SentinelOne Named a Winner of the Oregon Top Workplaces 2020 Award 

We’re honored to announce that SentinelOne has been awarded a Top Workplaces 2020 award by The Oregonian. When we opened our Eugene office in the Spring of 2018, our goal was to not only increase support for our rapidly growing customer base but also to strengthen the area’s flourishing technology scene and provide rewarding career opportunities for its wealth of local talent.

Garnering accolades such as the Top Workplaces honor brings us tremendous satisfaction that we are accomplishing these goals!

The Top Workplaces list is based solely on employee feedback gathered through a third-party survey administered by employee engagement technology provider Energage, LLC. The anonymous survey uniquely measures 15 drivers of engaged cultures that are critical to the success of any organization, including alignment, execution, and connection, just to name a few.

“The Eugene-Springfield area holds some of the finest technology and security talent anywhere in the world and is a burgeoning innovation hub,” said Divya Ghatak, Chief People Officer, SentinelOne. “Our team in Eugene has played an integral role these past few years in elevating SentinelOne to where it is today as a global leader in enterprise cyberdefense. It’s been our mission from day one to provide an inclusive and diverse workplace environment that not only rewards employees for their tireless efforts in helping us achieve company goals, but provides opportunities for them to continually grow as both people and professionals. We want to sincerely thank all of our Eugene team members for their invaluable contributions!”

Our Eugene office has grown to more than 80 employees today, and we hold aspirations of continued growth over the next year. We’ve received incredible support from organizations such as The Technology Association of Oregon in establishing our home in the Silicon Shire, and look forward to strengthening active engagements with local educational institutions, including the University of Oregon, Oregon State University, and Lane Community College, for work-study internships, research, and course collaboration.

We take great pride in being named an Oregon Top 2020 Workplace and are proud of creating an environment where our team is fulfilled, engaged, and growing. SentinelOne’s future is bright, and we’re hiring. Celebrate this designation with us, and take your career to the next level with SentinelOne in Eugene, Oregon!



PayCargo raises $35M from Insight for its cloud-based platform targeting the freight industry

Shipping has long been one of the more antiquated, and least technological, segments in the world of commerce, with its physical aspects — rooted in massive cargo tankers, giant fleets of aircraft and trucks, and trains of linked-up containers — underscoring some of the more obvious analogue attributes of the business.

That has also made it a ripe opportunity for startups, and today, one called PayCargo, which has built a suite of cloud-based payment and financing services for the cargo industry, is announcing $35 million in funding to expand its business in the wake of COVID-19.

The investment is coming from a single, high-profile investor, Insight Partners, which back in April announced a monster $9.5 billion fund that it planned to use not just to support portfolio companies through the global health pandemic, but to seek out new opportunities emerging in the wake of it.

PayCargo appears to be one of the latter. Eduardo Del Riego, the CEO (PayCargo was co-founded by COO Juan Carlos Dieppa and chairman Sergio Lemme), said that while the cargo industry has faced a lot of turmoil with the pandemic — production in some places ground to a halt, social distancing rules created new challenges for how shippers could work and move physical goods — it also highlighted how solutions like PayCargo’s were essential in getting things working properly again.

“With COVID, there was tremendous uncertainty about the impact of the global supply chain,” he said in an interview, “and like many other industries, the pandemic accelerated the need and demand for a paperless and contactless solution, which in turn accelerated PayCargo’s business.”

And while many of us brace ourselves for more fallout about how the world economy is contracting, PayCargo is profitable and has been from its start, the company said, and it has been growing — which in itself could be a positive signal about how production is indeed picking up again.

PayCargo provides a platform that offers tools for payers to send payments, vendors to receive them, APIs to integrate the tools into an existing IT, and financing services for those who do not want to pay for the shipments up front. All of these, for the majority of those working in this area, still are fixed in paperwork and can take weeks to resolve, making it a prime area to tackle with electronic services.

These days, PayCargo is processing some $4 billion in payments annually from some 12,000 shippers and carriers and a network of 4,000 vendors — customers span land, sea and air and include Kuehne + Nagel, DHL, DB Schenker, BDP, Seko Logistics, UPS, YUSEN Logistics and vendors like Hapag-Lloyd, MSC, Ocean Network Express, Alliance Ground, Swissport and Air France — with transaction volume up 80% over last year. By way of its APIs, PayCargo also works with a number of partners to serve customers, including the International Air Transport Association (IATA), Cargo Network Services (CNS), CHAMP Cargosystems, IBS, Accelya, Unisys and Kale Logistics.

We have written before about the very fragmented and analogue freight industry, which still bases a lot of transactions around faxes, actual paperwork physically exchanged between parties and people transferring not just goods but documents hand to hand. The same goes for the payments infrastructure that underpins it all.

That has spawned a number of other startups looking to tackle the market with tech. Emerge has been building a digital marketplace specifically for the trucking industry, while Cargo.com is targeting air freight; Europe’s Zencargo, FreightHub and Sennder are focusing on bringing cloud-based infrastructure into freight-forwarding (and Sennder is positioning itself as a consolidator in this market, recently acquiring Uber’s European business in this area); and Flexport has positioned itself as one to watch in its own take on shipping SaaS.

PayCargo itself also has a number of competitors, which might include those building bigger suites of services, of which payments is just one. In addition to all of the ones we’ve covered, there is GlobalTranz, CloudTrade and others. (Del Riego refused to name any competitors directly. “PayCargo is the premier and most robust solution in the marketplace,” he said flatly.)

Overall, CrunchBase estimates that some $5.5 billion has been invested in shipping-related tech companies looking to bring more updated processes to what is, at the end of the day, ultimately a very physical business.

But with the industry significantly bigger than that — one estimate forecasts that the shipping logistics market in the U.S. alone will be worth $1.3 trillion by 2023 — you can see how building and addressing that would be a lucrative opportunity.

“As the cargo industry rapidly shifts to electronic payments, PayCargo has established itself as the market leading platform for doing business by successfully automating the payments process and ensuring efficiency for both payers and vendors,” said Ryan Hinkle, managing director at Insight Partners, in a statement. “We are excited to work with PayCargo to continue to scale its global payments network and through our Insight Onsite team of ScaleUp and operational experts, help bring additional resources to its impressive list of customers.” Hinkle is joining the board with this round.

Axis Security raises $32M to help companies stay secure while working from home

Axis Security launched last year with the idea of helping customers enable contractors and third parties to remotely access a company’s systems in a safe way, but when the pandemic hit, they saw another use case, one which had been on their road map: helping keep systems secure when employees were working from home.

Today, the company announced a $32 million Series B investment led by Canaan Partners, with participation from existing investors Ten Eleven Ventures and Cyberstarts. Today’s round brings the total raised to $49 million, according to Axis.

Gil Azrielant, co-founder and CTO, says that the company was able to make the shift to a work from home security scenario so quickly because it had built the product from the ground up to support this vision eventually. The pandemic just accelerated that approach.

“We decided to focus on third parties and contractors at first, but we saw where the puck was going and definitely [designed] the infrastructure to become a full-blown, secure access product. So the infrastructure was there, and we just had to add a few things that were planned for later,” Azrielant told TechCrunch.

He says that the company’s product uses the notion of Zero Trust, which, as the name suggests, assumes you can’t trust anyone on your system and works from there. Using a rules-based engine, customers can create a secure environment in which access is granted according to each user’s role.

“What you can see, or what you can do, or what you can download or get to is fully controlled by our Application Access Cloud. This is based on what device you’re using, where you are, who you are, what role you’re in, and what you usually do and don’t do to determine the level of access you are going to get,” he said.

As the startup emerged from stealth last March just three days after the pandemic shutdown began in California, it had two main customers — a hotel chain and a pharmaceutical company — and CEO Dor Knafo says that as COVID took hold, “necessity became the mother of adoption.”

He added, “Both accounts came to us and asked us to start pursuing all these employee access use cases, and to us that was incredible because that gave them the push they needed to see the [remote access] vision just as vividly as we do.” Today it has added to that initial pair, and, while it wouldn’t share an exact number, it reports it has tens of customers.

Today, the startup has 38 employees almost evenly split between San Mateo, California and Tel Aviv, Israel, with plans to accelerate hiring to reach 100 people next year. As the company scales, Knafo says that he is trying to build a more diverse group as it moves to hire more people in the coming year.

“Today, we have incentive internally to help us hire in a more diverse way. We invest heavily in that, and we continue to [keep that at top of mind] for everyone in the company,” Knafo said.

Azrielant added that the pandemic has shown employees don’t have to be located near the offices, which have been closed for much of this year, and that opens up more possibilities to build a more diverse workforce because they can hire from anywhere.

With a product that has much utility right now, the company will be using the new influx of cash to help build out its sales and marketing operations and expand sales outside of North America.

“With COVID accelerating and with a shift to work from anywhere, we’ll definitely focus on bringing our products to more enterprises, which are facing this urgent challenge of working from home,” Knafo said.

Datasaur snags $3.9M investment to build intelligent machine learning labeling platform

As machine learning has grown, one of the major bottlenecks remains labeling things so the machine learning application understands the data it’s working with. Datasaur, a member of the Y Combinator Winter 2020 batch, announced a $3.9 million investment today to help solve that problem with a platform designed for machine learning labeling teams.

The funding announcement, which includes a pre-seed amount of $1.1 million from last year and $2.8 million seed right after it graduated from Y Combinator in March, included investments from Initialized Capital, Y Combinator and OpenAI CTO Greg Brockman.

Company founder Ivan Lee says that he has been working in various capacities involving AI for seven years. First when his mobile gaming startup Loki Studios was acquired by Yahoo! in 2013, and Lee was eventually moved to the AI team, and, most recently, at Apple. Regardless of the company, he consistently saw a problem around organizing machine learning labeling teams, one that he felt he was uniquely situated to solve because of his experience.

“I have spent millions of dollars [in budget over the years] and spent countless hours gathering labeled data for my engineers. I came to recognize that this was something that was a problem across all the companies that I’ve been at. And they were just consistently reinventing the wheel and the process. So instead of reinventing that for the third time at Apple, my most recent company, I decided to solve it once and for all for the industry. And that’s why we started Datasaur last year,” Lee told TechCrunch.

He built a platform to speed up human data labeling with a dose of AI, while keeping humans involved. The platform consists of three parts: a labeling interface; the intelligence component, which can recognize basic things so the labeler isn’t identifying the same thing over and over; and finally a team organizing component.

He says the area is hot, but to this point has mostly involved labeling consulting solutions, which farm out labeling to contractors. He points to the sale of Figure Eight in March 2019 and to Scale, which snagged $100 million last year as examples of other startups trying to solve this problem in this way, but he believes his company is doing something different by building a fully software-based solution.

The company currently offers a cloud and on-prem solution, depending on the customer’s requirements. It has 10 employees, with plans to hire in the next year, although he didn’t share an exact number. As he does that, he says he has been working with a partner at investor Initialized on creating a positive and inclusive culture inside the organization, and that includes conversations about hiring a diverse workforce as he builds the company.

“I feel like this is just standard CEO speak, but that is something that we absolutely value in our top of funnel for the hiring process,” he said.

As Lee builds out his platform, he has also worried about built-in bias in AI systems and the detrimental impact that could have on society. He says that he has spoken to clients about the role of labeling in bias and ways of combatting that.

“When I speak with our clients, I talk to them about the potential for bias from their labelers and built into our product itself is the ability to assign multiple people to the same project. And I explain to my clients that this can be more costly, but from personal experience I know that it can improve results dramatically to get multiple perspectives on the exact same data,” he said.

Lee believes humans will continue to be involved in the labeling process in some way, even as parts of the process become more automated. “The very nature of our existence [as a company] will always require humans in the loop, […] and moving forward I do think it’s really important that as we get into more and more of the long tail use cases of AI, we will need humans to continue to educate and inform AI, and that’s going to be a critical part of how this technology develops.”

How Twilio built its own conference platform

Twilio’s annual customer conference was supposed to happen in May, but like everyone else who had live events scheduled for this year, it ran smack-dab into COVID-19 and was forced to cancel. That left the company wondering how to reimagine the event online. It began an RFP process to find a vendor to help, but eventually concluded it could use its own APIs and build a platform on its own.

That’s a pretty bold move, but one of the key issues facing Twilio was how to recreate the in-person experience of the show floor where people could chat with specific API experts. After much internal deliberation, they realized that was what their communication API products were designed to do.

Once they committed to going their own way, they began a long process that involved figuring out must-have features, building consensus in the company, creating a development and testing cycle and finding third-party partnerships to help them when they ran into the limitations of their own products.

All that work culminates this week when Twilio holds its annual Signal Conference online Wednesday and Thursday. We spoke to In-Young Chang, director of experience at Twilio, to learn how this project came together.

Chang said once the decision was made to go virtual, the biggest issue for them (and for anyone putting on a virtual conference) was how to recreate that human connection that is a natural part of the in-person conference experience.

The company’s first step was to put out a request for proposals with event software vendors. She said that the problem was that these platforms hadn’t been designed for the most part to be fully virtual. At best, they had a hybrid approach, where some people attended virtually, but most were there in person.

“We met with a lot of different vendors, vendors that a lot of big tech companies were using, but there were pros to some of them, and then cons to others, and none of them truly fit everything that we needed, which was connecting our customers to product experts [like we do at our in-person conferences],” Chang told TechCrunch.

Even though they had winnowed the proposals down to a manageable few, they weren’t truly satisfied with what the event software vendors were offering, and they came to a realization.

“Either we find a vendor who can do this fully custom in three months’ time, or [we do it ourselves]. This is what we do. This is in our DNA, so we can make this happen. The hard part became how do you prioritize because once we made the conference fully software-based, the possibilities were endless,” she said.

All of this happened pretty quickly. The team interviewed the vendors in May, and by June made the decision to build it themselves. They began the process of designing the event software they would be using, taking advantage of their own communications capabilities, first and foremost.

The first thing they needed to do was meet with various stakeholders inside the company and figure out the must-have features in their custom platform. She said that reeling in people’s ambitions for version 1.0 of the platform was part of the challenge that they faced trying to pull this together.

“We only had three months. It wasn’t going to be totally perfect. There had to be some prioritization and compromises, but with our APIs we [felt that we] could totally make this happen,” Chang said.

They started meeting with different groups across the company to find out their must-haves. They knew that they wanted to recreate this personal contact experience. Other needs included typical conference activities like being able to collect leads and build agendas and the kinds of things you would expect to do at any conference, whether in-person or virtual.

As the team met with the various constituencies across the company, they began to get a sense of what they needed to build and they created a priorities document, which they reviewed with the Signal leadership team. “There were some hard conversations and some debates, but everyone really had goodwill toward each other knowing that we only had a few months,” she said.

Signal Concierge Agent helps attendees navigate the online conference. Image Credits: Twilio

The team believed it could build a platform that met the company’s needs, but with only 10 developers working on it, they had a huge challenge to get it done in three months.

With one of the major priorities putting customers together with the right Twilio personnel, they decided to put their customer service platform, Twilio Flex, to work on the problem. Flex combines voice, messaging, video and chat in one interface. While the conference wasn’t a pure customer service issue, they believed that they could leverage the platform to direct requests to people with the right expertise and recreate the experience of walking up to the booth and asking questions of a Twilio employee with a particular skill set.

“Twilio Flex has Taskrouter, which allows us to assign agents unique skills-based characteristics, like you’re a video expert, so I’m going to tag you as a video expert. If anyone has a question around video, I know that we can route it directly to you,” Chang explained.

They also built a bot companion, called Signal Concierge, that moves through the online experience with each attendee and helps them find what they need, applying their customer service approach to the conference experience.

“Signal Concierge is your conference companion, so that if you ever have a question about what session you should go to next or [you want to talk to an expert], there’s just one place that you have to go to get an answer to your question, and we’ll be there to help you with it,” she said.

The company couldn’t do everything with Twilio’s tools, so it turned to third parties in those cases. “We continued our partnership with Klik, a conference data and badging platform all available via API. And Perficient, a Twilio SI partner we hired to augment the internal team to more quickly implement the custom Twilio Flex experience in the tight time frame we had. And Plexus, who provided streaming capabilities that we could use in an open-source video player,” she said.

They spent September testing what they built, making sure the Signal Concierge was routing requests correctly and all the moving parts were working. They open the virtual doors on Wednesday morning and get to see how well they pulled it off.

Chang says she is proud of what her team pulled off, but recognizes this is a first pass and future versions will have additional features that they didn’t have time to build.

“This is V1 of the platform. It’s not by any means exactly what we want, but we’re really proud of what we were able to accomplish from scoping the content to actually building the platform within three months’ time,” she said.

Salesforce creates for profit platform to help governments distribute COVID vaccine when it’s ready

For more than 20 years, Salesforce has been selling cloud business software, but it has also used the same platform to build ways to track things other than sales, marketing and service information. One example is Work.com, the platform it created earlier this year to help companies develop and organize a safe way to begin returning to work during the pandemic.

Today, the company announced it was putting that same platform to work to help distribute and track a vaccine whenever it becomes available along with related materials like syringes that will be needed to administer it. The plan is to use Salesforce tools to solve logistical problems around distributing the vaccine, as well as data to understand where it could be needed most and the efficacy of the drug, according to Bill Patterson, EVP and general manager for CRM applications at Salesforce.

“The next wave of the virus phasing, if you will, will be [when] a vaccine is on the horizon, and we begin planning the logistics. Can we plan the orchestration? Can we measure the inventory? Can we track the outcomes of the vaccine once it reaches the public’s hands,” Patterson asked.

Salesforce has put together a new product called Work.com for Vaccines to put its platform to work to help answer these questions, which Patterson says ultimately involves logistics and data, two areas that are strengths for Salesforce.

The platform includes the core Work.com command center along with additional components for inventory management, appointment management, clinical administration, outcome monitoring and public outreach.

While this all sounds good, what Salesforce lacks, of course, is expertise in drug distribution or public health administration. The company believes, however, that by building a flexible platform on open data, government entities will be able to share that data with software products outside of the Salesforce family.

“That’s why it’s important to use an open data platform that allows for aggregate data to be quickly summarized and abstracted for public use,” he said. He points to the fact that some states are using Tableau, the company that Salesforce bought last year for a tidy $15.7 billion, to track other types of COVID data.

“Many states today are running all their COVID testing and positive case reporting through the Tableau platform. We want to do the same kind of exchange of data with things like inventory management [for a vaccine],” he said.

While this sounds like a public service kind of activity, Salesforce intends to sell this product to governments to manage vaccines. Patterson says that to run a system like this at what they envision will be enormous scale, it will be a service that governments have to pay for to access.

This isn’t the first time that Salesforce has created a product that falls somewhat outside of the standard kind of business realm, but which takes advantage of the Salesforce platform. Last year it developed a tool to help companies measure how sustainable they are being. While the end goal is positive, just like Work.com for Vaccines and the broader Work.com platform, it is a tool that they charge for to help companies implement and measure these kinds of initiatives.

The tool set is available starting today. Pricing will vary depending on the requirements and components of each government entity.

The real question here is whether this kind of distribution platform should be created by a private company like Salesforce for profit, or whether it would be better suited to an open source project, where a community of developers could create the software and distribute it for free.

Papaya Global raises $40M for a payroll and HR platform aimed at global workforces

Workforces are getting more global, and people who work day in, day out for organizations don’t always sit day in, day out in a single office, in a single country, to get a job done. Today, one of the startups building HR to help companies provision services for and manage those global workers better is announcing a funding round to capitalise on a surge in business that it has seen in the last year — spurred in no small part by the global health pandemic, the impact it’s had on travel and the way it has focused the minds of companies to get their cloud services and workforce management in order.

Papaya Global, an Israeli startup that provides cloud-based payroll, as well as hiring, onboarding and compliance services for organizations that employ full-time, part-time, or contract workers outside of their home country, has raised $40 million in a Series B round of funding led by Scale Venture Partners. Workday Ventures — the corporate investment arm of the HR company — Access Industries (via its Israeli vehicle Claltech), and previous investors Insight Partners, Bessemer Venture Partners, New Era Ventures, Group 11, and Dynamic Loop also participated.

The money comes less than a year after its Series A of $45 million, following the company growing 300% year-over-year annually since 2016. It’s now raised $95 million and is not disclosing valuation. But Eynat Guez, the CEO who co-founded the company in that year with Ruben Drong and Ofer Herman, said in an interview that it’s 5x the valuation it had in its round last year.

Its customers include fast-growing startups (precisely the kind of customer that not only has global workforces, but is expanding its employee base quickly) like OneTrust, nCino and Hopin, as well as major corporates like Toyota, Microsoft, Wix, and General Dynamics.

Guez said Papaya Global was partly born out of the frustrations she herself had with HR solutions — she’s worked in the field for years. Different countries have different employment regulations, varied banking rules, completely different norms in terms of how people get paid, and so on. While there have been some really modern tools built for local workforces — Rippling, Gusto, Zenefits now going head to head with incumbents like ADP — they weren’t built to address these issues.

Other HR people who have dealt with international workers would understand her pain, those who control the purse strings might have been less aware of the fragmentation. All that changed in the last eight months (and for the foreseeable future), a period when companies have had to reassess everything about how they work to make sure that they can get through the current period without collapsing.

“The major impact of Covid-19 for us has been changing attitudes,” said Guez. “People usually think that payroll works by itself, but it’s one of the more complex parts of the organization, covering major areas like labor, accounting, tax. Eight months ago, a lot of clients thought, it just happens. But now they realize they didn’t have control of the data, some don’t even have a handle on who is being paid.”

As people moved into and out of jobs, and out of offices into working from home, as the pandemic kicked off, some operations fell apart as a result, she said. “Payroll continuity is like IT continuity, and so all of a sudden when Covid started its march, we had prospects calling us saying they didn’t have data on, for example, their Italian employees, and the office they were using wasn’t answering the phone.”

Guez herself is walking the walk on the remote working front. Papaya Global itself has offices around the world, and Guez herself is normally based in Tel Aviv. But our interview was conducted with her in the Maldives. She said she and her family decided to decamp elsewhere before Israel went into a second lockdown, which was very tough to handle in a small flat with small children. Working anywhere, as we have found out, can work.

The company is not the only one that has identified and is building to help organizations handle global workforces. In fact, just when you think the unemployment, furlough and layoff crunch is affecting an inordinate number of people and the job market is in a slump, a rush of them, along with other HR companies, have all been announcing significant funding rounds this year on the back of surges in business.

Others that have raised money during the pandemic include Deel, which like Papaya Global is also addressing the complexities of running global workforces; Turing, which helps with sourcing and then managing international teams; Factorial with its platform targeting specifically SMBs; Lattice focused on the bigger challenges of people management; and Rippling, the second act from Zenefits’ Parker Conrad.

“Papaya Global’s accelerating growth is a testament to their top-notch executive leadership as well as their ability to streamline international payroll management, a first for many enterprises that have learned to live with highly manual payroll processes,” said Rory O’Driscoll, a partner at Scale Venture Partners, in a statement. “The complexity and cost of managing multi-region workforces cannot be understated. Eynat and her team are uniquely serving their customers’ needs, bringing an advanced SaaS platform into a market long-starved for more effective software solutions.”

Who’s Behind Monday’s 14-State 911 Outage?

Emergency 911 systems were down for more than an hour on Monday in towns and cities across 14 U.S. states. The outages led many news outlets to speculate the problem was related to Microsoft‘s Azure web services platform, which also was struggling with a widespread outage at the time. However, multiple sources tell KrebsOnSecurity the 911 issues stemmed from some kind of technical snafu involving Intrado and Lumen, two companies that together handle 911 calls for a broad swath of the United States.

Image: West.com

On the afternoon of Monday, Sept. 28, several states including Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania and Washington reported 911 outages in various cities and localities.

Multiple news reports suggested the outages might have been related to an ongoing service disruption at Microsoft. But a spokesperson for the software giant told KrebsOnSecurity, “we’ve seen no indication that the multi-state 911 outage was a result of yesterday’s Azure service disruption.”

Inquiries made with emergency dispatch centers at several of the towns and cities hit by the 911 outage pointed to a different source: Omaha, Neb.-based Intrado — until last year known as West Safety Communications — a provider of 911 and emergency communications infrastructure, systems and services to telecommunications companies and public safety agencies throughout the country.

Intrado did not respond to multiple requests for comment. But according to officials in Henderson County, NC, which experienced its own 911 failures yesterday, Intrado said the outage was the result of a problem with an unspecified service provider.

“On September 28, 2020, at 4:30pm MT, our 911 Service Provider observed conditions internal to their network that resulted in impacts to 911 call delivery,” reads a statement Intrado provided to county officials. “The impact was mitigated, and service was restored and confirmed to be functional by 5:47PM MT. Our service provider is currently working to determine root cause.”

The service provider referenced in Intrado’s statement appears to be Lumen, a communications firm and 911 provider that until very recently was known as CenturyLink Inc. A look at the company’s status page indicates multiple Lumen systems experienced total or partial service disruptions on Monday, including its private and internal cloud networks and its control systems network.

Lumen’s status page indicates the company’s private and internal cloud and control system networks had outages or service disruptions on Monday.

In a statement provided to KrebsOnSecurity, Lumen blamed the issue on Intrado.

“At approximately 4:30 p.m. MT, some Lumen customers were affected by a vendor partner event that impacted 911 services in AZ, CO, NC, ND, MN, SD, and UT,” the statement reads. “Service was restored in less than an hour and all 911 traffic is routing properly at this time. The vendor partner is in the process of investigating the event.”

It may be no accident that both of these companies are now operating under new names, as this would hardly be the first time a problem between the two of them has disrupted 911 access for a large number of Americans.

In 2019, Intrado/West and CenturyLink agreed to pay $575,000 to settle an investigation by the Federal Communications Commission (FCC) into an Aug. 2018 outage that lasted 65 minutes. The FCC found that incident was the result of a West Safety technician bungling a configuration change to the company’s 911 routing network.

On April 6, 2014, some 11 million people across the United States were disconnected from 911 services for eight hours thanks to an “entirely preventable” software error tied to Intrado’s systems. The incident affected 81 call dispatch centers, rendering emergency services inoperable in all of Washington and parts of North Carolina, South Carolina, Pennsylvania, California, Minnesota and Florida.

According to a 2014 Washington Post story about a subsequent investigation and report released by the FCC, that issue involved a problem with the way Intrado’s automated system assigns a unique identifying code to each incoming call before passing it on to the appropriate “public safety answering point,” or PSAP.

“On April 9, the software responsible for assigning the codes maxed out at a pre-set limit,” The Post explained. “The counter literally stopped counting at 40 million calls. As a result, the routing system stopped accepting new calls, leading to a bottleneck and a series of cascading failures elsewhere in the 911 infrastructure.”

Compounding the length of the 2014 outage, the FCC found, was that the Intrado server responsible for categorizing and keeping track of service interruptions classified them as “low level” incidents that were never flagged for manual review by human beings.

The FCC ultimately fined Intrado and CenturyLink $17.4 million for the multi-state 2014 outage. An FCC spokesperson declined to comment on Monday’s outage, but said the agency was investigating the incident.

How to Catch a Spy | Detecting FinFisher Spyware on macOS

A report last week from human rights advocates Amnesty International brought to light a macOS variant of a cross-platform spyware suite known as FinSpy, developed and marketed by German-based outfit FinFisher. The FinSpy tool was written with multiple capabilities in mind, with everything from keylogger, audio recording, camera and screenshot tools to a remote access shell, file enumeration and exfiltration functions. In this post, we look at how to detect the macOS variant and list some previously unpublished IoCs.

What is FinFisher Spyware?

According to FinFisher’s own website and marketing material, the company produces tools for “tactical intelligence gathering”, “strategic intelligence gathering”, and “deployment methods and exploitation”. The company states that it only partners with “Law Enforcement and Intelligence Agencies” and has a “worldwide presence”.

Amnesty International and other civil rights organizations (e.g., the Citizen Lab), however, have noted FinSpy being used in campaigns targeting “activists, journalists and dissidents” in Egypt, Ethiopia, and the United Arab Emirates (UAE) among others. What ties these various campaigns together, aside from the use of FinFisher products, is that the targets are very frequently “human rights defenders”.

Although elements of the toolkit targeting macOS users have been known for some time to malware researchers, and some components of the macOS suite do not appear to be functional on the latest iterations of Apple’s desktop platform, our tests confirmed that the malware samples shared by Amnesty will still launch and infect a macOS Catalina install, and that some of the dropped malware is not well-known to reputation services like VirusTotal.

How Does FinSpy for macOS Work?

In their report, Amnesty provided the following hash for this sample on VirusTotal, which we used for our analysis:

4f3003dd2ed8dcb68133f95c14e28b168bd0f52e5ae9842f528d3f7866495cea

Although some engines on VT have caught up with this sample, the majority still do not recognize it as malware at the time of writing, with only 12/59 detections.

As the sample is not Notarized, the user will need to be socially engineered to override the Notarization check on macOS Catalina, something that commodity malware authors at least have become very successful at achieving.

The trojan installer’s MacOS folder contains two executable files and a directory.

The Bash script, Install Çağlayan, contains the logic for executing the malicious application bundle in the hidden .log folder:

The ARA0848.app’s Mach-O executable contains logic to detect execution in a Virtual Machine environment as a means to thwart macOS malware researchers using any one of Parallels, VMware or VirtualBox virtualization software:

Since it is always wise to reverse macOS malware in an isolated test environment, we had to alter the sample slightly in order to beat its built-in anti-analysis detection routine. In our case, we are using an isolated Parallels Virtual Machine for this lab, so some light binary patching should take care of the VM detection.

First, we copy the binary off the DMG to local disk, and then open the binary in the vi editor:

Then we call the xxd utility from vi’s command line:

%!xxd

Next, we search for instances of “parallels”. Fortunately, there are only two:

We now edit the first character of each and change it from ‘parallels’ to ‘xarallels’ by changing the hex byte 70 (‘p’) to 78 (‘x’). Keeping the replacement the same length leaves every other offset in the binary untouched. We then use %!xxd -r to reverse the hex back to binary format and save out of vi with the command wq.
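The same single-byte patch done programmatically, as an added example that is not from the original post: a small Python helper that enforces the equal-length rule and reports how many markers it changed. The file names and the stand-in bytes built in demo() are constructed here, not the real sample.

```python
import tempfile
from pathlib import Path


def patch_marker(src: Path, dst: Path, old: bytes, new: bytes) -> int:
    """Write a copy of src to dst with every `old` byte string replaced by `new`.

    Same-length replacement only: a longer or shorter string would shift every
    offset behind it and corrupt the Mach-O, which is why the vi/xxd edit above
    changes one byte ('p' -> 'x') instead of removing the string.
    Returns the number of occurrences replaced.
    """
    if len(old) != len(new):
        raise ValueError("replacement must have the same length as the original")
    data = Path(src).read_bytes()
    count = data.count(old)
    if count == 0:
        raise ValueError(f"{old!r} not found in {src}")
    Path(dst).write_bytes(data.replace(old, new))
    return count


def demo() -> dict:
    """Run the patch on a constructed stand-in for the copied binary (not the real sample)."""
    work = Path(tempfile.mkdtemp())
    src, dst = work / "ARA0848_copy", work / "ARA0848_patched"
    # Constructed bytes: a Mach-O magic followed by the kind of VM product
    # names the sample looks for; only the marker occurrences matter here.
    original = b"\xcf\xfa\xed\xfe\x00parallels\x00vmware\x00virtualbox\x00parallels\x00"
    src.write_bytes(original)
    count = patch_marker(src, dst, b"parallels", b"xarallels")
    return {"count": count, "original": original, "patched": dst.read_bytes()}


if __name__ == "__main__":
    r = demo()
    print(f"patched {r['count']} occurrence(s); "
          f"size unchanged: {len(r['patched']) == len(r['original'])}")
```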

Launching the sample on macOS Catalina requires overriding the Notarization check (more on this below), after which we immediately observe a request from the malware to elevate privileges. After obliging, the malware immediately writes the following files to the user’s Library Caches folder:

Aside from that, the FinFisher spyware seeks to maintain persistence by writing a domain-level LaunchAgent called logind.plist to the /Library/LaunchAgents folder.

The program argument targets /private/etc/logind, where we find the following setuid, setgid file:

While the path at /etc/logind (or /private/etc/logind) is well-known for this malware (see the next section), the executable dropped in our test is currently unknown on VirusTotal and, to our knowledge, has not been shared before:

02e4d0e23391bbbb75c47f5db44d119176803da74b1c170250e848de51632ae9

A different file with the same name, but also apparently virtually unknown on VT, appears at

/Library/Frameworks/Storage.framework/Contents/MacOS/logind

1cf36a2d8a2206cb4758dcdbd0274f21e6f437079ea39772e821a32a76271d46

Is FinSpy A New Kind of Fully Undetectable Malware?

Malware authors and resellers are always keen to paint their products as ‘undetectable’ or ‘fully undetectable’ (FUD) to attract customers, and we are sure those who market tools to “Law Enforcement and Intelligence Agencies” are just as concerned to make the same claims. If you’re in the market for buying malware, particularly spyware, then being undetectable is pretty much the first feature on your shopping list.

Despite such claims, very little malware is truly “fully undetectable”, simply because it needs to behave in certain, predictable ways in order to fulfil its objectives (for example, log keystrokes, communicate with a C2 and so on), and in this regard FinSpy is no different.

In fact, elements of FinSpy have been known to security researchers and static search engines for some time. In particular, a user path used by FinFisher for the persistence agent:

~/Library/LaunchAgents/logind

has been known since at least 2017. Other path elements can be seen added to Apple’s MRT.app in stages over recent months, with new detection paths added in v1.52 and v1.64:

Despite that, even the current MRT.app, v1.66, still doesn’t search for the LaunchAgent at the domain level.

More importantly, however, MRT.app’s detections don’t prevent Mac users from becoming victims of FinSpy. Apple’s MRT.app is a post-infection tool that runs at periodic intervals: primarily, when the user boots the Mac or logs in to a user account, as well as when the tool is silently updated by Apple in the background.

In order to actually try to prevent launch and execution of malicious code, Apple uses a number of different technologies: namely, Gatekeeper, Notarization and XProtect. While useful, the first two suffer from the weakness that they are overridable by the user, meaning that the malware can be installed either by socially engineering the victim or by a malicious user with temporary access to the victim’s computer.

On macOS 10.15 Catalina, XProtect has become far more robust and resistant to user bypassing, but XProtect is only as useful as the signatures it contains. Since in our test we were able to execute both the FinSpy trojan installer and the hidden malicious application bundle it includes on a macOS Catalina 10.15.7 installation, we surmise that XProtect has yet to catch up with the latest FinSpy samples.

Does SentinelOne Protect Against FinSpy / FinFisher Malware?

Our test of the above samples shows that the SentinelOne agent correctly detects and blocks FinFisher/FinSpy for macOS malware.

Our behavioral detection reveals that the FinSpy malware attempts Defense Evasion and Persistence, which we map to MITRE ATT&CK TTPs T1211 and T1160, respectively.

The SentinelOne management console Process Tree accurately maps the execution of malicious processes, correctly convicting those that belong to the malware (in red):

Conclusion

FinFisher’s FinSpy malware for macOS is a commercially produced and distributed product aimed at infecting Mac users for the purposes of spying, stealing data and remotely controlling the target machine. While we pass no judgement on whether this spyware is being ‘legitimately’ used by law enforcement or intelligence agencies around the world, we remain committed to ensuring that SentinelOne customers are fully protected from infection by this or any other unauthorized software on their endpoints. If you would like to see how SentinelOne can help protect your business, contact us today or request a free demo. For more insight into macOS malware threats, see here.

Indicators of Compromise

/Volumes/caglayan-macos/Install Çağlayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (Mach-O)
SHA256: 651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673
SHA1: 2584f1119c65ffd0936e2916b285389404b942c9

/private/etc/logind (Mach-O)
SHA256: 02e4d0e23391bbbb75c47f5db44d119176803da74b1c170250e848de51632ae9
SHA1: 62e5dc40bfabaa712cd9e32ac755384db07f0dab

/Library/Frameworks/Storage.framework/Contents/MacOS/logind (Mach-O)
SHA256: 1cf36a2d8a2206cb4758dcdbd0274f21e6f437079ea39772e821a32a76271d46
SHA1: d3dab40d51e1b4ff332b6be1c993c916c3d58481

~/Library/Caches/org.logind.ctp.archive/helper (Mach-O)
SHA256: 562c420921f5146273b513d17b9f470a99bd676e574c155376c3eb19c37baa09
SHA1: 72cb14bc737a9d77c040affa60521686ffa80b84

~/Library/Caches/org.logind.ctp.archive/helper2 (Python Script)
SHA256: af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0
SHA1: 9a0ede8fad59e7252502881554be0c21972238c9

~/Library/Caches/org.logind.ctp.archive/helper3 (Mach-O)
SHA256: 6ab836d19bc4b69dfe733beef295809e15ace232be0740bc326f58f9d31d8197
SHA1: 427a1c1daf9030069f0c771ce172c104513a7722

~/Library/Caches/org.logind.ctp.archive/installer (Mach-O)
SHA256: ac414a14464bf38a59b8acdfcdf1c76451c2d79da0b3f2e53c07ed1c94aeddcd
SHA1: a65965b960b3d322bbae467f51bf215d574b00cc
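A defender’s check built from the paths and SHA256 values listed above, added here as an example; it is not from the original post and not SentinelOne’s product logic. It looks for files at the known FinSpy locations, flags setuid/setgid bits (as seen on /private/etc/logind), compares hashes against the IoC list, and reads the logind.plist LaunchAgent’s ProgramArguments. The root and home parameters are assumptions so the check can run against a test tree as well as a live Mac.

```python
import hashlib
import plistlib
import stat
from pathlib import Path

# SHA256 values taken from the IoC list above.
FINSPY_SHA256 = {
    "651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673",
    "02e4d0e23391bbbb75c47f5db44d119176803da74b1c170250e848de51632ae9",
    "1cf36a2d8a2206cb4758dcdbd0274f21e6f437079ea39772e821a32a76271d46",
    "562c420921f5146273b513d17b9f470a99bd676e574c155376c3eb19c37baa09",
    "af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0",
    "6ab836d19bc4b69dfe733beef295809e15ace232be0740bc326f58f9d31d8197",
    "ac414a14464bf38a59b8acdfcdf1c76451c2d79da0b3f2e53c07ed1c94aeddcd",
}
# Drop and persistence locations named in the post, relative to the system
# root (SYSTEM_PATHS) or to the victim's home directory (USER_DIRS).
SYSTEM_PATHS = ["private/etc/logind", "Library/LaunchAgents/logind.plist",
                "Library/Frameworks/Storage.framework/Contents/MacOS/logind"]
USER_DIRS = ["Library/Caches/org.logind.ctp.archive"]

def check_file(path: Path, known: set, findings: list) -> None:
    """Append (path, reason) tuples for everything suspicious about one file."""
    findings.append((str(path), "file at known FinSpy location"))
    if path.stat().st_mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append((str(path), "setuid/setgid bit set"))
    if hashlib.sha256(path.read_bytes()).hexdigest() in known:
        findings.append((str(path), "SHA256 matches FinSpy IoC"))
    if path.suffix == ".plist":
        try:
            args = plistlib.loads(path.read_bytes()).get("ProgramArguments", [])
        except Exception:  # not a parseable plist dictionary
            args = []
        if any("logind" in str(a) for a in args):
            findings.append((str(path), f"LaunchAgent runs {args[0]}"))

def scan(root: Path, home: Path, known: set = FINSPY_SHA256) -> list:
    """Check the locations above under root/home; returns a list of findings."""
    findings = []
    for rel in SYSTEM_PATHS:
        if (root / rel).is_file():
            check_file(root / rel, known, findings)
    for rel in USER_DIRS:
        if (home / rel).is_dir():
            for p in (home / rel).iterdir():
                if p.is_file():
                    check_file(p, known, findings)
    return findings

if __name__ == "__main__":
    # Live run against this machine: system root "/" and the current user's home.
    for path, reason in scan(Path("/"), Path.home()):
        print(f"{reason}: {path}")
```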

Skydio partners with EagleView for autonomous residential roof inspections via drone

Skydio only recently announced its expansion into the enterprise and commercial market with hardware and software tools for its autonomous drone technology, and now it’s taking the lid off a big new partnership with one commercial partner. Skydio will work with EagleView to deploy automated residential roof inspections using Skydio drones, with service initially provided via EagleView’s Assess product, launching first in the Dallas/Ft. Worth area of Texas.

The plan is to expand coverage to additional metro areas starting next year, and then broaden to rural customers as well. The partners will use AI-based analysis, paired with Skydio’s high-resolution, precision imaging to provide roofing status information to insurance companies, claims adjustment companies and government agencies, providing a new level of quality and accuracy for property inspections that don’t even require an in-person roof inspection component.

Skydio announced its enterprise product expansion in July, alongside a new $100 million funding round. The startup, which has already delivered two generations of its groundbreaking fully autonomous consumer drone, also debuted the X2, a commercial drone that includes additional features like a thermal imaging camera. It’s also offering a suite of “enterprise skills,” software features that can provide its partners with automated workflows and AI analysis and processing, including a House Scan feature for residential roof inspection, which is core to this new partnership.