Rapid Threat Hunting with Deep Visibility – Feature Spotlight

As a threat hunter, your main mission is to understand the behavior of your endpoints and to capture abnormal behavior with fast, super fast mitigation actions. You need the ability to search your fleet for behavioral indicators such as those mapped by the Mitre ATT&CK framework with a single-click, and you need to automate threat hunts for known attacks or according to your own criteria. SentinelOne’s Deep Visibility with True Context ID allows you to do all that and more, faster than ever before. Let’s take a look.

 

What is True Context ID?

SentinelOne’s Deep Visibility empowers you with rapid threat hunting capabilities thanks to our patented True Context ID technology. Each autonomous SentinelOne Agent builds a model of its endpoint infrastructure and real-time running behavior. True Context ID is an ID given to a group of related events in this model. When you find an abnormal event that seems relevant, use the True Context ID to quickly find all related processes, files, threads, events and other data with a single query.

image of console and true context id

With True Context ID, Deep Visibility returns full, contextualized data that lets you swiftly understand the root cause behind a threat with all of its context, relationships and activities revealed from one search.

True Context ID lets threat hunters understand the full story of what happened on an endpoint. Use it to hunt easily, see the full chain of events, and save time for your security teams.

Deep Visibility Comes With Ease of Use

Threat hunting in the Management console’s graphical user interface is powerful and intuitive. The SentinelOne Deep Visibility query language is based on a user-friendly SQL subset that will be familiar from many other tools.

The interface assists you in building the correct syntax with completion suggestions and a one-click command palette. This saves you time and spares threat hunters the pain of remembering how to construct queries even if they are unfamiliar with the syntax.

image of command palette

A visual indicator shows whether the syntax is valid or not so you don’t waste time waiting for a bad query to return an error. Let’s search for a common “Living off the Land” technique by running a query across a 12-month period to return every process that added a net user:

image of query language

We also provide a great cheatsheet to rapidly power-up your team’s threat hunting capabilities here.

Use Case: Responding to Incidents

Let’s suppose you’ve seen a report of a new Indicator of Compromise (IOC) in your threat intel feeds. Has your organization been exposed to it? It’s fast and simple to run a query across your environment to find out.

In the Console’s Forensics view, copy the hash of the detection. In the Visibility view, begin typing in the query search field and select the appropriate hash algorithm from the command palette and then select or type =. Now, paste the hash to complete the query.

image of use case 1

This is how easy it is even for members of your team with little or no experience of SQL-style syntax to construct powerful, threat hunting queries.

The results will show all endpoints that ever had the file installed. It’s as simple as that.

image of results

Results Come Fast, No Time For Coffee!

SentinelOne handles around 10 billion events a day, so we understand that when you query huge datasets, you cannot wait hours for the results. Deep Visibility returns results lightning fast, and thanks to its Streaming mode can even let you see the results of subqueries before the complete query is done.

Deep Visibility query results show detailed information from all your SentinelOne Agents, displaying attributes like path, Process ID, True Context ID and much more.

With Deep Visibility, you can consume the data earlier, filter the data more easily, pivot for new drill-down queries, and understand the overall story much more quickly than with other EDR products.

Fast Query on MITRE Behavioral Indicators

As a threat hunter, querying the MITRE ATT&CK framework has likely become one of your go-to tools. SentinelOne’s Deep Visibility makes hunting for MITRE ATT&CK TTPs fast and painless. It’s as easy as entering the Mitre ID.

image of mitre search

For example, you could search your entire fleet for any process or event with behavioral characteristics of process injection with one simple query:

IndicatorDescription Contains "T1055"

There’s no need to form seperate queries for different platforms. With SentinelOne, a single query will return results from all your endpoints regardless of whether they are running Windows, Linux or macOS.

image of mitre indicators

Stay Ahead With Automated Hunts

SentinelOne’s Deep Visibility is designed to lighten the load on your team in every way, and that includes giving you the tools to set up and run custom threat hunting searches that run on a schedule you define through Watchlists.

With Watchlists, you can save Deep Visibility queries or define new ones, let the queries run periodically and get notifications when a query returns results. Your organization is secure while you or your team are not on duty.

Creating a Watchlist is simplicity itself. In the Visibility view of the Management console, run your query. Then, click “Save new set”, choose a name for the Watchlist, and choose who should be notified. That’s it. The threat hunt will run across your environment at the specified timing interval and the recipients will receive alerts of all results.

image of watchlists

Deep Insight At Every Level

SentinelOne’s Deep Visibility is built for granularity. You can drill-down on any piece of information from a Deep Visibility query result. Each column shows an alphabetical list of the matching items. You can filter for one or more items. In a row of a result, you can expand the cell to see details. For most details, you can open a submenu and drill-down even further. Alternatively, you can use the selected details to run a new query.

image of new query

Conclusion

Threat hunting lets you find suspicious behavior in its early stages before it becomes an attack that will generate alerts. It supplements the automated rules of detection tools, which require a high level of confidence that behavior is suspicious before an alert is generated. But effective threat hunting needs to result in less work for your busy analysts while at the same time providing more security for your organization, its data, services and customers. With SentinelOne’s Deep Visibility, you gain deep insight into everything that has happened in your environment. Deep Visibility gives you not only visibility but also ease of use, speed and context to make threat hunting more effective than ever before. If you would like to know more contact us today or try a free demo.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Hyperledger Fabric, the open source distributed ledger, reaches release 2.0

The open source Hyperledger Foundation announced the release of Hyperledger Fabric 2.0 today, the first such project to reach a 2.0 release.

