Atlassian launches free tiers for all its cloud products, extends premium pricing plan

At our TC Sessions: Enterprise event, Atlassian co-CEO Scott Farquhar today announced a number of updates to how the company will sell its cloud-based services. These include the launch of new premium plans for more of its products, as well as the addition of a free tier for all of the company’s services that didn’t already offer one. Atlassian now also offers discounted cloud pricing for academic institutions and nonprofit organizations.

The company previously announced its premium plans for Jira Software Cloud and Confluence Cloud. Now, it is adding Jira Service Desk to this lineup, and chances are it’ll add more of its services over time. The premium plan adds a 99.9% update SLA, unlimited storage and additional support. Until now, Atlassian sold these products solely based on the number of users, but didn’t offer a specific enterprise plan.

As Harsh Jawharkar, the head of go-to-market for Cloud Platform at Atlassian, told me, many of its larger customers, who often ran the company’s products on their own servers before, are now looking to move to the cloud and hand over to Atlassian the day-to-day operations of these services. That’s in part because they are more comfortable with the idea of moving to the cloud at this point — and because Atlassian probably knows how to run its own services better than anybody else. 

For these companies, Atlassian is also introducing a number of new features today. Those include soon-to-launch data residency controls for companies that need to ensure that their data stays in a certain geographic region, as well as the ability to run Jira and Confluence Cloud behind customized URLs that align with a company’s brand, which will launch in early access in 2020. Maybe more important, though, are features to Atlassian Access, the company’s command center that helps enterprises manage its cloud products. Access now supports single sign-on with Google Cloud Identity and Microsoft Active Directory Federation Services, for example. The company is also partnering with McAfee and Bitglass to offer additional advanced security features and launch a cross-product audit log. Enterprise admins will also soon get access to a new dashboard that will help them understand how Atlassian’s tools are being used across the organization.

But that’s not all. The company is also launching new tools to make customer migration to its cloud products easier, with initial support for Confluence and Jira support coming later this year. There’s also new extended cloud trial licenses, which a lot of customers have asked for, Jawharkar told me, because the relatively short trial periods the company previously offered weren’t quite long enough for companies to fully understand their needs.

This is a big slew of updates for Atlassian — maybe its biggest enterprise-centric release since the company’s launch. It has clearly reached a point where it had to start offering these enterprise features if it wanted to grow its market and bring more of these large companies on board. In its early days, Atlassian mostly grew by selling directly to teams within a company. These days, it has to focus a bit more on selling to executives as it tries to bring more enterprises on board — and those companies have very specific needs that the company didn’t have to address before. Today’s launches clearly show that it is now doing so — at least for its cloud-based products.

The company isn’t forgetting about other users either, though. It’ll still offer entry-level plans for smaller teams and it’s now adding free tiers to products like Jira Software, Confluence, Jira Service Desk and Jira Core. They’ll join Trello, Bitbucket and Opsgenie, which already feature free versions. Going forward, academic institutions will receive 50% off their cloud subscriptions and nonprofits will receive 75% off.

It’s obvious that Atlassian is putting a lot of emphasis on its cloud services. It’s not doing away with its self-hosted products anytime, but its focus is clearly elsewhere. The company itself started this process a few years ago and a lot of this work is now coming to fruition. As Anu Bharadwaj, the head of Cloud Platform at Atlassian, told me, this move to a fully cloud-native stack enabled many of today’s announcements, and she expects that it’ll bring a lot of new customers to its cloud-based services.  

Shared inbox startup Front adds WhatsApp support

Front, the company that lets you manage your inboxes as a team, is adding one more channel, WhatsApp. Starting today, you can read and reply to people contacting you through WhatsApp.

This feature is specifically targeted at users of WhatsApp Business. You can get a business phone number through Twilio and then hand out that number to your customers.

After that, you can see the messages coming in Front and treat them like any Front message. In particular, you can assign conversations to a specific team members so that your customers get a relevant answer as quickly as possible. If you need more information, Front integrates with popular CRMs, such as Salesforce, Pipedrive and HubSpot.

You can also discuss with other teammates before sending a reply to your customer. It works like any chat interface — you can at-mention your coworkers and start an in-line chat in the middle of a WhatsApp thread. When you’re ready to answer, you can hit reply and send a WhatsApp message.

Front started with generic email addresses, such as sales@yourcompany or jobs@yourcompany. But the company has added more channels over time, such as Facebook, Twitter, website chat and text messages.

If you’ve already been using Front with text messages, you can now easily add WhatsApp and use the same service for that new channel.

WhatsApp sync

macOS Incident Response | Part 3: System Manipulation

In Part 1 and Part 2, we looked at collecting device, file and system data and how to retrieve data on user activity and behavior. In this final part of the series, we’re going to look for evidence of system manipulation that could leave a device or a user vulnerable to further exploitation. Some of that evidence may already have been collected from our earlier work, while other pieces of information will require some extra digging. Let’s go!

header image

Usurping the Sudoers File

One of the first places I want to look for system manipulation is in the /etc/sudoers file. This file can be used to allow users to run processes with elevated privileges without being challenged for a password. To check whether the sudoers file has been modified, we will use the visudo command rather than opening the file directly in vi or another editor. Using visudo is safer as it prevents the file being saved in an invalid format.

$ sudo visudo

Modifications to the sudoers file will typically be seen at the end of the file. In part, that’s because the easiest way for a process to write to it is by simply appending to it, but also the commands in the file take precedence in reverse order, with the later commands overriding earlier ones. For that reason, it’s important for attackers that their commands override any others that may target the same users, groups or hosts. In this example, we can see that a malicious process has added a line to allow the user ‘sentinel’ – or more importantly any process running as that user – to run the command at the path shown on any host (ALL) without authenticating.

image of visudo

Cuckoos in the PATH

The $PATH environment variable lists the paths where the shell will search for programs to execute that correspond to a given command name. We can see the user’s path list with

$ echo $PATH

In this example, the user’s path contains the following locations:

image of user Path

We can use a short Bash script to iterate over the paths, and list their contents, sorted by date modified in descending order.

