Salesforce, AWS announce extended partnership with further two-way integration

Salesforce and AWS represent the two most successful cloud companies in their respective categories. Over the last few years the two cloud giants have had an evolving partnership. Today they announced plans for a new set of integration capabilities to make it easier to share data and build applications that cross the two platforms.

Patrick Stokes, EVP and GM for Platform at Salesforce, points out that the companies have worked together in the past to provide features like secure sharing between the two services, but they were hearing from customers that they wanted to take it further and today’s announcement is the first step towards making that happen.

“[The initial phases of the partnership] have really been massively successful. We’re learning a lot from each other and from our mutual customers about the types of things that they want to try to accomplish, both within the Salesforce portfolio of products, as well as all the Amazon products, so that the two solutions complement each other really nicely. And customers are asking us for more, and so we’re excited to enter into this next phase of our partnership,” Stokes explained.

He added, “The goal really is to unify our platforms, so bring [together] all the power of the Amazon services with all of the power of the of the Salesforce platform.” These capabilities could be the next step in accomplishing that.

This involves a couple of new features the companies are working on to help developers on both the platform and application side of the equation. For starters that includes enabling developers to virtualize Amazon data inside Salesforce without having to do all the coding to make that happen manually.

“More specifically, we’re going to virtualize Amazon data within the Salesforce platform, so whether you’re working with an S3 bucket, Amazon RDS or whatever it is we’re going to make it so that that the data is virtualized and just appears just like it’s native data on the Salesforce platform,” he said.

Similarly, developers building applications on Amazon will be able to access Salesforce data and have it appear natively in Amazon. This involves providing connectors between the two systems to make the data flow smoothly without a lot of coding to make that happen.

The companies are also announcing event sharing capabilities, which makes it easier for both Amazon and Salesforce customers to build microservices-based applications that cross both platforms.

“You can build microservices-oriented architecture that spans the services of Salesforce and Amazon platforms, again without having to write any code. To do that, [we’re developing] out of the box connectors so you can click and drag the events that you want.”

The companies are also announcing plans to make it easier from an identity and access management perspective to access the platforms with a guided setup. Finally, the companies are working on applications to build Amazon Chime communications tooling into Service Cloud and other Salesforce services to build things like virtual call centers using AWS machine learning technology.

Amazon VP of Global Marketing Rachel Thorton says that having the two cloud giants work together in this way should make it easier for developers to create solutions that span the two platforms. “I just think it unlocks such possibilities for developers, and the faster and more innovative developers can be, it just unlocks opportunities for businesses, and creates better customer experiences,” Thornton said.

It’s worth noting that Salesforce also has extensive partnerships with other cloud providers including Microsoft Azure and Google Cloud Platform.

As is typically the case with Salesforce announcements, while all of these capabilities are being announced today, they are still in the development stage and won’t go into beta testing until later this year with GA expected sometime next year. The companies are expected to release more details about the partnership at Dreamforce and re:Invent, their respective customer conferences later this year.

How Cyber Sleuths Cracked an ATM Shimmer Gang

In 2015, police departments worldwide started finding ATMs compromised with advanced new “shimming” devices made to steal data from chip card transactions. Authorities in the United States and abroad had seized many of these shimmers, but for years couldn’t decrypt the data on the devices. This is a story of ingenuity and happenstance, and how one former Secret Service agent helped crack a code that revealed the contours of a global organized crime ring.

Jeffrey Dant was a special agent at the U.S. Secret Service for 12 years until 2015. After that, Dant served as the global lead for the fraud fusion center at Citi, one of the largest financial institutions in the United States.

Not long after joining Citi, Dant heard from industry colleagues at a bank in Mexico who reported finding one of these shimming devices inside the card acceptance slot of a local ATM. As it happens, KrebsOnSecurity wrote about that particular shimmer back in August 2015.

This card ‘shimming’ device is made to read chip-enabled cards and can be inserted directly into the ATM’s card acceptance slot.

The shimmers were an innovation that caused concern on multiple levels. For starters, chip-based payment cards were supposed to make it far more expensive and difficult for thieves to copy and clone. But these skimmers took advantage of weaknesses in the way many banks at the time implemented the new chip card standard.

Also, unlike traditional ATM skimmers that run on hidden cell phone batteries, the ATM shimmers found in Mexico did not require any external power source, and thus could remain in operation collecting card data until the device was removed.

When a chip card is inserted, a chip-capable ATM reads the data stored on the smart card by sending an electric current through the chip. Incredibly, these shimmers were able to siphon a small amount of that power (a few milliamps) to record any data transmitted by the card. When the ATM is no longer in use, the skimming device remains dormant, storing the stolen data in an encrypted format.

Dant and other investigators looking into the shimmers didn’t know at the time how the thieves who planted the devices went about gathering the stolen data. Traditional ATM skimmers are either retrieved manually, or they are programmed to transmit the stolen data wirelessly, such as via text message or Bluetooth.

But recall that these shimmers don’t have anywhere near the power needed to transmit data wirelessly, and the flexible shimmers themselves tend to rip apart when retrieved from the mouth of a compromised ATM. So how were the crooks collecting the loot?

“We didn’t know how they were getting the PINs at the time, either,” Dant recalled. “We found out later they were combining the skimmers with old school cameras hidden in fake overhead and side panels on the ATMs.”

Investigators wanted to look at the data stored on the shimmer, but it was encrypted. So they sent it to MasterCard’s forensics lab in the United Kingdom, and to the Secret Service.

“The Secret Service didn’t have any luck with it,” Dant said. “MasterCard in the U.K. was able to understand a little bit at a high level what it was doing, and they confirmed that it was powered by the chip. But the data dump from the shimmer was just encrypted gibberish.”

Organized crime gangs that specialize in deploying skimmers very often will encrypt stolen card data as a way to remove the possibility that any gang members might try to personally siphon and sell the card data in underground markets.

THE DOWNLOAD CARDS

Then in 2017, Dant got a lucky break: Investigators had found a shimming device inside an ATM in New York City, and that device appeared identical to the shimmers found in Mexico two years earlier.

“That was the first one that had showed up in the U.S. at that point,” Dant said.

The Citi team suspected that if they could work backwards from the card data that was known to have been recorded by the skimmers, they might be able to crack the encryption.

