Rowe Price Associates, Inc. and Tiger Global Management also participating. The institutional investors are particularly interesting here because as a late-stage startup, Databricks likely has its eye on a future IPO, and having those investors on board already could give them a head start.

CEO Ali Ghodsi was coy when it came to the IPO, but it sure sounded like that’s a direction he wants to go. “We are one of the fastest growing cloud enterprise software companies on record, which means we have a lot of access to capital as this fundraise shows. The revenue is growing gangbusters, and the brand is also really well known. So an IPO is not something that we’re optimizing for, but it’s something that’s definitely going to happen down the line in the not-too-distant future,” Ghodsi told TechCrunch.

The company announced that as of Q3 it’s on a $200 million run rate, and it has a platform that consists of four products, all built on foundational open source: Delta Lake, an open-source data lake product; MLflow, an open-source project that helps data teams operationalize machine learning; Koalas, which creates a single machine framework for Spark and pandas, greatly simplifying working with the two tools; and, finally, Spark, the open-source analytics engine.

You can download the open-source version of all of these tools for free, but they are not easy to use or manage. The way that Databricks makes money is by offering each of these tools in the form of Software as a Service. They handle all of the management headaches associated with using these tools and they charge you a subscription price.

It’s a model that seems to be working, as the company is growing like crazy. It raised $250 million just last February on a $2.75 billion valuation. Apparently the investors saw room for a lot more growth in the intervening six months, as today’s $6.2 billion valuation shows.