#! /bin/bash

while IFS=: read -d: -r path; do
    cd $path
    echo $path
    ls -altR
done <<< "${PATH:+"${PATH}:"}"  

From the results, we can quickly see which files were modified most recently. Pay particular attention to what is at the top of the path, as /usr/local/bin is in the above example. This location will be searched first when a command is issued on the command line, ahead of system paths. A “cuckoo” script named, say, sudo or any other commonly used system utility, inserted at the top of the path would get called before – in other words, instead of – the real utility. A malicious actor could write a fake sudo script which first called the actor’s own routines before passing on the user’s intended actions to the real sudo utility. Done properly, this would be completely transparent to the user, and of course the attacker would have gained elevated privileges along the way.

Bash, Zsh and Other Shells

In a similar way, an attacker could modify one of several files that determine things like shell aliases. An alias in say the .bashrc file could replace every call to sudo with a call to an attacker’s script. To search for this possibility, be sure to check the contents of the following for such manipulations:

~/.bash_profile        # if it exists, read once when you log in to the shell
~/.bash_login          # if it exists, read once if .bash_profile doesn't exist
~/.profile             # if it exists, read once if the two above don't exist 
/etc/profile           # only read if none of the above exist

~/.bashrc              # if it exists, read every time you start a new shell
~/.bash_logout         # if it exists, read when the login shell exits

And look for the same for other shell environments the user might have like .zshrc for Zsh.

Etc, Hosts and Friends

It’s also worth running a time-sorted ls on the etc folder.

$ cd /etc; ls -altR

On this compromised system, it’s very clear what’s been modified recently.

image of files modified in etc

The hosts file is a leftover from the past and the way computers used to resolve domain names to IP addresses, a primitive form of DNS. These days the only use of the hosts file is to loopback certain domain names to the localhost, 127.0.0.1, which effectively prevents the system from reaching out to these domains. The hosts file is often manipulated by malware to stop the system checking in with certain remote services, such as Apple or other software vendors. A healthy hosts file will typically have very few entries, like so:

Networking and Sharing Prefs

While we’re discussing network communications, let’s check on several other areas that can be manipulated. In System Preferences’ Network pane, click Advanced… and look at the Proxies tab. Some malware will use an autoproxy to redirect user’s traffic in order to achieve a man-in-the-middle attack. We can also pull this information from the data we collected from sysdiagnose by searching on “autoproxy”. Here we see the good news that no autoproxy is set.

image of autoproxy search

We can utilise the networksetup utility here to output similar information to what you can see in the System Preferences UI regarding each network service.

#! /bin/bash

n=$(networksetup -listallnetworkservices | grep -v asterisk)
for nt in $n; do
    printf "n$ntn--------n";
    networksetup -getinfo $nt;
done

We can also find this information in the sysdiagnose report in the output of SystemProfiler’s SPNetworkLocationDataType.spx file.

Finding Local and Remote Logins

Let’s start with the obvious. Does the device have any of its sharing preferences enabled? In the User Interface, these are listed in the Sharing Pane:

image of sharing prefs

As explained in Malware Hunting on macOS | A Practical Guide, we can get the same information from netstat by grepping for particular ports associated with sharing services. For convenience, we can run a one-liner on the command line or via script that will succinctly output the Sharing preferences:


rmMgmt=`netstat -na | grep LISTEN | grep tcp46 | grep "*.3283" | wc -l`; scrShrng=`netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | grep "*.5900" | wc -l`; flShrng=`netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | egrep "*.88|*.445|*.548" | wc -l`;rLgn=`netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | grep "*.22" | wc -l`; rAE=`netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | grep "*.3031" | wc -l`; bmM=`netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | grep "*.4488" | wc -l`;printf "nThe following services are OFF if '0', or ON otherwise:nScreen Sharing: %snFile Sharing: %snRemote Login: %snRemote Mgmt: %snRemote Apple Events: %snBack to My Mac: %snn" "$scrShrng" "$flShrng" "$rLgn" "$rmMgmt" "$rAE" "$bmM";

This lengthy pipeline of commands should return something like this.

image of sharing prefs from netstat

In the sysdiagnose/network-info folder, the netstat.txt file will also list, among other things, active internet connections. Alternatively, you can collect much of the same relevant information with the following commands:

Active Internet connections (including servers):
netstat -A -a -l -n -v

Routing tables:
netstat -n -r -a -l

Also, check the user’s home folder for the invisible .ssh directory and the addition of any attacker public keys. Here, an unwanted process has secretly written a known_hosts file into the ssh folder so that the process can ensure it’s connecting to its own C2 server before exfiltrating user data or downloading further components.

Either on the system itself or from the sysdiagnose folder, look for the existence of the kcpassword file. This file only exists if the system has Auto login set up, which allows a user to login to the Mac without providing a user name or password. Although it’s unlikely a remote attacker would chose to set this up, a local one might (such as a co-worker), if they had hopes of physical access in the future. Perhaps more importantly, the file contains the user’s actual login password in encoded but not encrypted form. It’s a simple thing to decode it, but it does require having already achieved elevated privileges to do so.

The /usr/sbin/sysadminctl utility has a few useful options for checking on Guest account and other settings. This one-liner will output some useful status information:

state=("automaticTime" "afpGuestAccess" "filesystem" "guestAccount" "smbGuestAccess"); for i in "${state[@]}"; do sysadminctl -"${i}" status; done;

image of sysadminctl

Achieving Persistence Through Application Bundles

We have already covered macOS persistence techniques, and I encourage you to refer to that for an in-depth treatment. However, it’s worth mentioning here one of the upshots of Apple’s recent change to requiring developers to use Application bundles for things like kexts and login items, which is that it can now be much harder to track these down. In the past, all 3rd party extensions would have been in /Library/Extensions and all login items could be tracked through the loginitems.plist file. Recent changes mean these can now be anywhere that an application can be, and that is pretty much everywhere!

