Tech shares set fresh records despite uncertain economy

Despite record-setting COVID-19 infections, American equities rose today. All major indices gained ground during regular trading, while tech stocks did even better.

The Nasdaq Composite set new 52-week and all-time highs, touching 10,462.0 points before closing at 10,433.65, up 2.21% on the day. Similarly, a basket of SaaS and cloud companies that has risen and fallen more sharply than even the tech-heavy Nasdaq closed this afternoon at 1,908.30 after touching 1,952.39 points. Both results were 52-week and all-time highs.

Such is the mood on Wall Street regarding the health of technology companies. It’s not hard to find bullish sentiment, jockeying to push tech shares higher. Some examples of today’s enthusiasm paint the picture:

  • The recent IPO for Lemonade is now worth $4.7 billion, according to Yahoo Finance. That price gives it a Q1-annualized revenue run rate multiple of around 45x. For a SaaS company, that would boggle the mind. As we’ve written, however, Lemonade has very un-SaaS-like gross margins, and has higher churn. The company’s stock rose around 17% today for no clear reason.
  • Tesla rose over 13% today to $1,371.58 per share, another huge day of gains for the company now worth in excess of $250 billion. Analysts expect the firm to report $4.83 billion in revenue in its most recent quarter, according to Yahoo Finance. That’s less than the company reported in its year-ago June quarter when it saw $6.35 billion in revenue. Since July 1, 2019, Tesla shares have appreciated in excess of 450%, despite the company prepping to report what the market anticipates will be revenue declines.
  • Amazon and Netflix also set new records today to toss a few more names into the mix.

You can’t swing your arms without running into a reason why it makes sense for SaaS stocks to be trading at record valuation multiples, or why one company or another is actually reasonably valued over a long-enough time horizon.

It’s worth noting that this putatively rational public investor thinking doesn’t fit at all with what the tech set used to pound into my head about the public markets, namely that they are infamously impatient and thus utter bilge for most long-term value creation. Going public was garbage, I was told; you have to report every three months and no one looks out a few years.

Now, I’m being told by roughly the same people that the market is doing the very thing that they said it didn’t do, namely price firms for future results instead of trailing outcomes. Fine by me either way, frankly, but I’d like to know which story is true.

Happily, we’re about to see if all this high-fiving and enthusiasm is real.

Earnings season beckons, and it should bring with it a dose or two of clarity. If the digital transformation has managed to accelerate sufficiently that most tech companies have managed to greatly boost their near-term value, hats off to the cohort and bully for the startups that must also be enjoying similar revenue upswells.

But that doesn’t have to happen. There are possible earnings result sets that can cause investors to dump tech shares, as Slack learned a month ago.

The background to all of this is that there are good reasons to have some doubts about the current health of the national economy. And, sure, most people are willing to allow that the stock market and the aggregate domestic economy are not perfectly linked — this is at least partially true — but each day the stock market steps higher while COVID-19 surges again, leading to re-closings around the nation, makes you wonder if this is all for real.

Earnings season is here soon. Let’s find out.

Nayya, bringing transparency to choosing and managing healthcare plans, raises $2.7 million

Entrepreneurs Roundtable Accelerator-backed Nayya is on a mission to simplify choosing and managing employee benefits through machine learning and data transparency.

The company has raised $2.7 million in seed funding led by Social Leverage, with participation from Guardian Strategic Ventures, Cameron Ventures, Soma Capital, as well as other strategic angels.

The process of choosing an employer-provided healthcare plan and understanding that plan can be tedious at best and incredibly confusing at worst. And that doesn’t even include all of the supplemental plans and benefits associated with these programs.

Co-founded by Sina Chehrazi and Akash Magoon, Nayya tries to solve this problem. When enrollment starts, employers send out an email that includes a link to Nayya’s Companion, the company’s flagship product.

Companion helps employees find the plan that is right for them. The software first asks a series of questions about lifestyle, location, etc. For example, Nayya co-founder and CEO Chehrazi explained that people who bike to work, as opposed to driving in a car, walking or taking public transportation, are 20 times more likely to get into an accident and need emergency services.

Companion asks questions in this vein, as well as questions around whether you take medication regularly or if you expect your healthcare costs to go up or down over the next year, without getting into the specifics of chronic ailments or diseases or particular issues.

Taking that data into account, Nayya then looks at the various plans provided by the employer and shows the user which one best matches their particular lifestyle and budget.

Nayya doesn’t just pull information directly from the insurance company directory listings, as nearly 40% of those listings have at least one error or are out of date. It pulls from a broad variety of data sources, including the Centers for Medicare and Medicaid Services (CMS), to get the cleanest, most precise data around which doctors are in network and the usual costs associated with visiting those doctors.

Alongside Companion, Nayya also provides a product called “Edison,” which it has dubbed the Alexa for Healthcare. Users can ask Edison questions like “What is my deductible?” or “Is Dr. So-and-So in my network and what would it cost to go see her?”

The company helps individual users find the right provider for them with the ability to compare costs, location and other factors involved. Nayya even puts a badge on listings for providers where another employee at the company has gone and had a great experience, giving another layer of validation to that choice.

As the healthtech industry looks to provide easier-to-use healthcare and insurance, the idea of “personalization” has been left behind in many respects. Nayya focuses first and foremost on the end-user and aims to ensure that their own personal healthcare journey is as simple and straightforward as possible, believing that the other pieces of the puzzle will fall into place when the customer is taken care of.

Nayya plans on using the funding to expand the team across engineering, data science, product management and marketing, as well as doubling down on the amount of data the company is purchasing, ingesting and cleaning.

Alongside charging employers on a per seat, per month basis, Nayya is also looking to start going straight to insurance companies with its product.

“The greatest challenge is educating an entire ecosystem and convincing that ecosystem to believe that where the consumer wins, everyone wins,” said Chehrazi. “How to finance and understand your healthcare has never been more important than it is right now, and there is a huge need to provide that education in a data driven way to people. That’s where I want to spend the next I don’t know how many years of my life to drive that change.”

Nayya has five full-time employees currently and 80% of the team comes from racially diverse backgrounds.

OwnBackup lands $50M as backup for Salesforce ecosystem thrives

OwnBackup has made a name for itself primarily as a backup and disaster recovery system for the Salesforce ecosystem, and today the company announced a $50 million investment.

Insight Partners led the round, with participation from Salesforce Ventures and Vertex Ventures. This chunk of money comes on top of a $23 million round from a year ago, and brings the total raised to more than $100 million, according to the company.

It shouldn’t come as a surprise that Salesforce Ventures chipped in when the majority of the company’s backup and recovery business involves the Salesforce ecosystem, although the company will be looking to expand beyond that with the new money.

“We’ve seen such growth over the last two and a half years around the Salesforce ecosystem, and the other ISV partners like Veeva and nCino that we’ve remained focused within the Salesforce space. But with this funding, we will expand over the next 12 months into a few new ecosystems,” company CEO Sam Gutmann told TechCrunch.

In spite of the pandemic, the company continues to grow, adding 250 new customers last quarter, bringing it to over 2,000 customers and 250 employees, according to Gutmann.

He says that raising the round, which closed at the beginning of May, had some hairy moments as the pandemic began to take hold across the world and worsen in the U.S. For a time, he began talking to new investors in case his existing ones got cold feet. As it turned out, when the quarterly numbers came in strong, the existing ones came back and the round was oversubscribed, Gutmann said.

“Q2 frankly was a record quarter for us, adding over 250 new accounts, and we’re seeing companies start to really understand how critical this is,” he said.

The company plans to continue hiring through the pandemic, although he says it might not be quite as aggressive as they once thought. Like many companies, even though they plan to hire, they are continually assessing the market. At this point, he foresees growing the workforce by about another 50 people this year, but that’s about as far as he can look ahead right now.

Gutmann says he is working with his management team to make sure he has a diverse workforce right up to the executive level, but he says it’s challenging. “I think our lower ranks are actually quite diverse, but as you get up into the leadership team, you can see on the website unfortunately we’re not there yet,” he said.

They are instructing their recruiting teams to look for diverse candidates whether by gender or ethnicity, and employees have formed a diversity and inclusion task force with internal training, particularly for managers around interviewing techniques.

He says going remote has been difficult, and he misses seeing his employees in the office. He hopes to have at least some come back before the end of the summer and slowly add more as we get into the fall, but that will depend on how things go.

Zoom announces new Hardware as a Service offering to run on ServiceNow

Zoom announced a new Hardware as a Service offering today that will run on the ServiceNow platform. At the same time, the company announced a deal with ServiceNow to standardize on Zoom and Zoom Phone for its 11,000 employees in another case of SaaS cooperation.

For starters, the new Hardware as a Service offering allows customers who use the Zoom Phone and Zoom Rooms software to acquire related hardware from the company for a fixed monthly cost. The company announced that initial solutions providers will include DTEN, Neat, Poly and Yealink.

The new service allows companies to access low-cost hardware and pay for the software and hardware on a single invoice. This could result in lower up-front costs, while simplifying the bookkeeping associated with a customer’s online communications options.

Companies can start small if they wish, then add additional hardware over time as needs change, and they can also opt for a fully managed service, where a third party can deal with installation and management of the hardware if that’s what a customer requires.

Zoom will run the new service on ServiceNow’s Now platform, which provides a way to manage the service requests as they come in. And in a case of one SaaS hand washing the other, ServiceNow has standardized on the Zoom platform for its internal communications tool, which has become increasingly important as the pandemic has moved employees to work from home. The company also plans to replace its current phone system with Zoom Phones.

One of the defining characteristics of SaaS companies, and a major difference from previous generations of tech companies, has been the willingness of these organizations to work together to string together sets of services when it makes sense. These kinds of partnerships not only benefit the companies involved, they tend to be a win for customers too.

Brent Leary, founder at CRM Essentials, sees this as a deal between two rising SaaS stars, and one that benefits both companies. “Everyone and their mother is announcing partnerships with Zoom, focusing on integrating video communications into core focus areas. But this partnership looks to be much more substantial than most, with ServiceNow not only partnering with Zoom for tighter video communication capabilities, but also displacing its current phone system with Zoom Phone,” Leary told TechCrunch.

Nvidia’s Ampere GPUs come to Google Cloud

Nvidia today announced that its new Ampere-based data center GPUs, the A100 Tensor Core GPUs, are now available in alpha on Google Cloud. As the name implies, these GPUs were designed for AI workloads, as well as data analytics and high-performance computing solutions.

The A100 promises a significant performance improvement over previous generations. Nvidia says the A100 can boost training and inference performance by over 20x compared to its predecessors (though you’ll mostly see 6x or 7x improvements in most benchmarks) and tops out at about 19.5 TFLOPs in single-precision performance and 156 TFLOPs for Tensor Float 32 workloads.


“Google Cloud customers often look to us to provide the latest hardware and software services to help them drive innovation on AI and scientific computing workloads,” said Manish Sainani, Director of Product Management at Google Cloud, in today’s announcement. “With our new A2 VM family, we are proud to be the first major cloud provider to market Nvidia A100 GPUs, just as we were with Nvidia’s T4 GPUs. We are excited to see what our customers will do with these new capabilities.”

Google Cloud users can get access to instances with up to 16 of these A100 GPUs, for a total of 640GB of GPU memory and 1.3TB of system memory.

How Do Attackers Use LOLBins In Fileless Attacks?

For malware authors, the idea of exploiting existing software on a user’s machine to achieve malicious purposes has a lot of attractions. For one, it means less work for them in developing custom malware. For another, it means less chance of being detected. After all, if you can hijack an existing and trusted piece of software to achieve your ends, the chances are better that you’ll go undetected. This technique, known as “Living off the Land”, has a long history, but it’s not getting old.

New “Living off the Land” binaries, or LOLBins, can appear with any software or OS update, or may have been lying around with undocumented abilities for some time: researchers at SentinelLabs just disclosed a previously unknown LOLBin, for example. In this post, we dig into what LOLBins are, why they are a concern, and most importantly how you can detect their malicious use.

What is a LOLBin?

Any executable that comes installed as part of your operating system by default and that can be used to further an attack can be considered a LOLBin. In addition, executables added by users for legitimate purposes could be exploited as LOLBins, particularly if they are part of some common or widely used 3rd party software installation.

The key to understanding what a LOLBin is revolves less around its origin and more around whether the executable is found on the system prior to the malware attack.

In such cases, that executable is likely to be treated without suspicion by both users and admins and potentially even whitelisted as benign by some security tools.

In targeted attacks, an actor may first surveil a system for LOLBins unique to the victim’s environment, but typically attackers are interested in efficiency and prefer to write malware that will make use of commonly-found executables, such as scripting engines like bash and PowerShell as well as utilities like msiexec, PsExec and desktopimgdownldr, which have unexpected or little-known capabilities useful to threat actors. On macOS, osascript is a LOLBin widely exploited by attackers for executing malicious AppleScripts.

Aside from being potentially ignored by both users and security tools, LOLBins like those just mentioned can allow malicious actors to communicate with remote servers and blend in with typical network activity. Other LOLBins may help attackers to perform functions such as compile code, achieve persistence, dump processes and hijack DLLs.

How Do Attackers Use LOLBins In Fileless Attacks?

Fileless attacks have been increasing in recent years, although there is some misunderstanding about exactly what makes an attack ‘fileless’. Such attacks may still be initiated through documents (like email attachments) and they may leave behind files (like persistence agents), but what makes them fileless is that the code is executed in-memory.

The main idea behind a fileless attack is that code execution occurs in-memory rather than by spawning a process that executes compiled code from a source file.

This means that the attack cannot be detected just by scanning a system for malicious binaries or executable files. In addition, once memory has been purged (such as by a reboot) there may be little or no evidence of the attack for incident responders and threat hunters to detect.

A typical scenario for a fileless attack might begin with a phishing attempt, in which the target is socially-engineered to click on a malicious link or attachment. This may execute JavaScript or VBScript or call a LOLBin like PowerShell to download and execute malicious code in-memory.

This second-stage payload may go on to use other LOLBins like WMI (Windows Management Instrumentation) to execute code to do things like achieve persistence, open a backdoor or contact a C2 server to exfiltrate data. Fileless attacks may be combined with other threats such as ransomware and keyloggers.

What Are Some Examples of Fileless Attacks Using LOLBins?

Fileless attacks using LOLBins are quite common and have been documented on Windows, Linux and Mac platforms. Indeed, insofar as the attack can hijack native tools that either exist on all platforms or have equivalents, these kinds of attacks can be platform-agnostic. APT group Lazarus, for example, has been observed distributing MS Word documents that will execute an in-memory attack using LOLBins regardless of whether the attachment is opened on Windows or a Mac.

[Image: Visual Basic “Sub” autorun macro]

Among some of the more high-profile attacks that have leveraged LOLBins and a fileless attack vector were those on the DNC (Democratic National Committee) in the previous US election year and the attack on Equifax in 2017 that resulted in billion dollar losses for the company and the exposure of records belonging to nearly 150 million people.

Why Do Security Researchers Worry About LOLBins?

As we have seen, LOLBins present a problem because they are a legitimate part of the environment that can be coerced to do the threat actors’ work for them. Of course, some LOLBins like PowerShell are well-known and can be monitored and/or locked down to prevent abuse.

However, keeping an inventory of the functionality of every legitimate executable on the system and whether it could be leveraged for malicious purposes isn’t really practical. Not only do operating systems contain a vast amount of built-in binaries that are being added to or updated with new functionality all the time, there is also a massive amount of widely-used 3rd party software in the enterprise environment whose full functionality may not be documented.

As a result, security practitioners are continually engaged in research to unearth new or undiscovered LOLBins before attackers do.

But even when discovered, there remains the problem of how to deal with the use of that legitimate tool to ensure it is being used only for its intended purpose.

How Can You Detect the Malicious Use of LOLBins?

With no recognizable file signature and ever-revolving C2 IP addresses, security teams can be engaged in a wearying game of whack-a-mole trying to chase stealthy attacks that their current tools are not equipped to handle.

In many scenarios, it is simply not effective to block LOLBins that may be essential to the productivity of some of the teams in your organization.

The key to defeating attacks leveraging LOLBins lies in a behavioral AI engine that can detect malicious behavior based on what code does, rather than where it comes from. Rather than inspecting files to see if they contain malicious code, a behavioral AI engine looks at activity on the endpoint and distinguishes between malicious and benign activity.

Using contextual information, the agent can not only recognize that some activity is malicious, but can also distinguish the source of the malicious activity without laying the blame at the door of the native tool invoked by the malicious process.
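As an added example (my own code, not SentinelOne’s engine), here is a small behaviour-based triage over constructed process-creation records. It flags the patterns the article describes (a document handler spawning PowerShell, WMI launching a script engine, hidden or encoded execution, a downloader LOLBin handed a remote URL) while leaving routine use of the very same binaries unflagged. The record format, weights and sample lines are assumptions.

```python
import re
from dataclasses import dataclass

# LOLBins named in the article, grouped by the capability an attacker borrows from them.
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "osascript", "bash", "sh"}
DOWNLOADERS = {"desktopimgdownldr.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe"}
WMI_HOSTS = {"wmic.exe", "wmiprvse.exe"}
# Document handlers: the usual first stage of a phishing-borne fileless chain.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

# Command-line tokens that point at hidden, encoded or in-memory execution.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|"
    r"downloadstring|invoke-expression|\biex\b|frombase64string)")
URL_RE = re.compile(r"(?i)https?://")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class ProcEvent:
    parent: str    # lower-cased basename of the parent image
    image: str     # lower-cased basename of the new process image
    cmdline: str
    user: str = ""


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one key=value process-creation record (constructed, Sysmon-like format)."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    return ProcEvent(_basename(fields.get("ParentImage", "")),
                     _basename(fields.get("Image", "")),
                     fields.get("CommandLine", ""),
                     fields.get("User", ""))


def assess(ev: ProcEvent) -> list:
    """Return (reason, weight) pairs; weights reflect how rarely the pattern is benign."""
    findings = []
    child_is_lolbin = ev.image in SCRIPT_ENGINES | DOWNLOADERS | WMI_HOSTS
    if ev.parent in DOCUMENT_APPS and child_is_lolbin:
        findings.append(("document handler spawned a LOLBin", 8))
    if ev.parent in WMI_HOSTS and ev.image in SCRIPT_ENGINES:
        findings.append(("WMI launched a script engine", 6))
    if ev.image in SCRIPT_ENGINES and SUSPICIOUS_FLAGS.search(ev.cmdline):
        findings.append(("hidden, encoded or in-memory script execution", 6))
    if ev.image in SCRIPT_ENGINES | DOWNLOADERS and URL_RE.search(ev.cmdline):
        findings.append(("LOLBin given a remote URL", 5))
    return findings


def score(ev: ProcEvent) -> int:
    """Clamp the summed weights to a 0-10 risk score."""
    return min(10, sum(weight for _, weight in assess(ev)))


def triage(lines, threshold: int = 5) -> list:
    """Return (index, image, score, reasons) for every event at or above the threshold."""
    hits = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        s = score(ev)
        if s >= threshold:
            hits.append((i, ev.image, s, [reason for reason, _ in assess(ev)]))
    return hits


# Constructed sample records; <BASE64_PLACEHOLDER> stands in for an encoded command.
SAMPLE_LOG = [
    # 0: admin runs a scheduled inventory script from Explorer: routine, not flagged
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -File C:\scripts\inventory.ps1" User="CORP\admin"',
    # 1: Word spawns hidden, encoded PowerShell: the classic macro-to-memory first stage
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -nop -w hidden -enc <BASE64_PLACEHOLDER>" User="CORP\jdoe"',
    # 2: a downloader LOLBin handed an external URL from a shell
    r'ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Windows\System32\desktopimgdownldr.exe" CommandLine="desktopimgdownldr.exe https://files.example.invalid/wallpaper.png" User="CORP\jdoe"',
    # 3: WMI provider host launching encoded PowerShell (second-stage / persistence)
    r'ParentImage="C:\Windows\System32\wbem\WmiPrvSE.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <BASE64_PLACEHOLDER>" User="NT AUTHORITY\SYSTEM"',
    # 4: msiexec installing a local package: the LOLBin itself is not the signal
    r'ParentImage="C:\Windows\System32\svchost.exe" Image="C:\Windows\System32\msiexec.exe" CommandLine="msiexec.exe /i C:\Users\jdoe\Downloads\tool.msi /qn" User="CORP\jdoe"',
]

if __name__ == "__main__":
    for idx, image, s, reasons in triage(SAMPLE_LOG):
        print(f"event {idx}: {image} score={s} {reasons}")
```

Events 1, 2 and 3 are reported; the two benign uses of PowerShell and msiexec score zero, which is the point the article makes about blocking LOLBins outright.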

Conclusion

Stealth is one of every threat actor’s primary objectives, and natively existing binaries, LOLBins, provide perfect camouflage for malware that wants to hide in plain sight. While it’s vital that we continue to research the capabilities in our environment, the task of detecting malicious processes on execution regardless of their source is one that readily lends itself to an automated, machine learning algorithm. If you would like to see how SentinelOne can help protect your organization against all kinds of threat actors, contact us for a free demo.



E-Verify’s “SSN Lock” is Nothing of the Sort

One of the most-read advice columns on this site is a 2018 piece called “Plant Your Flag, Mark Your Territory,” which tried to impress upon readers the importance of creating accounts at websites like those at the Social Security Administration, the IRS and others before crooks do it for you. A key concept here is that these services only allow one account per Social Security number — which for better or worse is the de facto national identifier in the United States. But KrebsOnSecurity recently discovered that this is not the case with all federal government sites built to help you manage your identity online.

A reader who was recently the victim of unemployment insurance fraud said he was told he should create an account at the Department of Homeland Security’s myE-Verify website, and place a lock on his Social Security number (SSN) to minimize the chances that ID thieves might abuse his identity for employment fraud in the future.

DHS’s myE-Verify homepage.

According to the website, roughly 600,000 employers at over 1.9 million hiring sites use E-Verify to confirm the employment eligibility of new employees. E-Verify’s consumer-facing portal myE-Verify lets users track and manage employment inquiries made through the E-Verify system. It also features a “Self Lock” designed to prevent the misuse of one’s SSN in E-Verify.

Enabling this lock is supposed to mean that for the next year thereafter, if an unauthorized individual attempts to fraudulently use an SSN for employment authorization, he or she cannot use the SSN in E-Verify, even if the SSN is that of an employment authorized individual. But in practice, this service may actually do little to deter ID thieves from impersonating you to a potential employer.

At the request of the reader who reached out (and in the interest of following my own advice to plant one’s flag), KrebsOnSecurity decided to sign up for a myE-Verify account. After verifying my email address, I was asked to pick a strong password and select a form of multi-factor authentication (MFA). The most secure MFA option offered (a one-time code generated by an app like Google Authenticator or Authy) was already pre-selected, so I chose that.

The site requested my name, address, SSN, date of birth and phone number. I was then asked to select five questions and answers that might be asked if I were to try to reset my password, such as “In what city/town did you meet your spouse,” and “What is the name of the company of your first paid job.” I chose long, gibberish answers that had nothing to do with the questions (yes, these password questions are next to useless for security and frequently are the cause of account takeovers, but we’ll get to that in a minute).

Password reset questions selected, the site proceeded to ask four, multiple-guess “knowledge-based authentication” questions to verify my identity. The U.S. Federal Trade Commission’s primer page on preventing job-related ID theft says people who have placed a security freeze on their credit files with the major credit bureaus will need to lift or thaw the freeze before being able to answer these questions successfully at myE-Verify. However, I did not find that to be the case, even though my credit file has been frozen with the major bureaus for years.

After successfully answering the KBA questions (the answer to each was “none of the above,” by the way), the site declared I’d successfully created my account! I could then see that I had the option to place a “Self Lock” on my SSN within the E-Verify system.

Doing so required me to pick three more challenge questions and answers. The site didn’t explain why it was asking me to do this, but I assumed it would prompt me for the answers in the event that I later chose to unlock my SSN within E-Verify.

After selecting and answering those questions and clicking the “Lock my SSN” button, the site generated an error message saying something went wrong and it couldn’t proceed.

Alas, logging out and logging back in again showed that the site did in fact proceed and that my SSN was locked. Joy.

But I still had to know one thing: Could someone else come along pretending to be me and create another account using my SSN, date of birth and address but under a different email address? Using a different browser and Internet address, I proceeded to find out.

Imagine my surprise when I was able to create a separate account as me with just a different email address (once again, the correct answers to all of the KBA questions were “none of the above”). Upon logging in, I noticed my SSN was indeed locked within E-Verify. So I chose to unlock it.

Did the system ask any of the challenge questions it had me create previously? Nope. It just reported that my SSN was now unlocked. Logging out and logging back in to the original account I created (again under a different IP and browser) confirmed that my SSN was unlocked.

ANALYSIS

Obviously, if the E-Verify system allows multiple accounts to be created using the same name, address, phone number, SSN and date of birth, this is less than ideal and somewhat defeats the purpose of creating one for the purposes of protecting one’s identity from misuse.
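As an added example (my own sketch, not KrebsOnSecurity’s or E-Verify’s code), here is how the two controls the analysis finds missing look in a registration service: a one-account-per-SSN rule enforced by the database on a keyed hash of the SSN, and an unlock step that only succeeds against the challenge answers set when the lock was placed. The schema, the pepper and the sample SSN are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed pepper for this demo; a real deployment keeps this key in an HSM or KMS.
PEPPER = b"demo-pepper-do-not-use-in-production"


class DuplicateIdentity(Exception):
    """Raised when a second account is registered against an SSN already on file."""


def _normalize_ssn(ssn: str) -> str:
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def ssn_token(ssn: str) -> str:
    """Keyed hash of the SSN: lets the database enforce uniqueness without storing the SSN."""
    return hmac.new(PEPPER, _normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalize so "Boston" and " boston " compare equal, then stretch the low-entropy answer.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)


class IdentityRegistry:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE accounts (
                id        INTEGER PRIMARY KEY,
                email     TEXT NOT NULL UNIQUE,
                ssn_token TEXT NOT NULL UNIQUE,   -- one account per SSN, enforced by the database
                locked    INTEGER NOT NULL DEFAULT 0
            );
            CREATE TABLE challenges (
                account_id  INTEGER NOT NULL REFERENCES accounts(id),
                question    TEXT NOT NULL,
                salt        BLOB NOT NULL,
                answer_hash BLOB NOT NULL
            );
        """)

    def register(self, email: str, ssn: str) -> int:
        """Create an account; a second registration for the same SSN is refused outright."""
        try:
            cur = self.db.execute("INSERT INTO accounts (email, ssn_token) VALUES (?, ?)",
                                  (email, ssn_token(ssn)))
        except sqlite3.IntegrityError as exc:
            if "ssn_token" in str(exc):
                raise DuplicateIdentity("an account already exists for this SSN") from exc
            raise
        self.db.commit()
        return cur.lastrowid

    def lock_ssn(self, account_id: int, challenges: dict) -> None:
        """Lock the SSN and record the challenge answers that will be required to unlock it."""
        if len(challenges) < 3:
            raise ValueError("at least three challenge questions are required")
        self.db.execute("DELETE FROM challenges WHERE account_id = ?", (account_id,))
        for question, answer in challenges.items():
            salt = os.urandom(16)
            self.db.execute("INSERT INTO challenges VALUES (?, ?, ?, ?)",
                            (account_id, question, salt, _hash_answer(answer, salt)))
        self.db.execute("UPDATE accounts SET locked = 1 WHERE id = ?", (account_id,))
        self.db.commit()

    def unlock_ssn(self, account_id: int, answers: dict) -> bool:
        """Unlock only if every stored challenge is answered correctly."""
        rows = self.db.execute("SELECT question, salt, answer_hash FROM challenges "
                               "WHERE account_id = ?", (account_id,)).fetchall()
        if not rows:
            return False  # nothing to verify against: refuse rather than silently unlock
        ok = True
        for question, salt, stored in rows:
            given = _hash_answer(answers.get(question, ""), salt)
            ok &= hmac.compare_digest(given, stored)  # check every answer; no early exit
        if ok:
            self.db.execute("UPDATE accounts SET locked = 0 WHERE id = ?", (account_id,))
            self.db.commit()
        return ok

    def is_locked(self, ssn: str) -> bool:
        row = self.db.execute("SELECT locked FROM accounts WHERE ssn_token = ?",
                              (ssn_token(ssn),)).fetchone()
        return bool(row and row[0])
```

Because the SSN token is unique, the impostor’s second registration in the article’s scenario fails at the database, so there is never a second account from which the lock could be removed without the original account’s answers.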

Lest you think your SSN and DOB are somehow private information, you should know this static data about U.S. residents has been exposed many times over in countless data breaches, and in any case these digits are available for sale on most Americans via Dark Web sites for roughly the bitcoin equivalent of a fancy caffeinated drink at Starbucks.

Being unable to proceed through knowledge-based authentication questions without first unfreezing one’s credit file with one or all of the big three credit bureaus (Equifax, Experian and TransUnion) can actually be a plus for those of us who are paranoid about identity theft. I couldn’t find any mention on the E-Verify site of which company or service it uses to ask these questions, but the fact that the site doesn’t seem to care whether one has a freeze in place is troubling.

And when the correct answer to all of the KBA questions that do get asked is invariably “none of the above,” that somewhat lessens the value of asking them in the first place. Maybe that was just the luck of the draw in my case, but also troubling nonetheless. Either way, these KBA questions are notoriously weak security because the answers to them often are pulled from records that are public anyway, and can sometimes be deduced by studying the information available on a target’s social media profiles.

Speaking of silly questions, relying on “secret questions” or “challenge questions” as an alternative method of resetting one’s password is severely outdated and insecure. A 2015 study by Google titled “Secrets, Lies and Account Recovery” (PDF) found that secret questions generally offer a security level that is far lower than just user-chosen passwords. Also, the idea that an account protected by multi-factor authentication could be undermined by successfully guessing the answer(s) to one or more secret questions (answered truthfully and perhaps located by thieves through mining one’s social media accounts) is bothersome.

Finally, the advice given to the reader whose inquiry originally prompted me to sign up at myE-Verify doesn’t seem to have anything to do with preventing ID thieves from fraudulently claiming unemployment insurance benefits in one’s name at the state level. KrebsOnSecurity followed up with four different readers who left comments on this site about being victims of unemployment fraud recently, and none of them saw any inquiries about this in their myE-Verify accounts after creating them. Not that they should have seen signs of this activity in the E-Verify system; I just wanted to emphasize that one seems to have little to do with the other.

The Good, the Bad and the Ugly in Cybersecurity – Week 27

The Good

Another high-profile cybercriminal has received a well-deserved sentence from a federal judge in Alexandria, VA. Aleksei Burkov, who pleaded guilty in January, was charged with conspiracy to commit computer intrusion, device fraud, identity theft, and money laundering stemming from his involvement with two well-known forums. Both forums, one of which was Cardplanet, were long-standing gathering places for cybercriminals to meet and trade stolen information.

The second forum involved was a much more guarded and heavily-vetted environment. The upper echelon would pay $5000 for the privilege of access to the forum and associated services from the participants. Burkov potentially faced 15 years of prison time after being extradited to the United States in November of 2019.

Ultimately the judge sentenced him to 9 years, noting that Burkov had already been incarcerated since 2015. It is estimated that the forums collectively facilitated nearly $20 million in credit card fraud and other identity-based crimes. It’s always good to see these cases end in a positive way (for the good guys!).

The Bad

This week, macOS security got a nasty shock in the form of a rare ransomware threat targeting the platform. Dubbed variously “EvilQuest”, “ThiefQuest” and “MacRansom.K”, this trojan displays both data stealing and encryption (ransomware) traits.

The lure and delivery of the trojan is all too familiar, unfortunately. The malware has been spreading via torrents offering pirated or “cracked” versions of a number of popular macOS applications including Ableton Live, Mixed in Key, and Little Snitch. The malware arrives as a .DMG file containing a package-based installer for the trojanized application. Upon launch, the installer requests elevated privileges, establishes both user-level and root-level persistence, and proceeds to activate additional functionality. Files do indeed get encrypted at this point; however, some additional behaviors occur adding to the list of malicious activities. “EvilQuest” appears to install a keylogger as well as a reverse shell, potentially allowing the threat actor direct and on-going access. The malware also retrieves multiple remote scripts, one of which is used specifically for file exfiltration.

The trojan will recursively seek all files under the /Users folder matching a hard-coded extension list and proceed to transmit them externally. Others have noted that there are limits to the file size that can be transferred (800k), which may prevent exfiltration of various file types (.wallet, for example). In addition, there seem to be some issues with the encryption itself, in that filetypes beyond the hard-coded extension set could end up encrypted.
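Because the encryption reportedly touches files outside the hard-coded extension list, scoping an incident by extension alone is unreliable. The following added example (not code from the original article or from any vendor analysis) shows the triage approach a responder would use instead: walk a tree, measure the byte entropy of each file, and flag high-entropy files regardless of extension, while separately noting which ones fall in a watch list. The entropy threshold, the watch-list extensions and the sample files are all constructed assumptions for the demo; the malware's real extension list is not reproduced here.

```python
"""Ransomware scoping helper: flag files that look encrypted under a directory.

Added example for illustration; not from the original article or any vendor.
Constructed sample files are written to a temporary directory so it runs offline.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumption (not from the article): ciphertext and compressed data approach
# 8 bits of entropy per byte; plain text and most office documents sit far lower.
ENTROPY_THRESHOLD = 7.5
# Constructed watch list for the demo only; not the malware's hard-coded list.
WATCH_EXTENSIONS = {".txt", ".csv", ".sql"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_file(path: Path, sample_bytes: int = 65536) -> dict:
    """Return a triage record for one file, sampling only its first bytes."""
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)
    ent = shannon_entropy(head)
    return {
        "path": str(path),
        "size": path.stat().st_size,
        "entropy": round(ent, 3),
        # Tiny files give noisy entropy figures, so require a minimum sample.
        "suspect_encrypted": ent >= ENTROPY_THRESHOLD and len(head) >= 256,
        "in_watch_list": path.suffix.lower() in WATCH_EXTENSIONS,
    }


def triage_tree(root) -> list:
    """Classify every regular file below root (symlinks skipped), sorted by path."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            records.append(classify_file(p))
    return sorted(records, key=lambda r: r["path"])


def build_sample_tree() -> str:
    """Constructed demo data: one plain-text file, one 'encrypted' file with a
    watched extension, and one high-entropy file whose extension is NOT on the
    watch list, mirroring the report that files beyond the extension set were hit."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    (Path(root) / "notes.txt").write_bytes(b"quarterly planning notes\n" * 200)
    (Path(root) / "customers.csv").write_bytes(os.urandom(4096))  # stands in for ciphertext
    (Path(root) / "photo.raw").write_bytes(os.urandom(4096))      # not in the watch list
    return root


if __name__ == "__main__":
    for rec in triage_tree(build_sample_tree()):
        flag = "ENCRYPTED?" if rec["suspect_encrypted"] else "ok"
        print(f"{flag:10} {rec['entropy']:.3f}  {rec['path']}")
```

Entropy alone produces false positives on already-compressed formats (zip-based office files, JPEG, PNG), so treat a hit as a candidate for manual inspection rather than proof of encryption; in practice you would combine it with file-type magic checks and modification timestamps around the incident window.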

Although analysis is still ongoing, this unusually complex (for macOS) malware looks like a first attempt at targeting the Apple Mac platform with malware that has the same kind of combined ransomware/wiper plus data stealing capabilities seen in malware families hitting the Windows universe of late (e.g., Ragnar, Netwalker, Snake). Expect it not to be the last.

The Ugly

In perhaps this week’s most serious security news, US-CERT, along with many other agencies, released alerts concerning a critical vulnerability in Palo Alto Networks’ PAN-OS. The flaw, assigned CVE-2020-2021, is an authentication bypass in SAML authentication. Through this vulnerability, attackers could potentially execute arbitrary code and take full control of affected devices and systems. More specifically, an unauthenticated attacker (assuming network access) could reach the vulnerable resources and log in to perform administrative actions such as opening up interfaces for later stages of an attack or modifying permissions on existing accounts.

The problematic SAML implementation exists in code residing on multiple Palo Alto Networks products including VPN Gateways and firewalls: two big places you want to keep attackers out of. Specific software affected includes Prisma Access and GlobalProtect Gateway, among others. Palo Alto Networks posted their advisory on June 29th, which includes mitigation and workaround instructions. SAML can be temporarily disabled to prevent exploitation of the flaw, and a fix has been released in the form of updated versions of PAN-OS.

This is a critical flaw, and thankfully (this time) the vendor has provided a fix in a timely and well-communicated manner. We encourage all to review their exposure to this vulnerability and take the required steps to mitigate. Keeping all applications and services up to date and at the latest patch level, while not always straightforward, is paramount as we strive to defend our networks against current and future attacks.
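Reviewing exposure across a fleet means answering two questions per device: is SAML authentication in use, and is the installed PAN-OS release older than the fixed one for its branch? The added example below (not code from the article or from Palo Alto Networks) does that triage over a constructed inventory and recommends the workaround the advisory describes (disable SAML) for devices that cannot be upgraded immediately. The fixed-version table is a placeholder with made-up numbers; take the real ones from the vendor advisory. The version parser handles the `major.minor.patch-hN` hotfix form so that, for instance, 9.1.3-h1 sorts after 9.1.3 and before 9.1.10, which naive string comparison gets wrong.

```python
"""Fleet exposure triage for CVE-2020-2021 (PAN-OS SAML auth bypass).

Added example; not from the article or the vendor. Fixed versions and the
device inventory are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# PLACEHOLDER: first fixed release per branch. These numbers are made up for
# the demo; replace them with the values from the vendor advisory.
PLACEHOLDER_FIXED = {"8.1": "8.1.50", "9.0": "9.0.50", "9.1": "9.1.50"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple.
    A release without a hotfix suffix sorts as hotfix 0."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {v!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def branch_of(v: str) -> str:
    major, minor, _, _ = parse_version(v)
    return f"{major}.{minor}"


@dataclass
class Device:
    name: str
    version: str
    saml_auth_enabled: bool


def assess(device: Device, fixed: Dict[str, str]) -> Tuple[str, str]:
    """Return (status, recommended action) for one device."""
    branch = branch_of(device.version)
    fixed_version = fixed.get(branch)
    patched = None  # unknown until the branch is found in the table
    if fixed_version is not None:
        patched = parse_version(device.version) >= parse_version(fixed_version)
    if not device.saml_auth_enabled:
        return ("not-exposed", "SAML auth not in use; still schedule the upgrade")
    if patched is True:
        return ("patched", "running a fixed release; no action needed")
    if patched is None:
        return ("review", f"branch {branch} not in fixed-version table; check the advisory")
    return ("exposed", f"disable SAML auth as a workaround, then upgrade to {fixed_version} or later")


def triage(devices: List[Device], fixed: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    return {d.name: assess(d, fixed) for d in devices}


# Constructed inventory for the demo (names and versions are not real devices).
SAMPLE_DEVICES = [
    Device("fw-edge-01", "9.1.3-h1", saml_auth_enabled=True),
    Device("fw-edge-02", "9.1.60", saml_auth_enabled=True),
    Device("gp-gw-01", "9.0.2", saml_auth_enabled=False),
    Device("fw-lab-01", "7.1.26", saml_auth_enabled=True),
]


if __name__ == "__main__":
    for name, (status, action) in triage(SAMPLE_DEVICES, PLACEHOLDER_FIXED).items():
        print(f"{name:12} {status:12} {action}")
```

The "review" status matters in practice: a branch missing from the table is often an end-of-life release that will never receive the fix, so those devices need an upgrade plan rather than a patch.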

QuestDB nabs $2.3M seed to build open source time series database

QuestDB, a member of the Y Combinator summer 2020 cohort, is building an open source time series database with speed top of mind. Today the startup announced a $2.3 million seed round.

Episode1 Ventures led the round with assistance from Seedcamp, 7percent Ventures, YCombinator, Kima Ventures and several unnamed angel investors.

The database was originally conceived in 2013, when current CTO Vlad Ilyushchenko was building trading systems for a financial services company. Frustrated by the performance limitations of the databases available at the time, he began building one that could handle large amounts of data and process it extremely fast.

For a number of years, QuestDB was a side project, a labor of love for Ilyushchenko, until he met his other co-founders, Nicolas Hourcard, who became CEO, and Tancrede Collard, who became CPO, and the three decided to build a startup on top of the open source project last year.

“We’re building an open source database for time series data, and time series databases are a multi-billion-dollar market because they’re central for financial services, IoT and other enterprise applications. And we basically make it easy to handle explosive amounts of data, and to reduce infrastructure costs massively,” Hourcard told TechCrunch.

He adds that it’s also about high performance. “We recently released a demo that you can access from our website that enables you to query super large datasets — 1.6 billion rows with sub-second queries, mostly, and that just illustrates how performant the software is,” he said.

He sees open source as a way to build adoption from the bottom up inside organizations, winning the hearts and minds of developers first, then moving deeper in the company when they eventually build a managed cloud version of the product. For now, being open source also helps them as a small team to have a community of contributors help build the database and add to its feature set.

“We’ve got this open source product that is free to use, and it’s pretty important for us to have such a distribution model because we can basically empower developers to solve their problems, and we can ask for contributions from various communities. […] And this is really a way to spur adoption,” Hourcard said.

He says that working with YC has allowed them to talk to other companies in the ecosystem who have built similar open source-based startups and that’s been helpful, but it has also helped them learn to set and meet goals and have access to some of the biggest names in Silicon Valley, including Marc Andreessen, who delivered a talk to the cohort the same day we spoke.

Today the company has seven employees, including the three founders, spread out across the US, EU and South America. He sees this geographic diversity helping when it comes to building a diverse team in the future. “We definitely want to have more diverse backgrounds to make sure that we keep having a diverse team and we’re very strongly committed to that.”

For the short term, the company wants to continue building its community, working on continuing to improve the open source product, while working on the managed cloud product.

SEC filing indicates big data provider Palantir is raising $961M, $550M of it already secured

Palantir, the sometimes controversial, but always secretive, big data and analytics provider that works with governments and other public and private organizations to power national security, health and a variety of other services, has reportedly been eyeing a public listing this autumn. But in the meantime it’s also continuing to push ahead in the private markets.

The company has filed a Form D — its first in four years — indicating that it is in the process of raising nearly $1 billion — $961,099,010, to be exact — with $549,727,437 of that already sold, and a further $411,371,573 remaining to be raised.

It’s not clear whether this fundraise would essentially mean a delay to a public listing, or whether it would complement it. Nor is it clear whether this filing additionally covers secondary or previously undisclosed funding that it is now getting in order ahead of a public listing. The Form D notes that 58 investors have already invested in the offering, which might indicate that at least some of this is secondary, and that “of the total remaining to be sold, all but $671,576.25 represents shares of common stock already subscribed for.”

The filing, alternatively, could confirm a report from back in September 2019 that the company was seeking to raise between $1 billion and $3 billion, its first fundraising in four years. That report noted Palantir was targeting a $26 billion valuation, up from $20 billion four years ago. A Reuters article from June put its valuation on secondary market trades at between $10 billion and $14 billion.

The bigger story of that Reuters report was that Palantir said in June that it had closed funding from two strategic investors that both work with the company: $500 million in funding from Japanese insurance company Sompo Holdings, and $50 million from Fujitsu. Together, it seems like these might account for $550 million already sold on the Form D.

To date, Palantir has raised $3.3 billion in funding, according to PitchBook data, which names no fewer than 108 investors on its cap table.

If you dig into the PitchBook data (some of which is behind a paywall), it also seems that Palantir has raised a number of other rounds of undisclosed amounts. Confusingly (but probably fitting for a company famous for being secretive), some of that might also be part of this Form D amount.

We have reached out to Palantir to ask about the Form D and will update this post as we learn more.

While Palantir was last valued at $20 billion when it raised money four years ago, there are some data points that point to a bigger valuation today.

In April, according to a Bloomberg report, the company briefed investors with documents showing that it expects to make $1 billion in revenues this year, up 38% on 2019, and to break even for the first time since being founded 16 years ago by Peter Thiel, Nathan Gettings, Joe Lonsdale, Stephen Cohen and current CEO Alex Karp.

(The Bloomberg report didn’t explain why Palantir was briefing investors, whether for a potential public listing, or for the fundraise we’re reporting on here, or something else.)

On top of that, the company has been in the news a lot around the global novel coronavirus pandemic. Specifically, it’s been winning business, in the form of projects in major markets like the U.K. (where it’s part of a consortium of companies working with the NHS on a COVID-19 data trove) and the U.S. (where it’s been working on a COVID-19 tracker for the federal government and a project with the CDC), and possibly others. Those projects will presumably need a lot of upfront capital to set up and run, possibly one reason it is raising money now.