“We knew when the shimmer went into the ATM, thanks to closed-circuit television footage,” Dant said. “And we know when that shimmer was discovered. So between that time period of a couple of days, these are the cards that interacted with the skimmer, and so these card numbers are most likely on this device.”

Based off that hunch, MasterCard’s eggheads had success decoding the encrypted gibberish. But they already knew which payment cards had been compromised, so what did investigators stand to gain from breaking the encryption?

According to Dant, this is where things got interesting: They found that the same primary account number (unique 16 digits of the card) was present on the download card and on the shimmers from both New York City and Mexican ATMs.

Further research revealed that account number was tied to a payment card issued years prior by an Austrian bank to a customer who reported never receiving the card in the mail.

“So why is this Austrian bank card number on the download card and two different shimming devices in two different countries, years apart?” Dant said he wondered at the time.

He didn’t have to wait long for an answer. Soon enough, the NYPD brought a case against a group of Romanian men suspected of planting the same shimming devices in both the U.S. and Mexico. Search warrants served against the Romanian defendants turned up multiple copies of the shimmer they’d seized from the compromised ATMs.

“They found an entire ATM skimming lab that had different versions of that shimmer in untrimmed squares of sheet metal,” Dant said. “But what stood out the most was this unique device — the download card.”

The download card (right, in blue) opens an encrypted session with the shimmer, and then transmits the stolen card data to the attached white plastic device. Image: KrebsOnSecurity.com.

The download card consisted of two pieces of plastic about the width of a debit card but a bit longer. The blue plastic part — made to be inserted into a card reader — features the same contacts as a chip card. The blue plastic was attached via a ribbon cable to a white plastic card with a green LED and other electronic components.

Sticking the blue download card into a chip reader revealed the same Austrian card number seen on the shimming devices. It then became very clear what was happening.

“The download card was hard coded with chip card data on it, so that it could open up an encrypted session with the shimmer,” which also had the same card data, Dant said.

The download card, up close. Image: KrebsOnSecurity.com.

Once inserted into the mouth of ATM card acceptance slot that’s already been retrofitted with one of these shimmers, the download card causes an encrypted data exchange between it and the shimmer. Once that two-way handshake is confirmed, the white device lights up a green LED when the data transfer is complete.

THE MASTER KEY

Dant said when the Romanian crew mass-produced their shimming devices, they did so using the same stolen Austrian bank card number. What this meant was that now the Secret Service and Citi had a master key to discover the same shimming devices installed in other ATMs.

That’s because every time the gang compromised a new ATM, that Austrian account number would traverse the global payment card networks — telling them exactly which ATM had just been hacked.

“We gave that number to the card networks, and they were able to see all the places that card had been used on their networks before,” Dant said. “We also set things up so we got alerts anytime that card number popped up, and we started getting tons of alerts and finding these shimmers all over the world.”

For all their sleuthing, Dant and his colleagues never really saw shimming take off in the United States, at least nowhere near as prevalently as in Mexico, he said.

The problem was that many banks in Mexico and other parts of Latin America had not properly implemented the chip card standard, which meant thieves could use shimmed chip card data to make the equivalent of old magnetic stripe-based card transactions.

By the time the Romanian gang’s shimmers started showing up in New York City, the vast majority of U.S. banks had already properly implemented chip card processing in such a way that the same phony chip card transactions which sailed through Mexican banks would simply fail every time they were tried against U.S. institutions.

“It never took off in the U.S., but this kind of activity went on like wildfire for years in Mexico,” Dant said.

The other reason shimming never emerged as a major threat for U.S. financial institutions is that many ATMs have been upgraded over the past decade so that their card acceptance slots are far slimmer, Dant observed.

“That download card is thicker than a lot of debit cards, so a number of institutions were quick to replace the older card slots with newer hardware that reduced the height of a card slot so that you could maybe get a shimmer and a debit card, but definitely not a shimmer and one of these download cards,” he said.

Shortly after ATM shimmers started showing up at banks in Mexico, KrebsOnSecurity spent four days in Mexico tracing the activities of a Romanian organized crime gang that had very recently started its own ATM company there called Intacash.

Sources told KrebsOnSecurity that the Romanian gang also was paying technicians from competing ATM providers to retrofit cash machines with Bluetooth-based skimmers that hooked directly up to the electronics on the inside. Hooked up to the ATM’s internal power, those skimmers could collect card data indefinitely, and the data could be collected wirelessly with a smart phone.

Follow-up reporting last year by the Organized Crime and Corruption Reporting Project (OCCRP) found Intacash and its associates compromised more than 100 ATMs across Mexico using skimmers that were able to remain in place undetected for years. The OCCRP, which dubbed the Romanian group “The Riviera Maya Gang,” estimates the crime syndicate used cloned card data and stolen PINs to steal more than $1.2 billion from bank accounts of tourists visiting the region.

Last month, Mexican authorities arrested Florian “The Shark” Tudor, Intacash’s boss and the reputed ringleader of the Romanian skimming syndicate. Authorities charged that Tudor’s group also specialized in human trafficking, which allowed them to send gang members to compromise ATMs across the border in the United States.

Singularity XDR – From Vision to Reality

These past quarters have been incredibly exciting for SentinelOne as a whole and specifically for Singularity XDR. They have highlighted a terrific year of success for everyone involved – from Engineering to every person in our Global Sales team.

Over the past few months, Singularity XDR has outperformed every other vendor in the MITRE ATT&CK evaluations (in more ways than one), has had unrivaled success in the Gartner Critical Capabilities report, and positioned itself firmly in the leaders quadrant of the 2021 Gartner EPP Magic Quadrant. Every external data point is important to us, and we pride ourselves on being a data-driven company but no data point is perhaps as good as the way your industry sees you and how much they emulate your choices (as they are arguably your strongest critics), including Palo Alto Networks CEO and other security vendors like Checkpoint on their MITRE report.

From its launch, Singularity XDR has inherently remained a means to an end, as opposed to a shiny goal in and of itself. Every investment we’ve made has been 100% tied to a need our customers – from the Fortune 10 to enterprises – have expressed: how can we help accelerate detection and response workflows with fewer clicks, agents, screens, and people. Data and automation are a huge part of that, but they are not the goal – they are a way for us to achieve what our customers need (more on that later).

