Gremlin brings Chaos Engineering as a Service to Kubernetes

The practice of Chaos Engineering developed at Amazon and Netflix a decade ago to help those web scale companies test their complex systems for worst-case scenarios before they happened. Gremlin was started by a former employee of both these companies to make it easier to perform this type of testing without a team of Site Reliability Engineers (SREs). Today, the company announced that it now supports Chaos Engineering-style testing on Kubernetes clusters.

The company made the announcement at the beginning of KubeCon, the Kubernetes conference taking place in San Diego this week.

Gremlin co-founder and CEO Kolton Andrus says that the idea is to be able to test and configure Kubernetes clusters so they will not fail, or at least to reduce the likelihood. He says that to do this it’s critical to run chaos testing (tests of mission-critical systems under extreme duress) in live environments, whether you’re testing Kubernetes clusters or anything else, but it’s also a bit dangerous to be doing this. He says that to mitigate the risk, best practices suggest limiting the experiment to the smallest test that gives you the most information.

“We can come in and say I’m going to deal with just these clusters. I want to cause failure here to understand what happens in Kubernetes when these pieces fail. For instance, being able to see what happens when you pause the scheduler. The goal is being able to help people understand this concept of the blast radius, and safely guide them to running an experiment,” Andrus explained.

In addition, Gremlin is helping customers harden their Kubernetes clusters to help prevent failures with a set of best practices. “We clearly have the tooling that people need [to conduct this type of testing], but we’ve also learned through many, many customer interactions and experiments to help them really tune and configure their clusters to be fault tolerant and resilient,” he said.

The Gremlin interface is designed to facilitate this kind of targeted experimentation. You can check the areas you want to apply a test, and you can see graphically which parts of the system are being tested. If things get out of control, there is a kill switch to stop the tests.

Gremlin Kubernetes testing screen (Screenshot: Gremlin)

Gremlin launched in 2016. Its headquarters are in San Jose. It offers both a freemium and pay product. The company has raised almost $27 million, according to Crunchbase data.

18 months after acquisition, MuleSoft is integrating more deeply into Salesforce

A year and a half after getting acquired by Salesforce for $6.5 billion, MuleSoft is beginning to resemble a Salesforce company — using its language and its methodologies to describe new products and services. This week at Dreamforce, as the company’s mega customer conference begins in San Francisco, MuleSoft announced a slew of new services as it integrates more deeply into the Salesforce family of products.

MuleSoft creates APIs to connect different systems together. This could be quite useful for Salesforce as a bridge between older software that may be on-prem or in the cloud. It allows Salesforce and its customers to access data wherever it lives, even from different parts of the Salesforce ecosystem itself.

MuleSoft made a number of announcements designed to simplify that process and put it in the hands of more customers. For starters, it’s announcing Accelerators, which are pre-defined integrations that let companies connect more easily to other systems. Not surprisingly, two of the first ones connect data from external products and services to Salesforce Service Cloud and Salesforce Commerce Cloud.

“What we’ve done is we’ve pre-built integrations to common back-end systems like ServiceNow and JIRA in Service Cloud, and we prebuilt those integrations, and then automatically connected that data and services through a Salesforce Lightning component directly in the Service console,” Lindsey Irvine, chief marketing officer at MuleSoft, explained.

What this does is allow the agent to get a more complete view of the customer by getting not just the data that’s stored in Salesforce, but in other systems as well.

The company also wants to put these kinds of integration skills in the hands of more Salesforce customers, so they have designed a set of courses in Trailhead, the company’s training platform, with the goal of helping 100,000 Salesforce admins, developers, integration architects and line of business users develop expertise around creating and managing these kinds of integrations.

The company is also putting resources into creating the API Community Manager, a place where people involved in building and managing these integrations can get help from a community of users, all built on Salesforce products and services, says Mark Dao, chief product officer at MuleSoft.

“We’re leveraging Community Cloud, Service Cloud and Marketing Cloud to create a true developer experience platform. And what’s interesting is that it’s targeting both the business users — in other words, business development teams and marketing teams — as well as external developers,” he said. He added that the fact this is working with business users as well as the integration experts is something new, and the goal is to drive increased usage of APIs using MuleSoft inside Salesforce customer organizations.

Finally, the company announced Flow Designer, a new tool fueled by Einstein AI, which automates the creation of workflows and integrations between systems without requiring coding skills.

MuleSoft Flow Designer requires no coding (Screenshot: MuleSoft)

Dao says this is about putting MuleSoft in reach of more users. “It’s about enabling use cases for less technical users in the context of the MuleSoft Anypoint Platform. This really requires a new way of thinking around creating integrations, and we’ve been making Flow Designer simpler and simpler, and removing that technical layer from those users,” he said.

API Community Manager is available now. Accelerators will be available by the end of the year and Flow Designer updates will be available Q2 2020, according to the company.

These and other features are all designed to take some of the complexity out of using MuleSoft to connect various systems across the organization, including both Salesforce and external programs, and to make use of data wherever it lives. MuleSoft does require a fair bit of technical skill, so if the company is able to simplify integration tasks, it could put the product in the hands of more users.

Why Were the Russians So Set Against This Hacker Being Extradited?

The Russian government has for the past four years been fighting to keep 29-year-old alleged cybercriminal Alexei Burkov from being extradited by Israel to the United States. When Israeli authorities turned down requests to send him back to Russia — supposedly to face separate hacking charges there — the Russians then imprisoned an Israeli woman for seven years on trumped-up drug charges in a bid to trade prisoners. That effort failed as well, and Burkov had his first appearance in a U.S. court last week. What follows are some clues that might explain why the Russians are so eager to reclaim this young man.

Alexei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Andrei Shirokov / Tass via Getty Images.

On the surface, the charges the U.S. government has leveled against Burkov may seem fairly unremarkable: Prosecutors say he ran a credit card fraud forum called CardPlanet that sold more than 150,000 stolen cards.

However, a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled malicious hackers ever apprehended by U.S. authorities, and that the Russian government is probably concerned that he simply knows too much.

Burkov calls himself a specialist in information security and denies having committed the crimes for which he’s been charged. But according to denizens of several Russian-language cybercrime forums that have been following his case in the Israeli news media, Burkov was by all accounts an elite cybercrook who primarily operated under the hacker alias “K0pa.”

This is the same nickname used by an individual who served as co-administrator of perhaps the most exclusive Russian-language hacking forums ever created, including Mazafaka and DirectConnection.

A screen shot from the Mazafaka cybercrime forum, circa 2011.

Since their inception in the mid-aughts, both of these forums have been among the most difficult to join — admitting only native Russian speakers and requiring each applicant to furnish a non-refundable cash deposit and “vouches” or guarantees from at least three existing members. Also, neither forum was accessible or even visible to anyone without a special encryption certificate supplied by forum administrators that allowed the sites to load properly in a Web browser.

DirectConnection, circa 2011. The identity shown at the bottom of this screenshot — Severa — belonged to Peter Levashov, a prolific spammer who pleaded guilty in the United States last year to operating the Kelihos spam botnet.

Notably, some of the world’s most-wanted cybercriminals were members of these two highly exclusive forums, and many of those individuals have already been arrested, extradited and tried for various cybercrime charges in the United States over the years. Those include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.

A user database obtained by KrebsOnSecurity several years back indicates K0pa relied on the same email address he used to register at Mazafaka and DirectConnection to register the user account “Botnet” on Spamdot, which for years was the closely-guarded stomping ground of the world’s most prolific spammers and virus writers, as well as hackers who created services catering to both professions.

As a reporter for The Washington Post in 2008, I wrote about the core offering that K0pa/Botnet advertised on Spamdot and other exclusive forums: A botnet-based anonymity service called FraudCrew. This service sold access to hacked computers, which FraudCrew customers used for the purposes of hiding their real location online while conducting cybercriminal activities.

FraudCrew, a botnet-based anonymity service offered by K0pa.

K0pa also was a top staff member at Verified, among the oldest and most venerated of Russian language cybercrime forums. Specifically, K0pa’s role at Verified was in maintaining its blacklist, a dispute resolution process designed to weed out “dishonest” cybercriminals who seek only to rip off less experienced crooks. From this vantage point, K0pa would have held considerable sway on the forum, and almost certainly played a key role in vetting new applicants to the site.

Prior to his ascendance at these forums, K0pa was perhaps best known for being a founding member of a hacker group calling themselves the CyberLords. Over nearly a decade, the CyberLords team would release dozens of hacking tools and exploits targeting previously unknown security vulnerabilities in Web-based services and computer software.

A cached copy of cyberlords[.]ru, circa 2005.

A DIRECT CONNECTION?

According to security firm Cybereason, Russia has a history of using contractors — even cybercriminals — to run intelligence operations. These crooks-turned-spies “offer a resource to the state while enjoying a cloak of semi-protected ‘status’ for their extracurricular activities, provided they are directed against foreign targets.”

“Cybercriminals are recruited to Russia’s national cause through a mix of coercion, payments and appeals to patriotic sentiment,” reads a 2017 story from The Register on Cybereason’s analysis of the Russian cybercrime scene. “Russia’s use of private contractors also has other benefits in helping to decrease overall operational costs, mitigating the risk of detection and gaining technical expertise that they cannot recruit directly into the government. Combining a cyber-militia with official state-sponsored hacking teams has created the most technically advanced and bold cybercriminal community in the world.”

A banner that ran on top of the Verified cybercrime forum for many years.

It’s probably worth noting that also present on both DirectConnection and Mazafaka were the core members of a prolific gang of online bank robbers called the JabberZeus Crew, who used custom versions of the ZeuS Trojan to steal tens — if not hundreds — of millions of dollars from hacked small businesses across the United States. In 2011, most of that crew was rounded up in an international cybercrime crackdown, although virtually all of them escaped prosecution in their home countries (mainly Russia and Ukraine).

I mention this because K0pa also was in regular communications with — if not a core member of — the JabberZeus crew. This gang worked directly with the author of the ZeuS trojan — Evgeniy “Slavik” Bogachev — a Russian man with a $3 million bounty on his head from the FBI. The cybercriminal organization Bogachev allegedly ran was responsible for the theft of more than $100 million from banks and businesses worldwide that were infected with his ZeuS malware. That organization, dubbed the “Business Club,” had members spanning most of Russia’s 11 time zones.

In this 2011 screenshot of DirectConnection, we can see the nickname “aqua,” one of the JabberZeus crime gang actors. K0pa also was affiliated with the JabberZeus crew.

Fox-IT, a Dutch security firm that infiltrated the Business Club’s back-end operations, found that beginning in late fall 2013 — about the time that conflict between Ukraine and Russia was just beginning to heat up — Slavik retooled his cyberheist botnet to serve as purely a spying machine, and began scouring infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents.

Likewise, the keyword searches that Slavik used to scour bot-infected systems in Turkey suggested the botmaster was searching for specific files from the Turkish Ministry of Foreign Affairs – a specialized police unit. Fox-IT said it was clear that Slavik was looking to intercept communications about the conflict in Syria on Turkey’s southern border — one that Russia has supported by reportedly shipping arms into the region.

To my knowledge, no one has accused Burkov of being some kind of cybercrime fixer or virtual badguy Rolodex for the Russian government. On the other hand, from his onetime lofty perch atop some of the most exclusive Russian cybercrime forums, K0pa certainly would have fit that role nicely.

Further reading, including the fascinating story on the diplomatic back and forth between Russia and Israel mentioned in the first paragraph: The Russian Hacker Who Just Became One of Israel’s Most Famous Prisoners.

How Russia Recruited Elite Hackers for Its Cyberwar

The Good, the Bad and the Ugly in Cybersecurity – Week 46


The Good

Some of the tech industry’s leading names, Intel, Mozilla, Red Hat and Fastly, have united to form the ByteCode Alliance. The aim of this new industry partnership is to build on and develop the work of a previous joint project involving Google, Microsoft and, again, Mozilla among others, namely WebAssembly. The new ByteCode Alliance intends to ensure that the WebAssembly ecosystem is put on a sound, security-first footing. The problem they’re hoping to solve is one most organizations will recognize: you either develop or adopt a modular application that in itself passes your security audit, but which has multiple dependencies, importing code from package registries like npm, PyPI and others. Security audits on those dependencies are a herculean if not impossible task, and there’s a real danger of opening the door to supply chain attacks. The ByteCode Alliance wants to ensure that WebAssembly – billed as “the foundations that the future of the internet will be built on” – can provide developers with a reusable set of components that promise to make running untrusted code safer in any environment.


The Bad

Both old and new threat actors have emerged into the limelight this week. First, Lizard Squad popped their reptilian heads out of obscurity with two DDoS attacks on the UK’s Labour Party. Barely active since 2014, when the group claimed responsibility for attacks on North Korea, Sony and even Taylor Swift, Lizard Squad this week said they were behind two DDoS attacks on Labour Party servers. Although unsuccessful at knocking the party’s servers offline, the group – who support Brexit and are avowedly anti-Labour – promised more attacks from a “botnet connected to millions of devices around the world”. 


Meanwhile, a previously unknown threat actor has emerged targeting companies in Germany, Italy and the US. Their MO is straight out of Hacking 101: phishing emails carrying poisoned Word documents. The malspam, however, is carefully crafted to look like genuine email from government agencies such as the US Postal Service, the German Federal Ministry of Finance and the Italian Ministry of Taxation. Campaigns seen by researchers during October and November were low-volume and highly targeted. IT services companies, manufacturing and healthcare have been the primary targets to date. Victims that fell for the phishing lure were treated to Maze ransomware, the Cobalt Strike attack kit and the IcedID trojan for payloads.


The Ugly

A security solution that whitelists privileged processes is dangerous enough, but Windows Defender has taken things to a whole new level of unsafe by simply whitelisting file names. As this POC by Grzegorz Tworek simply and reliably shows, Windows Defender’s real-time scanning appears to give a green light to any executable called msiexec.exe. Tworek’s POC couldn’t be simpler. Compile an executable that does nothing other than download the EICAR test file, and watch Defender ATP kick in and flag the downloaded file as malicious.


Repeat the experiment, but this time compile the code and name the output file msiexec.exe. When you execute it this time, the EICAR test file is again downloaded but ignored by Windows Defender. Cybersecurity doesn’t get much uglier than that!

Why Salesforce is moving Marketing Cloud to Microsoft Azure

When Salesforce announced this week that it was moving Marketing Cloud to Microsoft Azure, it was easy to see this as another case of wacky enterprise partnerships. But there had to be sound business reasons why the partnership came together, rather than going with AWS or Google Cloud Platform, both of which are also Salesforce partners in other contexts.

If you ask Salesforce, it says it was ultimately because of compatibility with Microsoft SQL.

“Salesforce chose Azure because it is a trusted platform with a global footprint, multi-layered security approach, robust disaster recovery strategy with auto failover, automatic updates and more,” a Salesforce spokesperson told TechCrunch. “Marketing Cloud also has a long standing relationship with Microsoft SQL which makes the transition to SQL on Azure a natural decision.”

Except for the SQL part, Microsoft’s chief rivals at AWS and Google Cloud Platform also provide those benefits. In fact, each of the reasons cited by the spokesperson — with the exception of SQL — is part of the general cloud infrastructure value proposition that all the major cloud vendors offer.

There’s probably more to it than simply compatibility. There is also the long-standing rivalry between the two companies, and the question of why, in spite of their competition, they continue to make deals like this in the spirit of co-opetition. We spoke to a few industry experts to get their take on the deal and find out why these two seeming rivals decided to come together.

Retailer’s dilemma

Tony Byrne, founder and principal analyst at Real Story Group, thinks it could be related to the fact it’s a marketing tool and some customers may be wary about hosting their businesses on AWS while competing with Amazon on the retail side. This is a common argument for why retail customers in particular are more likely to go with Microsoft or Google over AWS.

“Salesforce Marketing Cloud tends to target B2C enterprises, so the choice of Azure makes sense in one context where some B2C firms are wary of Amazon for competitive reasons. But I’d also imagine there’s more to the decision than that,” Byrne said.

Three of Apple and Google’s former star chip designers launch NUVIA with $53M in series A funding

Silicon is apparently the new gold these days, or so VCs hope.

What was once a no-go zone for venture investors, who feared the long development lead times and high technical risk required for new entrants in the semiconductor field, has now turned into one of the hottest investment areas for enterprise and data VCs. Startups like Graphcore have reached unicorn status (after its $200 million series D a year ago), Groq closed $52M from the likes of Chamath Palihapitiya of Social Capital fame, and Cerebras raised $112 million from Benchmark and others while announcing that it had produced the first trillion-transistor chip (which I profiled a bit this summer).

Today, we have another entrant with another great technical team at the helm, this time with a Santa Clara, CA-based startup called NUVIA. The company announced this morning that it has raised a $53 million series A venture round co-led by Capricorn Investment Group, Dell Technologies Capital (DTC), Mayfield, and WRVI Capital, with participation from Nepenthe LLC.

Despite only getting started earlier this year, the company currently has roughly 60 employees, 30 more at various stages of accepted offers, and the company may even crack 100 employees before the end of the year.

What’s happening here is a combination of trends in the compute industry. There has been an explosion in data and by extension, the data centers required to store all of that information, just as we have exponentially expanded our appetite for complex machine learning algorithms to crunch through all of those bits. Unfortunately, the growth in computation power is not keeping pace with our demands as Moore’s Law slows. Companies like Intel are hitting the limits of physics and our current know-how to continue to improve computational densities, opening the ground for new entrants and new approaches to the field.

Finding and building a dream team with a “chip” on their shoulder

There are two halves to the NUVIA story. First is the story of the company’s founders, which include John Bruno, Manu Gulati, and Gerard Williams III, who will be CEO. The three overlapped for a number of years at Apple, where they brought their diverse chip skillsets together to lead a variety of initiatives including Apple’s A-series of chips that power the iPhone and iPad. According to a press statement from the company, the founders have worked on a combined 20 chips across their careers and have received more than 100 patents for their work in silicon.

Gulati joined Apple in 2009 as a micro architect (or SoC architect) after a career at Broadcom, and a few months later, Williams joined the team as well. Gulati explained to me in an interview that, “So my job was kind of putting the chip together; his job was delivering the most important piece of IT that went into it, which is the CPU.” A few years later in around 2012, Bruno was poached from AMD and brought to Apple as well.

Gulati said that when Bruno joined, it was expected he would be a “silicon person” but his role quickly broadened to think more strategically about what the chipset of the iPhone and iPad should deliver to end users. “He really got into this realm of system-level stuff and competitive analysis and how do we stack up against other people and what’s happening in the industry,” he said. “So three very different technical backgrounds, but all three of us are very, very hands-on and, you know, just engineers at heart.”

Gulati would take an opportunity at Google in 2017 aimed broadly around the company’s mobile hardware, and he eventually pulled over Bruno from Apple to join him. The two left Google earlier this year, a departure first reported by The Information in May. For his part, Williams stayed at Apple for nearly a decade before leaving earlier this year in March.

The company is being stealthy about exactly what it is working on, which is typical in the silicon space because it can take years to design, manufacture, and get a product into market. That said, what’s interesting is that while the troika of founders all have a background in mobile chipsets, they are indeed focused on the data center broadly conceived (i.e. cloud computing) and, reading between the lines, specifically on finding more energy-efficient ways to combat the rising climate cost of machine learning workflows and computation-intensive processing.

Gulati told me that “for us, energy efficiency is kind of built into the way we think.”

The company’s CMO did tell me that the startup is building “a custom clean sheet designed from the ground up” and isn’t encumbered by legacy designs. In other words, the company is building its own custom core, but leaving its options open on whether it builds on top of ARM’s architecture (which is its intention today) or other architectures in the future.

Building an investor syndicate that’s willing to “chip” in

Outside of the founders, the other half of this NUVIA story is the collective of investors sitting around the table, all of whom have not only deep technical backgrounds but also the deep pockets needed to handle the technical risk that comes with new silicon startups.

Capricorn specifically invested out of what it calls its Technology Impact Fund, which focuses on funding startups that use technology to make a positive impact on the world. Its portfolio according to a statement includes Tesla, Planet Labs, and Helion Energy.

Meanwhile, DTC is the venture wing of Dell Technologies and its associated companies, and brings a deep background in enterprise and data centers, particularly from the group’s server business like Dell EMC. Scott Darling, who leads DTC, is joining NUVIA’s board, although the company is not disclosing the board composition at this time. Navin Chaddha, an electrical engineer by training who leads Mayfield, has invested in companies like HashiCorp, Akamai, and SolarCity. Finally, WRVI has a long background in enterprise and semiconductor companies.

I chatted a bit with Darling of DTC about what he saw in this particular team and their vision for the data center. In addition to liking each founder individually, Darling felt the team as a whole was just very strong. “What’s most impressive is that if you look at them collectively, they have a skillset and breadth that’s also stunning,” he said.

He confirmed that the company is broadly working on data center products, but said the company is going to lie low on its specific strategy during product development. “No point in being specific, it just engenders immune reactions from other players so we’re just going to be a little quiet for a while,” he said.

He apologized for “sounding incredibly cryptic” but said that the investment thesis from his perspective for the product was that “the data center market is going to be receptive to technology evolutions that have occurred in places outside of the data center that’s going to allow us to deliver great products to the data center.”

Interpolating that statement a bit with the mobile chip backgrounds of the founders at Google and Apple, it seems evident that the extreme energy-to-performance constraints of mobile might find some use in the data center, particularly given the heightened concerns about power consumption and climate change among data center owners.

DTC has been a frequent investor in next-generation silicon, including joining the series A investment of Graphcore back in 2016. I asked Darling whether the firm was investing aggressively in the space or sort of taking a wait-and-see attitude, and he explained that the firm tries to keep a consistent volume of investments at the silicon level. “My philosophy on that is, it’s kind of an inverted pyramid. No, I’m not gonna do a ton of silicon plays. If you look at it, I’ve got five or six. I think of them as the foundations on which a bunch of other stuff gets built on top,” he explained. He noted that each investment in the space is “expensive” given the work required to design and field a product, and so these investments have to be carefully made with the intention of supporting the companies for the long haul.

That explanation was echoed by Gulati when I asked how he and his co-founders came to closing on this investor syndicate. Given the reputations of the three, they would have had easy access to any VC in the Valley. He said about the final investors:

They understood that putting something together like this is not going to be easy and it’s not for everybody … I think everybody understands that there’s an opportunity here. Actually capitalizing upon it and then building a team and executing on it is not something that just anybody could possibly take on. And similarly, it is not something that every investor could just possibly take on in my opinion. They themselves need to have a vision on their side and not just believe our story. And they need to strategically be willing to help and put in the money and be there for the long haul.

It may be a long haul, but Gulati noted that “on a day-to-day basis, it’s really awesome to have mostly friends you work with.” With perhaps 100 employees by the end of the year and tens of millions of dollars already in the bank, they have their war chest and their army ready to go. Now comes the fun (and hard) part as we learn how the chips fall.

Update: Changed the text to reflect that NUVIA is intending to build on top of ARM’s architecture, but isn’t a licensed ARM core.

YARA Hunting for Code Reuse: DoppelPaymer Ransomware & Dridex Families


The Zero2Hero malware course concludes with Vitali Kremez explaining how to hunt malware families such as DoppelPaymer, BitPaymer & Dridex loader using YARA rules.


Whenever we discuss how to proactively hunt for malware of interest, whether it be crimeware or APT for threat intelligence purposes, YARA is the true Swiss Army knife that makes the work of malware researchers and threat intelligence analysts that much easier.

Malware developers work just like legitimate software developers, aiming to automate their work and reduce the time wasted on repetitive tasks wherever possible. That means they create and reuse code across their malware. This has a pay-off for malware hunters: we can learn how to create search rules to detect this kind of code reuse, reducing our workload, too! In this post, we will learn how to write YARA rules for the following three crimeware variants belonging to the Dridex family:

  1. BitPaymer ransomware (known as “wp_encrypt”), part of the Everis extortion case
  2. DoppelPaymer ransomware, leveraged in the PEMEX lockdown
  3. Dridex Loader (known as “ldr”), botnet ID “23005”


In a nutshell, our goal is to hunt for the malware developer’s own code by leveraging YARA code-reuse rules, rather than relying on rules that cover easily changeable strings.

One of the primary original purposes of YARA was to classify and identify malware samples. It is a rather simple Ruby-based language syntax used to describe various patterns.

The latest YARA version is 3.11.0. YARA is a signature-based tool with multiple command-line interfaces in various programming languages. In other words, it is similar to static anti-virus signatures used to detect malicious files.

The major functionality of YARA is to scan folders for files and buffers for patterns. Many tools rely on YARA such as yarashop, for example.

Some of the most common uses of YARA for our purposes are to scan, categorize and identify malware samples of interest based on code and string reuse.

The typical YARA syntax example is as follows:

import <module>

<rule type> rule <rule name> : <tags>
{
    meta:
        <name> = ""
        ...
    strings:
        $<string name> = <value> <modifiers>
        ...
    condition:
        <some condition>
}


Let’s practice writing YARA rules for Zero2Hero:

/*

We practice writing YARA rules for Zero2Hero

*/

import "pe"

rule zero2hero_course : best 
{
    meta:
        // Comment
        description = "This is an example rule to demonstrate typical syntax"
        reference = "https://www.sentinelone.com/lp/zero2hero"
        author = "@VK_Intel"
        tlp = "white"

    strings:
        $hero = "helloworld" xor wide
        $unique_function = { ?? ?? 8b fa 8b ?? 8b cf e8 ?? ?? ?? ?? 85 c0 75 ?? 81 ?? }

    condition:
        uint16(0) == 0x5A4D and pe.exports("CryptEncrypt") and  all of them
}

The additional modifiers can be as follows:

    global: match before any subsequent rules 
    private: build other rules 
    none: match unless global is used

The strings section can contain the following:

    strings: regular expression, text or hex
    string modifiers: wide, ascii, xor, fullword, nocase

The conditions can be as follows:

    Boolean expressions
    Built-in, external, module variables, and functions

YARA String & Code Reuse Hunting 

There is a difference between writing YARA rules for malware hunting versus detection. In this part of the course, we aim to produce “looser” YARA rules for threat hunting purposes, with a higher chance of capturing newer variants at the cost of more false positives. In other contexts, you may want stricter YARA rules for a specific detection mechanism and malware strain.

By and large, YARA rules are only as good as the data sources they are vetted against. Anti-virus and malware researchers rely on large datasets of known good and known bad (and known random) samples to produce the highest-fidelity rules, as it is often hard to predict YARA rule performance given the limited view of an individual researcher.

Some of the known bad and known good data sources for YARA rules performance include VirusTotal, Hybrid-Analysis, VirusBay, Malpedia, Microsoft, and VirusShare. Florian Roth’s tool yarGen includes some of the necessary string and opcode datasets for YARA performance checks as well. Another excellent tool for YARA rule management is the KLara tool developed by Kaspersky.

One of the major properties of YARA rules that leads to successful, long-lived hits is combining both string-based and code-based coverage. We believe that the key to efficient YARA rules is simple and clear rulesets utilizing both. I highly recommend watching Jay Rosenberg’s presentation from Confidence Conference 2019 entitled Utilizing YARA to Find Evolving Malware.

When creating code reuse YARA rules, we need to be aware of compilation flags, different compilers, and slightly altered code, all of which can change the generated bytes and break the YARA rules. Consequently, we should wildcard (??) certain bytes, such as the registers used, which can change from one sample to another.

For example, instructions such as xor eax produce different opcodes depending on the xor’ed register. Skipping from one to two bytes with a “[1-2]” jump is often necessary to survive different compilers and make the YARA rules cover different build environments.

The cyclical nature of the YARA rule development can be described in the following 7 steps:

    1. Malware analysis 
    2. Identification of malware string and code “uniqueness”
    3. Prototype the YARA rule based on the findings
    4. Test the YARA prototype rule across diverse malware family and clean and malware data sources
    5. Deploy the rule to hunt for the samples
    6. Review and monitor for possible false positives and/or false negatives outside of the testing phase and initial malware analysis
    7. Repeat

Practical Crimeware Code Reuse: “Dridex” Malware Family

Dridex is by far one of the most complex and sophisticated pieces of malware on the crimeware landscape.

The malware is also referred to as “Bugat” and “Cridex” by various researchers. The original Bugat malware dates back to 2010, which at some point rivaled the “Zeus” banking malware.

The development group behind it is responsible for the three malware variants, which are the subject of our YARA course:

  • 1 – BitPaymer ransomware (known as “wp_encrypt”) part of the Everis extortion case
  • 2 – DoppelPaymer ransomware leveraged in the PEMEX lockdown
  • 3 – Dridex Loader (known as “ldr”) botnet ID “23005” 

 image of Dridex

The YARA rule for the overarching code reuse across the Dridex developer samples is based on the unique API hashing function used to resolve the Windows API calls. It is one of the most obvious unique features of this family.

Based on the API hashing function (as seen in the screenshot above), the Dridex developer family can be described by the following YARA rule:

rule dridex_family
{
    strings:
        $code = { 5? 5? 8b fa 8b ?? 8b cf e8 ?? ?? ?? ?? 85 c0 75 ?? 81 ?? ?? ?? ?? ?? 7? ?? }

    condition:
        $code
}

Always test the rules, for example, via the command line, where -s prints every matching string together with its offset (the rules file and the target are placeholders here):

yara -s <rules file> <folder or file>

Testing the YARA rule reveals multiple hits on the Dridex family across the folder.
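To exercise the wildcarding described earlier (nibble masks such as “5?”, full “??” wildcards and “[n-m]” jumps) and the dridex_family hex string above without a YARA install, here is an added example. It is not code from the original post or from the YARA project: it is a small re-implementation of YARA hex-string matching in Python, and the byte sequences it scans are hand-constructed stand-ins for the same call site emitted with different registers, not real Dridex samples. It also goes slightly beyond the “[1-2]” jump in the text by using a “[2-6]” jump to cover both the short and the near encoding of jnz.

```python
# Added illustration: a minimal re-implementation of YARA hex-string matching
# (literal bytes, nibble masks such as 5?, full wildcards ??, jumps such as
# [2-6]) translated to a bytes regex.  Not the YARA engine and not code from
# the post; the byte sequences below are constructed, not real samples.
import re
from typing import Dict, List


def compile_hex_pattern(pattern: str) -> "re.Pattern[bytes]":
    """Translate the body of a YARA hex string into a compiled bytes regex."""
    parts = []
    for tok in pattern.split():
        jump = re.fullmatch(r"\[(\d+)(?:-(\d+))?\]", tok)
        if jump:                                   # [n] or [n-m]: skip n..m bytes
            lo = int(jump.group(1))
            hi = lo if jump.group(2) is None else int(jump.group(2))
            parts.append(b".{%d,%d}" % (lo, hi))
        elif tok == "??":                          # any single byte
            parts.append(b".")
        elif tok[1] == "?":                        # high nibble fixed, e.g. 5?
            base = int(tok[0], 16) << 4
            parts.append(b"[\\x%02x-\\x%02x]" % (base, base | 0x0F))
        elif tok[0] == "?":                        # low nibble fixed, e.g. ?f
            low = int(tok[1], 16)
            alts = b"".join(b"\\x%02x" % ((h << 4) | low) for h in range(16))
            parts.append(b"[" + alts + b"]")
        else:                                      # literal byte
            parts.append(b"\\x%02x" % int(tok, 16))
    # DOTALL so that "." also matches 0x0a, which is just another byte here
    return re.compile(b"".join(parts), re.DOTALL)


def find_matches(pattern: str, data: bytes) -> List[int]:
    """Offsets at which the hex pattern matches inside data."""
    return [m.start() for m in compile_hex_pattern(pattern).finditer(data)]


def scan_all(pattern: str, samples: Dict[str, bytes]) -> Dict[str, List[int]]:
    """Scan every buffer and report only the ones with at least one hit."""
    hits = {name: find_matches(pattern, data) for name, data in samples.items()}
    return {name: offs for name, offs in hits.items() if offs}


# The dridex_family code pattern from the rule above.
DRIDEX_CODE = "5? 5? 8b fa 8b ?? 8b cf e8 ?? ?? ?? ?? 85 c0 75 ?? 81 ?? ?? ?? ?? ?? 7? ??"

# Constructed x86 byte sequences (not real malware) standing in for the same
# call site emitted with different registers, plus a decoy that uses jmp (e9)
# instead of call (e8) and therefore must not match.
SAMPLES: Dict[str, bytes] = {
    # push esi; push edi; mov edi,edx; mov esi,ecx; mov ecx,edi; call rel32;
    # test eax,eax; jnz short; cmp esi,imm32; jl short
    "variant_a": b"\x90\x90" + bytes.fromhex(
        "56 57 8b fa 8b f1 8b cf e8 11 22 33 44 85 c0 75 0a 81 fe 00 01 00 00 7c 02"),
    # push ebx; push ebp; mov edi,edx; mov ebx,ecx; mov ecx,edi; call rel32;
    # test eax,eax; jnz short; cmp ebx,imm32; jge short
    "variant_b": b"\xcc" + bytes.fromhex(
        "53 55 8b fa 8b d9 8b cf e8 aa bb cc dd 85 c0 75 05 81 fb 00 02 00 00 7d 03"),
    "decoy": bytes.fromhex(
        "56 57 8b fa 8b f1 8b cf e9 11 22 33 44 85 c0 75 0a 81 fe 00 01 00 00 7c 02"),
}

# A jump absorbs compiler differences in instruction length: a short jnz is
# 2 bytes (75 rel8) while a near jnz is 6 bytes (0f 85 rel32), so [2-6]
# covers both encodings between "test eax,eax" and the following "cmp".
JNZ_THEN_CMP = "85 c0 [2-6] 81"
SHORT_JNZ = bytes.fromhex("85 c0 75 0a 81 fe 00 01 00 00")
NEAR_JNZ = bytes.fromhex("85 c0 0f 85 00 01 00 00 81 fe 00 01 00 00")

if __name__ == "__main__":
    # Mimic the "yara -s" listing: rule name, sample name, offset and bytes.
    for name, offsets in scan_all(DRIDEX_CODE, SAMPLES).items():
        for off in offsets:
            shown = SAMPLES[name][off:off + 25].hex(" ")
            print(f"dridex_family {name}\n0x{off:x}:$code: {shown}")
    print("jump covers short jnz:", find_matches(JNZ_THEN_CMP, SHORT_JNZ) == [0])
    print("jump covers near jnz: ", find_matches(JNZ_THEN_CMP, NEAR_JNZ) == [0])
```

Running the script lists hits for variant_a and variant_b only; the decoy, which differs in a single non-wildcarded byte, is silently skipped, which is exactly the behaviour to check for when deciding which bytes of a pattern to leave fixed and which to mask.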

image of yara hunt

Uniting Code Reuse & String Detection 

I. DoppelPaymer ransomware contains a peculiar string reused across samples that we can add to the Dridex family code reuse. It copies the Unicode string "setup runn" into eax via an lstrcpyW API call.

The possible specific DoppelPaymer ransomware rule is as follows:

 image of yara rule for DoppelPaymer

rule crime_win32_ransomware_doppelpaymer_1
{
    strings:
        $str1 = "Setup runn" wide
        $code = { 5? 5? 8b fa 8b ?? 8b cf e8 ?? ?? ?? ?? 85 c0 75 ?? 81 ?? ?? ?? ?? ?? 7? ??}

    condition:
        $code and $str1
}

II. BitPaymer ransomware contains the same string across samples, used as an anti-emulation check against Windows Defender: it tests for the existence of the file "C:\aaa_TouchMeNot_.txt", which is indicative of Windows Defender sandbox activity.

The possible specific BitPaymer ransomware rule is as follows:

image of Bitpaymer

rule crime_win32_ransomware_bitpaymer_1
{
    strings:
        $str1 = "C:\\aaa_TouchMeNot_.txt" wide
        $code = { 5? 5? 8b fa 8b ?? 8b cf e8 ?? ?? ?? ?? 85 c0 75 ?? 81 ?? ?? ?? ?? ?? 7? ??}

    condition:
        $code and $str1
}

III. Across the Dridex loader samples, the malware passes the same string "installed" to OutputDebugStringW many times as an anti-emulation technique. It is indicative of the Dridex loader.

The possible specific Dridex loader rule is as follows:

 image of Dridex Loader

rule crime_win32_loader_dridex_1
{
    strings:
        $str1 = "installed" wide
        $code = { 5? 5? 8b fa 8b ?? 8b cf e8 ?? ?? ?? ?? 85 c0 75 ?? 81 ?? ?? ?? ?? ?? 7? ??}
    condition:
        $code and $str1
}


The final YARA rule, for example, covering both code and strings for the DoppelPaymer ransomware unpacked payload is as follows:

rule crime_win32_doppelpaymer_ransomware_1 
{
    meta:
        description = "Detects DoppelPaymer payload Nov 11 Signed"
        author = "@VK_Intel"
        reference = "https://twitter.com/VK_Intel/status/1193937831766429696"
        date = "2019-11-11"
        hash1 = "46254a390027a1708f6951f8af3da13d033dee9a71a4ee75f257087218676dd5"

    strings:
        $s1 = "Setup run" wide
        $hash_function = { 5? 5? 8b fa 8b ?? 8b cf e8 ?? ?? ?? ?? 85 c0 75 ?? 81 ?? ?? ?? ?? ?? 7? ??}

    condition:
        ( uint16(0) == 0x5a4d and
            filesize < 2500KB and
            ( all of them )
        )
}
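To see how the parts of that final condition interact (the little-endian uint16(0) == 0x5a4d header check, the filesize bound, a “wide” string that is matched as UTF-16LE rather than ASCII, and “all of them”), here is an added example that evaluates an equivalent condition against constructed buffers. It is not code from the post and not the YARA engine: the rule is evaluated with ordinary Python, the $hash_function hex string is hand-translated into a bytes regular expression, and the buffers are assembled here rather than taken from real samples.

```python
# Added illustration: evaluate the final DoppelPaymer rule's condition with
# plain Python against constructed buffers.  Not the post's code and not YARA.
import re
import struct
from typing import Dict

MAX_FILESIZE = 2500 * 1024            # filesize < 2500KB

# "Setup run" wide: YARA searches for the UTF-16LE encoding, not the ASCII bytes.
S1_WIDE = "Setup run".encode("utf-16-le")

# $hash_function hand-translated from
# { 5? 5? 8b fa 8b ?? 8b cf e8 ?? ?? ?? ?? 85 c0 75 ?? 81 ?? ?? ?? ?? ?? 7? ?? }
HASH_FUNCTION = re.compile(
    rb"[\x50-\x5f]{2}\x8b\xfa\x8b.\x8b\xcf\xe8.{4}\x85\xc0\x75.\x81.{5}[\x70-\x7f].",
    re.DOTALL,
)


def is_mz(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: read the first two bytes as a little-endian word."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D


def evaluate_rule(data: bytes) -> Dict[str, bool]:
    """Return every sub-condition plus the overall verdict ("all of them")."""
    checks = {
        "mz_header": is_mz(data),
        "filesize_ok": len(data) < MAX_FILESIZE,
        "$s1": S1_WIDE in data,
        "$hash_function": HASH_FUNCTION.search(data) is not None,
    }
    checks["match"] = all(checks.values())
    return checks


def build_sample(*, mz: bool = True, wide: bool = True, code: bool = True,
                 pad: int = 0) -> bytes:
    """Assemble a constructed PE-like buffer with the chosen features present."""
    buf = bytearray(b"MZ" if mz else b"\x7fELF")
    buf += b"\x00" * 62                                   # header filler
    buf += b"Setup running\x00"                           # ASCII copy: never satisfies a wide string
    if wide:
        buf += "Setup running\x00".encode("utf-16-le")    # "Setup run" wide is a prefix of this
    if code:
        # same constructed call-site bytes as the dridex_family pattern expects
        buf += bytes.fromhex(
            "56 57 8b fa 8b f1 8b cf e8 11 22 33 44 85 c0 75 0a 81 fe 00 01 00 00 7c 02")
    buf += b"\x00" * pad
    return bytes(buf)


if __name__ == "__main__":
    cases = {
        "payload-like":      build_sample(),
        "ascii string only": build_sample(wide=False),
        "not a PE":          build_sample(mz=False),
        "over size limit":   build_sample(pad=MAX_FILESIZE),
    }
    for label, data in cases.items():
        print(f"{label:18} {evaluate_rule(data)}")
```

The second case is the one worth remembering: the ASCII text "Setup running" is present in the buffer, yet $s1 stays false because the rule asked for the wide form, so a hunt rule that should catch both encodings needs the "ascii wide" modifiers rather than "wide" alone.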

Malware Samples

DoppelPaymer Ransomware (unpacked) SHA-256: 46254a390027a1708f6951f8af3da13d033dee9a71a4ee75f257087218676dd5

BitPaymer Ransomware (unpacked) SHA-256 78e180e5765aa7f4b89d6bcd9bcef1dd1e0d0261ad0f9c3ec6ab0635bf494eb3

Dridex Banker (unpacked) SHA-256 ce509469b80b97e857bcd80efffc448a8d6c63f33374a43e4f04f526278a2c41



Moveworks snags $75M Series B to resolve help desk tickets with AI

Moveworks, a startup using AI to help resolve help desk tickets in an automated fashion, announced a $75 million Series B investment today.

The round was led by Iconiq Capital, Kleiner Perkins and Sapphire Ventures. Existing investors Lightspeed Venture Partners, Bain Capital Ventures and Comerica Bank also participated. The round also included a personal investment from John W. Thompson, a partner at Lightspeed Venture Partners and chairman at Microsoft. Today’s investment brings the total raised to $105 million, according to the company.

That’s a lot of money for an early-stage company, but CEO and co-founder Bhavin Shah says his company is solving a common problem using AI. “Moveworks is a machine learning platform that uses natural language understanding to take tickets that are submitted by employees every day to their IT teams for stuff they need, and we understand [the content of the tickets], interpret them, and then we take the actions to resolve them [automatically],” Shah explained.

He said the company decided to focus on help desk tickets because they saw data when they were forming the company that suggested a common set of questions, and that would make it easier to interpret and resolve these issues. In fact, they are currently able to resolve 25-40% of all tickets autonomously.

He says this should lead to greater user satisfaction because some of their problems can be resolved immediately, even when IT personnel aren’t around to help. Instead of filing a ticket and waiting for an answer, Moveworks can provide the answer, at least part of the time, without human intervention.

Aditya Agrawal, a partner at Iconiq, says that the company really captured his attention. “Moveworks is not just transforming IT operations, they are building a more modern and enlightened way to work. They’ve built a platform that simplifies and streamlines every interaction between employees and IT, enabling both to focus on what matters,” he said in a statement.

The company was founded in 2016, and in the early days was only resolving 2% of the tickets autonomously, so it has seen major improvement. It already has 115 employees and dozens of customers (although Shah didn’t want to provide an exact number).

Eigen nabs $37M to help banks and others parse huge documents using natural language and ‘small data’

One of the bigger trends in enterprise software has been the emergence of startups building tools to make the benefits of artificial intelligence technology more accessible to non-tech companies. Today, one that has built a platform to apply the power of machine learning and natural language processing to massive documents of unstructured data has closed a round of funding as it finds strong demand for its approach.

Eigen Technologies, a London-based startup whose machine learning engine helps banks and other businesses that need to extract information and insights from large and complex documents like contracts, is today announcing that it has raised $37 million in funding, a Series B that values the company at around $150 million – $180 million.

The round was led by Lakestar and Dawn Capital, with Temasek and Goldman Sachs Growth Equity (which co-led its Series A) also participating. Eigen has now raised $55 million in total.

Eigen today is working primarily in the financial sector — its offices are smack in the middle of The City, London’s financial center — but the plan is to use the funding to continue expanding the scope of the platform to cover other verticals such as insurance and healthcare, two other big areas that deal in large, wordy documentation that is often inconsistent in how it’s presented, full of essential fine print, and typically a strain on an organisation’s resources to be handled correctly — and is often a disaster if it is not.

The focus up to now on banks and other financial businesses has had a lot of traction. It says its customer base now includes 25% of the world’s G-SIB institutions (that is, the world’s biggest banks), along with others that work closely with them, like Allen & Overy and Deloitte. Since June 2018 (when it closed its Series A round), Eigen has seen recurring revenues grow sixfold with headcount — mostly data scientists and engineers — double. While Eigen doesn’t disclose specific financials, you can see the growth direction that contributed to the company’s valuation.

The basic idea behind Eigen is that it focuses on what co-founder and CEO Lewis Liu describes as “small data.” The company has devised a way to “teach” an AI to read a specific kind of document — say, a loan contract — by looking at a couple of examples and training on these. The whole process is relatively easy to do for a non-technical person: you figure out what you want to look for and analyse, find the examples using basic search in two or three documents and create the template, which can then be used across hundreds or thousands of the same kind of documents (in this case, a loan contract).

Eigen’s work is notable for two reasons. First, training a machine learning or AI system typically requires hundreds, thousands, or tens of thousands of examples to “teach” it before it can make decisions that you hope will mimic those of a human. Eigen requires a couple of examples (hence the “small data” approach).

Second, an industry like finance has many pieces of sensitive data (either because it’s personal data, or because it’s proprietary to a company and its business), and so there is an ongoing issue of working with AI companies that want to “anonymise” and ingest that data. Companies simply don’t want to do that. Eigen’s system essentially only works on what a company provides, and that stays with the company.

Eigen was founded in 2014 by Dr. Lewis Z. Liu (CEO) and Jonathan Feuer (a managing partner at CVC Capital Partners, who is the company’s chairman), but its earliest origins go back 15 years earlier, when Liu — a first-generation immigrant who grew up in the U.S. — was working as a “data-entry monkey” (his words) at a tire manufacturing plant in New Jersey, where he lived, ahead of starting university at Harvard.

A natural computing whiz who found himself building his own games when his parents refused to buy him a games console, he figured out that the many pages of printouts he was reading and re-entering into a different computing system could be sped up with a computer program linking up the two. “I put myself out of a job,” he joked.

His educational life epitomises the kind of lateral thinking that often produces the most interesting ideas. Liu went on to Harvard to study not computer science, but physics and art. Doing a double major required working on a thesis that merged the two disciplines together, and Liu built “electrodynamic equations that composed graphical structures on the fly” — basically generating art using algorithms — which he then turned into a “Turing test” to see if people could detect pixelated actual work with that of his program. Distill this, and Liu was still thinking about patterns in analog material that could be re-created using math.

Then came years at McKinsey in London (how he arrived on these shores) during the financial crisis where the results of people either intentionally or mistakenly overlooking crucial text-based data produced stark and catastrophic results. “I would say the problem that we eventually started to solve for at Eigen became tangible,” Liu said.

Then came a physics PhD at Oxford where Liu worked on X-ray lasers that could be used to decrease the complexity and cost of making microchips, cancer treatments and other applications.

While Eigen doesn’t actually use lasers, some of the mathematical equations that Liu came up with for these have also become a part of Eigen’s approach.

“The whole idea [for my PhD] was, ‘how do we make this cheaper and more scalable?,’ ” he said. “We built a new class of X-ray laser apparatus, and we realised the same equations could be used in pattern matching algorithms, specifically around sequential patterns. And out of that, and my existing corporate relationships, that’s how Eigen started.”

Five years on, Eigen has added a lot more into the platform beyond what came from Liu’s original ideas. There are more data scientists and engineers building the engine around the basic idea, and customising it to work with more sectors beyond finance. 

There are a number of AI companies building tools for non-technical business end-users, and one of the areas that comes close to what Eigen is doing is robotic process automation, or RPA. Liu notes that while this is an important area, it’s more about reading forms more readily and providing insights to those. The focus of Eigen is more on unstructured data, and the ability to parse it quickly and securely using just a few samples.

Liu points to companies like IBM (with Watson) as general competitors, while a startup like Luminance is another that takes a similar approach to Eigen by addressing the issue of parsing unstructured data in a specific sector (in its case, currently, the legal profession).

Stephen Nundy, a partner and the CTO of Lakestar, said that he first came into contact with Eigen when he was at Goldman Sachs, where he was a managing director overseeing technology, and the bank engaged it for work.

“To see what these guys can deliver, it’s to be applauded,” he said. “They’re not just picking out names and addresses. We’re talking deep, semantic understanding. Other vendors are trying to be everything to everybody, but Eigen has found market fit in financial services use cases, and it stands up against the competition. You can see when a winner is breaking away from the pack and it’s a great signal for the future.”

Salesforce announces it’s moving Marketing Cloud to Microsoft Azure

In the world of enterprise software, there are often strange bedfellows. Just yesterday, Salesforce announced a significant partnership with AWS around the Cloud Information Model. This morning, it announced it was moving its Marketing Cloud to Microsoft Azure. That’s the way that enterprise partnerships shimmy and shake sometimes.

The companies also announced they were partnering around Microsoft Teams, integrating Teams with Salesforce Sales Cloud and Service Cloud.

Salesforce plans to move Marketing Cloud, which has been running in its own data centers, to Microsoft Azure in the coming months, although the exact migration plan timeline is not clear yet. This is a big deal for Microsoft, which competes fiercely with AWS for customers. AWS is the clear market leader in the space, but Microsoft has been a strong second for some time now, and bringing Salesforce on board as a customer is certainly a quality reference for the company.

Brent Leary, founder at CRM Essentials, who has been watching the market for many years, says the partnership says a lot about Microsoft’s approach to business today, and that it’s willing to partner broadly to achieve its goals. “I think the bigger news is that Salesforce chose to go deeper with Microsoft over Amazon, and that Microsoft doesn’t fear strengthening Salesforce at the potential expense of Dynamics 365 (its CRM tool), mainly because their biggest growth driver is Azure,” Leary told TechCrunch.

Microsoft and Salesforce have always had a complex relationship. In the Steve Ballmer era, they traded dueling lawsuits over their CRM products. Later, Satya Nadella kindled a friendship of sorts by appearing at Dreamforce in 2015. The relationship has ebbed and flowed since, but with this announcement, it appears the frenemies are closer to friends than enemies again.

Let’s not forget though, that it was just yesterday that Salesforce announced a partnership with AWS around the Cloud Information Model, one that competes directly with a different partnership between Adobe, Microsoft and SAP; or that just last year Salesforce announced a significant partnership with AWS around data integration.

These kinds of conflicting deals are confusing, but they show that in today’s connected cloud world, companies that will compete hard with one another in one part of the market may still be willing to partner in other parts when it makes sense for both parties and for customers. That appears to be the case with today’s announcement from these companies.