It’s a notable milestone. The blockchain as a business tool has certainly had a rocky road over the last few years, but there is still plenty to like about smart contracts that have automated compliance checks built in. Hyperledger Fabric 2.0 has lots of new features with that in mind.

The biggest updates involve forcing agreement among the parties before any new data can be added to the ledger, known as decentralized governance of the smart contracts. In practice, it means that the system will prevent any entity from writing to the ledger until there is consensus among the parties involved in the transaction, a basic blockchain tenet.

This is a requirement because the beauty and the curse of the distributed ledger is that it is an immutable record. Once you have written something in the ledger, it becomes very difficult to change it without the agreement of all those involved in the contract. You want to make sure you get it right before you commit something to the ledger.

Along those same lines, developers can build in automated checks along the way. As they say, this ensures the parties can “validate additional information before endorsing a transaction proposal.”

Brian Behlendorf, Executive Director at Hyperledger and a big advocate of open source distributed ledger technology, says this is a big milestone for the project and the organization as it looks to help organizations adopt distributed ledger technology.

“Fabric 2.0 is a new generation framework developed by and for the enterprises that are building distributed ledger capabilities into the core of their businesses. This new release reflects both the development and deployment experience of the Fabric community and confirms the arrival of the production era for enterprise blockchain,” Behlendorf said in a statement.

That remains to be seen. The rise of blockchain in business has moved at a slow pace, but this release shows that the open source community is still committed to building enterprise-grade distributed ledger technology. Today’s announcement is another step in that direction.

OpsRamp raises $37.5M for its hybrid IT operations platform

OpsRamp, a service that helps IT teams discover, monitor, manage and — maybe most importantly — automate their hybrid environments, today announced that it has closed a $37.5 million funding round led by Morgan Stanley Expansion Capital, with participation from existing investor Sapphire Ventures and new investor Hewlett Packard Enterprise.

OpsRamp last raised funding in 2017, when Sapphire led its $20 million Series A round.

At the core of OpsRamp’s services is its AIOps platform. Using machine learning and other techniques, this service aims to help IT teams manage increasingly complex infrastructure deployments, provide intelligent alerting and eventually automate more of their tasks. The company’s overall product portfolio also includes tools for cloud monitoring and incident management.

The company says its annual recurrent revenue increased by 300% in 2019 (though we obviously don’t know what number it started 2019 with). In total, OpsRamp says it now has 1,400 customers on its platform and alliances with AWS, ServiceNow, Google Cloud Platform and Microsoft Azure.

OpsRamp co-founder and CEO Varma Kunaparaju

According to OpsRamp co-founder and CEO Varma Kunaparaju, most of the company’s customers are mid to large enterprises. “These IT teams have large, complex, hybrid IT environments and need help to simplify and consolidate an incredibly fragmented, distributed and overwhelming technology and infrastructure stack,” he said. “The company is also seeing success in the ability of our partners to help us reach global enterprises and Fortune 5000 customers.”

Kunaparaju told me that the company plans to use the new funding to expand its go-to-market efforts and product offerings. “The company will be using the money in a few different areas, including expanding our go-to-market motion and new pursuits in EMEA and APAC, in addition to expanding our North American presence,” he said. “We’ll also be doubling-down on product development on a variety of fronts.”

Given that hybrid clouds only increase the workload for IT organizations and introduce additional tools, it’s maybe no surprise that investors are now interested in companies that offer services that rein in this complexity. If anything, we’ll likely see more deals like this one in the coming months.

“As more of our customers transition to hybrid infrastructure, we find the OpsRamp platform to be a differentiated IT operations management offering that aligns well with the core strategies of HPE,” said Paul Glaser, vice president and head of Hewlett Packard Pathfinder. “With OpsRamp’s product vision and customer traction, we felt it was the right time to invest in the growth and scale of their business.”

Sprint Exposed Customer Support Site to Web

Fresh on the heels of a disclosure that Microsoft Corp. leaked internal customer support data to the Internet, mobile provider Sprint has addressed a mix-up in which posts to a private customer support community were exposed to the Web.

KrebsOnSecurity recently contacted Sprint to let the company know that an internal customer support forum called “Social Care” was being indexed by search engines, and that several months worth of postings about customer complaints and other issues were viewable without authentication to anyone with a Web browser.

A redacted screen shot of one Sprint customer support thread exposed to the Web.

A Sprint spokesperson responded that the forum was indeed intended to be a private section of its support community, but that an error caused the section to become public.

“These conversations include minimal customer information and are used for frontline reps to escalate issues to managers,” said Lisa Belot, Sprint’s communications manager.