Furthermore, as Resha Chedda mentioned in a previous post (“5 Questions to Consider Before Choosing the Right XDR Solution”), our approach to XDR is one that assumes that it is rooted in our unique approach to EDR. Challenges such as data normalization, contextualization, and correlation are not new. Neither is the need to maximize automation and maintain a strong offering across all protected surfaces. It is not a coincidence that this market is not XIEM or XOAR but XDR. Had our EDR not been best in class, our XDR strategy would be inherently flawed.

That does not mean that EDR is enough. While the EDR fundamentals are critical, they must be combined with net-new innovation and execution at an exponentially larger scale. XDR is somewhere between evolution and revolution – On one hand, XDR is clearly not just a patchwork of capabilities; it calls for an organic evolution from EPP and EDR. On the other hand, the realities facing an XDR solution – ranging from the threat landscape to the abundance of vulnerable surfaces and the quantity of data, all serve as a catalyst for revolutionary, force-multiplying, technological advancement.

From E to XDR

Both EDR and XDR are essentially a Venn diagram of Data, Detection, Automation and Action – with the sweet spot being unsurprisingly in the middle. There are several key EDR foundational product capabilities that SentinelOne has spent multiple years perfecting and have been a huge part of our success. It’s exactly that sweet-spot which: A) is so hard to replicate; and B) is critical to XDR (and why so many “XDR” vendors are failing)

Storyline™ + MITRE

  • The 2021 MITRE ATT&CK evaluation (as well as those before it) has become, for all intents and purposes, the benchmark for EDR. While the results are definitely open to interpretation and almost everyone can make a claim to be the best – we’re actually proudest of a metric that often gets overlooked and is probably the only one that translates directly to MTTR (Mean time to Respond) – Despite being the only vendor with 100% visibility as well as more observed behaviors – SentinelOne created fewer distinct incidents than any other vendor.
  • This is thanks to Storyline – The ability to correlate and aggregate 100s of suspicious activities across multiple entities (Files, Processes, Users, Domains, IPs and more) into a single Campaign-Level-Insight. This means that analysts using SentineOne can Triage, Investigate and Respond to large, complex attacks with exponentially fewer clicks, but more importantly, in less time.

1 Click Remediation – Across Every Platform

  • One of the most impactful derivatives of Storyline is the fact that an entire campaign can be mitigated, remediated and in some cases entirely rolled-back with a single click. With Storyline correlating all of the different activities and entities – remediating the storyline translates into remediating an entire campaign. SentinelOne’s approach to Response has always been focused on automation and cross-platform parity and will continue to be so. For example, we have recently launched a Remote Scripting Orchestration capability which will enable our customers to automatically execute multiple scripts across their entire environment, regardless of OS, with a single, easy to use workflow.

STAR™

  • Storyline Active Response (STAR)™  is our cloud-based Automated Hunting, Detection, and Response engine. Balancing between our own built-in detection and delivering a powerful mechanism for our partners and customers to define their own detections was not an easy task- but that’s what we’ve achieved with STAR. Every query that can be run in Singularity can also be defined as a rule that monitors every incoming data-point in near real-time. Upon triggering, these rules can initiate anything from a simple alert to a complex playbook of actions. STAR is already a key part of our EDR and will evolve with Singularity XDR in terms of both the data it monitors and the actions it can initiate.

365 Days of Live Hunting Data

  • The term data retention gets thrown around far too frequently in this industry. Many vendors claim they offer “Long Term Data Retention,” but upon further investigation, it is either only partial data or partially accessible. Within Singularity, we offer our customers the ability to perform live hunting across 365 days (or more if needed) of data. For context, S1 was deemed the only one with 100% MITRE ATT&CK visibility – so that’s an unparalleled amount of data).  Since SolarWinds and SUNBURST, many of our customers have utilized our ability to query 365 days of data to get a picture of what occurred in their environment for a whole year.

It’s the combination and balance of foundations like these, alongside many others that enable us to deliver on XDR.

Data & Automation – As Guiding Principles

Despite everything said above, we are far from “Done”. We continue to Build, Integrate and Expand on all fronts.

The recent acquisition of Scalyr is probably the best example of our strategy becoming a reality, as well as the inseparable bond between being the best EDR and XDR. With Data being one of the cornerstones of every security problem, not just XDR, it was clear to us that we needed to establish Singularity on top of a foundation that can optimize for the “holy trinity” of data – Performance, Scale and Cost. Scalyr’s technology complements everything we want to achieve with both EDR and XDR – Unparalleled speed, efficiency, and flexibility and a perfect fit for rapid ingestion of data from an increasing number of new sources, both Endpoint and beyond.  Additionally, we are now seeing just how critical it is to choose a technology that was designed to address topics such as “How easy is it to ingest new types of data”, “How efficient is the data normalization process” and “Does the technology support the creation of abstraction and analysis layers on top of the data” – instead of just buying a “SIEM” or creating a “Graph”.

SentinelOne Storyline Active Response (STAR)
Customize EDR to adapt to your environment

Marketplace and Integrating into existing Security Stacks

The recently launched Singularity Marketplace is another huge part of our XDR strategy. SentinelOne has a great track record of launching new products – whether covering new surfaces or addressing new use-cases, but we recognize that many of our customers have diverse security stacks. With the Singularity Marketplace we facilitate the integration and orchestration of Data and Response across those stacks, but in a way that alienates nobody and optimizes for speed, simplicity and above all else, IMPACT. The list and scope of XDR applications that we support for Data Ingestion, Correlation and Response is growing by the week – being prioritized by a single voice – that of our customers. We make sure that every source we ingest and every API we expose actually makes an impact – does it enhance context, does it improve root-cause analysis, does it accelerate remediation?

Conclusion

Today’s marketing and positioning around the need for XDR can be confusing. One might find different technologies claiming similar claims, leaving the buyer with too many options and the need to research what it actually means. For us at SentinelOne, it’s these initiatives, together with the EDR foundations mentioned above and several other ground-breaking projects – from covering new surfaces to introducing new workflows, that are going to help us keep delivering what our customers need. Singularity XDR will not compromise – we are not a SOAR, not a SIEM, but the world’s best XDR. And we’re only just getting started.