In the first post in this series, we looked at an example of using LSRegister to hunt for unusual or unwanted applications. We can also leverage the Spotlight backend to search for the location of apps once we have a target bundle identifier to hand. For example:

mdfind "kMDItemCFBundleIdentifier == 'com.cnaa4c4d'"

image of mdfind

Be careful with the syntax: the whole search statement is encapsulated in double quotes and the value to search for is within single quotes. More information about using mdfind can be found in the utility’s man page. A list of possible predicate search terms can be printed out with

mdimport -X

Manipulating Users Through Their Browsers

For the vast majority of attacks, the gateway to compromise comes through interaction with the user, so it’s important to check on applications that are used for communications. Have these applications’ default settings been manipulated to make further exploitation and compromise easier for the attacker?

We already took a look at this in general in Part 2, but specifically some of the items we would want to look at are the addition of browser extensions, default home page and search criteria, security settings, additional or privileged users and password use. We should also check the default download location and iterate over that folder for recent activity.

I’ve explained here how we can examine recent downloads that have been tagged with Apple’s LSQuarantine bit, but this bit is easily removed and the records in the LSQuarantine file are not all that reliable. A full listing of the user’s browser history is better scraped from the relevant folders and databases belonging to each browser app. Although browser history does not tell us directly about system manipulation, by tracking the urls of malicious sites visited we can build a picture not only of where malware may have come from, but where it might be sending our user to for further compromises. We can also use any malicious URLs found in browser history as search terms across our collected data.

Although there are many browsers, I will only deal with the major ones here. It should be possible to apply the same principles in these examples to other browsers. Safari, Firefox, Chrome and Opera all have slightly different ways of storing history. Here’s a few examples.

Browser History

To retrieve Safari history (Terminal will require Full Disk Access in Mojave and later):

sqlite3 ~/Library/Safari/History.db "SELECT h.visit_time, i.url FROM history_visits h INNER JOIN history_items i ON h.history_item = i.id"

To retrieve a list of sites that have acquired Push Notifications permissions in Safari:

plutil -p ~/Library/Safari/UserNotificationPermissions.plist | grep -a3 '"Permission" => 1'

To retrieve the last session data from Safari:

plutil -p ~/Library/Safari/LastSession.plist | grep -iv sessionstate .

Chrome history can be gathered with the following command:

sqlite3 ~/Library/Application Support/Google/Chrome/Default/History "SELECT datetime(((v.visit_time/1000000)-11644473600), 'unixepoch'), u.url FROM visits v INNER JOIN urls u ON u.id = v.url;"

Similar will work for Vivaldi and other Chromium based browsers once you substitute the appropriate path to the browser’s database. For example:

sqlite3 ~/Library/Application Support/Vivaldi/Default/History "SELECT datetime(((v.visit_time/1000000)-11644473600), 'unixepoch'), u.url FROM visits v INNER JOIN urls u ON u.id = v.url;"

Firefox History is slightly different.

sqlite3 ~/Library/Application Support/Firefox/Profiles/*/places.sqlite "SELECT datetime(last_visit_date/1000000,'unixepoch'), url, title from moz_places"

Browser Extensions

I’ve previously described how the Safari Extensions format has changed recently and how this can be leveraged by bad actors. To retrieve an old-style list of Safari browser extensions:

plutil -p ~/Library/Safari/Extensions/Extensions.plist| grep "Bundle Directory Name" | sort --ignore-case

The new .appex style which require an Application bundle can be enumerated via the pluginkit utility.

pluginkit -mDvvv -p com.apple.Safari.extension

image of pluginkit

Extensions, particularly in Chrome have long been problematic and an easy way for scammers to control user’s browsing. Extensions can be enumerated in Chromium browsers from the Extensions folder:

$ ~/Library/Application Support/Google/Chrome/Default/Extensions; ls -al

Unfortunately, the randomized names and lack of human-readable identifiers is not helpful.

image of chrome extensions

Suffice to say it is worth going over the contents of each directory thoroughly.

Like Safari, Firefox uses a similar, though reversed, bundleIdentifier format for Extension names, which is far more user-friendly:

cd ~/Library/Application Support/Firefox/Profiles/*/extensions; ls -al

image of firefox extensions

Browser Security Settings

Some adware and malware attempt to turn off the browser’s built-in anti-phishing settings, which is surprisingly easy to do. We can check this setting for various browsers with a few simple one-liners.

For Safari:

defaults read com.apple.Safari WarnAboutFraudulentWebsites

The reply should be 1 to indicate the setting is active.

Chrome and Chromium browsers typically use a “safebrowsing” key in the Preferences file located in the Defaults folder. You can simply grep for “safebrowsing” and look for {"enabled: true,"} in the result to indicate anti-phishing and malware protection is on.

grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences

Opera is slightly different, using the key “fraud_protection_enabled” rather than ‘safebrowsing’.

grep 'fraud_protection_enabled' ~/Library/Application Support/com.operasoftware.Opera/Preferences

image of opera prefs

In Firefox, preferences are held in the prefs.js file. The following command

grep 'browser.safebrowsing' ~/Library/Application Support/Firefox/Profiles/*/prefs.js

will return “safebrowsing.malware.enabled” and “phishing.enabled” as false if the safe search settings have been disabled, as shown in the following images:


image of firefox browser protections disabled

If the settings are on, those keys will not be present.

There are many other settings that can be mined from the browser’s support folders aside from history, preferences and extensions using the same techniques as above. These locations should also be searched for manipulation of user settings and preferences such as default home page and search engines.

Conclusion

And that brings us to the end of this short series on macOS Incident Response! There is much that we have not covered; the subject is as vast in its breadth as is macOS itself, but we have covered, in Posts 1, 2, and 3, the basics of where and what kind of information you can collect about the device’s activity, the users’ behaviour and the threat actor’s manipulations. For those interested in learning more, you could take a look at OS X Incident Response Scripting & Analysis by Jaron Bradley, which takes a different but useful approach from the one I’ve taken here. If you want to go beyond these kinds of overviews to digital forensics, check out the SANS course run by Sarah Edwards. Finally, of course, please follow me on Twitter if you have comments, questions or suggestions on this series and @SentinelOne to keep up with all the news about macOS security.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Starboard Value takes 7.5% stake in Box

Starboard Value, LP revealed in an SEC Form 13D filing last week that it owns a 7.5% stake in Box, the cloud content management company.