A review of the exposed support forum by this author suggests that while none of the posts exposed customer information such as payment card data, a number of them did include customer account information, such customer names, device identifiers and in some cases location information.

Perhaps more importantly for Sprint and its customers, the forum also included numerous links and references to internal tools and procedures. This sort of information would no doubt be of interest to scammers seeking to conduct social engineering attacks against Sprint employees as way to perpetrate other types of fraud, including unauthorized SIM swaps or in gleaning more account information from targeted customers.

Earlier this week, vice.com reported that hackers are phishing workers at major U.S. telecommunications companies to gain access to internal company tools. That news followed a related Vice report earlier this month which found ne’er-do-wells are now getting telecom employees to run software that lets the hackers directly reach into the internal systems of U.S. telecom companies to take over customer cell phone numbers.

The misstep by Sprint comes just days after Microsoft acknowledged that a database containing “a subset of information related to customer support interactions was accessible to the internet between the dates of Dec. 5 and Dec. 31, 2019.” Microsoft said it was alerting individuals whose information was exposed, which included location information, email and IP addresses, telephone numbers and descriptions of technical issues.

A message Microsoft sent to customers affected by their recent leak of customer support data.

This week marked the annual observance of Data Privacy Day, an occasion in which we are reminded to be more judicious about the types of personal information we voluntarily share on social media and other Web sites. But both the Microsoft and Sprint stumbles are a reminder that billion-dollar companies very often expose this information on our behalf, even when we are doing everything within our power to safeguard it.

Scripting Macs With Malice | How Shlayer and Other Malware Installers Infect macOS

The Myth of the Safe Mac is something we’ve written about before, but sometimes it takes a startling statistic to get people’s attention. Research suggesting that 10% of all Kaspersky-protected Macs had been hit by Shlayer malware in 2019 certainly caught the attention of last week’s news cycle, and hopefully it’s the sort of stat that can serve as a wake-up call to those who still ask in 2020 “Do Macs get viruses?” (by which, of course, they mean ‘do Macs get infected with malware?’).

The resounding answer to that is “Yes, of course they do!”, and they’re getting infected at increasing rates because malware authors have adapted and evolved their techniques. In this post, we’ll explore in more detail the infection method adopted by Shlayer and other malware families recently. This method has proven to be an effective means of beating built-in macOS security controls and, indeed, a number of end user protection tools, too.

image of scripting macs with malice

Why Threat Actors Are Turning to Scripts

Until recently, most threat actors approached macOS infection in pretty much the same way. From adware to OSX.Dok and APT Lazarus group targeted attacks, the first stage infection is typically a standard Apple application bundle containing a malicious machO binary file. The machO is to macOS what PE is to Windows or ELF to Linux: the standard system executable format at the heart of GUI applications.

image of shroomcourt adware

The problem with such compiled binaries from a threat actor’s point of view is that they have a lot of code surface for detection. Legacy-style AV will scan binaries on execution, while macOS itself will check such binaries for Notarization and codesigning on first launch. The life of a binary file downloaded from the internet is one of a series of hurdles to leap over. And on top of that, building and compiling new binaries to beat hash and Yara rule checks is also more work for attackers than they would like.

Using a scripting language offers attackers a number of advantages. They’re easier to iterate on, they’re harder to scan, and although they can technically be codesigned, they don’t have to be, and that codesigning is in any case a brittle and easily removed extended attribute. But scripts have a couple of disadvantages, too. First, they still have to lose the Gatekeeper “quarantine bit” (read here if you’re not familiar with how Gatekeeper works); and second, asking victims to download and execute a sketchy-looking script is not a convincing look for malware that’s trying to pass itself off as a legitimate application.

Shlayer and related adware installers like Bundlore have got around both of these problems with surprising ease. Attackers have realized that due to increasing security controls on legitimate applications, many macOS users have become familiarized with the process and are undaunted by the prospect of simply overriding their own security preferences. Instructions like this allow even non-admin users to override Gatekeeper with two-clicks and let the malware launch.

image right click to bypass macOS security

The second problem was never really a problem to begin with, but it took malware authors a while to either catch on to, or bother to implement, the fact that the file format inside an application bundle can be anything you like – it doesn’t have to be a machO. A python or shell script will do just as well. Moreover, with clever uses of aliases and filenames, attackers don’t even need to use an application bundle at all. While a scary-looking shell script might put some potential victims on alert, a nice icon like this will look harmless enough to many others.

image of player dmg

Inside Shlayer.a malware

The image above shows how the Shlayer.a variant presents itself to users when they mount the disk image that contains it. The disk image is typically downloaded by users who have been tricked through social engineering to believing they need to update Adobe Flash player.