If you would like to learn more about STAR and the SentinelOne XDR platform, contact us for more information or request a free demo.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Memory.ai, the startup behind time-tracking app Timely, raises $14M to build more AI-based productivity apps

Time is your most valuable asset — as the saying goes — and today a startup called Memory.ai, which is building AI-based productivity tools to help you with your own time management, is announcing some funding to double down on its ambitions: It wants not only to help manage your time, but to, essentially, provide ways to use it better in the future.

The startup, based out of Oslo, Norway, initially made its name with an app called Timely, a tool for people to track time spent doing different tasks. Aimed not just at people who are quantified self geeks, but those who need to track time for practical reasons, such as consultants or others who work on the concept of billable hours. Timely has racked up 500,000 users since 2014, including more than 5,000 paying businesses in 160 countries.

Now, Memory.ai has raised $14 million as it gears up to launch its next apps, Dewo (pronounced “De-Voh”), an app that is meant to help people do more “deep work” by learning about what they are working on and filtering out distractions to focus better; and Glue, described as a knowledge hub to help in the creative process. Both are due to be released later in the year.

The funding is being led by local investors Melesio and Sanden, with participation from Investinor, Concentric and SNÖ Ventures, who backed Memory.ai previously.

“Productivity apps” has always been something of a nebulous category in the world of connected work. They can variously cover any kind of collaboration management software ranging from Asana and Jira through to Slack and Notion; or software that makes doing an existing work task more efficient than you did it before (e.g. Microsoft has described all of what goes into Microsoft 365 — Excel, Word, PowerPoint, etc. — as “productivity apps”); or, yes, apps like those from Memory.ai that aim to improve your concentration or time management.

These days, however, it feels like the worlds of AI and advances in mobile computing are increasingly coming together to evolve that concept once again.

If the first wave of smartphone communications and the apps that are run on smartphone devices — social, gaming, productivity, media, information, etc. — have led to us getting pinged by a huge amount of data from lots of different places, all of the time, then could it be that the second wave is quite possibly going to usher in a newer wave of tools to handle all that better, built on the premise that not everything is of equal importance? No-mo FOMO? We’ll see.

In any case, some bigger platform players also helping to push the agenda of what productivity means in this day and age.

For example, in Apple’s recent preview of iOS 15 (due to come out later this year) the company gave a supercharge to its existing “do not disturb” feature on its phones, where it showed off a new Focus mode, letting users customize how and when they want to receive notifications from which apps, and even which apps they want to have displayed, all organized by different times of day (e.g. work time), place, calendar items and so on.

Today, iPhone plays so many roles in our lives. It’s where we get information, how people reach us, and where we get things done. This is great, but it means our attention is being pulled in so many different directions and finding that balance between work and life can be tricky,” said Apple’s Craig Federighi in the WWDC keynote earlier this month. “We want to free up space to focus and help you be in the moment.” How well that gets used, and how much other platforms like Google follow suit, will be interesting to see play out. It feels, in any case, like it could be the start of something.

And, serendipitously — or maybe because this is some kind of zeitgeist — this is also playing into what Memory.ai has built and is building. 

Mathias Mikkelsen, the Oslo-based founder of Memory.ai, first came up with his idea for Timely (which had also been the original name of the whole startup) when he was working as a designer in the ad industry, one of those jobs that needed to track what he was working on, and for how long, in order to get paid.

He said he knew the whole system as it existed was inefficient: “I just thought it was insane how cumbersome and old it was. But at the same time how important it was for the task,” he said.

The guy had an entrepreneurial itch that he was keen to scratch, and this idea would become the salve to help him. Mikkelsen was so taken with building a startup around time management, that he sold his apartment in Oslo and moved himself to San Francisco to be where he believed was the epicenter of startup innovation. He tells me he lived off the proceeds of his flat for two years “in a closet” in a hacker house, bootstrapping Timely, until eventually getting into an accelerator (500 Startups) and subsequently starting to raise money. He eventually moved back to Oslo after two years to continue growing the business, as well as to live somewhere a little more spacious.

The startup’s big technical breakthrough with Timely was to figure out an efficient way of tracking time for different tasks, not just time worked on anything, without people having to go through a lot of data entry.

The solution: to integrate with a person’s computer, plus a basic to-do schedule for a day or week, and then match up which files are open when to determine how long one works for one client or another. Phone or messaging conversations, for the moment, are not included, and neither are the contents of documents — just the titles of them. Nor is data coming from wearable devices, although you could see how that, too, might prove useful.

The basic premise is to be personalised, so managers and others cannot use Timely to track exactly what people are doing, although they can track and bill for those billable hours. All this is important, as it also will feed into how Dewo and Glue will work.

The startup’s big conceptual breakthrough came around the same time: Getting time tracking or any productivity right “has never been a UI problem,” Mikkelsen said. “It’s a human nature problem.” This is where the AI comes in, to nudge people towards something they identify as important, and nudge them away from work that might not contribute to that. Tackling bigger issues beyond time are essential to improving productivity overall, which is why Memory.ai now wants to extend to apps for carving out time for deep thinking and creative thinking.

While it might seem to be a threat that a company like Apple has identified the same time management predicament that Memory.ai has, and is looking to solve that itself, Mikkelsen is not fazed. He said he thinks of Focus as not unlike Apple’s work on Health: there will be ways of feeding information into Apple’s tool to make it work better for the user, and so that will be Memory.ai’s opportunity to hopefully grow, not cannibalize, its own audience with Timely and its two new apps. It is, in a sense, a timely disruption.

“Memory’s proven software is already redefining how businesses around the world track, plan and manage their time. We look forward to working with the team to help new markets profit from the efficiencies, insights and transparency of a Memory-enabled workforce,” said Arild Engh, a partner at Melesio, in a statement.

Kjartan Rist, a partner at Concentric, added: “We continue to be impressed with Memory’s vision to build and launch best-in-class products for the global marketplace. The company is well on its way to becoming a world leader in workplace productivity and collaboration, particularly in light of the remote and hybrid working revolution of the last 12 months. We look forward to supporting Mathias and the team in this exciting new chapter.”

Vantage raises $4M to help businesses understand their AWS costs

Vantage, a service that helps businesses analyze and reduce their AWS costs, today announced that it has raised a $4 million seed round led by Andreessen Horowitz. A number of angel investors, including Brianne Kimmel, Julia Lipton, Stephanie Friedman, Calvin French Owen, Ben and Moisey Uretsky, Mitch Wainer and Justin Gage, also participated in this round.

