The Joys of Owning an ‘OG’ Email Account

When you own a short email address at a popular email provider, you are bound to get gobs of spam, and more than a few alerts about random people trying to seize control over the account. If your account name is short and desirable enough, this kind of activity can make the account less reliable for day-to-day communications because it tends to bury emails you do want to receive. But there is also a puzzling side to all this noise: Random people tend to use your account as if it were theirs, and often for some fairly sensitive services online.

About 16 years ago — back when you actually had to be invited by an existing Google Mail user in order to open a new Gmail account — I was able to get hold of a very short email address on the service that hadn’t yet been reserved. Naming the address here would only invite more spam and account hijack attempts, but let’s just say the account name has something to do with computer hacking.

Because it’s a relatively short username, it is what’s known as an “OG” or “original gangster” account. These account names tend to be highly prized among certain communities, who busy themselves with trying to hack them for personal use or resale. Hence, the constant account takeover requests.

What is endlessly fascinating is how many people think it’s a good idea to sign up for important accounts online using my email address. Naturally, my account has been signed up involuntarily for nearly every dating and porn website there is. That is to be expected, I suppose.

But what still blows me away is the number of financial and other sensitive accounts I could access if I were of a devious mind. This particular email address has accounts that I never asked for at H&R Block, Turbotax, TaxAct, iTunes, LastPass, Dashlane, MyPCBackup, and Credit Karma, to name just a few. I’ve lost count of the number of active bank, ISP and web hosting accounts I can tap into.

I’m perpetually amazed by how many other Gmail users and people on similarly-sized webmail providers have opted to pick my account as a backup address if they should ever lose access to their inbox. Almost certainly, these users just lazily picked my account name at random when asked for a backup email — apparently without fully realizing the potential ramifications of doing so. At last check, my account is listed as the backup for more than three dozen Yahoo, Microsoft and other Gmail accounts and their associated file-sharing services.

If for some reason I ever needed to order pet food or medications online, my phantom accounts at Chewy, Coupaw and Petco have me covered. If any of my Weber grill parts ever fail, I’m set for life on that front. The Weber emails I periodically receive remind me of a piece I wrote many years ago for The Washington Post, about companies sending email from [companynamehere]@donotreply.com, without considering that someone might own that domain. Someone did, and the results were often hilarious.

It’s probably a good thing I’m not massively into computer games, because the online gaming (and gambling) profiles tied to my old Gmail account are innumerable.

For several years until recently, I was receiving the monthly statements intended for an older gentleman in India who had the bright idea of using my Gmail account to manage his substantial retirement holdings. Thankfully, after reaching out to him he finally removed my address from his profile, although he never responded to questions about how this might have happened.

On balance, I’ve learned it’s better just not to ask. On multiple occasions, I’d spend a few minutes trying to figure out whether the email addresses using my Gmail as a backup were created by real people or just spam bots of some sort. And then I’d send a polite note to those that fell into the former camp, explaining why this was a bad idea and asking what motivated them to do so.

Perhaps because my Gmail account name includes a hacking term, the few responses I’ve received have been less than cheerful. Despite my including detailed instructions on how to undo what she’d done, one woman in Florida screamed in an ALL CAPS reply that I was trying to phish her and that her husband was a police officer who would soon hunt me down. Alas, I still get notifications anytime she logs into her Yahoo account.

Probably for the same reason the Florida lady assumed I was a malicious hacker, my account constantly gets requests from random people who wish to hire me to hack into someone else’s account. I never respond to those either, although I’ll admit that sometimes when I’m procrastinating over something the temptation arises.

Losing access to your inbox can open you up to a cascading nightmare of other problems. Having a backup email address tied to your inbox is a good idea, but obviously only if you also control that backup address.

More importantly, make sure you’re availing yourself of the most secure form of multi-factor authentication offered by the provider. These may range from authentication options like one-time codes sent via email, phone calls, SMS or mobile app, to more robust, true “2-factor authentication” or 2FA options (something you have and something you know), such as security keys or push-based 2FA such as Duo Security (an advertiser on this site and a service I have used for years).

Email, SMS and app-based one-time codes are considered less robust from a security perspective because they can be undermined by a variety of well-established attack scenarios, from SIM-swapping to mobile-based malware. So it makes sense to secure your accounts with the strongest form of MFA available. But please bear in mind that if the only added authentication options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.

Maybe you’ve put off enabling multi-factor authentication for your important accounts, and if that describes you, please take a moment to visit twofactorauth.org and see whether you can harden your various accounts.

As I noted in June’s story, Turn on MFA Before Crooks Do It For You, people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control.

Are you in possession of an OG email account? Feel free to sound off in the comments below about some of the more gonzo stuff that winds up in your inbox.

InfoSum raises $15.1M for its privacy-first, federated approach to big data analytics

Data protection and data privacy have gone from niche concerns to mainstream issues in the last several years, thanks to new regulations and a cascade of costly breaches that have laid bare the problems that arise when information and data security are treated haphazardly.

Yet that swing has also thrown up a whole series of issues for organisations and business functions that depend on sharing and exchanging data in order to work. Today, a startup that has built a new way of exchanging data while still keeping privacy in mind — starting first by applying the concept to the “marketing industrial complex” — is announcing a round of funding as it continues to pick up momentum.

InfoSum, a London startup that has built a way for organizations to share their data with each other without passing it on to each other — by way of a federated, decentralized architecture that uses mathematical representations to organise, “read” and query the data — is today announcing that it has raised $15.1 million.

Data may be the new oil, but according to founder and CEO Nick Halstead, that just means “it’s sticky and gets all over the place.” That is to say, InfoSum is looking for a new way to use data that is less messy, and less prone to leakage, and ultimately devaluation.

The Series A is being co-led by Upfront Ventures and IA Ventures. A number of strategics using InfoSum — Ascential, Akamai, Experian, British broadcaster ITV and AT&T’s Xandr — are also participating in the round. The startup has raised $23 million to date.

Nicholas Halstead, the founder and CEO who previously had founded and led another big data company, DataSift (the startup that gained early fame as a middleman for Twitter’s firehose of data, until Twitter called time on that relationship to push its own business strategy), said in an interview that the plan is to use the funding to continue fueling its growth, with a specific focus on the U.S. market.

To that end, Brian Lesser — the founder and former CEO of Xandr (AT&T’s adtech business that is now a part of AT&T’s WarnerMedia), and previous to that the North American CEO of GroupM — is joining the company as executive chairman. Lesser had originally led Xandr’s investment into InfoSum and had previously been on the board of the startup.

InfoSum got its start several years ago as CognitiveLogic, founded at a time when Halstead was first starting to get his head around the problems that were becoming increasingly urgent in how data was being used by companies, and how newer information architecture models using data warehousing and cloud computing could help solve that.

“I saw the opportunity for data collaboration in a more private way, helping enable companies to work together when it came to customer data,” he said. This eventually led to the company releasing its first product two years ago.

In the interim, he noted, that trend has only gained momentum: companies like Snowflake have disrupted the world of data warehousing, cookies have increasingly gone out of style (and some believe will disappear altogether over time), and the concept of federated architecture has become much more ubiquitous, applied to identity management and other areas.

All of this means that InfoSum’s solution today may be aimed at martech, but it is something that affects a number of industries. Indeed, the decision to focus on marketing technology, he said, was partly because that is the industry that Halstead worked most closely with at DataSift, although the plan is to expand to other verticals as well.

“We’ve done a lot of work to change the marketing industrial complex,” said Lesser, “but its bigger use cases are in areas like finance and healthcare.”

12 Paris-based VCs look at the state of their city

Four years after the Great Recession, France’s newly elected socialist president François Hollande raised taxes and increased regulations on founder-led startups. The subsequent flight of entrepreneurs to places like London and Silicon Valley portrayed France as a tough place to launch a company. By 2016, France’s national statistics bureau estimated that about three million native-born citizens had moved abroad.

Those who remained fought back: The Family was an early accelerator that encouraged French entrepreneurs to adopt Silicon Valley’s startup methodology, and the 2012 creation of Bpifrance, a public investment bank, put money into the startup ecosystem via investors. Organizers founded La French Tech to beat the drum about native startups.

When President Emmanuel Macron took office in May 2017, he scrapped the wealth tax on everything except property assets and introduced a flat 30% tax rate on capital gains. Station F, a giant startup campus funded by billionaire entrepreneur Xavier Niel on the site of a former railway station, began attracting international talent. Tony Fadell, one of the fathers of the iPod and founder of Nest Labs, moved to Paris to set up investment firm Future Shape; VivaTech was created with government backing to become one of Europe’s largest startup conferences and expos.

Now, in the COVID-19 era, the government has made €4 billion available to entrepreneurs to keep the lights on. According to a recent report from VC firm Atomico, there are 11 unicorns in France, including BlaBlaCar, OVHcloud, Deezer and Veepee. More appear to be coming; last year Macron said he wanted to see “25 French unicorns by 2025.”

According to Station F, by the end of August, there had been 24 funding rounds led by international VCs and a few big transactions. Enterprise artificial intelligence and machine-learning platform Dataiku raised a $100 million Series D round, and Paris-based gaming startup Voodoo raised an undisclosed amount from Tencent Holdings.

We asked 12 Paris-based investors to comment on the state of play in their city:

Alison Imbert, Partech

What trends are you most excited about investing in, generally?

All the fintechs addressing SMBs to help them focus more on their core business (including bank disintermediation by fintechs, and new infrastructure tech that lowers the barrier to entry for non-fintech companies).

What’s your latest, most exciting investment?

77foods (plant-based bacon) — love that alternative proteins trend as well. Obviously, we need to transform our diet toward more sustainable food. It’s the next challenge for humanity.

What are you looking for in your next investment, in general?
Impact investment: Logistic companies tackling the life cycle of products to reduce their carbon footprint and green fintech that reinvent our spending and investment strategy around more sustainable products.

Which areas are either oversaturated or would be too hard to compete in at this point for a new startup? What other types of products/services are you wary or concerned about?
D2C products.

How much are you focused on investing in your local ecosystem versus other startup hubs (or everywhere) in general? More than 50%? Less?
100% investing in France as I’m managing Paris Saclay Seed Fund, a €53 million fund, investing in pre-seed and seed startups launched by graduates and researchers from the best engineering and business schools from this ecosystem.

Which industries in your city and region seem well-positioned to thrive, or not, long term? What are companies you are excited about (your portfolio or not), which founders?
Deep tech, biotech and medical devices. Paris, and France in general, has thousands of outstanding engineers that graduate each year. Researchers are more and more willing to found companies to have a true impact on our society. I do believe that the ecosystem is more and more structured to help them to build such companies.

How should investors in other cities think about the overall investment climate and opportunities in your city?
Paris is booming for sure. It’s still behind London and Berlin probably. But we are seeing more and more European VC offices opening in the city to get direct access to our ecosystem. Even in seed rounds, we start to have European VCs competing against us. It’s good — that means that our startups are moving to the next level.

Do you expect to see a surge in more founders coming from geographies outside major cities in the years to come, with startup hubs losing people due to the pandemic and lingering concerns, plus the attraction of remote work?
For sure startups will more and more push for remote organizations. It’s an amazing way to combine quality of life for employees and attracting talent. Yet I don’t think it will be the majority. Not all founders are willing/able to build a fully remote company. It’s an important cultural choice and it’s adapted to a certain type of business. I believe in more flexible organization (e.g., tech team working remotely or 1-2 days a week for any employee).

Which industry segments that you invest in look weaker or more exposed to potential shifts in consumer and business behavior because of COVID-19? What are the opportunities startups may be able to tap into during these unprecedented times?
Travel and hospitality sectors are of course hugely impacted. Yet there are opportunities for helping those incumbents to face current challenges (e.g., better customer care and services, stronger flexibility, cost reduction and process automation).

How has COVID-19 impacted your investment strategy? What are the biggest worries of the founders in your portfolio? What is your advice to startups in your portfolio right now?
Cash is king more than ever before. My only piece of advice will be to keep a good level of cash as we have a limited view on events coming ahead. It’s easy to say but much more difficult to put in practice (e.g., to what extent should I reduce my cash burn? Should I keep on investing in the product? What is the impact on the sales team?). Startups should focus only on what is mission-critical for their clients. Yet it doesn’t impact our seed investments as we invest pre-revenue and often pre-product.

What is a moment that has given you hope in the last month or so? This can be professional, personal or a mix of the two.
There is no reason to be hopeless. Crises have happened in the past. Humanity has faced other pandemics. Humans are resilient and resourceful enough to adapt to a new environment and new constraints.

Salesforce beefing up field service offering with AI

Salesforce has been adding artificial intelligence to all parts of its platform for several years now. It calls the underlying artificial intelligence layer on the Salesforce platform Einstein. Today the company announced some enhancements to its field service offerings that take advantage of this capability.

Eric Jacobson, VP of product management at Salesforce, says that when COVID hit, it pretty much stopped field service in its tracks in April, but, like many other parts of business, it began to pick up again later in the quarter, and people still needed to have their appliances maintained.

“Even though we’re sheltering in place, the physical world still has physical needs. Hospitals still have to maintain their equipment. Employees still need to have equipment replaced or repaired while working at home and people still need their washing machine [or other appliances] repaired,” Jacobson said.

Today’s announcements are designed in some ways for a COVID world where efficiency is more critical than ever. That means the field service tech needs to be prepared ahead of time on all of the details of the nature of the repair. He or she has to have the right parts and customers need to know when their technician will be there.

While it’s possible to do much of that in a manual fashion, adding a dose of AI helps streamline and scale that process. For starters, the company announced Dynamic Priority. Certainly humans are capable of prioritizing a list of repairs, but by letting the machine set priority based on factors like service agreement type or how critical the repair is, it can organize calls much faster, leaving dispatchers to handle other tasks.

Even before the day starts, technicians receive their schedule and, using machine learning, can determine what parts they are most likely to need in the truck for the day’s repairs. Based on the nature of the repair and the particular make and model of machine, the Einstein Recommendation Builder can help predict the parts that will be needed to minimize the number of required trips, something that is important at all times, but especially during a pandemic.

“It’s always been an inconvenience and annoyance to have somebody come back for a follow-up appointment. But now it’s not just an annoyance, it’s actually a safety consideration for you and for the technician because it’s increased exposure,” Jacobson explained.

Salesforce also wants to give the customer the same capability they are used to getting in a rideshare app, where you can track the progress of the driver to your destination. Appointment Assistant, a new app, gives customers this ability, so they know when to expect the repair person to arrive.

Finally, Salesforce has teamed with ServiceMax to offer a new capability to get the big picture view of an asset with the goal of ensuring uptime, particularly important in settings like hospitals or manufacturing. “We’ve partnered with a long-time Salesforce partner ServiceMax to create a brand new offering that takes industry best practice and builds it right in. Asset 360 builds on top of Salesforce field service and delivers those specific capabilities around asset performance insight, viewing and managing up time and managing warranty processes to really ensure availability,” he said.

As with all Salesforce announcements, the availability of these capabilities will vary as each is in various forms of development. “Dynamic Priority will be generally available in October 2020. Einstein Recommendation Builder will be in beta in October 2020. Asset 360 will be generally available in November 2020. Appointment Assistant will be in closed pilot in US in October 2020,” according to information provided by the company.

InCountry raises $18M more to help SaaS companies store data locally

We’re seeing a gradual expansion of national regulations that require data from SaaS applications to be stored locally in the country where it’s sourced and used. Today a startup that’s built a service around that need — specifically, data residency-as-a-service — is announcing some funding to continue building out its company amid strong demand.

InCountry, which provides a set of solutions — comprising software as well as some consultancy — that helps companies comply with local regulations when adopting SaaS products, has raised $18 million in funding.

This is technically an extension to its Series A, but in keeping with the growth of its business, it comes with a big bump to its valuation: the startup is now valued at “north” of $150 million. Founder and CEO Peter Yared said this is more than double the valuation of its previous round a little over a year ago.

The money is coming from a mix of strategic and financial investors. It’s being led by Caffeinated Capital and Abu Dhabi’s Mubadala, with participation from new investor Accenture Ventures and previous investors Arbor Ventures, Felicis, Ridge Ventures, Bloomberg Beta and Team Builder Ventures. Accenture is one of InCountry’s key channel partners, reselling the software as part of bigger data management and integration contracts, Yared tells me.

The company has seen a decent bump in its business in the last year, expanding to 90 countries from 65, where it provides guidance and services to store and use data in compliance with legal requirements. Alongside that it has an increasingly long list of software packages that it covers with its products. The list currently includes Salesforce, ServiceNow, Twilio, Mambu and Segment, with customers including a large list of enterprises including stock exchanges, banks and pharmaceutical companies.

“This company was based off a crazy thesis,” Yared said with an almost incredulous laugh (he has a very jocular way of talking, even when he’s being serious). “Now it’s 20 months old, and our customers are banks, pharma giants, stock exchanges. We are proud that large institutions can trust us.”

A big bump in its business in recent times has been in Asia Pacific and the Middle East, which are two main regions when it comes to data residency regulations and therefore ripe ground for winning new customers — one reason why Mubadala is part of this round, Yared said.

“At Mubadala we are committed to backing visionary founders whose innovations fuel economies,” said Ibrahim Ajami, head of Ventures at Mubadala Capital. “Since day one, InCountry’s cloud solution has addressed a massive challenge in this era of regulation by giving businesses the tools to grow internationally while remaining compliant with data residency regulations. We’re doubling down on our investment and are supporting InCountry’s expansion into the MENA region because we believe they are the best team to help drive global business forward.”

Partly due to the growing ubiquity, flexibility and relatively cheap cost of cloud computing, software as a service has been on a fast growth trajectory for years now. But even within that trend, it has had a huge boost in 2020 as a result of the global health pandemic.

COVID-19 has created a need for remote computing, and for being able to access data wherever you happen to be — which in many cases today is no longer in your usual office space. On top of that, we have a lot more “wiggle room” in business, with organizations quickly scaling up and down with demand.

The knock-on effect has been a big boost for SaaS. But that growth has come with some caveats, and one of the biggest alongside security has been around data protection, and specifically national requirements in how data is stored and used. Arguably, SaaS companies have been more concerned with scaling their software and business funnels than they have been with how data is handled and how that has changed in keeping with local regulations, and that’s the opportunity that InCountry has stepped in to fill.

It provides not just a set of software to store and handle data in a secure way, but also an extensive list of legal advisors with expertise at the local level to help companies get their data policies in order. It’s an interesting model: While InCountry’s been an early mover in identifying this market opportunity and building technology to address it, it’s buffered its competitive position not with a sole focus on technology, but an extensive amount of human capital to get each implementation right.

That can prove to be a costly thing to get wrong. In the EU in July, the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield — a framework that let businesses transfer personal data between the European Union and the United States while ensuring compliance with data protection regulations. This has impacted some 5,000 companies, which now have to rethink how they handle their data. Companies that fail to comply with local data storage requirements can be fined up to 4% of their revenues.

Yared tells me that for now, the main competitor to something like InCountry has been companies building their own policies in house. Some of those solutions would have been done completely in house and some in partnership with integrators, but all of them were hard to scale and were painful to maintain, one reason why companies and their business partners are turning to working with his startup.

“Accenture Ventures is pleased to support InCountry as it continues to expand globally,” said Tom Lounibos, managing director, Accenture Ventures, in a statement. “InCountry’s software solutions are helping companies address the critical issue of becoming and remaining compliant with a multitude of data residency laws. This expansion will help support enterprises as they unlock their business across borders.”

Fresh off $200M Series D, Gong acquires early-stage startup Vayo

Gong announced a $200 million Series D investment just last month, and loaded with fresh cash, the company wasted no time taking advantage. Today, it announced it was buying early-stage Israeli sales technology startup Vayo. The companies did not share terms of the deal, but Gong CEO Amit Bendov said the deal closed a couple of weeks ago.

The two companies match up quite well from a tech standpoint. While Gong searches unstructured data like emails and phone call transcripts and finds nuggets of data, Vayo looks at structured data, which is essentially the output of the Gong search process. What’s more, it handles large amounts of data at scale.

“Vayo helps find customer interactions at a large scale to identify trends like customers likely to churn or usage is going up, or your deals are starting to slow down — and they do this for structured data at scale,” Bendov told TechCrunch.

He said this ability to identify trends was really what attracted him to the company, even though it was still at an early stage of development. “It’s a perfect fit for Gong. We take unstructured data — emails, audio calls, video calls — and extract insights. Customers, especially with a large organization, don’t want to see individual interactions but high order insights […] and they’ve developed [a solution] to identify trends on large data volumes for customer interactions,” he said.

Vayo was founded in 2018 and raised $1.7 million in seed capital, according to Crunchbase. Joining forces with Gong gives them an opportunity to develop the technology inside a company that’s growing quickly and is extremely well capitalized, having raised more than $300 million in the last 18 months.

Avshi Avital, CEO at Vayo, who has joined Gong with his four fellow employees, gave a familiar argument for selling the company. “With Gong we found the perfect partner to realize this mission faster and maximize the impact of the technology we built given the scale of their customer base and growth potential,” he said.

The plan is to fold the Vayo tech into the Gong platform, a process that will take three to six months, according to Bendov.

Google Cloud lets businesses create their own text-to-speech voices

Google launched a few updates to its Contact Center AI product today, but the most interesting one is probably the beta of its new Custom Voice service, which will let brands create their own text-to-speech voices to best represent their own brands.

Maybe your company has a well-known spokesperson, for example, but it would be pretty arduous to have them record every sentence in an automated response system, or to bring them back to the studio whenever you launch a new product or procedure. With Custom Voice, businesses can bring their voice talent into the studio and have them record a script provided by Google. The company will then take those recordings and train its speech models on them.

As of now, this seems to be a somewhat manual task on Google’s side. Training and evaluating the model will take “several weeks,” the company says, and Google itself will conduct its own tests of the trained model before sending it back to the business that commissioned it. After that, the business must follow Google’s own testing process to evaluate the results and sign off on it.

For now, these custom voices are still in beta and only American English is supported so far.

It’s also worth noting that Google’s review process is meant to ensure that the result is aligned with its internal AI Principles, which it released back in 2018.

Like with similar projects, I would expect that this lengthy process of creating custom voices for these contact center solutions will become mainstream quickly. While it will just be a gimmick for some brands (remember those custom voices for stand-alone GPS systems back in the day?), it will allow the more forward-thinking brands to distinguish their own contact center experiences from those of the competition. Nobody likes calling customer support, but a more thoughtful experience that doesn’t make you think you’re talking to a random phone tree may just help alleviate some of the stress at least.

The BLINDINGCAN RAT and Malicious North Korean Activity

There has been a great deal of coverage lately around malicious activities attributed to North Korea (and/or adjacent entities). Most recently, this has culminated in the release of MAR (Malware Analysis Report) AR20-232A, which covers activities associated with the BLINDINGCAN RAT. This tool is the latest in a very long line of tools which allow attackers to maintain access to target environments as well as establish ongoing control of infected hosts. In this post, we give an overview of this campaign in context of other related campaigns, describing its infection vector, execution and high-level behavior.

Infection Vector

As we know, email phishing attacks are still the dominant method of delivering malware when it comes to these types of attacks. The BLINDINGCAN campaigns are no different, but their phishing lure comes with an interesting twist: malicious documents utilized in the campaign masquerade as job offers and postings from high-value defense contractors such as Boeing.

This isn’t the first time such a lure has been used. Sophisticated attackers have sought to mimic entities in the defense, military, and government space in the past. This is especially true, historically, with campaigns tied to North Korea. Even early on in 2020, Operation North Star followed a very similar modus operandi, and by some accounts these campaigns may be related.

CISA maintains a running repository of North Korean / Hidden Cobra related advisories and details. Their alerts cover campaigns from 2017 to present, including (but not limited to):

  • WannaCry – Massively destructive “ransomware” with SMB spreading capabilities.
  • Delta Charlie – Backdoor and Denial-of-Service tool set
  • Volgmer – Backdoor
  • FALLCHILL – Full-function RAT
  • BANKSHOT – RAT and proxy/tunneling tool set
  • HARDRAIN – RAT and proxy tool set w/ Android support
  • SHARPKNOT – MBR Wiper
  • TYPEFRAME – RAT and proxy/tunneling tool set
  • KEYMARBLE – Full-function RAT
  • FASTCash – RAT and proxy/tunneling tool set (Financial attacks)
  • BADCALL – RAT and proxy tool set w/ Android support
  • ELECTRICFISH – proxy/tunneling tool set
  • HOPLIGHT – proxy/tunneling tool set with pseudo-SSL spoofing
  • ARTFULPIE – Downloader and launcher tool set
  • CROWDEDFLOUNDER – Full-function RAT
  • TAINTEDSCRIBE – Downloader and launcher with LFSR (Linear Feedback Shift Register) support
  • COPPERHEDGE – Full-function RAT, cryptocurrency and crypto-exchange focused.

In short, the DPRK has a long history of these types of campaigns and it does not appear to be letting up in frequency or aggressiveness. Moreover, North Korea is no stranger to playing the ‘long-game’. Reflecting back on earlier attacks from the region (e.g., Operation Troy, Ten Days of Rain, Dark Seoul, and the Sony attack) we see similar tactics and aggressiveness.

The BLINDINGCAN campaign has been specifically focused on defense and aerospace targets, primarily based in Europe and the United States. According to AR20-232A: “The FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers” along with “compromised infrastructure from multiple countries to host its command and control (C2) infrastructure”.

The objective of these attacks is to gain intelligence and to understand the key technologies that fall under the umbrella of the targeted entity, as well as those adjacent to it (contractors, partners, etc.).

BLINDINGCAN RAT: Execution and Behavior

The malicious documents themselves, upon launch, attempt to exploit CVE-2017-0199. This particular flaw allows for remote code execution via maliciously crafted documents. More specifically, CVE-2017-0199 is a result of the flawed processing of RTF files and elements by way of a potent combination of object links and HTA payloads.

This vulnerability is a common vector of attack for malicious actors, and despite the flaw being patched long ago, attackers bet on the fact (often successfully) that at least some of their targets will still be exposed to the flaw, allowing them to achieve their foothold.

You can see this behavior immediately upon launching one of the malicious documents.
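As an added illustration (not part of the SentinelOne report), the following Python triage check looks for the RTF hallmarks described above: an auto-updating OLE link object (\objupdate or \objautlink) whose \objdata hex payload decodes to an OLE2Link moniker or a URL ending in .hta. The sample fragment, the control-word heuristic and the URL pattern are assumptions for the example, not indicators taken from the report.

```python
import binascii
import re

# Constructed sample fragments (not real documents). The first mimics the
# structure of a CVE-2017-0199 lure: an auto-updating OLE object whose hex
# \objdata decodes to an "OLE2Link" moniker pointing at an HTA URL.
SUSPICIOUS_RTF = (
    r"{\rtf1\ansi{\object\objautlink\objupdate\rsltpict{\*\objdata "
    + binascii.hexlify(b"OLE2Link\x00http://example.invalid/update.hta\x00").decode()
    + r"}}}"
)
# A benign embedded object: no link update, no moniker, no URL.
BENIGN_RTF = r"{\rtf1\ansi{\object\objemb{\*\objdata 0102abcd}} Hello}"

# Hex blob following the \*\objdata destination control word.
OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9a-fA-F\s]+)")
# HTA URLs inside the decoded object stream (heuristic, assumed pattern).
HTA_URL_RE = re.compile(rb"https?://[^\x00\s]+\.hta", re.IGNORECASE)


def extract_objdata(rtf: str) -> list:
    """Return the decoded bytes of every \\*\\objdata blob in the RTF text."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s+", "", match.group(1))
        if len(hexdata) % 2:          # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        blobs.append(binascii.unhexlify(hexdata))
    return blobs


def triage_rtf(rtf: str) -> dict:
    """Flag RTF text that combines an auto-updating link with an OLE2Link/HTA payload."""
    findings = {
        "auto_update": "\\objupdate" in rtf or "\\objautlink" in rtf,
        "ole2link": False,
        "hta_urls": [],
    }
    for blob in extract_objdata(rtf):
        if b"OLE2Link" in blob:
            findings["ole2link"] = True
        findings["hta_urls"] += [u.decode(errors="replace") for u in HTA_URL_RE.findall(blob)]
    # Both halves must be present: a link that refreshes on open plus a remote/HTA target.
    findings["suspicious"] = findings["auto_update"] and (
        findings["ole2link"] or bool(findings["hta_urls"])
    )
    return findings


if __name__ == "__main__":
    print(triage_rtf(SUSPICIOUS_RTF))
    print(triage_rtf(BENIGN_RTF))
```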

The samples we analyzed reach out to a remote server (C2) for additional components. Once established, a keylogging and clipboard monitoring component is dropped, and additional information is extracted from the targeted hosts. WMI commands are utilized to glean basic system details:

start iwbemservices::execquery - select * from win32_computersystemproduct

The RAT component (e.g., 58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d) can be found in both 32 and 64 bit varieties. The executable payloads employ multiple levels of obfuscation.

Configuration data for the RAT is embedded in the payloads and is both encrypted and encoded. Embedded configuration artifacts are AES-encrypted with a hard-coded key. Upon decrypting, the resulting data is then decoded via XOR. Strings in the malware are RC4 encrypted.

The RAT module will initially pull basic system data. The aforementioned WMI command is part of this system reconnaissance process. In this stage, the malware will pull local network data, system name, OS version details, processor/platform details and MAC address details, and then push this data to the C2.

The core RAT feature set boils down to the following:

  • Gather and transmit defined set of System features
  • Create, terminate and manipulate processes
  • Create, terminate and manipulate files
  • Self-updating / self-deletion (cleaning of malicious code from the system when necessary)

Conclusion

While the malware and implants discussed here are specific to operations attributed to North Korea, the delivery and weaponization stages are common to most other APT groups and non-nation-state backed campaigns.

The key takeaways are that 1) it is important to keep abreast of the evolution of malicious attacks originating from this region, and 2) we can apply what we have learned from past attacks to improve our posture and reduce overall exposure, along with the potential negative repercussions of suffering such an attack. Prevention, as always, is key. The SentinelOne Singularity Platform is fully capable of detecting and preventing malicious activity associated with HIDDEN COBRA and BLINDINGCAN.

Indicators of Compromise


MITRE ATT&CK
Phishing: Spearphishing Attachment [T1566]
Command and Scripting Interpreter: PowerShell [T1059]
Exploitation for Client Execution [T1203]
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547]
Process Injection [T1055]
Deobfuscate/Decode Files or Information [T1140]
System Time Discovery [T1124]
Account Discovery [T1087]
Query Registry [T1012]
Process Discovery [T1424]
System Owner/User Discovery [T1033]
Automated Collection [T1119]
Data from Local System [T1533]
Remote File Copy [T1544]
Automated Exfiltration [T1020]
Exfiltration Over C2 Channel [T1041]

The Good, the Bad and the Ugly in Cybersecurity – Week 35

The Good

This week’s “Good” story also has a few sobering lessons. A Russian national has been arrested in the U.S. on charges of conspiracy related to an attempted cyber attack on electric vehicle manufacturer Tesla. Egor Kriuchkov is accused of attempting to bribe a Tesla employee with an offer of $1m in Bitcoin in return for installing malware on the company’s network as well as providing details about the company’s infrastructure.

Kriuchkov, who was nabbed by the FBI as he tried to leave the country, allegedly told the unnamed employee that his Russia-based team of cyber criminals would first steal data from Tesla and then hit the company with a ransom demand for $4 million. The criminals intended to mount a DDoS attack at the time the malware was installed in order to distract the security team. Kriuchkov allegedly claimed that this method had been successful against other high-profile targets and had netted the gang similar amounts. It is believed that Kriuchkov may have been referring to the ransomware attack on Carlson Wagonlit Travel earlier this month.

Recruiting insiders as a means of breaching security controls is a technique one would normally associate with nation-state actors engaged in espionage, but clearly cyber crime gangs are also able and willing to invest in the ‘long game’, particularly when the rewards are so rich. Kudos to the Tesla employee for thwarting what could have been, in the words of Tesla CEO Elon Musk, a very “serious attack” on the company.

The Bad

Unfortunately, for every attack thwarted, there are many that are not. This week, researchers have detailed how the notorious QakBot (aka QBot, QuakBot) malware has been evolving from banking trojan to malware delivery platform, not unlike Emotet, TrickBot and other so-called “Swiss Army knife” tools. Development this year has been rapid, with at least 15 iterations noted between January and August. Recent QakBot activity has been driven by malspam, but attacks have also been targeting the government and military, as well as manufacturing, across Europe and the United States.

QakBot’s success rides on the back of an MO that is depressingly familiar: a phishing mail leveraging a reply chain attack carries a poisoned document utilizing Visual Basic to download second-stage payloads and communicate with the attacker’s C2 (C&C) server. There is some suggestion that QakBot is also being delivered by rival platform Emotet in some cases.

The malware has the ability to function as a backdoor, and some variants contain a plugin that allows the operators to control the infected device by means of a VNC connection. Stealing credentials and harvesting emails for use in further malspam campaigns are primary objectives, but the malware can also recruit victims’ devices into a botnet and even use them as control servers for other machines. Researchers say QakBot operators have the ability to conduct bank transactions on the victim’s machine without their knowledge.


Source: Check Point

Defending against this malware, like so many others, is primarily a matter of stopping the initial vector of code execution through phishing. Users are also advised to look out for the usual lures such as job advertisements, COVID-19 and Election 2020 themed subjects, along with unexpected invoice and payment reminders.

The Ugly

Attackers are always looking for new infection vectors, and what could be better for them (and worse for us) than an unpatched vulnerability in one of the world’s most widely used sharing platforms, Google Drive? This week a researcher discovered that non-executable documents uploaded and shared to Google Drive can be surreptitiously switched out for malicious executables without warning thanks to the Manage Versions feature.

The proof of concept shows that a file shared among users as, say, Invoice.pdf could be updated to Invoice.exe and the same link to the original file, if clicked, would now execute the malicious file without any warning to the users. To make matters worse, despite the fact that some anti-malware tools might recognize the file as malicious, Google Chrome appears to implicitly trust anything downloaded directly from Google Drive.

Being able to change file version without doing a check on the file type seems like a dangerous flaw that attackers could exploit in spearphishing campaigns: share an innocent file with a user, encourage them to collaborate, then switch it out for malware, and the next time they visit the link…

It’s not immediately clear from the report whether Google plans to address this problem in the future, but until Google enforces file type validation in the ‘Manage Versions’ feature, this is a risk that all Google Drive users should be aware of.

Steno raises $3.5 million led by First Round to become an extension of law offices

The global legal services industry was worth $849 billion in 2017 and is expected to become a trillion-dollar industry by the end of next year. Little wonder that Steno, an LA-based startup, wants a piece.

Like most legal services outfits, what it offers are ways for law practices to run more smoothly, including in a world where fewer people are meeting in conference rooms and courthouses and operating instead from disparate locations.

Steno first launched with an offering that centers on court reporting. It lines up court reporters, as well as pays them, removing both potential headaches from lawyers’ to-do lists.

More recently, the startup has added offerings like a remote deposition videoconferencing platform that it insists is not only secure but can manage exhibit handling and other details in ways meant to meet specific legal needs.

It also, very notably, has a lending product that enables lawyers to take depositions without paying until a case is resolved, which can take a year or two. The idea is to free attorneys’ financial resources — including so they can take on other clients — until there’s a payout. Of course, the product is also a potentially lucrative one for Steno, as are most lending products.

We talked earlier this week with the company, which just closed on a $3.5 million seed round led by First Round Capital (it has now raised $5 million altogether).

Unsurprisingly, one of its founders is a lawyer named Dylan Ruga who works as a trial attorney at an LA-based law group and knows first-hand the biggest pain points for his peers.

More surprising is his co-founder, Gregory Hong, who previously co-founded the restaurant reservation platform Reserve, which was acquired by Resy, which was acquired by American Express. How did Hong make the leap from one industry to a seemingly very different one?

Hong says he might not have gravitated to the idea if not for Ruga, who was Resy’s trademark attorney and who happened to send Hong the pitch behind Steno to get Hong’s advice. He looked it over as a favor, then he asked to get involved. “I just thought, ‘This is a unique and interesting opportunity,’ and said, ‘Dylan, let me run this.’ ”

Today the 19-month-old startup has 20 full-time employees and another 10 part-time staffers. One major accelerant to the business has been the pandemic, suggests Hong. Turns out tech-enabled legal support services become even more attractive when lawyers and everyone else in the ecosystem is socially distancing.

Hong suggests that Steno’s idea to marry its services with financing is gaining adherents, too, including amid law groups like JML Law and Simon Law Group, both of which focus largely on personal injury cases.

Indeed, Steno charges — and provides financing — on a per-transaction basis right now, even while its revenue is “somewhat recurring,” in that its customers constantly have court cases.

Still, a subscription product is being considered, says Hong. So are other uses for its videoconferencing platform. In the meantime, says Hong, Steno’s tech is “built very well” for legal services, and that’s where it plans to remain focused.