Quill, the messaging app backed by Index, quietly comes out of stealth to take on Slack

Slack took the workplace communications landscape by storm after it launched its integration-friendly, GIF-tastic chat platform in 2013. Within the space of a decade it entered the pantheon of Big Tech: first with massive growth and usage, then a series of giant VC rounds and valuations, spawning controversial competition from incumbents, followed by a public listing and ultimately a $27.7 billion acquisition by Salesforce. Now that the cycle is complete, the decks are clear for a Slack disruptor.

Today, a new app quietly launched out of stealth called Quill, available by way of apps for the web, macOS, Windows, Linux, Android and iOS.

Like Slack, Quill is a messaging app for co-workers to update each other on what they are doing, have conversations about projects and more. It is (also like Slack) priced as a freemium service, with a $15 per user, per month tier giving users more message history and storage. An enterprise tier is also on the cards.

The implied difference from Slack is that Quill is about delivering messaging in a nondistracting way that doesn’t take up too much of your time, your concentration and your energy. Quill bills itself as “messaging for people that focus.”

So while you get a lot of the same features you have in Slack for chatting with workers, creating channels, integrating other apps, and having video and voice conversations — one of my colleagues quipped, “It looks like Slack, but more colorful!” — it also includes a bunch of features that put the focus on, well, focus.

“We grew exhausted having to skim thousands of messages every day to keep up, so we built a way to chat that’s even better than how we already communicate in person,” Quill notes on its website. “A more deliberate way to chat. That’s what Quill is all about.”

For example, “structured channels” let you enforce threads in a channel for different conversations rather than view chatter in a waterfall. Automatic sorting in the app moves up active conversations you’re in above others. Limitations on notifications mean you can have more nuance in what ultimately might end up distracting you. For example, senders can alter a setting (with a !!) to notify you if something is critical and needs to ping you. Video chats come automatically with a sidebar to continue texting, too.

Then, you get separate channels for social and nonwork chat, and a series of features that let you reshape conversations after they’ve already started: you can recast a running conversation into threads, you have a fast way to reply to messages, there is an easier and more obvious way to pin important things to the tops of channels, and you can move messages from one channel or thread to another.

You can also interact with Quill chats using SMS and email, and like Slack, it offers the ability to integrate other app notifications into the process.

It’s also working on adding a Clubhouse-like feature for voice channels, end-to-end encryption, context-based search (it already has keyword search), and user profiles.

Managing “high load”

The app has been in stealth mode for nearly three years, and while some projects might never go noticed in that time, this one is a little different because of the pedigree and the context.

For starters, Quill was founded by the former creative director of Stripe, Ludwig Pettersson, who was given a lot of the credit for the simplicity and focus of the payment company’s flagship product and platform (simplicity that became the hallmark of the service and helped it balloon into a commerce behemoth).

His involvement signaled that the effort might get at least a little attention. In a landscape that seemed to be all but dominated by Slack and a few huge, well-funded rivals in the form of Microsoft and Facebook, it’s notable that when Quill was just an idea, it had already picked up $2 million in seed funding from Sam Altman (at the time the head of Y Combinator) and General Catalyst.

Following that it raised a Series A of $12.5 million led by Sarah Cannon of Index Ventures, totaling some $14.5 million in funding in all. The Series A valued the company at $62.5 million, as we reported at the time.

Added to this is the story behind Quill and what brought Pettersson and others on his team to the idea of building it. From what we understand, the idea in its earliest inception was to capture something of the magic of communication that you get from messaging apps, and specifically from workplace communication tools like Slack, but without the distraction and resulting frustration that often come along with them.

By 2018, Slack was already a big product, valued at over $7 billion and attracting millions of users. But there was also a growing number of people criticizing it for being the opposite of productive. “It’s hard to track everything that’s going on in Slack, it can be distracting. Given the network effect, Slack has become powerful, but it was not designed as a high-load system,” Sam Altman, the investor, former president of Y Combinator and now CEO of OpenAI, said to me back in 2018 when I asked him what he knew about Quill after I first got wind of it.

He said he was “super impressed” by Ludwig’s work at Stripe, and then OpenAI (where he stayed for a year after leaving Stripe), so much so that when Ludwig suggested building “a better version of Slack,” it seemed like a “credible idea” and one worth backing even without a product yet to be built.

It’s quite fitting that for an app focused on focus, Quill launched today quietly and without much fanfare: Why worry about PR distraction when you can just get something out there?

In any case, we’re hoping to hear more and see what kind of momentum it picks up. We’ve asked Index if we can talk to Sarah Cannon about the investment, and we are still waiting to hear back. We are also trying to see if we can talk to Pettersson. But I should mention we have been trying to talk to him since first getting wind of this app back in August of 2018, so we’re not holding our breath (nor this story).

Checkout Skimmers Powered by Chip Cards

Easily the most sophisticated skimming devices made for hacking terminals at retail self-checkout lanes are a new breed of PIN pad overlay combined with a flexible, paper-thin device that fits inside the terminal’s chip reader slot. What enables these skimmers to be so slim? They draw their power from the low-voltage current that gets triggered when a chip-based card is inserted. As a result, they do not require external batteries, and can remain in operation indefinitely.

A point-of-sale skimming device that consists of a PIN pad overlay (top) and a smart card skimmer (a.k.a. “shimmer”). The entire device folds onto itself, with the bottom end of the flexible card shimmer fed into the mouth of the chip card acceptance slot.

The overlay skimming device pictured above consists of two main components. The one on top is a regular PIN pad overlay designed to record keypresses when a customer enters their debit card PIN. The overlay includes a microcontroller and a small data storage unit (bottom left).

The second component, which is wired to the overlay skimmer, is a flexible card skimmer (often called a “shimmer”) that gets fed into the mouth of the chip card acceptance slot. You’ll notice neither device contains a battery, because there simply isn’t enough space to accommodate one.

Virtually all payment card terminals at self-checkout lanes now accept (if not also require) cards with a chip to be inserted into the machine. When a chip card is inserted, the terminal reads the data stored on the smart card by sending an electric current through the chip.

Incredibly, this skimming apparatus is able to siphon a small amount of that power (a few milliamps) to record any data transmitted by the payment terminal transaction and PIN pad presses. When the terminal is no longer in use, the skimming device remains dormant.

The skimmer pictured above does not stick out of the payment terminal at all when it’s been seated properly inside the machine. Here’s what the fake PIN pad overlay and card skimmer look like when fully inserted into the card acceptance slot and viewed head-on:

The insert skimmer fully ensconced inside the compromised payment terminal. Image: KrebsOnSecurity.com

Would you detect an overlay skimmer like this? Here’s what it looks like when attached to a customer-facing payment terminal:

The PIN pad overlay and skimmer, fully seated on a payment terminal.

REALLY SMART CARDS

The fraud investigators I spoke with about this device (who did so on condition of anonymity) said initially they couldn’t figure out how the thieves who plant these devices go about retrieving the stolen data from the skimmer. Normally, overlay skimmers relay this data wirelessly using a built-in Bluetooth circuit board. But that also requires the device to have a substantial internal power supply, such as a somewhat bulky cell phone battery.

The investigators surmised that the crooks would retrieve the stolen data by periodically revisiting the compromised terminals with a specialized smart card that — when inserted — instructs the skimmer to dump all of the saved information onto the card. And indeed, this is exactly what investigators ultimately found was the case.

“Originally it was just speculation,” the source told KrebsOnSecurity. “But a [compromised] merchant found a couple of ‘white’ smartcards with no markings on them [that] were left at one of their stores. They informed us that they had a lab validate that this is how it worked.”

Some readers might reasonably be asking why it would be the case that the card acceptance slot on any chip-based payment terminal would be tall enough to accommodate both a chip card and a flexible skimming device such as this.

The answer, as with many aspects of security systems that decrease in effectiveness over time, has to do with allowances made for purposes of backward compatibility. Most modern chip-based cards are significantly thinner than the average payment card was just a few years ago, but the design specifications for these terminals state that they must be able to allow the use of older, taller cards — such as those that still include embossing (raised numbers and letters). Embossing is a practically stone-age throwback to the way credit cards were originally read, through the use of manual “knuckle-buster” card imprint machines and carbon-copy paper.

“The bad guys are taking advantage of that, because most smart cards are way thinner than the specs for these machines require,” the source explained. “In fact, these slots are so tall that you could fit two cards in there.”

IT’S ALL BACKWARDS

Backward compatibility is a major theme in enabling many types of card skimming, including devices made to compromise automated teller machines (ATMs). Virtually all chip-based cards (at least those issued in the United States) still have much of the same data that’s stored in the chip encoded on a magnetic stripe on the back of the card. This dual functionality also allows cardholders to swipe the stripe if for some reason the card’s chip or a merchant’s smartcard-enabled terminal has malfunctioned.

Chip-based credit and debit cards are designed to make it infeasible for skimming devices or malware to clone your card when you pay for something by dipping the chip instead of swiping the stripe. But thieves are adept at exploiting weaknesses in how certain financial institutions have implemented the technology to sidestep key chip card security features and effectively create usable, counterfeit cards.

Many people believe that skimmers are mainly a problem in the United States, where some ATMs still do not require more secure chip-based cards that are far more expensive and difficult for thieves to clone. However, it’s precisely because some U.S. ATMs lack this security requirement that skimming remains so prevalent in other parts of the world.

Mainly for reasons of backward compatibility to accommodate American tourists, a great number of ATMs outside the U.S. allow non-chip-based cards to be inserted into the cash machine. What’s more, many chip-based cards issued by American and European banks alike still have cardholder data encoded on a magnetic stripe in addition to the chip.

When thieves skim non-U.S. ATMs, they generally sell the stolen card and PIN data to fraudsters in Asia and North America. Those fraudsters in turn will encode the card data onto counterfeit cards and withdraw cash at older ATMs here in the United States and elsewhere.

Interestingly, even after most U.S. banks put in place fully chip-capable ATMs, the magnetic stripe will still be needed because it’s an integral part of the way ATMs work: Most ATMs in use today require a magnetic stripe for the card to be accepted into the machine. The main reason for this is to ensure that customers are putting the card into the slot correctly, as embossed letters and numbers running across odd spots in the card reader can take their toll on the machines over time.

And there are the tens of thousands of fuel pumps here in the United States that still allow chip-based card accounts to be swiped. The fuel pump industry has for years won delay after delay in implementing more secure payment requirements for cards (primarily by flexing their ability to favor their own fuel-branded cards, which largely bypass the major credit card networks).

Unsurprisingly, the past two decades have seen the emergence of organized gas theft gangs that take full advantage of the single weakest area of card security in the United States. These thieves use cloned cards to steal hundreds of gallons of gas at multiple filling stations. The gas is pumped into hollowed-out trucks and vans, which ferry the fuel to a giant tanker truck. The criminals then sell and deliver the gas at cut rate prices to shady and complicit fuel station owners and truck stops.

A great many people use debit cards for everyday purchases, but I’ve never been interested in assuming the added risk, so I pay for everything with cash or a credit card. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

The next skimmer post here will examine an inexpensive and ingenious analog device that helps retail workers quickly check whether their payment terminals have been tampered with by bad guys.

5 Things You Need to Know About Silver Sparrow

Researchers at Red Canary recently broke news of a novel macOS infection dubbed Silver Sparrow. Given headlines that suggest this is a new malware threat that has infected “30,000 devices”, targets both Intel and Apple Silicon M1 devices, and has “security pros stumped”, end users and enterprise security teams alike are expressing concerns about what Silver Sparrow is, whether they are protected (spoiler: if you are a SentinelOne customer, yes you are) and how they can hunt for it on devices that are not protected by a modern next-gen security platform. In this post, we explain what Silver Sparrow is, how dangerous it is, and whether you should be concerned about it.

1. What is Silver Sparrow?

Silver Sparrow is the name given to an infection threat identified by researchers that uses the Apple installer package format and a novel mechanism for running a preinstall script.

While the installer package, readily identifiable from the .pkg file extension, typically uses dedicated preinstall and postinstall shell scripts for preparing and cleaning up software installations, Silver Sparrow takes a different approach and (ab)uses the Distribution file to run JavaScript code during the installation process.

While macOS malware has long abused preinstall and postinstall scripts, this is the first known case of malware using the Distribution file to execute bash commands via the installer’s JavaScript API.

The Distribution file contains over 100 lines of code which function to:

  1. Set up a persistence agent with the filename pattern init-.plist (currently known agentNames are “virx” and “agent”) in ~/Library/LaunchAgents.
  2. Set up the program executable with the filepath pattern: ~/Library/Application Support/_updater/.sh
  3. Attempt to download the payload and write and execute it as /tmp/


That all sounds worrisome, but despite the headlines, there is no imminent threat to users or enterprises from the Silver Sparrow malware. The 30,000 infections reported in the media may or may not be an accurate count, but that number is based on researchers detecting two variants, neither of which has delivered a payload to date, and, more importantly, neither of which can deliver a payload any longer.

The original research title was apt, but ignored by many commentators: “Clipping Silver Sparrow’s Wings: Outing macOS malware before it takes flight”. The title reflects the fact that not only have new installations been blocked by Apple revoking the installers’ signatures, but existing installations also cannot deliver a payload, since the hardcoded URLs, which pointed at AWS S3 buckets, have been taken down by Amazon. It’s worth repeating for those that didn’t read the original research: no payload was ever delivered prior to the actions taken by Apple and Amazon.
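The technique above is easy to miss because the JavaScript lives in the package’s Distribution XML rather than in a preinstall or postinstall script. The following is an added example, not code from the original post or from the Silver Sparrow samples: it parses a Distribution file, pulls out every JavaScript block and hook, and flags calls to Installer’s system.run / system.runOnce API that spawn a shell. The Distribution document it scans is constructed here for illustration (its command is a harmless echo, not the malware’s command line); on macOS the real file can be extracted with `xar -xf update.pkg Distribution` before being fed to the scanner.

```python
"""Scan an Apple installer Distribution XML for JavaScript that shells out.

Added example (not from the original post or the malware). Assumes the
Distribution file has already been extracted from the .pkg (e.g. with
`xar -xf update.pkg Distribution` on macOS). The sample document below is
constructed for illustration and only runs an `echo`.
"""
import os
import re
import xml.etree.ElementTree as ET

# Installer.app JavaScript APIs that execute an external program.
CALL_RE = re.compile(r"\b(?P<api>system\.run(?:Once)?)\s*\((?P<args>[^)]*)\)")
SHELLS = {"sh", "bash", "zsh"}

# Constructed sample: an installation-check hook whose JavaScript spawns /bin/sh.
SAMPLE_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
  <title>Updater</title>
  <options customize="never" hostArchitectures="x86_64,arm64"/>
  <installation-check script="pm_install_check();"/>
  <script>
  <![CDATA[
    function pm_install_check() {
      system.run("/bin/sh", "-c", "echo hello > /tmp/example.txt");
      return true;
    }
  ]]>
  </script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default"><pkg-ref id="com.example.pkg"/></choice>
  <pkg-ref id="com.example.pkg" version="1.0">#update.pkg</pkg-ref>
</installer-gui-script>
"""

# Constructed benign sample: the hook only inspects the OS version.
BENIGN_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
  <title>Tool</title>
  <installation-check script="return system.compareVersions(system.version.ProductVersion, '10.13') >= 0;"/>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default"><pkg-ref id="com.example.tool"/></choice>
  <pkg-ref id="com.example.tool" version="1.0">#tool.pkg</pkg-ref>
</installer-gui-script>
"""


def extract_scripts(xml_text):
    """Return every piece of JavaScript in the Distribution: <script> bodies and hook attributes."""
    root = ET.fromstring(xml_text)
    scripts = [el.text or "" for el in root.iter("script")]
    for tag in ("installation-check", "volume-check"):
        for el in root.iter(tag):
            if el.get("script"):
                scripts.append(el.get("script"))
    return scripts


def find_shell_calls(xml_text):
    """List system.run/system.runOnce invocations with their (string-literal) arguments.

    The argument split is a simple comma split, so literals containing commas
    would need a real JS tokenizer; good enough to triage one-line invocations.
    """
    findings = []
    for js in extract_scripts(xml_text):
        for m in CALL_RE.finditer(js):
            args = [a.strip().strip("\"'") for a in m.group("args").split(",") if a.strip()]
            program = os.path.basename(args[0]) if args else ""
            findings.append({
                "api": m.group("api"),
                "args": args,
                "spawns_shell": program in SHELLS or "-c" in args,
            })
    return findings


def classify(xml_text):
    """'suspicious' if any Distribution script spawns a shell, else 'clean'."""
    return "suspicious" if any(f["spawns_shell"] for f in find_shell_calls(xml_text)) else "clean"


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_DISTRIBUTION), ("benign", BENIGN_DISTRIBUTION)):
        print(name, classify(doc), find_shell_calls(doc))
```

Note that the scanner deliberately looks at hook attributes as well as `<script>` bodies: an installation-check or volume-check attribute can carry a call directly, so checking only `<script>` elements would leave a gap.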

2. How Is Silver Sparrow Related to M1 Chips?

Given that, you might be wondering what all the fuss about Silver Sparrow is. There are two reasons why security researchers (not so much Mac users) should be interested in Silver Sparrow. One good reason, as noted above, is that it uses a novel mechanism of infection by abusing the JavaScript API and the package installer’s Distribution file.

Importantly, if you inspect the Silver Sparrow installer package in a tool like ‘Suspicious Package’, you will not be able to see the malicious script. Analysts can, however, use the shareware tool Pacifist to inspect the Distribution file.

The second reason is that Silver Sparrow is another example of recently compiled malware that targets both of Apple’s hardware architectures: Intel and Apple Silicon.

Seeing malware target the new ARM architecture creates a lot of interest, but that is entirely expected. Basically, any software developer creating or compiling any software using the latest version of Xcode will by default create a universal binary that contains binaries for both Intel and ARM architectures.

So while this is still relatively new (given that Apple Silicon is relatively new), expect to see this increasingly going forward.

3. What Kind of Malware Does Silver Sparrow Deliver?

As noted above, Silver Sparrow is a dropper and persistence mechanism, but there has to date been no known payload. However, from the way the observed components work, we can make some reasonable inferences about what kind of malware Silver Sparrow was designed to deliver.

First, note that the installer uses a ‘tried and tested’ technique typical of adware for campaign tracking. This technique involves scraping the download URL from the user’s LSQuarantineEvents database.

That in itself suggests that Silver Sparrow is likely selling itself as a mechanism to 3rd party “affiliates” or pay-per-install (PPI) partners. The existence of this technique shows that the developers are aiming to monetize the delivery of payloads, and as such puts it firmly in the category of commodity adware/malware.

Second, the Silver Sparrow installer packages observed to date contained what the original researchers called ‘bystander apps’: dummy apps that have no perceived purpose. This suggests that the authors may have been trialling the delivery mechanism in order to later offer it to “bundleware” clients that wrap free or cracked apps around the malicious installer, a technique that is widely used by commodity adware and PUP installers.
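The quarantine-database trick referred to above cuts both ways: the same record the installer reads to learn its download URL tells an analyst where a suspicious .pkg came from and which browser fetched it. This is an added example, not the installer’s own code and not from the original post; the exact query Silver Sparrow runs is not shown on the page. Column names follow the LSQuarantineEvent table in com.apple.LaunchServices.QuarantineEventsV2, timestamps are Cocoa epoch seconds (since 2001-01-01 UTC), and the database and its rows (including the hypothetical `c=` campaign parameter) are constructed in memory.

```python
"""Pull download provenance from the LaunchServices quarantine database.

Added example, not from the original post. On a live Mac the database is
~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2; here it is
built in memory with constructed rows so the code runs offline.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

QUARANTINE_DB = "~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_datetime(seconds):
    """LSQuarantineTimeStamp is seconds since the Cocoa epoch, not the Unix epoch."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def open_sample_db():
    """Constructed stand-in for the real quarantine database (subset of its columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE LSQuarantineEvent (
        LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL,
        LSQuarantineTimeStamp REAL,
        LSQuarantineAgentBundleIdentifier TEXT,
        LSQuarantineAgentName TEXT,
        LSQuarantineDataURLString TEXT,
        LSQuarantineOriginURLString TEXT)""")
    rows = [  # constructed sample rows; the hosts are illustrative
        ("E1", 635000000.0, "com.apple.Safari", "Safari",
         "https://example.test/dl/update.pkg?c=1234", "https://example.test/landing"),
        ("E2", 635000100.0, "com.apple.Safari", "Safari",
         "https://example.test/dl/updater.pkg?c=5678", "https://example.test/landing"),
        ("E3", 634000000.0, "com.google.Chrome", "Google Chrome",
         "https://other.test/tool.dmg", "https://other.test/"),
    ]
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?)", rows)
    return conn


def download_events(conn, filename_suffix=".pkg"):
    """Return (time, agent, data_url, origin_url) for downloads whose URL path ends with the suffix, newest first."""
    cur = conn.execute("""SELECT LSQuarantineTimeStamp, LSQuarantineAgentName,
                                 LSQuarantineDataURLString, LSQuarantineOriginURLString
                          FROM LSQuarantineEvent
                          WHERE LSQuarantineDataURLString IS NOT NULL
                          ORDER BY LSQuarantineTimeStamp DESC""")
    events = []
    for ts, agent, data_url, origin in cur:
        if urlsplit(data_url).path.endswith(filename_suffix):
            events.append((cocoa_to_datetime(ts), agent, data_url, origin))
    return events


def campaign_id(url, param="c"):
    """Read a query-string tag from a download URL (the hypothetical affiliate/campaign parameter adware installers key on)."""
    return parse_qs(urlsplit(url).query).get(param, [None])[0]


if __name__ == "__main__":
    for when, agent, url, origin in download_events(open_sample_db()):
        print(when.isoformat(), agent, url, "campaign:", campaign_id(url), "from:", origin)
```

To run it against a real profile, replace `open_sample_db()` with `sqlite3.connect(os.path.expanduser(QUARANTINE_DB))` on a copy of the file; the live database may be locked by LaunchServices.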

4. Am I Protected from Silver Sparrow?

None of the above is a reason not to be concerned. Adware and PUPs are nuisances at best and security concerns at worst. Fortunately, there is very little risk of infection from this threat at the current time.

SentinelOne customers are protected from all known samples of Silver Sparrow, and we are actively engaged in tracking and blocking any new variants of this threat. If you are not a SentinelOne customer yet, the good news is that there is a universal kill switch that can keep you protected. The Silver Sparrow persistence agent runs a program that uninstalls the malware in the event that a certain zero-byte file exists in the user’s Library folder.

You can create such a file using the touch command, like so:

touch ~/Library/._insu

Again, it is worth reiterating that none of the known samples are capable of either installing or delivering a payload, so even unprotected users who may previously have run the Silver Sparrow installer before it was blocked cannot now receive a payload.

5. How Can I Threat Hunt for Silver Sparrow Attempts?

Despite the fact that Silver Sparrow has no known payload, the mechanism is an interesting proof of concept. Security teams and individuals can look for the following indicators of compromise:

File Paths

/tmp/version.plist
/tmp/version.json
/tmp/agent
~/Library/Application Support/verx_updater/verx.sh
~/Library/LaunchAgents/init_verx.plist
~/Library/LaunchAgents/verx.plist
~/Library/LaunchAgents/init_agent.plist
~/Library/Application Support/agent_updater

Hashes (SHA-1)

0a38080d4101dccf056434348527835633dd589c ./agent.sh
1cfad5b29b12f3c27ad9efb84524532e27407547 ./init_agent.plist
debbb192798bb1c89d935257972498278885ccec ./com.tasks.updater
63c9506d704ee873a75abe18163122fcfe114cc5 ./update.pkg
0a2f947b5c844713b7c55188aa2e47917945816e ./updater.pkg
eca8a2fdb052676e96b56fe3559694eab3fe87bc Distribution
c03805a7b2ef8401f4b2c44698f361fb5fa03672 Distribution

URLs

hxxps://mobiletraits[.]s3.amazonaws.com/
hxxps://specialattributes[.]s3.amazonaws.com/
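The indicators listed above, and the kill switch described in section 4, can be folded into one host-side check. The script below is an added example, not code from the original post or from the researchers who published the indicators: it reports which of the listed paths exist under a given home directory, hashes any files it finds (plus any extra files you hand it, such as downloaded .pkg installers) against the SHA-1 list, reports whether the kill-switch file is present, and can create it. The `home` and `tmp` parameters are assumptions introduced so the scan can be pointed at a mounted image or a test directory rather than the live system; `build_sample_profile()` lays down a constructed profile for that purpose.

```python
"""Hunt a macOS user profile for Silver Sparrow artifacts and arm the kill switch.

Added example, not from the original post. Uses only the paths, SHA-1 hashes
and kill-switch location quoted in the post. `home`/`tmp` replace "~" and
"/tmp" so the scan can run against an offline image or a test directory.
"""
import hashlib
import os
import tempfile

# Indicator paths from the post.
IOC_PATHS = [
    "/tmp/version.plist",
    "/tmp/version.json",
    "/tmp/agent",
    "~/Library/Application Support/verx_updater/verx.sh",
    "~/Library/LaunchAgents/init_verx.plist",
    "~/Library/LaunchAgents/verx.plist",
    "~/Library/LaunchAgents/init_agent.plist",
    "~/Library/Application Support/agent_updater",
]

# SHA-1 hashes from the post (40 hex digits), keyed to the filename reported with them.
IOC_SHA1 = {
    "0a38080d4101dccf056434348527835633dd589c": "agent.sh",
    "1cfad5b29b12f3c27ad9efb84524532e27407547": "init_agent.plist",
    "debbb192798bb1c89d935257972498278885ccec": "com.tasks.updater",
    "63c9506d704ee873a75abe18163122fcfe114cc5": "update.pkg",
    "0a2f947b5c844713b7c55188aa2e47917945816e": "updater.pkg",
    "eca8a2fdb052676e96b56fe3559694eab3fe87bc": "Distribution",
    "c03805a7b2ef8401f4b2c44698f361fb5fa03672": "Distribution",
}

# Zero-byte file whose presence makes the persistence agent uninstall the malware.
KILL_SWITCH = "~/Library/._insu"


def _resolve(ioc, home, tmp):
    """Map "~/..." onto `home` and "/tmp/..." onto `tmp`."""
    if ioc.startswith("~/"):
        return os.path.join(home, ioc[2:])
    if ioc.startswith("/tmp/"):
        return os.path.join(tmp, ioc[5:])
    return ioc


def sha1_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(home, tmp="/tmp", extra_files=()):
    """Report present IoC paths, files matching a known hash, and kill-switch status."""
    present = [p for p in (_resolve(i, home, tmp) for i in IOC_PATHS) if os.path.lexists(p)]
    candidates = [p for p in present if os.path.isfile(p)]
    candidates += [p for p in extra_files if os.path.isfile(p)]
    matches = []
    for p in candidates:
        digest = sha1_file(p)
        if digest in IOC_SHA1:
            matches.append((p, digest, IOC_SHA1[digest]))
    return {
        "present_paths": present,
        "hash_matches": matches,
        "kill_switch_present": os.path.exists(_resolve(KILL_SWITCH, home, tmp)),
    }


def arm_kill_switch(home):
    """Create the zero-byte ~/Library/._insu file (same effect as `touch ~/Library/._insu`)."""
    path = _resolve(KILL_SWITCH, home, "/tmp")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "ab"):
        pass
    return path


def build_sample_profile():
    """Constructed test profile: one planted LaunchAgent plist and an empty /tmp/agent."""
    home, tmp = tempfile.mkdtemp(), tempfile.mkdtemp()
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    plist = os.path.join(agents, "init_verx.plist")
    with open(plist, "w") as f:
        f.write("<plist/>")  # constructed content, not the real agent plist
    open(os.path.join(tmp, "agent"), "wb").close()
    return home, tmp, plist


if __name__ == "__main__":
    report = hunt(os.path.expanduser("~"))
    print(report)
```

Run as written it scans the current user; for a forensic image, pass the mounted user directory as `home` and the image’s `/private/tmp` as `tmp`. A hash match on a planted file is only expected for the exact samples listed; new variants would show up as present paths without a hash match.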

Conclusion

Silver Sparrow represents a novel infection mechanism but to date has no known malicious payload. While users are right to be concerned about any new threat that appears to bypass static signature mechanisms, current evidence suggests that Silver Sparrow is a proof of concept set up by an actor looking to sell an install mechanism to adware/PPI clients.



Winning enterprise sales teams know how to persuade the Chief Objection Officer

Many enterprise software startups at some point have faced the invisible wall. For months, your sales team has done everything right. They’ve met with a prospect several times, provided them with demos, free trials, documentation and references, and perhaps even signed a provisional contract.

The stars are all aligned and then, suddenly, the deal falls apart. Someone has put the kibosh on the entire project. Who is this deal-blocker and what can software companies do to identify, support and convince this person to move forward with a contract?

I call this person the Chief Objection Officer.

Most software companies spend a lot of time and effort identifying their potential buyers and champions within an organization. They build personas and do targeted marketing to these individuals and then fine-tune their products to meet their needs. These targets may be VPs of engineering, data leaders, CTOs, CISOs, CMOs or anyone else with decision-making authority. But what most software companies neglect to do during this exploratory phase is to identify the person who may block the entire deal.

This person is the anti-champion with the power to scuttle a potential partnership. Like your potential deal-makers, these deal-breakers can have any title with decision-making power. Chief Objection Officers aren’t simply potential buyers who end up deciding your product is not the right fit, but are instead blockers-in-chief who can make departmentwide or companywide decisions. Thus, it’s critical for software companies to identify the Chief Objection Officers that might block deals and, then, address their concerns.

So how do you identify the Chief Objection Officer? The trick is to figure out the main pain points that arise for companies when considering deploying your solution, and then walk backward to figure out which person these challenges impact the most. Here are some common pain points that your potential customers may face when considering your product.

Change is hard. Never underestimate the power of the status quo. Does implementing your product in one part of an organization, such as IT, force another department, such as HR, to change how they do their daily jobs?

Think about which leaders will be most reluctant to make changes; these Chief Objection Officers will likely not be your buyers, but instead the heads of departments most impacted by the implementation of your software. For example, a marketing team may love the ad targeting platform they use and thus a CMO will balk at new database software that would limit or change the way customer segment data is collected. Or field sales would object to new security infrastructure software that makes it harder for them to access the company network from their phones. The head of the department that will bear the brunt of change will often be a Chief Objection Officer.

Is someone’s job on the line?

Another common pain point when deploying a new software solution is that one or more jobs may become obsolete once it’s up and running. Perhaps your software streamlines and outsources most of a company’s accounts payable processes. Maybe your SaaS solution will replace an on-premise homegrown one that a team of developers has built and nurtured for years.

The Good, the Bad and the Ugly in Cybersecurity – Week 8

The Good

This week was another successful week with regards to law enforcement operations against ransomware actors. Early in the week, news broke regarding the arrest of an Egregor ransomware operation running out of Ukraine. The individuals were affiliate operators as opposed to the actual ‘authors’ or ‘source’ of the ransomware.

The arrests were part of a joint operation between French and Ukrainian law enforcement agencies. It is said that the apprehended individuals were responsible for affiliate-based deployment of Egregor ransomware, along with the relevant breaching of the targeted environment.

Egregor has been utilized in numerous high-profile attacks over the last six months. It has also been associated with other malware families and is often observed being used in tandem with these threats (e.g., Qbot). It is not confirmed to be related, but the Egregor payment portal and victim blogs (both Tor-based and clearnet) have been down for weeks. The momentum of Egregor has definitely slowed and taken a hit, at least partially due to these law enforcement operations. It remains to be seen what the future holds for Egregor, but at the moment it appears to be left for dead. It may be that the threat actors are also moving away to newer platforms, as they did from Maze. We will be watching these groups closely in the coming weeks.

The Bad

This week, CISA (Cybersecurity and Infrastructure Security Agency) released Alert AA21-048A. This is the latest joint alert covering malicious activity out of North Korea. Specifically, the alert covers AppleJeus, a well-known tool in the arsenal of the DPRK-linked Lazarus Group used for cryptocurrency theft. This latest advisory comes to us from the FBI, CISA, and the Department of the Treasury.

According to the alert, Lazarus has been launching targeted cryptocurrency-stealing operations in over 30 countries in the past year alone but has a much longer history going back to at least 2018. The malware is delivered via specially-crafted cryptocurrency trading applications (JMT Trading, Celas Trade Pro, UnionCrypto, Kupay Wallet, CoinGoTrade, Dorusio, Ants2Whale).

gif image of Lazarus JMT Trader malware

For extra credibility, the threat actors built custom websites on domains with valid TLS certificates to fool unwary crypto users into using the malicious apps, which were fully functional and based on copies of open-source cryptocurrency exchange programs like Q.T. Bitcoin Trader and Blackbird Bitcoin Arbitrage.

While much of the alert focuses on the macOS platform, it should be noted that there are Windows variants of the malware as well. The alert covers, in detail, seven versions of the cryptocurrency-thieving malware and includes a number of IOCs and other actionable intelligence data. We recommend that all review the latest alert, and stay on top of all malicious behavior coming from the Lazarus APT group.

The Ugly

In this day and age, there is no shortage of ransomware attacks, and this week it was revealed that Kia Motors America had been targeted and infected with DoppelPaymer ransomware.

This past Saturday, Kia noted a widespread outage of many critical systems. The effects were felt internally and externally as the attack also affected the use of many of the company’s mobile applications. In addition, all U.S. dealer-specific platforms, IT Servers, phone-based support systems, and self-payment phone systems were affected by the attack. While availability of Kia systems and services across the United States has been severely impacted, international systems appear to be less affected.

As these attacks become more prevalent, we are increasingly seeing ‘household names’ on the victim list. Once again, this highlights the critical need for quality preventative controls. Attackers knowingly target vulnerable systems even when certain security tools are installed, because they know those tools are trivial to bypass.

In this ongoing cat and mouse game, it is vital to have full visibility across your environment, along with a trusted XDR platform. Mix that with regular and continually updated user education (how to spot phishing attacks and similar) and we are all in a much better position to prevent these attacks altogether.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

The Good, the Bad and the Ugly in Cybersecurity – Week 8

The Good

This week was another successful week with regards to law enforcement operations against ransomware actors. Early in the week, news broke regarding the arrest of an Egregor ransomware operation running out of the Ukraine. The individuals were affiliate operators as opposed to the actual ‘authors’ or ‘source’ of the ransomware.

The arrests were part of a joint operation between French and Ukrainian law enforcement agencies. It is said that the apprehended individuals were responsible for affiliate-based deployment of Egregor ransomware, along with the relevant breaching of the targeted environment.

Egregor has been utilized in numerous high-profile attacks over the last 6 months. It has also been associated with other malware families and is often observed being used in tandem with these threats (e.g., Qbot). It is not confirmed to be related, but the Egregor payment portal and victim blogs (both TOR-based and clearnet) have been down for weeks. The momentum of Egregor has definitely slowed and taken a hit, at least partially due to these law enforcement operations. It remains to be seen what the future holds for Egregor, but at the moment, it appears to be left-for-dead. It may be that the threat actors are also moving away to newer platforms, as they did from Maze. We will be watching these groups closely in the coming weeks.

The Bad

This week, CISA (the Cybersecurity and Infrastructure Security Agency) released Alert AA21-048A, the latest joint alert covering malicious activity out of North Korea. Specifically, the alert covers AppleJeus, a well-known tool in the arsenal of the DPRK-sponsored Lazarus Group, used for cryptocurrency theft. The advisory was issued jointly by the FBI, CISA and the Department of the Treasury.

According to the alert, Lazarus has launched targeted cryptocurrency-stealing operations in over 30 countries in the past year alone, but the campaign has a much longer history going back to at least 2018. The malware is delivered via specially crafted cryptocurrency trading applications (JMT Trading, Celas Trade Pro, UnionCrypto, Kupay Wallet, CoinGoTrade, Dorusio, Ants2Whale).

[Image: Lazarus JMT Trader malware]

For extra credibility, the threat actors built custom websites on domains with valid TLS certificates to fool unwary crypto users into installing the malicious apps. The apps themselves were fully functional, built from copies of open-source cryptocurrency trading programs such as Qt Bitcoin Trader and Blackbird Bitcoin Arbitrage. Worth remembering: a valid certificate only proves that whoever set up the site controls the domain name, and a working application proves only that the attackers kept the original features intact; neither says anything about what else the build does.

While much of the alert focuses on macOS, there are Windows variants of the malware as well. The alert covers seven versions of the cryptocurrency-stealing malware in detail and includes IOCs and other actionable intelligence. We recommend that everyone review the latest alert and stay on top of the malicious activity coming from the Lazarus APT group.

The Ugly

There is no shortage of ransomware attacks these days, and this week it was revealed that Kia Motors America had been hit with DoppelPaymer ransomware.

This past Saturday, Kia noted a widespread outage of many critical systems. The effects were felt internally and externally, as the attack also affected many of the company’s mobile applications. In addition, all U.S. dealer-specific platforms, IT servers, phone-based support systems and self-payment phone systems were affected. While availability of Kia systems and services across the United States was severely impacted, international systems appear to have been less affected.

As these attacks become more prevalent, we are increasingly seeing ‘household names’ on the victim list. Once again, this highlights the critical need for quality preventative controls. Attackers knowingly target vulnerable systems even where security tools are installed, because they know that many such tools can be bypassed.

In this ongoing cat and mouse game, it is vital to have full visibility across your environment, along with a trusted XDR platform. Mix that with regular and continually updated user education (how to spot phishing attacks and similar) and we are all in a much better position to prevent these attacks altogether.


SailPoint is buying SaaS management startup Intello

SailPoint, an identity management company that went public in 2017, announced that it is acquiring Intello, an early-stage SaaS management startup. The two companies did not share the purchase price.

SailPoint believes that by helping its customers locate all of the SaaS tools being used inside a company, it can help IT make the company safer. Part of the problem is that it’s so easy for employees to deploy SaaS tools without IT’s knowledge, and Intello gives them more visibility and control.

In fact, the term “shadow IT” developed over the last decade to describe this ability to deploy software outside of the purview of IT pros. With a tool like Intello, they can now find all of the SaaS tools and point the employees to sanctioned ones, while shutting down services the security pros might not want folks using.

Grady Summers, EVP of product at SailPoint, says that this problem has become even more pronounced during the pandemic as many companies have gone remote, making it even more challenging for IT to understand what SaaS tools employees might be using.

“This has led to a sharp rise in ungoverned SaaS sprawl and unprotected data that is being stored and shared within these apps. With little to no visibility into what shadow access exists within their organization, IT teams are further challenged to protect from the cyber risks that have increased over the past year,” Summers explained in a statement. He believes that with Intello in the fold, it will help root out that unsanctioned usage and make companies safer, while also helping them understand their SaaS spend better.

Intello has always seen itself as a way to increase security and compliance and has partnered in the past with other identity management tools like Okta and OneLogin. The company was founded in 2017 and raised $5.8 million according to Crunchbase data. That included a $2.5 million extended seed in May 2019.

Yesterday, another SaaS management tool, Torii, announced a $10 million Series A. Other players in the SaaS management space include BetterCloud and Blissfully, among others.

Ironclad’s Jason Boehmig: The objective of pricing is to become less wrong over time

In 2017, Ironclad founder and CEO Jason Boehmig was looking to raise a Series A. As a former lawyer, Boehmig had a specific process for fundraising and an ultimate goal of finding the right investors for his company.

Part of Boehmig’s process was to ask people in the San Francisco Bay Area about their favorite place to work. Many praised RelateIQ, a company founded by Steve Loughlin who had sold it to Salesforce for $390 million and was brand new to venture at the time.

“I wanted to meet Steve and had kind of put two and two together,” said Boehmig. “I was like, ‘There’s this founder I’ve been meaning to connect with anyways, just to pick his brain, about how to build a great company, and he also just became an investor.’”

On this week’s Extra Crunch Live, the duo discussed how the Ironclad pitch excited Loughlin about leading the round. (So excited, in fact, he signed paperwork in the hospital on the same day his child was born.) They also discussed how they’ve managed to build trust by working through disagreements and the challenges of pricing and packaging enterprise products.

As with every episode of Extra Crunch Live, they also gave feedback on pitch decks submitted by the audience. (If you’d like to see your deck featured on a future episode, send it to us using this form.)

We record Extra Crunch Live every Wednesday at 12 p.m. PST/3 p.m. EST/8 p.m. GMT. You can see our past episodes here and check out the March slate right here.

Episode breakdown:

  • The pitch — 2:30
  • How they operate — 23:00
  • The problem of pricing — 29:00
  • Pitch deck teardown — 35:00

The pitch

When Boehmig came in to pitch Accel, Loughlin remembers feeling ambivalent. He had heard about the company and knew a former lawyer was coming in to pitch a legal tech company. He also trusted the reference who had introduced him to Boehmig, and thought, “I’ll take the meeting.”

Then, Boehmig dove into the pitch. The company had about a dozen customers that were excited about the product, and a few who were expanding use of the product across the organization, but it wasn’t until the ultimate vision of Ironclad was teased that Loughlin perked up.

Loughlin realized that the contract can be seen as a core object that could be used to collaborate horizontally across the enterprise.

“That was when the lightbulb went off and I realized this is actually much bigger,” said Loughlin. “This is not a legal tech company. This is core horizontal enterprise collaboration in one of the areas that has not been solved yet, where there is no great software yet for legal departments to collaborate with their counterparts.”

He listed all the software that those same counterparts had to let them collaborate: Salesforce, Marketo, Zendesk. Any investor would be excited to hear that a potential portfolio company could match the likes of those behemoths. Loughlin was hooked.

“There was a slide that I’m guessing Jason didn’t think much of, as it was just the data around the business, but I got pretty excited about it,” said Loughlin. “It said, for every legal user Ironclad added, they added nine other users from departments like sales, marketing, customer service, etc. It was evidence that this theory of collaboration could be true at scale.”

Mexican Politician Removed Over Alleged Ties to Romanian ATM Skimmer Gang

The leader of Mexico’s Green Party has been removed from office following allegations that he received money from a Romanian ATM skimmer gang that stole hundreds of millions of dollars from tourists visiting Mexico’s top tourist destinations over the past five years. The scandal is the latest fallout stemming from a three-part investigation into the organized crime group by KrebsOnSecurity in 2015.

Image: One of the Bluetooth-enabled PIN pads pulled from a compromised ATM in Mexico. The two components on the left are legitimate parts of the machine. The fake PIN pad, made to be slipped under the legitimate PIN pad on the machine, is the orange component at top right. The Bluetooth and data storage chips are in the middle.

Jose de la Peña Ruiz de Chávez, who leads the Green Ecologist Party of Mexico (PVEM), was dismissed this month after it was revealed that his were among 79 bank accounts seized as part of an ongoing law enforcement investigation into a Romanian organized crime group that owned and operated an ATM network throughout the country.

In 2015, KrebsOnSecurity traveled to Mexico’s Yucatan Peninsula to follow up on reports about a massive spike in ATM skimming activity that appeared centered around some of the nation’s primary tourist areas.

That three-part series concluded that Intacash, an ATM provider owned and operated by a group of Romanian citizens, had been paying technicians working for other ATM companies to install sophisticated Bluetooth-based skimming devices inside cash machines throughout the Quintana Roo region of Mexico, which includes Cancun, Cozumel, Playa del Carmen and Tulum.

Unlike most skimmers — which can be detected by looking for out-of-place components attached to the exterior of a compromised cash machine — these skimmers were hooked to the internal electronics of ATMs operated by Intacash’s competitors by authorized personnel who’d reportedly been bribed or coerced by the gang.

But because the skimmers were Bluetooth-based — allowing thieves periodically to collect stolen data just by strolling up to a compromised machine with a mobile device — KrebsOnSecurity was able to detect which ATMs had been hacked using nothing more than a cheap smart phone.

In a series of posts on Twitter, De La Peña denied any association with the Romanian organized crime gang, and said he was cooperating with authorities.

But it is likely the scandal will ensnare a number of other important figures in Mexico. According to a report in the Mexican publication Expansion Politica, the official list of bank accounts frozen by the Mexican Ministry of Finance include those tied to the notary Naín Díaz Medina; the owner of the Quequi newspaper, José Alberto Gómez Álvarez; the former Secretary of Public Security of Cancun, José Luis Jonathan Yong; his father José Luis Yong Cruz; and former governors of Quintana Roo.

In May 2020, the Mexican daily Reforma reported that the skimming gang enjoyed legal protection from a top anti-corruption official in the Mexican attorney general’s office.

The following month, my reporting from 2015 emerged as the primary focus of a documentary published by the Organized Crime and Corruption Reporting Project (OCCRP) into Intacash and its erstwhile leader — 44-year-old Florian “The Shark” Tudor. The OCCRP’s series painted a vivid picture of a highly insular, often violent transnational organized crime ring (referred to as the “Riviera Maya Gang”) that controlled at least 10 percent of the $2 billion annual global market for skimmed cards.

It also details how the group laundered their ill-gotten gains, and is alleged to have built a human smuggling ring that helped members of the crime gang cross into the U.S. and ply their skimming trade against ATMs in the United States. Finally, the series highlights how the Riviera Maya gang operated with impunity for several years by exploiting relationships with powerful anti-corruption officials in Mexico.

In 2019, police in Mexico arrested Tudor for illegal weapons possession, and raided his various properties there in connection with an investigation into the 2018 murder of his former bodyguard Constantin Sorinel Marcu.

According to prosecution documents, Marcu and The Shark spotted my reporting shortly after it was published in 2015, and discussed what to do next on a messaging app:

The Shark: Krebsonsecurity.com See this. See the video and everything. There are two episodes. They made a telenovela.

Marcu: I see. It’s bad.

The Shark: They destroyed us. That’s it. Fuck his mother. Close everything.

The intercepted communications indicate The Shark also wanted revenge on whoever was responsible for leaking information about their operations.

The Shark: Tell them that I am going to kill them.

Marcu: Okay, I can kill them. Any time, any hour.

The Shark: They are checking all the machines. Even at banks. They found over 20.

Marcu: Whaaaat?!? They found? Already??

Since the OCCRP published its investigation, KrebsOnSecurity has received multiple death threats. One was sent from an email address tied to a Romanian programmer and malware author who is active on several cybercrime forums. It read:

“Don’t worry.. you will be killed you and your wife.. all is matter of time amigo :)”

To Be Continued…

How End Of Life Products Put Enterprises At Risk

The software stack used by enterprises can be an extensive one, comprising legacy software, commercial enterprise software, open-source software and a mixture of on-premises and cloud deployments. What all of these have in common is the need to be maintained and kept up to date. Failing to do so can cause operational problems (such as malfunctions), but more importantly, poorly maintained software can expose the organization to severe security risks.

‘End of Life’ (EOL) should mean what it says: vendors mark software in a specific way that tells organizations not only that it is no longer supported but also that it should no longer be deployed. Yet in almost any medium to large-sized organization, EOL software can be found, and sometimes even abounds, across the enterprise, exposing the entire business to risk. Why do so many enterprises fail to heed the vendors’ warnings, and what are the dangers of doing so?

A Case Study: Accellion FTA

Accellion FTA (File Transfer Appliance) was the attack vector in several recent high-profile breaches, including those of the Singaporean telecom company Singtel, the Australian medical research institute QIMR Berghofer, the Washington state auditor, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, and the University of Colorado.
 
All these entities were using Accellion’s FTA, an old software application used to store and share large files. If you’re not familiar with it, think Box, Dropbox or Google Drive, but much, much older, dating back to the early 2000s. Enterprises would buy an FTA license, install the software on their own servers, and use it to enable the storing and sharing of large files with customers and employees. A typical use case for such software back then would be transferring files too large to be sent over email, a service that nowadays is so common that most businesses already have other solutions. 

Accellion FTA is a legacy product that the vendor has already replaced with Accellion Kiteworks, but many organizations evidently kept using the old version, perhaps never realizing it was still installed on some forgotten server.

As often happens with products that have been on the market for a long time, people eventually find previously undiscovered vulnerabilities. In this case, it was an SQL injection vulnerability that enabled attackers to upload and install a webshell, giving them the ability to download files stored on the Accellion FTA server (and to clean up after themselves).

News of the attacks caught Accellion in the midst of migrating clients to its newer platform. It has since released emergency patches, urged existing FTA users to move to the new products and issued an end-of-life announcement for FTA effective April 30, 2021.

It is unclear whether Accellion had planned to retire the product at that time anyway or chose to do so now because of the recent vulnerabilities. Either way, we can expect that the official retirement of the product will not put an end to its exploitation: unpatched FTA instances that remain online will still be reachable and still vulnerable.
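The Accellion details above are all this article gives, so the following is an added illustration of the vulnerability class rather than Accellion’s code: a toy file-sharing lookup in Python against an in-memory SQLite database (the tables, users, passwords and file names are constructed for the example, and plaintext passwords are a simplification of the toy, not a recommendation). The vulnerable version splices the caller’s credentials into the SQL string; the hardened version passes them as bound parameters. The attack input is a classic tautology payload and needs no valid account at all.

```python
import sqlite3

# Constructed sample data for a toy "file share" with per-user files. This is
# an illustration of the bug class only, not Accellion's schema or code.
# Plaintext passwords are a simplification for the toy.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]
FILES = [("alice", "q4-forecast.xlsx"), ("bob", "payroll.csv")]


def build_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("CREATE TABLE files (owner TEXT, filename TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO files VALUES (?, ?)", FILES)
    return conn


def list_files_vulnerable(conn, user, password):
    """Deliberately vulnerable: credentials are spliced into the SQL text, so
    quotes and keywords in `password` become part of the query itself."""
    sql = (
        "SELECT f.filename FROM files f JOIN users u ON u.name = f.owner "
        f"WHERE u.name = '{user}' AND u.password = '{password}' "
        "ORDER BY f.filename"
    )
    return [row[0] for row in conn.execute(sql)]


def list_files_hardened(conn, user, password):
    """Parameterized: the SQL text is fixed and the values travel separately,
    so a quote in `password` is only ever compared as data."""
    sql = (
        "SELECT f.filename FROM files f JOIN users u ON u.name = f.owner "
        "WHERE u.name = ? AND u.password = ? "
        "ORDER BY f.filename"
    )
    return [row[0] for row in conn.execute(sql, (user, password))]


def demo():
    """Run both variants with a real login and with a tautology payload."""
    conn = build_db()
    # AND binds tighter than OR, so the WHERE clause becomes
    # (name = 'nobody' AND password = '') OR '1'='1', which is always true.
    payload = "' OR '1'='1"
    return {
        "legit_vuln": list_files_vulnerable(conn, "alice", "s3cret"),
        "attack_vuln": list_files_vulnerable(conn, "nobody", payload),
        "legit_hard": list_files_hardened(conn, "alice", "s3cret"),
        "attack_hard": list_files_hardened(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for case, files in demo().items():
        print(f"{case:<12} -> {files}")
```

Run it and the vulnerable query hands every file in the database to a user who does not exist, while the parameterized query returns nothing. In the FTA attacks the injection was only the first step before a webshell was uploaded; closing this bug class with bound parameters (and running the application’s database account with the least privilege it needs) takes that first step away.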

So What’s The Problem With Older Software? 

You tried it, you bought it, and it still works all these years later. What’s not to like about software that lasts? Alas, the problems with using older software products are numerous. 

First, many of these products were released when testing methodologies were different and before bug bounty programs became popular. This means they likely did not undergo the kind of rigorous testing, in particular the automated fuzzing, that modern vulnerability researchers (and threat actors) use. If someone were to test these old products with contemporary tools, they might well find vulnerabilities the vendor missed back then.

Second, vendors rarely bother to issue security updates for discontinued products. Why would they? They want you to buy their latest offering, and “end of life” and “unsupported” mean what they say. Thus, even when new vulnerabilities are found, affected products are unlikely to receive patches.

Older software products might also suffer from operational issues such as lack of compatibility with newer products or protocols, poor reliability and higher maintenance costs when, for example, that software itself has either hardware, OS or other software dependencies.

Furthermore, older products may not be compatible with today’s compliance requirements or with insurance requirements, leaving the enterprise open to liability claims in the event of a breach.

No Pain, No Change – The Lure of Legacy Software

Despite all this, a global PC Trends Report found that 55% of all programs worldwide were out of date, and many operating systems in current use were out of date too. Why, then, do enterprises continue with legacy software?

There is no single answer, but it is often one or more of several factors, such as budget saving, lack of awareness and sometimes pure institutional inertia: if the organization is not seeing (or aware of) operational issues, there’s likely to be little incentive to “fix what ain’t broken”. No pain, no change. 

It’s also often easier to continue using the same, familiar technology stack across users, administrators and clients where there are long-standing workflows that no one wants to disrupt. 

Another factor: the perceived (if false) economy that replacing something that “still works” is an unnecessary and unwanted expense. 

Put any one or more of those together with an organization that is unaware either of the dangers or of the existence of legacy software still in use, and you have a recipe for increased enterprise risk: an exploitation waiting to happen.

The Easiest Route To Exploitation

As noted, out-of-date software is a security risk, and attackers know it and seek to exploit it. The most famous example is the WannaCry attack of May 2017. After NSA hacking tools were leaked online, notably the EternalBlue SMBv1 exploit, they were quickly leveraged to deploy new, wormable ransomware. Microsoft had already patched the underlying vulnerability (MS17-010) for all supported versions of Windows two months before the attack; patches for out-of-support versions such as Windows XP and Windows Server 2003 were only published after the outbreak began. Alas, thousands of organizations had not installed the patch, or were still running unsupported systems, and were hit as a result.

More recent incidents (in addition to Accellion FTA) include the attack in early February 2021 on a Florida water treatment plant that was running the obsolete 32-bit version of Windows 7, and even the famous incident of Texas attorney Rod Ponton’s “feline” appearance before a court, which was due to a 10-year-old laptop with avatar-augmenting software installed (likely Live! Cam Avatar or CrazyTalk 4) that he was unaware of until catlike features appeared on his face.

What Lies Ahead?

Given how poorly organizations have dealt with replacing older products in the past, it is very unlikely that many will do much better in the future, and for every one that doesn’t, history teaches that a breach is a real possibility. Organizations should recognize this is a significant security risk and treat it as such. Mitigating this risk involves awareness, preparation, and if needed, response.

A proper inventory of all IT assets and the software versions installed on them is the first step. Follow that up by identifying which products are already obsolete and which are about to reach end of life, then decide if and how to replace them. Such products include Adobe Flash Player (end of life since December 31, 2020), Windows 7 (out of support since January 14, 2020) and older Windows 10 feature releases. Be aware that on May 11, 2021, the Home, Pro, Pro Education and Pro for Workstations editions of Windows 10 version 1909, and all editions of Windows Server version 1909, reach end of service.
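As an added example (not from the original article and not any vendor’s tool), here is a Python audit that joins an asset inventory against a table of published end-of-life dates and ranks what needs attention first. The host names and inventory rows are constructed; the EOL dates are the vendor-published ones, with the Accellion FTA date taken from this article. An asset whose product and version are not in the table is reported as UNKNOWN, which should be read as a gap in the table, not as “supported”.

```python
from datetime import date, timedelta

# Vendor-published end-of-life / end-of-service dates. "*" matches any version
# of the product. The Accellion FTA date is the one announced in this article.
EOL_DATES = {
    ("Windows 7", "*"): date(2020, 1, 14),
    ("Windows 10", "1909"): date(2021, 5, 11),
    ("Windows Server", "1909"): date(2021, 5, 11),
    ("Adobe Flash Player", "*"): date(2020, 12, 31),
    ("Accellion FTA", "*"): date(2021, 4, 30),
}

# Constructed sample inventory: (host, product, version), the shape an asset
# discovery tool or a CSV export would give you. None of these hosts are real.
INVENTORY = [
    ("fileshare-01", "Accellion FTA", "9.12"),
    ("kiosk-03", "Windows 7", "SP1"),
    ("laptop-117", "Windows 10", "1909"),
    ("laptop-118", "Windows 10", "20H2"),
    ("dc-02", "Windows Server", "2019"),
    ("hr-ws-04", "Adobe Flash Player", "32.0.0.465"),
]

# Most urgent first when sorting a report.
STATUS_ORDER = {"EOL": 0, "APPROACHING": 1, "UNKNOWN": 2, "SUPPORTED": 3}


def lookup_eol(product, version):
    """EOL date for an exact product/version, else the product-wide date, else None."""
    return EOL_DATES.get((product, version)) or EOL_DATES.get((product, "*"))


def classify(eol, today, warn_days=90):
    """EOL if the date has passed, APPROACHING if within warn_days, UNKNOWN if untracked."""
    if eol is None:
        return "UNKNOWN"
    if eol <= today:
        return "EOL"
    if eol - today <= timedelta(days=warn_days):
        return "APPROACHING"
    return "SUPPORTED"


def audit(inventory, today, warn_days=90):
    """Classify each asset; `today` may be a date or an ISO string like '2021-02-19'."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for host, product, version in inventory:
        eol = lookup_eol(product, version)
        rows.append({
            "host": host, "product": product, "version": version,
            "eol": eol, "status": classify(eol, today, warn_days),
        })
    # Urgency first, then nearest EOL date, then host name for a stable report.
    rows.sort(key=lambda r: (STATUS_ORDER[r["status"]], r["eol"] or date.max, r["host"]))
    return rows


def summarize(rows):
    """Count assets per status, e.g. {'EOL': 2, 'APPROACHING': 2, 'UNKNOWN': 2}."""
    counts = {}
    for r in rows:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


if __name__ == "__main__":
    report = audit(INVENTORY, "2021-02-19")
    for r in report:
        eol = r["eol"].isoformat() if r["eol"] else "n/a"
        print(f"{r['status']:<12} {r['host']:<13} {r['product']} {r['version']:<11} EOL {eol}")
    print(summarize(report))
```

With the report dated to the week of this article, the Windows 7 kiosk and the Flash install come out as already EOL, the FTA server and the 1909 laptop as approaching within the 90-day window, and the two untracked entries as UNKNOWN. In practice the EOL table is the part that needs feeding (from vendor lifecycle pages) as new versions show up in the inventory; an UNKNOWN that stays UNKNOWN is exactly the forgotten server the article warns about.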


Tools like SentinelOne Ranger can assist in mapping existing assets and their associated software versions.

Organizations are also advised to keep up with vendor updates and patches, especially for security products (some of which have harbored hidden critical security flaws for years). A next-gen security platform is also a prerequisite for containing an attacker who does find a way inside by exploiting vulnerabilities in older products.

How Can SentinelOne Help?

SentinelOne provides one platform to prevent, detect, respond, and hunt threats across all enterprise assets. See what has never been seen before. Control the unknown. All at machine speed.

Want to learn more about defending your organization? Contact us for more information or request a free demo.