Vantage started out with a focus on making the AWS console a bit easier to use — and helping businesses figure out what they are spending their cloud infrastructure budgets on in the process. But as Vantage co-founder and CEO Ben Schaechter told me, it was the cost transparency features that really caught on with users.

“We were advertising ourselves as being an alternative AWS console with a focus on developer experience and cost transparency,” he said. “What was interesting is — even in the early days of early access before the formal GA launch in January — I would say more than 95% of the feedback that we were getting from customers was entirely around the cost features that we had in Vantage.”

Image Credits: Vantage

Like any good startup, the Vantage team looked at this and decided to double down on these features and highlight them in its marketing, though it kept the existing AWS Console-related tools as well. The reason the other tools didn’t quite take off, Schaechter believes, is because more and more, AWS users have become accustomed to infrastructure-as-code to do their own automatic provisioning. And with that, they spend a lot less time in the AWS Console anyway.

“But one consistent thing — across the board — was that people were having a really, really hard time 12 times a year, where they would get a shocking AWS bill and had to figure out what happened. What Vantage is doing today is providing a lot of value on the transparency front there,” he said.

Over the course of the last few months, the team added a number of new features to its cost transparency tools, including machine learning-driven predictions (both on the overall account level and service level) and the ability to share reports across teams.

Image Credits: Vantage

While Vantage expects to add support for other clouds in the future, likely starting with Azure and then GCP, that’s actually not what the team is focused on right now. Instead, Schaechter noted, the team plans to add support for bringing in data from third-party cloud services instead.

“The number one line item for companies tends to be AWS, GCP, Azure,” he said. “But then, after that, it’s Datadog, Cloudflare, Sumo Logic, things along those lines. Right now, there’s no way to see, P&L or an ROI from a cloud usage-based perspective. Vantage can be the tool where that’s showing you essentially, all of your cloud costs in one space.”

That is likely the vision the investors bought into, as well, and even though Vantage is now going up against enterprise tools like Apptio’s Cloudability and VMware’s CloudHealth, Schaechter doesn’t seem to be all that worried about the competition. He argues that these are tools that were born in a time when AWS had only a handful of services and only a few ways of interacting with those. He believes that Vantage, as a modern self-service platform, will have quite a few advantages over these older services.

“You can get up and running in a few clicks. You don’t have to talk to a sales team. We’re helping a large number of startups at this stage all the way up to the enterprise, whereas Cloudability and CloudHealth are, in my mind, kind of antiquated enterprise offerings. No startup is choosing to use those at this point, as far as I know,” he said.

The team, which until now mostly consisted of Schaechter and his co-founder and CTO Brooke McKim, bootstrapped the company up to this point. Now they plan to use the new capital to build out its team (and the company is actively hiring right now), both on the development and go-to-market side.

The company offers a free starter plan for businesses that track up to $2,500 in monthly AWS cost, with paid plans starting at $30 per month for those who need to track larger accounts.

DarkRadiation | Abusing Bash For Linux and Docker Container Ransomware

While new ransomware families are a common occurrence these days, a recently discovered ransomware dubbed ‘DarkRadiation’ is especially noteworthy for defenders. First, it targets Linux and Docker cloud containers, making it of particular concern to enterprises. Secondly, DarkRadiation is written entirely in Bash, a feature that can make it difficult for some security solutions to identify as a threat. In this post, we’ll take a look at the DarkRadiation Bash scripts and show how this novel ransomware can be detected.

What is DarkRadiation Ransomware?

DarkRadiation appears to have been first noticed in late May by Twitter user @r3dbU7z and was later reported on by researchers at Trend Micro. It appears to have come to light as part of a set of hacker tools through discovery on VirusTotal.

At this time, we have no information on delivery methods or evidence of in-the-wild attacks. However, analysis of its various components suggest that the actors behind its development intend on using it as a campaign targeting Linux installs and Docker containers.

The ransomware uses a complex collection of Bash scripts and at least half a dozen C2s, all of which appear to be currently offline, to communicate with Telegram bots via hardcoded API keys.

DarkRadiation is part of a larger collection of hacking scripts

The DarkRadiation scripts have a number of dependencies including wget, curl, sshpass, pssh and openssl. If any of these are not available on the infected device, the malware attempts to download the required tools using YUM (Yellowdog Updater, Modified), a python-based package manager widely adopted by popular Linux distros such as RedHat and CentOS.

DarkRadiation checks for and installs dependencies

Code artifacts in the same script show the ransomware attempting to stop, disable and delete the /var/lib/docker directory, used by Docker to store images, containers, and local named volumes. Despite the name of the function, docker_stop_and_encrypt, it appears that at least in its current form it acts purely as a wiper for Docker images. However, as other researchers have noted, several versions of these scripts were found on the threat actor’s infrastructure, suggesting that they may be in nascent development and not yet ready for full deployment.

The ransomware appears to wipe the main Docker directory

In order to facilitate communication, the ransomware relies on another script, bt_install.sh, to set up and test a Telegram bot, written to the local file path at "/usr/share/man/man8/mon.8.gz". Fans of the popular science fiction trilogy “The Matrix” may recognize the test message, “Knock, knock, Neo.” included in the bt_install shell script.

DarkRadiation threat actors appear to be fans of The Matrix Trilogy

The same script also installs and enables a service called “griphon” as a way to gain persistence. If the malware has been run with admin rights, the service is installed as “griphon.service” at the default "/etc/systemd/system/" path and ensures the Telegram bot is brought up and running each time the device is re-booted.

A systemd service called ‘Griphon’ is installed for persistence

The ExecStart command ensures that the bot is started either on system boot or by manual invocation of the service via systemctl.

Bash Ransomware Script and Obfuscation

DarkRadiation embedded ransomware note

The ransomware script exists in several versions called supermicro_cr and crypt. An obfuscated version in the attacker’s repository uses a simple technique that we’ve seen before in shell script-based malware, which has been common on macOS for a while. The technique involves assigning random variables to “chunks” of script code.

The ransomware script is obfuscated with node-bash-obfuscate

Comments left in the code in Russian suggest the author used an npm package called node-bash-obfuscate’.

