Google launches TensorFlow Enterprise with long-term support and managed services

Google open-sourced its TensorFlow machine learning framework back in 2015 and it quickly became one of the most popular platforms of its kind. Enterprises that wanted to use it, however, had to either work with third parties or do it themselves. To help these companies — and capture some of this lucrative market itself — Google is launching TensorFlow Enterprise, which includes hands-on, enterprise-grade support and optimized managed services on Google Cloud.

One of the most important features of TensorFlow Enterprise is that it will offer long-term support. For some versions of the framework, Google will offer patches for up to three years. For what looks to be an additional fee, Google will also offer engineering assistance from its Google Cloud and TensorFlow teams to companies that are building AI models.

All of this, of course, is deeply integrated with Google’s own cloud services. “Because Google created and open-sourced TensorFlow, Google Cloud is uniquely positioned to offer support and insights directly from the TensorFlow team itself,” the company writes in today’s announcement. “Combined with our deep expertise in AI and machine learning, this makes TensorFlow Enterprise the best way to run TensorFlow.”

Google also includes Deep Learning VMs and Deep Learning Containers to make getting started with TensorFlow easier, and the company has optimized the enterprise version for Nvidia GPUs and Google’s own Cloud TPUs.

Today’s launch is yet another example of Google Cloud’s focus on enterprises, a move the company accelerated when it hired Thomas Kurian to run the Cloud businesses. After years of mostly ignoring the enterprise, the company is now clearly looking at what enterprises are struggling with and how it can adapt its products for them.

Breaches at NetworkSolutions, Register.com, and Web.com

Top domain name registrars NetworkSolutions.com, Register.com and Web.com are asking customers to reset their passwords after discovering an intrusion in August 2019 in which customer account information was accessed.

A notice to customers at notice.web.com.

“On October 16, 2019, Web.com determined that a third-party gained unauthorized access to a limited number of its computer systems in late August 2019, and as a result, account information may have been accessed,” Web.com said in a written statement. “No credit card data was compromised as a result of this incident.”

The Jacksonville, Fla.-based Web.com said the information exposed includes “contact details such as name, address, phone numbers, email address and information about the services that we offer to a given account holder.”

The “such as” wording made me ask whether the company has any reason to believe passwords — scrambled or otherwise — were accessed.

A spokesperson for Web.com later clarified that the company does not believe customer passwords were accessed.

“We encrypt account passwords and do not believe this information is vulnerable as a specific result of this incident. As an added precautionary measure, customers will be required to reset passwords the next time they log in to their accounts. As with any online service or platform, it is also good security practice to change passwords often and use a unique password for each service.”

Both Network Solutions and Register.com are owned by Web.com. Network Solutions is now the world’s fifth-largest domain name registrar, with almost seven million domains in its stable, according to domainstate.com; Register.com listed at #17 with 1.7 million domains.

Web.com’s homepage currently makes no mention of the breach notification.

NetworkSolutions.com does not appear to currently link to any information about the incident on its homepage, nor does Web.com. To get to the advisory, one needs to visit notice.web.com.

Web.com said it has reported the incident to law enforcement and hired an outside security firm to investigate further, and is in the process of notifying affected customers through email and via its website.

The company says it plans to circle back with customers when it learns the results of its investigation, but I wonder whether we’ll ever hear more about this breach.

Web.com wasn’t clear how long the intrusion lasted, but if the breach wasn’t detected until mid-October that means the intruders potentially had about six weeks inside unnoticed. That’s a long time for an adversary to wander about one’s network, and plenty of time to steal a great deal more information than just names, addresses and phone numbers.

H/T to domaininvesting.com’s Elliot Silver for the heads up on this notification.

WeFarm rakes in $13M to grow its marketplace and network for independent farmers

Huge networks like Facebook and LinkedIn have a huge gravitational force in the world of social media — the size of their audiences make them important platforms for advertising and those who want information (for better or worse) to reach as many people as possible. But alongside their growth, we’re seeing a lasting role for platforms and networks focused on more narrow special interests, and today one of them — focused on farmers, of all communities — is picking up a round of funding to propel its growth.

WeFarm, a marketplace and networking site for small-holder farmers (that is, farms not controlled by large agribusinesses), has raised $13 million in a Series A round of funding, with plans to use the money to continue adding more users — farmers — and more services geared to their needs.

The round, which brings the total raised by the company to a modest $20 million, is being led by True Ventures, with AgFunder, June Fund; previous investors LocalGlobe, ADV and Norrsken Foundation; and others also participating.

WeFarm today has around 1.9 million registered users, and its early moves into providing a marketplace — helping to put farmers in touch with local suppliers of goods and gear such as seed and fertilizers — generated $1 million in sales in its first eight months of operations, a sign that there is business to be had here. The startup points out that this growth has been, in fact, “faster… than both Amazon and eBay in their early stages.”

WeFarm is based out of London, but while the startup does have users out of the U.K. and the rest of Europe, Kenny Ewan, the company’s founder and CEO, said in an interview that it is seeing much more robust activity and growth out of developing economies, where small-scale agriculture reigns supreme, but those working the farms have been massively underserved when it comes to new, digital services.

“We are building an ecosystem for global small-scale agriculture, on behalf of farmers,” Ewan said, noting that there are roughly 500 million small-scale farms globally, with some 1 billion people working those holdings, which typically extend 1.5-2 hectares and often are focused around staple commercial crops like rice, coffee, cattle or vegetables. “This is probably the biggest industry on Earth, accounting for some 75-80% of the global supply chain, and yet no one has built anything for them. This is significant on many levels.”

The service that WeFarm provides, in turn, is two-fold. The network, which is free to join, first of all serves as a sounding board, where farmers — who might live in a community with other farmers, but might also be quite solitary — can ask each other questions or get advice on agricultural or small-holding matters. Think less Facebook and more Stack Exchange here.

That provided a natural progression to WeFarm’s second utility track: a marketplace. Initially Ewan said that it’s been working with — and importantly, vetting — local suppliers to help them connect with farmers and the wider ecosystem for goods and services that they might need.

Longer term, the aim will be to provide a place where small-holding farmers might be able to exchange goods with each other, or sell on what they are producing.

In addition to providing access to goods for sale, WeFarm is helping to manage the e-commerce process behind it. For example, in regions like Africa, mobile wallets have become de facto bank accounts and proxies for payment cards, so one of the key ways that people can pay for items is via SMS.

“For 90% of our users, we are the only digital service they use, so we have to make sure we can fulfill their trust,” Ewan said. “This is a network of trust for the biggest industry on earth and we have to make sure it works well.”

For True and other investors, this is a long-term play, where financial returns might not be as obvious as moral ones.

“We are enormously inspired by how Kenny and the Wefarm team have empowered the world’s farmers, and we see great potential for their future,” said Jon Callaghan, co-founder of True Ventures, in a statement. “The company is not only impact-driven, but the impressive growth of the Wefarm Marketplace demonstrates exciting commercial opportunities that will connect those farmers to more of what they need to the benefit of all, across the food supply chain. This is a big, global business.”

Still, given the bigger size of the long tail, the company that can consolidate and manage that community potentially has a very valuable business on its hands, too.

Datameer announces $40M investment as it pivots away from Hadoop roots

Datameer, the company that was born as a data prep startup on top of the open-source Hadoop project, announced a $40 million investment and a big pivot away from Hadoop, while staying true to its big data roots.

The investment was led by existing investor ST Telemedia. Existing investors Redpoint Ventures, Kleiner Perkins, Nextworld Capital, Citi Ventures and Top Tier Capital Partners also participated. Today’s investment brings the total raised to almost $140 million, according to Crunchbase data.

Company CEO Christian Rodatus says the company’s original mission was about making Hadoop easier to use for data scientists, business analysts and engineers. In the last year, the three biggest commercial Hadoop vendors — Cloudera, Hortonworks and MapR — fell on hard times. Cloudera and Hortonworks merged and MapR was sold to HPE in a fire sale.

Starting almost two years ago, Datameer recognized that against this backdrop, it was time for a change. It began developing a couple of new products. It didn’t want to abandon its existing customer base entirely, of course, so it began rebuilding its Hadoop product and is now calling it Datameer X. It is a modern cloud-native product built to run on Kubernetes, the popular open-source container orchestration tool. Instead of Hadoop, it will be based on Spark. Rodatus reports they are about two-thirds done with this pivot, but the product is already in the hands of customers.

The company also announced Neebo, an entirely new SaaS tool to give data scientists the ability to process data in whatever form it takes. Rodatus sees a world coming where data will take many forms, from traditional data to Python code from data analysts or data scientists to SaaS vendor dashboards. He sees Neebo bringing all of this together in a managed service with the hope that it will free data scientists to concentrate on getting insight from the data. It will work with data visualization tools like Tableau and Looker, and should be generally available in the coming weeks.

The money should help them get through this pivot, hire more engineers to continue the process and build a go-to-market team for the new products. It’s never easy pivoting like this, but the investors are likely hoping that the company can build on its existing customer base, while taking advantage of the market need for data science processing tools. Time will tell if it works.

Yext Answers helps businesses provide better site search

Yext helps businesses manage their presence on search and across the web; starting today, with the launch of Yext Answers, it’s also helping them provide a better experience on their own websites.

“It lets any company with a website answer a question about their own brand in a Google-like experience on their own site,” CEO Howard Lerman told me.

While Lerman is officially announcing Yext Answers onstage at the company’s Onward conference this afternoon, the issue is clearly one he’s been thinking about for a while — in an interview earlier this year, he described user-generated content as “tyranny,” and claimed the company’s “founding principle is that the ultimate authority on how many calories are in a Big Mac is McDonald’s.”

It’s a theme that Lerman returned to when he demonstrated the new product for me yesterday, running a number of Google searches — such as “student checking account” — where a brand might want to be relevant, but where the results mostly come from SEO-optimized advice and how-to articles from third-party sites.

“The world of search became pretty cluttered with all these self-declared experts,” he said.


The goal with Yext Answers is to turn a brand’s website into the source that consumers turn to for information on these topics. Lerman said the big obstacle is the simple fact that most site search is pretty bad: “The algorithms that are there today are the algorithms of 1995. It’s keyword-based document search.”

So if you don’t enter exactly the right keywords in exactly the right order, you don’t get useful results. Yext, on the other hand, has supposedly spent two years building its own search engine, with natural language processing technology.

As Lerman showed me, that means it can handle more complex, conversational queries like “broccoli cheese soup recipes in 10 minutes or less.” He also pointed out how Yext has tried to follow Google’s lead in presenting the results in a variety of formats, whether that’s just a straightforward answer to a question, or maps if you’re searching for store locations.

In addition, Yext Answers customers will get analytics about what people are searching for on their site. If people are searching for a question that the site isn’t answering, businesses can then take advantage of their company’s knowledge base to publish something new — and that, in turn, could also help them show up in search results elsewhere.


Yext Answers has been beta testing with companies like Three Mobile, BBVA USA, IHA and Healthcare Associates of Texas. You also can try it out for yourself on the Yext site.

“Yext Answers represents a level of sophistication that elevates our current search into a predictive, insightful tool that provides opportunities to better understand what our patient population is interested in finding on our site,” said Lori Gillen, marketing director at Healthcare Associates of Texas, in a statement. “It is intelligent enough to understand complex relationships between HCAT-specific facts, like doctors to procedures or specialties to locations, and give insights into what our patients want to know.”

Yext Answers is now available in English-speaking countries.

Takeaways from the $566M BriansClub breach

Reporting on the exposure of some 26 million stolen credit cards leaked from a top underground cybercrime store highlighted some persistent and hard truths. Most notably, that the world’s largest financial institutions tend to have a much better idea of which merchants and which bank cards have been breached than do the thousands of smaller banks and credit unions across the United States. Also, a great deal of cybercrime seems to be perpetrated by a relatively small number of people.

In September, an anonymous source sent KrebsOnSecurity a link to a nearly 10 GB set of files that included data for approximately 26 million credit and debit cards stolen from hundreds — if not thousands — of hacked online and brick-and-mortar businesses over the past four years.

The data was taken from BriansClub, an underground “carding” store that has (ab)used this author’s name, likeness and reputation in its advertising since 2015. The card accounts were stolen by hackers or “resellers” who make a living breaking into payment card systems online and in the real world. Those resellers then share the revenue from any cards sold through BriansClub.

KrebsOnSecurity shared a copy of the BriansClub card database with Gemini Advisory, a New York-based company that monitors BriansClub and dozens of other carding shops to learn when new cards are added and when existing inventory is removed (sold).

Gemini estimates that the 26 million cards — 46 percent credit cards and 54 percent debit cards — represent almost one-third of the 87 million credit and debit card accounts currently for sale in the underground.

“While many of these cards were added in previous years, more than 21.6 million will not expire until after October 2019, offering cybercriminal buyers ample opportunity to cash out these records,” Gemini wrote in an analysis of the BriansClub data shared with this author.

Cards stolen from U.S. residents made up the bulk of the data set (~24 million of the 26+ million cards), and as a result these far more plentiful cards were priced much lower than cards from banks outside the U.S. Between 2016 and 2019, cards stolen from U.S.-based bank customers fetched between $12.76 and $16.80 apiece, while non-U.S. cards were priced between $17.04 and $35.70 during the same period.

Image: Gemini Advisory.

Unfortunately for cybercrime investigators, the person who hacked BriansClub has not released (at least not to this author) any information about the BriansClub users, payments, vendors or resellers. [Side note: This hasn’t stopped an unscrupulous huckster from approaching several of my financial industry sources with unlikely offers of said data in exchange for bitcoin].

But the database does have records of which cards were sold and which resellers (identified only by a unique number) supplied those cards, Gemini found.

“While neither the vendor nor the buyer usernames appeared in this database, they were each assigned ID numbers,” Gemini wrote. “This allowed analysts to determine how prolific certain threat actors were on BriansClub and derive relevant metrics from this data.”

According to Gemini, there were 142 resellers and more than 50,000 buyers of the card data sold through BriansClub. These buyers purchased at least 9 million of the 27.2 million cards available.

Image: Gemini Advisory

One reseller in particular (ID: 174,829) offered just shy of 6 million records, posted for $106 million. Of those, almost 940,000 were sold, grossing over $16 million in profits shared between BriansClub and the reseller. In the quote below, a “base” refers to a distinct batch of freshly-stolen card data uploaded to BriansClub.

“For context, the collective price for the entirety of exposed BriansClub records was $566 million, while the total dollar amount of all sold records exceeded $162 million,” Gemini noted. “The top 20 buyers bought 5% of the entire set of records in this shop, while the top 100 buyers accounted for 11%. The shop had a total of 11,000 bases, with most vendors uploading multiple bases.”

Image: Gemini Advisory

All the 26 million+ card records leaked from BriansClub were shared with multiple trusted sources that work directly with financial institutions to inform them when their customers’ cards go up for sale in the cybercrime underground.

Banks at this point basically have three options. Ignore the report and hope for the best. Cancel the card and reissue. Or monitor the card more closely and place tighter fraud controls on that account.

But here’s the thing: Not all banks got the data at the same time. The larger banks got it first and largely shrugged, at least according to anti-fraud sources at two large U.S.-based financial institutions: their anti-fraud teams had already identified 90-95 percent of the cards as potentially compromised in one of hundreds of breaches since 2015, mostly those involving malware inside point-of-sale retail checkout systems.

The sources I spoke with at smaller financial institutions found out about the cards they’d issued to customers that wound up in the BriansClub data by receiving alerts last week from Visa and MasterCard. Most of those sources seemed genuinely surprised at the number of cards exposed, and two sources at different credit unions each estimated they were previously unaware of about 80 percent of the cards listed in the alerts from the credit card companies.

Also, smaller financial institutions are far more likely to eat the cost of re-issuing cards at risk of fraudulent use than are larger institutions, which typically have a much higher tolerance for financial losses from counterfeit card fraud. So far, however, there is no evidence this flood of card data intelligence to the banking sector is causing much of a stampede for re-issuing cards.

Visa maintains that smaller financial institutions receive the same alerts sent to larger banks about cards thought to be exposed in specific breaches. The alerts include cards specific to each bank, but smaller banks are often limited in the resources they have available to do much with the reported card data, aside from re-issuing the card.

Gemini CEO and co-founder Andrei Barysevich said so far the feedback from the banks has been all over the place.

“While the larger US banks told us that most of the cards have been previously flagged as compromised, the mid and small size financial institutions were caught completely off-guard,” he said. “As to the European and Asian banks, to them the data was mostly new, in some cases upwards of 60% of cards were still open and active.”

I thought perhaps the card associations could provide some meta-statistics on the BriansClub dump, but those hopes were also dashed. MasterCard did not respond to requests for comment. Visa declined to share any information related to the BriansClub database (even though they got it indirectly care of Yours Truly), but issued the following statement:

“As part of our core mission to ensure security across the payment system, we are very aware of carder forums and other criminal enterprises. Visa continuously invests in intelligence and technology to detect cyber threats and works with law enforcement, clients and other partners, to mitigate and disrupt such threats.

“Whenever we discover compromised account information, Visa uses its payment intelligence and investigative capabilities to determine the source. We also work with our financial institution clients to provide card issuers with the compromised account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, by reissuing cards. Incidents such as these reinforce the need for secure technologies such as chip and tokenization to devalue account information so that even if stolen, data cannot be leveraged for fraud.”

Gemini found that exactly two-thirds of the stolen cards (66.6 percent) siphoned from BriansClub were Visa-branded, and 23 percent MasterCard. A full 85% of the total records were EMV (chip) enabled, with the remaining 15% using only a magnetic stripe.

One final note: Gemini’s report also challenges claims made by the administrator of BriansClub, namely that he removed the breached cards from his online store and that the data leak stemmed from a breach in February at his site’s data center.

The BriansClub admin, defending the honor of his stolen cards shop after a major breach.

“While the administrator of BriansClub, operating under the moniker ‘Brian Krebs,’ claimed that the breach took place in February 2019, this appears to be false,” Gemini observed in its report. “The number of records from South Korea corresponds to a previous spike in South Korean records that occurred from March 2019 through July 2019. If BriansClub were breached in February, the South Korean-issued cards would number under 10,000 rather than over 1 million.”

The report continues:

“This threat actor also claimed to have removed the compromised records from the shop. Gemini has found this claim to be false as well. Since BriansClub offers a ‘checker service’ for all purchased records to determine whether compromised payment cards are still open, it may be unnecessary to remove the cards. The shop likely assumes that even if the banks received the compromised card data from this breach, they are unlikely to close down and reissue every single card.”

How AdLoad macOS Malware Continues to Adapt & Evade

Incidents of the aggressive AdLoad macOS malware have been increasing over the last few months as the malware continues to evade built-in macOS security and many third-party security solutions. AdLoad is certainly not new; it’s been around in one form or another since at least late 2017, but the developers have continued to adapt not only to avoid detection on installation but also to resist attempts to remove their malware. In this post, we take a deeper look into how AdLoad adapts and evades many macOS AV solutions as well as discuss how to properly detect and remove AdLoad malware.


What is AdLoad?

AdLoad is an aggressive adware infection that installs a Man-in-The-Middle web proxy to redirect users’ web traffic through the attacker’s own preferred servers. The aim is to hijack and redirect users’ web browsers for monetary gain.

AdLoad is malware that installs under a variety of different names: Kreberisec, Apollo, Aphrodite SearchDaemon and many others. The names are not entirely random. Most follow a pattern along the lines of

SearchDaemon
Lookup
DataSearch
Results

or some combination thereof.

Some of the more recent names used include ‘ElementarySignalSearchDaemon’, ‘ArtemisSearchDaemon’, ‘GlobalQuestSearchDaemon’, ‘TrustedMacResultsSearchDaemon’, ‘NetSignalSearchDaemon’, ‘SimpleSearchAppDaemon’, ‘SearchQuestDaemon’ and – breaking the mould a little – ‘SearchQuest’ and ‘ResultSync’ among many others.

Here’s a partial list of some of the most common names circulating at the moment.

AphroditeLookup
AphroditeResults
ApolloSearch
ApolloSearchDaemon
ArtemisSearch
ArtemisSearchDaemon
ElementaryDataSearch
ElementarySignalSearchDaemon
FindData
GlobalConsoleSearch
GlobalQuestSearch
GlobalQuestSearchDaemon
Kreberisec
NetSignalSearchDaemon
ResultSync
SearchQuest
SearchQuestDaemon
SimpleFunctionSearch
SimpleSearchAppDaemon
TrustedMacResultsSearchDaemon
WebSearchStride

This malware has been known for some time, with at least two variants known to Apple’s XProtect definitions from November 2017 or earlier. Despite that, versions of AdLoad are still being reported in the wild by macOS users on Apple Support Communities forums.

image of asc complaints

Unfortunately for many macOS users, neither XProtect nor many other simple static engines detect it.

image of adload virustotal detection

This rule from Apple’s current XProtect definitions effectively requires the scanned binary to contain the string “getSafariVersion” in order to trigger a detection.

image of adload xprotect detection

image of hex to string translation

Alas, malware authors have long since refactored their code and current variants no longer contain that string. That breaks XProtect’s ability to detect the malware with the above rule, since the rule specifies that string as necessary, though not sufficient, for a detection.

In order to avoid simple static detections, the files have different hashes, though they are often of similar size.

image of AdLoad Hashes

Hitting on distinctive method names shows the files to be variants of the same malware.

Interestingly, XProtect’s “Mughthesec” definition gets closer to current AdLoad static signatures.

image of mughthesec

image of mughthesec yara rule

This definition requires, among other things, that the binary contains strings including the substring fallback as well as BerTaggedData. As we’ll see later, that suggests a close link between AdLoad and Mughthesec malware, but it still fails to catch the AdLoad malware which, while it does use BerTaggedData, does not contain the substrings with fallback.

And clearly while static signature detections on BerTaggedObject and other static features of the binary might be good while they last, like Apple’s XProtect signatures they won’t last long. Malware authors will soon refactor once their success-to-detection rate starts to tumble in the wrong direction. We’ll see how to more effectively detect and protect against this kind of malware below.

AdLoad Dropped Files

Victims of AdLoad will find that the malware drops files in both some of the usual, easy to find places used by macOS malware as well as some much lesser known areas that can be hard to detect. The adware typically presents an authorization dialog that asks for an admin password. On collecting the password, the malware uses the credentials to drop a number of files in both the user and local computer domains. First, it will drop not only a LaunchAgent in the local user Library but also two LaunchDaemons in the local domain Library.

The following uses SearchQuest as the example name, but of course this may be replaced with any one of the names and patterns mentioned above.

First, the LaunchAgent is dropped at
/Users/aUser/Library/LaunchAgents/com.SearchQuest.plist

and targets the following executable in its Program Arguments:
/Users/aUser/Library/Application Support/com.SearchQuest/SearchQuest

Next, the first of two LaunchDaemons is dropped at
/Library/LaunchDaemons/com.SearchQuestDaemon.plist

which targets a corresponding item in:
/Library/Application Support/com.SearchQuestDaemon/SearchQuest

The second LaunchDaemon, in this example, lands here:
/Library/LaunchDaemons/com.SearchQuestP.plist

and targets a hidden item in /var/root:
/var/root/.SearchQuest/SearchQuestDaemon

This item in turn runs a Python script from the same folder:
/var/root/.SearchQuest/SearchQuest --mode socks5 --showhost -q -s /var/root/.SearchQuest/SearchQuest.py

image of running processes

SearchQuest is an instance of mitmproxy, and the flags are mitmproxy’s own: --mode socks5 runs it as a SOCKS5 proxy, -s loads the Python script SearchQuest.py as an addon, and -q keeps it quiet. It is used here to open a connection with a remote host.

image of mitmproxy

The SOCKS proxy is enabled for localhost:8080 in Network Settings and is persistent across restarts. From a terminal, networksetup -getsocksfirewallproxy followed by the network service name (for example, Wi-Fi) shows whether it is set; on a clean machine it should report Enabled: No.

AdLoad, a Malware That Doesn’t Give Up

AdLoad doesn’t stop with a LaunchAgent and two LaunchDaemons in its attempt to maintain persistence. It also installs a user cron job and an executable in a subfolder of the user’s Library/Application Support folder. The subfolder has a UUID-like hex pattern of 8-4-4-4-12 characters, and the executable inside it has a different UUID-like hex name with the same 8-4-4-4-12 pattern.

This is just one example; the UUID-like values are unique to each user and are likely used as part of campaign tracking.

30 */2 * * * /Users/aUser/Library/Application Support/712B5686-92B3-919D-DD36-13A5745D87D2/74C08AE4-8ACE-51CA-54F7-0ED0A530ECAA h >/dev/null 2>&1

This entry fires at 30 minutes past every second hour (00:30, 02:30, 04:30 and so on), so the job runs every two hours, not every two and a half. The target of the cron job is a Mach-O executable that imports Apple’s JavaScriptCore framework, which allows the binary to evaluate JavaScript and likewise expose native objects, methods and functions to the JavaScript environment.
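The persistence layout above is regular enough to hunt for. What follows is an added example, not SentinelOne’s tooling: a small Python triage script that looks for the artifacts described in this and the previous section, namely LaunchAgent/LaunchDaemon plists whose label fits the naming pattern or whose target lives under a hidden /var/root/.<Name>/ folder, that hidden folder with its Python addon script next to the renamed proxy binary, and a crontab entry that runs a UUID-named executable from a UUID-named Application Support folder. It scans a filesystem root rather than the live machine, so it can be pointed at a mounted image, and it takes the crontab as text (what crontab -l prints). The regular expressions are an assumption distilled from the name list above and are loose by design; the sample tree and crontab that demo() builds are constructed from the paths in this post, not real samples.

```python
import os
import plistlib
import re
import tempfile

# Name parts from the list above (Search/SearchDaemon, Lookup, DataSearch,
# Results, plus Kreberisec). Deliberately loose: a triage filter, not a verdict.
NAME_RE = re.compile(r"Search|Lookup|Results?|Kreberisec", re.I)
# 8-4-4-4-12 hex blocks: the cron job's folder and executable names.
UUIDISH = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
CRON_TARGET_RE = re.compile(
    r"/Users/[^/]+/Library/Application Support/%s/%s" % (UUIDISH, UUIDISH))


def suspicious_label(label):
    """True when a launchd label or folder name fits the AdLoad naming pattern."""
    return bool(NAME_RE.search(re.sub(r"^com\.", "", label)))


def scan_launchd(root):
    """Flag plists whose label fits the pattern or whose target binary lives in
    a hidden /var/root/.<Name>/ folder (the second LaunchDaemon above)."""
    dirs = [os.path.join(root, "Library/LaunchDaemons")]
    users = os.path.join(root, "Users")
    if os.path.isdir(users):
        dirs += [os.path.join(users, u, "Library/LaunchAgents") for u in sorted(os.listdir(users))]
    findings = []
    for d in filter(os.path.isdir, dirs):
        for name in sorted(n for n in os.listdir(d) if n.endswith(".plist")):
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    data = plistlib.load(fh)
            except Exception:
                continue  # unreadable or not a plist: outside this check
            label = str(data.get("Label", ""))
            args = data.get("ProgramArguments") or [data.get("Program", "")]
            target = str(args[0])
            if suspicious_label(label) or target.startswith("/var/root/."):
                findings.append({"type": "launchd", "plist": path, "label": label, "target": target})
    return findings


def scan_var_root(root):
    """Hidden /var/root/.<Name>/ folders holding a Python script (the mitmproxy addon)."""
    findings = []
    var_root = os.path.join(root, "var/root")
    for name in sorted(os.listdir(var_root)) if os.path.isdir(var_root) else []:
        full = os.path.join(var_root, name)
        if name.startswith(".") and os.path.isdir(full) and suspicious_label(name[1:]):
            scripts = sorted(f for f in os.listdir(full) if f.endswith(".py"))
            if scripts:
                findings.append({"type": "hidden_dir", "path": full, "scripts": scripts})
    return findings


def scan_crontab(crontab_text):
    """Cron entries that run a UUID-named binary from a UUID-named Application Support folder."""
    findings = []
    for line in crontab_text.splitlines():
        m = CRON_TARGET_RE.search(line)
        if m and not line.lstrip().startswith("#"):
            findings.append({"type": "cron", "schedule": " ".join(line.split()[:5]), "target": m.group(0)})
    return findings


def scan(root, crontab_text=""):
    # root is "/" on a live machine (run as root) or the mount point of an image
    return scan_launchd(root) + scan_var_root(root) + scan_crontab(crontab_text)


# Constructed stand-in for an infected disk, mirroring the paths in the post.
# The com.example.backupagent entry is benign and must not be flagged.
SAMPLE_PLISTS = [
    ("Users/aUser/Library/LaunchAgents/com.SearchQuest.plist", "com.SearchQuest",
     "/Users/aUser/Library/Application Support/com.SearchQuest/SearchQuest"),
    ("Library/LaunchDaemons/com.SearchQuestDaemon.plist", "com.SearchQuestDaemon",
     "/Library/Application Support/com.SearchQuestDaemon/SearchQuest"),
    ("Library/LaunchDaemons/com.SearchQuestP.plist", "com.SearchQuestP",
     "/var/root/.SearchQuest/SearchQuestDaemon"),
    ("Library/LaunchDaemons/com.example.backupagent.plist", "com.example.backupagent",
     "/Library/PrivilegedHelperTools/backupagent"),
]
# Constructed crontab dump: the post's entry plus a benign maintenance job.
SAMPLE_CRONTAB = """\
0 5 * * * /usr/bin/true
30 */2 * * * /Users/aUser/Library/Application Support/712B5686-92B3-919D-DD36-13A5745D87D2/74C08AE4-8ACE-51CA-54F7-0ED0A530ECAA h >/dev/null 2>&1
"""


def build_sample_tree(root):
    for rel, label, program in SAMPLE_PLISTS:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            plistlib.dump({"Label": label, "ProgramArguments": [program], "RunAtLoad": True}, fh)
    hidden = os.path.join(root, "var/root/.SearchQuest")
    os.makedirs(hidden, exist_ok=True)
    for f in ("SearchQuest", "SearchQuestDaemon", "SearchQuest.py"):
        open(os.path.join(hidden, f), "w").close()


def demo():
    """Build the constructed tree in a temp dir and return what the scan finds."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root, SAMPLE_CRONTAB)
```

Against the constructed tree, demo() returns five findings: the three AdLoad plists (the benign helper is not flagged), the hidden /var/root/.SearchQuest folder with its script, and the cron line with its schedule 30 */2 * * * and target path. Because the label check is deliberately broad, review each hit: the target path is the discriminating field, and anything launched from a dot-folder under /var/root deserves attention on its own.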

Optional Extras: AdLoad & Friends

In every infection I’ve seen of this malware to date, there are always a number of others that appear to be brought along to the party. Tests in both VMs and ‘bare metal’ lab machines have proved inconclusive to date as to whether these additional installations are payloads directly dropped by AdLoad itself or are subsequent infections. We have seen a number of cases where a Pay-per-Install PUP installer delivers adware, which in turn delivers other PPI installers and further adware. The ties between the players in this game of monetizing unwanted downloads and browser hijacks seem to be becoming increasingly closer.

Adding to the variance in what gets installed is the way campaigns tailor payloads depending on local settings, which are usually harvested at install time. These include the geolocation of the victim, device make and model, operating system version and language settings.

Nevertheless, AdLoad is frequently found alongside other adware/PUP installations variously known as “Mughthesec”, “SurfBuyer”, “Souter”, “MyShopcoupon”, “MMInstall” and “MMProt”. All use a similar infection mechanism, which begins with a redirect to a scam website that invites the user to download a “needed” Flash Player or other media player component. These are typically unsigned, and the user is given instructions on how to open the application by bypassing Apple’s built-in Gatekeeper and XProtect safeguards.

image of installer

Other IOCs to watch out for that we’ve seen on some occasions with this threat, albeit not consistently, for the reasons mentioned above, are:

  1. a modified sudoers file
  2. installation of the attacker’s SSH known_hosts key in ~/.ssh
  3. a configuration profile to lock down browser settings (in System Preferences > Profiles)
  4. browser extensions such as “AnySearch”, “SearchIt” and similar names
  5. creation of the folder /Users/aUser/Applications, with malicious files dropped therein

Detecting and Protecting Against AdLoad

SentinelOne customers are protected against AdLoad, which is detected as a threat and blocked when it tries to execute – regardless of how the malware is coded internally – as the AI behavioral engine detects the malicious behavior rather than relying on static signatures.

For those who are not yet protected by SentinelOne, manual removal can be something of a race against time. With multiple persistence agents – launch agents, daemons, cron jobs and processes running in memory out of /var/root – it can take several attempts to remove all of them before one of them manages to rewrite the deleted components back to disk. Somewhat like the malware itself, however, persistence does pay off: as long as you have identified all the malicious processes and persistence agents, repeatedly removing them will eventually win the race.

Conclusion

We have seen an increasing number of reports of attempted AdLoad infections and increasing concern among macOS users. AdLoad is extremely difficult for individual users to remove, and even some third-party solutions that detect it after the fact are unable to outrun the malware’s multiple persistence mechanisms. Hopefully, this post has provided some insight into how to detect and remove the AdLoad malware. If you’d like to see how SentinelOne can autonomously protect your Mac users from this kind of threat, please contact us for a free demo.


Stealthy search startup Searchable.ai snags $2M seed

Searchable.ai wants to solve an old problem around search in the enterprise. The stealthy startup announced a $2 million seed round.

Defy Partners led the round with a slew of other participants, including Paul English, co-founder of Kayak; Wayne Chang, co-founder of Crashlytics; Brian Halligan, co-founder and CEO of HubSpot; Jonathan Kraft, president and COO of the Kraft Group and the New England Patriots; MIT Prof. Edward Roberts; Eric Dobkin, founder and chairman emeritus of Goldman Sachs Global Equity Capital Markets; and Susquehanna International Group.

The prestigious group of investors saw that Searchable.ai is trying to solve a big problem around findability. Company co-founder Brian Shin says that knowledge workers have been struggling for years trying to find a way to better utilize all of the information that exists within an organization.

“The problem we’re really solving is that there are a trillion documents created every year in Microsoft Office, Google Docs, etc., and it’s really difficult if you’re a knowledge worker to find what you need in terms of either a document, an asset like a slide or worksheet within a document or the actual answer to a question that you have,” Shin said.

The questioning part could be particularly valuable because it lets you ask a natural language question and find a specific piece of information within a document, rather than just the document itself. “Let’s say you have a giant spreadsheet, you could actually ask a question of all your spreadsheets and find the atomic unit of knowledge that you’re actually looking for,” he said.

The product itself is not quite ready for the big reveal, but if it works as described, it will be a huge boost to knowledge workers who have continually struggled to find a nugget of information they know is out there across the myriad documents in an organization.

Shin is an experienced entrepreneur who has helped launch and sell three companies. He reports he has raised $100 million in venture capital and most recently has worked as a venture capitalist himself, but he saw this opportunity and decided to jump back into the development side of things.

He admits he’s giving up a lot to go back to the startup lifestyle, but he and his co-founders decided this was worth it. “You know, the draw, the compulsion to do another startup is really what this is about. So my three other colleagues and I have all started companies before and we’re all giving up big jobs to do this, and I’m so excited about the team and the massive opportunity.”

He promised more details about the company and the solution would be coming early next year.

Kandji announces $3.375M seed for sophisticated Apple MDM solution

Kandji, a new Apple MDM solution that promises to go far beyond Apple’s base MDM protocol and other solutions on the market, emerged from stealth today with a $3.375 million seed investment. The product is also publicly available for the first time starting today.

The round, which closed in March, was led by First Round Capital with help from Webb Investment Network, Lee Fixel, John Glynn and other unnamed investors.

Company co-founder and CEO Adam Pettit says the company’s founders have deep knowledge of Apple. They all worked at Apple before leaving to run an Apple IT consultancy for more than 10 years.

He said that while they were at the consultancy, they developed a proprietary stack of tools to help with highly sophisticated Apple device deployments at large organizations, and it occurred to them that there was an unserved market opportunity to turn that knowledge into a new product.

Two years ago they sold the consultancy, took that knowledge and built Kandji from the ground up. Pettit says the new product gives customers access to a set of management tools that they would have charged six figures to implement at their old firm.

One of the key differentiators between Kandji and other MDM solutions, or even Apple’s base MDM functionality, is a set of one-click compliance tools. “We’re the only product that has almost 200 of these one-click policy frameworks we call parameters. So an organization can go in and browse by compliance framework, or we have pre-built templates for companies that don’t necessarily have a specific compliance mandate in mind,” he said.

The parameters have all of the tools built-in to automatically deploy a set of policies related to a given compliance framework without having to go through and manually set all of those different switches yourself. On the flip side, if you want to get granular and create your own parameters, you can do that too.

He says one of the reasons he and his partners were willing to give up the big-dollar consultancy was that they saw a huge opportunity among firms that couldn’t afford those kinds of services but still had relatively large Apple device deployments. “I mean there’s a big need outside of just the specific kind of sophisticated compliance work we would do [at our previous firm]. We saw this big need in general for an Apple MDM solution like ours,” he said.

After selling their previous firm, the founders bootstrapped for a year while they developed the initial version of Kandji before seeking funding. Today, the company has 16 employees and a set of initial customers that have been testing the product.

Even after Microsoft wins, JEDI saga could drag on

The DoD JEDI contract saga came to a thrilling conclusion on Friday afternoon, appropriately enough, with one final plot twist. The presumptive favorite, Amazon, did not win, stunning many, including likely the company itself. In the end, Microsoft took home the $10 billion prize.

This contract was filled with drama from the beginning, given the amount of money involved, the length of the contract, the winner-take-all nature of the deal — and the politics. We can’t forget the politics. This was Washington after all, and Jeff Bezos does own The Washington Post.

Then there was Oracle’s fury throughout the procurement process. The president got involved in August. The current defense secretary recused himself on Wednesday, two days before the decision came down. It was all just so much drama, even the final decision itself, handed down late Friday afternoon — but it’s unclear if this is the end or just another twist in this ongoing tale.

Some perspective on $10 billion

Before we get too crazy about Microsoft getting a $10 billion, 10-year contract, consider that Amazon earned $9 billion last quarter alone in cloud revenue. Microsoft reported $33 billion last quarter in total revenue. It reported around $11 billion in cloud revenue. Synergy Research pegs the current cloud infrastructure market at well over $100 billion annually (and growing).

What we have here is a contract that’s worth a billion a year. What’s more, it’s possible it might not even be worth that much if the government uses one of its out clauses. The deal is actually initially guaranteed for just two years. Then there are a couple of three-year options, with a final two-year option at the end if it gets that far.

The DOD recognized that with the unique nature of this contract, going with a single vendor, it wanted to keep its options open should the tech world shift suddenly under its feet. It didn’t want to be inextricably tied to one company for a decade if that company was suddenly disrupted by someone else. Given the shifting sands of technology, that part of the strategy was a wise one.

Where the value lies

If the value of this deal was not the contract itself, that raises the question of why everyone wanted it so badly. The $10 billion JEDI deal was simply a point of entry. If you could modernize the DoD’s infrastructure, the argument goes, chances are you could do the same for other areas of the government. It could open the door for Microsoft to a much more lucrative government cloud business.

But it’s not as though Microsoft didn’t already have a lucrative cloud business. In 2016, for example, the company signed a deal worth almost a billion dollars to help move the entire department to Windows 10. Amazon, too, has had its share of government contracts, famously landing the $600 million contract to build the CIA’s private cloud.

But given all the attention to this deal, it always felt a little different from your standard government contract. Just the fact the DoD used a Star Wars reference for the project acronym drew more attention to the project from the start. Therefore, there was some prestige for the winner of this deal, and Microsoft gets bragging rights this morning, while Amazon is left to ponder what the heck happened. As for other companies like Oracle, who knows how they’re feeling about this outcome.

Hell hath no fury like Oracle scorned

Ah yes, Oracle; this tale would not be complete without discussing Oracle’s rage throughout the JEDI RFP process. Even before the RFP process started, the company was complaining about the procurement process. Co-CEO Safra Catz had dinner with the president to complain that the contract process wasn’t fair (not fair!). Then Oracle tried complaining to the Government Accountability Office, which found no issue with the process.

Oracle then went to court. Its claims concerned both the procurement process and the involvement of a former Amazon employee, hired by the DoD, in creating the RFP; Oracle argued that the former employee was proof that the deal was tilted toward Amazon. The judge disagreed and dismissed the complaints.

What Oracle could never admit was that it simply didn’t have the same cloud chops as Microsoft and Amazon, the two finalists. It couldn’t be that they were late to the cloud or had a fraction of the market share that Amazon and Microsoft had. It had to be the process or that someone was boxing them out.

What Microsoft brings to the table

Outside of the politics of this decision (which we will get to shortly), Microsoft brought to the table some experience and tooling that certainly gave it some advantage in the selection process. Until we see the reasons for the selection, it’s hard to know exactly why the DoD chose Microsoft, but we know a few things.

First of all there are the existing contracts with the DoD, including the aforementioned Windows 10 contract and a five-year $1.76 billion contract with DoD Intelligence to provide “innovative enterprise services” to the DoD.

Then there is Azure Stack, a portable private cloud stack that the military could stand up anywhere. It could have great utility for missions in the field when communicating with a cloud server could be problematic.

Fool if you think it’s over

So that’s that right? The decision has been made and it’s time to move on. Amazon will go home and lick its wounds. Microsoft gets bragging rights and we’re good. Actually, this might not be where it ends at all.

Amazon, for instance, could point to Jim Mattis’ book where he wrote that the president told the then Defense Secretary to “screw Bezos out of that $10 billion contract.” Mattis says he refused, saying he would go by the book, but it certainly leaves the door open to a conflict question.

It’s also worth pointing out that Jeff Bezos owns The Washington Post and the president isn’t exactly in love with that particular publication. In fact, this week, the White House canceled its subscription and encouraged other government agencies to do so as well.

Then there is the matter of current Defense Secretary Mark Esper suddenly recusing himself last Wednesday afternoon based on a minor point: one of his adult children works at IBM (in a non-cloud consulting job). He claimed he wanted to remove any hint of conflict of interest, but at this point in the process, it was down to Microsoft and Amazon. IBM wasn’t even involved.

If Amazon wanted to protest this decision, it seems it would have much more solid ground to do so than Oracle ever had. An Amazon spokesperson would only say that the company “was keeping its options open.”

The bottom line is a decision has been made, at least for now, but this process has been rife with controversy from the start, just by the design of the project, so it wouldn’t be surprising to see Amazon take some protest action of its own. It seems oddly appropriate.