It is probably not a coincidence that Starboard Value invests in companies whose stock has taken a bad turn. Box’s share price has been on a roller coaster ride in the years since 2015, when its stock was priced initially at $14.00/share but then surged to $23.23 on its opening day. In recent years, its share price has gone as high as $28.12, but the declines have been steep: its 52-week low is $12.46 per share.

Screenshot 2019 09 03 17.22.05

“While we do not comment on interactions with our investors, Box is committed to maintaining an active and engaged dialogue with stockholders. The Board of Directors and management team are focused on delivering growth and profitability to drive long-term stockholder value as we continue to pioneer the Cloud Content Management market,” a Box spokesperson told TechCrunch.

Indeed, it is too early to tell what Starboard’s investment will mean longer term. But more generally, it has been known to take a very active role in its portfolio companies, sometimes increasing its stake to secure places on the board and using that position to advocate management changes, restructuring, sales and more.

And Box is now, in a sense, on notice. From Starboard’s filing:

“Depending on various factors including, without limitation, the Issuer’s financial position and investment strategy, the price levels of the Shares, conditions in the securities markets and general economic and industry conditions, the Reporting Persons may in the future take such actions with respect to their investment in the Issuer as they deem appropriate including, without limitation, engaging in communications with management and the Board of Directors of the Issuer, engaging in discussions with stockholders of the Issuer or other third parties about the Issuer and the [Starboard’s] investment, including potential business combinations or dispositions involving the Issuer or certain of its businesses, making recommendations or proposals to the Issuer concerning changes to the capitalization, ownership structure, board structure (including board composition), potential business combinations or dispositions involving the Issuer or certain of its businesses, or suggestions for improving the Issuer’s financial and/or operational performance, purchasing additional Shares, selling some or all of their Shares, engaging in short selling of or any hedging or similar transaction with respect to the Shares…”

Box began life as a consumer storage company but made the transition to enterprise software several years after it launched in 2005. It raised more than $500 million along the way, and it was a Silicon Valley SaaS darling until it filed its S-1 in 2014.

That S-1 revealed massive sales and marketing spending, and critics came down hard on the company. That led to one of the longest IPO delays in memory, taking nine months from the time the company filed until it finally had its IPO in January 2015.

While losses more recently appear to be getting smaller, they are still a very prominent aspect of the company’s financials. In its Q2 earnings report last week, Box announced  $172.5 million in revenue for for the quarter, putting it on a run rate close to $700 million, but it also said its GAAP operating loss was $36.3 million, or 21% of revenue (year-ago GAAP operating loss was $37.2 million, or 25% of revenue).

Non-GAAP operating income meanwhile was $0.5 million, or 0% of revenue (year-ago non-GAAP operating loss was $6.5 million, or 4% of revenue). Negative free cash flow was also up to -$19 million versus -$10 million a year ago. In other words, these are precisely the kind of metrics that attract activist investors to high-profile public companies.

Levie will be appearing at TechCrunch Sessions: Enterprise on Thursday.

We emailed Starboard Value for comment on this article. Should it respond, we will update the article.

Spam In your Calendar? Here’s What to Do.

Many spam trends are cyclical: Spammers tend to switch tactics when one method of hijacking your time and attention stops working. But periodically they circle back to old tricks, and few spam trends are as perennial as calendar spam, in which invitations to click on dodgy links show up unbidden in your digital calendar application from Apple, Google and Microsoft. Here’s a brief primer on what you can do about it.

Image: Reddit

Over the past few weeks, a good number of readers have written in to say they feared their calendar app or email account was hacked after noticing a spammy event had been added to their calendars.

The truth is, all that a spammer needs to add an unwelcome appointment to your calendar is the email address tied to your calendar account. That’s because the calendar applications from Apple, Google and Microsoft are set by default to accept calendar invites from anyone.

Calendar invites from spammers run the gamut from ads for porn or pharmacy sites, to claims of an unexpected financial windfall or “free” items of value, to outright phishing attacks and malware lures. The important thing is that you don’t click on any links embedded in these appointments. And resist the temptation to respond to such invitations by selecting “yes,” “no,” or “maybe,” as doing so may only serve to guarantee you more calendar spam.

Fortunately, the are a few simple steps you can take that should help minimize this nuisance. To stop events from being automatically added to your Google calendar:

-Open the Calendar application, and click the gear icon to get to the Calendar Settings page.
-Under “Event Settings,” change the default setting to “No, only show invitations to which I have responded.”

To prevent events from automatically being added to your Microsoft Outlook calendar, click the gear icon in the upper right corner of Outlook to open the settings menu, and then scroll down and select “View all Outlook settings.” From there:

-Click “Calendar,” then “Events from email.”
-Change the default setting for each type of reservation settings to “Only show event summaries in email.”

For Apple calendar users, log in to your iCloud.com account, and select Calendar.

-Click the gear icon in the lower left corner of the Calendar application, and select “Preferences.”
-Click the “Advanced” tab at the top of the box that appears.
-Change the default setting to “Email to [your email here].”

Making these changes will mean that any events your email provider previously added to your calendar automatically by scanning your inbox for certain types of messages from common events — such as making hotel, dining, plane or train reservations, or paying recurring bills — may no longer be added for you. Spammy calendar invitations may still show up via email; in the event they do, make sure to mark the missives as spam.

Have you experienced a spike in calendar spam of late? Or maybe you have another suggestion for blocking it? If so, sound off in the comments below.

‘Satori’ IoT Botnet Operator Pleads Guilty

A 21-year-old man from Vancouver, Wash. has pleaded guilty to federal hacking charges tied to his role in operating the “Satori” botnet, a crime machine powered by hacked Internet of Things (IoT) devices that was built to conduct massive denial-of-service attacks targeting Internet service providers, online gaming platforms and Web hosting companies.

Kenneth “Nexus-Zeta” Schuchman, in an undated photo.

Kenneth Currin Schuchman pleaded guilty to one count of aiding and abetting computer intrusions. Between July 2017 and October 2018, Schuchman was part of a conspiracy with at least two other unnamed individuals to develop and use Satori in large scale online attacks designed to flood their targets with so much junk Internet traffic that the targets became unreachable by legitimate visitors.

