5 Things You Need to Know About Silver Sparrow

Researchers at Red Canary recently broke news of a novel macOS infection dubbed Silver Sparrow. Given headlines that suggest this is a new malware threat that has infected “30,000 devices”, targets both Intel and Apple Silicon M1 devices, and has “security pros stumped”, end users and enterprise security teams alike are expressing concerns about what Silver Sparrow is, whether they are protected (spoiler: if you are a SentinelOne customer, yes you are) and how they can hunt for it on devices that are not protected by a modern next-gen security platform. In this post, we explain what Silver Sparrow is, how dangerous it is, and whether you should be concerned about it.

1. What is Silver Sparrow?

Silver Sparrow is the name given to an infection threat identified by researchers that uses the Apple installer package format and a novel mechanism for running a preinstall script.

While the installer package, readily identifiable from the .pkg file extension, typically uses dedicated preinstall and postinstall shell scripts for preparing and cleaning up software installations, Silver Sparrow takes a different approach and (ab)uses the Distribution file to run JavaScript code during the installation process.

 

While macOS malware has long abused preinstall and postinstall scripts, this is the first known case of malware using the Distribution file to execute bash commands via the JavaScript API.

The Distribution file contains over 100 lines of code which function to:

  1. Set up a persistence agent with the filename pattern init_<agentName>.plist (currently known agentNames are “verx” and “agent”) in ~/Library/LaunchAgents.
  2. Set up the program executable with the filepath pattern ~/Library/Application Support/<agentName>_updater/<agentName>.sh
  3. Attempt to download the payload and write and execute it as /tmp/<agentName>
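The abuse described above is what an analyst actually needs to spot: JavaScript inside the Distribution file that calls the installer API's system.run() from an installation-check or volume-check hook, rather than a conventional preinstall script. The following triage script is an added example, not code from the original post or from the Silver Sparrow research. It assumes the Distribution XML has already been pulled out of the .pkg (on macOS, `pkgutil --expand pkg.pkg outdir` or `xar -xf pkg.pkg Distribution` both do that), and the two Distribution samples embedded in it are constructed for illustration, with a harmless placeholder command standing in for anything real.

```python
"""Flag installer JavaScript that shells out from a Distribution file.

Added example, not code from the original post or from the Silver Sparrow
research. Assumes the Distribution XML has already been extracted from the
.pkg; the samples below are constructed for illustration.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# The installer JavaScript API call that runs an external program.
SYSTEM_RUN_RE = re.compile(r"system\.run\s*\((.*?)\)", re.DOTALL)
# Top-level `function name(...) {` declarations inside a <script> block.
FUNC_RE = re.compile(r"function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{")
# Hooks the installer evaluates before any package payload is written.
HOOK_TAGS = ("installation-check", "volume-check")

# Constructed sample: a Distribution file whose install check runs a shell
# command. The command itself is a harmless placeholder.
SAMPLE_DISTRIBUTION = """<installer-gui-script minSpecVersion="2">
    <title>Constructed Sample</title>
    <options customize="never" allow-external-scripts="yes"/>
    <installation-check script="pm_install_check()"/>
    <volume-check script="pm_volume_check()"/>
    <script><![CDATA[
    function pm_volume_check() {
        return true;
    }
    function pm_install_check() {
        // constructed placeholder command
        system.run('/bin/sh', '-c', 'echo constructed-sample');
        return true;
    }
    ]]></script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default" title="Constructed Sample">
        <pkg-ref id="com.example.constructed"/>
    </choice>
    <pkg-ref id="com.example.constructed" version="1.0">#sample.pkg</pkg-ref>
</installer-gui-script>
"""

# Constructed sample with no JavaScript at all, for comparison.
BENIGN_DISTRIBUTION = """<installer-gui-script minSpecVersion="2">
    <title>Benign Sample</title>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default" title="Benign Sample">
        <pkg-ref id="com.example.benign"/>
    </choice>
    <pkg-ref id="com.example.benign" version="1.0">#benign.pkg</pkg-ref>
</installer-gui-script>
"""


def extract_scripts(distribution_xml: str) -> list[str]:
    """Return the JavaScript text of every <script> element (CDATA included)."""
    root = ET.fromstring(distribution_xml.encode("utf-8"))
    return [node.text for node in root.iter("script") if node.text and node.text.strip()]


def function_bodies(script: str) -> dict[str, str]:
    """Map each declared function name to its body by matching braces.
    Braces inside strings or comments would fool this; good enough for triage."""
    bodies = {}
    for m in FUNC_RE.finditer(script):
        depth, i = 1, m.end()
        while i < len(script) and depth:
            if script[i] == "{":
                depth += 1
            elif script[i] == "}":
                depth -= 1
            i += 1
        bodies[m.group(1)] = script[m.end():i - 1]
    return bodies


def find_system_run_calls(distribution_xml: str) -> list[str]:
    """Return the argument list of every system.run() call, whitespace-normalised."""
    calls = []
    for script in extract_scripts(distribution_xml):
        for m in SYSTEM_RUN_RE.finditer(script):
            calls.append(" ".join(m.group(1).split()))
    return calls


def hooks_that_shell_out(distribution_xml: str) -> list[str]:
    """Return the hook tags whose script function contains a system.run() call.
    Calls reached indirectly through another function are not followed."""
    root = ET.fromstring(distribution_xml.encode("utf-8"))
    bodies: dict[str, str] = {}
    for script in extract_scripts(distribution_xml):
        bodies.update(function_bodies(script))
    hits = []
    for tag in HOOK_TAGS:
        for node in root.iter(tag):
            name = node.get("script", "").split("(")[0].strip()
            if SYSTEM_RUN_RE.search(bodies.get(name, "")):
                hits.append(tag)
    return hits


if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_DISTRIBUTION), ("benign", BENIGN_DISTRIBUTION)):
        print(label, hooks_that_shell_out(xml_text), find_system_run_calls(xml_text))
```

A hit from hooks_that_shell_out is the signal worth alerting on: a legitimate installation-check only inspects the system and returns true or false, so any path from that hook to system.run() deserves a look at the Distribution file in a tool that actually shows it.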


That all sounds worrisome, but despite the headlines, there is no imminent threat to users or enterprises from the Silver Sparrow malware. The 30,000 infections reported in the media may or may not be an accurate count, but the fact is that number is based on researchers detecting two variants, neither of which has delivered a payload to date and, more importantly, neither of which can deliver a payload any longer.

The original research title was apt, but ignored by many commentators: “Clipping Silver Sparrow’s Wings: Outing macOS malware before it takes flight”. The title reflects the fact that not only have new installations been blocked by Apple revoking the installers’ signatures but also existing installations cannot deliver a payload since the hardcoded URLs, located on AWS S3 instances, have also been taken down by Amazon. It’s worth repeating for those that didn’t read the original research: no payload was ever delivered prior to the actions taken by Apple and Amazon.

2. How Is Silver Sparrow Related to M1 Chips?

Given that, you might be wondering what all the fuss about Silver Sparrow is. There are two reasons why security researchers (not so much Mac users) should be interested in Silver Sparrow. One good reason, as noted above, is that it uses a novel mechanism of infection by abusing the JavaScript API and the package installer’s Distribution file.

Importantly, if you inspect the Silver Sparrow installer package in a tool like ‘Suspicious Package’, you will not be able to see the malicious script.

Analysts can, however, use the shareware tool Pacifist to inspect the Distribution file.

The second reason is that Silver Sparrow is another example of recently compiled malware that targets both of Apple’s hardware architectures: Intel and Apple Silicon.

Seeing malware target the new ARM architecture creates a lot of interest, but that is entirely expected. Basically, any software developer creating or compiling any software using the latest version of Xcode will by default create a universal binary that contains binaries for both Intel and ARM architectures.

So while this is still relatively new (given that Apple Silicon is relatively new), expect to see this increasingly going forward.

3. What Kind of Malware Does Silver Sparrow Deliver?

As noted above, Silver Sparrow is a dropper and persistence mechanism, but there has to date been no known payload. However, from the way the observed components work, we can make some reasonable inferences about what kind of malware Silver Sparrow was designed to deliver.

First, note that the installer uses a ‘tried and tested’ technique typical of adware for campaign tracking. This technique involves scraping the download URL from the user’s LSQuarantineEvents database.


That in itself suggests that Silver Sparrow is likely selling itself as a mechanism to 3rd party “affiliates” or pay-per-install (PPI) partners. The existence of this technique shows that the developers are aiming to monetize the delivery of payloads, and as such puts it firmly in the category of commodity adware/malware.

Second, the Silver Sparrow installer packages observed to date contained what the original researchers called ‘bystander apps’: dummy apps that have no perceived purpose. This suggests that the authors may have been trialling the delivery mechanism in order to later offer it to “bundleware” clients that wrap free or cracked apps around the malicious installer, a technique that is widely used by commodity adware and PUP installers.

4. Am I Protected from Silver Sparrow?

None of the above is a reason not to be concerned. Adware and PUPs are nuisances at best and security concerns at worst. Fortunately, there is very little risk of infection from this threat at the current time.

SentinelOne customers are protected from all known samples of Silver Sparrow, and we are actively engaged in tracking and blocking any new variants of this threat. If you are not a SentinelOne customer yet, the good news is that there is a universal kill switch that can keep you protected. The Silver Sparrow persistence agent runs a program that uninstalls the malware in the event that a certain zero-byte file exists in the user’s Library folder.


You can create such a file using the touch command, like so:

touch ~/Library/._insu

Again, it is worth reiterating that none of the known samples are capable of either installing or delivering a payload, so even those unprotected users that may have previously run the Silver Sparrow installer before it was blocked cannot now receive a payload.

5. How Can I Threat Hunt for Silver Sparrow Attempts?

Despite the fact that Silver Sparrow has no known payload, the mechanism is an interesting proof of concept. Security teams and individuals can look for the following indicators of compromise:

File Paths

/tmp/version.plist
/tmp/version.json
/tmp/agent
~/Library/Application Support/verx_updater/verx.sh
~/Library/LaunchAgents/init_verx.plist
~/Library/LaunchAgents/verx.plist
~/Library/LaunchAgents/init_agent.plist
~/Library/Application Support/agent_updater

Hashes

0a38080d4101dccf056434348527835633dd589c ./agent.sh
1cfad5b29b12f3c27ad9efb84524532e27407547 ./init_agent.plist
debbb192798bb1c89d935257972498278885ccec ./com.tasks.updater
63c9506d704ee873a75abe18163122fcfe114cc5 ./update.pkg
0a2f947b5c844713b7c55188aa2e47917945816e ./updater.pkg
eca8a2fdb052676e96b56fe3559694eab3fe87bc Distribution
c03805a7b2ef8401f4b2c44698f361fb5fa03672 Distribution

URLs

hxxps://mobiletraits[.]s3.amazonaws.com/
hxxps://specialattributes[.]s3.amazonaws.com/
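The file paths and hashes above, together with the kill switch from section 4, are enough for a small hunting script. The one below is an added example, not code from the original post: the paths and SHA-1 values are copied from this page, and the `home` and `tmp` parameters exist so the same checks can be run against a constructed directory tree (which is what `run_demo` builds) instead of the live system, whose real locations are the defaults.

```python
"""Hunt for the Silver Sparrow file-path indicators and check the kill switch.

Added example, not code from the original post. Paths and SHA-1 hashes are
the ones listed on the page; `home` and `tmp` default to the live locations
but can be pointed at any directory tree.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

TMP_PATHS = ["version.plist", "version.json", "agent"]
HOME_PATHS = [
    "Library/Application Support/verx_updater/verx.sh",
    "Library/LaunchAgents/init_verx.plist",
    "Library/LaunchAgents/verx.plist",
    "Library/LaunchAgents/init_agent.plist",
    "Library/Application Support/agent_updater",
]
# SHA-1 -> file name, copied from the IoC list on the page.
KNOWN_SHA1 = {
    "0a38080d4101dccf056434348527835633dd589c": "agent.sh",
    "1cfad5b29b12f3c27ad9efb84524532e27407547": "init_agent.plist",
    "debbb192798bb1c89d935257972498278885ccec": "com.tasks.updater",
    "63c9506d704ee873a75abe18163122fcfe114cc5": "update.pkg",
    "0a2f947b5c844713b7c55188aa2e47917945816e": "updater.pkg",
    "eca8a2fdb052676e96b56fe3559694eab3fe87bc": "Distribution",
    "c03805a7b2ef8401f4b2c44698f361fb5fa03672": "Distribution",
}
KILL_SWITCH = "Library/._insu"


def sha1_of(path: Path) -> str:
    """SHA-1 of a file, read in chunks so large files are handled."""
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(home: Path | None = None, tmp: Path = Path("/tmp")) -> list[dict]:
    """One record per indicator present on disk. Files are hashed and matched
    against KNOWN_SHA1; an unmatched hash is still a hit, since it may be a
    variant the published list does not cover. Directories are reported as present."""
    home = home or Path.home()
    hits = []
    for path in [tmp / p for p in TMP_PATHS] + [home / p for p in HOME_PATHS]:
        if path.is_dir():
            hits.append({"path": str(path), "kind": "dir", "sha1": None, "known": False})
        elif path.is_file():
            digest = sha1_of(path)
            hits.append({"path": str(path), "kind": "file", "sha1": digest,
                         "known": digest in KNOWN_SHA1})
    return hits


def kill_switch_present(home: Path | None = None) -> bool:
    """True if the zero-byte file the persistence agent checks for exists."""
    home = home or Path.home()
    return (home / KILL_SWITCH).is_file()


def arm_kill_switch(home: Path | None = None) -> Path:
    """Same effect as `touch ~/Library/._insu`, creating Library if needed."""
    home = home or Path.home()
    target = home / KILL_SWITCH
    target.parent.mkdir(parents=True, exist_ok=True)
    target.touch()
    return target


def run_demo() -> dict:
    """Build a constructed tree with three indicators present, hunt it, then
    arm the kill switch. Nothing outside the temporary directory is touched."""
    base = Path(tempfile.mkdtemp(prefix="ss-hunt-"))
    home, tmp = base / "home", base / "tmp"
    (home / "Library/LaunchAgents").mkdir(parents=True)
    (home / "Library/Application Support/agent_updater").mkdir(parents=True)
    tmp.mkdir()
    (home / "Library/LaunchAgents/init_verx.plist").write_bytes(b"constructed plist\n")
    (tmp / "agent").write_bytes(b"constructed payload stand-in\n")
    before = kill_switch_present(home)
    hits = hunt(home, tmp)
    arm_kill_switch(home)
    return {"hits": hits, "kill_switch_before": before,
            "kill_switch_after": kill_switch_present(home)}


if __name__ == "__main__":
    result = run_demo()
    for hit in result["hits"]:
        print(hit)
    print("kill switch:", result["kill_switch_before"], "->", result["kill_switch_after"])
```

On a real host, call hunt() and kill_switch_present() with no arguments; the hashed output lets you tell a file that matches the published samples from one that merely sits at a known path, and the latter still merits collection since it may be a variant not in the list.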

Conclusion

Silver Sparrow represents a novel infection mechanism but to date has no known malicious payload. While users are right to be concerned about any new threat that appears to bypass static signature mechanisms, current evidence suggests that Silver Sparrow is a proof of concept set up by an actor looking to sell an install mechanism to adware/PPI clients.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Winning enterprise sales teams know how to persuade the Chief Objection Officer

Many enterprise software startups at some point have faced the invisible wall. For months, your sales team has done everything right. They’ve met with a prospect several times, provided them with demos, free trials, documentation and references, and perhaps even signed a provisional contract.

The stars are all aligned and then, suddenly, the deal falls apart. Someone has put the kibosh on the entire project. Who is this deal-blocker and what can software companies do to identify, support and convince this person to move forward with a contract?

I call this person the Chief Objection Officer.

Who is this deal-blocker and what can software companies do to identify, support and convince this person to move forward with a contract?

Most software companies spend a lot of time and effort identifying their potential buyers and champions within an organization. They build personas and do targeted marketing to these individuals and then fine-tune their products to meet their needs. These targets may be VPs of engineering, data leaders, CTOs, CISOs, CMOs or anyone else with decision-making authority. But what most software companies neglect to do during this exploratory phase is to identify the person who may block the entire deal.

This person is the anti-champion with the power to scuttle a potential partnership. Like your potential deal-makers, these deal-breakers can have any title with decision-making power. Chief Objection Officers aren’t simply potential buyers who end up deciding your product is not the right fit, but are instead blockers-in-chief who can make departmentwide or companywide decisions. Thus, it’s critical for software companies to identify the Chief Objection Officers that might block deals and, then, address their concerns.

So how do you identify the Chief Objection Officer? The trick is to figure out the main pain points that arise for companies when considering deploying your solution, and then walk backward to figure out which person these challenges impact the most. Here are some common pain points that your potential customers may face when considering your product.

Change is hard. Never underestimate the power of the status quo. Does implementing your product in one part of an organization, such as IT, force another department, such as HR, to change how they do their daily jobs?

Think about which leaders will be most reluctant to make changes; these Chief Objection Officers will likely not be your buyers, but instead the heads of departments most impacted by the implementation of your software. For example, a marketing team may love the ad targeting platform they use and thus a CMO will balk at new database software that would limit or change the way customer segment data is collected. Or field sales would object to new security infrastructure software that makes it harder for them to access the company network from their phones. The head of the department that will bear the brunt of change will often be a Chief Objection Officer.

Is someone’s job on the line?

Another common pain point when deploying a new software solution is that one or more jobs may become obsolete once it’s up and running. Perhaps your software streamlines and outsources most of a company’s accounts payable processes. Maybe your SaaS solution will replace an on-premise homegrown one that a team of developers has built and nurtured for years.

The Good, the Bad and the Ugly in Cybersecurity – Week 8

The Good

This week was another successful week with regards to law enforcement operations against ransomware actors. Early in the week, news broke regarding the arrest of an Egregor ransomware operation running out of the Ukraine. The individuals were affiliate operators as opposed to the actual ‘authors’ or ‘source’ of the ransomware.

The arrests were part of a joint operation between French and Ukrainian law enforcement agencies. It is said that the apprehended individuals were responsible for affiliate-based deployment of Egregor ransomware, along with the relevant breaching of the targeted environment.

Egregor has been utilized in numerous high-profile attacks over the last 6 months. It has also been associated with other malware families and is often observed being used in tandem with these threats (e.g., Qbot). It is not confirmed to be related, but the Egregor payment portal and victim blogs (both TOR-based and clearnet) have been down for weeks. The momentum of Egregor has definitely slowed and taken a hit, at least partially due to these law enforcement operations. It remains to be seen what the future holds for Egregor, but at the moment, it appears to be left-for-dead. It may be that the threat actors are also moving away to newer platforms, as they did from Maze. We will be watching these groups closely in the coming weeks.

The Bad

This week, CISA (Cybersecurity and Infrastructure Security Agency) released Alert AA21-048A. This is the latest joint alert covering malicious activity out of North Korea. Specifically, the alert covers AppleJeus, a well-known tool in the DPRK (aka Lazarus) arsenal used for cryptocurrency theft. This latest advisory comes to us from the FBI, CISA, and the Department of Treasury.

According to the alert, Lazarus has been launching targeted cryptocurrency-stealing operations in over 30 countries in the past year alone but has a much longer history going back to at least 2018. The malware is delivered via specially-crafted cryptocurrency trading applications (JMT Trading, Celas Trade Pro, UnionCrypto, Kupay Wallet, CoinGoTrade, Dorusio, Ants2Whale).

gif image of Lazarus JMT Trader malware

For extra credibility, the threat actors built custom websites with SSL certified domains to fool unwary crypto users into using the malicious apps, which were fully functional and based on copies of open-source cryptocurrency exchange programs like Q.T. Bitcoin Trader and Blackbird Bitcoin Arbitrage.

While much of the alert focuses on the macOS platform, it should be noted that there are Windows variants of the malware as well. The alert covers, in detail, seven versions of the cryptocurrency-thieving malware and includes a number of IOCs and other actionable intelligence data. We recommend that all review the latest alert, and stay on top of all malicious behavior coming from the Lazarus APT group.

The Ugly

In this day and age, there is no shortage of ransomware attacks, and this week it was revealed that Kia Motors America had been targeted and infected with DoppelPaymer ransomware.

This past Saturday, Kia noted a widespread outage of many critical systems. The effects were felt internally and externally as the attack also affected the use of many of the company’s mobile applications. In addition, all U.S. dealer-specific platforms, IT Servers, phone-based support systems, and self-payment phone systems were affected by the attack. While availability of Kia systems and services across the United States has been severely impacted, international systems appear to be less affected.

As these attacks become more prevalent, we are increasingly seeing ‘household names’ on the victim list. Once again, this highlights the critical need for quality preventative controls. Attackers knowingly target vulnerable systems, even when certain security tools are installed, because threat actors know it is trivial to bypass them.

In this ongoing cat and mouse game, it is vital to have full visibility across your environment, along with a trusted XDR platform. Mix that with regular and continually updated user education (how to spot phishing attacks and similar) and we are all in a much better position to prevent these attacks altogether.



SailPoint is buying SaaS management startup Intello

SailPoint, an identity management company that went public in 2017, announced it was going to be acquiring Intello, an early-stage SaaS management startup. The two companies did not share the purchase price.

SailPoint believes that by helping its customers locate all of the SaaS tools being used inside a company, it can help IT make the company safer. Part of the problem is that it’s so easy for employees to deploy SaaS tools without IT’s knowledge, and Intello gives them more visibility and control.

In fact, the term “shadow IT” developed over the last decade to describe this ability to deploy software outside of the purview of IT pros. With a tool like Intello, they can now find all of the SaaS tools and point the employees to sanctioned ones, while shutting down services the security pros might not want folks using.

Grady Summers, EVP of product at SailPoint, says that this problem has become even more pronounced during the pandemic as many companies have gone remote, making it even more challenging for IT to understand what SaaS tools employees might be using.

“This has led to a sharp rise in ungoverned SaaS sprawl and unprotected data that is being stored and shared within these apps. With little to no visibility into what shadow access exists within their organization, IT teams are further challenged to protect from the cyber risks that have increased over the past year,” Summers explained in a statement. He believes that with Intello in the fold, it will help root out that unsanctioned usage and make companies safer, while also helping them understand their SaaS spend better.

Intello has always seen itself as a way to increase security and compliance and has partnered in the past with other identity management tools like Okta and OneLogin. The company was founded in 2017 and raised $5.8 million according to Crunchbase data. That included a $2.5 million extended seed in May 2019.

Yesterday, another SaaS management tool, Torii, announced a $10 million Series A. Other players in the SaaS management space include BetterCloud and Blissfully, among others.

Ironclad’s Jason Boehmig: The objective of pricing is to become less wrong over time

In 2017, Ironclad founder and CEO Jason Boehmig was looking to raise a Series A. As a former lawyer, Boehmig had a specific process for fundraising and an ultimate goal of finding the right investors for his company.

Part of Boehmig’s process was to ask people in the San Francisco Bay Area about their favorite place to work. Many praised RelateIQ, a company founded by Steve Loughlin who had sold it to Salesforce for $390 million and was brand new to venture at the time.

“I wanted to meet Steve and had kind of put two and two together,” said Boehmig. “I was like, ‘There’s this founder I’ve been meaning to connect with anyways, just to pick his brain, about how to build a great company, and he also just became an investor.’”

On this week’s Extra Crunch Live, the duo discussed how the Ironclad pitch excited Loughlin about leading the round. (So excited, in fact, he signed paperwork in the hospital on the same day his child was born.) They also discussed how they’ve managed to build trust by working through disagreements and the challenges of pricing and packaging enterprise products.

As with every episode of Extra Crunch Live, they also gave feedback on pitch decks submitted by the audience. (If you’d like to see your deck featured on a future episode, send it to us using this form.)

We record Extra Crunch Live every Wednesday at 12 p.m. PST/3 p.m. EST/8 p.m. GMT. You can see our past episodes here and check out the March slate right here.

Episode breakdown:

  • The pitch — 2:30
  • How they operate — 23:00
  • The problem of pricing — 29:00
  • Pitch deck teardown — 35:00

The pitch

When Boehmig came in to pitch Accel, Loughlin remembers feeling ambivalent. He had heard about the company and knew a former lawyer was coming in to pitch a legal tech company. He also trusted the reference who had introduced him to Boehmig, and thought, “I’ll take the meeting.”

Then, Boehmig dove into the pitch. The company had about a dozen customers that were excited about the product, and a few who were expanding use of the product across the organization, but it wasn’t until the ultimate vision of Ironclad was teased that Loughlin perked up.

Loughlin realized that the contract can be seen as a core object that could be used to collaborate horizontally across the enterprise.

“That was when the lightbulb went off and I realized this is actually much bigger,” said Loughlin. “This is not a legal tech company. This is core horizontal enterprise collaboration in one of the areas that has not been solved yet, where there is no great software yet for legal departments to collaborate with their counterparts.”

He listed all the software that those same counterparts had to let them collaborate: Salesforce, Marketo, Zendesk. Any investor would be excited to hear that a potential portfolio company could match the likes of those behemoths. Loughlin was hooked.

“There was a slide that I’m guessing Jason didn’t think much of, as it was just the data around the business, but I got pretty excited about it,” said Loughlin. “It said, for every legal user Ironclad added, they added nine other users from departments like sales, marketing, customer service, etc. It was evidence that this theory of collaboration could be true at scale.”

Mexican Politician Removed Over Alleged Ties to Romanian ATM Skimmer Gang

The leader of Mexico’s Green Party has been removed from office following allegations that he received money from a Romanian ATM skimmer gang that stole hundreds of millions of dollars from tourists visiting Mexico’s top tourist destinations over the past five years. The scandal is the latest fallout stemming from a three-part investigation into the organized crime group by KrebsOnSecurity in 2015.

One of the Bluetooth-enabled PIN pads pulled from a compromised ATM in Mexico. The two components on the left are legitimate parts of the machine. The fake PIN pad made to be slipped under the legit PIN pad on the machine, is the orange component, top right. The Bluetooth and data storage chips are in the middle.

Jose de la Peña Ruiz de Chávez, who leads the Green Ecologist Party of Mexico (PVEM), was dismissed this month after it was revealed that his were among 79 bank accounts seized as part of an ongoing law enforcement investigation into a Romanian organized crime group that owned and operated an ATM network throughout the country.

In 2015, KrebsOnSecurity traveled to Mexico’s Yucatan Peninsula to follow up on reports about a massive spike in ATM skimming activity that appeared centered around some of the nation’s primary tourist areas.

That three-part series concluded that Intacash, an ATM provider owned and operated by a group of Romanian citizens, had been paying technicians working for other ATM companies to install sophisticated Bluetooth-based skimming devices inside cash machines throughout the Quintana Roo region of Mexico, which includes Cancun, Cozumel, Playa del Carmen and Tulum.

Unlike most skimmers — which can be detected by looking for out-of-place components attached to the exterior of a compromised cash machine — these skimmers were hooked to the internal electronics of ATMs operated by Intacash’s competitors by authorized personnel who’d reportedly been bribed or coerced by the gang.

But because the skimmers were Bluetooth-based — allowing thieves periodically to collect stolen data just by strolling up to a compromised machine with a mobile device — KrebsOnSecurity was able to detect which ATMs had been hacked using nothing more than a cheap smart phone.

In a series of posts on Twitter, De La Peña denied any association with the Romanian organized crime gang, and said he was cooperating with authorities.

But it is likely the scandal will ensnare a number of other important figures in Mexico. According to a report in the Mexican publication Expansion Politica, the official list of bank accounts frozen by the Mexican Ministry of Finance includes those tied to the notary Naín Díaz Medina; the owner of the Quequi newspaper, José Alberto Gómez Álvarez; the former Secretary of Public Security of Cancun, José Luis Jonathan Yong; his father José Luis Yong Cruz; and former governors of Quintana Roo.

In May 2020, the Mexican daily Reforma reported that the skimming gang enjoyed legal protection from a top anti-corruption official in the Mexican attorney general’s office.

The following month, my reporting from 2015 emerged as the primary focus of a documentary published by the Organized Crime and Corruption Reporting Project (OCCRP) into Intacash and its erstwhile leader — 44-year-old Florian “The Shark” Tudor. The OCCRP’s series painted a vivid picture of a highly insular, often violent transnational organized crime ring (referred to as the “Riviera Maya Gang“) that controlled at least 10 percent of the $2 billion annual global market for skimmed cards.

It also details how the group laundered their ill-gotten gains, and is alleged to have built a human smuggling ring that helped members of the crime gang cross into the U.S. and ply their skimming trade against ATMs in the United States. Finally, the series highlights how the Riviera Maya gang operated with impunity for several years by exploiting relationships with powerful anti-corruption officials in Mexico.

In 2019, police in Mexico arrested Tudor for illegal weapons possession, and raided his various properties there in connection with an investigation into the 2018 murder of his former bodyguard Constantin Sorinel Marcu.

According to prosecution documents, Marcu and The Shark spotted my reporting shortly after it was published in 2015, and discussed what to do next on a messaging app:

The Shark: Krebsonsecurity.com See this. See the video and everything. There are two episodes. They made a telenovela.

Marcu: I see. It’s bad.

The Shark: They destroyed us. That’s it. Fuck his mother. Close everything.

The intercepted communications indicate The Shark also wanted revenge on whoever was responsible for leaking information about their operations.

The Shark: Tell them that I am going to kill them.

Marcu: Okay, I can kill them. Any time, any hour.

The Shark: They are checking all the machines. Even at banks. They found over 20.

Marcu: Whaaaat?!? They found? Already??

Since the OCCRP published its investigation, KrebsOnSecurity has received multiple death threats. One was sent from an email address tied to a Romanian programmer and malware author who is active on several cybercrime forums. It read:

“Don’t worry.. you will be killed you and your wife.. all is matter of time amigo :)”

To Be Continued…

How End Of Life Products Put Enterprises At Risk

The software stack used by enterprises can be a sprawling one, composed of legacy software, commercial enterprise software, open-source software and a mixture of on-premise and cloud deployments. What is common to all these types of software is the necessity to maintain them and keep them up to date. Failing to do so can cause operational problems (such as malfunctions), but more importantly, poorly maintained software can expose the organization to severe security risks.

‘End of Life’ should mean what it says: vendors mark software in a specific way that tells organizations not only that it’s no longer supported but also that it should no longer be deployed. But in almost any medium to large-sized organization, EOL software can be found, and sometimes even abound, across the enterprise, exposing the entire business to risk. Why do so many enterprises fail to heed the vendors’ warnings, and what are the dangers of doing so?

A Case Study: Accellion FTA

Accellion FTA (File Transfer Appliance) was the attack vector used in several recent high profile attacks, including: Singaporean telecom company Singtel, Australian medical research institute QIMR Berghofer, the Washington state auditor, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, and the University of Colorado.
 
All these entities were using Accellion’s FTA, an old software application used to store and share large files. If you’re not familiar with it, think Box, Dropbox or Google Drive, but much, much older, dating back to the early 2000s. Enterprises would buy an FTA license, install the software on their own servers, and use it to enable the storing and sharing of large files with customers and employees. A typical use case for such software back then would be transferring files too large to be sent over email, a service that nowadays is so common that most businesses already have other solutions. 

Accellion FTA is an old software product that has already been replaced by the vendor with Accellion Kiteworks, but it seems that many organizations kept using the old version, perhaps never realizing it was still installed on some forgotten server.

As often happens with products that have been on the market for a long time, people eventually find previously undiscovered vulnerabilities. In this case, it was a SQL injection vulnerability that enabled attackers to upload and install a webshell, giving them the ability to download files stored on the Accellion FTA server (and to clean up after the deed).

News of the attacks caught Accellion in the midst of transferring clients to their newer platforms. They have since released an emergency patch, urged their existing users to switch to the new products and issued an end-of-life announcement for FTA effective April 30, 2021. 

It is unclear whether Accellion meant to retire the product at that time anyway or chose to do so now because of the recent vulnerabilities. In any case, it is reasonable to expect that the official retirement of this product will not put an end to its exploitation.

So What’s The Problem With Older Software? 

You tried it, you bought it, and it still works all these years later. What’s not to like about software that lasts? Alas, the problems with using older software products are numerous. 

First, many of these products were released when testing methodologies were different and before bug bounty programs became popular. This means that they likely did not undergo the kind of rigorous testing (especially when it comes to automated load testing) and fuzzing that modern vulnerability testers (and threat actors) use. If someone were to test these old software products with contemporary tools, they might well detect new vulnerabilities that the vendor missed back then.

Second, vendors rarely bother to issue security updates for discontinued products. Why would they? They want you to buy their latest offering, and “end of life” and “unsupported” means what it says. Thus, even if new vulnerabilities are found, affected products are unlikely to receive appropriate patches.

Older software products might also suffer from operational issues such as lack of compatibility with newer products or protocols, poor reliability and higher maintenance costs when, for example, that software itself has either hardware, OS or other software dependencies.

Furthermore, older products may not be compatible with today’s compliance requirements or with insurance requirements, leaving the enterprise open to liability claims in the event of a breach.

No Pain, No Change – The Lure of Legacy Software

Despite all this, a global PC Trends Report found that 55% of all programs worldwide were out of date, and many operating systems in current use were out of date, too. Why is it, then, that enterprises continue with legacy software? 

There is no single answer, but it is often one or more of several factors, such as budget saving, lack of awareness and sometimes pure institutional inertia: if the organization is not seeing (or aware of) operational issues, there’s likely to be little incentive to “fix what ain’t broken”. No pain, no change. 

It’s also often easier to continue using the same, familiar technology stack across users, administrators and clients where there are long-standing workflows that no one wants to disrupt. 

Another factor: the perceived (if false) economy that replacing something that “still works” is an unnecessary and unwanted expense. 

Put any one or more of those together with an organization that is unaware of either the dangers or the existence of legacy software still in use, and you have a recipe for increased enterprise risk: an exploitation waiting to happen.

The Easiest Route To Exploitation

As noted, out-of-date software is a security risk. Attackers know this and seek to exploit it. The most famous example was the WannaCry attack of 2017. After NSA hacking tools were leaked online, notably EternalBlue, they were quickly leveraged to deploy new, wormable ransomware. The vulnerability had become known nearly three months before WannaCry, and Microsoft had released a patch for all relevant operating systems two months before the attack. Alas, thousands of organizations failed to install the patch and were hit as a result.

More recent incidents (in addition to Accellion FTA) include the attack in early February 2021 on a Florida water treatment plant that used the obsolete 32-bit version of Windows 7, and even the famous incident of Texas attorney Rod Ponton’s “feline” appearance before court was due to the fact he was using a 10-year-old laptop installed with avatar-augmenting software, likely Live! Cam Avatar or Crazy Talk 4, which he was unaware of (until catlike features appeared on his face).  

What Lies Ahead?

Given how poorly organizations have dealt with replacing older products in the past, it is very unlikely that many will do much better in the future, and for every one that doesn’t, history teaches that a breach is a real possibility. Organizations should recognize this is a significant security risk and treat it as such. Mitigating this risk involves awareness, preparation, and if needed, response.

A proper inventory of all IT assets and the software versions installed on them is the first step. Follow that up by identifying which products are obsolete and which are about to reach end of life, then decide if and how to replace them. Such products can include the now-retired Acrobat Reader and Adobe Flash releases, and older Windows versions such as Windows 7 and earlier releases of Windows 10. Be aware that, on May 11, 2021, the Home, Pro, Pro Education and Pro for Workstations editions of Windows 10 version 1909 and all editions of Windows Server, version 1909 will reach end of service.


Using tools like SentinelOne Ranger can assist in mapping the existing assets and associated software versions.
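Once such an inventory exists, the next step is to triage it against end-of-life dates. The script below is an added example, not SentinelOne's or Accellion's code: it assumes inventory records of the form (host, product, version, edition) as an asset-discovery tool might export them, takes the Accellion FTA and Windows 10 / Windows Server 1909 dates from this article, uses the vendors' published retirement dates for Windows 7 and Flash Player (not from the article), and treats any product with no entry on file as a finding rather than as supported. Host names and the sample inventory are constructed.

```python
"""EOL triage over a software inventory (added example, not vendor code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class EolRule:
    product: str
    version: Optional[str] = None           # None matches any version
    editions: Optional[frozenset] = None    # None matches any edition
    eol: Optional[date] = None              # None means already retired


# Accellion FTA and the 1909 dates are the ones given in the article.
# Windows 7 and Flash Player dates are the vendors' announced ones, not the article's.
EOL_RULES: List[EolRule] = [
    EolRule("Accellion FTA", eol=date(2021, 4, 30)),
    EolRule("Windows 10", "1909",
            frozenset({"Home", "Pro", "Pro Education", "Pro for Workstations"}),
            date(2021, 5, 11)),
    EolRule("Windows Server", "1909", None, date(2021, 5, 11)),
    EolRule("Windows 7", eol=date(2020, 1, 14)),
    EolRule("Flash Player", eol=date(2020, 12, 31)),
]


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str = ""
    edition: str = ""


def find_rule(asset: Asset, rules: List[EolRule] = EOL_RULES) -> Optional[EolRule]:
    """Return the most specific rule matching this asset, or None if none is on file."""
    best = None
    for r in rules:
        if r.product.lower() != asset.product.lower():
            continue
        if r.version is not None and r.version != asset.version:
            continue
        if r.editions is not None and asset.edition not in r.editions:
            continue
        # Prefer rules that pin a version and/or editions over catch-all entries.
        score = (r.version is not None) + (r.editions is not None)
        if best is None or score > best[0]:
            best = (score, r)
    return best[1] if best else None


def classify(asset: Asset, as_of: date, warn_days: int = 90,
             rules: List[EolRule] = EOL_RULES) -> str:
    """Classify one asset as EOL, EOL_SOON, SUPPORTED or UNKNOWN.

    UNKNOWN (no rule on file) is deliberately not folded into SUPPORTED:
    a gap in the EOL table is itself something to research, e.g. the
    Enterprise edition of 1909, which is not in the May 11 cut listed above.
    """
    rule = find_rule(asset, rules)
    if rule is None:
        return "UNKNOWN"
    if rule.eol is None or rule.eol <= as_of:
        return "EOL"
    if rule.eol - as_of <= timedelta(days=warn_days):
        return "EOL_SOON"
    return "SUPPORTED"


def triage(inventory: List[Asset], as_of: date,
           warn_days: int = 90) -> Dict[str, List[str]]:
    """Group host names by classification; lists are sorted for stable output."""
    report: Dict[str, List[str]] = {k: [] for k in ("EOL", "EOL_SOON", "SUPPORTED", "UNKNOWN")}
    for a in inventory:
        report[classify(a, as_of, warn_days)].append(a.host)
    for hosts in report.values():
        hosts.sort()
    return report


# Constructed sample inventory, including a forgotten FTA box.
SAMPLE_INVENTORY = [
    Asset("ftp-legacy-01", "Accellion FTA", "9.12"),
    Asset("ws-finance-07", "Windows 10", "1909", "Pro"),
    Asset("ws-eng-12", "Windows 10", "1909", "Enterprise"),
    Asset("srv-core-02", "Windows Server", "1909", "Datacenter"),
    Asset("kiosk-lobby", "Windows 7", "6.1", "Professional"),
    Asset("ws-design-03", "Flash Player", "32.0"),
    Asset("srv-files-01", "Windows Server", "2019", "Standard"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY, date(2021, 3, 1)).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Re-running the triage with a different as_of date shows the time dimension: the same FTA server reads SUPPORTED in December 2020, EOL_SOON in March 2021 and EOL after April 30, 2021.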

Organizations are also advised to adhere to vendor updates and patches, especially in the case of security products (some of which can have hidden critical security flaws for years). A next-gen security platform is a prerequisite for securing the organization if an attacker does find a way inside by leveraging vulnerabilities in older products.

How Can SentinelOne Help?

SentinelOne provides one platform to prevent, detect, respond, and hunt threats across all enterprise assets. See what has never been seen before. Control the unknown. All at machine speed.

Want to learn more about defending your organization? Contact us for more information or request a free demo.

Torii announces $10M Series A to automate SaaS management

Today, it should be pretty much a given that software is offered as a cloud service. Certainly any modern tooling is going to be SaaS, and as companies and employees add services, it becomes a management nightmare. Enter Torii, an early-stage startup that wants to make it easier to manage SaaS bloat.

Today, the company announced a $10 million Series A investment led by Wing Venture Capital, with participation from prior investors Entree Capital, Global Founders Capital, Scopus Ventures and Uncork Capital. The investment brings the total raised to $15 million, according to the company. Under the terms of the deal, Wing partner Jake Flomenberg is joining the board.

Uri Haramati, co-founder and CEO, is a serial entrepreneur who helped launch Houseparty and Meerkat. As a serial founder, he says that he and his co-founders saw firsthand how difficult it was to manage their companies’ SaaS applications, and the idea for Torii developed from that.

“We all felt the changes around SaaS and managing the tools that we were using. We were all early adopters of SaaS. We all [took advantage of SaaS] to scale our companies and we felt the same thing: The fact is that you just can’t add more people who manage more software, it just doesn’t scale,” Haramati told me.

He said they started Torii with the idea of using software to control the SaaS sprawl they were experiencing. At the heart of the idea was an automation engine to discover and manage all of the SaaS tools inside an organization. Once you know what you have, there is a no-code workflow engine to create workflows around those tools for key activities like onboarding or offboarding employees.


Torii Workflow Engine. Image Credits: Torii

The approach seems to be working. As the pandemic struck in 2020, more companies than ever needed to control and understand the SaaS tooling they had, and revenue grew 400% YoY last year. Customers include Delivery Hero, Chewy, Monday.com and Palo Alto Networks.

The company has also doubled its headcount from the dozen employees it started with last year, with plans to get to 60 people by the end of this year. As they do that, Haramati told me that, as experienced entrepreneurs, they already understood the value of developing a diverse and inclusive workforce, certainly around gender. Today, the team is 25 people, 10 of them women, and they are working to improve those ratios as they continue to add new people.

Flomenberg invested in Torii because he was particularly impressed with the automation aspect of the company and how it took a holistic approach to the SaaS management problem, rather than attempting to solve one part of it. “When I met Uri, he described this vision. It was really to become the operating system for SaaS. It all starts with the right data. You can trust data that is gathered from [multiple] sources to really build the right picture and pull it together. And then they took all those signals and they built a platform that is built on automation,” he said.

Haramati admits that it’s challenging to scale in the midst of a pandemic, but the company is growing and is already working to expand the platform to include product recommendations and help with compliance and cost control.

Tired of ‘Zoom University’? So is edtech

The rise of “Zoom University” was only possible because edtech wasn’t ready to address the biggest opportunity of the past year: remote learning at scale. Of course, the term encapsulates more than just Zoom, it’s a nod to how schools had to rapidly adopt enterprise video conferencing software to keep school in session in the wake of closures brought on by the virus’ rapid spread.

Now, nearly a year since students were first sent home because of the coronavirus, a cohort of edtech companies is emerging, emboldened with millions in venture capital, ready to take back the market.

The new wave of startups is slicing and dicing the same market of students and teachers who are fatigued by Zoom University, which at best often looks like a gallery view with a chat bar. Four of the companies that are gaining traction include Class, Engageli, Top Hat and InSpace. It signals a shift from startups playing in the supplemental education space to startups competing for the largest chunk of a student’s day: the classroom.

While each startup has its own unique strategy and product, the founders behind them all need to answer the same question: Can they make digital learning a preferred mode of pedagogy and comprehension — and not merely a backup — after the pandemic is over?

Answering that question begins with deciding whether videoconferencing is what online, live learning should look like.

Ground up

“This is completely grounds up; there is no Zoom, Google Meets or Microsoft Teams anywhere in the vicinity,” said Dan Avida, co-founder of Engageli, just a few minutes into the demo of his product.

Engageli, a new startup founded by Avida, Daphne Koller, Jamie Nacht Farrell and Serge Plotkin, raised $14.5 million in October to bring digital learning to college universities. The startup wants to make big lecture-style classes feel more intimate, and thinks digitizing everything from the professor monologues to side conversations between students is the way to go.

Engageli is a videoconferencing platform in that it connects students and professors over live video, but the real product feature that differentiates it, according to Avida, is in how it views the virtual classroom.

Upon joining the platform, each student is placed at a virtual table with another small group of students. Within those pods, students can chat, trade notes, screenshot the lecture and collaborate, all while hearing a professor lecture simultaneously.

“The FaceTime session going on with friends or any other communication platform is going to happen,” Avida said. “So it might as well run it through our platform.”

The tables can easily be scrambled to promote different conversation or debates, and teachers can pop in and out without leaving their main screen. It’s a riff on Zoom’s breakout rooms, which let participants jump into separate calls within a bigger call.

There’s also a notetaking feature that allows students to screenshot slides and live annotate them within the Engageli platform. Each screenshot comes with a hyperlink that will take the student back to the live recording of that note, which could help with studying.

“We don’t want to be better than Zoom, we want to be different than Zoom,” Avida said. Engageli can run on a variety of products of differing bandwidth, from Chromebooks to iPads and PCs.

Engageli is feature-rich to the point that it has to onboard teachers, its main customer, in two phases, a process that can take over an hour. While Avida says that it only takes five minutes to figure out how to use the platform to hold a class, it does take longer to figure out how to fully take advantage of all the different modules. Teachers and students need some digital savviness to be able to use the platform, which is both a barrier to adoption and a reason why Engageli can tout that it’s better than a simple call. Complexity, as Avida sees it, takes time that is well worth it.

The startup’s ambition doesn’t spare it from dealing with contract issues. Other video conferencing platforms can afford to be free or have already been budgeted for. Engageli currently charges $9.99 or less per student seat for its platform. Avida says that with Zoom, “it’s effectively free because people have already paid for it, so we have to demonstrate why we’re much better than those products.”

Engageli’s biggest hurdle is another startup’s biggest advantage.

Built on top of Zoom

Class, launched less than a year ago by Blackboard co-founder Michael Chasen, integrates exclusively with Zoom to offer a more customized classroom for students and teachers alike. The product, currently in private paid beta, helps teachers launch live assignments, track attendance and understand student engagement levels in real time.

While positioning an entire business on Zoom could lead to platform risk, Chasen sees it as a competitive advantage that will help the startup stay relevant after the pandemic.

“We’re not really pitching it as pandemic-related,” Chasen said. “No school has only said that we’re going to plan to use this for a month, and very few K-12 schools say we’re only looking at this in case a pandemic comes again.” Chasen says that most beta customers say online learning will be part of their instructional strategy going forward.

Investors clearly see the opportunity in the company’s strategy, from distribution to execution. Earlier this month, Class announced it had raised $30 million in Series A financing, just 10 weeks after raising a $16 million seed round. Raising that much pre-launch gives the startup key wiggle room, but it also gives validation: a number of Zoom’s earliest investors, including Emergence Capital and Bill Tai, who wrote the first check into Zoom, have put money into Class.

“At Blackboard, we had a six to nine month sales cycle; we’d have to explain that e-learning is a thing,” said Chasen, who spent 15 years at the LMS business. “[With Class] we don’t even have to pitch. It wraps up in a month, and our sales cycle is just showing people the product.”

Unlike Engageli, Class is selling to both K-12 institutions and higher-education institutions, which means its product is more focused on access and ease of use instead of specialized features. The startup has over 6,000 institutions, from high schools to higher education institutions, on the waitlist to join.

Image Credits: Class

Right now, Class software is only usable on Macs, but its beta will be available on iPhone, Windows and Android in the near future. The public launch is at the end of the quarter.

“K-12 is in a bigger bind,” he said, but higher-ed institutions are fully committed to using synchronous online learning for the “long haul.”

“Higher-ed has already been taking this step towards online learning, and they’re now taking the next step,” he said. “Whereas with a lot of K-12, I’m actually seeing that this is the first step that they’re taking.”

The big hurdle for Class, and any startup selling e-learning solutions to institutions, is post-pandemic utility. While institutions have traditionally been slow to adopt software due to red tape, Chasen says that both of Class’ customers, higher ed and K-12, are actively allocating budget for these tools. The price for Class ranges between $10,000 to $65,000 annually, depending on the number of students in the classes.

“We have not run into a budgeting problem in a single school,” he said. “Higher ed has already been taking this step towards online learning, and they’re now taking the next step, whereas K-12, this is the first step they’re taking.”

Asynchronously, silly

Engageli and Class are both trying to innovate on the live learning experience, but Top Hat, which raised $130 million in a Series E round this past week, thinks that the future is pre-recorded video.

Top Hat digitizes textbooks, but instead of putting a PDF on a screen, the startup fits features such as polls and interactive graphics in the text. The platform has attracted millions of students on this premise.

“We’re seeing a lot of companies putting emphasis on creating a virtual classroom,” said Top Hat CEO Mike Silagadze. “But replicating the same thing in a different medium is never a good idea…nobody wants to stare at a screen and then have the restraint of having to show up at a previous pre-prescribed time.”

In July, Top Hat launched Community to give teachers a way to make class more than just a YouTube video. Similar to ClassDojo, Community provides a space for teachers and students to converse and stay up to date on shared materials. The interface also allows students to create private channels to discuss assignments and work on projects, as well as direct message their teachers.

CEO Mike Silagadze says that Top Hat tried a virtual classroom tool early on, and “very quickly learned that it was fundamentally just the wrong strategy.” His mindset contrasts with the demand that Class and Engageli have proven so far, to which Silagadze says might not be as long-term as they think.

“There’s definitely a lot of interest that’s generated in people signing up to beta lists and like wanting to try it out. But when people really get into it, everyone pretty much drops off and focuses more on asynchronous, small and in-person groups.”

Instead, the founder thinks that “schools are going to double down on the really valuable in-person aspects of higher education that they couldn’t provide before” and deliver other content, like large lecture-style classes or meetings, through asynchronous content delivery.

This is similar to what Jeff Maggioncalda, the CEO of Coursera, told TechCrunch in November: Colleges are going to re-invest in their in-person and residential experiences, and begin offering credentials and content online to fill in the gaps.

“We’ve been on the journey to create a more and more complete platform that our customers can use since almost day one,” Silagadze said. “What the pandemic has brought is much more comprehensive testing functionality that Top Hat has rolled out and better communication tooling so basically better chat and communication tooling for professors.”

TopHat costs $30 per semester, per student. Currently Top Hat has most of its paying customers coming in through its content offering, the digital textbooks, instead of this learning platform.

College spin-out

InSpace, a startup spinning out of Champlain College, is similarly focused on making the communication between professors and students more natural. Dr. Narine Hall, the founder of the startup, is a professor herself who just wanted class to “feel more natural” when it was being conducted.

InSpace is similar to some of the virtual HQ platforms that have popped up over the past few months. The platforms, which my colleague Devin Coldewey aptly dubbed Sims for Enterprise, are trying to create the feel of an office or classroom online but without a traditional gallery view or conference call vibe. The potential success of inSpace and others could signal how the future of work will blend gaming and socialization for distributed teams.

InSpace is using spatial gaming infrastructure to create spontaneity. The technology allows users to only hear people within their nearby proximity, and get quieter as they walk, or click, away. When applied to a virtual world, spatial technology can give the feeling of a hallway bump-in.

Similar to Engageli, inSpace is rethinking how an actual class is conducted. In inSpace, students don’t have to leave the main call to have a conversation, as they do in Zoom. Students can just toggle over to their own areas, and a professor can see teamwork being done in real time. When a student has a question, their bubble becomes bigger, which is easier to track than the hand-raise feature, says Hall.

InSpace has a different monetization strategy than other startups. It charges $15 a month per-educator or “host” versus per-student, which Hall says was so educators could close contracts “as fast as possible.” Hall agrees with other founders that schools have a high demand for the product, but she says that the decision-making process around buying new tooling continues to be difficult in schools with tight budgets, even amid a pandemic. There are currently 100 customers on the platform.

So far, Hall sees inSpace working best with classes that include 25 people, with a max of 50 people.

The company was born out of her own frustrations as a teacher. In grad school, Hall worked on research that combined proximity-based interactions with humans. When August rolled around and she needed a better solution than WebEx or Zoom, she turned to that same research and began building code atop it. It led to inSpace, which recently announced that it has landed $2.5 million in financing led by Boston Seed Capital.

The differences between each startup, from strategy to monetization to its view of the competition, are music to Zoom’s ears. Anne Keough Keehn, who was hired as Zoom’s Global Education Lead just nine months ago, says that the platform has a “very open attitude and policy about looking at how we best integrate…and sometimes that’s going to be a co-opetition.”

“In the past there has been too much consolidation and therefore it limits choices,” Keehn said. “And we know everybody in education likes to have choices.” Zoom will be used differently in a career office versus a class, and in a happy hour versus a wedding; the platform sees opportunity in it all beyond the “monolithic definition” that video-conferencing has had for so long.

And, despite the fact that this type of response is expected by a well-trained executive at a big company in the spotlight, maybe Keehn is onto something here: Maybe the biggest opportunity in edtech right now is that there is opportunity and money in the first place, for remote learning, for better video-conferencing and for more communication.

Editor’s note: A previous version of this story claims that TopHat’s community platform cost $30 per student, per month. TopHat has clarified since that the community platform is free, but its core product is sold for this cost. An update has been made to reflect this clarification.