Microsoft makes it easier to get started with Windows Virtual Desktops

Microsoft today announced a slew of updates to various parts of its Microsoft 365 ecosystem. A lot of these aren’t all that exciting (though that obviously depends on your level of enthusiasm for products like Microsoft Endpoint Manager), but the overall thrust behind this update is to make life easier for the IT admins that help provision and manage corporate Windows — and Mac — machines, something that’s even more important right now, given how many companies are trying to quickly adapt to this new work-from-home environment.

For them, the highlight of today’s set of announcements is surely an update to Windows Virtual Desktop, Microsoft’s service for giving employees access to a virtualized desktop environment on Azure and that allows IT departments to host multiple Windows 10 sessions on the same hardware. The company is launching a completely new management experience for this service that makes getting started significantly easier for admins.

Ahead of today’s announcement, Brad Anderson, Microsoft’s corporate VP for Microsoft 365, told me that it took a considerable amount of Azure expertise to get started with this service. With this update, you still need to know a bit about Azure, but the overall process of getting started is now significantly easier. And that, Anderson noted, is now more important than ever.

“Some organizations are telling me that they’re using on-prem [Virtual Desktop Infrastructure]. They had to go do work to basically free up capacity. In some cases, that means doing away with disaster recovery for some of their services in order to get the capacity,” Anderson said. “In some cases, I hear leaders say it’s going to take until the middle or the end of May to get the additional capacity to spin up the VDI sessions that are needed. In today’s world, that’s just unacceptable. Given what the cloud can do, people need to have the ability to spin up and spin down on demand. And that’s the unique thing that a Windows Virtual Desktop does relative to traditional VDI.”

Anderson also believes that remote work will remain much more common once things go back to normal — whenever that happens and whatever that will look like. “I think the usage of virtualization where you are virtualizing running an app in a data center in the cloud and then virtualizing it down will grow. This will introduce a secular trend and growth of cloud-based VDI,” he said.

In addition to making the management experience easier, Microsoft is now also making it possible to use Microsoft Teams for video meetings in these virtual desktop environments, using a feature called ‘A/V redirection’ that allows users to connect their local audio and video hardware and virtual machines with low latency. It’ll take another month or so for this feature to roll out, though.

Also new is the ability to keep service metadata about Windows Virtual Desktop usage within a certain Azure region for compliance and regulatory reasons.

For those of you interested in Microsoft Endpoint Manager, the big news here is better support for macOS-based machines. Using the new Intune MDM agent for macOS, admins can use the same tool for managing repetitive tasks on Windows 10 and macOS.

Productivity Score — a product only an enterprise manager would love — is also getting an update. You can now see how people in an organization are reading, authoring and collaborating around content in OneDrive and SharePoint, for example. And if they aren’t, you can write a memo and tell them they should collaborate more.

There are also new dashboards here for looking at how employees work across devices and how they communicate. It’s worth noting that this is aggregate data and not another way for corporate to look at what individual employees are doing.

The one feature here that does actually seem really useful, especially given the current situation, is a new Network Connectivity category that helps IT to figure out where there are networking challenges.

Okta COVID-19 app usage report finds it’s not just collaboration seeing a huge uptick

Okta released a special COVID-19 edition of its app usage report today, and you don’t need a Ph.D. in statistics to guess what they found. Indeed, Zoom surged 110% on the Okta network, leading the way in usage growth just as you would expect, but another whole class of tools besides collaboration also saw huge increases in usage.

As Okta wrote in the report, “We see growth in two major areas: collaboration tools, especially video conferencing apps, and network security tools such as VPNs that extend secure access to remote workers.”

These plumbing tools might not be as sexy as the collaboration tools or boast triple digit growth like Zoom did, but they are seeing a substantial increase in usage as company IT departments try to bring some order to a widely distributed workforce.

As Okta pointed out in the report, bad actors have been looking to take advantage of the situation, as they tend to do, and these folks do love to sow some chaos.


The biggest winners here beyond collaboration tools were VPN businesses with Palo Alto Networks GlobalProtect and Cisco AnyConnect coming in at 94% and 86% usage increases respectively. But they weren’t the only tools growing, as Okta reported the Citrix ADC load balancing tool and ProofPoint’s security training apps also showed strong gains.

It’s probably not surprising that these kinds of tools are seeing an increase in usage with so many employees working from home, but it is interesting to see which vendors are benefiting from the move.

It’s also worth noting that Okta can point to a clear demarcation date when usage began to tick up. It’s easy to forget now, but March 6th was the last day of “normal” app usage before we started to see usage of these tools start to surge.


While reports of this kind are somewhat limited because of the focus on a particular set of customers and the tools they use, it does give you a sense of general trends in technology involving 8,000 Okta customers and 6,500 app integrations.

Figma raises $50 million Series D led by Andreessen Horowitz

Figma, the design platform that lets folks work collaboratively and in the cloud, has today announced the close of a $50 million Series D financing. The round was led by Andreessen Horowitz, with partner Peter Levine and cofounding partner Marc Andreessen managing the deal for the firm. New angel investors, including Henry Ellenbogen from Durable Capital, also participated in the round alongside existing investors Index, Greylock, KPCB, Sequoia and Founders Fund.

Forbes reports that the latest funding round values Figma at $2 billion.

Dylan Field, Figma founder and CEO, told TechCrunch that discussions between a16z and Figma actually began towards the end of the fundraising cycle for the company’s Series C, which closed in February of 2019.

“It felt a bit like a shotgun wedding,” said Field, explaining that both parties instead opted to get to know each other better. They’ve been building their relationship over the past year, leading to today’s Series D close. Field also added that he has not met other investors in this round in person, and the vast majority of the deal was done over Zoom.

“When you think about the future of Silicon Valley, there is an interesting question around capital infrastructure being here and people not being able to access that if they’re not here, too,” said Field. “I got to see firsthand how a deal done online can work and I think more and more investors aren’t going to worry about whether you’re in Silicon Valley or not.”

Figma launched in 2015 after nearly six years of development in stealth. The premise was to create a collaborative, cloud-based design tool that would be the Google Docs of design.

Since then, Figma has built out the platform to expand access and usability for individual designers, small firms and giant enterprise companies alike. For example, the company launched plug-ins in 2019, allowing developers to build their own tools into the app, such as a plug-in for designers to automatically rename and organize their layers as they work (Rename.it) and one that gives users the ability to add placeholder text that they can automatically find and replace later (Content Buddy).

The company also launched an educational platform called Community, which gives designers the ability to share their work and let other users ‘remix’ that design, or simply check out how it was built, layer by layer.

A spokesperson told TechCrunch that this deal was “opportunistic,” and that the company was in a strong cash position pre-financing. The new funding expands Figma’s runway during these uncertain times, with coronavirus halting a lot of enterprise purchasing and ultimately slowing growth of some rising enterprise players.

Field explained that Figma’s data is counter to the expected narrative around enterprise purchasing because Figma is specifically built to let teams collaborate in the cloud.

“We’re actually seeing a lot of acceleration for bigger deals on the sales side,” said Field. “Figma is a tool that can help right now.”

The company says that one interesting change they’ve seen in the COVID era is a significant jump in user engagement from teams to collaborate more in Figma. The firm has also seen an uptick in whiteboarding, note taking, slide deck creation and diagramming, as companies start using Figma as a collaborative tool across an entire organization rather than just within a team of designers.

This latest deal brings Figma’s total funding to $132.9 million. Field added that, though the company is not yet profitable, this latest financing gives the company three to four years of runway, even with aggressive scaling and hiring efforts moving forward.

Material Bank, a logistics platform for sourcing architectural and design samples, raises $28M

Material Bank, a logistics platform for the architectural and design industry, has announced the close of a $28 million Series B financing today, led by Bain Capital Ventures. Bain’s Merritt Hummer led the round on behalf of the firm and will join the board of directors at Material Bank, along with Jeff Sine, cofounder and partner at The Raine Group.

Existing investors Raine Ventures and Starwood Capital Group cofounder, Chairman and CEO Barry Sternlicht also participated in the round.

Material Bank launched in January 2019, founded by Adam I. Sandow. Its platform is meant to serve designers, architects and others who source and purchase the very building blocks of our physical world: materials.

Most architectural firms and designers have their own physical library of materials in their office, like carpet swatches, wall covering samples, tiles, and hardwoods for flooring. These libraries are nearly impossible to keep up to date — not only do styles change over time (just like clothes or anything else) but architects pull this or that binder of wall coverings or carpets and there’s no telling if or when that binder returns to the library, or if the binder will still be complete when it does return.

The other big obstacle for designers and architects is that there’s no real aggregation across the many, many manufacturers of these materials.

Sandow likens it to searching for a flight in the old days.

“We all used to book airline travel through an agent, and then the airlines offered websites,” said Sandow. “We thought ‘this is great! I can just go to AA.com or Delta.com to book my flights.’ Until we wanted to price shop. Then you had to search four or five different websites and write down all the prices and by the time you found the price you wanted, it may be gone.”

Then came Expedia and Hotwire.

That’s how Sandow thinks of Material Bank for the architectural industry.

Material Bank aggregates materials across hundreds of vendors, giving users the ability to filter around multiple parameters to find a selection of materials in minutes instead of hours.

But aggregation and powerful search are only half the battle. Designers and architects are also burdened by the time it takes to get their samples. One package may arrive tomorrow, with two others in the next three days, and still more coming in one week.

This leads to a confusing experience of getting all these samples together to show a client, and is a huge environmental waste with dozens of boxes arriving at the same exact location over several days.

To combat this waste, Material Bank built a facility in Memphis directly next door to FedEx’s sorting center. This facility is the very last stop that FedEx makes each night before sorting and sending off its overnight packages by plane.

That means that Material Bank users can place an order by midnight EST and get their samples, from any vendor on Material Bank, by 10am ET the next morning. These samples come in a single box with a tray that can be repurposed into a return package to send back unneeded samples.

Obviously, Material Bank’s facility would require hundreds of workers to turn around orders that come in late to be picked up by FedEx if it weren’t for advancements in robotics. Material Bank partners with Locus Robotics in its facility, and is thus able to pay $17.50 an hour to its human workers in the building.

Sandow says that coronavirus has not hampered the business at all, with the company seeing record revenues in March and with expectations to beat that record in April. That is partially due to the fact that those physical sample libraries in architectural and design firms are no longer accessible to employees who have had to shift to working from home.

Material Bank doesn’t charge architects or designers for the service, but does have a hybrid SaaS model in place for manufacturers and vendors on the platform. Manufacturers pay a monthly fee to access and use the platform, listing their SKUs, as well as a transactional fee to get access to the architects and designers placing orders for samples of their materials. Essentially, the manufacturers pay for the lead generation and hand-off to potential customers.

Sandow spent the last two decades growing a media network of architectural and design-focused magazines and knew early on that a reliance on advertising wouldn’t cut it as media moved online, with plans to build tools and services instead.

Material Bank was born out of that effort, and spun out of Sandow group relatively early on in its life.

The company has raised a total of $55 million since inception.

AWS hits $10B for the quarter putting it on a $40B run rate

AWS, the cloud arm of Amazon, would be a pretty successful business on its own. Today, the company announced it has passed $10 billion for the quarter, putting the cloud business on an impressive run rate of more than $40 billion.

It was a bright spot for the company in an earnings report that saw it report net income of $2.5 billion, down $1 billion from a year ago.

Still, most companies would take that for the entire business, but AWS, which started off as kind of a side hustle for Amazon back in 2006, has grown into a powerful business all on its own. With a growth rate of 33%, it’s still growing briskly, even if it’s slowing down a bit as the law of large numbers begins to work against it.

Even though Microsoft has grown more quickly — in yesterday’s report Microsoft reported that Azure was growing at a 59% clip — AWS had such a big head start and controls a big chunk of the market share.

To give you a sense of how quickly this business has grown, Bloomberg’s Jon Erlichman tweeted the Q1 numbers for AWS since 2014, and it’s pretty amazing growth:

In 2014, it was a $4 billion a year business. Today it is 9.1x that and still going strong. The good news for everyone involved is that this is a huge market, and while nobody could ever characterize the pandemic and its economic fallout as good news for anyone, the fact is that it is forcing companies to move to the cloud faster than they might have wanted to go.

That should bode well for all the cloud infrastructure vendors. Even as the economy shrinks, the kinds of services these vendors offer should be in more demand than ever, and that means these numbers could just keep growing for some time.

New Red Hat CEO Paul Cormier faces a slew of challenges in the midst of pandemic

When former Red Hat CEO Jim Whitehurst moved on to become president at parent company IBM earlier this month, the logical person to take his place was long-time executive Paul Cormier. As he takes over in the most turbulent of times, he still sees a company that is in the right place to help customers modernize their approach to development as they move more workloads to the cloud.

We spoke to Cormier yesterday via video conference, and he appeared to be a man comfortable in his new position. We talked about the changes his new role has brought him personally, how he is helping his company navigate the current situation and how his relationship with IBM works.

One thing he stressed was that even as part of the IBM family, his company is running completely independently, and that includes no special treatment for IBM. It’s just another customer, an approach he says is absolutely essential.

Taking over

He says that he felt fully prepared for the role having run the gamut of jobs over the years, from engineering to business units to CTO. The big difference for him as CEO is that in all of his previous roles he could be the technical guy speaking a certain engineering language with his colleagues. As CEO, things have changed, especially during a time when communication has become paramount.

This has been an even bigger challenge in the midst of the pandemic. Instead of traveling to offices for meetings, chatting over informal coffees and having more serendipitous encounters, he has had to be much more deliberate in his communication to make sure his employees feel in the loop, even when they are out of the office.

“I have a company-wide meeting every two weeks. You can’t over communicate right now because it just doesn’t happen [naturally in the course of work]. I’ve got to consciously do it now, and that’s probably the biggest thing,” he said.

Go-to-market challenges

While Cormier sees little change on the engineering side, where many folks have been working remotely for some time, the go-to-market team could face more serious hurdles as they try to engage with customers.

“The go-to-market and sales side is going to be the challenge because we don’t know how our customers will come out of this. Everybody’s going to have different strategies on how they’re coming out of this, and that will drive a lot,” he said.

This week was Cormier’s first Red Hat Summit as CEO, one that like so many conferences had to pivot from a live event to virtual fairly quickly. Customers have been nervous, and this was the first chance to really reconnect with them since things have shut down. He says that he was pleasantly surprised how well it worked, even allowing more people to attend than might pay to travel to a live event.

Conferences are a place for the sales team to really shine and lay the groundwork for future sales. Not being there in person had to be a big change for them, but he says this week went better than he expected, and they learned a ton about running virtual events that they will carry forth into the future.

“We all miss the face-to-face for sure, but I think we’ve learned new things, and I think our team did an amazing job in pulling this off,” he said.

No favorites for IBM

As he navigates his role inside the IBM family, he says that new CEO Arvind Krishna has effectively become his board of directors, now that the company has gone private. When IBM paid $34 billion for Red Hat in 2018, it was looking for a way to modernize the company and to become a real player in the hybrid cloud market.

Hybrid involves finding a way to manage infrastructure that lives on premises as well as in the cloud without having to use two sets of tools. While IBM is all-in on Red Hat, Cormier says it’s absolutely essential to their relationship with customers that they don’t show them any favoritism, and that includes no special pricing deals.

Not only that, he says that he has the freedom to run the company the way he sees fit. “IBM doesn’t set our product strategy. They don’t set our priorities. They know that over time our open-source products could eat into what they are doing with their proprietary products, and they are okay with that. They understand that,” he said.

He says that doing it any other way could begin to erode the reason that IBM spent all that money in the first place, and it’s up to Cormier to make sure that they continue to do what they were doing and keep customers comfortable with that. So far, the company seems to be heading in the same upward trajectory it was on as a public company.

In the most recent earnings report in January, IBM reported Red Hat income of $1.07 billion, up from $863 million the previous year when it was still a private company. That’s a run rate of over $4 billion, putting it well within reach of the $5 billion goal Whitehurst set a few years ago.

Now it’s Cormier’s job to get them there and beyond. The pandemic certainly makes it more challenging, but he’s ready to lead the company to that next level, all while walking the line as the CEO of a company that lives under the IBM family umbrella and all that entails.

How Cybercriminals are Weathering COVID-19

In many ways, the COVID-19 pandemic has been a boon to cybercriminals: With unprecedented numbers of people working from home and anxious for news about the virus outbreak, it’s hard to imagine a more target-rich environment for phishers, scammers and malware purveyors. In addition, many crooks are finding the outbreak has helped them better market their cybercriminal wares and services. But it’s not all good news: The Coronavirus also has driven up costs and disrupted key supply lines for many cybercriminals. Here’s a look at how they’re adjusting to these new realities.

FUELED BY MULES

One of the more common and perennial cybercriminal schemes is “reshipping fraud,” wherein crooks buy pricey consumer goods online using stolen credit card data and then enlist others to help them collect or resell the merchandise.

Most online retailers years ago stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia. These restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe — derisively referred to as “reshipping mules” — to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.

A screenshot from a user account at “Snowden,” a long-running reshipping mule service.

But apparently a number of criminal reshipping services are reporting difficulties due to the increased wait time when calling FedEx or UPS (to divert carded goods that merchants end up shipping to the cardholder’s address instead of to the mule’s). In response, these operations are raising their prices and warning of longer shipping times, which in turn could hamper the activities of other actors who depend on those services.

That’s according to Intel 471, a cyber intelligence company that closely monitors hundreds of online crime forums. In a report published today, the company said since late March 2020 it has observed several crooks complaining about COVID-19 interfering with the daily activities of their various money mules (people hired to help launder the proceeds of cybercrime).

“One Russian-speaking actor running a fraud network complained about their subordinates (“money mules”) in Italy, Spain and other countries being unable to withdraw funds, since they currently were afraid to leave their homes,” Intel 471 observed. “Also some actors have reported that banks’ customer-support lines are being overloaded, making it difficult for fraudsters to call them for social-engineering activities (such as changing account ownership, raising withdrawal limits, etc).”

Still, every dark cloud has a silver lining: Intel 471 noted many cybercriminals appear optimistic that the impending global economic recession (and resultant unemployment) “will make it easier to recruit low-level accomplices such as money mules.”

Alex Holden, founder and CTO of Hold Security, agreed. He said while the Coronavirus has forced reshipping operators to make painful shifts in several parts of their business, the overall market for available mules has never looked brighter.

“Reshipping is way up right now, but there are some complications,” he said.

For example, reshipping scams have over the years become easier for both reshipping mule operators and the mules themselves. Many reshipping mules are understandably concerned about receiving stolen goods at their home and risking a visit from the local police. But increasingly, mules have been instructed to retrieve carded items from third-party locations.

“The mules don’t have to receive stolen goods directly at home anymore,” Holden said. “They can pick them up at Walgreens, hotel lobbies, etc. There are a ton of reshipment tricks out there.”

But many of those tricks got broken with the emergence of COVID-19 and social distancing norms. In response, more mule recruiters are asking their hires to do things like reselling goods shipped to their homes on platforms like eBay and Amazon.

“Reshipping definitely has become more complicated,” Holden said. “Not every mule will run 10 times a day to the post office, and some will let the goods sit by the mailbox for days. But on the whole, mules are more compliant these days.”

GIVE AND TAKE

KrebsOnSecurity recently came to a similar conclusion: Last month’s story, “Coronavirus Widens the Money Mule Pool,” looked at one money mule operation that had ensnared dozens of mules with phony job offers in a very short period of time. Incidentally, the fake charity behind that scheme — which promised to raise money for Coronavirus victims — has since closed up shop and apparently re-branded itself as the Tessaris Foundation.

Charitable cybercriminal endeavors were the subject of a report released this week by cyber intel firm Digital Shadows, which looked at various ways computer crooks are promoting themselves and their hacking services using COVID-19 themed discounts and giveaways.

Like many commercials on television these days, such offers obliquely or directly reference the economic hardships wrought by the virus outbreak as a way of connecting on an emotional level with potential customers.

“The illusion of philanthropy recedes further when you consider the benefits to the threat actors giving away goods and services,” the report notes. “These donors receive a massive boost to their reputation on the forum. In the future, they may be perceived as individuals willing to contribute to forum life, and the giveaways help establish a track record of credibility.”

Brian’s Club — one of the underground’s largest bazaars for selling stolen credit card data and one that has misappropriated this author’s likeness and name in its advertising — recently began offering “pandemic support” in the form of discounts for its most loyal customers.

It stands to reason that the virus outbreak might depress cybercriminal demand for “dumps,” or stolen account data that can be used to create physical counterfeit credit cards. After all, dumps are mainly used to buy high-priced items from electronics stores and other outlets that may not even be open now thanks to the widespread closures from the pandemic.

If that were the case, we’d also expect to see dumps prices fall significantly across the cybercrime economy. But so far, those price changes simply haven’t materialized, says Gemini Advisory, a New York based company that monitors the sale of stolen credit card data across dozens of stores in the cybercrime underground.

Stas Alforov, Gemini’s director of research and development, said there’s been no notable dramatic changes in pricing for both dumps and card data stolen from online merchants (a.k.a. “CVVs”) — even though many cybercrime groups appear to be massively shifting their operations toward targeting online merchants and their customers.

“Usually, the huge spikes upward or downward during a short period is reflected by a large addition of cheap records that drive the median price change,” Alforov said, referring to the small and temporary price deviations depicted in the graph above.

Intel 471 said it came to a similar conclusion.

“You might have thought carding activity, to include support aspects such as checker services, would decrease due to both the global lockdown and threat actors being infected with COVID-19,” the company said. “We’ve even seen some actors suggest as much across some shops, but the reality is there have been no observations of major changes.”

CONSCIENCE VS. COMMERCE

Interestingly, the Coronavirus appears to have prompted discussion on a topic that seldom comes up in cybercrime communities — i.e., the moral and ethical ramifications of their work. Specifically, there seems to be much talk these days about the potential karmic consequences of cashing in on the misery wrought by a global pandemic.

For example, Digital Shadows said some have started to question the morality of targeting healthcare providers, or collecting funds in the name of Coronavirus causes and then pocketing the money.

“One post on the gated Russian-language cybercriminal forum Korovka laid bare the question of threat actors’ moral obligation,” the company wrote. “A user initiated a thread to canvass opinion on the feasibility of faking a charitable cause and collecting donations. They added that while they recognized that such a plan was ‘cruel,’ they found themselves in an ‘extremely difficult financial situation.’ Responses to the proposal were mixed, with one forum user calling the plan ‘amoral,’ and another pointing out that cybercrime is inherently an immoral affair.”

Deep Dive: Exploring an NTLM Brute Force Attack with Bloodhound

In this post, we describe how our Vigilance MDR team investigated a classic NTLM brute force attack, which has become a very common type of attack against our customers in the last few weeks. Following the attacker’s steps, we will cover the following topics:

  • Attack vector via NTLM brute forcing
  • Multiple credential dumping techniques
  • SharpHound, an Active Directory collector tool
  • The detection

Our threat researchers have encountered a large number of lateral movement detections that were identified by SentinelOne as NTLM Brute Force attacks. As can be seen in the image below, there were a total of 2,481 detections that hit hundreds of machines. We can also see that, based on the credential dumping and PowerShell post-exploitation activity, we have mapped these indicators to MITRE IDs T1003, T1064 and T1086.

We begin with taking initial mitigation steps:

  • Disconnecting the machine from the network
  • Issuing, with one click, the Remediate command, which kills and quarantines the malicious group and removes any files and persistence that were created
  • Blacklisting and blocking any IOCs we find

Then we start to conduct a deep analysis of this attack. We can see that the victim machine is a Data Center server that was targeted from an internal machine which was not protected by the SentinelOne product; therefore, we couldn’t identify how the attacker first got into the customer’s network.

So what is NTLM?

NTLM stands for “New Technology LAN Manager” and is a proprietary Microsoft authentication protocol. It uses a challenge/response exchange, in which the challenge is encrypted with the user’s password hash, to authenticate a user without sending the password over the network.

Although the word “new” is hardly accurate in 2020, since the protocol is very old and newer, better authentication protocols have long been available, NTLM is still here and in use. Let’s take a look at how it works.

  1. The user logs in with their credentials
  2. The password is run through the hash algorithm
  3. The hash is stored in the machine’s account database, the Security Account Manager (SAM)
  4. The user sends a connection request to the server
  5. The server generates a random Challenge and sends it to the user
  6. The user’s machine encrypts the random Challenge with the password hash
  7. The server encrypts the Challenge with the password hash as well
  8. The server validates that the encrypted Challenge was created by the user by comparing the two responses
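The exchange in the eight steps above, modelled in a few lines of Python as an added example (this is not SentinelOne’s or Microsoft’s code). Real NTLM uses MD4 for the stored NT hash and HMAC-MD5 for the NTLMv2 response; the model substitutes SHA-256 and HMAC-SHA256 so it runs on any Python build, an assumption that changes nothing about the flow: the password never leaves the client, the server only ever holds and uses the hash, and each challenge is consumed once.

```python
"""Simplified NTLM-style challenge/response (added illustration).

Real NTLM derives the stored NT hash as MD4 over the UTF-16LE password and
computes the NTLMv2 response with HMAC-MD5. This model substitutes SHA-256
and HMAC-SHA256 (an assumption, so it runs without OpenSSL's legacy MD4
provider); the message flow, which is the point here, is unchanged.
"""
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    # Steps 2-3: what the account database stores is a hash, not the password.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # Steps 6-7: both sides MAC the random challenge with the stored hash.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class Server:
    """Keeps the account database (the role the SAM plays for local accounts)."""

    def __init__(self):
        self.accounts = {}   # username -> password hash
        self.pending = {}    # username -> outstanding challenge

    def register(self, user: str, password: str) -> None:
        self.accounts[user] = password_hash(password)

    def issue_challenge(self, user: str) -> bytes:
        # Step 5: a fresh random challenge for every connection request.
        challenge = os.urandom(8)
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        # Step 8: recompute with the stored hash and compare. The challenge is
        # consumed here, so a captured response cannot simply be replayed.
        challenge = self.pending.pop(user, None)
        pw_hash = self.accounts.get(user)
        if challenge is None or pw_hash is None:
            return False
        return hmac.compare_digest(challenge_response(pw_hash, challenge), response)


def authenticate(server: Server, user: str, password: str) -> bool:
    """Client side (steps 4 and 6): request a challenge, answer it, return the verdict."""
    challenge = server.issue_challenge(user)
    return server.verify(user, challenge_response(password_hash(password), challenge))


def authenticate_with_hash(server: Server, user: str, pw_hash: bytes) -> bool:
    """Same exchange, but the client starts from the stored hash rather than the
    password. The protocol cannot tell the two apart, which is the risk behind
    the SAM and LSASS dumping described later in this post."""
    challenge = server.issue_challenge(user)
    return server.verify(user, challenge_response(pw_hash, challenge))
```

The last function is the point a defender should take from the flow: because the server verifies with the stored hash, a client that starts from the hash is indistinguishable from one that typed the password, so protecting the hashes matters as much as protecting the passwords.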

When Do Organizations Use It?

NTLM is usually used by organizations when:

  • There is no Kerberos trust between two different forests
  • Either the client or the server is not a member of the domain
  • The authentication between client and server is attempted by IP
  • The organizational firewall is blocking Kerberos ports

Why Is NTLM Still In Use?

There are two versions of NTLM, but both are weak and have known vulnerabilities.

Since NTLMv1 hashes are not salted and always have the same length, with modern processor power it takes just a few seconds to crack them.

NTLMv2 was intended as a cryptographically strengthened replacement for NTLMv1, since it uses a salted hash of variable length. However, before the client sends the salted hash to the server it is held unsalted in the client’s memory, which exposes the password to offline cracking when the client responds to the challenge.

While there are better authentication protocols such as Kerberos that provide several advantages over NTLM, as we can see, organizations are still using the NTLM protocol.

The main reasons are:

  • Since NTLM is a legacy protocol, organizations fear that disabling it will break legacy applications and devices such as printers and file servers and damage production.
  • Organizations first have to identify and map every machine that needs this protocol, and then figure out how to move from NTLM to a more secure authentication protocol such as Kerberos.

What Are the Signs of an NTLM Brute Force Attack?

One or more of the following activities will appear on your network when an NTLM Brute Force attack is taking place:

  • Multiple account lockouts after the attacker has made too many attempts
  • A single source machine conducting password spraying against multiple machines
  • Use of the NTLM protocol together with account enumeration
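To make the three signs concrete, here is an added example (not from the SentinelOne post or product) that checks for them over a constructed, simplified export of Windows Security events: 4625 failed logons carrying the authentication package and NTSTATUS code, and 4740 lockouts. The line format and the thresholds are assumptions chosen for the example; a real SIEM query would key on the same fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified key=value export of Windows Security
# events (4625 = failed logon, 4740 = account locked out); not a real capture.
# The Status values are the NTSTATUS codes Windows records on 4625:
# 0xC000006A = wrong password, 0xC0000064 = user name does not exist.
SAMPLE_LOG = """\
2020-04-21T09:00:01Z EventID=4625 Src=10.0.5.23 Target=DCSRV01 Account=jsmith AuthPkg=NTLM Status=0xC000006A
2020-04-21T09:00:02Z EventID=4625 Src=10.0.5.23 Target=DCSRV01 Account=mlee AuthPkg=NTLM Status=0xC000006A
2020-04-21T09:00:02Z EventID=4625 Src=10.0.5.23 Target=DCSRV01 Account=admin AuthPkg=NTLM Status=0xC0000064
2020-04-21T09:00:03Z EventID=4625 Src=10.0.5.23 Target=DCSRV01 Account=pdavis AuthPkg=NTLM Status=0xC000006A
2020-04-21T09:00:04Z EventID=4625 Src=10.0.5.23 Target=DCSRV01 Account=test AuthPkg=NTLM Status=0xC0000064
2020-04-21T09:00:05Z EventID=4625 Src=10.0.5.23 Target=DCSRV01 Account=rkhan AuthPkg=NTLM Status=0xC000006A
2020-04-21T09:00:06Z EventID=4625 Src=10.0.5.23 Target=DCSRV01 Account=svc_backup AuthPkg=NTLM Status=0xC000006A
2020-04-21T09:00:07Z EventID=4625 Src=10.0.5.23 Target=DCSRV01 Account=tchen AuthPkg=NTLM Status=0xC000006A
2020-04-21T09:00:09Z EventID=4740 Src=10.0.5.23 Target=DCSRV01 Account=mlee AuthPkg=- Status=-
2020-04-21T09:05:00Z EventID=4625 Src=10.0.9.8 Target=FS01 Account=anna AuthPkg=Kerberos Status=0xC000006A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) Src=(?P<src>\S+) Target=(?P<target>\S+) "
    r"Account=(?P<account>\S+) AuthPkg=(?P<auth_pkg>\S+) Status=(?P<status>\S+)$"
)
UNKNOWN_USER = "0xC0000064"


def parse_events(log: str) -> list:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the export format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return events


def password_spraying(events, window=timedelta(minutes=5), min_accounts=5) -> dict:
    """Sign 2: one source failing logons for many distinct accounts in a short window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            by_src[ev["src"]].append((ev["ts"], ev["account"]))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            # attempts is sorted, so the events within `window` of t0 form a prefix of the tail
            seen = {acct for t, acct in attempts[i:] if t - t0 <= window}
            if len(seen) >= min_accounts:
                flagged[src] = seen
                break
    return flagged


def ntlm_account_enumeration(events, min_unknown=2) -> dict:
    """Sign 3: NTLM failures for user names that do not exist, i.e. the source is
    probing which accounts are real rather than mistyping a known password."""
    probes = defaultdict(set)
    for ev in events:
        if (ev["event_id"] == 4625 and ev["auth_pkg"] == "NTLM"
                and ev["status"].lower() == UNKNOWN_USER.lower()):
            probes[ev["src"]].add(ev["account"])
    return {src: names for src, names in probes.items() if len(names) >= min_unknown}


def locked_out_accounts(events) -> list:
    """Sign 1: the lockouts that follow the attempts."""
    return sorted({ev["account"] for ev in events if ev["event_id"] == 4740})


def analyze(log: str) -> dict:
    events = parse_events(log)
    return {
        "spraying": password_spraying(events),
        "enumeration": ntlm_account_enumeration(events),
        "lockouts": locked_out_accounts(events),
    }
```

On the sample, the unprotected source 10.0.5.23 trips all three checks while the single Kerberos failure from 10.0.9.8 trips none; in practice the spraying threshold and window should be tuned against the normal failed-logon rate of your own helpdesk and service accounts.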

Returning to our analysis: by examining our internal log files we can clearly see account enumeration and password spraying from a single unprotected source machine.

Once the attacker had successfully brute-forced the Data Center server, he continued with credential dumping: querying the Windows Syskey through the RegOpenKeyEx/RegQueryInfoKey API calls and saving the SAM database. The SAM database holds the encrypted usernames and passwords of the local accounts on the machine they were created on, so saving it has value to the attacker.

This activity can be seen in our Active EDR DeepVisibility, which mapped these detections to MITRE technique:

The next step for the attacker was to create cmd.exe and execute powershell.exe with the following obfuscated code:

Looking at the second line of this obfuscated code, we can see the attacker used -join [char[]] to convert a list of ASCII values back into a string.

Let’s write a few lines to decode this obfuscated code:
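The post’s decoder did not survive as text, so here is an added Python equivalent (not the authors’ code) for the -join [char[]] pattern described above. It parses decimal or 0x-hex code points, repeats the decode while the result still contains encoded layers, and rewrites each expression as a single-quoted literal so the output stays readable PowerShell. The sample script it runs on is constructed and harmless.

```python
import re

# Matches PowerShell's `-join [char[]](n1, n2, ...)` (optionally `@(...)`) with
# decimal or 0x-hex code points. Constructed pattern for this example.
JOIN_CHAR_RE = re.compile(
    r"-join\s*\[char\[\]\]\s*@?\(\s*"
    r"((?:0x[0-9a-f]+|\d+)(?:\s*,\s*(?:0x[0-9a-f]+|\d+))*)"
    r"\s*\)",
    re.IGNORECASE,
)

# Constructed, harmless sample in the style of the post's obfuscated PowerShell:
# two encoded strings plus one that decodes to a further encoded layer (the
# nested case a real sample may contain).
SAMPLE = """\
$c = -join [char[]](87,114,105,116,101,45,72,111,115,116)
$m = -join [char[]](0x68,0x65,0x6c,0x6c,0x6f)
$n = -join [char[]](45,106,111,105,110,32,91,99,104,97,114,91,93,93,40,55,50,44,49,48,53,41)
& $c $m $n
"""


def _to_int(token: str) -> int:
    token = token.strip()
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)


def _decode_match(m) -> str:
    # Turn the captured comma-separated code points into text.
    return "".join(chr(_to_int(tok)) for tok in m.group(1).split(","))


def fully_decode(text: str, max_layers: int = 10) -> str:
    """Decode every -join [char[]] expression in `text`, repeating while the
    result still contains encoded layers."""
    for _ in range(max_layers):
        decoded = JOIN_CHAR_RE.sub(_decode_match, text)
        if decoded == text:
            return text
        text = decoded
    raise ValueError("gave up after %d obfuscation layers" % max_layers)


def extract_strings(script: str) -> list:
    """Return the plaintext behind each encoded expression, in order of appearance."""
    return [fully_decode(_decode_match(m)) for m in JOIN_CHAR_RE.finditer(script)]


def deobfuscate(script: str) -> str:
    """Rewrite the script with each encoded expression replaced by a single-quoted
    PowerShell literal (embedded quotes doubled), keeping the rest untouched."""
    def quoted(m):
        return "'" + fully_decode(_decode_match(m)).replace("'", "''") + "'"
    return JOIN_CHAR_RE.sub(quoted, script)
```

extract_strings is the quick triage view (what commands, paths or URLs were hidden), while deobfuscate gives you the script to read end to end; the layer limit in fully_decode keeps a pathological sample from looping forever.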

Analyzing the decoded source code, we can see the attacker hosted a Mimikatz PowerShell script on the unprotected source machine and invoked it from there in order to dump credentials without ever writing the Mimikatz binary to the victim’s machine.

Empire & Mimikatz Detection Demo
By Ryan Merrick – Sr. Strategic Engineer – SentinelOne

A few minutes later, we identified another detection which revealed the attacker’s next move. This involved dropping and executing two more executables: SharpHound.exe and Procdump64.exe.

Let’s cover each node’s command line.

First, the attacker executed whoami to get the login information, and then procdump64.exe to dump the memory of lsass.exe.

Executing procdump64.exe is a good example of how attackers use Living Off the Land tactics, since such binaries are signed, known and verified (in our case by Microsoft).

That way attackers hope to hide their malicious activity in an ocean of legitimate processes, which also makes it harder for security researchers to determine which group is behind the attack.

Second, the next executable in this malicious group is SharpHound.exe, which was executed with the following commands:

Interlude: A Quick Refresher on SharpHound

Before we continue analysing the attack, let’s take a quick look at SharpHound in order to understand the attacker’s tactics better. SharpHound is the executable data collector for BloodHound, which provides a snapshot of the current Active Directory state by visualizing its entities.

This tool helps both defenders and attackers to easily identify correlations between users, machines, and groups. Additionally, this tool:

  • Collects active sessions
  • Collects Active Directory permissions
  • Maps the shortest path to Domain Admins
  • Looks for hidden correlations

Importantly, even a user with regular permissions can use this tool.

Gathering Data and Lateral Movement

Returning to our analysis: the attacker dropped the SharpHound tool and started collecting data by executing it with the argument -C All.

This runs an ingester on the victim’s machine that queries Active Directory. Once done, the following compressed file is created:

The compressed file contains JSON files with the relevant collected active directory information:

The attacker then uploads the compressed dataset to a Neo4j server, which imports the JSON files and, after processing them, renders the relationships as a graph.

Now, we don’t know what kind of snapshot the attacker obtained from the victim’s Data Center server; however, we found this tool very interesting, so we will give a quick introduction to the features we have tested in our malware lab.

Once the Neo4j server is up and the JSON files have been successfully imported, we get a small GUI that lets us search for any node in our graph, along with three tabs: Database Info, Node Info, and Queries.

The Database Info tab shows a numeric overview of our Active Directory, such as:

  • How many users are there? 
  • How many active sessions are there for these users? 
  • How many groups are there? 
  • How many relationships there are between our nodes, etc.

The graph shows all the relations from a given machine node, as shown below.

For example:

  • Yellow nodes represent groups (right-click to expand and see the members)
  • Green nodes represent users
  • Red nodes represent active sessions on a machine
  • A MemberOf edge connects users to the group node they are members of
  • An AdminTo edge marks a group that has admin privileges on the connected machine node

Note: Bloodhound only provides a snapshot of the current state of the domain, meaning if you are analyzing a graph and find access to a particular entity, it doesn’t mean this session is still active.
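As an added example (not BloodHound’s or SentinelOne’s code), the following Python walks the two edge types from the legend above, MemberOf and AdminTo, over a small constructed export in a simplified JSON shape defined here (an assumption; it is not SharpHound’s real schema). It answers the defender’s version of the question the graph poses: through nested group membership, which users end up with admin rights on which machines, and who exceeds a least-privilege budget.

```python
import json
from collections import defaultdict, deque

# Constructed export in a simplified JSON shape defined for this example
# (assumption: it is not SharpHound's real output format). Edge names follow
# the legend in the post: MemberOf and AdminTo.
SAMPLE_EXPORT = """
{
  "nodes": [
    {"id": "ALICE@CORP.LOCAL", "type": "User"},
    {"id": "BOB@CORP.LOCAL", "type": "User"},
    {"id": "CAROL@CORP.LOCAL", "type": "User"},
    {"id": "HELPDESK@CORP.LOCAL", "type": "Group"},
    {"id": "IT-ADMINS@CORP.LOCAL", "type": "Group"},
    {"id": "DOMAIN ADMINS@CORP.LOCAL", "type": "Group"},
    {"id": "WS01.CORP.LOCAL", "type": "Computer"},
    {"id": "WS02.CORP.LOCAL", "type": "Computer"},
    {"id": "DC01.CORP.LOCAL", "type": "Computer"}
  ],
  "edges": [
    {"from": "ALICE@CORP.LOCAL", "to": "HELPDESK@CORP.LOCAL", "rel": "MemberOf"},
    {"from": "HELPDESK@CORP.LOCAL", "to": "IT-ADMINS@CORP.LOCAL", "rel": "MemberOf"},
    {"from": "BOB@CORP.LOCAL", "to": "DOMAIN ADMINS@CORP.LOCAL", "rel": "MemberOf"},
    {"from": "IT-ADMINS@CORP.LOCAL", "to": "WS01.CORP.LOCAL", "rel": "AdminTo"},
    {"from": "IT-ADMINS@CORP.LOCAL", "to": "WS02.CORP.LOCAL", "rel": "AdminTo"},
    {"from": "DOMAIN ADMINS@CORP.LOCAL", "to": "DC01.CORP.LOCAL", "rel": "AdminTo"},
    {"from": "DOMAIN ADMINS@CORP.LOCAL", "to": "WS01.CORP.LOCAL", "rel": "AdminTo"},
    {"from": "CAROL@CORP.LOCAL", "to": "WS02.CORP.LOCAL", "rel": "AdminTo"}
  ]
}
"""


class AdGraph:
    def __init__(self, export: str):
        data = json.loads(export)
        self.types = {n["id"]: n["type"] for n in data["nodes"]}
        self.member_of = defaultdict(set)   # principal -> groups it is directly in
        self.admin_to = defaultdict(set)    # principal -> computers it directly administers
        for e in data["edges"]:
            if e["rel"] == "MemberOf":
                self.member_of[e["from"]].add(e["to"])
            elif e["rel"] == "AdminTo":
                self.admin_to[e["from"]].add(e["to"])

    def effective_groups(self, principal: str) -> set:
        """All groups reached through nested MemberOf edges (BFS; cycles are harmless)."""
        seen, queue = set(), deque([principal])
        while queue:
            for g in self.member_of[queue.popleft()]:
                if g not in seen:
                    seen.add(g)
                    queue.append(g)
        return seen

    def effective_admin_rights(self, user: str) -> set:
        """Computers the user can administer directly or via any nested group."""
        rights = set(self.admin_to[user])
        for g in self.effective_groups(user):
            rights |= self.admin_to[g]
        return rights

    def admins_of(self, computer: str) -> set:
        """Inverse view: every user who ends up with admin rights on `computer`."""
        return {u for u, t in self.types.items()
                if t == "User" and computer in self.effective_admin_rights(u)}

    def over_privileged_users(self, max_machines: int = 1) -> dict:
        """Users with admin rights on more machines than policy allows: a
        least-privilege review list built from the same edges the graph shows."""
        return {u: sorted(self.effective_admin_rights(u))
                for u, t in self.types.items()
                if t == "User" and len(self.effective_admin_rights(u)) > max_machines}
```

In the sample, ALICE has no direct AdminTo edge at all, yet ends up administering two workstations through HELPDESK nested in IT-ADMINS; that is exactly the kind of hidden correlation the post says the tool surfaces, and the reason to review nested group membership rather than direct rights alone.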

The Queries tab contains predefined queries such as:

  • Find all Domain Admins: Finds all the Domain Admins relations from your current node
  • Map Domain Trust: Shows if your current domain has a relationship with other domains 
  • Shortest Paths to High-Value Targets: Shows you the shortest paths to the Domain Admins, Administrators, etc. (Right-click a node to set this machine as a High-Value Target)

The Node Info tab shows us information regarding our current node: 

  • Last time the password was changed (an old timestamp could indicate a weak password)
  • There are 3 active sessions from our current machine
  • There are 30 relationships with High-Value Target machines 
  • First Degree Group Memberships indicates that this node is a member of 3 different groups
  • We have direct RDP connections to 3 machines

We can also try finding a path from our current machine to any target machine we want:

All these BloodHound features show how the attacker could leverage the tool to move laterally in the network over RDP from the current Data Center node and reach high-value targets such as Group Admins and Administrator users, with the Domain Controller server probably the ultimate high-value target.

How Can We Detect BloodHound Traffic?

To identify usage of BloodHound in your environment, monitor the network traffic between your endpoints and your Domain Controllers, most of which will be on TCP port 389 (LDAP).

Another indicator is an unusually high volume of queries to the Active Directory server.
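An added example (not the post’s or any product’s logic) of the two indicators just described, run over constructed connection records: a list of domain controller addresses and LDAP ports is assumed, and a source is flagged when, within a sliding one-minute window, it opens many LDAP connections to a DC or pulls an unusually large amount of data back from it. The thresholds are assumptions to tune against your own baseline.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

LDAP_PORTS = {389, 636, 3268, 3269}              # LDAP, LDAPS, Global Catalog, GC over TLS
DOMAIN_CONTROLLERS = {"10.0.1.10", "10.0.1.11"}  # constructed inventory for this example

# Constructed flow records (not a real capture): one workstation opens eight
# LDAP connections to a DC within 35 seconds and pulls a lot of data back;
# another host shows the occasional lookup normal clients make, plus SMB.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes_in
2020-04-21T10:00:00Z,10.0.5.23,10.0.1.10,389,65536
2020-04-21T10:00:05Z,10.0.5.23,10.0.1.10,389,65536
2020-04-21T10:00:10Z,10.0.5.23,10.0.1.10,389,65536
2020-04-21T10:00:15Z,10.0.5.23,10.0.1.10,389,65536
2020-04-21T10:00:20Z,10.0.5.23,10.0.1.10,389,65536
2020-04-21T10:00:25Z,10.0.5.23,10.0.1.10,389,65536
2020-04-21T10:00:30Z,10.0.5.23,10.0.1.10,389,65536
2020-04-21T10:00:35Z,10.0.5.23,10.0.1.10,389,65536
2020-04-21T10:01:00Z,10.0.7.4,10.0.1.10,389,1200
2020-04-21T10:01:30Z,10.0.7.4,10.0.2.5,445,8000
2020-04-21T10:03:00Z,10.0.7.4,10.0.1.11,389,900
"""


def parse_flows(text: str) -> list:
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "bytes_in": int(row["bytes_in"]),   # bytes returned by the server
        })
    return flows


def ldap_bursts(flows, window=timedelta(seconds=60), min_conns=6, min_bytes=256 * 1024) -> dict:
    """Sources whose LDAP traffic to a domain controller, within any `window`,
    reaches `min_conns` connections or `min_bytes` of data returned."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dst"] in DOMAIN_CONTROLLERS and f["dport"] in LDAP_PORTS:
            by_src[f["src"]].append((f["ts"], f["bytes_in"]))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        best = {"connections": 0, "bytes": 0}
        for i, (t0, _) in enumerate(conns):
            # conns is sorted, so the entries within `window` of t0 are a prefix of the tail
            in_window = [(t, b) for t, b in conns[i:] if t - t0 <= window]
            count, total = len(in_window), sum(b for _, b in in_window)
            if count > best["connections"]:
                best = {"connections": count, "bytes": total, "start": t0.isoformat()}
        if best["connections"] >= min_conns or best["bytes"] >= min_bytes:
            flagged[src] = best
    return flagged
```

The byte threshold matters as much as the connection count: a collector that reuses one LDAP session still has to pull the whole directory back over it, so a single long-lived connection with a large reply volume should score just as high as a burst of short ones.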

Conclusions

As we have seen, an NTLM brute force attack is still a serious concern for all environments, especially when combined with multiple credential dumping techniques and a dropped tool that creates a snapshot of your current Active Directory state.

As always, ensure your SOC team monitors such NTLM activity as well as suspicious network traffic to the active directory server, as we have shown in this post.

Additionally, it’s essential to deploy a modern and capable endpoint security solution. Threat hunters and SOC teams using SentinelOne can detect such activity with Watch lists in our Active EDR DeepVisibility. For example, to detect Windows Syskey events, we can simply create a Watch list that matches the behavioral indicator for “accessing the Windows Syskeys”. Once such events appear on your network, the Watch list automatically sends you an email with the detection URL.

The SentinelOne agent also prevents aggressive payloads such as Mimikatz from touching the lsass process, and teams can mitigate and remediate any malicious group with just one click in the Management console.

Last but not least, our Vigilance MDR team provides a 24/7 Managed Detection and Response service to SentinelOne’s VIP customers. This detection is just one example out of thousands of threats we handle every day. If you are not yet a SentinelOne customer, contact us to find out more about how we can protect your business or try a free demo.



Google is making Meet free for everyone

Google today announced that it is making Meet, its video meeting tool for businesses that directly competes with the likes of Zoom, available for free to everyone. Until now, you could participate in a Meet call without being a paying user, but you needed a paid G Suite account to start calls.

You won’t be able to schedule free Meet calls right away, though. Google is opening up access to Meet to free users gradually, starting next week. It may take a few weeks before everybody has access to it.

After September, free accounts will be limited to meetings that don’t run longer than 60 minutes, but until then, you can chat for as long as you want. The only other real limit is that meetings can’t have more than 100 participants. You still get screen sharing, real-time captions and the new tiled layout the company introduced only a few days ago.

Users will need a Google account to participate in meetings, though, which isn’t likely to be a major barrier for most people, but it does add more friction than simply clicking on a Zoom link.

Google argues that in return, you get a safer platform, not just because it’s hard to guess meeting codes for Meet (which makes “Meet-bombing” a non-starter), but also because Meet runs in the browser and is hence less vulnerable to security threats.

“With COVID, video conferencing is really becoming an essential service and we have seen video conferencing usage really go up,” Smita Hashim, the Director of Product Management at Google Cloud, told me. Because the need for these tools continues to increase, Google decided to bring Meet to individual users now, though Hashim noted that some of this had been on the company’s roadmap before.

“We are accelerating what we are doing, given the crisis and given the need for video conferencing at this point,” she said. “We still have the Google Hangouts product but Google Meet availability we are accelerating. This is a newer product designed to scale to many more participants and that has features like closed captioning and those kinds of things.”

So for the time being, Hangouts for consumers and also Google Duo aren’t going away. But at least for consumer Hangouts, which has been on life support for a long time, this move may accelerate its deprecation.

Clearly, Google saw that Zoom caught on among consumers and that Microsoft announced plans for a consumer edition of Teams. Without a free and easily accessible version of Meet, Google wasn’t able to fully capitalize on what has become a breakout time for video conferencing tools, so it makes sense for the company to make a push to get this new edition out of the door as fast as possible.

“From a leadership perspective, the message was really: how can Google be more and more helpful,” Hashim said when I asked her what the discussion about this move was like inside the company. “That was the direction we got. So from our side, video conferencing is the product which is really hugely accelerated usage and Google Meet in particular. So that’s why we first launched the advanced features, then we did the safety controls and then we said, ‘okay, let’s accelerate some of these other features,’ but we kept seeing that need, so it felt like a very natural next step for us to take and make it available to all our users.”

In addition to free access to Google Meet for everyone, Google is also launching a new edition of G Suite, dubbed G Suite Essentials. This new edition, which is meant for small teams and includes access to Google Drive, Docs, Sheet, Slides and, of course, Meet, will be available for free until September 30. After that, Google will start charging, but as Hashim told me, the company hasn’t decided on pricing yet.

For enterprise users, Google is also adding a few perks through September 30. These include free access to advanced Meet features for all G Suite customers, including the ability to live stream to up to 100,000 viewers within their domains, as well as free additional Meet licenses without the need for an amended contract, and free G Suite Essentials for enterprise customers.

Google also used today’s announcement to share a few new stats around Meet. As of last week, Meet’s daily meeting participants surpassed 100 million, for example, and with that, Meet now plays host to 3 billion minutes of video meetings. Daily peak usage is up 30x since January. That’s a lot of time spent in meetings.

Atlassian co-founder and co-CEO Mike Cannon-Brookes is coming to Disrupt SF 2020

Atlassian is about as ubiquitous to software engineers as Google is to the rest of us. The Sydney-based company, which launched in 2002, develops tools and services for enterprise collaboration and marched efficiently to a public offering in 2015.

So it goes without saying that we’re thrilled to have Atlassian co-founder and co-CEO Mike Cannon-Brookes join us at Disrupt SF 2020, which runs September 14 to September 16.

As far as entrepreneurship goes, Cannon-Brookes is on a very short list of founders who have led a company from founding to public offering, and all the steps in between.

Atlassian was one of the early players in enterprise collaboration, particularly for engineering and development teams, and has over the years introduced a robust product suite, including Jira, Confluence and HipChat.

Cannon-Brookes has been at the helm for the entire journey, from raising early funding to product development to acquisitions (including Trello) to public offering and beyond. All the while, Cannon-Brookes kept the company’s HQ, and all invoicing, in its home country of Australia, becoming the most successful tech startup to ever launch out of the nation down under.

One of the more interesting features of the company? Unlike Microsoft and IBM and other big enterprise software companies, Atlassian has always operated without a proper sales team, using a fraction of spend on sales and marketing compared to other enterprise software giants.

“We had a hunch early on that salespeople break software companies,” Cannon-Brookes told the Australian Financial Review in 2015. “But convincing people this model would work has probably been the biggest struggle we’ve had. We’ve had a lot of smart people who wouldn’t join the company or give us money or advise us because it made no sense to them.”

The company developed an enormously successful distribution flywheel built on the back of one necessary ingredient: remarkable products. Great products at low prices mean that you can sell to everyone, and if you sell to everyone you have to do it online and with transparent pricing and a great free trial. But if you offer a free trial, you better have a remarkable product, and the flywheel spins on and on.

It has worked.

Atlassian products are used by more than 160,000 large and small organizations across the globe, including Spotify, NASA, Sotheby’s and Visa.

Cannon-Brookes is also a tech investor across sectors like software, fintech, agriculture and energy, with a seat on the board of Zoox.

We’re excited to sit down with Cannon-Brookes and hear more about the company’s trajectory over the last two decades and hear what comes next for the behemoth.

Disrupt SF 2020 runs September 14 to September 16 at the Moscone Center right in the heart of San Francisco. For folks who can’t make it in person, we have several Digital Pass options to be part of the action or to exhibit virtually, which you can check out here.

We’ll be announcing more speakers over the coming weeks, so stay tuned.

(Editor’s Note: We’re watching the developing situation around the novel coronavirus very closely and will adapt as we go. You can find out the latest on our event schedule plans here.)