Translated comments reveal the hacker’s choice of obfuscation tool

Despite the apparent complexity of the obfuscated script, all such scripts can be easily translated back to plain text simply by replacing the eval command with echo, which prints the script to stdout without executing it.

On execution, the script creates a new user with the name “ferrum”. In some versions, the password is downloaded from the attacker’s C2 via curl and in others it is hardcoded with strings such as “$MeGaPass123#”.

The ransomware script creates a new user and password

For the purpose of avoiding accidental discovery, the ransomware writes itself to "/usr/share/man/man8/", a folder typically reserved for the man pages associated with System administration controls: in other words, a directory not likely to be traversed by chance even by admin users. Moreover, in order to facilitate privilege escalation, the script uses a fairly blunt but often wildly effective ‘social engineering’ technique: by simply asking the user for the required privileges.

The execution chain is caught by the SentinelOne agent and reflected in the Management console:

The chain of execution as seen in the SentinelOne console

If allowed to execute, the ransomware script uses openssl (one of the dependencies we noted earlier) to encrypt files enumerated via the grep and xargs utilities. Encrypted files are appended with the extension .☢, and the encryption key is sent to the attacker’s C2 via the Telegram bot.

openssl is used for file encryption

How SentinelOne Deals With DarkRadiation

For endpoints protected by SentinelOne, DarkRadiation is blocked from the outset, so there’s no risk of any data being encrypted by the malware. As always, it’s safest to have your SentinelOne endpoints use the ‘Protect’ policy to ensure that threats are killed and quarantined automatically. When this occurs, the Management console gives a full report of what processes were killed and quarantined, and shows associated MITRE TTPs in the Threat Indicators panel.

DarkRadiation MITRE TTPs shown in SentinelOne console

In the demo video below, we show how SentinelOne deals with DarkRadiation using the Detect-only policy.

SentinelOne vs DarkRadiation
(Bash Ransomware)

Conclusion

Malware written in shell script languages allows attackers to be more versatile and to avoid some common detection methods. As scripts do not need to be recompiled, they can be iterated upon more rapidly. Moreover, since some security software relies on static file signatures, these can easily be evaded through rapid iteration and the use of simple obfuscator tools to generate completely different script files.

However, no amount of iteration or obfuscation changes the nature of what the malware actually does on execution. Hence, security teams are advised to use a trusted behavioral detection engine such as SentinelOne Singularity that can detect malicious behavior before it does harm to your Linux systems, servers or Docker containers.

If you would like to learn more about how SentinelOne can help secure your organization, contact us for more information or request a free demo.

Indicators of Compromise

SHA256/SHA1
supermicro_cr
d0d3743384e400568587d1bd4b768f7555cc13ad163f5b0c3ed66fdc2d29b810
e437221542112affc30e036921e4395b72fe6504

supermicro_bt
652ee7b470c393c1de1dfdcd8cb834ff0dd23c93646739f1f475f71a6c138edd
5b231b4d834220bf378d1a64c15cc04eca6ddaf6

supermicro_cr_third (obfuscated)
9f99cf2bdf2e5dbd2ccc3c09ddcc2b4cba11a860b7e74c17a1cdea6910737b11
1bea1c2715f44fbfe38c80d333dfa5a28921cefb

supermicro_cr_third (deobfuscated)
654d19620d48ff1f00a4d91566e705912d515c17d7615d0625f6b4ace80f8e3a
83881c44a41f35a054513a4fa68306183100e73b

crypt3.sh
0243ac9f6148098de0b5f215c6e9802663284432492d29f7443a5dc36cb9aab5
919b574a4d000161e52d57b827976b6d9388b33f

crypt2_first.sh
e380c4b48cec730db1e32cc6a5bea752549bf0b1fb5e7d4a20776ef4f39a8842
215d777140728b748fc264ef203ebd27b2388666

bt_install.sh
fdd8c27495fbaa855603df4f774fe86bbc21743f59fd039f734feb07704805bd
45b57869e3857b50c1d794baba6ceca2641a7cfa

MITRE ATT&CK
T1027 Obfuscated Files or Information
T1202 Indirect Command Execution
T1082 System Information Discovery
T1083 File and Directory Discovery (System Object Enumeration)
T1486 Data Encrypted for Impact
T1059.004 Command and Scripting Interpreter: Unix Shell
T1059 Command and Scripting Interpreter
T1014 Rootkits
T1548 Abuse Elevation Control Mechanism
T1543.002 Create or Modify System Process: Systemd Service


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

DataRails books $25M more to build better financial reporting tools for SMBs

As enterprise startups continue to target interesting gaps in the market, we’re seeing increasingly sophisticated tools getting built for small and medium businesses — traditionally a tricky segment to sell to, too small for large enterprise tools, and too advanced in their needs for consumer products. In the latest development of that trend, an Israeli startup called DataRails has raised $25 million to continue building out a platform that lets SMBs use Excel to run financial planning and analytics like their larger counterparts.

The funding closes out the company’s Series A at $43.5 million, after the company initially raised $18.5 million in April (some at the time reported this as its Series A, but it seems the round had yet to be completed). The full round includes Zeev Ventures, Vertex Ventures Israel and Innovation Endeavors, with Vintage Investment Partners added in this most recent tranche. DataRails is not disclosing its valuation, except to note that it has doubled in the last four months, with hundreds of customers and on target to cross 1,000 this year, with a focus on the North American market. It has raised $55 million in total. 

The challenge that DataRails has identified is that on one hand, SMBs have started to adopt a lot more apps, including software delivered as a service, to help them manage their businesses — a trend that has been accelerated in the last year with the pandemic and the knock-on effect that has had for remote working and bringing more virtual elements to replace face-to-face interactions. Those apps can include Salesforce, NetSuite, Sage, SAP, QuickBooks, Zuora, Xero, ADP and more.

But on the other hand, those in the business who manage finances and financial reporting are lacking the tools to look at the data from these different apps in a holistic way. While Excel is a default application for many of them, they are simply reading lots of individual spreadsheets rather than integrated data analytics based on the numbers.

DataRails has built a platform that can read the reported information, which typically already lives in Excel spreadsheets, and automatically translate it into a bigger picture view of the company.