According to his plea agreement, Schuchman — who went by the online aliases “Nexus” and “Nexus-Zeta” — worked with at least two other individuals to build and use the Satori botnet, which harnessed the collective bandwidth of approximately 100,000 hacked IoT devices by exploiting vulnerabilities in various wireless routers, digital video recorders, Internet-connected security cameras, and fiber-optic networking devices.

Satori was originally based on the leaked source code for Mirai, a powerful IoT botnet that first appeared in the summer of 2016 and was responsible for some of the largest denial-of-service attacks ever recorded (including a 620 Gbps attack that took KrebsOnSecurity offline for almost four days).

Throughout 2017 and into 2018, Schuchman worked with his co-conspirators — who used the nicknames “Vamp” and “Drake” — to further develop Satori by identifying and exploiting additional security flaws in other IoT systems.

Schuchman and his accomplices gave new monikers to their IoT botnets with almost each new improvement, rechristening their creations with names including “Okiru,” and “Masuta,” and infecting up to 700,000 compromised systems.

The plea agreement states that the object of the conspiracy was to sell access to their botnets to those who wished to rent them for launching attacks against others, although it’s not clear to what extent Schuchman and his alleged co-conspirators succeeded in this regard.

Even after he was indicted in connection with his activities in August 2018, Schuchman created a new botnet variant while on supervised release. At the time, Schuchman and Drake had something of a falling out, and Schuchman later acknowledged using information gleaned by prosecutors to identify Drake’s home address for the purposes of “swatting” him.

Swatting involves making false reports of a potentially violent incident — usually a phony hostage situation, bomb threat or murder — to prompt a heavily-armed police response to the target’s location. According to his plea agreement, the swatting that Schuchman set in motion in October 2018 resulted in “a substantial law enforcement response at Drake’s residence.”

As noted in a September 2018 story, Schuchman was not exactly skilled in the art of obscuring his real identity online. For one thing, the domain name used as a control server to synchronize the activities of the Satori botnet was registered to the email address nexuczeta1337@gmail.com. That domain name was originally registered to a “ZetaSec Inc.” and to a “Kenny Schuchman” in Vancouver, Wash.

People who operate IoT-based botnets maintain and build up their pool of infected IoT systems by constantly scanning the Internet for other vulnerable systems. Schuchman’s plea agreement states that when he received abuse complaints related to his scanning activities, he responded in his father’s identity.

“Schuchman frequently used identification devices belonging to his father to further the criminal scheme,” the plea agreement explains.

While Schuchman may be the first person to plead guilty in connection with Satori and its progeny, he appears to be hardly the most culpable. Multiple sources tell KrebsOnSecurity that Schuchman’s co-conspirator Vamp is a U.K. resident who was principally responsible for coding the Satori botnet, and as a minor was involved in the 2015 hack against U.K. phone and broadband provider TalkTalk.

Multiple sources also say Vamp was principally responsible for the 2016 massive denial-of-service attack that swamped Dyn — a company that provides core Internet services for a host of big-name Web sites. On October 21, 2016, an attack by a Mirai-based IoT botnet variant overwhelmed Dyn’s infrastructure, causing outages at a number of top Internet destinations, including Twitter, Spotify, Reddit and others.

The investigation into Schuchman and his alleged co-conspirators is being run out the FBI field office in Alaska, spearheaded by some of the same agents who helped track down and ultimately secure guilty pleas from the original co-authors of the Mirai botnet.

It remains to be seen what kind of punishment a federal judge will hand down for Schuchman, who reportedly has been diagnosed with Asperger Syndrome and autism. The maximum penalty for the single criminal count to which he’s pleaded guilty is 10 years in prison and fines of up to $250,000.

However, it seems likely his sentencing will fall well short of that maximum: Schuchman’s plea deal states that he agreed to a recommended sentence “at the low end of the guideline range as calculated and adopted by the court.”

Endpoint Security | Winning the War Against Time

What is the one common denominator against any adversary? What is the most precious commodity of all in the struggle between attackers and defenders? What is the one advantage the adversary has, up till now, always had over us? The answer is time itself. The reason why threats—from WannaCry and NotPetya to MegaCortex and RobinHood—succeed is not sophistication. They simply outpace our ability to stop them in their tracks. The threats move at machine-speed. Our defenses do not. The threats are hyper automated. Our defenses are not.

WannaCry was arguably one of the least sophisticated, most poorly written ransomware payloads ever. A large portion of it was corrupted, and it never even ran in many high-profile enterprises the worm component plowed through and wreaked havoc in. It was its sheer velocity that ultimately beat enterprise defenses and out-paced Incident Response teams in the trenches.

Indeed, the most important point of this post is that our defenses lack velocity. There is nothing terribly sophisticated about most threats: they are simply faster than we are! It is why we are still just as unprepared today against a pending BlueKeep worm as we were two years ago.

image winning war against time

The Lies We Tell Ourselves

So how can we get time back on our side? We can start by dumping untruths such as these:

“It’s a matter of when, not if, we will be compromised” and “An attacker only needs to be right once to succeed, whereas defenders need to be right 100% of the time to prevent a breach.”

The truth is that it is only a matter of “when not if” if we as defenders are unable to control the “when”.

The fact is most of us have spent the last 3-4 years building up an immense stack of extremely noisy solutions, the vast majority of which can only (by definition) help us after the fact. We’ve then spent another 1-2 years trying to get all of them to talk to each other in order to understand what bad thing just happened to the organization. Too little, too late.

The adversary benefits as we inundate our best (and hyper rare) talent with noise. With tracking down root cause analysis (RCA). With vetting false positives. With improving our playbooks to accommodate the incidents we’re resigned to expect. We have completely lost the plot… and there is no one to blame but ourselves. Most security vendors only build what they imagine enterprises want, and their investors all want them to have a cloud story… they all want them to have subscription-based OPEX model, they all want them to sell volumes of alerts, bandwidth, data retention, events per second, pew-pew laser maps, and ephemerally-challenged intelligence.

We are standing here doing the same thing over and over again while expecting better results. We have negative unemployment and millions of unfilled positions, yet we throw more after-the-fact noise/alerts/false positives and rabbit hole pivot/hunt/RCA activity at the few remaining burnt-out analysts we are lucky enough to retain.

