How MedusaLocker Ransomware Aggressively Targets Remote Hosts

In September of this year, our research team began to track and observe a recently identified ransomware family dubbed MedusaLocker. This particular ransomware family has a few unique features designed to ensure it encrypts as much data as possible, not only on the locally infected machine but across a network. MedusaLocker’s ability to force connectivity to remote (mapped) drives, along with its persistence mechanisms, is particularly problematic. In this post, we take a look at how MedusaLocker works and how it differs from other recent ransomware strains.

image of medusa locker ransomware

Delivery of MedusaLocker follows a fairly standard and established pattern. Current data indicates that the malicious payloads are distributed via phishing and spam email. The examples we have analyzed show the malware attached directly in email messages as opposed to containing a link to a malicious site.

MedusaLocker Aims To Encrypt All Remote Drives

Upon initial execution, MedusaLocker takes steps to ensure that it is able to access and infect remote and adjacent hosts. The malware checks the value of “EnableLinkedConnections” under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key. If necessary, the threat sets this value to ‘1’.

image of enable linked connections  

This ensures that mapped network drives are accessible to the threat for encryption and/or spreading. 

As part of this process, the malware goes as far as to restart the LanmanWorkstation service. This service is responsible for creating and maintaining client network connections to remote servers over the SMB protocol. If this service is stopped, these connections become unavailable. If this service is disabled, other services that depend on it will fail to start. By restarting the Workstation service, MedusaLocker forces any related configuration changes into effect.

MedusaLocker Bypasses Legacy Security Products

From there, the threat will attempt to terminate the processes of multiple security products. The malware targets a few dozen running executables, including those belonging to G Data, Qihoo 360 and Symantec security products. In addition, MedusaLocker kills off more generic products, including MS SQL, Apache Tomcat and VMware, which are commonly used by malware researchers to conduct analysis and reverse engineering.

MedusaLocker also attempts to terminate several processes belonging to accounting software package Intuit QuickBooks. This ensures that any open files containing valuable financial data are not locked from modification by the software, which would prevent the ransomware from encrypting them. 

The full list of targeted executables is as follows:

image of targeted processes

How MedusaLocker Ransomware Encrypts Victim’s Files

Encryption is achieved using AES-256, and the AES key is subsequently encrypted with an RSA-2048 public key. The public key is embedded in the malicious executable itself. The samples we have analyzed all use the .encrypted extension for files that have been encrypted.

While many ransomware strains focus on particular file extensions to target, one of MedusaLocker’s distinctive features is that it takes the opposite approach, effectively whitelisting some hard-coded file extensions during the encryption process. The ransomware will ignore files with the .encrypted extension, for example, so as to avoid files which have already been encrypted. This is required as the malware sets itself to run at repeated intervals, checking for new items to encrypt (more on that further down).  

image of encrypted file list 

There are examples of other extensions being used, and these are also included in the list of exclusions. In addition to .encrypted, MedusaLocker will also use, and avoid re-encrypting, the following extensions:

.newlock
.skynet
.nlocker
.bomber
.breakingbad
.locker16

After the initial execution, the threat sleeps for a hard-coded interval of 60 seconds. It then repeats its scan to find further files to encrypt. In addition, the threat creates a scheduled task to ensure persistence, which runs at 15- or 30-minute intervals (the task interval varies across samples).

image of Task Scheduler

The ability to skip over already-encrypted files (by checking extension) makes this process more efficient. MedusaLocker also avoids encryption of select ‘critical’ file types and drive locations. These include:

image of drive locations
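The extension exclusion described above is useful to responders as well as to the malware: the same suffix check scopes an incident. The following is an added triage example, not code from the SentinelOne post, that walks a file tree, counts files carrying the seven marker extensions listed above, recovers the original extensions from names such as report.docx.encrypted, and locates every folder holding a HOW_TO_RECOVER_DATA.html note. The directory layout it builds is a constructed sample with hypothetical file names.

```python
"""Added IR triage example (not code from the SentinelOne post): walk a file
tree, count files carrying the extensions MedusaLocker appends, locate the
HOW_TO_RECOVER_DATA.html ransom notes, and reproduce the extension check the
malware relies on to skip files it has already encrypted."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the post lists as used by MedusaLocker (and excluded on re-scan).
MEDUSA_EXTENSIONS = {".encrypted", ".newlock", ".skynet", ".nlocker",
                     ".bomber", ".breakingbad", ".locker16"}
RANSOM_NOTE = "HOW_TO_RECOVER_DATA.html"


def is_already_encrypted(name):
    """True when the final suffix is a MedusaLocker marker (case-insensitive).
    This mirrors the exclusion that lets the malware rerun every 60 seconds
    without encrypting the same file twice."""
    return Path(name).suffix.lower() in MEDUSA_EXTENSIONS


def triage_tree(root):
    """Summarise impact: encrypted files per marker extension, the original
    extensions affected (report.docx.encrypted -> .docx), and note locations."""
    encrypted, originals, note_dirs = Counter(), Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            note_dirs.append(os.path.relpath(dirpath, root))
        for f in files:
            if is_already_encrypted(f):
                p = Path(f)
                encrypted[p.suffix.lower()] += 1
                # strip the marker, then read the suffix that remains
                originals[Path(p.stem).suffix.lower() or "<none>"] += 1
    return {"encrypted": dict(encrypted), "originals": dict(originals),
            "note_dirs": sorted(note_dirs),
            "total_encrypted": sum(encrypted.values())}


def build_sample_tree():
    """Constructed sample victim tree in a temp directory (empty files, no
    real malware involved); hypothetical names chosen for the example."""
    root = tempfile.mkdtemp(prefix="medusa_triage_")
    layout = ["finance/q3.xlsx.encrypted", "finance/HOW_TO_RECOVER_DATA.html",
              "finance/notes.txt", "hr/contract.docx.encrypted",
              "hr/HOW_TO_RECOVER_DATA.html", "share/backup.zip.newlock",
              "share/readme.md"]
    for rel in layout:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

Run against a mounted share or a forensic image copy, the `originals` counter tells the recovery team which document types were hit, and `note_dirs` gives the set of folders the encryption pass actually reached.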

How Much Does MedusaLocker Ransomware Cost?

Once the primary encryption process is complete, MedusaLocker deposits a HOW_TO_RECOVER_DATA.html file in every folder that contains encrypted files. The ransom note contains no information about how much victims will have to pay. This indicates that the criminals apply variable pricing depending on their assessment of the victim’s financial means, a model we’ve seen used by other ransomware strains, such as Matrix ransomware.

Victims are required to reach out via email to purchase a decryptor in the hope that they can restore their files. That is, rather than navigating to a .onion Tor-based payment portal, victims have to blindly message their attacker and wait for a reply with instructions on how to recover their data.

image of ransomware note

As of this writing, we are not aware of any public decryptor for MedusaLocker. 

MedusaLocker is also quite aggressive in its methods of inhibiting any sort of ‘manual’ recovery (e.g., local backups, VSS/Shadow Copies). The threat takes multiple steps to block victims from carrying out standard recovery steps. These include deletion of Shadow Copies, deletion of local backups (via wbadmin) and disabling of startup recovery options (via bcdedit).

image of anti-recovery methods
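The behaviours described in this post (the EnableLinkedConnections registry change, the Workstation service restart, the short-interval scheduled task and the anti-recovery commands) each leave a distinct trace in standard Windows telemetry. The following is an added detection example, not code from the SentinelOne post, that scores a batch of host events for that chain. The event records are simplified dictionaries in the shape of Sysmon event 13 (registry value set), Sysmon event 1 (process creation), System event 7036 (service state change) and Security event 4698 (scheduled task created); the sample batch, the field names and the three-behaviour threshold are assumptions made for the example.

```python
"""Added detection example (not code from the SentinelOne post): score host
telemetry for the MedusaLocker behaviour chain described in the post. Event
records are simplified dicts shaped like Sysmon/Windows events; real telemetry
would also carry the provider name alongside the event id."""
import re

# Registry value the post says the malware sets to 1 (Sysmon event ID 13 target).
LINKED_CONNECTIONS = re.compile(
    r"\\Policies\\System\\EnableLinkedConnections$", re.I)
# Command-line fragments for the anti-recovery tooling named in the post.
RECOVERY_INHIBITORS = {
    "vssadmin.exe": re.compile(r"\bdelete\b.*\bshadows\b", re.I),
    "wbadmin.exe": re.compile(r"\bdelete\b", re.I),
    "bcdedit.exe": re.compile(r"recoveryenabled\s+no|bootstatuspolicy", re.I),
}
ISO_DURATION = re.compile(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?")


def iso_minutes(duration):
    """Convert a Task Scheduler repetition interval such as PT15M to minutes."""
    m = ISO_DURATION.fullmatch(duration)
    if not m:
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 60 + mi + s / 60


def detect_linked_connections(events):
    """Sysmon 13: EnableLinkedConnections written with a non-zero DWORD."""
    return [e for e in events if e["id"] == 13
            and LINKED_CONNECTIONS.search(e.get("target", ""))
            and "0x00000000" not in e.get("details", "")]


def detect_workstation_restart(events):
    """System 7036: Workstation service stopped and then running again."""
    states = [e["message"] for e in events if e["id"] == 7036
              and "Workstation service" in e.get("message", "")]
    return any("stopped" in a and "running" in b
               for a, b in zip(states, states[1:]))


def detect_recovery_inhibition(events):
    """Sysmon 1: vssadmin/wbadmin/bcdedit run with recovery-destroying args."""
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        exe = e.get("image", "").rsplit("\\", 1)[-1].lower()
        pattern = RECOVERY_INHIBITORS.get(exe)
        if pattern and pattern.search(e.get("command_line", "")):
            hits.append((exe, e["command_line"]))
    return hits


def detect_short_interval_task(events, max_minutes=30):
    """Security 4698: task created with a repetition interval <= max_minutes."""
    hits = []
    for e in events:
        if e["id"] != 4698:
            continue
        m = re.search(r"<Interval>([^<]+)</Interval>", e.get("task_content", ""))
        minutes = iso_minutes(m.group(1)) if m else None
        if minutes is not None and minutes <= max_minutes:
            hits.append((e["task_name"], minutes))
    return hits


def score(events):
    """Collect findings; three or more distinct behaviours is treated as a hit
    (assumed threshold for the example, tune it to your environment)."""
    findings = {
        "linked_connections": bool(detect_linked_connections(events)),
        "workstation_restart": detect_workstation_restart(events),
        "recovery_inhibition": bool(detect_recovery_inhibition(events)),
        "short_interval_task": bool(detect_short_interval_task(events)),
    }
    return {"findings": findings,
            "medusalocker_like": sum(findings.values()) >= 3}


# Constructed sample telemetry (not real logs): one infected host plus noise.
SAMPLE_EVENTS = [
    {"id": 1, "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "command_line": "chrome.exe --type=renderer"},
    {"id": 13, "image": "C:\\Users\\Public\\svc.exe",
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections",
     "details": "DWORD (0x00000001)"},
    {"id": 7036, "message": "The Workstation service entered the stopped state."},
    {"id": 7036, "message": "The Workstation service entered the running state."},
    {"id": 4698, "task_name": "\\svc",
     "task_content": "<Repetition><Interval>PT15M</Interval></Repetition>"},
    {"id": 1, "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 1, "image": "C:\\Windows\\System32\\bcdedit.exe",
     "command_line": "bcdedit /set {default} recoveryenabled no"},
]

if __name__ == "__main__":
    print(score(SAMPLE_EVENTS))
```

Each detector is weak on its own (administrators legitimately restart the Workstation service or prune shadow copies), which is why the verdict is built from the combination rather than any single event; the 15-minute task interval is the one the post reports for some samples, so the threshold is set to cover the 30-minute variants as well.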

How To Protect Against MedusaLocker Ransomware?

MedusaLocker has been specifically coded to ensure the maximum amount of data is captured, both locally and remotely, and to prevent victims from taking any steps towards recovery other than by paying the ransom. 

SentinelOne customers are fully protected from malware payloads associated with MedusaLocker ransomware, as demonstrated in the video below.

Conclusion

MedusaLocker is another daily reminder that ransomware is still a serious concern for all environments, large or small. Perhaps in light of some victims choosing not to pay and looking for alternative means of recovery, threat actors are becoming increasingly aggressive.

As always, ensure that you have fully tested and drilled Business Continuity and Disaster Recovery (BCP/DRP) plans and procedures in place, in addition to leveraging a modern and capable endpoint security solution. SentinelOne prevents malware payloads such as MedusaLocker, Ryuk and others from wreaking havoc on target systems, and can recover all files by rolling back infected systems to a healthy state.

MedusaLocker IOCs

MedusaLocker Samples (SHA-256)
dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
0432b4ad0f978dd765ac366f768108b78624dab8704e119181a746115c2bef75
d6223b02155d8a84bf1b31ed463092a8d0e3e3cdb5d15a72b5638e69b67c05b7
f31b9f121c6c4fadaa44b804ec2a891c71b20439d043ea789b77873fa3ab0abb
db11260b9eff22f397c4eb6e2f50d02545dbb7440046c6f12dbc68e0f32d57ce

MITRE ATT&CK TTPs
T1486 Data Encrypted for Impact
T1105 Remote File Copy
T1018 Remote System Discovery
T1112 Modify Registry
T1053 Scheduled Task
T1063 Security Software Discovery


What is a Botnet? (And Why Are They Dangerous?)

You’ve likely heard the names: Emotet, Trickbot, Dridex. These are some of the most notorious botnets currently on the loose in cyberspace, infecting and enslaving hundreds of thousands of machines. Last month, the UK’s Labour party was hit by two DDoS attacks from threat actor group Lizard Squad, who claimed to have control of a botnet connected to “millions of devices”. And earlier this year, a Brazilian botnet of 400,000 IoT devices conducted a massive attack against one site issuing more than 200,00 requests per second over a 13-day period. The threat from botnets is one of the most serious issues facing enterprises today. In this post, we take a closer look at what botnets are and how they work.

image of what is a botnet

What is a Botnet?

A botnet, in simple terms, is a network of infected computers that are controlled as a single entity by a malicious actor. That means the actor can have all the computers in the infected network carry out the same instructions at the same time. 

image of define botnet

This power to perform actions at massive scale, to coordinate the behaviour of hundreds of thousands of internet-connected machines, is what makes botnets so fearsome. If combined with wormable properties, the botnet can not only act at scale but also infect other machines on the same corporate network and enslave those, too, thus providing the botnet with autonomous growth. 

What Are Botnets Used For?

One of the most common uses of botnets is to carry out DDoS (Distributed Denial of Service) attacks against enterprise servers and websites. A DDoS attack occurs when a large number of devices all try to connect to a server at the same time. This can overload the server’s ability to deal with all the incoming packet requests and knock it offline, thus making it inaccessible to genuine customers wishing to use the service.  

There have been several high-profile examples of such denial of service attacks. Mirai malware, whose author “Anna Senpai” notoriously released the source code on the Hackforums website, leading to a multitude of copycats, is one of the most successful botnets used for DDoS. Mirai was used to target independent security blogger Brian Krebs after he exposed two individuals behind previous DDoS attacks on GitHub and the DNS provider Dyn.

The Mirai botnet was used specifically to infect Linux IoT devices such as security cameras, printers, routers and other simple internet-connected appliances.

image of STOMP TCP attack

Botnet-powered DDoS attacks are a problem that can affect others beyond the immediate target, too. As most websites are themselves hosted behind other ISPs or content delivery network providers like Akamai, Cloudflare, Fastly and so on, if these servers can’t handle the extra traffic, other clients of these providers can also experience denial of service. In the Krebs attack, Akamai were forced to drop the Krebs website to protect other Akamai customers.

DDoS isn’t the only thing that botnets are used for. Another IoT botnet, BCMUPnP, managed to enslave 100,000 home and small office routers most likely with the intent of issuing spam mail. Pumping out spam is also one of the Emotet botnet’s favored tasks these days, along with delivering malware, trojans, and ransomware. Botnets have also been used in financial breaches (GameOver ZeuS), credential stuffing attacks and targeted intrusions.   

Botnet malware will usually also contain some self-updating and administration functions in order to allow the bot owner to add or remove functionality, communicate with peers, exfiltrate data, change persistence methods and take countermeasures to defeat legacy AV and malware signature detections.

How Do Botnets Work?

Generally, botnets utilize one of two different network architectures, either following a client-server model with communications occurring over protocols like IRC or HTTP or a Peer-to-Peer (P2P) decentralized network model.

In the client-server model, all the bots in the network connect to one or more command and control servers run by the bot master. This model allows for fast and direct communication with the bot clients, but suffers from a structural weakness: all the bots must know the internet address of the C2 servers, and that means law enforcement can easily learn the location of the servers and take them down. 

That’s precisely what happened earlier this year when the French police working with the FBI found that the C2 server for the RETADUP botnet, with 850,000 infected computers enslaved, was located in the Île-de-France region. The authorities gained secret access to the server through the hosting provider and replaced the botnet server’s code with their own. So as not to alert the criminals, the authorities copied the original malicious code but added a secret function that caused all the bots to disinfect themselves as soon as they connected with the C2.

“The gendarmerie has dismantled one of the largest networks of pirated computers in the world! In collaboration with the FBI, French cyber police managed to “disinfect” more than 850,000 computers remotely. A world first!”

image of french police tweet

Peer-to-Peer offers a more secure architecture from the threat actor’s point of view. This decentralized network setup has been likened to a “terrorist cell” network, where no one in a given cell knows the identity of anyone else in other cells. The cell, a small group of bots, has a known “head” or “node” (in a P2P botnet that’s usually a bot with a public internet address) that other bots in the cell (which perhaps live behind a NAT or firewall) can connect with. Since there is no central server from which to issue instructions, the bot owner issues commands protected with asymmetric cryptography, and these are shared among the peers. Each command is encrypted (in effect, signed) with the owner’s private key, and the bots decrypt and verify it with the bot master’s public key, so only commands actually sent by the bot master are acted on. This use of asymmetric cryptography prevents others from hijacking the bots in the decentralized network.

With patience, it is possible to build up a map of a P2P network and disrupt it. The Joanap botnet, believed to be run by North Korean threat actors, was disrupted in early 2019 after the FBI ran servers that mimicked Joanap peers in a technique known as peer poisoning. This allowed them to collect IP addresses of infected bots and notify the victims and their internet service providers.

How Are Botnets Created?

To create a simple C2-style botnet, the bot herder or bot master will need to set up a server to provide the command and control structure. This is usually a web application built on top of a LAMP environment utilizing PHP and MySQL.

Once the backend is set up, the would-be bot master then needs a bot builder. The builder’s primary function is to pack a third component, a malware payload, and embed it with configuration information and the C2’s address or addresses.

Kits for creating botnets can be found “for sale” on the dark net or provided in a “Software as a Service” (SaaS) model. ICE9 (Ice IX) and Neutrino are two well-known examples.

image of ice 9

Once the package is assembled with a malicious payload, C2 addresses and configuration files, the last step is to distribute the package to victims. Typically, botnet infections take the form of malicious attachments in phishing emails, as this vector is still the most sure of success even today. Another way that a new bot herder can gain initial clients is to buy the services of other, already established, botnets to deliver their payload. 

Are Botnets Illegal?

As botnets are just themselves networks of computers, there isn’t anything illegal about creating a botnet of computers you own or have permission to control. Researchers, for example, may be interested in creating their own “botnet labs”. However, it is considered a criminal offence to install malware on a computer belonging to others without their permission. It is also a criminal offence to then direct that computer to conduct other activities if those are illegal, too, so bot herders may face more than one charge if caught by law enforcement agencies. 

Mitigating Botnet Attacks

As we have seen, botnets are just networks of computers that are infected with malware. For that reason, the most effective deterrent to botnet infection is a robust behavioral AI security solution that can prevent malware payloads from executing on the device. Firewall control may also be useful for detecting botnet communications across the network.

Conclusion

Due to their ability to coordinate attacks at massive scale, as well as to deliver diverse payloads and infect other machines, botnets are a significant threat to individuals, enterprises and government organizations. With botnets now targeting the increasing number of IoT devices flooding both public and private networks, it is essential to ensure that you have EDR protection on endpoints and full visibility into every device on your network.


Box looks to balance growth and profitability as it matures

Prevailing wisdom states that as an enterprise SaaS company evolves, there’s a tendency to sacrifice profitability for growth — understandably so, especially in the early days of the company. At some point, however, a company needs to become profitable.

Box has struggled to reach that goal since going public in 2015, but yesterday, it delivered a mostly positive earnings report. Wall Street seemed to approve, with the stock up 6.75% as we published this article.

Box CEO Aaron Levie says the goal moving forward is to find better balance between growth and profitability. In his post-report call with analysts, Levie pointed to some positive numbers.

“As we shared in October [at BoxWorks], we are focused on driving a balance of long-term growth and improved profitability as measured by the combination of revenue growth plus free cash flow margin. On this combined metric, we expect to deliver a significant increase in FY ’21 to at least 25% and eventually reaching at least 35% in FY ’23,” Levie said.

Growing the platform

Part of the maturation and drive to profitability is spurred by the fact that Box now has a more complete product platform. While many struggle to understand the company’s business model, it provides content management in the cloud, modernizing that aspect of enterprise software. As a result, there are few pure-play content management vendors that can do what Box does in a cloud context.

Coralogix announces $10M Series A to bring more intelligence to logging

Coralogix, a startup that wants to bring automation and intelligence to logging, announced a $10 million Series A investment today.

The round was led by Aleph with participation from StageOne Ventures, Janvest Capital Partners and 2B Angels. Today’s investment brings the total raised to $16.2 million, according to the company.

CEO and co-founder Ariel Assaraf says his company focuses on two main areas: logging and analysis. The startup has been doing traditional application performance monitoring up until now, but today, it also announced it was getting into security logging, where it tracks logs for anomalies and shares this information with security information and event management (SIEM) tools.

“We do standard log analytics in terms of ingesting, parsing, visualizing, alerting and searching for log data at scale using scaled, secure infrastructure,” Assaraf said. In addition, the company has developed a set of algorithms to analyze the data, and begin to understand patterns of expected behavior, and how to make use of that data to recognize and solve problems in an automated fashion.

“So the idea is to generally monitor a system automatically for customers plus giving them the tools to quickly drill down into data, understand how it behaves and get context to the issues that they see,” he said.

For instance, the tool could learn that a certain sequence of events, such as a user logging in, being authenticated and then redirected to the application or website, happens the same way every time; if something differs, the system recognizes that and alerts the DevOps team that something is amiss.

The company, which has offices in Tel Aviv, San Francisco and Kiev, was founded in 2015. It already has 1500 customers including Postman, Fiverr, KFC and Caesars Palace. They’ve been able to build the company with just 30 people to this point, but want to expand the sales and marketing team to help build out the customer base further. The new money should help in that regard.

Vivun snags $3M seed round to bring order to pre-sales

Vivun, a startup that wants to help companies keep better track of pre-sales data, announced a $3 million seed round today led by Unusual Ventures, the venture firm run by Harness CEO Jyoti Bansal.

Vivun founder and CEO Matt Darrow says that the pre-sales team works more closely with the customer than anyone else, delivering demos and proofs of concept, and generally helping sales get over the finish line. While sales has CRM to store knowledge about the customer, pre-sales has been lacking a tool to track info about their interactions with customers, and that’s what his company built.

“The main problem that we solve is we give technology to those pre-sales leaders to run and operate their teams, but then take those insights from the group that knows more about the technology and the customer than anybody else, and we deliver that across the organization to the product team, sales team and executive staff,” Darrow explained.

Darrow is a Zuora alumnus, and his story is similar to that of the company’s founder Tien Tzuo, who built the first billing system for Salesforce, then founded Zuora to build a subscription billing system for everyone else. Similarly, Darrow built a pre-sales tool for Zuora after finding there wasn’t anything else out there that was devoted specifically to tracking that kind of information.

“At Zuora, I had to build everything from scratch. After the IPO, I realized that this is something that every tech company can take advantage of because every technology company will really need this role to be of high value and impact,” he said.

The company not only tracks information via a mobile app and browser tool, it also has a reporting dashboard to help companies understand and share the information the pre-sales team is hearing from the customer. For example, they might know that x number of customers have been asking for a certain feature, and this information can be organized and passed onto other parts of the company.

Screenshot: Vivun

Bansal, who was previously CEO and co-founder at AppDynamics, a company he sold to Cisco for $3.7 billion just before its IPO in 2017, saw a company filling a big hole in the enterprise software ecosystem. He is not just an investor, he’s also a customer.

“To be successful, a technology company needs to understand three things: where it will be in five years, what its customers need right now, and what the market wants that it’s not currently providing. Pre-sales has answers to all three questions and is a strategically important department that needs management, analytics, and tools for accelerating deals. Yet, no one was making software for this critical department until Vivun,” he said in a statement.

The company was founded in 2018 and has been bootstrapped until now. It spent the first year building out the product. Today, the company has 20 customers including SignalFx (acquired by Splunk in August for $1.05 billion) and Harness.

Instagram founders join $30M raise for Loom work video messenger

Why are we all trapped in enterprise chat apps if we talk 6X faster than we type, and our brain processes visual info 60,000X faster than text? Thanks to Instagram, we’re not as camera-shy anymore. And everyone’s trying to remain in flow instead of being distracted by multi-tasking.

That’s why now is the time for Loom. It’s an enterprise collaboration video messaging service that lets you send quick clips of yourself so you can get your point across and get back to work. Talk through a problem, explain your solution, or narrate a screenshare. Some engineering hocus pocus sees videos start uploading before you finish recording so you can share instantly viewable links as soon as you’re done.

Loom video messaging on mobile

“What we felt was that more visual communication could be translated into the workplace and deliver disproportionate value” co-founder and CEO Joe Thomas tells me. He actually conducted our whole interview over Loom, responding to emailed questions with video clips.

Launched in 2016, Loom is finally hitting its growth spurt. It’s up from 1.1 million users and 18,000 companies in February to 1.8 million people at 50,000 businesses sharing 15 million minutes of Loom videos per month. Remote workers are especially keen on Loom since it gives them face-to-face time with colleagues without the annoyance of scheduling synchronous video calls. “80% of our professional power users had primarily said that they were communicating with people that they didn’t share office space with” Thomas notes.

A smart product, swift traction, and a shot at riding the consumerization of enterprise trend has secured Loom a $30 million Series B. The round that’s being announced later today was led by prestigious SaaS investor Sequoia and joined by Kleiner Perkins, Figma CEO Dylan Field, Front CEO Mathilde Collin, and Instagram co-founders Kevin Systrom and Mike Krieger.

“At Instagram, one of the biggest things we did was focus on extreme performance and extreme ease of use and that meant optimizing every screen, doing really creative things about when we started uploading, optimizing everything from video codec to networking” Krieger says. “Since then I feel like some products have managed to try to capture some of that but few as much as Loom did. When I first used Loom I turned to Kevin who was my Instagram co-founder and said, ‘oh my god, how did they do that? This feels impossibly fast.’”

Systrom concurs about the similarities, saying “I’m most excited because I see how they’re tackling the problem of visual communication in the same way that we tried to tackle that at Instagram.” Loom is looking to double-down there, potentially adding the ability to Like and follow videos from your favorite productivity gurus or sharpest co-workers.

Loom is also prepping some of its most requested features. The startup is launching an iOS app next month with Android coming the first half of 2020, improving its video editor with blurring for hiding your bad hair day and stitching to connect multiple takes. New branding options will help external sales pitches and presentations look right. What I’m most excited for is transcription, which is also slated for the first half of next year through a partnership with another provider, so you can skim or search a Loom. Sometimes even watching at 2X speed is too slow.

But the point of raising a massive $30 million Series B just a year after Loom’s $11 million Kleiner-led Series A is to nail the enterprise product and sales process. To date, Loom has focused on a bottom-up distribution strategy similar to Dropbox. It tries to get so many individual employees to use Loom that it becomes a team’s default collaboration software. Now it needs to grow up so it can offer the security and permissions features IT managers demand. Loom for teams is rolling out in beta access this year before officially launching in early 2020.

Loom’s bid to become essential to the enterprise, though, is its team video library. This will let employees organize their Looms into folders of a knowledge base so they can explain something once on camera, and everyone else can watch whenever they need to learn that skill. No more redundant one-off messages begging for a team’s best employees to stop and re-teach something. The Loom dashboard offers analytics on who’s actually watching your videos. And integration directly into popular enterprise software suites will let recipients watch without stopping what they’re doing.

To build out these features Loom has already grown to a headcount of 45, though co-founder Shahed Khan is stepping back from the company. For new leadership, it’s hired away former head of web growth at Dropbox Nicole Obst, head of design for Slack Joshua Goldenberg, and VP of commercial product strategy for Intercom Matt Hodges.

Still, the elephants in the room remain Slack and Microsoft Teams. Right now, they’re mainly focused on text messaging with some additional screensharing and video chat integrations. They’re not building Loom-style asynchronous video messaging…yet. “We want to be clear about the fact that we don’t think we’re in competition with Slack or Microsoft Teams at all. We are a complementary tool to chat” Thomas insists. But given the similar productivity and communication ethos, those incumbents could certainly opt to compete. Slack already has 12 million daily users it could provide with video tools.

Loom co-founder and CEO Joe Thomas

Hodges, Loom’s head of marketing, tells me “I agree Slack and Microsoft could choose to get into this territory, but what’s the opportunity cost for them in doing so? It’s the classic build vs. buy vs. integrate argument.” Slack bought screensharing tool Screenhero, but partners with Zoom and Google for video chat. Loom will focus on being easy to integrate so it can plug into would-be competitors. And Hodges notes that “Delivering asynchronous video recording and sharing at scale is non-trivial. Loom holds a patent on its streaming, transcoding, and storage technology, which has proven to provide a competitive advantage to this day.”

The tea leaves point to video invading more and more of our communication, so I expect rivals to Loom, both startups and competing features, will crop up. Vidyard and Wistia’s Soapbox are already pushing into the space. As long as it has the head start, Loom needs to move as fast as it can. “It’s really hard to maintain focus to deliver on the core product experience that we set out to deliver versus spreading ourselves too thin. And this is absolutely critical” Thomas tells me.

One thing that could set Loom apart? A commitment to financial fundamentals. “When you grow really fast, you can sometimes lose sight of what is the core reason for a business entity to exist, which is to become profitable. . . Even in a really bold market where cash can be cheap, we’re trying to keep profitability at the top of our minds.”

Xerox tells HP it will bring takeover bid directly to shareholders

Xerox fired the latest volley in the Xerox HP merger letter wars today. Xerox CEO John Visentin wrote to the HP board that his company planned to take its $33.5 billion offer directly to HP shareholders.

He began his letter with a tone befitting a hostile takeover attempt, stating that their refusal to negotiate defied logic. “We have put forth a compelling proposal – one that would allow HP shareholders to both realize immediate cash value and enjoy equal participation in the substantial upside expected to result from a combination. Our offer is neither ‘highly conditional’ nor ‘uncertain’ as you claim,” Visentin wrote in his letter.

He added, “We plan to engage directly with HP shareholders to solicit their support in urging the HP Board to do the right thing and pursue this compelling opportunity.”

The letter was in response to one yesterday from HP in which it turned down Xerox’s latest overture, stating that the deal seemed beyond Xerox’s ability to afford it. It called into question Xerox’s current financial situation, citing Xerox’s own financial reports, and took exception to the way in which Xerox was courting the company.

“It is clear in your aggressive words and actions that Xerox is intent on forcing a potential combination on opportunistic terms and without providing adequate information,” the company wrote.

Visentin fired back in his letter, “While you may not appreciate our “aggressive” tactics, we will not apologize for them. The most efficient way to prove out the scope of this opportunity with certainty is through mutual due diligence, which you continue to refuse, and we are obligated to require.”

He further pulled no punches, writing that he believes the deal is good for both companies and good for the shareholders. “The potential benefits of a combination between HP and Xerox are self-evident. Together, we could create an industry leader – with enhanced scale and best-in-class offerings across a complete product portfolio — that will be positioned to invest more in innovation and generate greater returns for shareholders.”

Patrick Moorhead, founder and principal analyst at Moor Insights & Strategy, thinks HP ultimately has the upper hand in this situation. “I feel like we have seen this movie before when Carl Icahn meddled with Dell in a similar way. Xerox is a third the size of HP Inc., has been steadily declining in revenue, is running out of options, and needs HP more than HP needs it.”

It would seem Xerox has chosen a no-holds-barred approach to the situation. The pen is now in HP’s hands as we await the next letter and see how the printing giant intends to respond to the latest missive from Xerox.

New Amazon capabilities put machine learning in reach of more developers

Today, Amazon announced a new approach that it says will put machine learning technology in reach of more developers and line of business users. Amazon has been making a flurry of announcements ahead of its re:Invent customer conference next week in Las Vegas.

While the company offers plenty of tools for data scientists to build machine learning models and to process, store and visualize data, it wants to put that capability directly in the hands of developers with the help of the popular database query language, SQL.

By taking advantage of tools like Amazon QuickSight, Aurora and Athena in combination with SQL queries, developers can have much more direct access to machine learning models and underlying data without any additional coding, says VP of artificial intelligence at AWS, Matt Wood.

“This announcement is all about making it easier for developers to add machine learning predictions to their products and their processes by integrating those predictions directly with their databases,” Wood told TechCrunch.

For starters, Wood says developers can take advantage of Aurora, the company’s MySQL (and Postgres)-compatible database to build a simple SQL query into an application, which will automatically pull the data into the application and run whatever machine learning model the developer associates with it.

The second piece involves Athena, the company’s serverless query service. As with Aurora, developers can write a SQL query — in this case, against any data store — and based on a machine learning model they choose, return a set of data for use in an application.

The final piece is QuickSight, which is Amazon’s data visualization tool. Using one of the other tools to return some set of data, developers can use that data to create visualizations based on it inside whatever application they are creating.

“By making sophisticated ML predictions more easily available through SQL queries and dashboards, the changes we’re announcing today help to make ML more usable and accessible to database developers and business analysts. Now anyone who can write SQL can make — and importantly use — predictions in their applications without any custom code,” Amazon’s Matt Asay wrote in a blog post announcing these new capabilities.

Asay added that this approach is far easier than what developers had to do in the past to achieve this. “There is often a large amount of fiddly, manual work required to take these predictions and make them part of a broader application, process or analytics dashboard,” he wrote.

As an example, Wood offers a lead-scoring model you might use to pick the most likely sales targets to convert. “Today, in order to do lead scoring you have to go off and wire up all these pieces together in order to be able to get the predictions into the application,” he said. With this new capability, you can get there much faster.

“Now, as a developer I can just say that I have this lead scoring model which is deployed in SageMaker, and all I have to do is write literally one SQL statement that I do all day long into Aurora, and I can start getting back that lead scoring information. And then I just display it in my application and away I go,” Wood explained.

As for the machine learning models, these can come pre-built from Amazon, be developed by an in-house data science team or purchased in a machine learning model marketplace on Amazon, says Wood.

Today’s announcements from Amazon are designed to simplify machine learning and data access, and to reduce the amount of coding needed to get from query to answer.

Sale of 4 Million Stolen Cards Tied to Breaches at 4 Restaurant Chains

On Nov. 23, one of the cybercrime underground’s largest bazaars for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards. KrebsOnSecurity has learned this latest batch of cards was siphoned from four different compromised restaurant chains that are most prevalent across the Midwest and eastern United States.

An advertisement on the cybercrime store Joker’s Stash for a new batch of ~4 million credit/debit cards stolen from four different restaurant chains across the midwest and eastern United States.

Two financial industry sources who track payment card fraud and asked to remain anonymous for this story said the four million cards were taken in breaches recently disclosed by restaurant chains Krystal, Moe’s, McAlister’s Deli and Schlotzsky’s. Krystal announced a card breach last month. The other three restaurants are all part of the same parent company and disclosed breaches in August 2019.

KrebsOnSecurity heard the same conclusion from Gemini Advisory, a New York-based fraud intelligence company.

“Gemini found that the four breached restaurants, ranked from most to least affected, were Krystal, Moe’s, McAlister’s and Schlotzsky’s,”  Gemini wrote in an analysis of the New World Order batch shared with this author. “Of the 1,750+ locations belonging to these restaurants, nearly 50% were breached and had customer payment card data exposed. These breached locations were concentrated in the central and eastern United States, with the highest exposure in Florida, Georgia, South Carolina, North Carolina, and Alabama.”

McAlister’s (green), Schlotzsky’s (blue), Moe’s (gray), and Krystal (orange) locations across the United States. There is an additional Moe’s location in Hawaii that is not depicted. Image: Gemini Advisory.

Focus Brands (which owns Moe’s, McAlister’s, and Schlotzsky’s) was breached between April and July 2019, and publicly disclosed this on August 23. Krystal claims to have been breached between July and September 2019, and disclosed this in late October.

The stolen cards went up for sale at the infamous Joker’s Stash carding bazaar. The most recent big breach marketed on Joker’s Stash was dubbed “Solar Energy,” and included more than five million cards stolen from restaurants, fuel pumps and drive-through coffee shops operated by Hy-Vee, a supermarket chain based in Iowa.

According to Gemini, Joker’s Stash likely delayed the debut of the New World Order cards to keep from flooding the market with too much stolen card data all at once, which can have the effect of lowering prices for stolen cards across the board.

“Joker’s Stash first announced their breach on November 11, 2019 and published the data on November 22,” Gemini found. “This delay between breaches occurring as early as July and data being offered in the dark web in November appears to be an effort to avoid oversaturating the dark web market with an excess of stolen payment records.”

Most card breaches at restaurants and other brick-and-mortar stores occur when cybercriminals manage to remotely install malicious software on the retailer’s card-processing systems, often by compromising third-party firms that help manage these systems. This type of point-of-sale malware scrapes the data encoded on a credit or debit card’s magnetic stripe (the Track 1 and Track 2 records) from the terminal’s memory as the card is swiped at a compromised payment terminal, and that data can then be used to create counterfeit copies of the cards.

The United States is embarrassingly the last of the G20 nations to make the shift to more secure chip-based cards, which are far more expensive and difficult for criminals to counterfeit. Unfortunately, many merchants have not yet shifted to using chip-based card readers and still swipe their customers’ cards.

According to stats released in September by Visa, 80 percent of U.S. storefronts now accept chip cards. Visa says for merchants who have completed the chip upgrade, counterfeit fraud dollars dropped 87 percent in March 2019 compared to September 2015. This may help explain why card thieves increasingly are shifting their attention to compromising e-commerce merchants, a trend seen in virtually every country that has already made the transition to chip-based cards.

Companies that accept, store, process and transmit credit and debit card payments are required to implement the Payment Card Industry Data Security Standard (PCI DSS), but not all entities are required to prove that they have met it. While the PCI standards are widely considered a baseline for merchants that accept payment cards, many security experts advise companies to put in place protections that go well beyond these standards.

Even so, the 2019 Payment Security Report from Verizon indicates the number of companies that maintain full compliance with PCI standards decreased for the second year in a row to just 36.7 percent worldwide.

As noted in previous stories here, the organized cyberthieves involved in stealing card data from main street merchants have gradually moved down the food chain from big box retailers like Target and Home Depot to smaller but far more plentiful and probably less secure merchants (either by choice or because the larger stores became a harder target).

It’s really not worth worrying about where your card number may have been breached, since it’s almost always impossible to say for sure and because it’s common for the same card to be breached at multiple establishments during the same time period.

Just remember that while consumers are not liable for fraudulent charges, it may still fall to you the consumer to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services also can be set to alert you if you’re about to miss an upcoming payment, so they can also be handy for avoiding late fees and other costly charges.

It’s Way Too Easy to Get a .gov Domain Name

Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a .gov domain versus a commercial one ending in .com or .org. But a recent experience suggests this trust may be severely misplaced, and that it is relatively straightforward for anyone to obtain their very own .gov domain.

Earlier this month, KrebsOnSecurity received an email from a researcher who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a “.us” domain name, and impersonating the town’s mayor in the application.

“I used a fake Google Voice number and fake Gmail address,” said the source, who asked to remain anonymous for this story but who said he did it mainly as a thought experiment. “The only thing that was real was the mayor’s name.”

The email from this source was sent from exeterri[.]gov, a domain registered on Nov. 14 that at the time displayed the same content as the .us domain it was impersonating — town.exeter.ri.us — which belongs to the town of Exeter, Rhode Island (the impostor domain is no longer resolving).

“I had to [fill out] ‘an official authorization form,’ which basically just lists your admin, tech guy, and billing guy,” the source continued. “Also, it needs to be printed on ‘official letterhead,’ which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts.”

Technically, what my source did was wire fraud (obtaining something of value via the Internet/telephone/fax through false pretenses); had he done it through the U.S. mail, he could be facing mail fraud charges if caught.

But a cybercriminal — particularly a state-sponsored actor operating outside the United States — likely would not hesitate to do so if he thought registering a .gov was worth it to make his malicious website, emails or fake news social media campaign more believable.

“I never said it was legal, just that it was easy,” the source said. “I assumed there would be at least ID verification. The deepest research I needed to do was Yellow Pages records.”

Earlier today, KrebsOnSecurity contacted officials in the real town of Exeter, RI to find out if anyone from the U.S. General Services Administration — the federal agency responsible for managing the .gov domain registration process — had sought to validate the request prior to granting a .gov in their name.

A person who called back from the town clerk’s office but who asked not to be named said someone from the GSA did phone the mayor’s office on Nov. 24 — which was four days after I reached out to the federal agency about the domain in question and approximately 10 days after the GSA had already granted the phony request.

WHO WANTS TO BE A GOVERNMENT?

Responding today via email, a GSA spokesperson said the agency doesn’t comment on open investigations.

“GSA is working with the appropriate authorities and has already implemented additional fraud prevention controls,” the agency wrote, without elaborating on what those additional controls might be.

KrebsOnSecurity did get a substantive response from the Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security that is leading efforts to protect the federal .gov domain of civilian government networks [NB: The head of CISA, Christopher C. Krebs, is of no relation to this author].

CISA said this matter is so critical to maintaining the security and integrity of the .gov space that DHS is now making a play to assume control over the issuance of all .gov domains.

“The .gov top-level domain (TLD) is critical infrastructure for thousands of federal, state and local government organizations across the country,” reads a statement CISA sent to KrebsOnSecurity. “Its use by these institutions should instill trust. In order to increase the security of all US-based government organizations, CISA is seeking the authority to manage the .gov TLD and assume governance from the General Services Administration.”

The statement continues:

“This transfer would allow CISA to modernize the .gov registrar, enhance the security of individual .gov domains, ensure that only authorized users obtain a .gov domain, proactively validate existing .gov holders, and better secure everyone that relies on .gov. We are appreciative of Congress’ efforts to put forth the DOTGOV bill [link added] that would grant CISA this important authority moving forward. GSA has been an important partner in these efforts and our two agencies will continue to work hand-in-hand to identify and implement near-term security enhancements to the .gov.”

In an era when the nation’s top intelligence agencies continue to warn about ongoing efforts by Russia and other countries to interfere in our elections and democratic processes, it may be difficult to fathom that an attacker could so easily leverage such a simple method for impersonating state and local authorities.

Despite the ease with which apparently anyone can get their own .gov domain, there are plenty of major U.S. cities that currently do not have one, probably because they never realized they could with very little effort or expense. A review of the Top 10 most populous U.S. cities indicates only half of them have obtained .gov domains, including Chicago, Dallas, Phoenix, San Antonio, and San Diego.

Yes, you read that right: houston.gov, losangeles.gov, newyorkcity.gov, and philadelphia.gov are all still available. As is the .gov for San Jose, Calif., the economic, cultural and political center of Silicon Valley. No doubt a great number of smaller cities also haven’t figured out they’re eligible to secure their own .gov domains. That said, some of these cities do have .gov domains (e.g. nyc.gov), but it’s not clear whether the GSA would allow the same city to have multiple .gov domains.

In addition to being able to convincingly spoof communications from and websites for cities and towns, there are almost certainly a myriad other ways that possessing a phony .gov domain could be abused. For example, my source said he was able to register his domain in Facebook’s law enforcement subpoena system, although he says he did not attempt to abuse that access.

The source who successfully registered an impostor .gov domain said he was able to use that access to register for Facebook’s law enforcement subpoena system.

Now consider what a well-funded adversary could do on Election Day armed with a handful of .gov domains for some major cities in Democratic strongholds within key swing states: The attackers register their domains a few days in advance of the election, and then on Election Day send out emails signed by .gov from, say, miami.gov (also still available) informing residents that bombs had gone off at polling stations in Democratic-leaning districts. Such a hoax could well decide the fate of a close national election.

John Levine, a domain name expert, consultant and author of the book The Internet for Dummies, said the .gov domain space wasn’t always so open as it is today.

“Back in the day, everyone not in the federal government was supposed to register in the .us space,” Levine said. “At some point, someone decided .gov is going to be more democratic and let everyone in the states register. But as we see, there’s still no validation.”

Levine, who served three years as mayor of the village of Trumansburg, New York, said it would not be terribly difficult for the GSA to do a better job of validating .gov domain requests, but that some manual verification would probably be required.

“When I was a mayor, I was in frequent contact with the state, and states know who all their municipalities are and how to reach people in charge of them,” Levine said. “Also, every state has a Secretary of State that keeps track of what all the subdivisions are, and including them in the process could help as well.”

Levine said that, like the Internet itself, this entire debacle is yet another example of an important resource with potentially explosive geopolitical implications that was never designed with security or authentication in mind.

“It turns out that the GSA is pretty good at doing boring clerical stuff,” he said. “But as we keep discovering, what we once thought was a boring clerical thing now actually has real-world security implications.”