For SMEs, Excel is such a central piece of software, yet such a pain point for its lack of extensibility and function, that this predicament was actually the germination of starting DataRails in the first place,

Didi Gurfinkel, the CEO who co-founded the company with Eyal Cohen (the CPO) said that DataRails initially set out to create a more general-purpose product that could help analyze and visualize anything from Excel.

Image: DataRails

“We started the company with a vision to save the world from Excel spreadsheets,” he said, by taking them and helping to connect the data contained within them to a structured database. “The core of our technology knows how to take unstructured data and map that to a central database.” Before 2020, DataRails (which was founded in 2015) applied this to a variety of areas with a focus on banks, insurance companies, compliance and data integrity.

Over time, it could see a very specific application emerging, specifically for SMEs: providing a platform for FP&A (financial planning and analytics), which didn’t really have a solution to address it at the time. “So we enabled that to beat the market.”

“They’re already investing so much time and money in their software, but they still don’t have analytics and insight,” said Gurfinkel.

That turned out to be fortunate timing, since “digital transformation” and getting more out of one’s data was really starting to get traction in the world of business, specifically in the world of SMEs, and CFOs and other people who oversaw finances were already looking for something like this.

The typical DataRails customer might be as small as a business of 50 people, or as big as 1,000 employees, a size of business that is too small for enterprise solutions, “which can cost tens of thousands of dollars to implement and use,” added Cohen, among other challenges. But as with so many of the apps that are being built today to address those using Excel, the idea with DataRails is low-code or even more specifically no-code, which means “no IT in the loop,” he said.

“That’s why we are so successful,” he said. “We are crossing the barrier and making our solution easy to use.”

The company doesn’t have a huge number of competitors today, either, although companies like Cube (which also recently raised some money) are among them. And others like Stripe, while currently not focusing on FP&A, have most definitely been expanding the tools that it is providing to businesses as part of their bigger play to manage payments and subsequently other processes related to financial activity, so perhaps it, or others like it, might at some point become competitors in this space as well.

In the meantime, Gurfinkel said that other areas that DataRails is likely to expand to cover alongside FP&A include HR, inventory and “planning for anything,” any process that you have running in Excel. Another interesting turn would be how and if DataRails decides to look beyond Excel at other spreadsheets, or bypass spreadsheets altogether.

The scope of the opportunity — in the U.S. alone there are more than 30 million small businesses — is what’s attracting the investment here.

“We’re thrilled to reinvest in DataRails and continue working with the team to help them navigate their recent explosive and rapid growth,” said Yanai Oron, general partner at Vertex Ventures, in a statement. “With innovative yet accessible technology and a tremendous untapped market opportunity, DataRails is primed to scale and become the leading FP&A solution for SMEs everywhere.”

“Businesses are constantly about to start, in the midst of, or have just finished a round of financial reporting — it’s a never-ending cycle,” added Oren Zeev, founding partner at Zeev Ventures. “But with DataRails, FP&A can be simple, streamlined, and effective, and that’s a vision we’ll back again and again.”

What does Red Hat’s sale to IBM tell us about Couchbase’s valuation?

The IPO rush of 2021 continued this week with a fresh filing from NoSQL provider Couchbase. The company raised hundreds of millions while private, making its impending debut an important moment for a number of private investors, including venture capitalists.

According to PitchBook data, Couchbase was last valued at a post-money valuation of $580 million when it raised $105 million in May 2020. The company — despite its expansive fundraising history — is not a unicorn heading into its debut to the best of our knowledge.

We’d like to uncover whether it will be one when it prices and starts to trade, so we dug into Couchbase’s business model and its financial performance, hoping to better understand the company and its market comps.

The Couchbase S-1

The Couchbase S-1 filing details a company that sells database tech. More specifically, Couchbase offers customers database technology that includes what NoSQL can offer (“schema flexibility,” in the company’s phrasing), as well as the ability to ask questions of their data with SQL queries.

Couchbase’s software can be deployed on clouds, including public clouds, in hybrid environments, and even on-prem setups. The company sells to large companies, attracting 541 customers by the end of its fiscal 2021 that generated $107.8 million in annual recurring revenue, or ARR, by the close of last year.

Couchbase breaks its revenue into two main buckets. The first, subscription, includes software license income and what the company calls “support and other” revenues, which it defines as “post-contract support,” or PCS, which is a package of offerings, including “support, bug fixes and the right to receive unspecified software updates and upgrades” for the length of the contract.

The company’s second revenue bucket is services, which is self-explanatory and lower-margin than its subscription products.

How Cyber Safe is Your Drinking Water Supply?

Amid multiple recent reports of hackers breaking into and tampering with drinking water treatment systems comes a new industry survey with some sobering findings: A majority of the 52,000 separate drinking water systems in the United States still haven’t inventoried some or any of their information technology systems — a basic first step in protecting networks from cyberattacks.

The Water Sector Coordinating Council surveyed roughly 600 employees of water and wastewater treatment facilities nationwide, and found 37.9 percent of utilities have identified all IT-networked assets, with an additional 21.7 percent working toward that goal.

The Council found when it comes to IT systems tied to “operational technology” (OT) — systems responsible for monitoring and controlling the industrial operation of these utilities and their safety features — just 30.5 percent had identified all OT-networked assets, with an additional 22.5 percent working to do so.

“Identifying IT and OT assets is a critical first step in improving cybersecurity,” the report concluded. “An organization cannot protect what it cannot see.”

It’s also hard to see threats you’re not looking for: 67.9 percent of water systems reported no IT security incidents in the last 12 months, a somewhat unlikely scenario.

Michael Arceneaux, managing director of the WaterISAC — an industry group that tries to facilitate information sharing and the adoption of best practices among utilities in the water sector — said the survey shows much room for improvement and a need for support and resources.

“Threats are increasing, and the sector, EPA, CISA and USDA need to collaborate to help utilities prevent and recover from compromises,” Arceneaux said on Twitter.

While documenting each device that needs protection is a necessary first step, a number of recent cyberattacks on water treatment systems have been blamed on a failure to properly secure water treatment employee accounts that can be used for remote access.

In April, federal prosecutors unsealed an indictment against a 22-year-old from Kansas who’s accused of hacking into a public water system in 2019. The defendant in that case is a former employee of the water district he allegedly hacked.