The Battlefield Is The Endpoint

The key to winning against an adversary is to know where they are going to be, what they will do when they get there, and then taking an action that anticipates the enemy’s move in order to stop them in their tracks. The battlefield is the endpoint…namely, your endpoint. It is where attacks originate, and it is where persistence is gained. It is where lateral movement goes to and fro. It is where processes are injected into, where network packets originate from, where the data lives and where the end user creates. It is where the bad guys exfiltrate from, and it is nearly always what your RCA efforts end up pointing back to, after the fact.

I’ve run incident response teams, and I’ve been lucky enough to have had access to literally thousands of compromise assessment reports. I can already tell you what your RCA is going to be; I know how they are getting in. You do, too: spearphishing, creds, RDP, vulnerable web services, insider threat, and (sadly) your MSSP or third party/supply chain.

Yet, most of us are probably not running MFA on every externally-facing application. Or we are still running unneeded RDP services and hoping that plopping them inside a VPN makes any difference. Likely we still haven’t fixed our SSDLC because we don’t have the authority or ability to influence the cultural shift required to do so. And yes, our end users are still clicking on things because that’s what end users do on devices made for clicking things! They are not the problem, and training them effectively is only ever going to be a partial solution, even when we get measurable improvements on their behavior.

If we want to win, we have to control our own endpoints. Controlling an endpoint is not the same thing as having passive visibility into what happened on it, nor is it the ability to restore it from a back-up. It is controlling it at a process level, period.

If we have all the visibility in the world; crystal clear, 20/20 vision and perfect hindsight but it doesn’t inform us fast enough to take the action that actually matters before the bad thing happens, then all we have gained with that visibility is friction, noise, opportunity cost of precious (human) resources, and a perpetuation of the problem.

Turning the Tables Against the Adversary

It’s time to turn the tables and restore time to the defender’s advantage, and to do so on the defender’s soil. Earlier above I quoted a common misguided edict we tell ourselves:

“An attacker only needs to be right once to succeed, whereas defenders need to be right 100% of the time to prevent a breach.”

Let’s rearrange that statement to our advantage. Let’s be better hackers than the Darwinian criminals laughing at our after-the-fact cloud security platforms:

“An attacker needs to be right at every step to succeed, and a defender only needs to be right once to prevent a breach.”

The truth is we’ve had the advantage the whole time. We own the endpoint. It is our domain. We control what happens on it and what does not. We just haven’t implemented enough active machine-speed defenses to keep up with the threat.

We can hook the kernel before the bad actor does. We can identify legitimate processes before a bad actor ever gets a foothold. We can know what the majority of bad actors do once on the endpoint before they get there. We can leverage NLP and machine learning (ML) to understand entire worlds of potential malicious activity well before a bad actor steps foot in our domain. We can uninstall any software we deem vulnerable or a threat. We can reverse-out changes that unauthorized software or users make to the operating system.

We can outpace the bad actor. If we see PowerShell spawned from a Word document fetching a remote file, we can kill that process before it even completes running in memory. We can do all this because it is our domain; it is our endpoint.

There is no such thing as an attack that is only one step, other than maybe the Ping of Death from 20 years ago. If the MITRE ATT&CK framework illustrates one thing, it should be this: we can and need to be able to interject an active kill chain as it unfolds in real time.

Most attacks are automated, yet their automation is not sophisticated and it is not highly adaptable. It is not a human behind a keyboard ready to improvise. We can stop these attacks on our soil.

So let’s make the attacker be right 100% of the time. Let’s make them get it right at every step if they want to succeed. More importantly, let’s get really good at stopping them before they take the steps we know they must!

The Time is Now!

Time is the battle and the endpoint is the battlefield. To win at the game of time on a machine-speed field, we must automate. In order to allow for automation, we must have confidence that it will not break the enterprise or the mission. To gain confidence quickly enough, we must leverage both high-confidence static rules, and NLP and/or other forms of ML where and when and if it makes sense to do so. We must be able to quickly assemble enough events on a host to provide sufficient context to discern malicious activity and interject it immediately.

But let’s do this on the endpoint where the action is! Your Tesla doesn’t consult cloud intelligence before it decides to put on the brakes for you to avoid an impact. A Space-X rocket booster’s thruster controls don’t require a tether to the Cloud to adjust for pitch and yaw before landing on a floating platform at sea. Our intelligence must be where the battle is and allow automation to happen at machine speed. If we actually put first things first, and win back the time advantage on the endpoint, then we may finally be able to lean forward and solve our identity, credentials, IOT, insider threat, SSDLC, and supply chain problems.

Let’s roll!


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

OpenGov raises $51M to boost its cloud-based IT services for government and civic organizations

OpenGov, the firm co-founded by Palantir’s Joe Lonsdale that helps government and other civic organizations organise, analyse and present financial and other data using cloud-based architecture, has raised another big round of funding to continue expanding its business. The startup has picked up an additional $51 million in a Series D round led by Weatherford Capital and 8VC (Lonsdale’s investment firm), with participation from existing investor Andreessen Horowitz.

The funding brings the total raised by the company to $140 million, with previous investors in the firm including JC2 Ventures, Emerson Collective, Founders Fund and a number of others. The company is not disclosing its valuation — although we are asking — but for some context, PitchBook noted it was around $190 million in its last disclosed round — although that was in 2017 and has likely increased in the interim, not least because of the startup’s links in high places, and its growth.

On the first of these, the company says that its board of directors includes, in addition to Lonsdale (who is now the chairman of the company); Katherine August-deWilde, Co-Founder and Vice-Chair of First Republic Bank; John Chambers, Founder and CEO of JC2 Ventures and Former Chairman and CEO of Cisco Systems; Marc Andreessen, Co-Founder and General Partner of Andreessen Horowitz; and Zac Bookman, Co-Founder and CEO of OpenGov .

And in terms of its growth, OpenGov says today it counts more than 2,000 governments as customers, with recent additions to the list including the State of West Virginia, the State of Oklahoma, the Idaho State Controller’s Office, the City of Minneapolis MN, and Suffolk County NY. For comparison, when we wrote in 2017 about the boost the company had seen since Trump’s election (which has apparently seen a push for more transparency and security of data), the company noted 1,400 government customers.