However, switch views in the Finder and then toggle hidden files with the hotkey Command-Shift-Period, and we can see there’s a bunch of other files hidden away on the disk image. Note the enc file, which is called by the Player.command shell script.

image of hidden malicious files in dmg

This version is relatively simple, but still clever. The hidden enc script decodes into the following second stage shell script, which downloads and launches the next stage in the form of a malicious app in a subfolder of the /tmp folder.

image of early shlayer variant

The code

$ mktemp -d /tmp/XXXXXXXXX

offers the malware an easy way to generate a random folder name. The number of Xs determine the length, and the mktemp command helpfully generates a random string of that length.

image of mktemp

Shlayer.a has been around for 18 months or so, and aside from the download URL, it hasn’t changed much in that time. Despite that, at the time of writing the most recent sighting of Shlayer.a on VirusTotal was 2 hours ago; malware authors don’t persist with unsuccessful strategies, so Shlayer.a is clearly still very much a going concern.

image of shlayer a on virustotal

Inside Shlayer.d malware

A more recent version increases the complexity and the size of the shell script and uses a very different technique. If you run the file command on both samples, you’ll notice that they are both Bash scripts but the newer sample contains binary data:

image of shlayer_d file type

Our newer sample has also ballooned to 1.7MB compared to the slim-Jim Shlayer.a version of 181 bytes. If we open that in Vi, we’ll get 6000 lines or so of binary. From within Vi, we can call the xxd utility to get a clearer picture of what’s going on. The firsts 400 lines or so are a shell script with a base64 encoded string for input.

image of shlayer_d

Decoding that reveals another script embedded within it:

image of shlayer_d embedded script

and more base64 code at Line 17, which defines the variable _t.

image shlayer_d second stage base64

Note how the script itself leverages the xxd utility to decode its own binary data. The final Line 18 at the end of the data reveals the command that will be run:

eval "$(_m "$_t" "$_y")"

Let’s change that eval to echo to print out the next stage.

image of shlayer final stage decryption

As we can see, the script jumps through quite a few hoops before gathering operating system version and machine ID. As with Shlayer_a, it then downloads and executes the payload from a subfolder within /tmp, making use of the mktemp utility. The payload is then deleted and, for good measure, the script kills the Terminal.app as its final act.

Inside Bundlore: Friends of the Shlayer Family

As mentioned at the beginning of this post, other researchers have covered the more recent Shlayer.e variant, which uses Python rather than Bash to achieve much the same thing, so I won’t repeat their analysis here, but the technical details are certainly worth reading up on.

Throughout the above, I’ve followed the naming conventions used by Kaspersky in order to facilitate readers following the story from there or elsewhere, but as you’ll notice if you look at the detections on VirusTotal, there is a wide variety of names for the Shlayer malware, with some engines identifying Shlayer variants as Bundlore variants and vice versa. Given the fluidity and similarity between samples of Shlayer and Bundlore, let’s look at a sample that offers a different twist on what we saw above.

The final sample I want to take a look at uses very similar techniques as the previous Shlayer samples, although it is tagged by Kaspersky as “OSX.Bnodlero.x” and by a number of other vendors as “Bundlore-CJ”. Let’s use Pacifist to inspect and extract the disk image’s contents.

image of bundlore installer

In terms of distribution and packaging, we see the sample is a DMG containing an installer.app. The app’s icon is an image that resembles the familiar .pkg image, and the main executable is once again a shell script. However, the script is somewhat different to the earlier ones, and it’s worth taking a look at from a defenders point of view.

While the Shlayer samples above all eventually called out to a URL to retrieve the final payload, this sample packs an encrypted payload within the Installer.app bundle itself. The two files of interest in the Installer.app bundle are the script executable and the file with a random name in the Resources folder. While the executable name is a randomly generated string of alphanumeric characters, note that the name of the file in the Resources folder is the same string reversed.

Let’s start by decoding the base64 in the script. Here’s the encoded and decoded version side-by-side.

image of decrypted bundlore script

After decryption, we find that the script writes a machO binary to a subfolder in the /tmp folder, again using mktemp but this time with a 12-character length. The script creates a bundle structure for the executable, giving it a random Bundle Identifier from hashing the date command and running it through base64 before formatting it with tr to delete unwanted characters.

The script then gives the new bundle executable permissions and launches it using the built-in open command. The script then promptly deletes the bundle and its parent directory from the filesystem, leaving nothing to be found as the source of infection.

Conclusion

In this post, we’ve seen how threat actors are easily able to convince users to override their own security settings, and how these same bad actors are using scripts as opposed to the more easily detectable and harder to iterate native binary format as the initial installer. Many legacy AV scanners don’t even recognize scripts as executables, and as the parent process will be the scripting language’s executable (e.g., /bin/bash or /usr/bin/python), these may also bypass security solutions that whitelist such tools. The best way to protect users from these kind of threats is with a behavioral solution that does not care what file type is used or what parent process is invoked, and which of course cannot be overridden by the user on the endpoint.