In February, we learned that someone hacked into the water treatment plan in Oldsmar, Fla. and briefly increased the amount of sodium hydroxide (a.k.a. lye used to control acidity in the water) to 100 times the normal level. That incident stemmed from stolen or leaked employee credentials for TeamViewer, a popular program that lets users remotely control their computers.

In January, a hacker tried to poison a water treatment plant that served parts of the San Francisco Bay Area, reports Kevin Collier for NBCNews. The hacker in that case also had the username and password for a former employee’s TeamViewer account.

Image: WaterISAC.

Andrew Hildick-Smith is a consultant who served more than 15 years managing remote access systems for the Massachusetts Water Resources Authority. He said the percentage of companies that reported already having inventoried all of their IT systems is roughly equal to the number of larger water utilities (greater than 50,000 population) that recently had to certify to the Environmental Protection Agency (EPA) that they are compliant with the Water Infrastructure Act of 2018.

The water act gives utilities serving between 3,300 and 50,000 residents until the end of this month to complete a cybersecurity risk and resiliency assessment.

But Hildick-Smith said the vast majority of the nation’s water utilities — tens of thousands of them — serve fewer than 3,300 residents, and those utilities currently do not have to report to the EPA about their cybersecurity practices (or the lack thereof).

“A large number of utilities — probably close to 40,000 of them — are small enough that they haven’t been asked to do anything,” he said. “But some of those utilities are kind of doing cybersecurity based on self motivation rather than any requirement.”

According to the water sector report, a great many of the nation’s water utilities are subject to economic disadvantages typical of rural and urban communities.

“Others do not have access to a cybersecurity workforce,” the report explains. “Operating in the background is that these utilities are struggling to maintain and replace infrastructure, maintain revenues while addressing issues of affordability, and comply with safe and clean water regulations.”

The report makes the case for federal funding of state and local systems to provide cybersecurity training, tools and services for those in charge of maintaining IT systems, noting that 38 percent of water systems allocate less than 1 percent of their annual budgets to cybersecurity.

As the recent hacking incidents above can attest, enabling some form of multi-factor authentication for remote access can blunt many of these attacks.

However, the sharing of remote access credentials among water sector employees may be a contributing factor in these recent incidents, since organizations that let multiple employees use the same account also are less likely to have any form of multi-factor enabled.

A copy of the report is available here (PDF).

Update, 6:25 p.m. ET: Clarified that the report was issued by the Water Sector Coordinating Council (not the WaterISAC).

The Good, the Bad and the Ugly in Cybersecurity – Week 25

The Good

This week saw another big victory in the battle against ransomware with the arrest of a large swath of individuals associated with the Clop ransomware operation. Law enforcement officials from the Ukraine, United States, and the Republic of Korea conducted over 20 searches across the Kyiv area, including personal property of the defendants. It is reported that the individuals in question are responsible for nearly $500 million in financial damages.

The Clop ransomware team has been in operation in various forms since 2018. Since then, they have targeted a number of high-value entities including Software AG, Qualys, and TAM International. More recent operations involved the exploitation of Accellion FTP software and appliances. It is reported that the apprehended individuals were primarily involved with the money laundering side of operations. Ultimately, this means that the primary actors behind Clop are still at large. However, this is still a significant blow to their infrastructure and finances.

This week’s good news in the battle against cybercrime was not solely about Clop though. A Russian individual tied to the operations of the Kelihos botnet has also been convicted. Oleg Koshkin maintained a “crypting” service that obfuscates malware payloads so as to evade detection by legacy AV software. Koshkin was convicted of providing a critical service that enabled other cyber criminals to infect thousands of computers around the world.

The Bad

While most well known underground forums have banned discussions and commerce around ransomware, there are still some small outliers that continue. We recently came across two new families being offered to would-be criminals, M3rcury and Camelvalley. In both cases, it appears that these tools are in the very early stages of active development.

M3rcury lists the following as its primary features:

  • Removal of backups (shadow copies and other backups)
  • Hybrid RSA AES-256 encryption
  • UAC bypass
  • Sandbox Detection
  • Evasion of heuristic analysis
  • Heavy obfuscation
  • Scantime packed and crypted
  • Single file decryption to get victim trust

All that and more for 150.00 USD!

Camelvalley is advertised at the same price with similar features, and they go so far as to call out the fact that other forums are backing out of the ransomware world. In their original post, they state:

“Since the Colonial Pipeline cyberattack, there are only few ransomwares out there. All RaaS went private only. And the Locker discussion has been banned nearly everywhere. Except there. So, i’ll propose you a deal you can’t refuse!

The Camelvalley Ransomware comes out with plenty of interesting features, and even a solid Anti-Ransomware protection bypass that makes your cyberattack even more easier. The main goal of this project is to let you use less time on working on the ransomware itself and focus more on the evasion and hacking.”

M3rcury is written in Go and supports both 32 and 64 bit payloads. Camelvalley does not state the same, but it would be a fair assumption. In addition, CamelValley is said to have robust support for multithreaded encryption, uses a combination of RSA 2048 and ChaCha20 encryption algorithms, and makes use of the old RIPlace technique.

As stated before, both of these new ransomware offerings appear to be in the very early stages of development. Whether they emerge to become a true threat in-the-wild remains to be seen. The important thing to remember is this corner of the crimeware market will never go away.

The Ugly

This week the source code for the Paradise Ransomware was leaked across hacking and underground forums. The leaked archive contains all that is required to compile Paradise components from scratch. Upon compilation, users have the configuration builder, decryptor tool, and encrypter (the actual malware).

Paradise was never a particularly interesting family of malware. However, it is important to note that the leaked code does work. In the hands of a crafty individual, it is possible to generate new ransomware samples with a handful of configuration options. The ransomware generated from this leak is detected and prevented by most modern security software. It is, however, possible for individuals to modify the source to their needs, so time will tell what becomes of this.

Also in the world of data breaches, it was another busy week. We saw disclosures from Eggfree Cake Box, Carnival Corp, Intuit and more. These attacks are only getting more frequent and more aggressive. We also have ransomware actors sometimes forgoing the encryption step altogether and simply stealing data and holding it hostage. It is imperative that time and resources be spent on a robust, working, and tested disaster recovery plan. When was the last time cold storage was checked and verified? When was the last time you tested a restore of your backups? You should be able to answer questions like these, in addition to ensuring strong user hygiene and powerful modern endpoint security controls.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security