CodeGuru, AWS’s AI code reviewer and performance profiler, is now generally available

AWS today announced that CodeGuru, a set of tools that use machine learning to automatically review code for bugs and suggest potential optimizations, is now generally available. The tool launched into preview at AWS re:Invent last December.

CodeGuru consists of two tools, Reviewer and Profiler, and those names pretty much describe exactly what they do. To build Reviewer, the AWS team actually trained its algorithm with the help of code from more than 10,000 open source projects on GitHub, as well as reviews from Amazon’s own internal codebase.

“Even for a large organization like Amazon, it’s challenging to have enough experienced developers with enough free time to do code reviews, given the amount of code that gets written every day,” the company notes in today’s announcement. “And even the most experienced reviewers miss problems before they impact customer-facing applications, resulting in bugs and performance issues.”

To use CodeGuru, developers continue to commit their code to their repository of choice, no matter whether that’s GitHub, Bitbucket Cloud, AWS’s own CodeCommit or another service. CodeGuru Reviewer then analyzes that code, tries to find bugs and, if it does, it will also offer potential fixes. All of this is done within the context of the code repository, so CodeGuru will create a GitHub pull request, for example, and add a comment to that pull request with some more info about the bug and potential fixes.

To train the machine learning model, users can also provide CodeGuru with some basic feedback, though we’re mostly talking “thumbs up” and “thumbs down” here.

The CodeGuru Application Profiler has a somewhat different mission. It is meant to help developers figure out where there might be some inefficiencies in their code and identify the most expensive lines of code. This includes support for serverless platforms like AWS Lambda and Fargate.

One feature the team added since it first announced CodeGuru is that Profiler now attaches an estimated dollar amount to the lines of unoptimized code.

“Our customers develop and run a lot of applications that include millions and millions of lines of code. Ensuring the quality and efficiency of that code is incredibly important, as bugs and inefficiencies in even a few lines of code can be very costly. Today, the methods for identifying code quality issues are time-consuming, manual, and error-prone, especially at scale,” said Swami Sivasubramanian, vice president, Amazon Machine Learning, in today’s announcement. “CodeGuru combines Amazon’s decades of experience developing and deploying applications at scale with considerable machine learning expertise to give customers a service that improves software quality, delights their customers with better application performance, and eliminates their most expensive lines of code.”

AWS says a number of companies started using CodeGuru during the preview period. These include the likes of Atlassian, EagleDream and DevFactory.

“While code reviews from our development team do a great job of preventing bugs from reaching production, it’s not always possible to predict how systems will behave under stress or manage complex data shapes, especially as we have multiple deployments per day,” said Zak Islam, head of Engineering, Tech Teams, at Atlassian. “When we detect anomalies in production, we have been able to reduce the investigation time from days to hours and sometimes minutes thanks to Amazon CodeGuru’s continuous profiling feature. Our developers now focus more of their energy on delivering differentiated capabilities and less time investigating problems in our production environment.”


Upsolver announces $13M Series A to ease management of cloud data lakes

There’s a lot of complexity around managing data lakes in the cloud that often requires expensive engineering expertise. Upsolver, an early-stage startup, wants to simplify all of that, so that a database administrator could handle it. Today the startup announced a $13 million Series A.

Vertex Ventures US was lead investor, with participation from Wing Venture Capital and Jerusalem Venture Partners. Today’s investment brings the total raised to $17 million, according to the company.

Co-founder and CEO Ori Rafael says that as companies move data to the cloud and store it in data lakes, it becomes increasingly difficult to manage. The goal of Upsolver is to abstract away a lot of those management tasks and allow users to query the data using SQL, making it a lot more accessible.

“The main criticism of data lakes over the years is they become data swamps. It’s very easy to store data there very cheaply, but making it [easy to query] and valuable is hard. For that you need a lot of engineering, which turns the lake into a swamp. So we take the data that you put into a lake and make it easier to query, and we take the biggest disadvantage of using a lake, which is the complexity of doing that process, and we make that process easy,” Rafael explained.

Investor In Sik Rhee, who is general partner and co-founder at Vertex Ventures US, sees a company that’s creating a cloud-native standard for data lake computing. “Upsolver succeeded in abstracting away the engineering complexity of data pipeline management so that enterprise customers can quickly solve their modern data challenges in real time and at any scale without having to build another silo of expertise within the organization,” he said in a statement.

The company currently has 22 employees spread out between San Francisco, New York and Israel. Rafael says they hope to expand to 50 employees by the end of next year, including adding new engineers for their R&D center in Israel and building sales and customer success teams in the U.S.

Rafael says he and his co-founder sat down early on and wrote down the company’s core values, and they see a responsibility of running a diverse company as part of that, as they search for these new hires. Certainly the pandemic has shown them that they can hire from anywhere and that can help contribute to a more diverse workforce as they grow.

He said running the company and raising money has been stressful during these times, but the company has continued to grow through all of this, adding new customers while staying relatively lean, and Rafael says that the investors certainly recognized that.

“We had high revenue compared to the low number of employees with [sales] acceleration during COVID — that was our big trio,” he said.

Kong donates its Kuma control plane to the Cloud Native Computing Foundation

API management platform Kong today announced that it is donating its open-source Kuma control plane technology to the Cloud Native Computing Foundation (CNCF). Kong built Kuma on top of the Envoy proxy, and Envoy is itself one of the CNCF's open-source projects, so donating Kuma to this particular foundation was a natural move.

The company first open-sourced Kuma in September 2019. In addition to donating it to the CNCF, the company also today launched version 0.6 of the codebase, which introduces a new hybrid mode that enables Kuma-based service meshes to support applications that run on complex heterogeneous environments, including VMs, Kubernetes clusters and multiple data centers.


Kong co-founder and CTO Marco Palladino says that the goal was always to donate Kuma to the CNCF.

“The industry needs and deserves to have a cloud native, Envoy-based control plane that is open and not governed by a single commercial entity,” he writes in today’s announcement. “From a technology standpoint, it makes no sense for individual companies to create their own control plane but rather build their own unique applications on proven technologies like Envoy and Kuma. We welcome the broader community to join Kuma on Slack and on our bi-weekly community calls to contribute to the project and continue the incredible momentum we have achieved so far.”

Kuma will become a CNCF Sandbox project. The sandbox is the first stage that projects go through to become full graduated CNCF projects. Currently, the foundation is home to 31 sandbox projects, and Kong argues that Kuma is now production-ready and at the right stage where it can profit from the overall CNCF ecosystem.

“It’s truly remarkable to see the ecosystem around Envoy continue to develop, and as a vendor-neutral organization, CNCF is the ideal home for Kuma,” said Matt Klein, the creator of the Envoy proxy. “Now developers have access to the service mesh data plane they love with Envoy as well as a CNCF-hosted Envoy-based control plane with Kuma, offering a powerful combination to make it easier to create and manage cloud native applications.”

Hunters raises $15M Series A for its threat-hunting platform

Hunters, a Tel Aviv-based cybersecurity startup that helps enterprises defend themselves from intruders and analyze attacks, today announced that it has raised a $15 million Series A funding round from Microsoft’s M12 and U.S. Venture Partners. Seed investors YL Ventures and Blumberg Capital also participated in this round, as well as new investor Okta Ventures, the venture arm of identity provider Okta. With this, Hunters has now raised a total of $20.4 million.

The company’s SaaS platform automates threat hunting, which has traditionally been a manual process. The general idea is to pull in as much data as possible from an enterprise’s various networking and security tools in order to detect stealthy attacks.

“Hunters is basically this layer, a cognitive layer or connective tissue that you put on top of your telemetry stack,” Hunters co-founder and CEO Uri May told me. “So you have your [endpoint detection and response], your firewalls, cloud, production environment sensors — and all of those are shooting telemetry and detections all over the organization, generating huge amounts of data. And, basically, our place in the world depends on our ability to generate that delta. So without being able to find things that you can’t see with a single point solution or without really expediting response procedures and workflows by correlating things in a nontrivial way, we don’t have any excuse to exist. But we got pretty good at those — at showing that delta — and we onboarded customers — nice logos — and that was a very strong validation.”


Hunters’ first customer was actually data management service Snowflake, which functioned as the company’s design partner. In addition to being a customer, Snowflake now also features Hunters in its partner marketplace, as does security service CrowdStrike. May also noted that CrowdStrike is a good example of the kind of customer Hunters is going after.

“Not necessarily Global 2000 or Fortune 500. It’s really high-end mid-market organizations, not necessarily tens of thousands of employees, but billions of dollars in revenues, a lot of value at risk, born to the cloud, super mature tech stack, not necessarily a big security operation center, but definitely CISO and a team of security engineers and analysts, and they’re looking for the solution, that on-top solution that can make sense of a lot of the data and give them the confidence and also give them results in terms of cybersecurity, posture and their detection and response capabilities.”

Microsoft already has a large security development center in Israel and so it’s no surprise that Hunters appeared on the company’s radar. Hunters also spent some time proactively looking at the Microsoft ecosystem, May told me, but the company’s VCs also made some introductions. All of this culminated in a number of meetings at the Tel Aviv CyberTech conference in January and the RSA Conference in San Francisco in February, just before the coronavirus pandemic essentially shut down travel.

Hunters says it will use the new funding to build out its go-to-market capabilities in the U.S. and expand its R&D team in Israel. As for the product itself, the company will look to broaden its product integration and machine learning capabilities to help it generate better attack stories. May also noted that it plans to give its users capabilities to customize the system for their needs by allowing them to develop their own signals and detections to augment the company’s default tools. This, May argued, will allow the company to go after higher-end enterprise customers that already have threat-hunting teams but that are looking to automate more of the process. With that, it will also look to partner with other security firms to leverage its system to provide better services to their customers as well.

Fivetran snares $100M Series C on $1.2B valuation for data connectivity solution

A big problem for companies these days is connecting their various data sources to their data repositories, and Fivetran is a startup with a solution to that very problem. No surprise then that even during a pandemic, the company announced today that it has raised a $100 million Series C on a $1.2 billion valuation.

The company didn’t mess around with top flight firms Andreessen Horowitz and General Catalyst leading the investment with participation from existing investors CEAS Investments and Matrix Partners. Today’s money brings the total raised so far to $163 million, according to the company.

Martin Casado from a16z described the company succinctly in a blog post he wrote after its $44 million Series B in September 2019, which his firm also participated in. “Fivetran is a SaaS service that connects to the critical data sources in an organization, pulls and processes all the data, and then dumps it into a warehouse (e.g., Snowflake, BigQuery or RedShift) for SQL access and further transformations, if needed. If data is the new oil, then Fivetran is the pipes that get it from the source to the refinery,” he wrote.

Writing in a blog post today announcing the new funding, CEO George Fraser added that in spite of current conditions, the company has continued to add customers. “Despite recent economic uncertainty, Fivetran has continued to grow rapidly as customers see the opportunity to reduce their total cost of ownership by adopting our product in place of highly customized, in-house ETL pipelines that require constant maintenance,” he wrote.

In fact, the company reports 75% customer growth over the prior 12 months. It now has over 1100 customers, which is a pretty good benchmark for a Series C company. Customers include Databricks, DocuSign, Forever 21, Square, Udacity and Urban Outfitters, crossing a variety of verticals.

Fivetran hopes to continue to build new data connectors as it expands the reach of its product and to push into new markets, even in the midst of today’s economic climate. With $100 million in the bank, it should have enough runway to ride this out, while expanding where it makes sense.

COVID-19 ‘Breach Bubble’ Waiting to Pop?

The COVID-19 pandemic has made it harder for banks to trace the source of payment card data stolen from smaller, hacked online merchants. On the plus side, months of quarantine have massively decreased demand for account information that thieves buy and use to create physical counterfeit credit cards. But fraud experts say recent developments suggest both trends are about to change — and likely for the worse.

The economic laws of supply and demand hold just as true in the business world as they do in the cybercrime space. Global lockdowns from COVID-19 have resulted in far fewer fraudsters willing or able to visit retail stores to use their counterfeit cards, and the decreased demand has severely depressed prices in the underground for purloined card data.

An ad for a site selling stolen payment card data, circa March 2020.

That’s according to Gemini Advisory, a New York-based cyber intelligence firm that closely tracks the inventories of dark web stores trafficking in stolen payment card data.

Stas Alforov, Gemini’s director of research and development, said that since the beginning of 2020 the company has seen a steep drop in demand for compromised “card present” data — digits stolen from hacked brick-and-mortar merchants with the help of malicious software surreptitiously installed on point-of-sale (POS) devices.

Alforov said the median price for card-present data has dropped precipitously over the past few months.

“Gemini Advisory has seen over 50 percent decrease in demand for compromised card present data since the mandated COVID-19 quarantines in the United States as well as the majority of the world,” he told KrebsOnSecurity.

Meanwhile, the supply of card-present data has remained relatively steady. Gemini’s latest find — a 10-month-long card breach at dozens of Chicken Express locations throughout Texas and other southern states that the fast-food chain first publicly acknowledged today after being contacted by this author — saw an estimated 165,000 cards stolen from eatery locations recently go on sale at one of the dark web’s largest cybercrime bazaars.

“Card present data supply hasn’t wavered much during the COVID-19 period,” Alforov said. “This is likely due to the fact that most of the sold data is still coming from breaches that occurred in 2019 and early 2020.”

A lack of demand for and steady supply of stolen card-present data in the underground has severely depressed prices since the beginning of the COVID-19 pandemic. Image: Gemini Advisory

Naturally, crooks who ply their trade in credit card thievery also have been working from home more throughout the COVID-19 pandemic. That means demand for stolen “card-not-present” data — customer payment information extracted from hacked online merchants and typically used to defraud other e-commerce vendors — remains high. And so have prices for card-not-present data: Gemini found prices for this commodity actually increased slightly over the past few months.

Andrew Barratt is an investigator with Coalfire, the cyber forensics firm hired by Chicken Express to remediate the breach and help the company improve security going forward. Barratt said there’s another curious COVID-19 dynamic going on with e-commerce fraud recently that is making it more difficult for banks and card issuers to trace patterns in stolen card-not-present data back to hacked web merchants — particularly smaller e-commerce shops.

“One of the concerns that has been expressed to me is that we’re getting [fewer] overlapping hotspots,” Barratt said. “For a lot of the smaller, more frequently compromised merchants there has been a large drop off in transactions. Whilst big e-commerce has generally done okay during the COVID-19 pandemic, a number of more modest sized or specialty online retailers have not had the same access to their supply chain and so have had to close or drastically reduce the lines they’re selling.”

Banks routinely take groups of customer cards that have experienced fraudulent activity and try to see if some or all of them were used at the same merchant during a similar timeframe, a basic anti-fraud process known as “common point of purchase” or CPP analysis. But ironically, this analysis can become more challenging when there are fewer overall transactions going through a compromised merchant’s site, Barratt said.

“A smaller transactional footprint means fewer Common Point of Purchase alerts and less data to work on to trigger a forensic investigation or fraud alert,” Barratt said. “It does also mean less fraud right now – which is a positive. But one of the big concerns that has been raised to us as investigators — literally asking if we have capacity for what’s coming — has been that merchants are getting compromised by ‘lie in wait’ type intruders.”

Barratt says there’s a suspicion that hackers may have established beachheads [breachheads?] in a number of these smaller online merchants and are simply biding their time. If and when transaction volumes for these merchants do pick up, the concern is then hackers may be in a better position to mix the sale of cards stolen from many hacked merchants and further confound CPP analysis efforts.

“These intruders may have a beachhead in a number of small and/or middle market e-commerce entities and they’re just waiting for the transaction volumes to go back up again and they’ve suddenly got the capability to have skimmers capturing lots of card data in the event of a sudden uptick in consumer spending,” he said. “They’d also have a diverse portfolio of compromise so could possibly even evade common point of purchase detection for a while too. Couple all of that with major shopping cart platforms going out of support (like Magento 1 this month) and furloughed IT and security staff, and there’s a potentially large COVID-19 breach bubble waiting to pop.”
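The CPP analysis described above, and the way a thin transaction footprint starves it of signal, can be sketched in a few lines. The following is an added example written for this page, not anything from Gemini, Coalfire or the issuers Barratt describes; the transaction records, fraud reports and dates are all constructed, and the card-count and fraud-share thresholds are illustrative assumptions rather than a real issuer's tuning:

```python
"""Common-point-of-purchase (CPP) analysis over a constructed transaction set."""
from collections import defaultdict
from datetime import datetime, timedelta


def _day(n):
    # Constructed timeline: day n of a hypothetical May 2020.
    return datetime(2020, 5, 1) + timedelta(days=n)


# Constructed authorisation records: (card id, merchant id, time).
# "bigshop" still has normal volume; "small-a/b/c" are low-volume specialty
# shops that each see only two cards in the window.
TRANSACTIONS = [
    ("c01", "bigshop", _day(1)), ("c02", "bigshop", _day(2)),
    ("c03", "bigshop", _day(3)), ("c04", "bigshop", _day(4)),
    ("c05", "bigshop", _day(5)), ("c06", "bigshop", _day(6)),
    ("c07", "bigshop", _day(7)), ("c08", "bigshop", _day(8)),
    ("c11", "small-a", _day(3)), ("c12", "small-a", _day(4)),
    ("c13", "small-b", _day(5)), ("c14", "small-b", _day(6)),
    ("c15", "small-c", _day(7)), ("c16", "small-c", _day(8)),
    ("c20", "grocer", _day(9)),  # clean merchant, no fraud reports
]

# Constructed fraud reports: cards the issuer later marked as fraud, with the
# date of the first report.
FRAUD_REPORTS = {
    "c01": _day(20), "c02": _day(21), "c03": _day(22), "c04": _day(23), "c05": _day(24),
    "c11": _day(20), "c12": _day(21), "c13": _day(22), "c14": _day(23),
    "c15": _day(24), "c16": _day(25),
}


def common_point_of_purchase(transactions, fraud_reports,
                             lookback_days=60, min_cards=3, min_ratio=0.5):
    """Return {merchant: (fraud card count, fraud share)} for every merchant
    that a cluster of fraud-reported cards has in common.

    A merchant is flagged when at least `min_cards` distinct fraud-reported
    cards transacted there within `lookback_days` before their report, and
    those cards make up at least `min_ratio` of all cards seen there.
    Both thresholds are illustrative assumptions."""
    all_cards = defaultdict(set)     # merchant -> every distinct card seen
    fraud_cards = defaultdict(set)   # merchant -> fraud cards seen in window
    for card, merchant, when in transactions:
        all_cards[merchant].add(card)
        reported = fraud_reports.get(card)
        if reported is None:
            continue
        age = reported - when
        if timedelta(0) <= age <= timedelta(days=lookback_days):
            fraud_cards[merchant].add(card)

    alerts = {}
    for merchant, cards in fraud_cards.items():
        share = len(cards) / len(all_cards[merchant])
        if len(cards) >= min_cards and share >= min_ratio:
            alerts[merchant] = (len(cards), share)
    return alerts


if __name__ == "__main__":
    # Default thresholds: only the high-volume merchant produces an alert.
    print(common_point_of_purchase(TRANSACTIONS, FRAUD_REPORTS))
    # Relaxing min_cards surfaces the small shops too, at the cost of noise.
    print(common_point_of_purchase(TRANSACTIONS, FRAUD_REPORTS, min_cards=2))
```

With the default thresholds only the higher-volume merchant is flagged, even though every card that touched the three small shops was later reported as fraud; lowering min_cards to 2 surfaces them, but in real issuer data that setting also fires on coincidental overlap, which is the trade-off Barratt is pointing at.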

With a majority of payment cards issued in the United States now equipped with a chip that makes the cards difficult and expensive for thieves to clone, cybercriminals have continued to focus on hacking smaller merchants that have not yet installed chip card readers and are still swiping the cards’ magnetic stripe at the register.

Barratt said his company has tied the source of the breach to malware known as “PwnPOS,” an ancient strain of point-of-sale malware that first surfaced more than seven years ago, if not earlier.

Chicken Express CEO Ricky Stuart told KrebsOnSecurity that apart from “a handful” of locations his family owns directly, most of his 250 stores are franchisees that decide on their own how to secure their payment operations. Nevertheless, the company is now forced to examine each store’s POS systems to remediate the breach.

Stuart blamed the major point-of-sale vendors for taking their time in supporting and validating chip-capable payment systems. But when asked how many of the company’s 250 stores had chip-capable readers installed, Stuart said he didn’t know. Ditto for the handful of stores he owns directly.

“I don’t know how many,” he said. “I would think it would be a majority. If not, I know they’re coming.”

How a New macOS Malware Dropper Delivers VindInstaller Adware

After this year’s action-packed WWDC 2020, it’s time to catch up with developments in macOS malware. Just prior to Apple’s big event, researchers at Intego posted details of what they called a “new macOS malware” they had seen being delivered to unwitting victims through Google searches. The details provided by the researchers were strikingly similar to other script-based malware that we have posted about before. However, there are a few interesting characteristics in these new samples that Intego didn’t cover in their post and which we felt were worth a closer look.

From our analysis, it appears that this malware is a dropper for VindInstaller.B adware, which adopts the increasingly-common technique of using a shell script to install known malware and evade detection by legacy AV and signature-based security solutions.

A Malicious Shell-Script with Helpful IoCs

The earlier research showed that this malware was being propagated via a DMG disk image containing a shell script, which itself contained a compressed application bundle.

Inspecting the disk image shows that it does not contain an application bundle but rather a shell script with an Adobe Flash icon.

Opening the flashinstaller file in a text editor reveals its contents.

The shell script commands are worth pausing over to understand how this installer works.

As we noted recently, mktemp is widely used in script-based macOS malware to create randomly named paths that help it evade simple detection heuristics. In the form used in this sample, however, mktemp is called with the -t switch followed by the single character x.

This offers a nice clue for defenders and detection logic: with that combination of options, mktemp always creates the temporary folder under the user’s Darwin temp directory (DARWIN_USER_TEMP_DIR, which is also exposed as the $TMPDIR environment variable) with the prefix x followed by a dot and a random character string, so the dropped folder will always look like $TMPDIR/x.XXXXXXXX.

A second giveaway for macOS threat hunters comes from the use of the nohup utility at Line 5. nohup runs a command so that it is immune to hangup signals, but it has a useful side effect when invoked from a non-writable volume such as a mounted DMG: because it cannot write its output log to the current directory, it leaves a nohup.out file in the user’s $HOME directory instead.

The presence of a nohup.out file is perfectly normal on its own, but threat hunters who notice the sudden or unexpected appearance of this file can treat it as a possible indicator of this malware and check for an $TMPDIR/x.* folder and the other IOCs detailed below.
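A concrete hunt for those two artefacts, as an added example written for this page rather than anything from the original post or from SentinelOne’s agent: it checks $HOME for nohup.out, checks $TMPDIR for x.<random> directories, and reports any application bundle dropped into one of them together with the CFBundleIdentifier read from its Info.plist. The build_fake_infected_layout helper creates a constructed copy of that layout in a scratch directory so the hunt can be exercised offline; the x.abc123 name and the nohup.out contents are made up, and the bundle identifier used for the fake Installer.app is the one this article reports for the hidden installer.

```python
"""Hunt for the filesystem artefacts left by the flashinstaller dropper."""
import os
import plistlib
import tempfile
from pathlib import Path


def hunt_dropper_artifacts(home, tmpdir):
    """Return a list of (indicator, detail) tuples found under the given
    $HOME and $TMPDIR paths. Indicators checked:
      nohup.out   - the log nohup leaves in $HOME when run from a read-only DMG
      mktemp_dir  - an x.<random> directory as created by `mktemp -d -t x`
      app_bundle  - any .app bundle inside such a directory, with its bundle id"""
    home, tmpdir = Path(home), Path(tmpdir)
    findings = []

    nohup_log = home / "nohup.out"
    if nohup_log.is_file():
        findings.append(("nohup.out", str(nohup_log)))

    for tmp_entry in sorted(tmpdir.glob("x.*")):
        if not tmp_entry.is_dir():
            continue
        findings.append(("mktemp_dir", str(tmp_entry)))
        for plist in sorted(tmp_entry.glob("*.app/Contents/Info.plist")):
            try:
                with plist.open("rb") as fh:
                    bundle_id = plistlib.load(fh).get("CFBundleIdentifier", "?")
            except Exception:  # an unreadable or malformed plist is still worth reporting
                bundle_id = "?"
            findings.append(("app_bundle", f"{plist.parent.parent}: {bundle_id}"))
    return findings


def build_fake_infected_layout(root):
    """Construct (for offline testing only) the layout this dropper leaves:
    $HOME/nohup.out plus $TMPDIR/x.abc123/Installer.app. Returns (home, tmpdir)."""
    root = Path(root)
    home, tmpdir = root / "home", root / "tmp"
    home.mkdir(parents=True)
    (home / "nohup.out").write_text("appending output to nohup.out\n")  # constructed
    contents = tmpdir / "x.abc123" / "Installer.app" / "Contents"      # constructed name
    contents.mkdir(parents=True)
    with (contents / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "com.installvibes.Installer"}, fh)
    return str(home), str(tmpdir)


def demo():
    """Build the fake layout in a scratch directory and hunt it."""
    with tempfile.TemporaryDirectory() as scratch:
        return hunt_dropper_artifacts(*build_fake_infected_layout(scratch))


if __name__ == "__main__":
    # Against the live account: the real $HOME and $TMPDIR.
    live = hunt_dropper_artifacts(os.path.expanduser("~"),
                                  os.environ.get("TMPDIR", tempfile.gettempdir()))
    for hit in live or demo():
        print(*hit)
```

On a Mac the interesting call is the live one; $TMPDIR there resolves to the per-user /var/folders/.../T directory, so an x.* entry under it that contains an application bundle is worth pulling the bundle identifier and hashes from before anything else.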


Unpacking the Embedded Installer.app

Line 3 of the script is perhaps the most interesting. It’s not the first time we’ve seen the POSIX shell’s LINENO variable used in this kind of installer script, but it is the first time we’ve come across the funzip utility.

$((LINENO+4)) evaluates to 7 (the current line, 3, plus 4), so tail +7 $0 streams the script’s own contents starting from line 7, where the embedded zip file begins, and pipes that data into funzip.

The man page for funzip also states “funzip is most useful in conjunction with a secondary archiver program such as tar(1)”.

And this is exactly what the malware does:

tail +$((LINENO+4)) $0 | funzip -9D956F55-1964-48A9-8DDE-7F7618E1D3D1 | tar -C $TEMP_DIR -p -xf -

The dash-prefixed argument to funzip is not a flag but the archive password: funzip accepts an optional leading argument of the form -password for encrypted zip files, which implies the appended archive is protected with that UUID-shaped string. funzip decrypts and inflates only the first member of the zip, and that member is a tar stream which tar unpacks into the temp directory created earlier, preserving permissions (-p). The result is an application bundle in that folder called, descriptively enough, “Installer.app”.
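A defender can reproduce that pipeline statically, without ever running the script. The following is an added example written for this page, not code from the original analysis: it parses the tail|funzip|tar line to find the line at which the archive starts and the password argument, carves the archive bytes from that line to end of file, and lists the tar members in memory. The build_sample_dropper function constructs a stand-in script laid out so that the tail command sits on line 3, nohup on line 5 and the archive begins on line 7, as in the real sample; the archive contents and the UUID-shaped password are made up, and because Python’s zipfile cannot write encrypted archives the constructed zip is unencrypted (the parsed password is still passed through so a real, encrypted sample would decrypt).

```python
"""Carve the archive that a tail|funzip|tar self-extracting script appends to
itself, without executing the script."""
import io
import re
import tarfile
import zipfile

# The extractor line as it appears in the dropper:
#   tail +$((LINENO+N)) $0 | funzip [-password] | tar -C $TEMP_DIR -p -xf -
# funzip treats a leading "-" argument as the password for an encrypted zip.
EXTRACT_RE = re.compile(
    r"tail\s+\+\$\(\(LINENO\+(?P<skip>\d+)\)\)\s+\$0\s*\|\s*funzip"
    r"(?:\s+-(?P<pwd>\S+))?"
)


def locate_payload(script: bytes):
    """Return (1-based line where the archive starts, zip password or None)."""
    for lineno, raw in enumerate(script.split(b"\n"), start=1):
        m = EXTRACT_RE.search(raw.decode("utf-8", "replace"))
        if m:
            # LINENO is the line of the tail command itself; +N skips to the data.
            return lineno + int(m.group("skip")), m.group("pwd")
    raise ValueError("no tail|funzip extractor line found")


def carve_archive(script: bytes) -> bytes:
    """Reproduce `tail +N $0`: everything from the payload line to end of file."""
    start, _ = locate_payload(script)
    return b"\n".join(script.split(b"\n")[start - 1:])


def list_payload(script: bytes):
    """Reproduce `funzip | tar -t` in memory and return the tar member names."""
    _, pwd = locate_payload(script)
    with zipfile.ZipFile(io.BytesIO(carve_archive(script))) as zf:
        first = zf.infolist()[0]  # funzip only ever extracts the first member
        inner = zf.read(first, pwd=pwd.encode() if pwd else None)
    with tarfile.open(fileobj=io.BytesIO(inner), mode="r:*") as tf:
        return sorted(tf.getnames())


def build_sample_dropper() -> bytes:
    """Constructed stand-in for the flashinstaller script (not the real sample).
    The zip is unencrypted because zipfile cannot write encrypted archives."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        for name, data in {
            "Installer.app/Contents/Info.plist": b'<plist version="1.0"><dict/></plist>\n',
            "Installer.app/Contents/MacOS/Installer": b"#!/bin/sh\necho constructed payload\n",
        }.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.tar", tar_buf.getvalue())  # first (and only) member
    header = (
        b"#!/bin/sh\n"                                                 # line 1
        b"TEMP_DIR=$(mktemp -d -t x)\n"                                # line 2
        b"tail +$((LINENO+4)) $0 | funzip -00000000-0000-4000-8000-000000000000"
        b" | tar -C $TEMP_DIR -p -xf -\n"                              # line 3
        b'APP="$TEMP_DIR/Installer.app"\n'                             # line 4
        b'nohup open "$APP" >/dev/null 2>&1 &\n'                       # line 5 (constructed)
        b"exit 0\n"                                                    # line 6
    )
    return header + zip_buf.getvalue()                                 # line 7: archive


if __name__ == "__main__":
    sample = build_sample_dropper()
    print(locate_payload(sample))
    print(list_payload(sample))
```

Pointing locate_payload and list_payload at the real flashinstaller file (read as bytes) gives the archive offset, the password and the bundle layout without mounting anything or giving the script a chance to run; the carved bytes can then be hashed and submitted on their own.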

Decompressed App Is InstallVibes Bundle Installer

So much for the installer, but what does this malware actually do? The previous researchers suggested that it was related to Shlayer and Bundlore and noted that the hidden application was a downloader for “Mac malware or adware”. Looking at the hidden application plist reveals that it’s actually an installer from a well-known PPI provider, InstallVibes.

com.installvibes.Installer

Among the claims that InstallVibes makes on their (insecure http) website are that they provide a “branded installer” service to optimize downloads and pay-per-install (PPI) software.

At the time of writing, there are two variants of flashinstaller on VirusTotal (their hashes are listed in the IOCs section below).

Both disk images are recognized by the SentinelOne agent as malicious and are either blocked or alerted on at write time, depending on the site admin’s policy.


Scanning the Mach-O executables in the decompressed InstallVibes Installer.app bundle reveals that it’s a known adware installer, which we tag as VindInstaller.B.

What is VindInstaller?

VindInstaller is a form of adware and pay-per-install bundling that typically results in unwanted programs or applications (PUPs or PUAs) on a user’s Mac. Users are tricked into accepting or installing PUPs/PUAs by deceptive marketing practices that may offer some popular or free program the user ostensibly wants (or not).

However, the installation steps contain hard-to-notice or default opt-in steps that result in various other unwanted applications being installed alongside the original offer. In some cases, unwanted software is downloaded silently in the background without the user’s explicit or tacit approval.

As in this case, many of these installers are trojans that offer (or, in other cases, merely pretend to offer) a version of Flash Player or an update to Flash Player, regardless of whether that was the application the user originally thought they were downloading.

Once installed, the behavior of the unwanted software typically includes displaying nuisance-causing adverts to generate revenue for the developers, aggressively offering poor-quality or ‘skinned’, open-source software at premium prices, and generally having an adverse effect on the Mac’s performance and the user’s productivity.

Is Vindinstaller a new macOS Malware?

No, VindInstaller has been around for some years, but what the previous researchers found was an adaptation of the increasingly-common use of shell scripts, first used by Shlayer malware and later by Bundlore, to install old malware and evade detection by legacy AV and signature-based security solutions.

VindInstaller appears to have been in circulation since 2013 in at least three known variants. Version A is a browser injector/hijacker targeting Chrome, Firefox and Safari that functions, among other things, as a Genieo bundle installer. In those comparatively innocent times, adware developers rarely bothered to do things like obfuscate strings or engage in anti-analysis techniques.

This malware was built on a Mac running OS X 10.8 Mountain Lion back in 2013.

Somewhat surprisingly, the URL for InstallGenieo.dmg embedded in this 7-year-old adware sample is alive and well, and still delivers two variants of the Genieo malware, OSX.Genieo.A and OSX.Genieo.E (one of them sneakily embedded in the Genieo uninstaller).

VindInstaller.B

VindInstaller version B, on the other hand, which is dropped by the malware script reported by Intego, gathers details about the victim’s OS version, then calls out to the following URL to retrieve “offers” (in other words, adware and potentially unwanted software):

hxxp://installer[.]installerapi[.]com/offers
172.67.197.161

The URL is flagged by several VT engines as malicious.

Other IOCs within the binary include the following update and tracking URLs:

hxxp://installer[.]yougotupdated[.]com/updates/%@?offer=%@&vid=%@&cid=%@
hxxp://tracking[.]uzasignals[.]com/signals/%@/?element=%@&vid=%@
hxxp://tracker[.]installerapi[.]com/visit/meta?mid=%@
hxxp://tracker[.]installerapi[.]com/visit/meta?response=pipe
hxxp://installer[.]installerapi[.]com/offers/detections?vid=%@&response=json
hxxp://installer[.]installerapi[.]com/offers?response=json&os=Mac%%20OS%%20X&osv=%@&vid=%@%@
hxxp://installer[.]installerapi[.]com/offers/%@/%@
hxxp://tracker[.]installerapi[.]com/statistics/event?origin=installer&name=%@&attname=%@&attval=%@&vid=%@&mid=%@

Although none of the VindInstaller payloads bother with obfuscation, the distributors of VindInstaller.B are clearly relying on their new shell script delivery mechanism to beat signature-based detections and sandbox engines like VirusTotal.
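Those format strings are only useful to a defender once they become matchers. The following added example (written for this page, not from the original analysis) turns each template into an anchored regular expression, treating %@ as a wildcard and %% as a literal percent sign, and runs the result over a few constructed proxy-log lines to pull out the vid value that the installer uses to track a victim across requests. The log format (timestamp, client IP, URL) and every log line are made up; only the URL templates come from the article.

```python
"""Turn the VindInstaller.B URL format strings into proxy-log matchers."""
import re
from urllib.parse import parse_qs, urlsplit

# Format strings recovered from the binary, defanged as in the article.
# %@ is an NSString placeholder filled in at runtime; %% is a literal %.
IOC_TEMPLATES = [
    "hxxp://installer[.]yougotupdated[.]com/updates/%@?offer=%@&vid=%@&cid=%@",
    "hxxp://tracking[.]uzasignals[.]com/signals/%@/?element=%@&vid=%@",
    "hxxp://tracker[.]installerapi[.]com/visit/meta?mid=%@",
    "hxxp://tracker[.]installerapi[.]com/visit/meta?response=pipe",
    "hxxp://installer[.]installerapi[.]com/offers/detections?vid=%@&response=json",
    "hxxp://installer[.]installerapi[.]com/offers?response=json&os=Mac%%20OS%%20X&osv=%@&vid=%@%@",
    "hxxp://installer[.]installerapi[.]com/offers/%@/%@",
    "hxxp://tracker[.]installerapi[.]com/statistics/event?origin=installer&name=%@&attname=%@&attval=%@&vid=%@&mid=%@",
]


def refang(s: str) -> str:
    return s.replace("hxxp", "http").replace("[.]", ".")


def template_to_regex(template: str) -> re.Pattern:
    """Compile a format string into an anchored regex: literal text is escaped,
    %% becomes %, and each %@ becomes a non-greedy wildcard."""
    parts = refang(template).replace("%%", "%").split("%@")
    return re.compile("^" + ".*?".join(map(re.escape, parts)) + "$")


MATCHERS = [(t, template_to_regex(t)) for t in IOC_TEMPLATES]


def match_url(url: str):
    """Return (template, parsed query) for the first IOC template the URL
    matches, or None."""
    for template, rx in MATCHERS:
        if rx.match(url):
            return template, parse_qs(urlsplit(url).query)
    return None


def scan_proxy_log(lines):
    """Return (line number, template, vid) for each line whose URL is an IOC.
    Assumes a constructed format with the URL as the third whitespace field."""
    hits = []
    for n, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 3:
            continue
        found = match_url(fields[2])
        if found:
            template, query = found
            hits.append((n, template, query.get("vid", [None])[0]))
    return hits


# Constructed proxy-log lines (not real traffic): timestamp, client IP, URL.
SAMPLE_LOG = [
    "2020-06-24T10:00:01Z 10.0.0.5 https://www.example.com/",
    "2020-06-24T10:00:07Z 10.0.0.5 http://installer.installerapi.com/offers"
    "?response=json&os=Mac%20OS%20X&osv=10.15.5&vid=1234abcd",
    "2020-06-24T10:00:09Z 10.0.0.5 http://tracker.installerapi.com/statistics/event"
    "?origin=installer&name=start&attname=os&attval=mac&vid=1234abcd&mid=77",
    "2020-06-24T10:00:11Z 10.0.0.9 http://tracker.installerapi.com/visit/meta?response=pipe",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

The vid value is what makes this worth more than a hostname blocklist: once one request from a host matches, every other request carrying the same vid can be attributed to the same installer run, which is how an analyst reconstructs which “offers” were fetched after the initial check-in.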

VindInstaller.Gen

A third variant, VindInstaller.Gen, is variously tagged on VirusTotal as “mdm.macLauncher” or “osxdl.Downloader” and differs from versions A and B in its use of the NSAppleScript class for various functions. As we noted here, malware authors can use the NSAppleScript class to gain AppleScript functionality without calling it through the osascript utility, thereby avoiding many common detection methods.

Although both “mdm.macLauncher” and “osxdl.Downloader” make use of NSAppleScript, the latter makes far more extensive use of it through its DandIThread class.

For example, in the runProcessAsAdministrator method of the DandIThread class, the code makes a call to NSAppleScript’s executeAndReturnError method to run a do shell script call in an attempt to elevate privileges.

Conclusion

Script-based malware installers like Shlayer and Bundlore have become popular among established bundleware and adware distributors because of the ease with which they can be adjusted to avoid signature-based detections, including Apple’s YARA-rule-based XProtect engine. Fortunately, a behavioral engine recognizes these scripts’ malicious behavior without requiring updates, and indeed all the samples discovered in the previous research were immediately detected by SentinelOne’s macOS agent.


IOCs



Fleetsmith customers unhappy with loss of third-party app support after Apple acquisition

When Apple confirmed it had acquired Fleetsmith, a mobile device management vendor, on Wednesday, it seemed like a straightforward purchase, but Fleetsmith customers quickly learned a key piece of functionality had stopped working — and many weren’t happy about it.

Apple systems administrators began complaining on social media on the morning of the acquisition announcement that the company was no longer allowing them to connect to third-party applications.

“Primarily Fleetsmith maintained a third-party app catalog, so you could deploy things like Chrome or Zoom to your Macs, and Fleetsmith would maintain security updates for those apps. This was the main reason we purchased Fleetsmith,” a Fleetsmith customer told TechCrunch.

The customer added that the company described this functionality as a major feature in a company blog post:

For apps like Chrome, which are managed through the Fleetsmith Catalog, we handle all aspects of testing, packaging, triage, and deployment automatically. Whenever there’s an update (including security patches), we quickly add them to the Catalog so that our customers can enforce the latest version. In this case, we had the Chrome 78.0.3904.87 patch up within a couple hours of the update dropping.

As one system administrator pointed out, being able to manage Chrome browser security in an automated way was a huge part of this, and that was also removed along with third-party app support.

As it turned out, Apple had made it clear that it was discontinuing this feature in an email to Fleetsmith customers on the day of the transition. The email included links to several help articles that were supposed to assist admins with the transition. (The email is included in full at the end of this article.)

The general consensus among admins that I spoke to was that these articles were not terribly helpful. While they described a way to fix the issues, they said that Apple has turned what was a highly automated experience into a highly manual one, effectively eliminating the speed and ease of use advantage of having the update feature in the first place.

Apple did confirm that it had responded to some help ticket requests after the changes this week, saying that it would soon restore some configurations for Catalog apps, and was working with impacted customers as needed. The company did not make clear, however, why they removed this functionality in the first place.

Fleetsmith offered a couple of key features that appealed to Mac system administrators. For starters, it let them set up new Macs automatically out of the box. This allows them to ship a new Mac or other Apple device, and as soon as the employee powers it up and connects to Wi-Fi, it connects to Fleetsmith, where system administrators can track usage and updates. In addition, it allowed system administrators to enforce Apple security and OS updates on company devices.

What’s more, it could also do the same thing with third-party applications like Google Chrome, Zoom or many others. When these companies pushed a new update, system administrators could make sure all users had the most recent version running on their machines. This is the key functionality that was removed this week.

It’s not clear why Apple chose to strip out these features outlined in the email to customers, but it seems likely that most of this functionality isn’t coming back, other than restoring some configurations for Catalog apps.

Email that went out to Fleetsmith customers the day of the acquisition outlining the changes:

Attempts to reach Fleetsmith founders for comment were unsuccessful. Should that change we will update the article.

Russian Cybercrime Boss Burkov Gets 9 Years

A well-connected Russian hacker once described as “an asset of supreme importance” to Moscow was sentenced on Friday to nine years in a U.S. prison after pleading guilty to running a site that sold stolen payment card data, and to administering a highly secretive crime forum that counted among its members some of the most elite Russian cybercrooks.

Alexei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Photo: Andrei Shirokov / Tass via Getty Images.

Alexsei Burkov of St. Petersburg, Russia admitted to running CardPlanet, a site that sold more than 150,000 stolen credit card accounts, and to being a founder of DirectConnection — a closely guarded underground community that attracted some of the world’s most-wanted Russian hackers.

As KrebsOnSecurity noted in a November 2019 profile of Burkov’s hacker nickname ‘k0pa,’ “a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled malicious hackers ever apprehended by U.S. authorities, and that the Russian government is probably concerned that he simply knows too much.”

Burkov was arrested in 2015 on an international warrant while visiting Israel, and over the ensuing four years the Russian government aggressively sought to keep him from being extradited to the United States.

When Israeli authorities turned down requests to send him back to Russia — supposedly to face separate hacking charges there — the Russians then imprisoned Israeli citizen Naama Issachar on trumped-up drug charges in a bid to trade prisoners. Nevertheless, Burkov was extradited to the United States in November 2019. Russian President Vladimir Putin pardoned Issachar in January 2020, just hours after Burkov pleaded guilty.

Arkady Bukh is a New York attorney who has represented a number of accused and convicted cybercriminals from Eastern Europe and Russia. Bukh said he suspects Burkov did not cooperate with the Justice Department investigators apart from agreeing not to take the case to trial.

“Nine years is a huge sentence, and the government doesn’t give nine years to defendants who cooperate,” Bukh said. “Also, the time span [between Burkov’s guilty plea and sentencing] was very short.”

DirectConnection was something of a Who’s Who of major cybercriminals, and many of its most well-known members have likewise been extradited to and prosecuted by the United States. Those include Sergey “Fly” Vovnenko, who was sentenced to 41 months in prison for operating a botnet and stealing login and payment card data. Vovnenko also served as administrator of his own cybercrime forum, which he used in 2013 to carry out a plan to have Yours Truly framed for heroin possession.

As noted in last year’s profile of Burkov, an early and important member of DirectConnection was a hacker who went by the moniker “aqua” and ran the banking sub-forum on Burkov’s site. In December 2019, the FBI offered a $5 million bounty leading to the arrest and conviction of aqua, who’s been identified as Maksim Viktorovich Yakubets. The Justice Department says Yakubets/aqua ran a transnational cybercrime organization called “Evil Corp.” that stole roughly $100 million from victims.

In this 2011 screenshot of DirectConnection, we can see the nickname of “aqua,” who ran the “banking” sub-forum on DirectConnection. Aqua, a.k.a. Maksim V. Yakubets of Russia, now has a $5 million bounty on his head from the FBI.

According to a statement of facts in Burkov’s case, the author of the infamous SpyEye banking trojan — Aleksandr “Gribodemon” Panin — was personally vouched for by Burkov. Panin was sentenced in 2016 to more than nine years in prison.

Other top DirectConnection members include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.

Also on Friday, the Justice Department said it obtained a guilty plea from another top cybercrime forum boss — Sergey “Stells” Medvedev — who admitted to administering the Infraud forum. The government says Infraud, whose slogan was “In Fraud We Trust,” attracted more than 10,000 members and inflicted more than $568 million in actual losses from the sale of stolen identity information, payment card data and malware.

A copy of the 108-month judgment entered against Burkov is available here (PDF).

The Good, the Bad and the Ugly in Cybersecurity – Week 26

The Good

Big technology companies have been the source of many privacy scandals. Some have been accused of disregarding their users’ rights and peddling the immense amount of information they gather about their users’ activities and whereabouts (that is, ours). This week, however, the two largest tech giants that control the phones in our pockets have both announced new features that should improve user privacy safeguards.

First up, Apple announced new privacy features for its devices at its annual Worldwide Developers Conference. One important new feature coming to iOS 14 displays an orange dot indicator on the status bar whenever the iPhone’s camera or microphone is turned on. iOS 14 will also limit the location information shared with apps, making it possible to share only your approximate location with certain apps rather than your precise location. Apple also introduced a new privacy labeling system, resembling the labels on food products. Erik Neuenschwander, Apple’s user privacy manager, said:

“For food, you have nutrition labels, so we thought it would be great to have something similar for apps. We’re going to require each developer to self-report their practices.”

Labels will indicate app permissions, informing people how much data an app requests before they download it, in two categories: “Data Linked To You” and “Data Used to Track You.” Apple also updated user tracking on iOS 14, meaning that only users who give explicit permission to an app can be shown targeted ads, share location data with advertisers, or share their advertising ID or any other identifiers with third parties.

Meanwhile, Google followed up with its own privacy update. Google CEO, Sundar Pichai, announced that new Google accounts will auto-delete activity and location every 18 months by default. YouTube history will also auto-delete every 36 months. This will not affect existing accounts, which will still need to proactively turn on the “Auto-delete” feature. Google is also introducing “Incognito Mode” in its Search, Maps, and YouTube mobile apps. In addition, the company is updating its Security Checkup feature to include a Password Checkup mechanism. This will allow users a “one stop shop” for reviewing and improving their security and privacy settings, and ensure their passwords have not been previously exposed in a data breach.

The Bad

The recent political and cultural turmoil in the US has already caused several cyber incidents involving DDoS attacks and social media harassment. But these were rather small in scale and benign in nature, until a mega-breach occurred this week involving a million files, containing 269 gigabytes’ worth of police data, including emails, audio, video, and intelligence documents.

The data was obtained and leaked by information-freedom activists known as “Distributed Denial of Secrets”, or DDoSecrets. Sources suggest it was stolen from a web development firm called Netsential. The data trove was then published on a dedicated, searchable portal dubbed “Blueleaks”. The breach contains data from more than 200 state, local, and federal agencies, including intelligence fusion centers. Although the DDoSecrets group said it tried to remove sensitive information prior to publishing, it still contains such information as bank account routing numbers, personally identifiable information, images of criminal suspects and details about law enforcement officers.

Such a massive data breach and subsequent exposure is not just an embarrassment to law enforcement agencies, eroding the already shaken confidence of the public in them. It could potentially also help to single out and target specific members of law enforcement agencies and their families, both online and in the real world.

The Ugly

Data breaches are bad, no question, but when these breaches expose the details of victims of abuse, it becomes seriously ugly. Security and privacy researchers Noam Rotem and Ran Locar recently discovered a data breach originating from the domestic violence prevention app called “Aspire News App”, operated by a non-profit founded by American TV personalities Robin McGraw and her husband “Dr. Phil” McGraw.

This app, “Aspire News”, can be installed on a user’s phone, where it appears to be yet another news app. However, it also features an emergency help section with resources for domestic abuse victims and a “panic button” that lets them send an emergency distress message to a trusted contact. These messages can be sent via voice recording and include the victim’s details, home address, the nature of their emergency, and their current location. This is a clever way to allow victims to report abuse and call for help.

Unfortunately, these voice messages were stored on a misconfigured Amazon Web Services (AWS) S3 bucket, allowing them to be viewed and downloaded by external parties. This extremely sensitive data includes:

  • Victims’ full names and home addresses
  • Details of their emergencies and/or personal circumstances
  • Abusers’ names and personal details

While the organization behind Aspire News App secured the misconfigured repository within 24 hours of being contacted by the researchers, this isn’t the first time misconfigured AWS buckets have been the difference between good intentions and serious privacy breaches. Given the media exposure and high public profile that comes with critical data breaches, it’s concerning that here we are midway through 2020 and we still need to reinforce this message: data security is serious business, folks!