Sample Hashes

Shlayer.a:
a45a770803ad44eca678e74a5a10c270062c449c8ed6c6ac5a2b3217881272ad
da500f8821dde25cff8bba0e9dd5bf2d8efa8b188718f93287960969eec1b6b7

Shlayer.d: – First Stage
c32199390872536e45f0cc9d5a55e23ed5b0822772555b57def9aeb22cfdcb49

Shlayer.d: – Second Stage
f968eec32cbc625d8c3ef27c5a785be6c3a84df1344569f329da18dc66beb9a2

OSX.Bnodlero.x: – First Stage
962dd0564f179904c7ae59e92c6456a2906527fc2dc26480d25ef87b28bd429a

OSX.Bnodlero.x: – Decrypted machO
6dd68a2b1375d47f99d7219aa5131bbab008bf0ae73784836b8c46b3e1d8f461


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Greylock’s Reid Hoffman and Sarah Guo to talk fundraising at Early Stage SF 2020

Early Stage SF is around the corner, and we are more than excited for this brand new event. The intimate gathering of founders, VCs, operators and tech industry experts is all about giving founders the tools they need to find success, no matter the challenge ahead of them.

Struggling to understand the legal aspects of running a company, like negotiating cap tables or hiring international talent? We’ve got breakout sessions for that. Wondering how to go about fundraising, from getting your first yes to identifying the right investors to planning the timeline for your fundraise sprint? We’ve got breakout sessions for that. Growth marketing? PR/Media? Building a tech stack? Recruiting?

We. Got. You.

Hoffman + Guo

Today, we’re very proud to announce one of our few Main Stage sessions that will be open to all attendees. Reid Hoffman and Sarah Guo will join us for a conversation around “How To Raise Your Series A.”

Reid Hoffman is a legendary entrepreneur and investor in Silicon Valley. He was an Executive VP and founding board member at PayPal, before going on to co-found LinkedIn in 2003. He led the company to profitability as CEO before joining Greylock in 2009. He serves on the boards of Airbnb, Apollo Fusion, Aurora, Coda, Convoy, Entrepreneur First, Microsoft, Nauto, and Xapo, among others. He’s also an accomplished author, with books like Blitzscaling, The Startup of You, and The Alliance.

Sarah Guo has a wealth of experience in the tech world. She started her career in high school at a tech firm founded by her parents, called Casa Systems. She then joined Goldman Sachs, where she invested in growth-stage tech startups such as Zynga and Dropbox, and advised both pre-IPO companies (Workday) and publicly traded firms (Zynga, Netflix, and Nvidia). She joined Greylock Partners in 2013 and led the firm’s investment in Cleo, Demisto, Sqreen and Utmost. She has a particular focus on B2B applications as well as infrastructure, cybersecurity, collaboration tools, AI, and healthcare.

The format for Hoffman and Guo’s main stage chat will be familiar to folks who have followed the investors. It will be an updated, in-person combination of Hoffman’s famously annotated LinkedIn Series B pitchdeck that led to Greylock’s investment, and Sarah Guo’s in-depth breakdown of what she looks for in a pitch.

They’ll lay out a number of universally applicable lessons that folks seeking Series A funding can learn from, tackling each from their own unique perspectives. Hoffman has years of experience in consumer-focused companies, with a special expertise in network effects. Guo is one of the top minds when it comes to investment in enterprise software.

We’re absolutely thrilled about this conversation, and to be honest, the entire Early Stage agenda.

How it works

Here’s how it all works:

There will be about 50+ breakout sessions at the event, and attendees will have an opportunity to attend at least seven. The sessions will cover all the core topics confronting early-stage founders — up through Series A — as they build a company, from raising capital to building a team to growth. Each breakout session will be led by notables in the startup world.

Don’t worry about missing a breakout session, because transcripts from each will be available to show attendees. And most of the folks leading the breakout sessions have agreed to hang at the show for at least half the day and participate in CrunchMatch, TechCrunch’s app to connect founders and investors based on shared interests.

Here’s the fine print. Each of the 50+ breakout sessions is limited to around 100 attendees. We expect a lot more attendees, of course, so signups for each session are on a first-come, first-serve basis. Buy your ticket today and you can sign up for the breakouts that we’ve announced. Pass holders will also receive 24-hour advance notice before we announce the next batch. (And yes, you can “drop” a breakout session in favor of a new one, in the event there is a schedule conflict.)

Grab yourself a ticket and start registering for sessions right here. Interested sponsors can hit up the team here.

( function() {
var func = function() {
var iframe = document.getElementById(‘wpcom-iframe-02477ba73f2ce7104ba54bd838810d2a’)
if ( iframe ) {
iframe.onload = function() {
iframe.contentWindow.postMessage( {
‘msg_type’: ‘poll_size’,
‘frame_id’: ‘wpcom-iframe-02477ba73f2ce7104ba54bd838810d2a’
}, “https://tcprotectedembed.com” );
}
}

// Autosize iframe
var funcSizeResponse = function( e ) {

var origin = document.createElement( ‘a’ );
origin.href = e.origin;

// Verify message origin
if ( ‘tcprotectedembed.com’ !== origin.host )
return;

