Microsoft Patch Tuesday, June 2020 Edition

Microsoft today released software patches to plug at least 129 security holes in its Windows operating systems and supported software, by some accounts a record number of fixes in one go for the software giant. None of the bugs addressed this month are known to have been exploited or detailed prior to today, but there are a few vulnerabilities that deserve special attention — particularly for enterprises and employees working remotely.

June marks the fourth month in a row that Microsoft has issued fixes to address more than 100 security flaws in its products. Eleven of the updates address problems Microsoft deems “critical,” meaning they could be exploited by malware or malcontents to seize complete, remote control over vulnerable systems without any help from users.

A chief concern among the panoply of patches is a trio of vulnerabilities in the Windows file-sharing technology (a.k.a. Microsoft Server Message Block or “SMB” service). Perhaps most troubling of these (CVE-2020-1301) is a remote code execution bug in SMB capabilities built into Windows 7 and Windows Server 2008 systems — both operating systems that Microsoft stopped supporting with security updates in January 2020. One mitigating factor with this flaw is that an attacker would need to be already authenticated on the network to exploit it, according to security experts at Tenable.

The SMB fixes follow closely on news that proof-of-concept code was published this week that would allow anyone to exploit a critical SMB flaw Microsoft patched for Windows 10 systems in March (CVE-2020-0796). Unlike this month’s critical SMB bugs, CVE-2020-0796 does not require the attacker to be authenticated to the target’s network. And with countless company employees now working remotely, Windows 10 users who have not yet applied updates from March or later could be dangerously exposed right now.

Microsoft Office and Excel get several updates this month. Two different flaws in Excel (CVE-2020-1225 and CVE-2020-1226) could be used to remotely commandeer a computer running Office just by getting a user to open a booby-trapped document. Another weakness (CVE-2020-1229) in most versions of Office may be exploited to bypass security features in Office simply by previewing a malicious document in the preview pane. This flaw also impacts Office for Mac, although updates are not yet available for that platform.

After months of giving us a welcome break from patching, Adobe has issued an update for its Flash Player program that fixes a single, albeit critical security problem. Adobe says it is not aware of any active exploits against the Flash flaw. Mercifully, Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Adobe is slated to retire Flash Player later this year. Adobe also released security updates for its Experience Manager and Framemaker products.

Windows 7 users should be aware by now that while a fair number of flaws addressed this month by Microsoft affect Windows 7 systems, this operating system is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for a wonky Windows update to hose one’s system or prevent it from booting properly, and some updates have even been known to erase or corrupt files. So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Further reading:

AskWoody and Martin Brinkmann on Patch Tuesday fixes and potential pitfalls

Trend Micro’s Zero Day Initiative June 2020 patch lowdown

US-CERT on Active Exploitation of CVE-2020-0796

Florence, Ala. Hit By Ransomware 12 Days After Being Alerted by KrebsOnSecurity

In late May, KrebsOnSecurity alerted numerous officials in Florence, Ala. that their information technology systems had been infiltrated by hackers who specialize in deploying ransomware. Nevertheless, on Friday, June 5, the intruders sprang their attack, deploying ransomware and demanding nearly $300,000 worth of bitcoin. City officials now say they plan to pay the ransom demand, in hopes of keeping the personal data of their citizens off of the Internet.

Nestled in the northwest corner of Alabama, Florence is home to roughly 40,000 residents. It is part of a quad-city metropolitan area perhaps best known for the Muscle Shoals Sound Studio that recorded the dulcet tones of many big-name music acts in the 1960s and 70s.

Image: Florenceal.org

On May 26, acting on a tip from Milwaukee, Wisc.-based cybersecurity firm Hold Security, KrebsOnSecurity contacted the office of Florence’s mayor to alert them that a Windows 10 system in their IT environment had been commandeered by a ransomware gang.

Comparing the information shared by Hold Security dark web specialist Yuliana Bellini with the employee directory on the Florence website indicated the username for the computer that attackers had used to gain a foothold in the network on May 6 belonged to the city’s manager of information systems.

My call was transferred to no fewer than three different people, none of whom seemed eager to act on the information. Eventually, I was routed to the non-emergency line for the Florence police department. When that call went straight to voicemail, I left a message and called the city’s emergency response team.

That last effort prompted a gracious return call the following day from a system administrator for the city, who thanked me for the heads up and said he and his colleagues had isolated the computer and Windows network account Hold Security flagged as hacked.

“I can’t tell you how grateful we are that you helped us dodge this bullet,” the technician said in a voicemail message for this author. “We got everything taken care of now, and some different protocols are in place. Hopefully we won’t have another near scare like we did, and hopefully we won’t have to talk to each other again.”

But on Friday, Florence Mayor Steve Holt confirmed that a cyberattack had shut down the city’s email system. Holt told local news outlets at the time there wasn’t any indication that ransomware was involved.

However, in an interview with KrebsOnSecurity Tuesday, Holt acknowledged the city was being extorted by DoppelPaymer, a ransomware gang with a reputation for negotiating some of the highest extortion payments across dozens of known ransomware families.

The average ransomware payment by ransomware strain. Source: Chainalysis.

Holt said the same gang appears to have simultaneously compromised networks belonging to four other victims within an hour of Florence, including another municipality that he declined to name. Holt said the extortionists initially demanded 39 bitcoin (~USD $378,000), but that an outside security firm hired by the city had negotiated the price down to 30 bitcoin (~USD $291,000).

Like many other cybercrime gangs operating these days, DoppelPaymer will steal reams of data from victims prior to launching the ransomware, and then threaten to publish or sell the data unless a ransom demand is paid.

Holt told KrebsOnSecurity the city can’t afford to see its citizens’ personal and financial data jeopardized by not paying.

“Do they have our stuff? We don’t know, but that’s the roll of the dice,” Holt said.

Steve Price, the Florence IT manager whose Microsoft Windows credentials were stolen on May 6 by a DHL-themed phishing attack and used to further compromise the city’s network, explained that following my notification on May 26 the city immediately took a number of preventative measures to stave off a potential ransomware incident. Price said that when the ransomware hit, they were in the middle of trying to get city leaders to approve funds for a more thorough investigation and remediation.

“We were trying to get another [cybersecurity] response company involved, and that’s what we were trying to get through the city council on Friday when we got hit,” Price said. “We feel like we can build our network back, but we can’t undo things if peoples’ personal information is released.”

A DoppelPaymer ransom note. Image: Crowdstrike.

Fabian Wosar, chief technology officer at Emsisoft, said organizations need to understand that the only step which guarantees a malware infestation won’t turn into a full-on ransomware attack is completely rebuilding the compromised network — including email systems.

“There is a misguided belief that if you were compromised you can get away with anything but a complete rebuild of the affected networks and infrastructure,” Wosar said, noting that it’s not uncommon for threat actors to maintain control even as a ransomware victim organization is restoring their systems from backups.

“They often even demonstrate that they still ‘own’ the network by publishing screenshots of messages talking about the incident,” Wosar said.

Hold Security founder Alex Holden said Florence’s situation is all too common, and that very often ransomware purveyors are inside a victim’s network for weeks or months before launching their malware.

“We often get glimpses of the bad guys beginning their assaults against computer networks and we do our best to let the victims know about the attack,” Holden said. “Since we can’t see every aspect of the attack we advise victims to conduct a full investigation of the events, based on the evidence collected. But when we deal with sensitive situations like ransomware, timing and precision are critical. If the victim will listen and seek out expert opinions, they have a great chance of successfully stopping the breach before it turns into ransom.”

15 macOS Power Tricks for Security Pros

I’ve been using macOS on a daily basis since 2004. I’ve used every version of the OS since OSX Panther (released in October 2003), and I have beta-tested every version of macOS on an annual basis since Lion 10.7 (released in July 2011). While this may sound like a long time to some, it is certainly not as long as some of my macOS friends nor as long as some of my macOS colleagues at SentinelOne. Even so, one would think it should be long enough to have learned pretty much everything there is to learn about Apple’s Desktop environment. Alas, that is far from the case. Apple’s operating system never fails to hold some new surprise. Tricks with option keys, for example, can lie undiscovered for years, and with Apple’s annual release cycle, who knows how many yet-to-be-found tricks remain unearthed?

Nevertheless, over the years I have come across and regularly use a number of tricks that I find particularly useful in relation to macOS security tasks, whether that’s writing code, hunting for threats, recording malware behaviour or triaging infected machines. In this post, I wanted to share some of these in the hope that others may find them useful. So, without further ado, here are 15 of my most used macOS Power Tricks for Security Pros!

1. Find Bundle Id Of Any Application

Trick

lsappinfo list | grep <app name>

or

grep -A1 -i bundleidentifier "$(mdfind -name <app name>.app | head -n 1)"/Contents/Info.plist

Discussion
Bundle IDs (bundle identifiers) are unique identifiers for every application on a given Mac device. Regular bundle IDs take the reverse-DNS form “com.<vendor>.<app>”, such as

com.apple.finder

Bundle IDs are set in the application bundle’s Info.plist file and are registered in the Launch Services database as soon as the bundle is written to disk. As such, if you know an application’s bundle ID, it is very easy to find its location without having to expend unnecessary processor resources as you would using the Finder or the shell find command.

The first example uses lsappinfo to query all running applications and greps for the bundle ID from the output. This utility’s listings are very informative, and can tell you not only the bundle ID but also the executable path, current PID and many other details. See the man page for more details.

However, you may want to find the bundle identifier of an application that is not currently running. For that, use the second version that leverages the mdfind utility.

Note that mdfind only shows results for files the user has permission to access: it’s why you don’t get all those permissions errors that you do with the regular ‘find’ command (unless you redirect stderr to /dev/null). But that’s OK, since the entire Launch Services database is relative to the user: it’ll only return results for apps that the user has permission to launch, anyway.

2. Find Apps Lacking the Hardened Runtime

Trick

for i in /Applications/*.app; do codesign -dv "${i}" &>> /tmp/codes; done; grep -B3 'none' /tmp/codes | grep ^Executable | sed 's/^Executable=/No Hardened Runtime: /g'; rm -rf /tmp/codes

Discussion
As of macOS 10.15 Catalina, by default, all applications must be notarized in order to launch, but there are some get-out clauses that mean there could be unnotarized apps on your system. First, users can locally override the requirement for notarization, and this does not require Administrator privileges. It’s a common macOS malware technique to socially engineer the user into doing just that. Second, Apple flip-flopped somewhat on notarization requirements in the early stages, and apps that were notarized and installed prior to February 2020 under less strict requirements, such as not having the hardened runtime, will run just fine on Catalina even after the stricter requirements came into force.

If you have the Xcode command line tools installed, it is possible to check whether an application lacks a notarization “ticket” stapled to it with a much shorter one-liner:

for i in /Applications/* ; do stapler validate "${i}"|grep -B 1 -v worked;done

However, that’s problematic on two counts, quite apart from the fact that it requires Xcode command line tools.

First, apps can be notarized without the ticket; and indeed, many developers attach the ticket to the DMG or installer rather than the application itself, so simply checking for the ticket will not yield accurate results.

Second, the main benefit of notarization from a security point of view is that, under the strictest rules, it requires the hardened runtime flag. Apps without such a flag can be modified by malicious processes, so with this trick what we want to do is list all applications in the Applications folder (of course, you can and should think about applying the same technique to other folders containing applications), and then test whether each lacks the required flags. The one-liner outputs the results of codesign to a temporary file, then greps the file for those entries that have no flags at all, indicating that there’s no hardened runtime. The one-liner also cleans up this temporary file after outputting the list of executables matching the search.
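As an added example (not code from the original post), the following parser reads codesign -dv output and checks for the hardened-runtime flag itself rather than matching the literal word “none”, so it also catches ad-hoc signed apps (flags=0x2(adhoc)) and apps that are not signed at all. The codesign output lines and app names below are constructed samples.

```shell
# Added example, not from the original post. POSIX sh + awk only.
# report_hardened_runtime: read `codesign -dv` output for one or more apps on
# stdin and print a line for every app whose CodeDirectory flags lack "runtime".
report_hardened_runtime() {
    awk '
        /^Executable=/ { exe = substr($0, 12) }   # path after "Executable="
        /flags=/ {
            # isolate the text inside the parentheses of flags=0x....(...)
            if (match($0, /flags=0x[0-9a-fA-F]+\([^)]*\)/)) {
                f = substr($0, RSTART, RLENGTH)
                sub(/^[^(]*\(/, "", f); sub(/\)$/, "", f)
                # flag list is comma separated, e.g. "adhoc,runtime"
                if (f !~ /(^|,)runtime(,|$)/) print "No Hardened Runtime: " exe
            }
            exe = ""
        }
        /code object is not signed at all/ {
            p = $0; sub(/: code object is not signed at all.*/, "", p)
            print "No Hardened Runtime (unsigned): " p
        }
    '
}

# check_apps_dir [DIR]: run codesign over every .app in DIR (macOS only) and
# feed the combined stdout/stderr through the classifier above.
check_apps_dir() {
    for app in "${1:-/Applications}"/*.app; do
        codesign -dv "$app" 2>&1
    done | report_hardened_runtime
}

# Constructed sample of codesign -dv output (these apps do not exist).
SAMPLE_CODESIGN_OUTPUT='Executable=/Applications/Good.app/Contents/MacOS/Good
Identifier=com.example.good
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Executable=/Applications/Unsigned.app/Contents/MacOS/Unsigned
Identifier=com.example.unsigned
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1000 flags=0x0(none) hashes=20+5 location=embedded
Executable=/Applications/Adhoc.app/Contents/MacOS/Adhoc
Identifier=com.example.adhoc
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=900 flags=0x2(adhoc) hashes=10+3 location=embedded
/Applications/Broken.app: code object is not signed at all'

# sample_report: run the classifier over the constructed sample
sample_report() {
    printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | report_hardened_runtime
}

sample_report
```

On a Mac, `check_apps_dir /Applications` replaces the sample input with live codesign output.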

3. Find Devices Connected To Your LAN

Trick

while true; do clear; arp -alnx; c=$(arp -alnx | wc -l); let n=$c-1; printf '\tCount: \t'$n'\n'; sleep 2; done;

Discussion
This one-liner leverages the arp utility to print out information about devices connected to your LAN, including the local IP address, MAC address (aka Linklayer Address) and expiry times, among other things. The command uses an infinite while loop on a 2-second delay, so that it continuously updates until you interrupt it with the keyboard command Ctrl-C.

If you also keep an inventory of allowed MAC addresses on your network, this can be a very easy way to manually spot rogue devices that appear on your home, lab or other small network. For an automated enterprise solution, use something like SentinelOne’s Ranger.
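Here is an added example (not from the original post) of the manual inventory check described above: it compares the neighbours reported by arp -an against an allowlist of known MAC addresses and prints the rest. macOS prints MAC octets without zero padding (0:1c:… rather than 00:1c:…), so both sides are normalised before comparison. The arp lines and the allowlist are constructed samples.

```shell
# Added example, not from the original post. POSIX sh; uses tr, awk, grep, mktemp.
# Expected input is the classic `arp -an` line format:
#   ? (192.168.1.1) at 0:1c:b3:9:85:15 on en0 ifscope [ethernet]

# normalize_mac MAC: lowercase and zero-pad each octet
#   0:1C:B3:9:85:15 -> 00:1c:b3:09:85:15
normalize_mac() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
        awk -F: -v OFS=: '{ for (i = 1; i <= NF; i++) if (length($i) == 1) $i = "0" $i; print }'
}

# find_rogue_devices ALLOWLIST: read `arp -an` output on stdin and print
# "<ip> <mac>" for every resolved neighbour whose MAC is not in ALLOWLIST
# (one MAC per line, '#' comments allowed, any case or padding).
find_rogue_devices() {
    allowed=$(grep -v '^#' "$1" | while IFS= read -r m; do
        if [ -n "$m" ]; then normalize_mac "$m"; fi
    done)
    while IFS= read -r line; do
        case "$line" in *" at "*) ;; *) continue ;; esac   # not an ARP entry line
        ip=${line#*\(}; ip=${ip%%\)*}                      # text inside "( ... )"
        mac=${line#* at }; mac=${mac%% *}                  # token after " at "
        if [ "$mac" = "(incomplete)" ]; then continue; fi  # unresolved neighbour
        mac=$(normalize_mac "$mac")
        # a full MAC is 17 characters, so a substring match is an exact match here
        case "$allowed" in
            *"$mac"*) ;;
            *) printf '%s %s\n' "$ip" "$mac" ;;
        esac
    done
}

# Constructed sample of `arp -an` output (not real devices).
SAMPLE_ARP_OUTPUT='? (192.168.1.1) at 0:1c:b3:9:85:15 on en0 ifscope [ethernet]
? (192.168.1.20) at a4:83:e7:12:34:56 on en0 ifscope [ethernet]
? (192.168.1.50) at (incomplete) on en0 ifscope [ethernet]
? (192.168.1.77) at de:ad:be:ef:0:1 on en0 ifscope [ethernet]'

# sample_rogue_scan: write a constructed allowlist to a random temp file,
# run the scan over the sample output, then clean up.
sample_rogue_scan() {
    allow=$(mktemp "${TMPDIR:-/tmp}/allowlist.XXXXXXXX")
    printf '# known devices\n00:1C:B3:09:85:15\na4:83:e7:12:34:56\n' > "$allow"
    printf '%s\n' "$SAMPLE_ARP_OUTPUT" | find_rogue_devices "$allow"
    rm -f "$allow"
}

sample_rogue_scan
```

Against a live system, pipe real output in instead: `arp -an | find_rogue_devices ~/allowed_macs.txt`.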

4. Inflate a File, Change Its Hash

Trick

for i in {1..3000000}; do echo '0' >> <file>; done

Discussion
When testing known malware there are circumstances when you might need to change the file’s size or hash in order to beat security detection rules. This trick was discussed in our recent post on how to bypass XProtect on Catalina, but that’s certainly not the only reason why you might want to use it. Any file-size check can be beaten this way, as well as any reputation check against a file’s hash. In the latter case, there’s no need to inflate the file with anything more than a single byte, so adjust the second number in the condition from 3000000 to anything from 2 to a number just a little larger than the size mentioned in the rule you’re trying to defeat.


5. Find Names Of All Logging Subsystems

Trick

ls -al /System/Library/Preferences/Logging/Subsystems | awk '{print $9}' | sed 's/.plist//g'

Discussion
Apple’s built-in log utility gives you access to system wide log messages created by os_log, os_trace and other logging systems. The universal logging system is a powerful utility once you get the hang of how to use it. That requires clearing a couple of hurdles, though. One is getting used to using predicate-based filtering. Another is knowing which subsystems are available for you to query.

In this trick, we pull all the available subsystems from the system and print them to stdout.

With this list, we can now refine searches to particular areas, which is ideal for bug hunting and vulnerability assessment.

6. Find Applications with Full Disk Access Permissions

Trick

sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "SELECT client,allowed FROM access WHERE service == 'kTCCServiceSystemPolicyAllFiles'" | grep '1$'

Discussion
Full Disk Access (FDA) is a user protection mechanism that was introduced in macOS Mojave and considerably expanded in macOS Catalina. Whether it’s actually very effective at offering real-world protection is debatable, but there’s no arguing that for developers and power users it is often the cause of frustration as many common application and script functions will fail to work unless the executing process has FDA permission.

This trick allows you to quickly determine which applications on a given device have been granted that permission. In most cases, the output should accord with what you see in System Preferences’ Security & Privacy pane (see ‘Full Disk Access’ under the Privacy tab). However, if your device is managed by an MDM solution, then System Preferences will not show you all the items that actually have Full Disk Access permission, so this trick also comes in handy in that scenario. Note the use of the sudo command: you will need Administrator privileges in order to read the TCC SQLite3 database.

It’s also worth noting that if you leave off the call to grep at the end, you’ll see a longer list of entries, with the additional ones having a 0 at the end. These are apps that have appeared in the list of FDA but are not currently enabled.

7. Get the Mac’s UUID, Board-ID

Trick

ioreg -rd1 -c IOPlatformExpertDevice | grep UUID | awk '{print $NF}' | sed 's/"//g'

Or

/usr/sbin/system_profiler SPHardwareDataType | grep UUID | awk '{print $NF}'

Discussion
This is a common trick used by macOS adware and is useful for a number of reasons. From an attacker’s point of view, the IOPlatformUUID is a good way for threat actors to keep track of compromised victims, and the UUID can be sent as part of a URL from the victim’s machine to the attacker’s C2. From a defender’s point of view, it’s worth monitoring calls to ioreg and system_profiler that are specifically seeking out the IOPlatformExpertDevice property or parsing for the UUID.

Note that the “board-id” key in the same property list for ioreg is one of several ways a malicious process can tell whether it’s running on bare metal or inside a (researcher’s) Virtual Machine.

ioreg -rd1 -c IOPlatformExpertDevice | grep board-id

Similarly, getting the full Hardware Overview from system_profiler provides a lot of useful environmental information (use the same command as above, but remove the call to grep and everything after).

The system_profiler command is essentially the command line version of the System Information.app located in the Utilities subfolder inside the Applications folder. Use system_profiler -listDataTypes to see all the different sections you can query. As always, the man page will furnish you with other useful information on the utility.

8. Convert a String from Hex to ASCII (and back again)

Trick

echo '<hex string>' | xxd -r -p

Or

echo 'hello world' | xxd -p

Or

echo 'hello world' | od -t c -t x1

Or

python -c "print bytearray.fromhex('<hex string>')"

Discussion
If you have anything to do with security, it’s almost inevitable that you will be regularly faced with the prospect of converting between hexadecimal encoded strings and ASCII characters. There are actually quite a few ways to do it, depending on your preference, as the code above shows. Personally, I prefer using xxd because it’s quick, easy to remember and short to type. Be sure to use the -p switch to get a nice continuous printed string. The -r switch lets you reverse the hex back to ASCII.

The od utility provides a somewhat different output, showing each byte in both ASCII and hex in parallel, which can be useful in circumstances where you want to visually compare each byte against its ASCII representation.

9. Batch Convert A Folder of PNG Images To JPEG

Trick

mkdir jpegs; sips -s format jpeg *.* --out jpegs

Discussion
Another common task in the security field, whether you are penetration testing, researching or writing, is taking screenshots. By default, the macOS screencapture utility will use .png format. However, if you’re uploading screenshots to webpages, JPEG format is usually preferred as these files are lighter and make pages load faster.

Although you can change the default file format of screencapture (see man screencapture), I find it useful to leave the default as .png as it’s often the preferred format for many other tasks. Fortunately, this one-liner will pretty much instantly iterate over all the images in the current working directory, create a new folder called “jpegs” and populate that folder with copies of all your PNGs in JPEG format. The sips tool is a little-known utility with a great deal of useful functionality. Check out man sips for the wealth of other options.

10. Hide All Files on the Desktop

Trick

chflags hidden ~/Desktop/*

And

chflags nohidden ~/Desktop/*

Discussion
Another trick related to recording and reporting: in the event you need to take a screencapture or screen recording of your Desktop, there is an alternative to moving or deleting all your Desktop clutter, which is to temporarily hide all Desktop files with the chflags utility.

Note that this is unrelated to the Finder keychord Command-Shift-Period for showing and hiding invisible files; however, if you have enabled invisible files in the Finder with that keychord, you will need to press it again to toggle that setting off before this trick has any visible effect.

Don’t forget after you’ve taken your screencapture or recording to reverse the invisibility using the nohidden flag.

11. Encode/Decode URL Strings

Trick

alias urldecode='python3 -c "import sys, urllib.parse as ul; print(ul.unquote_plus(sys.argv[1]))"'

And

alias urlencode='python3 -c "import sys, urllib.parse as ul; print(ul.quote_plus(sys.argv[1]))"'

Discussion
Percent-encoded URL strings are a common enough occurrence that I find it useful to have an alias defined in my shell .rc scripts for dealing with them, particularly for decoding. Although this trick uses Python 3, there are many other ways to do this using different tools: Python 2, Perl, Ruby, pure Bash and Zsh to name a few, with varying degrees of accuracy. I prefer the Python 3 one personally as in my experience it’s the most reliable, but naturally YMMV.

12. Create a Randomly-Named File or Directory

Trick

mktemp -d /tmp/XXXXXXXXXXXX

Discussion
Use the mktemp utility with the -d switch to make a randomly named directory, or without it to make a randomly named file. You do not need to specify the /private/tmp directory; you could equally use the $TMPDIR directory or any other directory you wish: the utility will create the randomly-named file or directory in the current working directory if no path prefix is given.

Randomly named temp files are useful in defensive programming to ensure that attackers cannot predict the path of temporary files where you may need to locate application or program resources. Similarly, they are used by attackers to drop malicious files in the Temporary directory and other locations with random names to help them evade simple path-based detection heuristics and YARA rules that try to lighten the load on resources by specifying particular locations.

In the example above, I use 12 Xs to generate a suitably difficult-to-guess random name. However, defenders (and attackers) can to a certain extent defeat this trick through judicious use of regex search patterns.

As an aside, be aware that there are a number of different temporary directories in use on macOS. While /tmp is an alias for /private/tmp, both /private/var/tmp and $TMPDIR are entirely different locations, as evidenced by the listings for each in the following image. We show the count from ls -al rather than the directory listing for $TMPDIR simply because there’s so many files there it would not fit conveniently into a screenshot.

13. Use Swift as a Scripting Language

Trick

#!/usr/bin/swift

Or

#!/usr/bin/env swift

Discussion
The advantage of using Swift as a scripting language is that it allows you to run code from text files that can natively call out to Apple Cocoa APIs. With access to code in the Foundation, AppKit and other frameworks, you can build portable scripts that are just as powerful as native binaries, which is ideal for red or blue teamers.

Using Swift in this way is dependent on the existence of Xcode’s command line tools on the target machine, so this restricts your targets primarily to developers – a sizeable bunch who are often reluctant to install security controls, and a tasty target group if you are thinking about supply-chain attacks and lateral movement – or installing the dependency as part of your post-exploitation. You can avoid the dependency altogether, however, by turning your scripts into Swift binaries on your own machine and then importing the binary to the target device. To do so, simply remove the shebang from the script and use the swiftc compiler to rapidly create a native Mach-O binary:

swiftc my_script.swift -o my_script

Using Swift as a scripting language obviously requires knowledge of Swift itself, but a very good intro can be found on Derik Ramirez’s excellent website here.

I would sound one note of caution here about using the #!/usr/bin/env form of this or any other scripting shebang. Developers often recommend this practice because it ensures that the shell will find the executable even if it isn’t located at the standard path or if there are multiple versions of the executable (think Python 2, Python 2.7, Python 3, etc). However, from a security point of view, this introduces a potential vulnerability. As env will use whatever executable appears first in the user’s $PATH with the name specified (e.g., Swift), it could be possible for a malicious process to drop a cuckoo binary at the top of a user’s Path and have that executed instead of the real Swift binary. For that reason, I would recommend always using the absolute path to the Swift (and other) binaries if security is of concern.


14. Move or Resize Selected Area While Taking a Screenshot

Trick

Hold down the spacebar while selecting a region with Command-Shift-4.

Discussion
This is a wonderful trick that I only learned about a few months ago, despite having been a user of the screencapture keychord Command-Shift-4 on a daily basis for many years. While the great thing about this keychord is it lets you rapidly select a custom region, it can be frustrating if your starting position is a little off.

With this trick, you need not cancel with Esc and try again. Keep the mouse/trackpad pressed to avoid taking the shot, then simply hold down the space bar and move the cursor to reposition the selected region to where you want it. Release the space bar after repositioning and continue to adjust by dragging in the usual way if needed. Release the mouse/trackpad to take the shot.

With macOS Catalina 10.15, there is also the additional Command-Shift-5 keychord, which offers various options from a HUD style interface including specifying a different Save location from the default one.

15. Convert Cocoa Timestamp to Human Readable Date

Trick

date -r $((<cocoa timestamp> + 978307200))

Discussion
This is a trick that I’ve mentioned before when discussing macOS Incident Response, but it is well worth repeating here (not least to have as a handy reference). Unix epoch timestamps, which begin on Mon, 1 January 1970, 00:00:00, are in widespread use both across macOS and other operating systems, and converting them to a human readable form can be done on the command line using the date utility.

Less familiar are Cocoa timestamps, which take a similar form but often have a decimal representing fractions of a second appended, like 587381138.016775. The most important difference though is that Cocoa timestamps begin 31 years later than their Unix ancestors, on 1st January, 2001. Thus to convert a Cocoa timestamp using the date utility, we need to add the 31-year difference, which is 978307200 seconds. You can ignore the fractions of a second after the decimal point for most non-forensic purposes.
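The conversion above as reusable shell functions, added here as an example that is not from the original post: it drops or preserves the fractional seconds as needed (the precise variant is the one you want for a forensic timeline) and falls back from BSD/macOS date -r to GNU date -d @ so the same function works on Linux. The timestamp 587381138.016775 is the page’s own sample.

```shell
# Added example, not from the original post. POSIX sh.
# Cocoa timestamps count seconds from 2001-01-01 00:00:00 UTC, which is
# 978307200 seconds after the Unix epoch (1970-01-01 00:00:00 UTC).
COCOA_EPOCH_OFFSET=978307200

# cocoa_to_epoch TS: integer Unix epoch seconds; any fractional part is dropped
cocoa_to_epoch() {
    echo $(( ${1%%.*} + COCOA_EPOCH_OFFSET ))
}

# epoch_to_cocoa SECS: the reverse, useful when building queries against
# databases that store Cocoa timestamps
epoch_to_cocoa() {
    echo $(( ${1%%.*} - COCOA_EPOCH_OFFSET ))
}

# format_epoch SECS: "YYYY-MM-DD HH:MM:SS UTC" on either BSD or GNU date.
# BSD/macOS date takes -r <epoch>; GNU date takes -d @<epoch> (its -r means
# "mtime of file", which fails here and triggers the fallback).
format_epoch() {
    date -u -r "$1" '+%Y-%m-%d %H:%M:%S UTC' 2>/dev/null ||
        date -u -d "@$1" '+%Y-%m-%d %H:%M:%S UTC'
}

# cocoa_to_date TS: human-readable date, fraction ignored (everyday use)
cocoa_to_date() {
    format_epoch "$(cocoa_to_epoch "$1")"
}

# cocoa_to_date_precise TS: same, but keeps the fractional seconds
cocoa_to_date_precise() {
    case "$1" in
        *.*) frac=${1#*.} ;;
        *)   frac="" ;;
    esac
    formatted=$(cocoa_to_date "$1")
    if [ -n "$frac" ]; then
        # re-insert the fraction after the seconds field, before " UTC"
        printf '%s.%s UTC\n' "${formatted% UTC}" "$frac"
    else
        printf '%s\n' "$formatted"
    fi
}

cocoa_to_date 587381138.016775           # sample timestamp from the post
cocoa_to_date_precise 587381138.016775
```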

Conclusion

I hope that some of those will be new to you and prove to be useful in your own work on macOS. If you would like to know when we post more macOS content, then subscribe to the blog or follow SentinelOne on Twitter. If you want to see all our macOS related content in one easy to find place, then bookmark our dedicated macOS page. And, of course, if you’d like to share your own cool power tricks, hit me up on Twitter and let me know your macOS secrets – I would love to include them in a future post!



Yugabyte lands $30M Series B as open source database continues to flourish

It’s been a big period of positive change for Yugabyte, makers of the open source, cloud native YugabyteDB database. Just last month they brought on former Pivotal CEO Bill Cook as CEO, and today the company announced it has closed a $30 million Series B.

8VC and strategic investor WiPro led the round with participation from existing investors Lightspeed Venture Partners and Dell Technologies Capital. Today’s investment brings the total raised to $55 million, according to the company.

The startup also announced that former Pivotal co-founder Scott Yara would be joining the company’s board. Along with Cook, that brings a distinct Pivotal influence to the company.

Kannan Muthukkaruppan, who was CEO, now holds the title of president. He says that the company has built “a fully open source, high performance distributed SQL database meant for transactional workloads in the cloud.”

Today, in addition to the open source product, it offers a private Database as a Service platform to enterprise customers. This can run on a variety of platforms including public, private, or hybrid cloud or Kubernetes infrastructure. The company also offers a fully managed cloud service, which is currently available on AWS and Google Cloud Platform with Azure support coming in the future.

The founders have quite a pedigree. Muthukkaruppan spent 13 years at Oracle helping build Oracle’s relational engine. Then he moved onto Facebook in the early days where he met co-founders Karthik Ranganathan and Mikhail Bautin. The founding team worked on database technology that helped scale Facebook from 40 million users to over a billion.

It was that background that really caught the attention of Cook. “First of all, there’s a huge market opportunity here that we think we fit into, and it is unique in the sense of the pedigree that this team has, and what they built and the expertise they have across that whole spectrum of being able to scale and have [a database that is] performant across [geographic] zones,” he said.

This investment comes not only during a period of change inside the organization but also against the backdrop of the worldwide pandemic and the economic fallout from that event, yet Muthukkaruppan sees momentum here in spite of the macro conditions.

“With COVID-19, we actually saw an increased sense of urgency across many enterprises, wanting to move businesses to the cloud and improve their operational and go-to-market efficiency around the product that they were bringing to market,” he said. He believes that the company’s database can be a key part of that.

The company currently has 50 employees, but sees doubling that number in the next 12-18 months as interest in the products continues to grow. Cook says the company has a diverse workforce today, and he will continue to build on that in his hiring practices.

“The more inclusive you can be ties to all our principles and values [as a company] already so we’re not changing how we operate,” he says. He says diversity is not only the right thing to do from a human perspective, it also makes good business sense to have a diverse workforce.

Silverfin wants to modernize accounting software with its cloud service

Meet Silverfin, a startup focused on accounting software. This isn’t about helping small startups handle accounting tasks themselves. Silverfin wants to build the cloud service for small and big accounting firms — Salesforce, but for accounting.

The startup just raised a Series B funding round led by Hg — Index Ventures led the previous Series A round. While terms of the deal are undisclosed, a source told me the round is worth approximately $30 million.

In order to improve productivity, Silverfin tries to automate the most time-consuming aspect of accounting — data collection. The company helps you connect directly to your clients’ accounting software, such as Xero, QuickBooks, Sage and SAP, to import their data.

After that, Silverfin standardizes your data set and lets you add data manually so the platform can become the main data repository.

Once your data is in the system, you need to process it. Silverfin lets you configure automated workflows and templates so that anybody in the accounting firm can enrich data and check for compliance issues. Like Salesforce and other software-as-a-service products, multiple people can communicate on the service and look at all past edits and changes.

You can then visualize financial data and generate reports and statements. It opens up new possibilities for accounting firms: they can charge for advisory services thanks to analytics tools and an alert system.

The startup was founded in Ghent, Belgium, but it has now expanded to London, Amsterdam and Copenhagen. Silverfin has attracted 650 customers, including big accounting firms in Europe and North America.

By targeting the most demanding customers first, Silverfin doesn’t need to replace Xero or QuickBooks altogether. It can integrate with those existing software solutions first. There’s an opportunity to go downmarket later and convince smaller companies that don’t necessarily have a big accounting team.

Enterprise investors remain flexible as they navigate COVID-19

One would think it’s a given that investment strategies would change in the strange times we find ourselves. With the economy staggering and so much general uncertainty, it seems caution would be the watchword of the day, especially in the enterprise. But enterprise investors aren’t necessarily looking at what’s going on right now.

As startups make their way into the enterprise, they often grow from a single product to a platform offering, which means such investments tend to be a long haul that can take a decade or longer to mature and exit or IPO. The bigger the approach, the longer the sales cycle, so even though sales motion could be stalling now, it doesn’t mean VCs are just giving up on these types of investments.

Savvy investors understand that this is going to be a long game, and the current situation driven by a worldwide pandemic won’t necessarily change their approach significantly.

We asked a number of enterprise investors if they have changed their approach in light of the pandemic and its knock-on economic impacts, how the current environment has changed their relationship with existing portfolio clients and how well those clients are coping with the new reality.

  • Theresia Gouw, Acrew Capital
  • Diane Fraiman, Voyager Capital
  • Casey Aylward, Costanoa Ventures
  • Hope Cochran, Madrona Venture Group
  • Leyla Seka, Operator Collective
  • Max Gazor, CRV
  • Navin Chaddha, Mayfield
  • Matt Murphy, Menlo Venture Capital
  • Soma Somasegar, Madrona Ventures
  • Jon Lehr, Work-Bench
  • Steve Herrod, General Catalyst
  • Jai Das, Sapphire Ventures
  • Ed Sim, Boldstart Ventures
  • Martin Casado, Andreessen Horowitz
  • Vas Natarajan, Accel
  • Dharmesh Thakker, Battery Ventures

[Editor’s note: Our prior enterprise survey failed to include any responses from female VCs and did not meet TechCrunch’s standards for diversity and inclusion. We regret the error.]

Theresia Gouw, Acrew Capital

With the pandemic having such a huge impact on the economy, how has this changed your investment approach and the types of companies you are more likely to invest in?

We remain committed to our five core thesis areas: security & infrastructure modernized, financial services rebuilt, work reimagined, data interconnected, and community activated. We break out each of our thesis areas into anywhere from 10-20 sub-sectors.

We have been continuously reprioritizing which sub-sectors will likely see business growth as well as opportunities to make a positive difference to a world grappling with COVID. There are still many unknowns and we closely watch company formation and funding to see where there might be particular concentration of entrepreneurial activity, which we take to be a positive sign that a market is robust and ready for significant investment.

Within enterprise software, we’ve unsurprisingly seen an acceleration in enterprise demand for communication and collaboration software. We’ve historically maintained a thesis that enterprise communication is an untapped, shadow set of data about workplace productivity and knowledge. With swaths of workers working remotely, capturing insights from these conversations provides a significant opportunity. This applies to industry verticals as much as it applies to functional software that sells across industries and focuses on a particular type of communication. We believe the key is that both employees and employers find these insights to be beneficial.

Lastly, we’ve also seen a growth in software and data that help enterprises navigate disruptions in supply, demand, or other aspects of their business.

New Harness product lets engineering teams monitor cloud spending in real time

One of the big advantages of using the cloud is ease of deployment. For engineers, being able to dial up infrastructure resources means being able to develop without delays, but it can also lead to big bills at the end of the month if you don’t know what you’re spending.

Harness wants to help with that, and today the startup released a product called Continuous Efficiency. It is designed to help engineering teams use cloud resources in a more cost-efficient manner, and do this in real time as they allocate resources.

Jyoti Bansal, co-founder and CEO at Harness, says that today most companies don’t know the extent of their cloud costs until the finance people get the bill at the end of the month. What’s more, the bill is entirely disconnected from the developers who are responsible for that cost. Finally, he says that at least 35% of that cost is waste, money they didn’t have to spend.

What Harness is hoping to do with this new product is give developers visibility into their spending with the goal that if they see how much waste they are generating they will dial back on usage.

“We are rethinking managing your cloud costs. From the perspective of developers, how do we give context sensitivity to developers so they get a full view of [what they are spending in the cloud],” he said.

Oftentimes, resources go unused or are over allocated, and giving visibility into this should let developers stay on budget, and in some cases save big bucks. To show how this works, the company says that one customer had a Kubernetes cluster configured with an annual cost of $1.6 million. After running the Continuous Efficiency product, it found that just 15% of the cluster compute resources were actually being used. After reconfiguring based on this data, they were able to save $1.3 million over the course of a year.

Image Credit: Harness

While Bansal says the product was in development long before the pandemic started, a tool like this at this particular moment in time is even more important as companies are looking for ways to cut costs.

Harness was founded in 2016 and has raised $80 million, according to Crunchbase data. Bansal formerly co-founded AppDynamics, a company that Cisco acquired in January 2017 for $3.7 billion.

Owners of DDoS-for-Hire Service vDOS Get 6 Months Community Service

The co-owners of vDOS, a now-defunct service that for four years helped paying customers launch more than two million distributed denial-of-service (DDoS) attacks that knocked countless Internet users and websites offline, each have been sentenced to six months of community service by an Israeli court.

vDOS as it existed on Sept. 8, 2016.

A judge in Israel handed down the sentences plus fines and probation against Yarden Bidani and Itay Huri, both Israeli citizens arrested in 2016 at age 18 in connection with an FBI investigation into vDOS.

Until it was shuttered in 2016, vDOS was by far the most reliable and powerful DDoS-for-hire or “booter” service on the market, allowing even completely unskilled Internet users to launch crippling assaults capable of knocking most websites offline.

vDOS advertised the ability to launch attacks at up to 50 gigabits of data per second (Gbps) — well more than enough to take out any site that isn’t fortified with expensive anti-DDoS protection services.

The Hebrew-language sentencing memorandum (PDF) has redacted the names of the defendants, but there are more than enough clues in the document to ascertain the identities of the accused. For example, it says the two men earned a little more than $600,000 running vDOS, a fact first reported by this site in September 2016 just prior to their arrest, when vDOS was hacked and KrebsOnSecurity obtained a copy of its user database.

In addition, the document says the defendants were initially apprehended on September 8, 2016, arrests which were documented here two days later.

Also, the sentencing mentions the supporting role of a U.S. resident named only as “Jesse.” This likely refers to 23-year-old Jesse Wu, who KrebsOnSecurity noted in October 2016 pseudonymously registered the U.K. shell company used by vDOS, and ran a tiny domain name registrar called NameCentral that vDOS and many other booter services employed.

Israeli prosecutors say Wu also set up their payment infrastructure, and received 15 percent of vDOS’s total revenue for his trouble. NameCentral no longer appears to be in business, and Wu could not be reached for comment.

Although it is clear Bidani and Huri are defendants in this case, it is less clear which is referenced as Defendant #1 or Defendant #2. Both were convicted of “corrupting/disturbing a computer or computer material,” charges that the judge said had little precedent in Israeli courts, noting that “cases of this kind have not been discussed in court so far.” Defendant #1 also was convicted of sharing nude pictures of a 14 year old girl.

vDOS also sold API access to their backend attack infrastructure to other booter services to further monetize their excess firepower, including Vstress, Ustress, PoodleStresser and LizardStresser.

Yarden Bidani. Image: Facebook.

Both defendants received the lowest possible sentence (the maximum was two years in prison) — six months of community service under the watch of the Israeli prison service — mainly because the accused were minors during the bulk of their offenses. The judge also imposed small fines on each, noting that more than $175,000 dollars worth of profits had already been seized from their booter business.

The judge observed that while Defendant #2 had shown remorse for his crimes and an understanding of how his actions affected others — even sobbing throughout one court proceeding — Defendant #1 failed to participate in the therapy sessions previously ordered by the court, and that he has “a clear and daunting boundary for recurrence of further offenses in the future.”

Boaz Dolev, CEO of ClearSky Cyber Security, said he’s disappointed in the lightness of the sentences given how much damage the young men caused.

“I think that such an operation that caused big damage to so many companies should have been dealt differently by the Israeli justice system,” Dolev said. “The fact that they were under 18 when committing their crimes saved them from much harder sentences.”

While DDoS attacks typically target a single website or Internet host, they often result in widespread collateral Internet disruption. Less than two weeks after the 2016 arrest of Bidani and Huri, KrebsOnSecurity.com suffered a three-day outage as a result of a record 620 Gbps attack that was alleged to have been purchased in retribution for my reporting on vDOS. That attack caused stability issues for other companies using the same DDoS protection firm my site enjoyed at the time, so much so that the provider terminated my service with them shortly thereafter.

To say that vDOS was responsible for a majority of the DDoS attacks clogging up the Internet between 2012 and 2016 would be an understatement. The various subscription packages for the service were sold based in part on how many seconds the denial-of-service attack would last. And in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years worth of attack traffic.

It seems likely vDOS was responsible for several decades’ worth of attack time, but it’s impossible to say for sure because vDOS’s owners routinely wiped attack data from their servers.

Prosecutors in the United States and United Kingdom have in recent years sought tough sentences for those convicted of running booter services. While a number of current charges against alleged offenders have not yet been fully adjudicated, only a handful of defendants in these cases have seen real jail time.

The two men responsible for creating and unleashing the Mirai botnet (the same duo responsible for building the massive crime machine that knocked my site offline in 2016) each avoided jail time thanks to their considerable cooperation with the FBI.

Likewise, Pennsylvania resident David Bukoski recently got five years probation and six months of “community confinement” after pleading guilty to running the Quantum Stresser booter service. Lizard Squad member and PoodleStresser operator Zachary Buchta was sentenced to three months in prison and ordered to pay $350,000 in restitution for his role in running various booter services.

On the other end of the spectrum, last November 21-year-old Illinois resident Sergiy Usatyuk was sentenced to 13 months in jail for running multiple booter services that launched millions of attacks over several years. And a 20-year-old U.K. resident in 2017 got two years in prison for operating the Titanium Stresser service.

For their part, authorities in the U.K. have sought to discourage would-be customers of these booter services by purchasing Google ads warning that such services are illegal. The goal is to steer customers away from committing further offenses that could land them in jail, and toward more productive uses of their skills and/or curiosity about cybersecurity.

And that’s really it for Google+

Last year, Google launched the beta of Currents, which was essentially a rebrand of Google+ for G Suite users, since Google+ for consumers went to meet its maker in April 2019. While Google+ was meant to be an all-purpose social network, the idea behind Currents is more akin to what Microsoft is doing with Yammer or Facebook with Workplace. It’s meant to give employees a forum for internal discussions and announcements.

To complicate matters, Google kept Google+ around, even after the launch of Currents, but in an email to G Suite admins, it has now announced that Google+ for G Suite will close its doors on July 6, after which there will be no way to opt out of Currents or revert back to Google+.

And with that, Google has driven the final nail into Google+’s coffin. The Google+ mobile apps will be automatically updated to Currents. All existing links to Google+ will redirect to Currents.

Going forward, Google+ will only live on as a hazy memory, filled with circles of friends, all of which were forced to use their real name (at least at the beginning), +1 buttons everywhere, sparks and the promise of fun games, ripples and more.

Currents is all business — and while I’m not aware of a lot of companies that use it, it looks to be a solid option for companies that would otherwise use the Yammer/Teams combination in the Microsoft ecosystem. Now, I guess, we can start the countdown before Google launches another social network.

If you want to take a stroll down memory lane, check out our history of Google+ below:

The Good, the Bad and the Ugly in Cybersecurity – Week 23

The Good

This week, the Cybersecurity and Infrastructure Security Agency (CISA) released the first in what is to be a series of Cyber Essentials Toolkits. The agency plans to release new toolkit updates each month. Each toolkit is designed to align with what CISA has deemed the 6 “Essential Elements” of Cyber Readiness. Through each step and module of the toolkit(s), the goal is to walk business leaders, CISOs, and information owners through the process of developing and implementing proper cybersecurity practices and hygiene. By taking these “bite size” baby steps, organizations should gain the ability to properly manage and understand risk, as well as properly compartmentalize information and resources to complement the lowering of risk and exposure. The 6 “Essential Elements” as defined by CISA are:

  • Yourself
  • Your Staff
  • Your Systems
  • Your Surroundings
  • Your Data
  • Your Actions Under Stress

The first of these toolkits is focused on the Yourself element and is aimed at cybersecurity leaders as well as IT professionals and service providers. The overall project is aimed at C-level executives. If you would like to learn more about the Cyber Essentials Toolkit and related efforts, we encourage you to visit CISA’s site for ongoing updates to this effort.

The Bad

This week’s ‘Bad’ is a critical vulnerability in VMware Cloud Director, disclosed by researchers who say it could allow attackers to fully take over affected infrastructure.

The flaw lies in improper input handling, leading to a state allowing for arbitrary code injection. The flaw can be triggered via maliciously crafted traffic by way of the Flex and HTML5-based interfaces, as well as via supplied APIs. The vulnerability, assigned CVE-2020-3956, was discovered during a security audit by researchers at Citadelo.

The impact of this vulnerability goes beyond remote code execution. The researchers were able to show that through this flaw it was possible to gain access to external cloud infrastructure. The flaw could be used to gain full access to a vCloud database, manipulate the credentials of a System Administrator account, and ultimately access all hosted customers with full privileges.

In addition to the posted disclosure, Citadelo has posted a detailed PoC to demonstrate the flaw. VMware has released updates to address the issue. All exposed or concerned customers are encouraged to review the posted materials and follow the recommended guidelines and fixes.

The Ugly

Actors behind the DoppelPaymer ransomware have announced their breach of Digital Management, LLC, an IT service provider based in Maryland. The victim has a number of Fortune 100 clients including NASA. The NASA relationship is specifically called out on the DoppelPaymer blog site.

The attackers have posted verified samples of data on the TOR-based blog, and claim to have encrypted 2,583 machines. At the time of writing, the ransomware operators have publicly posted 21 sample files from the hack.

The gang claims to have stolen equipment designs and plans, HR and personnel data, as well as internal documents belonging to both NASA and SpaceX. The sample data appears to span multiple years, from 2016 or earlier to the present day.

Given that Digital Management LLC works within the federal space, compliance and regulatory requirements are much stricter than they are for non-federal entities, so the company could face devastating repercussions both from regulators and from clients. In some ways, these attacks can prove to be as damaging as, if not more so than, many state-sponsored campaigns. While they may lack the stealthy techniques of an APT group, the impact can be just as devastating or even business-ending. Digital Management, LLC are certainly going to find themselves fighting on several fronts as they try to put out the wildfires caused by this breach.

