Axis Security raises $32M to help companies stay secure while working from home

Axis Security launched last year with the idea of helping customers enable contractors and third parties to remotely access a company’s systems in a safe way, but when the pandemic hit, they saw another use case, one which had been on their road map: helping keep systems secure when employees were working from home.

Today, the company announced a $32 million Series B investment led by Canaan Partners, with participation from existing investors Ten Eleven Ventures and Cyberstarts. Today’s round brings the total raised to $49 million, according to Axis.

Gil Azrielant, co-founder and CTO, says that the company was able to make the shift to a work from home security scenario so quickly because it had built the product from the ground up to support this vision eventually. The pandemic just accelerated that approach.

“We decided to focus on third parties and contractors at first, but we saw where the puck was going and definitely [designed] the infrastructure to become a full-blown, secure access product. So the infrastructure was there, and we just had to add a few things that were planned for later,” Azrielant told TechCrunch.

He says that the company’s product uses the notion of Zero Trust, which, as the name suggests, assumes you can’t trust anyone on your system, and works from there. Using a rules-based engine, customers can create a secure environment based on each user’s role.

“What you can see, or what you can do, or what you can download or get to is fully controlled by our Application Access Cloud. This is based on what device you’re using, where you are, who you are, what role you’re in, and what you usually do and don’t do to determine the level of access you are going to get,” he said.

As the startup emerged from stealth last March just three days after the pandemic shutdown began in California, it had two main customers — a hotel chain and a pharmaceutical company — and CEO Dor Knafo says that as COVID took hold, “necessity became the mother of adoption.”

He added, “Both accounts came to us and asked us to start pursuing all these employee access use cases, and to us that was incredible because that gave them the push they needed to see the [remote access] vision just as vividly as we do.” Today it has added to that initial pair, and, while it wouldn’t share an exact number, it reports it has tens of customers.

Today, the startup has 38 employees almost evenly split between San Mateo, California and Tel Aviv, Israel, with plans to accelerate hiring to reach 100 people next year. As the company scales, Knafo says that he is trying to build a more diverse group as it moves to hire more people in the coming year.

“Today, we have incentive internally to help us hire in a more diverse way. We invest heavily in that, and we continue to [keep that at top of mind] for everyone in the company,” Knafo said.

Azrielant added that the pandemic has shown employees don’t have to be located near the offices, which have been closed for much of this year, and that opens up more possibilities to build a more diverse workforce because they can hire from anywhere.

With a product that has much utility right now, the company will be using the new influx of cash to help build out its sales and marketing operations and expand sales outside of North America.

“With COVID accelerating and with a shift to work from anywhere, we’ll definitely focus on bringing our products to more enterprises, which are facing this urgent challenge of working from home,” Knafo said.

Salesforce creates for profit platform to help governments distribute COVID vaccine when it’s ready

For more than 20 years, Salesforce has been selling cloud business software, but it has also used the same platform to build ways to track other elements besides sales, marketing and service information, including Work.com, the platform it created earlier this year to help companies develop and organize a safe way to begin returning to work during the pandemic.

Today, the company announced it was putting that same platform to work to help distribute and track a vaccine whenever it becomes available along with related materials like syringes that will be needed to administer it. The plan is to use Salesforce tools to solve logistical problems around distributing the vaccine, as well as data to understand where it could be needed most and the efficacy of the drug, according to Bill Patterson, EVP and general manager for CRM applications at Salesforce.

“The next wave of the virus phasing, if you will, will be [when] a vaccine is on the horizon, and we begin planning the logistics. Can we plan the orchestration? Can we measure the inventory? Can we track the outcomes of the vaccine once it reaches the public’s hands,” Patterson asked.

Salesforce has put together a new product called Work.com for Vaccines to put its platform to work to help answer these questions, which Patterson says ultimately involves logistics and data, two areas that are strengths for Salesforce.

The platform includes the core Work.com command center along with additional components for inventory management, appointment management, clinical administration, outcome monitoring and public outreach.

While this all sounds good, what Salesforce lacks, of course, is expertise in drug distribution or public health administration. The company believes, however, that by creating a flexible platform with open data, government entities can share that data with other software products outside of the Salesforce family.

“That’s why it’s important to use an open data platform that allows for aggregate data to be quickly summarized and abstracted for public use,” he said. He points to the fact that some states are using Tableau, the company that Salesforce bought last year for a tidy $15.7 billion, to track other types of COVID data.

“Many states today are running all their COVID testing and positive case reporting through the Tableau platform. We want to do the same kind of exchange of data with things like inventory management [for a vaccine],” he said.

While this sounds like a public service kind of activity, Salesforce intends to sell this product to governments to manage vaccines. Patterson says that to run a system like this at what they envision will be enormous scale, it will be a service that governments have to pay for to access.

This isn’t the first time that Salesforce has created a product that falls somewhat outside of the standard kind of business realm, but which takes advantage of the Salesforce platform. Last year it developed a tool to help companies measure how sustainable they are being. While the end goal is positive, just like Work.com for Vaccines and the broader Work.com platform, it is a tool that they charge for to help companies implement and measure these kinds of initiatives.

The tool set is available starting today. Pricing will vary depending on the requirements and components of each government entity.

The real question here is whether this kind of distribution platform should be created by a private company like Salesforce for profit, or whether it would be better suited to an open source project, where a community of developers could create the software and distribute it for free.

How Twilio built its own conference platform

Twilio’s annual customer conference was supposed to happen in May, but like everyone else who had live events scheduled for this year, it ran smack-dab into COVID-19 and was forced to cancel. That left the company wondering how to reimagine the event online. It began an RFP process to find a vendor to help, but eventually concluded it could use its own APIs and built a platform on its own.

That’s a pretty bold move, but one of the key issues facing Twilio was how to recreate the in-person experience of the show floor where people could chat with specific API experts. After much internal deliberation, they realized that was what their communication API products were designed to do.

Once they committed to going their own way, they began a long process that involved figuring out must-have features, building consensus in the company, creating a development and testing cycle and finding third-party partnerships to help them when they ran into the limitations of their own products.

All that work culminates this week when Twilio holds its annual Signal Conference online Wednesday and Thursday. We spoke to In-Young Chang, director of experience at Twilio, to learn how this project came together.

Chang said once the decision was made to go virtual, the biggest issue for them (and for anyone putting on a virtual conference) was how to recreate that human connection that is a natural part of the in-person conference experience.

The company’s first step was to put out a request for proposals with event software vendors. She said that the problem was that these platforms hadn’t been designed for the most part to be fully virtual. At best, they had a hybrid approach, where some people attended virtually, but most were there in person.

“We met with a lot of different vendors, vendors that a lot of big tech companies were using, but there were pros to some of them, and then cons to others, and none of them truly fit everything that we needed, which was connecting our customers to product experts [like we do at our in-person conferences],” Chang told TechCrunch.

Even though they had winnowed the proposals down to a manageable few, they weren’t truly satisfied with what the event software vendors were offering, and they came to a realization.

“Either we find a vendor who can do this fully custom in three months’ time, or [we do it ourselves]. This is what we do. This is in our DNA, so we can make this happen. The hard part became how do you prioritize because once we made the conference fully software-based, the possibilities were endless,” she said.

All of this happened pretty quickly. The team interviewed the vendors in May, and by June made the decision to build it themselves. They began the process of designing the event software they would be using, taking advantage of their own communications capabilities, first and foremost.

The first thing they needed to do was meet with various stakeholders inside the company and figure out the must-have features in their custom platform. She said that reeling in people’s ambitions for version 1.0 of the platform was part of the challenge that they faced trying to pull this together.

“We only had three months. It wasn’t going to be totally perfect. There had to be some prioritization and compromises, but with our APIs we [felt that we] could totally make this happen,” Chang said.

They started meeting with different groups across the company to find out their must-haves. They knew that they wanted to recreate this personal contact experience. Other needs included typical conference activities like being able to collect leads and build agendas and the kinds of things you would expect to do at any conference, whether in-person or virtual.

As the team met with the various constituencies across the company, they began to get a sense of what they needed to build and they created a priorities document, which they reviewed with the Signal leadership team. “There were some hard conversations and some debates, but everyone really had goodwill toward each other knowing that we only had a few months,” she said.

Signal Concierge Agent helps attendees navigate the online conference. Image Credits: Twilio

The team believed it could build a platform that met the company’s needs, but with only 10 developers working on it, they had a huge challenge to get it done in three months.

With one of the major priorities putting customers together with the right Twilio personnel, they decided to put their customer service platform, Twilio Flex, to work on the problem. Flex combines voice, messaging, video and chat in one interface. While the conference wasn’t a pure customer service issue, they believed that they could leverage the platform to direct requests to people with the right expertise and recreate the experience of walking up to the booth and asking questions of a Twilio employee with a particular skill set.

“Twilio Flex has Taskrouter, which allows us to assign agents unique skills-based characteristics, like you’re a video expert, so I’m going to tag you as a video expert. If anyone has a question around video, I know that we can route it directly to you,” Chang explained.

They also built a bot companion, called Signal Concierge, that moves through the online experience with each attendee and helps them find what they need, applying their customer service approach to the conference experience.

“Signal Concierge is your conference companion, so that if you ever have a question about what session you should go to next or [you want to talk to an expert], there’s just one place that you have to go to get an answer to your question, and we’ll be there to help you with it,” she said.

The company couldn’t do everything with Twilio’s tools, so it turned to third parties in those cases. “We continued our partnership with Klik, a conference data and badging platform all available via API. And Perficient, a Twilio SI partner we hired to augment the internal team to more quickly implement the custom Twilio Flex experience in the tight time frame we had. And Plexus, who provided streaming capabilities that we could use in an open-source video player,” she said.

They spent September testing what they built, making sure the Signal Concierge was routing requests correctly and all the moving parts were working. They open the virtual doors on Wednesday morning and get to see how well they pulled it off.

Chang says she is proud of what her team pulled off, but recognizes this is a first pass and future versions will have additional features that they didn’t have time to build.

“This is V1 of the platform. It’s not by any means exactly what we want, but we’re really proud of what we were able to accomplish from scoping the content to actually building the platform within three months’ time,” she said.

Papaya Global raises $40M for a payroll and HR platform aimed at global workforces

Workforces are getting more global, and people who work day in, day out for organizations don’t always sit day in, day out in a single office, in a single country, to get a job done. Today, one of the startups building HR to help companies provision services for and manage those global workers better is announcing a funding round to capitalise on a surge in business that it has seen in the last year — spurred in no small part by the global health pandemic, the impact it’s had on travel and the way it has focused the minds of companies to get their cloud services and workforce management in order.

Papaya Global, an Israeli startup that provides cloud-based payroll, as well as hiring, onboarding and compliance services for organizations that employ full-time, part-time, or contract workers outside of their home country, has raised $40 million in a Series B round of funding led by Scale Venture Partners. Workday Ventures — the corporate investment arm of the HR company — Access Industries (via its Israeli vehicle Claltech), and previous investors Insight Partners, Bessemer Venture Partners, New Era Ventures, Group 11, and Dynamic Loop also participated.

The money comes less than a year after its Series A of $45 million, following the company growing 300% year-over-year since 2016. It has now raised $95 million and is not disclosing valuation. But Eynat Guez, the CEO who co-founded the company in that year with Ruben Drong and Ofer Herman, said in an interview that it’s 5x the valuation it had in its round last year.

Its customers include fast-growing startups (precisely the kind of customer that not only has global workforces, but is expanding its employee base quickly) like OneTrust, nCino and Hopin, as well as major corporates like Toyota, Microsoft, Wix, and General Dynamics.

Guez said Papaya Global was partly born out of the frustrations she herself had with HR solutions — she’s worked in the field for years. Different countries have different employment regulations, varied banking rules, completely different norms in terms of how people get paid, and so on. While there have been some really modern tools built for local workforces — Rippling, Gusto, Zenefits now going head to head with incumbents like ADP — they weren’t built to address these issues.

Other HR people who have dealt with international workers would understand her pain; those who control the purse strings might have been less aware of the fragmentation. All that changed in the last eight months (and for the foreseeable future), a period when companies have had to reassess everything about how they work to make sure that they can get through the current period without collapsing.

“The major impact of Covid-19 for us has been changing attitudes,” said Guez. “People usually think that payroll works by itself, but it’s one of the more complex parts of the organization, covering major areas like labor, accounting, tax. Eight months ago, a lot of clients thought, it just happens. But now they realize they didn’t have control of the data, some don’t even have a handle on who is being paid.”

As people moved into and out of jobs, and out of offices into working from home, as the pandemic kicked off, some operations fell apart as a result, she said. “Payroll continuity is like IT continuity, and so all of a sudden when Covid started its march, we had prospects calling us saying they didn’t have data on, for example, their Italian employees, and the office they were using wasn’t answering the phone.”

Guez herself is walking the walk on the remote working front. Papaya Global has offices around the world, and Guez is normally based in Tel Aviv, but our interview was conducted with her in the Maldives. She said she and her family decided to decamp elsewhere before Israel went into a second lockdown, which was very tough to handle in a small flat with small children. Working anywhere, as we have found out, can work.

The company is not the only one that has identified this need and is building tools to help organizations handle global workforces. In fact, just when you would think the unemployment, furlough and layoff crunch is affecting an inordinate number of people and the job market is in a slump, a rush of such startups, along with other HR companies, have all been announcing significant funding rounds this year on the back of surges in business.

Others that have raised money during the pandemic include Deel, which like Papaya Global is also addressing the complexities of running global workforces; Turing, which helps with sourcing and then managing international teams; Factorial with its platform targeting specifically SMBs; Lattice focused on the bigger challenges of people management; and Rippling, the second act from Zenefits’ Parker Conrad.

“Papaya Global’s accelerating growth is a testament to their top-notch executive leadership as well as their ability to streamline international payroll management, a first for many enterprises that have learned to live with highly manual payroll processes,” said Rory O’Driscoll, a partner at Scale Venture Partners, in a statement. “The complexity and cost of managing multi-region workforces cannot be understated. Eynat and her team are uniquely serving their customers’ needs, bringing an advanced SaaS platform into a market long-starved for more effective software solutions.”

Who’s Behind Monday’s 14-State 911 Outage?

Emergency 911 systems were down for more than an hour on Monday in towns and cities across 14 U.S. states. The outages led many news outlets to speculate the problem was related to Microsoft‘s Azure web services platform, which also was struggling with a widespread outage at the time. However, multiple sources tell KrebsOnSecurity the 911 issues stemmed from some kind of technical snafu involving Intrado and Lumen, two companies that together handle 911 calls for a broad swath of the United States.

Image: West.com

On the afternoon of Monday, Sept. 28, several states including Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania and Washington reported 911 outages in various cities and localities.

Multiple news reports suggested the outages might have been related to an ongoing service disruption at Microsoft. But a spokesperson for the software giant told KrebsOnSecurity, “we’ve seen no indication that the multi-state 911 outage was a result of yesterday’s Azure service disruption.”

Inquiries made with emergency dispatch centers at several of the towns and cities hit by the 911 outage pointed to a different source: Omaha, Neb.-based Intrado — until last year known as West Safety Communications — a provider of 911 and emergency communications infrastructure, systems and services to telecommunications companies and public safety agencies throughout the country.

Intrado did not respond to multiple requests for comment. But according to officials in Henderson County, NC, which experienced its own 911 failures yesterday, Intrado said the outage was the result of a problem with an unspecified service provider.

“On September 28, 2020, at 4:30pm MT, our 911 Service Provider observed conditions internal to their network that resulted in impacts to 911 call delivery,” reads a statement Intrado provided to county officials. “The impact was mitigated, and service was restored and confirmed to be functional by 5:47PM MT. Our service provider is currently working to determine root cause.”

The service provider referenced in Intrado’s statement appears to be Lumen, a communications firm and 911 provider that until very recently was known as CenturyLink Inc. A look at the company’s status page indicates multiple Lumen systems experienced total or partial service disruptions on Monday, including its private and internal cloud networks and its control systems network.

Lumen’s status page indicates the company’s private and internal cloud and control system networks had outages or service disruptions on Monday.

In a statement provided to KrebsOnSecurity, Lumen blamed the issue on Intrado.

“At approximately 4:30 p.m. MT, some Lumen customers were affected by a vendor partner event that impacted 911 services in AZ, CO, NC, ND, MN, SD, and UT,” the statement reads. “Service was restored in less than an hour and all 911 traffic is routing properly at this time. The vendor partner is in the process of investigating the event.”

It may be no accident that both of these companies are now operating under new names, as this would hardly be the first time a problem between the two of them has disrupted 911 access for a large number of Americans.

In 2019, Intrado/West and CenturyLink agreed to pay $575,000 to settle an investigation by the Federal Communications Commission (FCC) into an Aug. 2018 outage that lasted 65 minutes. The FCC found that incident was the result of a West Safety technician bungling a configuration change to the company’s 911 routing network.

On April 6, 2014, some 11 million people across the United States were disconnected from 911 services for eight hours thanks to an “entirely preventable” software error tied to Intrado’s systems. The incident affected 81 call dispatch centers, rendering emergency services inoperable in all of Washington and parts of North Carolina, South Carolina, Pennsylvania, California, Minnesota and Florida.

According to a 2014 Washington Post story about a subsequent investigation and report released by the FCC, that issue involved a problem with the way Intrado’s automated system assigns a unique identifying code to each incoming call before passing it on to the appropriate “public safety answering point,” or PSAP.

“On April 9, the software responsible for assigning the codes maxed out at a pre-set limit,” The Post explained. “The counter literally stopped counting at 40 million calls. As a result, the routing system stopped accepting new calls, leading to a bottleneck and a series of cascading failures elsewhere in the 911 infrastructure.”

Compounding the length of the 2014 outage, the FCC found, was that the Intrado server responsible for categorizing and keeping track of service interruptions classified them as “low level” incidents that were never flagged for manual review by human beings.

The FCC ultimately fined Intrado and CenturyLink $17.4 million for the multi-state 2014 outage. An FCC spokesperson declined to comment on Monday’s outage, but said the agency was investigating the incident.

How to Catch a Spy | Detecting FinFisher Spyware on macOS

A report last week from human rights advocates Amnesty International brought to light a macOS variant of a cross-platform spyware suite known as FinSpy, developed and marketed by German-based outfit FinFisher. The FinSpy tool was written with multiple capabilities in mind, with everything from keylogger, audio recording, camera and screenshot tools to a remote access shell, file enumeration and exfiltration functions. In this post, we look at how to detect the macOS variant and list some previously unpublished IoCs.

What is FinFisher Spyware?

According to FinFisher’s own website and marketing material, the company produces tools for “tactical intelligence gathering”, “strategic intelligence gathering”, and “deployment methods and exploitation”. The company states that it only partners with “Law Enforcement and Intelligence Agencies” and has a “worldwide presence”.

Amnesty International and other civil rights organizations (e.g., the Citizen Lab), however, have noted FinSpy being used in campaigns targeting “activists, journalists and dissidents” in Egypt, Ethiopia, and the United Arab Emirates (UAE) among others. What ties these various campaigns together, aside from the use of FinFisher products, is that the targets are very frequently “human rights defenders”.

Although elements of the toolkit targeting macOS users have been known for some while to malware researchers, and some components of the macOS suite do not appear to be functional on the latest iterations of Apple’s desktop platform, our tests confirmed that the malware samples shared by Amnesty will still launch and infect a macOS Catalina install, and that some of the dropped malware is not well-known to reputation services like VirusTotal.

How Does FinSpy for macOS Work?

In their report, Amnesty provided the following hash for this sample on VirusTotal which we used for our analysis:

4f3003dd2ed8dcb68133f95c14e28b168bd0f52e5ae9842f528d3f7866495cea

Although some engines on VT have caught up with this sample, the majority still do not recognize it as malware at the time of writing, with only 12/59 detections.

As the sample is not Notarized, the user will need to be socially engineered to override the Notarization check on macOS Catalina, something that commodity malware authors at least have become very successful at achieving.

The trojan installer’s MacOS folder contains two executable files and a directory.

The Bash script, Install Çağlayan, contains the logic for executing the malicious application bundle in the hidden .log folder:

The ARA0848.app’s Mach-O executable contains logic to detect execution in a Virtual Machine environment as a means to thwart macOS malware researchers using any one of Parallels, VMware or VirtualBox virtualization software:

Since it is always wise to reverse macOS malware in an isolated test environment, we had to alter the sample slightly in order to beat its built-in anti-analysis detection routine. In our case, we are using an isolated Parallels Virtual Machine for this lab, so some light binary patching should take care of the VM detection.

First, we copy the binary off the DMG to local disk, and then open the binary in the vi editor:

Then we call the xxd utility from vi’s command line:

%!xxd

Next, we search for instances of “parallels”. Fortunately, there are only two:

We now edit the first character of each and change it from ‘parallels’ to ‘xarallels’ by replacing the hex 70 (‘p’) with 78 (‘x’). We then use %!xxd -r to reverse the hex back to binary format and save out of vi with the command wq.

Launching the sample on macOS Catalina requires overriding the Notarization check (more on this below), after which we immediately observe a request from the malware to elevate privileges. After obliging, the malware immediately writes the following files to the user’s Library Caches folder:

Aside from that, the FinFisher spyware seeks to maintain persistence by writing a domain-level LaunchAgent called logind.plist to the /Library/LaunchAgents folder.

The program argument targets /private/etc/logind, where we find the following setuid, setgid file:

While the path at /etc/logind (or /private/etc/logind) is well-known for this malware (see the next section), the executable dropped in our test is currently unknown on VirusTotal and, to our knowledge, has not been shared before:

02e4d0e23391bbbb75c47f5db44d119176803da74b1c170250e848de51632ae9

A different file with the same name, but also apparently virtually unknown on VT, appears at

/Library/Frameworks/Storage.framework/Contents/MacOS/logind

1cf36a2d8a2206cb4758dcdbd0274f21e6f437079ea39772e821a32a76271d46
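To turn the artifacts above into something a responder can run, here is an added example (not from the post or from SentinelOne): a read-only POSIX shell hunt for the paths and SHA256 values this post lists. The `finspy_hunt` function, its ROOT/HOME arguments and its output format are our own; the paths and hashes are the post’s.

```sh
#!/bin/sh
# Added example, not from the post or from SentinelOne: a read-only hunt for the
# FinSpy persistence artifacts the post describes. Paths and SHA256 values come
# from the post's IoC list; the scaffolding (ROOT/HOME arguments, output format)
# is our own. Run "finspy_hunt" with no arguments on a live Mac, or pass a
# mount point and a home directory to inspect a mounted image or a test tree.

# "path|sha256" pairs; "-" marks an artifact the post names but publishes no hash for.
# Entries starting with "~/" are resolved against the home directory being inspected.
FINSPY_IOCS='/Library/LaunchAgents/logind.plist|-
/private/etc/logind|02e4d0e23391bbbb75c47f5db44d119176803da74b1c170250e848de51632ae9
/Library/Frameworks/Storage.framework/Contents/MacOS/logind|1cf36a2d8a2206cb4758dcdbd0274f21e6f437079ea39772e821a32a76271d46
~/Library/LaunchAgents/logind|-
~/Library/Caches/org.logind.ctp.archive/helper|562c420921f5146273b513d17b9f470a99bd676e574c155376c3eb19c37baa09
~/Library/Caches/org.logind.ctp.archive/helper2|-'

# Portable SHA256: macOS ships shasum, most Linux systems ship sha256sum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# finspy_hunt [ROOT] [HOME_DIR]: prints one FOUND line per artifact present and a
# final "hits=N" summary line. Always returns 0 so it is safe under "set -e".
finspy_hunt() {
  root="${1:-/}"; root="${root%/}"      # "/" becomes "" so "$root/path" stays clean
  home="${2:-$HOME}"; home="${home%/}"
  hits=0
  # A here-document (rather than a pipe) keeps the loop in the current shell,
  # so the hits counter survives the loop.
  while IFS='|' read -r path expected; do
    case "$path" in
      "~/"*) full="$home/${path#??}" ;;   # strip the leading "~/"
      *)     full="$root$path" ;;
    esac
    [ -e "$full" ] || continue
    hits=$((hits + 1))
    if [ "$expected" = "-" ]; then
      status="present (no published hash to compare)"
    elif [ "$(sha256_of "$full")" = "$expected" ]; then
      status="matches the published SHA256"
    else
      status="present but SHA256 differs (newer build or unrelated file; inspect manually)"
    fi
    echo "FOUND $full: $status"
    # The dropped /private/etc/logind was setuid and setgid in the post's test run.
    if [ -u "$full" ] || [ -g "$full" ]; then
      echo "  setuid/setgid bit set on $full"
    fi
    # For the LaunchAgent, confirm its ProgramArguments really point at the dropped binary.
    case "$full" in
      *.plist)
        if grep -q '/private/etc/logind' "$full" 2>/dev/null; then
          echo "  plist references /private/etc/logind"
        fi ;;
    esac
  done <<EOF
$FINSPY_IOCS
EOF
  echo "hits=$hits"
  return 0
}
```

A non-zero hit count is a reason to pull the listed files and the plist for manual review, not proof on its own: a hash mismatch can be a newer build or an unrelated file that happens to share the name.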

Is FinSpy A New Kind of Fully Undetectable Malware?

Malware authors and resellers are always keen to paint their products as ‘undetectable’ or ‘fully undetectable’ (FUD) to attract customers, and we are sure those who market tools to “Law Enforcement and Intelligence Agencies” are just as concerned to make the same claims. If you’re in the market for buying malware, particularly spyware, then being undetectable is pretty much the first feature on your shopping list.

Despite such claims, very little malware is truly “fully undetectable”, simply because it needs to behave in certain, predictable ways in order to fulfil its objectives (for example, log keystrokes, communicate with a C2 and so on), and in this regard FinSpy is no different.

In fact, elements of FinSpy have been known to security researchers and static search engines for some time. In particular, a user path used by FinFisher for the persistence agent:

~/Library/LaunchAgents/logind

has been known since at least 2017. Other path elements can be seen added to Apple’s MRT.app in stages over recent months, with new detection paths added in v1.52 and v1.64:

Despite that, even the current MRT.app, v1.66, still doesn’t search for the LaunchAgent at the domain level.

More important, however, is that MRT.app’s detections don’t prevent Mac users from becoming victims of FinSpy. Apple’s MRT.app is a post-infection tool that runs at periodic intervals: primarily, when the user boots the Mac or logs in to a user account, as well as when the tool is silently updated by Apple in the background.

In order to actually try and prevent launch and execution of malicious code, Apple uses a number of different technologies: namely, Gatekeeper, Notarization and XProtect. While useful, the first two suffer from the weakness that they are overridable by the user, meaning that the malware can be installed either by socially engineering the victim or by a malicious user with temporary access to the victim’s computer.

On macOS 10.15 Catalina, XProtect has become far more robust and resistant to user bypass, but XProtect is only as useful as the signatures it contains. Since in our test we were able to execute both the FinSpy trojan installer and the hidden malicious application bundle it includes on a macOS Catalina 10.15.7 installation, we surmise that XProtect has yet to catch up with the latest FinSpy samples.

Does SentinelOne Protect Against FinSpy / FinFisher Malware?

Our test of the above samples shows that the SentinelOne agent correctly detects and blocks the FinFisher/FinSpy malware for macOS.

Our behavioral detection reveals that the FinSpy malware attempts Defense Evasion and Persistence, which we map to MITRE ATT&CK TTPs T1211 and T1160, respectively.

The SentinelOne management console Process Tree accurately maps the execution of malicious processes, correctly convicting those that belong to the malware (in red):

Conclusion

FinFisher’s FinSpy malware for macOS is a commercially produced and distributed product aimed at infecting Mac users for the purposes of spying, stealing data and remotely controlling the target machine. While we pass no judgement on whether this spyware is being ‘legitimately’ used by law enforcement or intelligence agencies around the world, we remain committed to ensuring that SentinelOne customers are fully protected from infection by this or any other unauthorized software on their endpoints. If you would like to see how SentinelOne can help protect your business, contact us today or request a free demo. For more insight into macOS malware threats, see here.

Indicators of Compromise

/Volumes/caglayan-macos/Install Çağlayan.app/Contents/MacOS/.log/ARA0848.app/Contents/MacOS/installer (Mach-O)
SHA256: 651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673
SHA1: 2584f1119c65ffd0936e2916b285389404b942c9

/private/etc/logind (Mach-O)
SHA256: 02e4d0e23391bbbb75c47f5db44d119176803da74b1c170250e848de51632ae9
SHA1: 62e5dc40bfabaa712cd9e32ac755384db07f0dab

/Library/Frameworks/Storage.framework/Contents/MacOS/logind (Mach-O)
SHA256: 1cf36a2d8a2206cb4758dcdbd0274f21e6f437079ea39772e821a32a76271d46
SHA1: d3dab40d51e1b4ff332b6be1c993c916c3d58481

~/Library/Caches/org.logind.ctp.archive/helper (Mach-O)
SHA256: 562c420921f5146273b513d17b9f470a99bd676e574c155376c3eb19c37baa09
SHA1: 72cb14bc737a9d77c040affa60521686ffa80b84

~/Library/Caches/org.logind.ctp.archive/helper2 (Python Script)
SHA256: af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0
SHA1: 9a0ede8fad59e7252502881554be0c21972238c9

~/Library/Caches/org.logind.ctp.archive/helper3 (Mach-O)
SHA256: 6ab836d19bc4b69dfe733beef295809e15ace232be0740bc326f58f9d31d8197
SHA1: 427a1c1daf9030069f0c771ce172c104513a7722

~/Library/Caches/org.logind.ctp.archive/installer (Mach-O)
SHA256: ac414a14464bf38a59b8acdfcdf1c76451c2d79da0b3f2e53c07ed1c94aeddcd
SHA1: a65965b960b3d322bbae467f51bf215d574b00cc
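The paths and SHA-256 values above can be turned directly into a host sweep. The script below is an added example, not SentinelOne's or Apple's code: it expands the persistence locations named in this post for every home directory under a scan root, hashes whatever it finds there and looks the digest up in the IoC table. A known path with an unknown hash is still reported, since the post notes that the LaunchAgent path alone has been a detection signal since 2017. The domain-level /Library/LaunchAgents/logind entry is an assumption drawn from the remark that MRT.app does not check that location; the scan root parameter, the demo() fixture and its dummy file contents are constructed for illustration and are not real samples.

```python
#!/usr/bin/env python3
"""Sweep a macOS volume for the FinSpy persistence artefacts listed in this post.

Added example, not SentinelOne's or Apple's code. Hashes and paths are copied
from the Indicators of Compromise; the scan root lets the sweep be pointed at a
mounted image or a test directory instead of the live system.
"""
import hashlib
from pathlib import Path
from typing import Dict, Iterator, List, Union

# SHA-256 values from the post's Indicators of Compromise section.
FINSPY_SHA256: Dict[str, str] = {
    "651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673": "trojan installer (ARA0848.app)",
    "02e4d0e23391bbbb75c47f5db44d119176803da74b1c170250e848de51632ae9": "/private/etc/logind",
    "1cf36a2d8a2206cb4758dcdbd0274f21e6f437079ea39772e821a32a76271d46": "Storage.framework logind",
    "562c420921f5146273b513d17b9f470a99bd676e574c155376c3eb19c37baa09": "helper",
    "af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0": "helper2 (Python script)",
    "6ab836d19bc4b69dfe733beef295809e15ace232be0740bc326f58f9d31d8197": "helper3",
    "ac414a14464bf38a59b8acdfcdf1c76451c2d79da0b3f2e53c07ed1c94aeddcd": "installer",
}

# Persistence locations from the post. "~" entries are expanded once per home
# directory under <root>/Users. The /Library/LaunchAgents twin is an assumption:
# the post says MRT.app does not look there, so the sweep does.
FINSPY_PATHS: List[str] = [
    "~/Library/LaunchAgents/logind",
    "/Library/LaunchAgents/logind",
    "/private/etc/logind",
    "/Library/Frameworks/Storage.framework/Contents/MacOS/logind",
    "~/Library/Caches/org.logind.ctp.archive",
]


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large Mach-O binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def expand_paths(root: Path) -> Iterator[Path]:
    """Turn the IoC path list into concrete locations under *root*, per home directory."""
    users = root / "Users"
    homes = [p for p in users.iterdir() if p.is_dir()] if users.is_dir() else []
    for entry in FINSPY_PATHS:
        if entry.startswith("~/"):
            for home in homes:
                yield home / entry[2:]
        else:
            yield root / entry.lstrip("/")


def files_under(location: Path) -> Iterator[Path]:
    """Yield the file itself, or every file inside it when the IoC is a directory."""
    if location.is_file():
        yield location
    elif location.is_dir():
        for p in sorted(location.rglob("*")):
            if p.is_file():
                yield p


def scan(root: Union[str, Path], known_hashes: Dict[str, str] = FINSPY_SHA256) -> List[dict]:
    """Report every file found at a known FinSpy location; hash_match is None for path-only hits."""
    findings = []
    for location in expand_paths(Path(root)):
        for f in files_under(location):
            digest = sha256_of(f)
            findings.append({"path": str(f), "sha256": digest, "hash_match": known_hashes.get(digest)})
    return findings


def demo() -> List[dict]:
    """Run the sweep over a constructed, throw-away tree; the dummy files are NOT real samples."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        helper2 = b"#!/usr/bin/env python\n# constructed stand-in for helper2\n"
        fixture = {
            "Users/alice/Library/LaunchAgents/logind": b"constructed user-level agent",
            "Library/LaunchAgents/logind": b"constructed domain-level agent",
            "Users/alice/Library/Caches/org.logind.ctp.archive/helper2": helper2,
            "Users/alice/Documents/notes.txt": b"unrelated file, must not be reported",
        }
        for rel, data in fixture.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        # One constructed hash is added so the output shows a path-plus-hash hit as well.
        known = dict(FINSPY_SHA256)
        known[hashlib.sha256(helper2).hexdigest()] = "constructed helper2 sample"
        return scan(root, known)


if __name__ == "__main__":
    import sys
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f['path']}  {f['sha256'][:16]}...  {f['hash_match'] or 'path-only match (unknown hash)'}")
```

Run it as `python3 finspy_sweep.py /` on a live Mac (with the privileges needed to read other users' home directories), or with a mount point to inspect an offline image; without an argument it runs the constructed demo. A path-only hit is the interesting case when hunting for a variant the hash table does not yet cover.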


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Skydio partners with EagleView for autonomous residential roof inspections via drone

Skydio only just recently announced its expansion into the enterprise and commercial market with hardware and software tools for its autonomous drone technology, and now it's taking the lid off a big new partnership with one commercial partner. Skydio will work with EagleView to deploy automated residential roof inspections using Skydio drones, with service initially provided via EagleView's Assess product, launching first in the Dallas/Ft. Worth area of Texas.

The plan is to expand coverage to additional metro areas starting next year, and then broaden to rural customers as well. The partners will use AI-based analysis, paired with Skydio’s high-resolution, precision imaging to provide roofing status information to insurance companies, claims adjustment companies and government agencies, providing a new level of quality and accuracy for property inspections that don’t even require an in-person roof inspection component.

Skydio announced its enterprise product expansion in July, alongside a new $100 million funding round. The startup, which has already delivered two generations of its groundbreaking fully autonomous consumer drone, also debuted the X2, a commercial drone that includes additional features like a thermal imaging camera. It’s also offering a suite of “enterprise skills,” software features that can provide its partners with automated workflows and AI analysis and processing, including a House Scan feature for residential roof inspection, which is core to this new partnership.

Adobe beefs up developer tools to make it easier to build apps on Experience Cloud

Adobe has had a developer program for years called Adobe.io, but today at the Adobe Developers Live virtual conference, the company announced some new tools with a fresh emphasis on helping developers build custom apps on the Adobe Experience Cloud.

Jason Woosley, VP of developer experience and commerce at Adobe, says that the pandemic has forced companies to build enhanced digital experiences much more quickly than they might have, and the new tools being announced today are at least partly related to helping speed up the development of better online experiences.

“Our focus is very specifically on making the experience-generation business something that’s very attractive to developers and very accessible to developers so we’re announcing a number of tools,” Woosley told TechCrunch.

The idea is to build a more complete framework over time to make it easier to build applications and connect to data sources that take advantage of the Experience Cloud tooling. For starters, Project Firefly is designed to help developers build applications more quickly by providing a higher level of automation than was previously available.

“Project Firefly creates an extensibility framework that reduces the boilerplate that a developer would need to get started working with the Experience Cloud, and extends that into the customizations that we know every implementation eventually needs to differentiate the storefront experience, the website experience or whatever customer touch point as these things become increasingly digital,” he said.

In order to make those new experiences open to all, the company is also announcing React Spectrum, an open source set of libraries and tools designed to help members of the Adobe developer community build more accessible applications and websites.

“It comes with all of the accessibility features that often get forgotten when you’re in a race to market, so it’s nice to make sure that you will be very inclusive with your design, making sure that you’re bringing on all aspects of your audiences,” Woosley said.

Finally, a big part of interacting with Experience Cloud is taking advantage of all of the data that’s available to help build those more customized interactions with customers that having that data enables. To that end, the company is announcing some new web and mobile software development kits (SDKs) designed to help make it simpler to link to Experience Cloud data sources as you build your applications.

Project Firefly is available in developer preview starting today. Several React Spectrum components and some data connection SDKs are also available today. The company intends to keep adding to these various pieces in the coming months.

The Good, the Bad and the Ugly in Cybersecurity – Week 39

The Good

This week, British national Nathan Wyatt received a sentence of five years in prison, along with a hefty fine, in connection with multiple breaches and operations attributed to the "The Dark Overlord" hacking group.

Wyatt, a 39-year-old, held a pivotal role in numerous malicious campaigns carried out by TDO (The Dark Overlord). This result has been a long time coming: Wyatt was taken into custody in 2017 and finally extradited to the United States in December 2019. Lengthy legal documents, filed in 2017, detail many of the specific offenses, along with some of the related methodologies.

The court documents offer an inside look at a tactic that has become all-too commonplace in recent times. Wyatt, along with others in the TDO team, would attack high-value targets, exfiltrate swaths of valuable data, and then demand a ransom in return for not leaking the stolen data to the public. If victims failed to meet the demands, the TDO would leak breach details to the media, post the data for sale in hacker forums, or simply post it for all to see on the web.

One of Wyatt’s main responsibilities was to broker communications between the victims and TDO. Wyatt would register unique phone numbers and accounts and use those channels to communicate with victims to demand the ransom or negotiate where required.

The TDO have been linked to a large number of high-profile campaigns against Netflix, ABC, SMART, Gorilla Glue, and many others, so it’s pleasing to see the legal system catch up to these actors. Wyatt’s criminal endeavours cost him five years behind bars and nearly 1.5 million USD in fines.

The Bad

This week, CISA (US-CERT / Cybersecurity & Infrastructure Security Agency) released Alert AA20-266A. Via its EINSTEIN intrusion detection system, the agency has noticed a sizeable uptick in the distribution of the LokiBot commodity malware since July 2020.

LokiBot is a widely available tool, with nearly no barrier to entry for setup and use. This makes the framework very attractive to enterprising cybercriminals that lack the skills to create or manage more complex malware or the resources to buy into a more expensive toolset. Generally speaking, LokiBot contains keylogging, backdoor/remote access features, browser-based credential harvesting and information stealing features. It can also be used as a loader or dropper for additional code or malware.

While LokiBot is well-known, well-documented, and generally well-defended against, this week’s alert is a good reminder that even the less-sophisticated malware families will ebb and flow in use and effectiveness. There is never a time when we, as “cyber-defenders”, can let our guard down. We encourage all to have a look at CISA’s guidance and use this as an opportunity to review your security posture and make any changes needed to ensure protection against LokiBot and all the other nasty bits out there in the wild.

The Ugly

As we inch closer to the upcoming election in the United States, sensitivity around election security is at an all-time high, and you know that things are taking a turn towards the ugly when an election-related entity is targeted with ransomware. Tyler Technologies, a company which provides services to the United States government, recently reported that it was hit with a damaging ransomware infection.

Tyler Technologies’ services to the U.S. government include emergency management, disaster recovery assistance, and the collection and sharing of election data. The company describes itself as a “Leading provider of end-to-end information management solutions and services for local governments.”

Given that the current modus operandi of ransomware actors is to leak victim data if the target fails to pay up, this ransomware attack is even more concerning. Current details suggest that the specific ransomware family was RansomExx. Tyler Technologies has indicated that no "personal data" was affected or accessed, and that the attack was limited to its internal corporate network. However, investigation into the matter is ongoing, and new details may emerge in the coming days and weeks.

Meanwhile, the company issued the following statement to their clients via email:

“I am writing to make you aware of a security incident involving unauthorized access to our internal phone and information technology systems by an unknown third party. We are treating this matter with the highest priority and working with independent IT experts to conduct a thorough investigation and response.”

We are certain that more stories like this will crop up as we approach the November election. Now, more than ever, trusted security controls are critical to protect the systems and data that we all rely upon and need to inherently trust.


EasySend raises $16M from Intel, more for its no-code approach to automating B2C interfaces

No-code and low-code software have become increasingly popular ways for companies — especially those that don’t count technology as part of their DNA — to bring in more updated IT processes without the heavy lifting needed to build and integrate services from the ground up.

As a mark of that trend, today, a company that has taken this approach to speeding up customer experience is announcing some funding. EasySend, an Israeli startup which has built a no-code platform for insurance companies and other regulated businesses to build out forms and other interfaces to take in customer information and subsequently use AI systems to process it more efficiently, is announcing that it has raised $16 million.

The funding has actually come in two tranches, a $5 million seed round from Vertex Ventures and Menora Insurance that it never disclosed, and another $11 million round that closed more recently, led by Hanaco with participation from Intel Capital. The company is already generating revenue, and did so from the start, enough that it was actually bootstrapped for the first three years of its life.

Tal Daskal, EasySend’s CEO and co-founder, said that the funding being announced today will be used to help it expand into more verticals: up to now its primary target has been insurance companies, although organically it’s picked up customers from a number of other verticals, such as telecoms carriers, banks and more.

The plan now is to focus specifically on marketing to and building solutions for the financial services sector, as well as hiring and expanding in Asia, Europe and the US.

Longer term, he said, another area EasySend might look at more closely is robotic process automation (RPA). RPA, and the companies that deal in it such as UiPath, Automation Anywhere and Blue Prism, is today focused on the back office, and EasySend's focus on the "front office" integrates with the leaders in that area. But over time, it would make sense for EasySend to cover this in a more holistic way, he added.

Menora was a strategic backer: it’s one of the largest insurance providers in Israel, Daskal said, and it used EasySend to build out better ways for consumers to submit data for claims and apply for insurance.

Intel, he said, is also a strategic investor, although exactly how is still being worked out. Notably, Intel has been building out a huge autonomous driving business in Israel, anchored by MobileEye. Not only will insurance (and overall risk management) play a big part in how that business develops, but longer term there will be a need for a lot of seamless customer interactions (and form filling) between would-be car owners, operators and passengers in order for services to operate more efficiently.

"Intel Capital chose to invest in EasySend because of its intelligent and impactful approach to accelerating digital transformation to improve customer experiences," said Nick Washburn, senior managing director, Intel Capital, in a statement. "EasySend's no-code platform utilizes AI to digitize thousands of forms quickly and easily, reducing development time from months to days, and transforming customer journeys that have been paper-based, inefficient and frustrating. In today's world, this is more critical than ever before."

The rise and persistence of Covid-19 globally has had a big, multi-faceted impact on how we all do business, and two of those effects have fed directly into the growth of EasySend.

First, the move to remote working has given organizations a giant fillip to work on digital transformation, refreshing and replacing legacy systems with processes that work faster and rely on newer technologies.

Second, consumers have really reassessed their use of insurance services, specifically health and home policies: the former to make sure they are better equipped in the event of a Covid-19-precipitated scare, and the latter to make sure they are adequately covered for how they now use their homes at all hours of the day.

EasySend's platform for building and running customer-experience interfaces falls directly into the kinds of apps and services that are being identified and updated, precisely at a time when its initial target customers, insurers, are seeing a surge in business. It's the kind of "perfect storm" of circumstances that the startup wouldn't have wished on the world, but which has definitely helped it along.

While there are a lot of companies on the market today that help organizations automate and run their customer interaction processes, Daskal said that EasySend's focus on using AI to process information is what sets the startup apart, as it can be used not just to run things, but to help improve how things work.

It’s not just about taking in character recognition and organizing data, it’s “understanding the business logic,” he said. “We have a lot of data and we can understand [for example] where customers left the process [when filling out forms]. We can give insights into how to increase the conversion rates.”

It’s that balance of providing tools to do business better today, as well as to focus on how to build more business for tomorrow, that has caught the eye of investors.

“Hanaco is firmly invested in building a digital future. By bridging the gap between manual processes and digitization, EasySend is making this not only possible, but also easy, affordable, and practical,” said Hanaco founding partner Alon Lifshitz, in a statement.