// Verify message is in a format we expect
if ( ‘object’ !== typeof e.data || undefined === e.data.msg_type )
return;

switch ( e.data.msg_type ) {
case ‘poll_size:response’:
var iframe = document.getElementById( e.data._request.frame_id );

if ( iframe && ” === iframe.width )
iframe.width = ‘100%’;
if ( iframe && ” === iframe.height )
iframe.height = parseInt( e.data.height );

return;
default:
return;
}
}

if ( ‘function’ === typeof window.addEventListener ) {
window.addEventListener( ‘message’, funcSizeResponse, false );
} else if ( ‘function’ === typeof window.attachEvent ) {
window.attachEvent( ‘onmessage’, funcSizeResponse );
}
}
if (document.readyState === ‘complete’) { func.apply(); /* compat for infinite scroll */ }
else if ( document.addEventListener ) { document.addEventListener( ‘DOMContentLoaded’, func, false ); }
else if ( document.attachEvent ) { document.attachEvent( ‘onreadystatechange’, func ); }
} )();

Wawa Breach May Have Compromised More Than 30 Million Payment Cards

In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach.

On the evening of Monday, Jan. 27, a popular fraud bazaar known as Joker’s Stash began selling card data from “a new huge nationwide breach” that purportedly includes more than 30 million card accounts issued by thousands of financial institutions across 40+ U.S. states.

The fraud bazaar Joker’s Stash on Monday began selling some 30 million stolen payment card accounts that experts say have been tied back to a breach at Wawa in 2019.

Two sources that work closely with financial institutions nationwide tell KrebsOnSecurity the new batch of cards that went on sale Monday evening — dubbed “BIGBADABOOM-III” by Joker’s Stash — map squarely back to cardholder purchases at Wawa.

On Dec. 19, 2019, Wawa sent a notice to customers saying the company had discovered card-stealing malware installed on in-store payment processing systems and fuel dispensers at potentially all Wawa locations.

Pennsylvania-based Wawa says it discovered the intrusion on Dec. 10 and contained the breach by Dec. 12, but that the malware was thought to have been installed more than nine months earlier, around March 4. The exposed information includes debit and credit card numbers, expiration dates, and cardholder names. Wawa said the breach did not expose personal identification numbers (PINs) or CVV records (the three-digit security code printed on the back of a payment card).

A spokesperson for Wawa confirmed that the company today became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the data security incident announced by Wawa on December 19, 2019.

“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” Wawa said in a statement released to KrebsOnSecurity. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”

“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” the statement continues. “Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges.”

Gemini Advisory, a New York-based fraud intelligence company, said the biggest concentrations of stolen cards for sale in the BIGBADABOOM-III batch map back to Wawa customer card use in Florida and Pennsylvania, the two most populous states where Wawa operates. Wawa also has locations in Delaware, Maryland, New Jersey, Virginia and the District of Columbia.

According to Gemini, Joker’s Stash has so far released only a small portion of the claimed 30 million. However, this is not an uncommon practice: Releasing too many stolen cards for sale at once tends to have the effect of depressing the overall price of stolen cards across the underground market.

“Based on Gemini’s analysis, the initial set of bases linked to “BIGBADABOOM-III” consisted of nearly 100,000 records,” Gemini observed. “While the majority of those records were from US banks and were linked to US-based cardholders, some records also linked to cardholders from Latin America, Europe, and several Asian countries. Non-US-based cardholders likely fell victim to this breach when traveling to the United States and utilizing Wawa gas stations during the period of exposure.”

Gemini’s director of research Stas Alforov stressed that some of the 30 million cards advertised for sale as part of this BIGBADABOOM batch may in fact be sourced from breaches at other retailers, something Joker’s Stash has been known to do in previous large batches.

Gemini monitors multiple carding sites like Joker’s Stash. The company found the median price of U.S.-issued records in the new Joker’s Stash batch is currently $17, with some of the international records priced as high as $210 per card.

“Apart from banks with a nationwide presence, only financial institutions along the East Coast had significant exposure,” Gemini concluded.

Representatives from MasterCard did not respond to requests for comment. Visa declined to comment for this story, but pointed to a series of alerts it issued in November and December 2019 about cybercrime groups increasingly targeting fuel dispenser merchants.

A number of recent high-profile nationwide card breaches at main street merchants have been linked to large numbers of cards for sale at Joker’s Stash, including breaches at supermarket chain Hy-Vee, restaurant chains Sonic, Buca di Beppo, Krystal, Moe’s, McAlister’s Deli, and Schlotzsky’s, retailers like Bebe Stores, and hospitality brands such as Hilton Hotels.

Most card breaches at restaurants and other brick-and-mortar stores occur when cybercriminals manage to remotely install malicious software on the retailer’s card-processing systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals, and that data can then be used to create counterfeit copies of the cards.

The United States is the last of the G20 nations to make the shift to more secure chip-based cards, which are far more expensive and difficult for criminals to counterfeit. Unfortunately, many merchants have not yet shifted to using chip-based card readers and still swipe their customers’ cards.

According to stats released in November by Visa, more than 3.7 million merchant locations are now accepting chip cards. Visa says for merchants who have completed the chip upgrade, counterfeit fraud dollars dropped 81 percent in June 2019 compared to September 2015. This may help explain why card thieves increasingly are shifting their attention to compromising e-commerce merchants, a trend seen in virtually every country that has already made the switch to chip-based cards.

