Firewall Vulnerabilities | Is Your Data Leaking Like Capital One?

This week’s big security news involved a data breach at Capital One that, by the company’s own estimate, affected approximately 100 million individuals in the United States and approximately 6 million Canadians. Among the data leaked were 140,000 Social Security Numbers (SSNs) and 80,000 bank account numbers belonging to secured credit card customers. It has been claimed that the Capital One breach may be as far reaching as the Equifax breach of 2017, which affected an estimated 147 million consumers and cost the company at least $575 million in fines and up to $700 million in compensation.

So what exactly happened at Capital One, how did it happen, and what lessons can we learn from yet another massive data breach?

What Happened At Capital One?

As has been well documented since the news broke earlier this week, an individual by the name of Paige A. Thompson, aka Erratic on Twitter (her account has since been suspended), was indicted by the FBI on July 29, 2019 on a single count of Computer Fraud and Abuse. The charge pertains to an alleged network intrusion that resulted in the exfiltration and theft of Capital One confidential consumer data, including credit card applications and other digital documents.

image of FBI affidavit

The hack is said to have taken place on or after March 12, 2019, when Thompson allegedly used a vulnerability in a firewall application to access a privileged account. Once she had gained access, the FBI claims, she went on to use it to issue server commands to obtain personally identifying information (PII) belonging to applicants for a Capital One credit card product between 2005 and 2019. The information disclosed includes names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and income.

The investigation was triggered by an email sent to Capital One’s Responsible Disclosure email address – a channel the company uses to receive intel on bugs, vulnerabilities and other security issues – by an unidentified security researcher. Although the FBI has not named the cloud service provider used by Capital One to host the breached server, the security researcher’s email refers to “leaked s3 data”. The reference to “s3” clearly indicates Amazon’s Simple Storage Service (S3). Capital One has also been vocal in the past about being a customer of Amazon S3.

image of informant email

Although the technical details of how Thompson allegedly hacked into the server are sparse at this time, we do know that, according to Capital One, the leak occurred through a firewall vulnerability issue. Amazon’s S3 and other cloud services come strongly touted with a Web Application Firewall known as AWS-WAF, which can be deployed on Amazon CloudFront. Ms Thompson’s CV, a partial screenshot of which appears below, indicates that she was formerly employed by Amazon and had extensive experience with networking, S3 and CloudFront technologies.

image of Paige Thompson's CV

Under the Twitter handle of “Erratic”, Thompson had earlier posted some generalized descriptions suggesting how she might undertake similar attacks.

image of paige thompson tweets

What Are Web Application Firewalls (WAFs)?

According to Capital One’s statement, the firewall configuration vulnerability has now been fixed. Although it has not been confirmed, given what we do know, it’s a reasonable assumption that the issue concerned Capital One’s configuration of Amazon’s Web Application Firewall, the AWS-WAF. 

Web Application Firewalls are intended to protect particular web applications by analyzing packets of incoming traffic according to a set of rules or policies, and filtering out potentially harmful traffic. The kinds of attack that WAFs are designed to defend against include cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection.

image of aws waf (Source)

Amazon’s AWS-WAF allows customers like Capital One to either set up their own rules or buy pre-configured Managed Rules from AWS Marketplace sellers. The fact that there is a market for managed rules testifies to the fact that configuring and maintaining WAFs is no simple matter. It is not just a matter of configuring a WAF once and letting it run; WAFs need to be actively maintained, because the application behind a WAF is itself likely to evolve with development and user demand and will require different rules for its traffic over time. Because of this, WAFs can be subject to both a high rate of false positives (blocking harmless traffic) and false negatives (allowing malicious traffic). They can also impact performance if not configured correctly. These and other considerations create the need for specialist third-party vendors to provide and maintain Managed Rules.
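The rule-maintenance problem described above, as an added example that is not from the original post and not AWS code: a toy WAF rule engine in Python with a first-cut rule set and a maintained one, scored against constructed, labelled sample traffic. The rule names, regexes, parameter names and sample requests are all assumptions made for illustration and do not reproduce AWS WAF rule syntax.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    """One WAF rule: a name, a regex tested against parameter values, and the
    set of parameter names it applies to (None = inspect every parameter)."""
    name: str
    pattern: re.Pattern
    fields: Optional[Set[str]] = None

    def matches(self, field: str, value: str) -> bool:
        if self.fields is not None and field not in self.fields:
            return False
        return self.pattern.search(value) is not None


def inspect(rules: List[Rule], params: Dict[str, str]) -> List[str]:
    """Return the sorted, de-duplicated names of the rules a request triggers."""
    hits = {r.name for r in rules for field, value in params.items() if r.matches(field, value)}
    return sorted(hits)


def evaluate(rules: List[Rule], traffic: List[Tuple[Dict[str, str], bool]]) -> Dict[str, int]:
    """Score a rule set against labelled traffic, i.e. (params, is_malicious) pairs."""
    fp = fn = 0
    for params, is_malicious in traffic:
        blocked = bool(inspect(rules, params))
        if blocked and not is_malicious:
            fp += 1
        elif is_malicious and not blocked:
            fn += 1
    return {"false_positives": fp, "false_negatives": fn}


# First-cut rule set (assumed): broad patterns applied to every parameter.
RULES_V1 = [
    Rule("xss-script-tag", re.compile(r"<\s*script", re.IGNORECASE)),
    Rule("sqli-quote", re.compile(r"'")),
    Rule("sqli-union-select", re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE)),
]

# Maintained rule set (assumed): the quote check is scoped to the `id` parameter,
# which this application treats as numeric, so free-text fields such as `name`
# are no longer blocked merely for containing an apostrophe.
RULES_V2 = [
    Rule("xss-script-tag", re.compile(r"<\s*script", re.IGNORECASE)),
    Rule("sqli-quote", re.compile(r"'"), fields={"id"}),
    Rule("sqli-union-select", re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE)),
]

# Constructed labelled sample traffic: (request parameters, is_malicious).
SAMPLE_TRAFFIC = [
    ({"name": "Conor O'Brien", "id": "42"}, False),
    ({"comment": "5 <= 6, and script tags are escaped here"}, False),
    ({"q": "<script>alert(1)</script>"}, True),
    ({"id": "1' OR '1'='1"}, True),
    ({"id": "7 UNION SELECT username FROM users"}, True),
]

if __name__ == "__main__":
    for label, rules in (("v1", RULES_V1), ("v2", RULES_V2)):
        print(label, evaluate(rules, SAMPLE_TRAFFIC))
    print("v1 on a legitimate name:", inspect(RULES_V1, {"name": "Conor O'Brien"}))
```

Running it shows the first rule set blocking a legitimate customer name (one false positive) while the scoped rule set keeps the same detections with none; the point is that the traffic labels, not the rules, are what has to be re-checked every time the application's parameters change.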

It is not known whether Capital One was using a Managed Rules provider or had configured their own firewall settings, but there is an interesting piece of data revealed in a screenshot of Erratic’s postings in an open Slack channel.  

The names of the first two highlighted items coincide with information in the FBI indictment and indicate they could be the stolen material from Capital One. The first item is the name of a directory containing hundreds of items with the same name as the breached account, while the second is a compressed file of 28GB of data. The third item, Rotate_Access_key.tar.xz, is a 35GB compressed file whose name may also hold a clue to the hack.

Access keys are required for Amazon IAM users in order to log in to an AWS instance. AWS customers are advised to rotate these access keys on a regular basis. However, rotating keys, while not complicated, involves several distinct steps that matter for security. These include separate measures to ensure both that the previously used key is deleted and that the Secret Access Key required for key creation is recorded and stored securely.

image of aws instructions to rotate keys

The Rotate_Access_key file in Erratic’s data dump could suggest she had discovered the key or keys prior to the breach and used those to gain the required credentials. Alternatively, the file name could indicate the keys were discovered as part of the breach. It remains to be seen if more details are revealed as the case progresses through the courts. Either way, given the central role Access keys play in authentication in the AWS environment, the contents of Rotate_Access_key.tar.xz will undoubtedly be of interest to investigators in the case. 
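An added example (not from the original post and not AWS code) of the check implied by the rotation steps above: auditing an account's access keys for rotations left half-finished, which is the kind of oversight (an old key never disabled, a deactivated key never deleted) that the rest of this post speculates about. The records mirror the field names returned by `aws iam list-access-keys`, but the users, key ids and dates are constructed placeholders, and the 90-day threshold is an assumed policy value.

```python
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Assumed policy: an Active key older than this is due for rotation.
MAX_KEY_AGE_DAYS = 90

# Constructed sample records. Field names mirror the AccessKeyMetadata entries
# returned by `aws iam list-access-keys` / boto3 list_access_keys; key ids are placeholders.
SAMPLE_KEYS: List[Dict[str, Any]] = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIA-PLACEHOLDER-1", "Status": "Active",
     "CreateDate": datetime(2019, 7, 1, tzinfo=timezone.utc)},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIA-PLACEHOLDER-2", "Status": "Active",
     "CreateDate": datetime(2018, 11, 5, tzinfo=timezone.utc)},
    {"UserName": "analyst", "AccessKeyId": "AKIA-PLACEHOLDER-3", "Status": "Inactive",
     "CreateDate": datetime(2018, 2, 14, tzinfo=timezone.utc)},
    {"UserName": "waf-admin", "AccessKeyId": "AKIA-PLACEHOLDER-4", "Status": "Active",
     "CreateDate": datetime(2019, 6, 20, tzinfo=timezone.utc)},
]

# Fixed reference time so the audit is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2019, 7, 30, tzinfo=timezone.utc)


def key_age_days(key: Dict[str, Any], now: datetime) -> int:
    """Whole days since the key was created."""
    return (now - key["CreateDate"]).days


def finding(user: str, key_id: Optional[str], issue: str) -> Dict[str, Optional[str]]:
    return {"user": user, "key": key_id, "issue": issue}


def audit(keys: List[Dict[str, Any]], now: datetime,
          max_age_days: int = MAX_KEY_AGE_DAYS) -> List[Dict[str, Optional[str]]]:
    """Flag the three ways a rotation is commonly left unfinished: an Active key
    past its rotation age, an old key left Active alongside its replacement, and
    a deactivated key that was never deleted."""
    findings: List[Dict[str, Optional[str]]] = []
    active_per_user: Dict[str, int] = {}
    for key in keys:
        user, key_id, status = key["UserName"], key["AccessKeyId"], key["Status"]
        if status == "Active":
            active_per_user[user] = active_per_user.get(user, 0) + 1
            if key_age_days(key, now) > max_age_days:
                findings.append(finding(user, key_id, "stale-active-key"))
        elif status == "Inactive":
            findings.append(finding(user, key_id, "inactive-key-not-deleted"))
    for user, count in active_per_user.items():
        if count > 1:
            # Two Active keys usually means a new key was issued but the old one never disabled.
            findings.append(finding(user, None, "multiple-active-keys"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_KEYS, NOW):
        print(f"{f['user']:<12} {f['key'] or '-':<20} {f['issue']}")
```

To run it against a real account, feed `audit()` the `AccessKeyMetadata` list from boto3 (which already returns `CreateDate` as a timezone-aware datetime) or parse the ISO timestamps from the CLI's JSON output first; a key flagged `multiple-active-keys` is the case to look at before any stale-key finding.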

What Can We Learn From the Capital One Breach?

The primary takeaway from the Capital One breach is that enterprises need to ensure that firewalls and Web Application Firewalls are properly configured and maintained, and that credentials are secure. The apparent speed with which Capital One were able to claim the configuration vulnerability had been fixed may suggest the remedy was obvious once known, and that in turn may indicate a simple oversight like not securing a Secret Access Key or failing to disable an older, disused key that could possibly have already become insecure.

On top of the immediate lessons, enterprises need to be mindful that Firewalls and WAFs do not offer a complete security solution, and with the ever-present possibility of insider threats or just human error allowing hackers access to protected resources, it is essential to have in place an autonomous endpoint security solution that can implement its own Firewall controls, Watchlist alerts to notify of unauthorized file access and real-time endpoint visibility for investigation. 

Conclusion

The consequences of the hack on Capital One are likely to be greater than we can tell at this early stage. For Paige Thompson, aka Erratic, if found guilty she faces a maximum of 5 years in prison and a fine of $250,000. For Capital One, the company insists that there is no evidence to date that the hacker had distributed the stolen data or tried to use it for fraudulent purposes. Even so, given the hefty fine meted out to Equifax by the FTC, the company may still face sanction after all the details have played out.

Read more about Cyber Security

Prodly announces $3.5M seed to automate low-code cloud deployments

Low-code programming is supposed to make things easier on companies, right? Low-code means you can count on trained administrators instead of more expensive software engineers to handle most tasks, but like any issue solved by technology, there are always unintended consequences. While running his former company, Steelbrick, which he sold to Salesforce in 2015 for $360 million, Max Rudman identified a persistent problem with low-code deployments. He decided to fix it with automation and testing, and the idea for his latest venture, Prodly, was born.

The company announced a $3.5 million seed round today, but more important than the money is the customer momentum. In spite of being a very early-stage startup, the company already has 100 customers using the product, a testament to the fact that other people were probably experiencing that same pain point Rudman was feeling, and there is a clear market for his idea.

As Rudman learned with his former company, going live with the data on a platform like Salesforce is just part of the journey. If you are updating configuration and pricing information on a regular basis, that means updating all the tables associated with that information. Sure, it’s been designed to be point and click, but if you have changes across 48 tables, it becomes a very tedious task, indeed.

The idea behind Prodly is to automate much of the configuration, provide a testing environment to be sure all the information is correct and, finally, automate deployment. For now, the company is just concentrating on configuration, but with the funding it plans to expand the product to solve the other problems, as well.

Rudman is careful to point out that his company’s solution is not built strictly for the Salesforce platform. The startup is taking aim at Salesforce admins for its first go-round, but he sees the same problem with other cloud services that make heavy use of trained administrators to make changes.

“The plan is to start with Salesforce, but this problem actually exists on most cloud platforms — ServiceNow, Workday — none of them have the tools we have focused on for admins, and making the admins more productive and building the tooling that they need to efficiently manage a complex application,” Rudman told TechCrunch.

Customers include Nutanix, Johnson & Johnson, Splunk, Tableau and Verizon (which owns this publication). The $3.5 million round was led by Shasta Ventures, with participation from Norwest Venture Partners.

Amazon acquires flash-based cloud storage startup E8 Storage

Amazon has acquired Israeli storage tech startup E8 Storage, as first reported by Reuters, CNBC and Globes and confirmed by TechCrunch. The acquisition will bring the team and technology from E8 in to Amazon’s existing Amazon Web Services center in Tel Aviv, per reports.

E8 Storage’s particular focus was on building storage hardware that employs flash-based memory to deliver faster performance than competing offerings, according to its own claims. How exactly AWS intends to use the company’s talent or assets isn’t yet known, but it clearly lines up with their primary business.

AWS acquisitions this year include TSO Logic, a Vancouver-based startup that optimizes data center workload operating efficiency, and Israel-based CloudEndure, which provides data recovery services in the event of a disaster.

Save with group discounts and bring your team to TechCrunch’s first-ever Enterprise event Sept. 5 in SF

Get ready to dive into the fiercely competitive waters of enterprise software. Join more than 1,000 attendees for TC Sessions Enterprise 2019 on September 5 to navigate this rapidly evolving category with the industry’s brightest minds, biggest names and exciting startups.

Our $249 early-bird ticket price remains in play, which saves you $100. But one is the loneliest number, so why not take advantage of our group discount, buy in bulk and bring your whole team? Save an extra 20% when you buy four or more tickets at once.

We’ve packed this day-long conference with an outstanding lineup of presentations, interviews, panel discussions, demos, breakout sessions and, of course, networking. Check out the agenda, which includes both industry titans and boundary-pushing startups eager to disrupt the status quo.

We’ll add more surprises along the way, but these sessions provide a taste of what to expect — and why you’ll need your posse to absorb as much intel as possible.

Talking Developer Tools
Scott Farquhar (Atlassian)

With tools like Jira, Bitbucket and Confluence, few companies influence how developers work as much as Atlassian. The company’s co-founder and co-CEO Scott Farquhar will join us to talk about growing his company, how it is bringing its tools to enterprises and what the future of software development in and for the enterprise will look like.

Keeping the Enterprise Secure
Martin Casado (Andreessen Horowitz), Wendy Nather (Duo Security), Emily Heath (United Airlines)

Enterprises face a litany of threats from both inside and outside the firewall. Now more than ever, companies — especially startups — have to put security first. From preventing data from leaking to keeping bad actors out of your network, enterprises have it tough. How can you secure the enterprise without slowing growth? We’ll discuss the role of a modern CSO and how to move fast — without breaking things.

Keeping an Enterprise Behemoth on Course
Bill McDermott (SAP)

With over $166 billion in market cap, Germany-based SAP is one of the most valuable tech companies in the world today. Bill McDermott took the leadership in 2014, becoming the first American to hold this position. Since then, he has quickly grown the company, in part thanks to a number of $1 billion-plus acquisitions. We’ll talk to him about his approach to these acquisitions, his strategy for growing the company in a quickly changing market and the state of enterprise software in general.

The Quantum Enterprise
Jim Clarke (Intel), Jay Gambetta (IBM) and Krysta Svore (Microsoft)
4:20 PM – 4:45 PM

While we’re still a few years away from having quantum computers that will fulfill the full promise of this technology, many companies are already starting to experiment with what’s available today. We’ll talk about what startups and enterprises should know about quantum computing today to prepare for tomorrow.

TC Sessions Enterprise 2019 takes place on September 5. You can’t be everywhere at once, so bring your team, cover more ground and increase your ROI. Get your group discount tickets and save.

Calling all hardware startups! Apply to Hardware Battlefield @ TC Shenzhen

Got hardware? Well then, listen up, because our search continues for boundary-pushing, early-stage hardware startups to join us in Shenzhen, China for an epic opportunity; launch your startup on a global stage and compete in Hardware Battlefield at TC Shenzhen on November 11-12.

Apply here to compete in TC Hardware Battlefield 2019. Why? It’s your chance to demo your product to the top investors and technologists in the world. Hardware Battlefield, cousin to Startup Battlefield, focuses exclusively on innovative hardware because, let’s face it, it’s the backbone of technology. From enterprise solutions to agtech advancements, medical devices to consumer product goods — hardware startups are in the international spotlight.

If you make the cut, you’ll compete against 15 of the world’s most innovative hardware makers for bragging rights, plenty of investor love, media exposure and $25,000 in equity-free cash. Just participating in a Battlefield can change the whole trajectory of your business in the best way possible.

We chose to bring our fifth Hardware Battlefield to Shenzhen because of its outstanding track record of supporting hardware startups. The city achieves this through a combination of accelerators, rapid prototyping and world-class manufacturing. What’s more, TC Hardware Battlefield 2019 takes place as part of the larger TechCrunch Shenzhen that runs November 9-12.

Creativity and innovation know no boundaries, and that’s why we’re opening this competition to any early-stage hardware startup from any country. While we’ve seen amazing hardware in previous Battlefields — like robotic arms, food testing devices, malaria diagnostic tools, smart socks for diabetics and e-motorcycles — we can’t wait to see the next generation of hardware, so bring it on!

Meet the minimum requirements listed below, and we’ll consider your startup:

Here’s how Hardware Battlefield works. TechCrunch editors vet every qualified application and pick 15 startups to compete. Those startups receive six rigorous weeks of free coaching. Forget stage fright. You’ll be prepped and ready to step into the spotlight.

Teams have six minutes to pitch and demo their products, which is immediately followed by an in-depth Q&A with the judges. If you make it to the final round, you’ll repeat the process in front of a new set of judges.

The judges will name one outstanding startup the Hardware Battlefield champion. Hoist the Battlefield Cup, claim those bragging rights and the $25,000. This nerve-wracking thrill-ride takes place in front of a live audience, and we capture the entire event on video and post it to our global audience on TechCrunch.

Hardware Battlefield at TC Shenzhen takes place on November 11-12. Don’t hide your hardware or miss your chance to show us — and the entire tech world — your startup magic. Apply to compete in TC Hardware Battlefield 2019, and join us in Shenzhen!

Is your company interested in sponsoring or exhibiting at Hardware Battlefield at TC Shenzhen? Contact our sponsorship sales team by filling out this form.

Confluera snags $9M Series A to help stop cyberattacks in real time

Just yesterday, we experienced yet another major breach when Capital One announced it had been hacked and years of credit card application information had been stolen. Another day, another hack, but the question is how can companies protect themselves in the face of an onslaught of attacks. Confluera, a Palo Alto startup, wants to help with a new tool that purports to stop these kinds of attacks in real time.

Today the company, which launched last year, announced a $9 million Series A investment led by Lightspeed Venture Partners. It also has the backing of several influential technology execs, including John W. Thompson, who is chairman of Microsoft and former CEO at Symantec; Frank Slootman, CEO at Snowflake and formerly CEO at ServiceNow; and Lane Bess, former CEO of Palo Alto Networks.

What has attracted this interest is the company’s approach to cybersecurity. “Confluera is a real-time cybersecurity company. We are delivering the industry’s first platform to deterministically stop cyberattacks in real time,” company co-founder and CEO Abhijit Ghosh told TechCrunch.

To do that, Ghosh says, his company’s solution watches across the customer’s infrastructure, finds issues and recommends ways to mitigate the attack. “We see the problem that there are too many solutions which have been used. What is required is a platform that has visibility across the infrastructure, and uses security information from multiple sources to make that determination of where the attacker currently is and how to mitigate that,” he explained.

Microsoft chairman John Thompson, who is also an investor, says this is more than just real-time detection or real-time remediation. “It’s not just the audit trail and telling them what to do. It’s more importantly blocking the attack in real time. And that’s the unique nature of this platform, that you’re able to use the insight that comes from the science of the data to really block the attacks in real time.”

It’s early days for Confluera, as it has 19 employees and three customers using the platform so far. For starters, it will be officially launching next week at Black Hat. After that, it has to continue building out the product and prove that it can work as described to stop the types of attacks we see on a regular basis.

Catalyst raises $15M from Accel to transform data-driven customer success

Managing your customers has changed a lot in the past decade. Out are the steak dinners and ballgame tickets to get a sense of a contract’s chance at renewal, and in are churn analysis and a whole bunch of data science to learn whether a customer and their users like or love your product. That customer experience revolution has been critical to the success of SaaS products, but it can remain wickedly hard to centralize all the data needed to drive top performance in a customer success organization.

That’s where Catalyst comes in. The company, founded in New York City in 2017 and launched April last year, wants to centralize all of your disparate data sources on your customers into one easy-to-digest tool to learn how to approach each of them individually to optimize for the best experience.

The company’s early success has attracted more top investors. It announced today that it has raised a $15 million Series A led by Vas Natarajan of Accel, who previously backed enterprise companies like Frame.io, Segment, InVision, and Blameless. The company had previously raised $3 million from NYC enterprise-focused Work-Bench and $2.4 million from True Ventures. Both firms participated in this new round.

Catalyst CEO Edward Chiu told me that Accel was attractive because of the firm’s recent high-profile success in the enterprise space, including IPOs like Slack, PagerDuty, and CrowdStrike.

When we last spoke with Catalyst a year and a half ago, the firm had just raised its first seed round and was just the company’s co-founders — brothers Edward and Kevin Chiu — and a smattering of employees. Now, the company has 19 employees and is targeting 40 employees by the end of the year.

Team Photo

In that time, the product has continued to evolve as it has worked with its customers. One major feature of Catalyst’s product is a “health score” that determines whether a customer is likely to grow or churn in the coming months based on ingested data around usage. CEO Chiu said that “we’ve gotten our health score to be very very accurate” and “we have the ability to take automated action based on that health score.” Today, the company offers “perfect sync” with Salesforce, Mixpanel, Zendesk, among other services, and will continue to make investments in new integrations.

One high priority for the company has been increasing the speed of integration when a new customer signs up for Catalyst. Chiu said that new customers can be onboarded in minutes, and they can use the platform’s formula builder to define the exact nuances of their health score for their specific customers. “We mold to your use case,” he said.

One lesson the company has learned is that as success teams increasingly become critical to the lifeblood of companies, other parts of the organization and senior executives are working together to improve their customer’s experiences. Chiu told me that the startup often starts with onboarding a customer success team, only to later find that C-suite and other team leads have also joined and are also interacting together on the platform.

An interesting dynamic for the company is that it does its own customer success on its customer success platform. “We are our own best customer,” Chiu said. “We log in every day to see the health of our customers… our product managers log in to Catalyst every day to read product feedback.”

Since the last time we checked in, the company has added a slew of senior execs, including Cliff Kim as head of product, Danny Han as head of engineering, and Jessica Marucci as head of people, with whom the two Chius had worked together at cloud infrastructure startup DigitalOcean.

Moving forward, Chiu expects to invest further in data analysis and engineering. “One of the most unique things about us is that we are collecting so much unique data: usage patterns, [customer] spend fluctuations, [customer] health scores,” Chiu said. “It would be a hugely missed opportunity not to analyze that data and work on churn.”

Capital One Data Theft Impacts 106M People

Federal prosecutors this week charged a Seattle woman with stealing data from more than 100 million credit applications made with Capital One Financial Corp. Incredibly, much of this breach played out publicly over several months on social media and other open online platforms. What follows is a closer look at the accused, and what this incident may mean for consumers and businesses.

Paige “erratic” Thompson, in an undated photo posted to her Slack channel.

On July 29, FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of Capital One credit application data from a rented cloud data server. Capital One said the incident affected approximately 100 million people in the United States and six million in Canada.

That data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers.

“Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised,” Capital One said in a statement posted to its site.

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” the statement continues. “This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”

The FBI says Capital One learned about the theft from a tip sent via email on July 17, which alerted the company that some of its leaked data was being stored out in the open on the software development platform Github. That Github account was for a user named “Netcrave,” which includes the resume and name of one Paige A. Thompson.

The tip that alerted Capital One to its data breach.

The complaint doesn’t explicitly name the cloud hosting provider from which the Capital One credit data was taken, but it does say the accused’s resume states that she worked as a systems engineer at the provider between 2015 and 2016. That resume, available on Gitlab here, reveals Thompson’s most recent employer was Amazon Inc.

Further investigation revealed that Thompson used the nickname “erratic” on Twitter, where she spoke openly over several months about finding huge stores of data intended to be secured on various Amazon instances.

The Twitter user “erratic” posting about tools and processes used to access various Amazon cloud instances.

According to the FBI, Thompson also used a public Meetup group under the same alias, where she invited others to join a Slack channel named “Netcrave Communications.”

KrebsOnSecurity was able to join this open Slack channel Monday evening and review many months of postings apparently made by Erratic about her personal life, interests and online explorations. One of the more interesting posts by Erratic on the Slack channel is a June 27 comment listing various databases she found by hacking into improperly secured Amazon cloud instances.

That posting suggests Erratic may also have located tens of gigabytes of data belonging to other major corporations:

According to Erratic’s posts on Slack, the two items in the list above beginning with “ISRM-WAF” belong to Capital One.

Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts. In several conversations, Erratic makes references to running a botnet of sorts, although it is unclear how serious those claims were. Specifically, Erratic mentions one botnet involved in cryptojacking, which uses snippets of code installed on Web sites — often surreptitiously — designed to mine cryptocurrencies.

None of Erratic’s postings suggest Thompson sought to profit from selling the data taken from various Amazon cloud instances she was able to access. But it seems likely that at least some of that data could have been obtained by others who may have followed her activities on different social media platforms.

Ray Watson, a cybersecurity researcher at cloud security firm Masergy, said the Capital One incident contains the hallmarks of many other modern data breaches.

“The attacker was a former employee of the web hosting company involved, which is what is often referred to as insider threats,” Watson said. “She allegedly used web application firewall credentials to obtain privilege escalation. Also the use of Tor and an offshore VPN for obfuscation are commonly seen in similar data breaches.”

“The good news, however, is that Capital One Incidence Response was able to move quickly once they were informed of a possible breach via their Responsible Disclosure program, which is something a lot of other companies struggle with,” he continued.

In Capital One’s statement about the breach, company chairman and CEO Richard D. Fairbank said the financial institution fixed the configuration vulnerability that led to the data theft and promptly began working with federal law enforcement.

“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” Fairbank said. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Capital One says it will notify affected individuals via a variety of channels, and make free credit monitoring and identity protection available to everyone affected.

Bloomberg reports that in court on Monday, Thompson broke down and laid her head on the defense table during the hearing. She is charged with a single count of computer fraud and faces a maximum penalty of five years in prison and a $250,000 fine. Thompson will be held in custody until her bail hearing, which is set for August 1.

A copy of the complaint against Thompson is available here.

Update, 3:38 p.m. ET: I’ve reached out to several companies that appear to be listed in the last screenshot above. Infoblox [an advertiser on this site] responded with the following statement:

“Infoblox is aware of the pending investigation of the Capital One hacking attack, and that Infoblox is among the companies referenced in the suspected hacker’s alleged online communications. Infoblox is continuing to investigate the matter, but at this time there is no indication that Infoblox was in any way involved with the reported Capital One breach. Additionally, there is no indication of an intrusion or data breach involving Infoblox causing any customer data to be exposed.”

Can Tricky TxHollower Malware Evade Your AV?

TxHollower is a loader-type malware that has been found to deliver a variety of payloads including AZORult, FormBook, GandCrab ransomware, LokiBot, NetWire, njRat, Pony, Remcos backdoor and SmokeLoader. Infections attributable to TxHollower have been occurring since early 2018 and have been rising rapidly, thanks in part to TxHollower’s ability to avoid some vendors’ security solutions. In this post, we take a look at TxHollower and give it a spin on one of our endpoints.

image of tx hollower

What is TxHollower?

TxHollower leverages Windows’ deprecated Transactional NTFS APIs (TxF) to perform Process Doppelgänging and Process Hollowing, two related threat actor techniques that make it possible to inject malicious code into memory by replacing that of a legitimate process.

Process Doppelgänging also allows TxHollower to avoid detection by some security solutions that over-rely on monitoring particular system calls known to be abused by malware, such as SetThreadContext and NtUnmapViewOfSection. Instead, TxHollower combines the TxF transaction APIs with lesser known native calls such as NtCreateProcessEx and NtCreateThreadEx, creating the process and its initial thread directly from the transacted section and so controlling the flow of program execution without touching the calls those solutions watch for.
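The gap described in the two paragraphs above is easiest to see as a detection problem. The following added example (not SentinelOne's detection logic and not TxHollower's code) runs two detectors over a constructed API-call trace: a naive one that only watches NtUnmapViewOfSection and SetThreadContext, and a sequence-based one that recognises both the hollowing chain and the TxF-based Doppelgänging chain. The trace format (one `pid=<n> call=<api> ...` line per event) and the three traced processes are assumptions made for this demo; real telemetry would come from an API-hooking sandbox, ETW or a kernel driver.

```python
"""Sequence-based detection of Process Hollowing and Process Doppelganging.

Added example, not SentinelOne's detection logic and not TxHollower's code.
The call-trace format (one 'pid=<n> call=<api> ...' line per event) and the
three traced processes are constructed for this demo; real telemetry would
come from an API-hooking sandbox, ETW or a kernel driver.
"""
from collections import defaultdict

# Classic Process Hollowing: a legitimate process is started suspended, its
# image is unmapped, the payload is written in, the thread context is repointed
# to the payload's entry point and the thread is resumed.
PROCESS_HOLLOWING = [
    "NtUnmapViewOfSection",
    "WriteProcessMemory",
    "SetThreadContext",
    "ResumeThread",
]

# Process Doppelganging: the payload is written to a file inside an NTFS
# transaction (TxF), mapped as an image section, the transaction is rolled back
# so nothing persists on disk, and a process plus its first thread are created
# straight from that section. None of the hollowing calls above appear.
PROCESS_DOPPELGANGING = [
    "NtCreateTransaction",
    "CreateFileTransacted",
    "NtWriteFile",
    "NtCreateSection",
    "NtRollbackTransaction",
    "NtCreateProcessEx",
    "NtCreateThreadEx",
]

TECHNIQUES = {
    "process_hollowing": PROCESS_HOLLOWING,
    "process_doppelganging": PROCESS_DOPPELGANGING,
}

# Constructed trace: pid 4100 performs Doppelganging, pid 5200 performs
# hollowing, pid 6300 is a benign debugger-style suspended start and resume.
TRACE = """\
pid=4100 call=NtCreateTransaction
pid=4100 call=CreateFileTransacted path=C:\\Windows\\Temp\\svchost.exe
pid=4100 call=NtWriteFile
pid=4100 call=NtCreateSection flags=SEC_IMAGE
pid=4100 call=NtRollbackTransaction
pid=4100 call=NtCreateProcessEx
pid=4100 call=NtCreateThreadEx
pid=5200 call=CreateProcessW flags=CREATE_SUSPENDED image=C:\\Windows\\System32\\svchost.exe
pid=5200 call=NtUnmapViewOfSection
pid=5200 call=VirtualAllocEx
pid=5200 call=WriteProcessMemory
pid=5200 call=SetThreadContext
pid=5200 call=ResumeThread
pid=6300 call=CreateProcessW flags=CREATE_SUSPENDED
pid=6300 call=ResumeThread
"""


def parse_event(line):
    """Turn 'pid=4100 call=NtWriteFile ...' into (4100, 'NtWriteFile')."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return int(fields["pid"]), fields["call"]


def calls_by_pid(trace):
    """Group the call names of a trace by process id, preserving order."""
    per_pid = defaultdict(list)
    for line in trace.strip().splitlines():
        pid, call = parse_event(line)
        per_pid[pid].append(call)
    return per_pid


def in_order(calls, pattern):
    """True if every call in pattern occurs in calls in that order; gaps allowed."""
    i = 0
    for call in calls:
        if i < len(pattern) and call == pattern[i]:
            i += 1
    return i == len(pattern)


def detect(trace):
    """Map pid -> list of technique names whose full call sequence was observed."""
    hits = {}
    for pid, calls in calls_by_pid(trace).items():
        found = [name for name, seq in TECHNIQUES.items() if in_order(calls, seq)]
        if found:
            hits[pid] = found
    return hits


def naive_detect(trace):
    """Detector that only watches the two 'famous' hollowing calls.

    It catches hollowing but is blind to Doppelganging, which is exactly the
    gap TxHollower relies on."""
    watched = {"NtUnmapViewOfSection", "SetThreadContext"}
    return sorted(pid for pid, calls in calls_by_pid(trace).items()
                  if watched <= set(calls))


if __name__ == "__main__":
    print("sequence detector :", detect(TRACE))
    print("naive detector    :", naive_detect(TRACE))
```

Run stand-alone, the sequence detector flags pid 4100 as Doppelgänging and pid 5200 as hollowing, while the naive detector reports only 5200. The ordered-subsequence match is deliberately loose (gaps are allowed) because real loaders interleave unrelated calls between the interesting ones; a production rule would additionally tie the section handle from NtCreateSection to the one passed to NtCreateProcessEx rather than matching on names alone.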

image of TxHollower in x32dbg

As a loader rather than a dropper, TxHollower carries encrypted versions of its second-stage malware inside its own executable, so it has no need to call out to a C2 server to fetch the payload. Loading in this way also removes another possible failure point for the infection: once C2 IPs are seen in the wild, vendors quickly update their definitions to alert on and block those known malicious addresses. TxHollower cuts off that avenue of detection by carrying the payload, which may be ransomware like GandCrab or a remote access trojan like Remcos, inside the first-stage executable file.
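The embedded-payload design described above is what an analyst has to unpick when a loader like this lands on a host. The following added example (not code from the original post and not TxHollower's own loader) shows the usual first step: sliding-window Shannon entropy over the file to locate encrypted or packed regions, then carving them out to hand to whatever decryption routine is recovered from the loader's code. The sample "loader" bytes are constructed inline, with a seeded pseudo-random blob standing in for the encrypted second stage; the window size and the 7.0 bits-per-byte threshold are assumptions to tune per sample.

```python
"""Locate and carve high-entropy regions (encrypted or packed blobs) in a file.

Added example, not code from the original post and not TxHollower's own
loader. The sample 'loader' is constructed in memory: a low-entropy text body
followed by a pseudo-random blob that stands in for an encrypted second stage,
followed by zero padding. WINDOW and THRESHOLD are assumptions to tune per
sample; 7.0 bits per byte is a common starting point for 'probably encrypted'.
"""
import math
import random
from collections import Counter

WINDOW = 512      # bytes per entropy window (assumption)
THRESHOLD = 7.0   # bits per byte; plain code/text usually sits around 4-6 (assumption)


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data, window=WINDOW, threshold=THRESHOLD):
    """Return [(start, end), ...] byte ranges whose windows all exceed threshold.

    Consecutive hot windows are merged into a single region."""
    regions, start = [], None
    for off in range(0, len(data), window):
        hot = shannon_entropy(data[off:off + window]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def carve(data, regions):
    """Slice the flagged regions out so they can be fed to the loader's decryptor."""
    return [data[s:e] for s, e in regions]


def build_sample():
    """Constructed stand-in for a loader: 8 KiB text body + 4 KiB 'encrypted' blob + zeros."""
    body = (b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 300)[:8192]
    rng = random.Random(20190801)            # fixed seed keeps the demo reproducible
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    tail = b"\x00" * 4096
    return body + blob + tail, blob


if __name__ == "__main__":
    sample, blob = build_sample()
    for start, end in high_entropy_regions(sample):
        e = shannon_entropy(sample[start:end])
        print(f"high-entropy region {start:#x}-{end:#x} "
              f"({end - start} bytes, {e:.2f} bits/byte)")
```

On the constructed sample the scan reports a single region at offsets 0x2000 to 0x3000, which is the blob. Entropy alone does not distinguish encryption from compression or from a legitimately packed resource, so in practice the carved region is cross-checked against the PE's section table and resource directory before any decryption effort is spent on it.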

Why is TxHollower On the Rise?

Researchers agree that samples of TxHollower found in the wild are unlikely to be from the same origin, in part because of the wide variety of payloads being seen, which suggests different kinds of threat actor objectives and campaigns. Rather, it looks as if the loader malware is being distributed in criminal circles to multiple actors, possibly sold as part of an exploit kit or framework. It’s also been noted that there are a number of variants of TxHollower itself with slightly different configurations and capabilities.

Because TxHollower appears to be in use by various actors, it is unsurprising that no single infection vector has been identified. There has been some suggestion that malicious Word documents exploiting CVE-2017-11882 in Microsoft Office's Equation Editor may carry the loader malware. As is common with attacks that rely on poisoned documents, these may be disguised as fake invoices and receipts.

Can TxHollower Be Detected?

As we’ve noted, TxHollower has been crafted to avoid some security solutions by using lesser known API calls and by carrying an encrypted payload to avoid calling out to a C2 server. Despite these tricks, when we ran a sample on a SentinelOne-protected endpoint, the agent immediately alerted on the threat, both pre-execution and on-execution.

SHA1: f4f56f7830fc71658ddc90f8b39de6fac656682d

image of TxHollower in Sentinel One console

For the purpose of the demo, we configured the agent in alert-only mode so that we could observe the malware in action. In a real-life deployment, a Protect policy would alert on and block the malware before it executed. After running the sample and reviewing the detection in the management console, the admin was able to remediate the threat remotely, cleaning up the infected endpoint and returning it to a healthy state.

If you’d like to see the full demo in action, check out the video below.

Conclusion

TxHollower is a threat to enterprises that are not sufficiently protected by a security solution that can detect in-memory, fileless malware using process injection techniques. The malware appears to be used as a loader for a variety of threats from ransomware to backdoor trojans and banking malware such as Osiris and Kronos. If your business is not yet protected by SentinelOne’s active EDR solution, contact us for a free demo and see how it can keep your organization safe.



Bindu Reddy, co-founder and CEO at RealityEngines, is coming to TechCrunch Sessions: Enterprise

There is surely no shortage of data in the modern enterprise, and data is the fuel for AI. Yet packaging that data in machine learning models remains a huge challenge for large companies. Without that capability, automating processes with AI underpinnings remains elusive for many companies.

RealityEngines wants to change that by creating research-driven cloud services that can reduce some of the inherent complexity of working with AI tools. We are excited to be including Bindu Reddy, co-founder and CEO at RealityEngines, at TechCrunch Sessions: Enterprise, taking place in San Francisco on September 5.

Reddy will be joining investor Jocelyn Goldfein, a managing director at Zetta Venture Partners, and others. They will be discussing with TechCrunch editors the growing role of AI in the enterprise, as companies try to take advantage of the capabilities machines have over humans to process large amounts of information quickly.

She knows from whence she speaks. Before founding RealityEngines, Reddy helped launch AI Verticals at AWS where she served as general manager. She was responsible for bringing to market Amazon Personalize and Amazon Forecast, two tools that help organizations create machine learning models.

Before that, she was CEO and co-founder at yet another AI startup called Post Intelligence, a company that purported to help social media influencers write AI-driven tweets. She later sold that company to Uber. If that isn’t enough for you, she served as head of Products for Google Apps, where she was in charge of Docs, Sheets, Slides, Sites and Blogger.

Early-bird tickets to see Bindu and our lineup of enterprise influencers at TC Sessions: Enterprise are on sale for just $249 when you book here; but hurry, prices go up by $100 soon! Students, grab your discounted tickets for just $75 here.