Government data is generally associated with legacy systems and cripplingly slow bureaucratic processes, and that has spelled opportunity to some startups, who are leveraging the growth of cloud services to present solutions tailored to the needs of civic organizations and the people who work in them, from city planners to finance specialists. In the case of OpenGov, it packages its services in a platform it calls the OpenGov Cloud.

“OpenGov’s mission to power more effective and accountable government is driving innovation and transformation for the public sector at high speed,” said OpenGov CEO Zac Bookman in a statement. “This new investment validates OpenGov’s position as the leader in enterprise cloud solutions for government, and it fuels our ability to build, sell, and deploy new mission-critical technology that is the safe and trusted choice for government executives.”

City Manager Dashboard Screen

It’s also, it seems, a trusted choice for government executives who have left public service and moved into investing, leveraging some of the links they still have into those who manage procurement for public services. Weatherford Capital, one of the lead investors, is led in part by managing partner Will Weatherford, who is the former Speaker of the House for the State of Florida.

“OpenGov’s innovative technology, accomplished personnel, market leadership, and mission-first approach precisely address the growing challenges inherent in public administration,” he said in a statement. “We are thrilled at the opportunity to partner with OpenGov to accelerate its growth and continue modernizing how this important sector operates.”

It will be interesting to see how and if the company uses the funding to consolidate in its particular area of enterprise technology. There are other firms like LiveStories that have also been building services to help better present civic data to the public that you could see as complementary to what OpenGov is doing. OpenGov has made acquisitions in the past, such as Ontodia to bring more open-source data and technology into its platform.

Kabbage acquires Radius Intelligence, the marketing tech firm with a database of 20M small businesses

Data is the new oil, as the saying goes, and today Kabbage — a fintech startup backed by SoftBank that has built a business around lending up to $250,000 to small and medium enterprises, using AI-based algorithms to help determine the terms of the loan — is picking up an asset to expand its own data trove as it looks to expand into further SMB financial services. The company has acquired Radius Intelligence, the marketing technology firm that has built a database of information on some 20 million small and medium businesses in the U.S.

Terms of the deal are not being disclosed, but notably, it comes on the heels of a sightly tumultuous period for Radius . Last year, the company announced a merger with its big competitor Leadspace, only to quietly cancel the deal three months later. Then two months after that, it replaced its longtime CEO.

Radius — which is backed by some $120 million from investors that include Founders Fund, David Sacks, Salesforce Ventures, AME Cloud Ventures and the actor Jared Leto, among others — last had a valuation of around $200 million, according to PitchBook, but that was prior to these events. Kabbage, meanwhile, has raised hundreds of millions in equity and debt and is valued at more than $1 billion. The deal will be financed off Kabbage’s own balance sheet and will not require the company to raise more funds, I understand.

Rob Frohwein, Kabbage’s co-founder and CEO, said in an interview that the plan is to integrate Radius’ tech and IP into the Kabbage platform — the task will be overseen by Radius’ current CEO, Joel Carusone — as well as Radius’ tech team of 20 engineers, who will work for the Atlanta-based startup out of its office in San Francisco.

He also added that Radius’ current products — which include market intelligence and contact information for employees at SMBs in the U.S., along with a host of related solutions, which up to now had been gathered both via public sources and the businesses updating the information themselves; as well as the technology for merging disparate sources of data and ferreting out the “valid” pieces that are worth retaining and throwing out what is out of date — will not be sold any longer via Radius. From now on, there will be only one customer for all that data: Kabbage itself (the company had already been a user of Radius’ data to help its own marketing team connect with new and and existing customers).

“We have known the company for a long time,” said Frohwein. Other customers that Radius lists on its site include Square, American Express, LendingTree, FirstData, MetLife, Sam’s Club, Yahoo and more.

This doesn’t mean that Kabbage might not offer the SMB intelligence in a format to businesses directly via its own platform at some point, but it also means that as Kabbage expands into services that might compete with some of Radius’ now-former customers — payments and merchant acquirer services, as well as tools to help SMBs grow their own customer funnels are some that are on the cards for the coming months — it will have an edge on them because of the data on users that it will now own.

The deal underscores two bigger trends among startups that focus on enterprise customers. First, it points to  ongoing consolidation in the world of marketing tech, in part as businesses look for ways to better compete against the likes of Microsoft and Salesforce, which are also continually building out their stacks of services. And we likely will see more activity from stronger fintech companies keen to expand their platforms to provide more touchpoints and revenue streams from existing customers, as well as more services to expand the customer base overall.

“We’re thrilled to join the Kabbage team. As a company dedicated to small business analytics and data management, we’ve always had a deep respect for Kabbage’s data-driven technology and focus,” Radius CEO Carusone said in a statement. “Our companies have complementary technical architectures and domain experience for decision making. With Kabbage, we can build a more sophisticated analytics solution to identify, reach and serve small businesses.”

Kabbage itself is not looking for new funding at the moment, Frohwein said, but he added also that it is on a fast trajectory at the moment but still a ways away from an IPO, so I wouldn’t discount more raises in the future. The company is currently on track to see revenues up 40% versus last year, with customers up 60%.

“We’re always looking to grow,” he said.

Feds Allege Adconion Employees Hijacked IP Addresses for Spamming

Federal prosecutors in California have filed criminal charges against four employees of Adconion Direct, an email advertising firm, alleging they unlawfully hijacked vast swaths of Internet addresses and used them in large-scale spam campaigns. KrebsOnSecurity has learned that the charges are likely just the opening salvo in a much larger, ongoing federal investigation into the company’s commercial email practices.

Prior to its acquisition, Adconion offered digital advertising solutions to some of the world’s biggest companies, including Adidas, AT&T, Fidelity, Honda, Kohl’s and T-Mobile. Amobee, the Redwood City, Calif. online ad firm that acquired Adconion in 2014, bills itself as the world’s leading independent advertising platform. The CEO of Amobee is Kim Perell, formerly CEO of Adconion.

In October 2018, prosecutors in the Southern District of California named four Adconion employees — Jacob Bychak, Mark ManoogianPetr Pacas, and Mohammed Abdul Qayyum —  in a ten-count indictment on charges of conspiracy, wire fraud, and electronic mail fraud. All four men have pleaded not guilty to the charges, which stem from a grand jury indictment handed down in June 2017.