Many filling stations are upgrading their pumps to include more cyber and physical security — such as end-to-end encryption of card data, custom locks and security cameras. In addition, newer pumps can accommodate more secure chip-based payment cards that are already in use and in some cases mandated by other G20 nations.

But these upgrades are disruptive and expensive, and many fuel station owners are putting them off until it is absolutely necessary. Prior to late 2016, fuel station owners in the United States had until October 1, 2017 to install chip-capable readers at their pumps. Station owners that didn’t have chip-ready readers in place by then would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip.

Yet in December 2016, Visa — by far the largest credit card network in the United States — delayed the requirements, saying fuel station owners would be given until October 1, 2020 to meet the liability shift deadline.

Either way, Wawa could be facing steep fines for failing to protect customer card data traversing its internal payment card networks. In addition, at least one class action lawsuit has already been filed against the company.

Finally, it’s important to note that even if all 30 million of the cards that Joker’s Stash is selling as part of this batch do in fact map back to Wawa locations, it’s highly unlikely that more than a small percentage of these cards will actually be purchased and used by fraudsters. In the 2013 megabreach at Target Corp., for example, fraudsters stole roughly 40 million cards but only ended up selling between one to three million of those cards.

Pantheon bets on WebOps as it charts a course to an IPO

It has been 10 years since Pantheon launched. At the time, it was mostly a hosting service for Drupal sites, but about six years ago, it added WordPress hosting to its lineup and raised more VC money as some of its competitors did the same. After its 2016 Series C round, things started quieting down, though the company has clear ambitions to become a public company in the next few years. To chat about those plans and the overall state of the business, I sat down with Pantheon co-founder and CEO Zack Rosen and new Pantheon board member Elissa Fink, former CMO of Tableau.

Maybe the biggest change at Pantheon is that when it launched, its team was almost solely focused on the developer experience. And while Pantheon was essentially a hosting service and offers personal plans, its focus was never on individuals who wanted a WordPress blog (which a lot of companies focused on, especially in the pre-Twitter days). Its efforts always revolved around businesses, large enterprises and the agencies that serve them.

“Back then, our overriding focus was really around the developer experience — the practitioner experience — of using our product,” Rosen explained. “And frankly, at the time, we actually really didn’t know what to call it. It really didn’t have a category, but we always felt it was something new.” He noted that over the last few years, Pantheon started talking to a lot of marketers and realized that the needs of these marketing leaders are driving this space.

Chicago’s ActiveCampaign raises $100M for an all-in-one marketing and sales automation platform

Marketing and sales automation — tools that leverage the advances and data of our digital age to better identify and then interact with customers — is big business, with the whole market expected to generate some $6.6 billion in revenues for related companies by 2025.

But “companies” is the operative word here: it’s a very fragmented space, with dozens of hopefuls covering different aspects of marketing and sales, each with its own unique approach. There is an alternative trend, though, and today a customer experience automation company called ActiveCampaign, catering not just to large enterprises but small and medium businesses too, has raised a large round of funding to build out its own one-stop-shop model. It includes the tools to run email and messaging-based marketing campaigns; marketing automation across sites and events; and sales and CRM.

The Chicago-based company is today announcing that it has closed a Series B of $100 million, money that it will use to invest in building out new technology and to expand internationally. The funding is being led by Susquehanna Growth Equity, with PE firm Silversmith Capital Partners also participating.

ActiveCampaign is not your typical startup. It has been around since 2003, and this is only the second time it has raised money — the first time was in 2016, a modest $20 million round from Silversmith. Fundraising is not the only thing that sets it apart: it’s also profitable and has been for years (one reason it hasn’t raised money), and it’s actually already quite large, with 90,000 customers in 161 countries.

Yet it’s something of a theme in the world of “startups” — meaning tech companies that are still privately owned and raising from VCs and related backers — particularly those that are B2B focused, that some of the more interesting and successfully bootstrapped of them at some point turn to VC and private equity when it comes to needing an extra boost to move beyond what has become its natural growth rate.

In the case of ActiveCampaign, it had a taste of what a little outside investment could do in the last few years: Jason VandeBoom, founder and CEO of ActiveCampaign, said the company has seen its annual recurring revenues grow 6x since 2016 to $90 million, with employees booming from 65 to more than 550.

The company’s core proposition is that it provides a less fragmented approach to businesses interested in building in some digital marketing or sales tools into their outreach and then considering what to do next.

“What we are up against are a number of companies focused on a single slice of customer experience, either CRM or a customer success platform,” VandeBoom said. “We’re still at this point in the industry where the category is taking shape,” which spells a ripe opportunity for ActiveCampaign.

The need for what ActiveCampaign provides is a basic one: Whether you are an online retailer or any business that wants to expand its audience or make sure to stay connected to the one you already have, you need tools to reach users, figure out what they want to see from you and connect in a relevant way.

VandeBoom added while there are no specific plans for acquisitions that can be discussed now, the funding also gives the company “optionality” in terms of what it might do next.

