Spectro Cloud launches with $7.5M investment to help developers build Kubernetes clusters their way

By now we know that Kubernetes is a wildly popular container management platform, but if you want to use it, you pretty much have to choose between having someone manage it for you or building it yourself. Spectro Cloud emerged from stealth today with a $7.5 million investment to give you a third choice that falls somewhere in the middle.

The funding was led by Sierra Ventures with participation from Boldstart Ventures.

Ed Sim, founder at Boldstart, says he liked the team and the tech. “Spectro Cloud is solving a massive pain that every large enterprise is struggling with: how to roll your own Kubernetes service on a managed platform without being beholden to any large vendor,” Sim told TechCrunch.

Spectro co-founder and CEO Tenry Fu says an enterprise should not have to compromise between control and ease of use. “We want to be the first company that brings an easy-to-use managed Kubernetes experience to the enterprise, but also gives them the flexibility to define their own Kubernetes infrastructure stacks at scale,” Fu explained.

Fu says that the stack, in this instance, spans everything from the base operating system to the Kubernetes version to the storage, networking and other layers like security, logging, monitoring, load balancing or anything else that’s infrastructure related around Kubernetes.

“Within an organization in the enterprise you can serve the needs of your various groups, down to pretty granular level with respect to what’s in your infrastructure stack, and then you don’t have to worry about lifecycle management,” he explained. That’s because Spectro Cloud handles that for you, while still giving you that control.

That gives enterprise developers greater deployment flexibility and the ability to move between cloud infrastructure providers more easily, something that is top of mind today as companies don’t want to be locked into a single vendor.

“There’s an infrastructure control continuum that forces enterprises into trade-offs against these needs. At one extreme, the managed offerings offer a kind of nirvana around ease of use, but it’s at the expense of control over things like the cloud that you’re on or when you adopt new ecosystem options like updated versions of Kubernetes.”

Fu and his co-founders have a deep background in this, having previously been part of CliQr, a company that helped customers manage applications across hybrid cloud environments. They sold that company to Cisco in 2016 and began developing Spectro Cloud last spring.

It’s early days, but the company has been working with 16 beta customers.

Coronavirus Widens the Money Mule Pool

With many people being laid off or working from home thanks to the Coronavirus pandemic, cybercrooks are almost certain to have more than their usual share of recruitable “money mules” — people who get roped into money laundering schemes under the pretense of a work-at-home job offer. Here’s the story of one upstart mule factory that spoofs a major nonprofit and tells new employees they’ll be collecting and transmitting donations for an international “Coronavirus Relief Fund.”

On the surface, the Web site for the Vasty Health Care Foundation certainly looks legitimate. It includes various sections on funding relief efforts around the globe, explaining that it “connects nonprofits, donors, and companies in nearly every country around the world.” The site says it’s a nonprofit with offices based in Nebraska and Quebec, Canada.

Vasty is a phony charity that pretends to raise money for Coronavirus victims but instead hires people to help launder stolen funds. This and the rest of the content at Vasty’s site was lifted from GlobalGiving, a legitimate charity that is helping people affected by the pandemic.

The “Vasty Health Care Foundation” is one of several fraudulent Web sites that recruit money mules in the name of helping Coronavirus victims. The content on Vasty’s site was lifted almost entirely from globalgiving.org, a legitimate charity that actually is trying to help people affected by the pandemic.

“We have been contacted by job seekers asking if we are related to some of these job opportunities they’ve been finding on Indeed.com and Monster.com,” said Kevin Conroy, chief product officer at GlobalGiving. “And we always tell them no that’s not from us, and not to cash any checks someone may be giving them in relation to those offers.”

The Vasty domain — vastyhealthcarefoundation[.]com — was registered just weeks ago, although the site claims its organization has been around for years.

The crooks behind this scheme also seem to have submitted the Vasty name in custom links at vetting sites like The Better Business Bureau and Guidestar that ultimately take one to a summary of data on GlobalGiving. No doubt this is part of an effort to lend legitimacy to the Vasty name (hovering over the links above reveals the trickery).

What proof is there that Vasty isn’t a legitimate charity? None of the dozens of Canadian mules contacted by this author responded to requests for comment. But KrebsOnSecurity received copious amounts of information about this scam from Milwaukee, Wisc.-based Hold Security, which managed to intercept key file exchanges between threat actors through public file sharing services.

Among those files were a set of form letters and boilerplate email messages that describe the ideal candidate for the job at Vasty and welcome new recruits to the Vasty payroll. Here’s a look at part of the job description, which includes (not pictured) a description of the healthcare plans and other benefits allegedly offered to Vasty employees.

After congratulating applicants (everyone who applies is “hired”) on their new positions, Vasty asks the recruits to do some busy work. In this case, new hires are sent to local pharmacies on some bogus errand, such as to inspect the pricing of face masks and hand sanitizer products for price-gouging.

“Now we have the first task for you. You will have to perform a trip within your city. So that we can compensate for transportation costs along with your hourly rate, I ask you to keep receipts confirming your expenses.

LOCATION: Sam’s Geneva Street Pharmacy

ADDRESS:  284 Geneva St, St. Catharines, ON L2N 2E8

I ask you to go to the pharmacy at the specified address. We are increasingly receiving reports of private sellers violating the pricing policy for products such as: aspirin, face masks are loose surgical masks with elastic loops that go around the ears, hand sanitizers.”

New recruits are then asked to assemble and submit a written report of their observations at the store in question.

These types of menial, meaningless tasks are a typical tactic of money mule recruitment schemes and they serve two main purposes: They separate out slackers from people who really need and want a job, and they help the employee feel like he’s doing something useful and legitimate (aside from just moving money around, which if brought up too soon might make him question whether the job is legit).

Eventually, after successfully completing one or more of these busy work tasks, the new hire is asked to process a “donation” from someone who wants to help fight the Coronavirus outbreak:

“Please read the instructions carefully. One donor wants to make donations to help fight the coronavirus. As you know, this is a big problem for most countries of the world. Every day we receive information from the World Health Organization that more and more people are sick. Quite a lot of people died from this virus. Some people simply don’t have enough funds to provide themselves with standard face masks and disinfectants to fight the virus.”

“The donor requests that Bitcoins be bought with his funds. For this task, you need to create your Bitcoin wallet, or use the QR code that we send you in this letter. You will receive from the donor up to 3000 CAD. Your commission up to 150 CAD will be included in this amount to cover your expenses. I remind you that you do not need to use your funds to buy bitcoins. The funds will be sent to you. You will need to receive cash atm or at your bank branch.”

What happens next is the employee then receives an electronic transfer of money into his bank account, is asked to withdraw the cash, and to keep 150 Canadian dollars for himself. He’s then instructed to take the remainder of the funds to a Bitcoin ATM and scan an emailed QR code with his mobile phone. This causes the cash he deposits into the Bitcoin ATM to be sent in an irreversible transaction to a Bitcoin wallet controlled by the scammers.

What’s going on behind the scenes is the funds that get deposited in the employee’s account are invariably stolen from other hacked bank accounts, and the employee is merely helping the crooks launder the stolen money into a form of payment that can’t be reversed.

Another boilerplate email intercepted by Hold Security shows Vasty’s new hires manager offering advice to employees who are asked by nosey bank employees about the nature of the funds withdrawal.

“Important: If you receive any questions from the bank regarding the purpose of the payment, you can open part of the instructions if necessary and inform that these funds are intended for payment of medicines. In any case, it is a personal payment and it will not be taxed. However, I strongly recommend that you not divulge the rest of the instructions for paying for medicines against coronavirus so as not to aggravate panic among the population.”

Americans shouldn’t feel left out of the scam: Hold Security founder Alex Holden says his analysts also intercepted a nearly identical set of scam templates targeting job seekers in the United States.

Money mule scammers specialize in hacking employer accounts at job recruitment Web sites like Monster.com, Hotjobs.com and other popular employment search services. Armed with the employer accounts, the crooks are free to search through millions of resumes and reach out to people who are currently between jobs or seeking part-time employment.

If you receive a job solicitation via email that sounds too-good-to-be-true, it probably is related in some way to one of these money-laundering schemes. Even if you can’t see the downside to you, someone is likely getting ripped off. Also, know that money mules — however unwitting — may find themselves in hot water with local police, and may be asked by their bank to pay back funds that were illegally transferred into the mules’ account.

Overall, Holden said, established cybercriminals who specialize in recruiting and grooming money mules for financial crimes have been cooing of late over the potential glut of new mules. One mule vendor on a popular Russian-language crime forum posted Tuesday that his “drops” — the hacker slang term for money mules — weren’t scared of Coronavirus concerns.

“We got drops in masks!,” one vendor proclaimed.

“We continue to work despite the Coronavirus,” declared another drops vendor.

Any readers interested in helping others affected by the Coronavirus outbreak should consider giving through the organization Vasty is impersonating here: GlobalGiving. Alternatively, these two stories link to a number of other reputable organizations facilitating Coronavirus relief efforts.

How Offensive Actors Use AppleScript For Attacking macOS

When we think about security on macOS and the tools used by offensive actors, whether those are real in-the-wild attacks or red team exercises, we tend to think of things like Python scripts, shell scripts, malicious documents, shady extensions and of course, the fake, doctored or trojan application bundle. There is much less attention in the security field on AppleScript – a built-in macOS technology – despite the fact it’s been around for as long as Python and predates macOS 10 itself by 8 or 9 years.

As I’ll show in this post, AppleScript is widely used by offensive actors. This includes its use in adware, its use for tasks such as persistence, anti-analysis, browser hijacking, spoofing and more. Worryingly, given the lack of attention paid to AppleScript in the research community, that is all without even leveraging some of AppleScript’s most powerful or unique features, some of which we’ll cover below (others I’ve written about before here).

Why Have the Good Guys Ignored AppleScript?

Unlike Bash and other shell languages, and unlike Python, a cross-platform, beginner-friendly scripting language that has achieved widespread adoption and praise, AppleScript is a language peculiar to macOS; not only can you NOT use it on other Desktop operating systems like Windows and Linux, you can’t even use it on Apple’s other operating systems like iOS and iPadOS.

As a language, AppleScript has a reputation for being quirky, slow and difficult to develop even simple scripts with. It’s quirky because it attempts to use “natural language” but in a grammar that is entirely artificial, often inconsistent and frustratingly unintuitive. It’s also incredibly verbose. Compare the code for the simple task of counting the number of items in the /usr/bin directory. As ever, a shell script will always be the most concise (note that `ls -l` would also print a leading “total” line and inflate the count by one, so the plain listing is used here):

ls /usr/bin | wc -l

Python is a little more verbose, but still fairly clean and familiar:

#!/usr/bin/env python3
import os
# os.walk yields (dirpath, dirnames, filenames) per directory; next() takes
# only the top level of /usr/bin without descending into subdirectories
path, dirs, files = next(os.walk("/usr/bin"))
print(len(files))

The AppleScript version, however, is something of an entirely different nature.

tell application "System Events"
	-- ask System Events for the names of every file in /usr/bin, then count them
	set theFiles to name of every file of folder "bin" of folder "usr" of startup disk
	count of theFiles
end tell

AppleScript is also slow in execution because, among other things, the underlying technology involves constructing and sending Apple Events through an archaic interface called the Apple Event Manager that was written for Apple’s System 7 operating system (released in 1991) and not optimized for performance even back then.

Source: AppleScript Overview, © 2002, 2007 Apple Inc.

And it’s historically been difficult to develop scripts with AppleScript because most people who come to it will attempt to use the free, built-in but notoriously spartan (Apple)Script Editor.app, which lacks almost every feature developers normally expect and need. There’s no debugger, there’s no variable introspection, there are no code snippets and no effective code completion, to name just a few missing features.

Until recently, the only 3rd party alternative to Script Editor was priced at $200 and had a time-limited, 20-day demo period.

In short, the investment in time, effort and money required to produce something that still, after all that, can only be used on the macOS Desktop, effectively puts AppleScript at the bottom of the list for most people when it comes to choosing a useful or productive programming language. As a result, despite being with us for nearly 30 years, AppleScript is barely used by the majority of Mac admins, Mac developers or Mac end users. Indeed, AppleScript may have a good claim to being the Most Unloved and Unlovable Programming Language Ever.

So Why Do the Bad Guys Love Using AppleScript?

AppleScript was designed for automation and interapplication communication: the goal being to allow ordinary users to chain together repetitive tasks and execute them without further user interaction. For example, you can have Mail.app automatically trigger a script when it receives an email from a certain sender, or with a particular keyword in the subject line or content, extract whatever details you want from the email, and then populate a database in Excel or Numbers with the desired information, formatted and sorted on-the-fly as the data comes in. There’s no need for the user to be involved in any of this once the script is set up.

And as it turns out, automating interapplication communication and sidestepping user interaction is a godsend for malware authors. What could be more useful than bending popular applications like email clients, web browsers and the Microsoft Office suite to your will without needing to involve the user (aka in this scenario, the victim)?

And so, despite its general lack of appeal in almost all possible audiences for a scripting or programming language, there is one audience that does use AppleScript widely, if not particularly artfully or cleverly, and that is threat actors. Let’s look at some examples.

Recent Examples of AppleScript in macOS malware

A recent browser hijacker targeting Safari installs a hidden LaunchAgent that, via a shell script, loads, compiles and executes AppleScript.

It starts with a shell installer script packaged inside a DMG that’s supposed to contain an application called ‘PDFConverter4u’. But in a hidden .assets folder on the disk image is a first stage shell script:

5f198e82c0cf9a9f7d7a8d01273a6ad75a17a95960d8996dcdd028922b3d97bc

This unpacks and executes a second stage shell script:

55529224e9f70f5cab007e2ca98f6aec5cf31eb923fdfc09f60c01cc45c80666

Which eventually produces the hidden launch agent that executes another shell script containing the following AppleScript code, launched via osascript.

cdaa2121d79031cf39159198dfe64d3695a9c99ff7c3478a0b8953ade9052ecc

The purpose of the AppleScript is to replace the user’s search query on the popular search engines Google, Bing and Yahoo with one provided by the attacker’s shell script. It’s a quick and easy way for bad actors to make money from clicks, at the cost of the victim’s productivity.

While this particular sample comes packed in a separate file, many others write their AppleScript directly into a MachO binary, either in plain text strings or in obfuscated base64 or similar encoding.

The following strings extracted from a Bundlore installer show that the code tries to force enable JavaScript execution in Google Chrome, then uses AppleScript to execute it in the active tab of the browser’s front window.

Strings from 41e0d31d52cb93f6a5020a278e8f360a6e134e6cc7092b4a5e575ac8b96a8d74

The next sample is a variant of the Pirrit malware.

21331ccee215801ca682f1764f3e37ff806e7510ded5576c0fb4d514b4cf2b7c

The authors use both plain text AppleScript and base64 encoded AppleScript, targeting Safari, Chrome and Firefox browsers.

Here’s some of the decoded base64 targeting Firefox, which attempts to perform automated keystrokes to copy the current URL to the user’s clipboard before replacing the URL with one of the attacker’s choosing.
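A defender-side example, added here and not code from the original article or from any vendor: a small Python scanner that pulls printable strings from a file (the way `strings` does) and flags AppleScript fragments both as plain text and inside base64 tokens, the two embedding styles described for the Bundlore and Pirrit samples above. The SAMPLE_BLOB is constructed for illustration; the real samples' hashes are not used.

```python
"""Hunt for AppleScript hidden in a binary's strings, plain or base64-encoded.

Added example, not code from the original article or from any vendor.
The SAMPLE_BLOB below is constructed for illustration.
"""
import base64
import binascii
import re
import sys
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Fragments that rarely appear in benign Mach-O string tables or shell
# wrappers unless the code drives AppleScript or osascript.
APPLESCRIPT_MARKERS = (
    b"tell application",
    b"do shell script",
    b"osascript",
    b"System Events",
    b"keystroke",
    b"the clipboard",
    b"use framework",
)

# Printable-ASCII runs of 8+ bytes, the same heuristic `strings` uses.
_STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")
# Standalone base64 tokens long enough to hold a script fragment
# (24 chars = 18 decoded bytes); lookarounds stop us matching mid-token.
_B64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/=])")


@dataclass
class Finding:
    kind: str     # "plain" or "base64"
    marker: str   # which marker matched
    excerpt: str  # first 80 chars of the (decoded) string, for triage


def extract_strings(blob: bytes) -> Iterator[bytes]:
    """Yield printable runs from raw bytes, like `strings -n 8`."""
    for m in _STRING_RE.finditer(blob):
        yield m.group(0)


def decode_b64(token: bytes) -> Optional[bytes]:
    """Strictly decode a base64 token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def first_marker(data: bytes) -> Optional[bytes]:
    return next((m for m in APPLESCRIPT_MARKERS if m in data), None)


def find_applescript(blob: bytes) -> List[Finding]:
    """Return one Finding per string that carries AppleScript, plain or base64."""
    findings: List[Finding] = []
    for s in extract_strings(blob):
        marker = first_marker(s)
        if marker:
            findings.append(Finding("plain", marker.decode(), s[:80].decode()))
        for token in _B64_RE.findall(s):
            decoded = decode_b64(token)
            marker = first_marker(decoded) if decoded else None
            if marker:
                findings.append(Finding("base64", marker.decode(),
                                        decoded[:80].decode(errors="replace")))
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, "rb") as fh:
        return find_applescript(fh.read())


# Constructed stand-in for a string table: a plain osascript wrapper, a
# base64-wrapped script, and an innocuous string that must not be flagged.
_B64_SCRIPT = base64.b64encode(
    b'tell application "System Events" to get name of every process')
SAMPLE_BLOB = b"".join([
    b"\x00\x01__TEXT__cstring\x00",
    b"/bin/sh -c osascript -e 'tell application \"Safari\" to activate'\x00",
    b"payload:" + _B64_SCRIPT + b"\x00",
    b"Copyright notice, nothing to see here.\x00",
])


if __name__ == "__main__":
    # Pass a file path to scan it; with no argument the constructed sample is used.
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_applescript(SAMPLE_BLOB)
    for f in hits:
        print(f"[{f.kind}] {f.marker}: {f.excerpt}")
```

Run against a LaunchAgent's target script or an installer binary to get a quick triage list; a hit is a lead for manual review, not a verdict, since legitimate automation tools also ship AppleScript.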

Using AppleScript Without Apple Events

Speaking of base64, the next example illustrates something that many ordinary users and developers have overlooked about AppleScript, but which offensive actors have not: you can use AppleScript to execute any other kind of script, including python scripts like this one which drops the Empire exploit kit.

And what’s true of AppleScript and Python is true of AppleScript and Perl, AppleScript and Bash and indeed AppleScript and absolutely any command line tool at all: you can call them all and bring their functionality into your AppleScript and combine that with other utilities.

The examples above all use what we might call ‘vanilla AppleScript’. That is, the native AppleScript language that’s been around since the early days of the platform. But starting in Yosemite (10.10) and continuing up to and including the most recent version of macOS, AppleScript has been given increasing power through access to Cocoa frameworks, and this opens up the possibility of creating full-blown, powerful programs and applications with nothing other than AppleScript itself. Objective C executed through AppleScript is, speed-wise, more or less on a par with Objective C executed in a MachO binary.

And interestingly, although we haven’t seen threat actors making use of these powerful capabilities so far, there are at least two reasons why they may well do so in the future: first, to avoid detection, and second, because of the easy availability of a good development environment.

Using AppleScript to Avoid Detection

Avoiding detection on execution is a primary objective for all malware (even ransomware, which doesn’t want to get noticed until after execution). AppleScript offers offensive actors a plethora of ways to execute. In addition to simply executing a compiled .scpt file, you can run AppleScripts from Mail rules, from a shell script, in memory, from the command line, from within a MachO, in a plain text, uncompiled file, from an Automator workflow, from a Folder Action, a Finder Service or from a Calendar event.

Because of AppleScript’s ability to execute Objective C code without needing a compiled binary, this opens up a number of interesting attack possibilities. It also potentially opens up the ability to bypass detection tools based on Apple’s new kextless security framework introduced in macOS Catalina 10.15.

In an excellent post by Cedric Owens called Taking the macOS Endpoint Security Framework For A Quick Spin, Owens sets out to test what can and cannot be detected using three recently developed 3rd-party security tools that leverage the new Apple Endpoint Security framework.

One of the interesting things that Owens found was that if you tried capturing the user’s clipboard via osascript and vanilla AppleScript, this activity would be easily picked up by all the tools he was testing.

osascript -e 'the clipboard'

However, when using the native Cocoa API, NSPasteboard, none of the Endpoint Security framework-powered tools Owens tested appeared to capture that activity. But now, of course, we can execute NSPasteboard natively from AppleScript, too!

Notice that our one line, simple but also detectable osascript has turned into about 14 lines of complex-looking AppleScript-ObjC. Few people, certainly not I, would want to try and construct that kind of code in Script Editor.

However, the problem of developing complex AppleScripts is now more or less a thing of the past. The 3rd party alternative mentioned earlier in this post now has an unlimited free trial version and retails at half of its old price; more importantly, it also allows you to drag and drop a great deal of boilerplate code like that used in the script above straight into your scripts. And it provides developer-friendly functionality like code completion and API lookups that really take the pain out of developing AppleScript code.

Let’s look at another example. A lot of offensive operations want to avoid targets that are running particular software. Little Snitch is a prime example, various VM software is another. We can easily get a list of running apps by name and test for those, again directly by calling into Cocoa APIs, this time via NSWorkspace.

If we just want a true/false test for the existence of specific apps, we can just put the app names in a list and return true on the first hit.

In other words, by leveraging AppleScript’s hook into Cocoa frameworks, we can execute native code without the overhead of building MachO binaries or MachO apps (although you can do both of those with AppleScript, too!). We can do this filelessly so that we don’t get caught by new ‘kextless’ tools such as those tested by Owens, and we can execute this code in far more ways than any other kind of code available on macOS, whether that’s shell scripts, Python scripts or native macOS bundles.

Conclusion

The upshot here is that the main reasons why the good guys have typically eschewed AppleScript are in fact no longer relevant or true. Since we’ve already seen threat actors taking advantage of AppleScript despite those obstacles in the past, it’s only reasonable to assume that they may delve deeper into what this unique language has to offer in the future. Thanks to the native hook into Objective C and the powerful Cocoa frameworks, the variety of execution methods and now the availability of an excellent, free-to-use IDE, AppleScript has become a tool that is powerful, versatile and easy-to-develop with.

Attackers will always look to exploit the things defenders ignore, and to say that AppleScript has been ignored by the security community thus far is an understatement. I have elsewhere described AppleScript as “the PowerShell of macOS”. Certainly, it’s time we stopped thinking of AppleScript as the Most Unlovable Programming Language Ever and recognize that it may actually be the One macOS Programming Language to Rule Them All.


To make locks touchless, Proxy bluetooth ID raises $42M

We need to go hands-off in the age of coronavirus. That means touching fewer doors, elevators, and sign-in iPads. But once a building is using phone-based identity for security, there are opportunities to speed up access to Wi-Fi networks and printers, or personalize conference rooms and video call set-ups. Keyless office entry startup Proxy wants to deliver all of this while keeping your phone in your pocket.

“The door is just a starting point,” Proxy co-founder and CEO Denis Mars tells me. “We’re . . . empowering a movement to take back control of our privacy, our sense of self, our humanity, our individuality.”

With the contagion concerns and security risks of people rubbing dirty, cloneable, stealable key cards against their office doors, investors see big potential in Proxy. Today it’s announcing here a $42 million Series B led by Scale Venture Partners with participation from former funders Kleiner Perkins and Y Combinator plus new additions Silicon Valley Bank and West Ventures.

The raise brings Proxy to $58.8 million in funding so it can staff up at offices across the world and speed up deployments of its door sensor hardware and access control software. “We’re spread thin,” says Mars. “Part of this funding is to try to grow up as quickly as possible and not grow for growth’s sake. We’re making sure we’re secure, meeting all the privacy requirements.”

How does Proxy work? Employers get their staff to install an app that knows their identity within the company, including when and where they’re allowed entry. Buildings install Proxy’s signal readers, which can either integrate with existing access control software or the startup’s own management dashboard.

Employees can then open doors, elevators, turnstiles, and garages with a Bluetooth low-energy signal without having to even take their phone out. Bosses can also opt to require a facial scan or fingerprint or a wave of the phone near the sensor. Existing keycards and fobs still work with Proxy’s Pro readers. Proxy costs about $300 to $350 per reader, plus installation and a $30 per month per reader subscription to its management software.

Now the company is expanding access to devices once you’re already in the building thanks to its SDK and APIs. Wi-Fi router makers are starting to pre-provision their hardware to automatically connect the phones of employees or temporarily allow registered guests with Proxy installed — no need for passwords written on whiteboards. Its new Nano sensors can also be hooked up to printers and vending machines to verify access or charge expense accounts. And food delivery companies can add the Proxy SDK so couriers can be granted the momentary ability to open doors when they arrive with lunch.

Rather than just indiscriminately beaming your identity out into the world, Proxy uses tokenized credentials so only its sensors know who you are. Users have to approve of new networks’ ability to read their tokens, Proxy has SOC-2 security audit certification, and complies with GDPR. “We feel very strongly about where the biometrics are stored . . . they should stay on your phone” says Mars.

Yet despite integrating with the technology for two-factor entry unlocks, Mars says “We’re not big fans of facial recognition. You don’t want every random company having your face in their database. The face becomes the password you were supposed to change every 30 days.”

Keeping your data and identity safe as we see an explosion of Internet of Things devices was actually the impetus for starting Proxy. Mars had sold his teleconferencing startup Bitplay to Jive Software, where he met his eventual co-founder Simon Ratner, who’d joined after his video annotation startup Omnisio was acquired by YouTube. Mars was frustrated about every IoT lightbulb and appliance wanting him to download an app, set up a profile, and give it his data.

The duo founded Proxy in 2016 as a universal identity signal. Today it has over 60 customers. While other apps want you to constantly open them, Proxy’s purpose is to work silently in the background and make people more productive. “We believe the most important technologies in the world don’t seek your attention. They work for you, they empower you, and they get out of the way so you can focus your attention on what matters most — living your life.”

Now Proxy could actually help save lives. “The nature of our product is contactless interactions in commercial buildings and workplaces so there’s a bit of an unintended benefit that helps prevent the spread of the virus” Mars explains. “We have seen an uptick in customers starting to set doors and other experiences in longer-range hands-free mode so that users can walk up to an automated door and not have to touch the handles or badge/reader every time.”

The big challenge facing Proxy is maintaining security and dependability since it’s a mission-critical business. A bug or outage could potentially lock employees out of their workplace (when they eventually return from quarantine). It will have to keep hackers out of employee files. Proxy needs to stay ahead of access control incumbents like ADT and HID as well as smaller direct competitors like $10 million-funded Nexkey and $28 million-funded Openpath.

Luckily, Proxy has found a powerful growth flywheel. First an office in a big building gets set up, then they convince the real estate manager to equip the lobby’s turnstiles and elevators with Proxy. Other tenants in the building start to use it, so they buy Proxy for their office. Then they get their offices in other cities on board…starting the flywheel again. That’s why Proxy is doubling down on sales to commercial real estate owners.

The question is when Proxy will start knocking on consumers’ doors. While leveling up into the enterprise access control software business might be tough for home smartlock companies like August, Proxy could go down market if it built more physical lock hardware. Perhaps we’ll start to get smart homes that know who’s home, and stop having to carry pointy metal sticks in our pockets.

HashiCorp soars above $5B valuation in new $175M venture round

The rise of the cloud over the past decade has forced software developers and DevOps engineers to completely rearchitect the modern web application, ensuring scalability, performance, and security. That’s a really painful proposition when done manually, which is where HashiCorp comes into play. The company’s suite of products helps everyone in the tech workforce from IT admins to software developers operate in the cloud (mostly) effortlessly and natively.

The company’s products have long garnered rave reviews from technical staff, and now the company is looking at a brand new massive valuation.

The SF-based startup announced today that it has raised $175 million in Series E financing from Franklin Templeton Investments at a scorching $5.1 billion valuation. For context, when we last covered the company back in late 2018, its valuation was only a “paltry” $1.9 billion following a $100 million round led by growth investor IVP.

The company in its release today touted its success in doubling revenues and customers every year for four straight years as the key reason behind the flush valuation. The company is making a (not so) subtle point that David McJannet, who joined the company as CEO in mid-2016 following a stint as an EIR at Greylock, has seen some success in his new role.

HashiCorp CEO David McJannet. Photo via HashiCorp

The company, founded by Mitchell Hashimoto and Armon Dadgar in 2012, is one of the major pioneers in helping companies build high-quality infrastructure that’s a mix of multi-cloud providers, private cloud, and even legacy systems.

Its most well-known product is Terraform, which allows developers to write repeatable rules around enterprise infrastructure rather than a patchwork of different scripts that might not work as their writers intended. The idea is that with a consistent framework, HashiCorp’s product can help companies reduce costs (by protecting against, say, over-provisioning of resources) while also helping to balance scale and performance. The company’s other products include Consul around network automation, Vault for security, and Nomad for application deployment.

HashiCorp touches on a bunch of competitive products, but its cohesive set of tools and strong outreach to the developer community have set it apart from the competition in recent years.

Franklin Templeton is a fairly late stage investor that has funded such enterprise companies as Cloudflare, which went public last year, logs management platform SumoLogic, and cybersecurity business Tanium, all according to Crunchbase.

With a hefty $5.1 billion valuation, the company narrowly missed the catastrophic decline of SaaS stocks over the past few weeks, which have been buffeted by the rapidly spreading global pandemic. But with a new war chest and a focus on a popular and growing enterprise market, the company seems poised to continue its growth.

The Web’s Bot Containment Unit Needs Your Help

Anyone who’s seen the 1984 hit movie Ghostbusters likely recalls the pivotal scene where a government bureaucrat orders the shutdown of the ghost containment unit, effectively unleashing a pent-up phantom menace on New York City. Now, something similar is in danger of happening in cyberspace: Shadowserver.org, an all-volunteer nonprofit organization that works to help Internet service providers (ISPs) identify and quarantine malware infections and botnets, has lost its longtime primary source of funding.


Shadowserver provides free daily live feeds of information about systems that are either infected with bot malware or are in danger of being infected to more than 4,600 ISPs and to 107 national computer emergency response teams (CERTs) in 136 countries. In addition, it has aided the FBI and other nations’ federal law enforcement officials in “sinkholing” domain names used to control the operations of far-flung malware empires.

In computer security lexicon, a sinkhole is basically a way of redirecting malicious Internet traffic so that it can be captured and analyzed by experts and/or law enforcement officials. Typically, a sinkhole is set up in tandem with some kind of legal action designed to wrest control over key resources powering a malware network.

Some of these interventions involving Shadowserver have been documented here, including the Avalanche spam botnet takedown, the Rustock botnet takeover, the Gameover malware botnet seizure, and the Nitol botnet sneak attack. Last week, Shadowserver was instrumental in helping Microsoft kneecap the Necurs malware network, one of the world’s largest spam and malware botnets.


Sinkholing allows researchers to assume control over a malware network’s domains, while redirecting any traffic flowing to those systems to a server the researchers control. As long as good guys control the sinkholed domains, none of the infected computers can receive instructions about how to harm themselves or others online.

And Shadowserver has time and again been the trusted partner when national law enforcement agencies needed someone to manage the technical side of things while people with guns and badges seized hard drives at the affected ISPs and hosting providers.

But very recently, Shadowserver got the news that the company which has primarily funded its operations for more than 15 years, networking giant Cisco Systems Inc., opted to stop providing that support.

Cisco declined to respond to questions about why it withdrew funding. But it did say the company was exploring the idea of supporting the organization as part of a broader support effort by others in the technology industry going forward.

“Cisco supports the evolution of Shadowserver to an industry alliance enabling many organizations to contribute and grow the capabilities of this important organization,” the company said in a written statement. “Cisco is proud of its long history as a Shadowserver supporter and will explore future involvement as the alliance takes shape.”

To make matters worse, Shadowserver has been told it needs to migrate its data center to a new location by May 15, a chore the organization reckons will cost somewhere in the neighborhood of $400,000.

“Millions of malware infected victims all over the world, who are currently being sinkholed and protected from cybercriminal control ​by Shadowserver, may lose that critical protection – just at the time when governments and businesses are being forced to unexpectedly stretch their corporate security perimeters and allow staff to work from home on their own, potentially unmanaged devices, and the risk of another major Windows worm has increased,” Shadowserver wrote in a blog post published today about their financial plight.

The Shadowserver Foundation currently serves 107 national computer emergency response teams (CERTs) in 136 countries, more than 4,600 vetted network owners and over 90% of the Internet, primarily by giving them free daily network reports.

“These reports notify our constituents ​about millions of misconfigured, compromised, infected or abusable devices for remediation every day,” Shadowserver explained.

The group is exploring several options for self-funding, but Shadowserver Director Richard Perlotto says the organization will likely depend on a tiered “alliance” funding model, where multiple entities provide financial support.

“Many national CERTs have been getting our data for free for years, but most of these organizations have no money and we never charged them because Cisco paid the bill,” Perlotto said. “The problem for Shadowserver is we don’t blog about our accomplishments very frequently and we operate pretty quietly. But now that we need to do funding it’s a different story.”

Perlotto said while Shadowserver’s data is extremely valuable, the organization took a stance long ago that it would never sell victim data.

“This does not mean that we are anti-commercial sector activities – we definitely believe that there are huge opportunities for innovation, for product development, and to sell cyber security services,” he said. “Shadowserver does not seek to compete with commercial vendors, or disrupt their business models. But we do fundamentally believe that no-one should have to pay to find out that they have been a victim of cybercrime.”

Most immediately, Shadowserver needs to raise approximately $400,000 by the end of this month to manage the migration of its 1,300+ servers out of Cisco’s California data center into a new facility.

Anyone interested in supporting that migration effort can do so directly here; Shadowserver’s contact page is here.

Update 10:46 a.m., ET: Added comment from Cisco.

This startup got a meeting with Mark Suster by getting clever with Google ads

Startups have done some wild things to get the attention of VCs. In fact, Instacart founder Apoorva Mehta sent YC partner (at the time) Garry Tan a six-pack of beer through the service after missing the deadline for Y Combinator by two months.

Yesterday, the ingenuity of startups struck again.

Tadabase.io, an enterprise startup that offers no-code tools to help businesses automate their processes, has had an ad running that was… well, hyper targeted.

ProductHunt founder and WeekendFund investor Ryan Hoover discovered the ad and shared it on Twitter.

Hoover told TechCrunch he was Googling Mark Suster to facilitate an introduction between Suster and one of Hoover’s portfolio companies. Instead, he found a Google ad directed squarely at Suster from Tadabase.io.

“Mark Suster, you haven’t invested in nocode” read the paid listing. “Therefore, we put this ad here to get your attention. If you’re not Mark, please don’t click here and save us some money.”

I reached out to Suster, managing partner at UpFront Ventures, to see what he thought of the ad. He told me he “loved it” and has already contacted the CEO to set up a call for next week.

Whether this clever Google ad will result in an actual investment is yet to be determined. Also unclear: will Ryan Hoover get in on the deal?

I reached out to Tadabase founder and CEO Moe Levine via email to ask about the ad, how they went about targeting, and how he feels about his upcoming phone call next week. He hasn’t responded yet. I’ll update if/when he does.

The Good, the Bad and the Ugly in Cybersecurity – Week 11

The Good

This week Microsoft, along with an extensive list of partners, took steps to successfully cripple one of the most prolific malicious botnets of the last decade. The Necurs botnet has been responsible for much of the pharmaceutical, stock pump-and-dump, dating and other common spam lures since 2012, and operated at its peak between 2015 and 2017. It was also heavily leveraged to distribute prominent malware families including GameOver Zeus, FlawedAmmyy, Locky, Dridex, Scarab, Trickbot and many others.

The turning point came once Microsoft and industry partners were able to uncover the inner workings of the Necurs DGA (Domain Generation Algorithm), the component of the network responsible for generating and registering C2 (command-and-control) domains. According to Microsoft’s Digital Crimes Unit, they were able to “accurately predict over six million unique domains that would be created in the next 25 months”. As a result, Microsoft were able to prevent these generated domains from being registered. In addition, a court order issued on March 5th allowed Microsoft to seize existing domains, effectively crippling the botnet’s current and future infrastructure.
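The workflow described here, and in the Shadowserver piece earlier on this page, is the same one a defender runs after a DGA has been reversed: precompute every domain the algorithm will produce, get those names registered or blocked ahead of the botnet, point them at a sinkhole, and turn the sinkhole’s query log into per-network victim reports. The example below is added here and is not code from the article, from Microsoft’s Digital Crimes Unit or from Shadowserver. The DGA in it is a constructed toy, not the Necurs algorithm; the seed, the log lines and the network-owner table are all made up for the example.

```python
"""Added example: from a known DGA to a sinkhole victim report.

The DGA below is a CONSTRUCTED toy, not Necurs'. The point is the
workflow: once the algorithm and its seed are known, every future C2
domain can be computed in advance, registered or blocked before the
botnet gets it, and every host that queries one of them at the
sinkhole is a likely victim to report to its network owner.
"""
import hashlib
import ipaddress
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

TLDS = ("com", "net", "biz")


def toy_dga(day: date, seed: int, count: int = 4) -> List[str]:
    """Constructed toy DGA: `count` domains for one calendar day.

    Each label is derived from sha256(seed, date, index), so anyone who
    knows the seed and the algorithm produces the identical list.
    """
    domains = []
    for i in range(count):
        material = f"{seed}:{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        # 12 hex digits -> 12 lowercase letters (a..p), a valid DNS label
        label = "".join(chr(ord("a") + int(h, 16) % 26) for h in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute_domains(start: date, days: int, seed: int) -> Dict[str, date]:
    """Every domain the DGA yields in [start, start+days) -> day it goes live.

    This table is what a defender pre-registers or blocks and what the
    sinkhole later matches queries against.
    """
    table: Dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for domain in toy_dga(day, seed):
            table.setdefault(domain, day)
    return table


def parse_sinkhole_log(lines: Iterable[str]) -> Iterator[Tuple[ipaddress._BaseAddress, str]]:
    """Yield (client_ip, queried_domain) from 'timestamp ip domain' lines.

    Malformed lines and unparsable addresses are skipped rather than
    allowed to abort the whole daily report.
    """
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, ip, domain = parts
        try:
            yield ipaddress.ip_address(ip), domain.lower().rstrip(".")
        except ValueError:
            continue


def victim_report(lines: Iterable[str], dga_domains: Dict[str, date],
                  networks: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Group hosts that queried a DGA domain at the sinkhole by network owner.

    Returns {owner: {client_ip: sorted DGA domains it asked for}}. Lookups
    for domains outside the DGA table (ordinary traffic that happens to hit
    the resolver) are ignored; clients in no known network are reported
    under 'unknown' so they are not silently dropped.
    """
    nets = [(ipaddress.ip_network(cidr), owner) for cidr, owner in networks.items()]
    report: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for ip, domain in parse_sinkhole_log(lines):
        if domain not in dga_domains:
            continue
        owner = next((o for net, o in nets if ip in net), "unknown")
        report[owner][str(ip)].add(domain)
    return {o: {ip: sorted(d) for ip, d in hosts.items()} for o, hosts in report.items()}


# --- constructed sample data (seed, log and network owners are made up) ---
SEED = 0x5EED
START = date(2020, 3, 9)
DGA_TABLE = precompute_domains(START, 30, SEED)   # the next 30 days of C2 names

SINKHOLE_LOG = [
    f"2020-03-09T10:00:01Z 10.1.4.7 {toy_dga(START, SEED)[0]}",
    f"2020-03-09T10:00:05Z 10.1.4.7 {toy_dga(START, SEED)[1]}",
    f"2020-03-09T10:02:11Z 192.0.2.44 {toy_dga(START, SEED)[0]}",
    f"2020-03-10T01:15:00Z 198.51.100.9 {toy_dga(START + timedelta(days=1), SEED)[2]}",
    "2020-03-10T01:16:00Z 10.1.9.3 www.example.com",   # benign lookup, not a victim
    "garbage line",                                     # malformed, skipped
]
NETWORKS = {"10.1.0.0/16": "isp-a", "192.0.2.0/24": "corp-b"}


def run_example() -> Dict[str, Dict[str, List[str]]]:
    """Build the per-owner victim report for the constructed log."""
    return victim_report(SINKHOLE_LOG, DGA_TABLE, NETWORKS)


if __name__ == "__main__":
    for owner, hosts in sorted(run_example().items()):
        print(owner)
        for ip, domains in sorted(hosts.items()):
            print(f"  {ip}: {', '.join(domains)}")
```

The report is keyed by network owner rather than by domain because that is the unit a notification goes to: an ISP or CERT needs the list of its own addresses that are phoning home, not the botnet’s internal structure. Keeping the precomputed table keyed by activation date also lets a registrar or registry refuse the names before the date on which the bots start looking for them.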


This was a coordinated effort between Microsoft, ISPs, various domain registries, as well as law enforcement entities in India, Japan, France, Mexico, Colombia and many others. We know this is a long slow-burn of a fight, and there is always a chance that the botnet could rebound (ex: Kelihos), but this is a valiant and commendable effort. Cheers to all those involved and keep up the good fight.

The Bad

Alas, Microsoft are also in the bad news this week after the discovery of a critical and potentially wormable vulnerability in Microsoft’s SMBv3, CVE-2020-0796. Essentially, this is an RCE (remote code execution) flaw in Microsoft Server Message Block 3.1.1 (SMBv3) when handling certain requests. An attacker could exploit the flaw by transmitting a specially crafted packet and gain arbitrary code execution on the targeted server or client. The flaw affects Microsoft Windows 10 Versions 1903 & 1909 (including Windows Server) across supported architectures (x32, x64, ARM64). According to various advisories (published and pulled and republished in the last 36 hours) the issue comes down to a memory corruption condition stemming from a buffer overflow in affected SMB servers. Microsoft has provided an update here and a workaround in their updated advisory for those who cannot patch.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

The Ugly

Now more than ever, we all need to be extra vigilant and aware of our information sources. We’ve already seen plenty of spam campaigns and blatant misinformation regarding Covid-19/Coronavirus, with the unscrupulous only too happy to try and cash in on a worried, information-hungry public. Sadly, but predictably, this week saw the emergence of an exploit kit playing on those same fears, the “Corona Virus Map Phish Method” kit, which is being sold in multiple underground forums. 

The kit in question is offered for $200 as is, or $700 with the seller’s own code signing certificate. It comes with a preloader that can be attached to an email. The code loads a working map displaying infection data on the victim’s machine, as well as the buyer’s payload of choice. The payload can be embedded directly or called via embedded URL, and the whole package can be bundled and sent via email without triggering a block by popular email providers.

One of the sites hosting a malicious map was highlighted in HC3’s (Health Sector Cybersecurity Coordination Center) March 10 alert, Fake Online Coronavirus Map Delivers Well-known Malware. In the scenario covered in the alert, the site was used to drop the AZORult trojan. That highlighted example is a web-centric attack, but it should be noted that we have seen pointers to these malicious sites spread via email and social media threads as well. 

Using this against the unassuming public is shameful, but at the same time, unfortunately, it reportedly works on “all Windows (XP-Win10, 32bit and 64bit)” and only requires some (any) version of Java to function. Aside from sidestepping email provider detections, the kit is built to evade Windows Defender and bypass UAC out of the box. SentinelOne customers can rest assured that the SentinelOne agent detects and effectively blocks the “Corona Virus Map Phish” kit, as demonstrated in the video below.


Pentagon asks court for time to reconsider JEDI award to Microsoft

The JEDI contract award process might never be done. Following legal challenges from Amazon after the Pentagon’s massive, $10 billion cloud contract was awarded to Microsoft in October, the Pentagon indicated in court documents last night that it wishes to reconsider the award.

It’s just the latest plot twist in an epic government procurement saga.

Here’s what we know. The Pentagon filing is based on Amazon’s complaints about the technical part of the deal only. Amazon has said that it believes political interference influenced the awarding of the contract. However, the cloud computing giant also believes it beat Microsoft on the technical merits in a majority of instances required in the request for proposals issued by the Pentagon.

In fact, sources told TechCrunch, “AWS’s protest identified evaluation errors, clear deficiencies and unmistakable bias in six of the eight evaluation factors.”

Obviously Amazon was happy to hear this news. “We are pleased that the DoD has acknowledged ‘substantial and legitimate’ issues that affected the JEDI award decision, and that corrective action is necessary,” a spokesperson stated.

“We look forward to complete, fair, and effective corrective action that fully insulates the re-evaluation from political influence and corrects the many issues affecting the initial flawed award.”

As one would expect, Microsoft thinks that the DoD made the correct choice, and believes the review will bear that out. “Over two years, the DoD reviewed dozens of factors and sub factors and found Microsoft equal or superior to AWS on every factor. We remain confident that Microsoft’s proposal was technologically superior, continues to offer the best value, and is the right choice for the DoD,” Microsoft VP of communications Frank Shaw said.

The court granted the Pentagon 120 days to review the results again, but indicated it could take longer. In the meantime, the project is at a standstill.

On Friday, the court issued a ruling that Amazon was likely to succeed on its complaint on merit, and that could have been the impetus of this latest action by the Pentagon.

While the political influence piece might not be overtly part of this filing, it does lurk in the background. The president has made it clear that he doesn’t like Amazon founder and CEO Jeff Bezos, who also owns The Washington Post. As we wrote last year:

Amazon, for instance, could point to Jim Mattis’ book where he wrote that the president told the then Defense Secretary to “screw Bezos out of that $10 billion contract.” Mattis says he refused, saying he would go by the book, but it certainly leaves the door open to a conflict question.

As we previously reported, AWS CEO Andy Jassy stated at a press event at AWS re:Invent in December that the company believed there was political bias at play in the decision-making process.

“What I would say is that it’s fairly obvious that we feel pretty strongly that it was not adjudicated fairly,” he said. He added, “I think that we ended up with a situation where there was political interference. When you have a sitting president, who has shared openly his disdain for a company, and the leader of that company, it makes it really difficult for government agencies, including the DoD, to make objective decisions without fear of reprisal.”

The story has been updated with a comment from Microsoft. We have requested comment from DoD and will update the story should they respond.

Yext aims to deliver more coronavirus-related answers by making its site search free

Yext says that in response to the COVID-19 pandemic, it’s making its Yext Answers site search product free for 90 days.

You might not see an obvious connection between site search and a worldwide pandemic. You might even think this sounds like a marketing gimmick. But Yext CEO Howard Lerman said that for the past 10 days, the company has seen a spike in coronavirus-related searches across sites that use Yext Answers.

After all, Lerman said Yext has a lot of customers in the healthcare industry, such as the IHA medical group. But even beyond that, companies are getting related questions, whether it’s a hotel getting asked about their cleaning procedures, or an airline being asked whether it’s safe to fly or a vodka company getting asked about whether vodka can be used as hand sanitizer.

Businesses could try to answer those questions on a single web page or blog post, but that’s probably not going to be comprehensive. Yext Answers offers a way to present and save this information in a much more structured way, so that a visitor can jump to the exact answer that interests them. In addition, it provides data on what visitors are searching for, so companies can answer the questions that people are actually asking.


Yext is also offering a free plugin that includes frequently asked questions about the coronavirus, with answers sourced directly from the U.S. Centers for Disease Control and Prevention.

“We have a product that could be pretty useful right now,” Lerman said. “We don’t want people to be getting wrong answers in the time of a global pandemic.”

He added that the company would normally charge around $100,000 for three months of Yext Answers. However, the free offering will be limited to 1,000 entities (which can be FAQs, locations or anything else), and Lerman said most paying customers are already using more than that.

While the product is free, the company will still schedule an initial setup call with a Yext administrator and provide ongoing email support. You can read more on Yext’s new website.