‘COMPANY A’

The indictment and other court filings in this case refer to the employer of the four men only as “Company A.” However, LinkedIn profiles under the names of three of the accused show they each work(ed) for Adconion and/or Amobee.

Mark Manoogian is an attorney whose LinkedIn profile states that he is director of legal and business affairs at Amobee, and formerly was senior business development manager at Adconion Direct; Bychak is listed as director of operations at Adconion Direct; Quayyum’s LinkedIn page lists him as manager of technical operations at Adconion. A statement of facts filed by the government indicates Petr Pacas was at one point director of operations at Company A (Adconion).

According to the indictment, between December 2010 and September 2014 the defendants engaged in a conspiracy to identify or pay to identify blocks of Internet Protocol (IP) addresses that were registered to others but which were otherwise inactive.

The government alleges the men sent forged letters to an Internet hosting firm claiming they had been authorized by the registrants of the inactive IP addresses to use that space for their own purposes.

“Members of the conspiracy would use the fraudulently acquired IP addresses to send commercial email (‘spam’) messages,” the government charged.

HOSTING IN THE WIND

Prosecutors say the accused were able to spam from the purloined IP address blocks after tricking the owner of Hostwinds, an Oklahoma-based Internet hosting firm, into routing the fraudulently obtained IP addresses on their behalf.

Hostwinds owner Peter Holden was the subject of a 2015 KrebsOnSecurity story titled, “Like Cutting Off a Limb to Save the Body,” which described how he’d initially built a lucrative business catering mainly to spammers, only to later have a change of heart and aggressively work to keep spammers off of his network.

That a case of such potential import for the digital marketing industry has escaped any media attention for so long is unusual but not surprising given what’s at stake for the companies involved and for the government’s ongoing investigations.

Adconion’s parent Amobee manages ad campaigns for some of the world’s top brands, and has every reason not to call attention to charges that some of its key employees may have been involved in criminal activity.

Meanwhile, prosecutors are busy following up on evidence supplied by several cooperating witnesses in this and a related grand jury investigation, including a confidential informant who received information from an Adconion employee about the company’s internal operations.

THE BIGGER PICTURE

According to a memo jointly filed by the defendants, “this case spun off from a larger ongoing investigation into the commercial email practices of Company A.” Ironically, this memo appears to be the only one of several dozen documents related to the indictment that mentions Adconion by name (albeit only in a series of footnote references).

Prosecutors allege the four men bought hijacked IP address blocks from another man tied to this case who was charged separately. This individual, Daniel Dye, has a history of working with others to hijack IP addresses for use by spammers.

For many years, Dye was a system administrator for Optinrealbig, a Colorado company that relentlessly pimped all manner of junk email, from mortgage leads and adult-related services to counterfeit products and Viagra.

Optinrealbig’s CEO was the spam king Scott Richter, who later changed the name of the company to Media Breakaway after being successfully sued for spamming by AOL, MicrosoftMySpace, and the New York Attorney General Office, among others. In 2008, this author penned a column for The Washington Post detailing how Media Breakaway had hijacked tens of thousands of IP addresses from a defunct San Francisco company for use in its spamming operations.

Dye has been charged with violations of the CAN-SPAM Act. A review of the documents in his case suggest Dye accepted a guilty plea agreement in connection with the IP address thefts and is cooperating with the government’s ongoing investigation into Adconion’s email marketing practices, although the plea agreement itself remains under seal.

Lawyers for the four defendants in this case have asserted in court filings that the government’s confidential informant is an employee of Spamhaus.org, an organization that many Internet service providers around the world rely upon to help identify and block sources of malware and spam.

Interestingly, in 2014 Spamhaus was sued by Blackstar Media LLC, a bulk email marketing company and subsidiary of Adconion. Blackstar’s owners sued Spamhaus for defamation after Spamhaus included them at the top of its list of the Top 10 world’s worst spammers. Blackstar later dropped the lawsuit and agreed to paid Spamhaus’ legal costs.

Representatives for Spamhaus declined to comment for this story. Responding to questions about the indictment of Adconion employees, Amobee’s parent company SingTel referred comments to Amobee, which issued a brief statement saying, “Amobee has fully cooperated with the government’s investigation of this 2017 matter which pertains to alleged activities that occurred years prior to Amobee’s acquisition of the company.”

ONE OF THE LARGEST SPAMMERS IN HISTORY?

It appears the government has been investigating Adconion’s email practices since at least 2015, and possibly as early as 2013. The very first result in an online search for the words “Adconion” and “spam” returns a Microsoft Powerpoint document that was presented alongside this talk at an ARIN meeting in October 2016. ARIN stands for the American Registry for Internet Numbers, and it handles IP addresses allocations for entities in the United States, Canada and parts of the Caribbean.

As the screenshot above shows, that Powerpoint deck was originally named “Adconion – Arin,” but the file has since been renamed. That is, unless one downloads the file and looks at the metadata attached to it, which shows the original filename and that it was created in 2015 by someone at the U.S. Department of Justice.

Slide #8 in that Powerpoint document references a case example of an unnamed company (again, “Company A”), which the presenter said was “alleged to be one of the largest spammers in history,” that had hijacked “hundreds of thousands of IP addresses.”

A slide from an ARIN presentation in 2016 that referenced Adconion.

There are fewer than four billion IPv4 addresses available for use, but the vast majority of them have already been allocated. In recent years, this global shortage has turned IP addresses into a commodity wherein each IP can fetch between $15-$25 on the open market.

The dearth of available IP addresses has created boom times for those engaged in the acquisition and sale of IP address blocks. It also has emboldened scammers and spammers who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

In May, KrebsOnSecurity broke the news that Amir Golestan — the owner of a prominent Charleston, S.C. tech company called Micfo LLC — had been indicted on criminal charges of fraudulently obtaining more than 735,000 IP addresses from ARIN and reselling the space to others.

KrebsOnSecurity has since learned that for several years prior to 2014, Adconion was one of Golestan’s biggest clients. More on that in an upcoming story.