Part of the company’s approach is to build technology in-house, but in the spirit of all-in-one platforms, its value also lies in how many other things its users can plug into using ActiveCampaign.

The company has some 260 technology partners and a “recipe library” with more than 250 automations already built, or users can build and customise themselves from more than 300 possible apps that can be integrated, including Shopify, Square, Facebook, Eventbrite and Salesforce.

With this round, Martin Angert, director at Susquehanna, is joining ActiveCampaign’s board of directors. His existing roles on the boards of Workfront, WhiteSource, XebiaLabs and Allocadia speaks to interesting potential strategic partnerships for ActiveCampaign.

“ActiveCampaign and the CXA category have grown significantly and our investment in the series B reconfirms Silversmith’s commitment to ActiveCampaign’s future,” said Todd Maclean, co-founder and managing partner of Silversmith Capital Partners, in a statement.

Persona raises $17.5M for an identify verification platform that goes beyond user IDs and passwords

The proliferation of data breaches based on leaked passwords, and the rising tide of regulation that puts a hard stop on just how much user information can be collected, stored and used by companies have laid bare the holes in simple password and memorable-information-based verification systems.

Today a startup called Persona, which has built a platform to make it easier for organisations to implement more watertight methods based on third-party documentation, real-time evaluation, and AI to verify users, is announcing a funding round, speaking to the shift in the market and subsequent demand for new alternatives to the old way of doing things.

The startup has raised $17.5 million in a Series A from a list of impressive investors that include Coatue and First Round Capital, money that it plans to use to double down on its core product: a platform that businesses and organisations can access by way of an API, which lets them use a variety of documents, from government-issued IDs through to biometrics, to verify that customers are who they say they are.

Current customers include Rippling, Petal, UrbanSitter, Branch, Brex, Postmates, Outdoorsy, Rently, SimpleHealth and Hipcamp, among others. Persona’s target user today is any company involved in any kind of online financial transaction to verify for regulatory compliance, fraud prevention and for trust and safety.

The startup is young and is not disclosing valuation. Previously, Persona had raised an undisclosed amount of funding from Kleiner Perkins and FirstRound, according to data from PitchBook. Angels in the company have included Zach Perret and William Hockey (co-founders of Plaid), Dylan Field (founded Figma), Scott Belsky (Behance) and Tony Xu (DoorDash).

Founded by Rick Song and Charles Yeh, respectively former engineers from Square and Dropbox (companies that have had their own concerns with identity verification and breaches), Persona’s main premise is that most companies are not security companies and therefore lack the people, skills, time and money to build strong authentication and verification services — much less to keep up with the latest developments on what is best practice.

And on top of that, there have been too many breaches that have underscored the problem with companies holding too much information on users, collected for identification purposes but then sitting there waiting to be hacked. While a number of services have arisen to help protect identity for repeat users of products — for example Duo and Okta on the enterprise front, or authenticators for online applications as a more secure alternative to two-factor authentication using text messaging — these don’t really fill the use case of verification for the kinds of companies that are typical Persona customers.

The name of the game for Persona is to provide services that are easy to use and as wide as possible in their applicability. For those who can’t or don’t access the code of their apps or websites for registration flows, they can even verify users by way of email-based links.

“Digital identity is one of the most important things to get right, but there is no silver bullet,” Song, who is the CEO, said in an interview. “I believe longer term we’ll see that it’s not a one-size-fits-all approach.” Not least because malicious hackers have an ever-increasing array of tools to get around every system that gets put into place. (The latest is the rise of deep-fakes to mimic people, putting into question how to get around that in, say, a video verification system.)

At Persona, the company currently gives customers the option to ask for social security numbers, biometric verification such as fingerprints or pictures, or government ID uploads and phone lookups, some of which (like biometrics) is built by Persona itself and some of which is accessed via third-party partnerships.

Added to that are other tools like quizzes and video-based interactions. Song said the list is expanding, and the company is looking at ways of using the AI engine that it’s building — which actually performs the matching — to also potentially suggest the best tools for each and every transaction.

It’s notable to me that the platform has been conceived of and built in part by an engineer from a payments company.

API-based platforms taking out some of the extreme complexity of payment systems by doing all the hard work “under the hood” have been a building block of how a lot of financial services get integrated into workflows in cases where the business in question may rely on them but is actually not actually a fintechs (or payment tech provider) in and of themselves. This has been the premise of companies like Stripe, Adyen, CurrencyCloud and even Square to an extent, since its customers are integrating the tool that Square has built for them.

Another key point with Persona is that it provides a way for its customers to access and use information for verification by linking up with other databases, meaning the data is then not kept by the customer itself.

This is a moving target, and one that is becoming increasingly harder to focus on, given not just the rise in malicious hacking, but also regulation that limits how and when data can be accessed and used by online businesses.

Persona notes a McKinsey forecast that the personal identify and verification market will be worth some $20 billion by 2022, which is not a surprising figure when you consider the nearly $9 billion that Google has been fined so far for GDPR violations, or the $700 million Equifax paid out, or the $50 million Yahoo (a sister company now) paid out for its own user-data breach.