iPad 2021 is back IN STOCK at the best price, with free shipping
iPhone 11 for LESS than €600? Yes, and you can even pay in installments
Meet 3 women who test Google products for fairness
One of the most interesting parts of working at Google is learning what other people do here — it’s not uncommon to come across a job title you’ve never heard of. For example: ProFair Program Manager, or ProFair Analyst.
These roles are part of our Responsible Innovation team, which focuses on making sure our tech supports Google’s AI Principles. One way the team does this is by conducting proactive algorithmic product fairness — or ProFair — testing. This means bringing social and cultural perspectives to the testing process, to assess how an AI or ML application, dataset or technique might avoid reinforcing unfair bias. Three women who work on ProFair testing are Anne Peckham, N’Mah Y. and Cherish M. and today we’re asking them: What’s your job?
The job: ProFair Responsible Innovation
Anne is a program manager, N’Mah is an analyst and Cherish is also an analyst.
So…what do you do?
Anne Peckham, a program manager working on ProFair for Responsible Innovation, says she primarily helps others get things done. “I organize projects, figure out strategies, identify what needs to get done, provide documentation, keep track of learnings…and do it again for each project.” N’Mah is a ProFair analyst. “I lead ProFair training across Google, coordinate an ethics fellowship program for Googlers and design and conduct fairness tests for products before launch.” Cherish, also an analyst, does this as well. “I help product teams understand how to improve products ahead of launch. I drive our company-wide program in teaching Googlers how to test products, too.” Cherish says a big part of her role is making sure when product teams are building something they think of everyone who will use it — referencing the Google AI Principle of “avoid[ing] creating or reinforcing unfair bias.” “Far ahead of launch time, I look for ways a proposed AI application, ML model or dataset might not function optimally for a user due to unfair bias, so we can help fix it proactively.”
All three enjoy the variety that comes with this work. “I love how collaborative my role is,” Anne says. “I get to work on many types of projects and with lots of different teams — including the Responsible AI research group.” N’Mah also enjoys seeing the products she’s supported make a difference in the world once they’ve actually launched.
“This role forces me to think outside the box, which I enjoy, and I’m able to advocate for users who may not be in the room,” Cherish says. “This job is very cerebral in nature. And I love collaborating with others to build these products for good.”
How did you choose this job?
None of the three Googlers knew ProFair was an option when they were first considering their careers. “For a while, I wanted to be a librarian, but coming out of college, I’d been interested in doing political science research or program operations,” Anne says. “I had an entry level job as a program assistant where I was making lists and helping others move goals forward, and that skill transferred to different sectors.”
“I wanted to be a lawyer, but ended up studying Middle East Studies and Spanish,” says N’Mah. “I focused on cross-cultural experiences, and that’s ultimately what drew me to this work.” That ended up aiding her, she says — it helps her understand how products impact people from different cultural backgrounds. Cherish also wanted to be a lawyer, and was interested in technology and ethics. “I was always interested in serving others,” she says. “But I had no idea this sort of career even existed! The teams and roles we work in were developed within the past few years.”
What would you tell someone who wants your job?
Today, there are more straightforward paths toward this work. “Thankfully people who are currently in school have networks to leverage to learn more about this work,” Cherish says. Still, she says, “there is no linear path.” Someone who wants to do this kind of work should be interested in technological innovation but also focused on doing so with social benefit top of mind.
Anne agrees with Cherish: “There is no single path to this kind of work, but I’ve noticed people who choose this career are curious and passionate about wherever it is they are working on. I love program management, but others are passionate about building testing infrastructure, or achieving the most social benefit. You see them bring that enthusiasm to their teams.” Anne mentions that she didn’t think there was “room” for her in this field, which is something to consider for those interested in similar careers: The point of Product Fairness work is that all perspectives and backgrounds are included, not just people with MBAs and computer science degrees. “Ultimately, technology shouldn’t be built for homogenous audiences,” Cherish says — and who works in this field should be just as diverse, too.
N’Mah says you shouldn’t feel pigeon-holed by your academic or career background; different experiences, personal and professional, are needed here. “There are a variety of backgrounds you can come from to work in this space — that’s what makes the team great,” she says. “If you’re interested in cross-cultural connections, or socially beneficial technical solutions, this could be an area of interest.” And if you’re someone who’s aware of their own unconscious biases, you might be naturally inclined toward a career in product fairness.
Bonus question: For Women’s History Month, who are some of your women role models?
“I have a strong group of female friends from high school who I’ve kept in touch with over the years,” Anne says. “We’ve all pursued different paths and have various strengths in our careers, but when we meet up, I love hearing what they’re passionate about and what they’re working on.” N’Mah says Harriet Tubman has always been a symbol to her of what’s possible in this country. “She persevered during a challenging moment in history and has done so much to push America forward socially.” For Cherish, she looks up to Maya Angelou. “She had such an incredibly poignant impact on society through her activism and her literature.”
Basketball and brackets: a March love story
March is synonymous with college basketball. Though my basketball career peaked in middle school, I still find myself cheering for the underdog and watching replays of buzzer beaters night after night. As college basketball heats up, we’ll fill out our brackets (I’m partial to Carolina Blue!), and follow along to the latest women’s and men’s games. Here are some ways to use Search to keep up with your favorite teams and athletes, and catch the best plays from all 100+ games across the tournaments.
Stats leaderboard, trends addition
Across Search we are seeing that people can’t wait for the games to tip off. Search interest in the United States for “when does march madness start” increased +1,700% in the past month. But with bragging rights on the line, people are also searching for “Bracketology,” which has been a breakout search topic all throughout the regular season in the US. In the spirit of friendly competition, we’ve decided to share ours with you, because who needs a high NET ranking when you have search interest to help pick a winner?


Keeping up with every play on Search
Now, if it’s hard for you to catch every game or maybe you just need an excuse to relive every play, you can do just that. We partnered with Turner Sports, CBS and the NCAA to help you tune in live with March Madness Live and bring you in-game highlights and post-game recaps, all accessible through Search. Simply look up or click on a specific game and you will have access to real-time content, ensuring you don’t miss a single moment of nail-biting basketball.
No matter which team you’re rooting for, we hope these features make Search work better for everyone. Here’s to a college basketball-filled March and best of luck with your brackets.
Daredevil: does filming of the reboot begin this year?
Taking the Living Building Challenge to the next level
When we design and build Google offices around the world, we strive to deliver on our commitment to sustainability. This means thinking about everything from reducing and diverting waste to cultivating healthy spaces and places to accelerating carbon-free energy strategies. It also means working with industry leaders to pave a path for others and push the boundary of what’s possible. The Living Building Challenge (LBC) by the International Living Future Institute (ILFI) is one of the most ambitious green building certifications in the world. Of the largest projects ever to pursue certification through ILFI, five are Google’s workplaces — including our newest office in Sunnyvale, California.
Our collaboration with ILFI started nearly 20 years ago when we set out to combat the “new office” smell from fresh carpet and paint. As a sustainability partner for Google, this was one of my first projects: to use better materials to create the healthiest possible indoor environment. We used LBC’s Red List as a guide for what chemicals to avoid in our building products. Beyond improving the health of our indoor spaces, we also paved the way for others to purchase healthier materials. Through our purchasing power we encouraged more manufacturers to create third-party healthy material labels for their products.
Since that first project, we’ve hit more milestones with buildings across the U.S.
In 2015, we took our focus on materials to the next level with our Chicago office renovation. The 1000 West Fulton Market office renovation included 237,000 square feet of office space to build out. We expanded the reach of our Red List scope and pursued the ILFI’s LBC Materials Petal Certification. To do so, our project team reviewed every building product that was installed, procured responsibly sourced lumber, and prioritized local trade partners.
Next up were our first ground-up developments: Charleston East and Bay View in Silicon Valley. At 1.1 million square feet, Bay View is set to open this year while Charleston East, at 600,000 square feet, is nearing completion. These two buildings allowed us to work with the LBC on a scale never done before.
And finally, our newest addition to Google’s Sunnyvale campus — 237 Moffett Park Drive (237 MPD) — aspires toward a different kind of moonshot: to be the largest renovation project and the third-largest project ever certified by ILFI in the world. With this 250,000-square-foot project we are pursuing the ILFI’s LBC Materials Petal Certification, and we’ve designed the project to achieve four of the seven Petals and an LEED v4 Platinum Certification.

The exterior of Google’s new Sunnyvale office, 237 MPD.
The building was originally developed in the 1960s as a research and development facility for one of the world’s first mainframe and supercomputer firms. We honored that legacy of innovation by transforming the existing building into a workplace that embodies regenerative design.
There are many subtle and intentional design features that make 237 MPD an exceptional space. The integrated design team created Oculus, a huge penetration cut through the roof and structure of the building that floods the interior with natural light and views. Materials are given a second chance throughout the building — from still-functioning components of the original mechanical systems to roughly 300 interior doors made with veneer from oak trees salvaged from the Mendocino complex fires of 2018. In total, 3,400 tons of waste (or 91 percent of total waste generated) was diverted from the landfill. Beyond the building, the grounds were designed with wet meadows in low-lying areas and native oak trees on higher ground to echo the region’s historical ecology, offer habitat for wildlife and reduce the demand for water.
237 MPD also looks to the future with innovative sustainability systems. A total of 5,000 on-site solar panels cover 91 percent of annual estimated energy demand. Helios, an interactive light sculpture, illuminates the building’s Net Zero Energy goals by showing the building’s live energy data. Furthermore, captured and stored rainwater reduces potable demand for toilet flushing by 30 percent and 100 percent of irrigation demand is met by municipally-supplied recycled water. All of these design features create a workplace that is regenerative and promotes well-being, underpinned by the industry’s most rigorous sustainability certification.
Our work here isn’t just about pursuing certification on bigger and bigger projects; it’s also about showcasing what is possible in regenerative building today as an inspiration to drive progress. In 2020, our 6 Pancras Square office in London became the first building in the world to be awarded a Zero Carbon certification, paving the way for a partnership between Google and ILFI to plan a volume approach to certification. In line with our aim to run our data centers and campuses on 24/7 carbon-free energy by 2030, we’re exploring how we can use the ILFI Zero Carbon certification efficiently and effectively across our real estate portfolio.
As we move forward, we’ll continue to approach our built environment as not simply a space for renovation, but also as an opportunity for regeneration.
Exposing initial access broker with ties to Conti
In early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group’s activity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).
Initial access brokers are the opportunistic locksmiths of the security world, and it’s a full-time job. These groups specialize in breaching a target in order to open the doors—or the Windows—to the malicious actor with the highest bid.
EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. At the peak of EXOTIC LILY’s activity, we estimate they were sending more than 5,000 emails a day, to as many as 650 targeted organizations globally. Up until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus.
We have observed this threat actor deploying tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, such as spoofing companies and employees to gain the trust of a targeted organization. The email campaigns are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, further evading detection mechanisms. This level of human interaction is rather unusual for cyber crime groups focused on mass scale operations.
Spoofing Organizations and Identities
EXOTIC LILY’s attack chain has remained relatively consistent throughout the time we’ve been tracking the group:

One notable technique is the use of domain and identity spoofing as a way of gaining additional credibility with a targeted organization. In the majority of cases, a spoofed domain name was identical to a real domain name of an existing organization, with the only difference being a change of TLD to “.us”, “.co” or “.biz”.
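A mail-triage check for this TLD-swap pattern, as an added example that is not TAG's tooling. The partner list, the sender addresses and the short multi-label suffix table are constructed assumptions; a production check would use the full Public Suffix List.

```python
# Added example: flag sender domains that reuse a known organisation's name
# under a different TLD. All domains below are constructed.

# Assumption: a tiny stand-in for the Public Suffix List, enough for the demo.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def split_domain(host):
    """Return (organisation label, suffix), e.g. mail.acme.co.uk -> ('acme', 'co.uk')."""
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def build_index(known_domains):
    """Map each organisation label to the suffixes it legitimately uses."""
    index = {}
    for domain in known_domains:
        parts = split_domain(domain)
        if parts:
            index.setdefault(parts[0], set()).add(parts[1])
    return index


def classify_sender(address, index):
    """Return ('known' | 'tld-swap' | 'unrelated', domains being imitated)."""
    parts = split_domain(address.rsplit("@", 1)[-1])
    if parts is None or parts[0] not in index:
        return "unrelated", []
    name, suffix = parts
    if suffix in index[name]:
        return "known", []
    return "tld-swap", sorted(f"{name}.{s}" for s in index[name])


def triage(senders, known):
    """Classify every sender against the known-correspondent index."""
    index = build_index(known)
    return {sender: classify_sender(sender, index) for sender in senders}


# Constructed data: domains the organisation already corresponds with ...
KNOWN_PARTNERS = ["example-corp.com", "acme-widgets.co.uk"]
# ... and constructed envelope senders from inbound mail.
INBOUND = [
    "j.doe@example-corp.com",
    "j.doe@example-corp.us",
    "sales@mail.acme-widgets.co",
    "newsletter@unrelated-shop.org",
]

if __name__ == "__main__":
    for sender, (verdict, imitated) in triage(INBOUND, KNOWN_PARTNERS).items():
        print(f"{sender:32} {verdict:10} {', '.join(imitated)}")
```

A `tld-swap` verdict is a prompt for review, since organisations do legitimately hold several TLDs; adding those to the known list removes the false positive.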
Initially, the group would create entirely fake personas posing as employees of a real company. That would sometimes consist of creating social media profiles, personal websites and generating a fake profile picture using a public service to create an AI-generated human face. In November 2021, the group began to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.

One of the fake social media profiles created by EXOTIC LILY
Using spoofed email accounts, attackers would then send spear phishing emails under the pretext of a business proposal, such as seeking to outsource a software development project or an information security service.

Example of an EXOTIC LILY phishing email impersonating an employee of a legitimate company
Attackers would sometimes engage in further communication with the target by attempting to schedule a meeting to discuss the project’s design or requirements.
At the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker’s email, which presents additional detection challenges.

Attacker uses a file-sharing service email notification feature to send BazarLoader ISO payload
Human-Operated Phishing at Scale
Further evidence suggests an operator’s responsibilities might include:
- customizing the initial “business proposal” templates when first reaching out to a targeted organization;
- handling further communications in order to gain affinity and trust;
- uploading malware (acquired from another group) to a file-sharing service prior to sharing it with the target.
A breakdown of the actor’s communication activity shows the operators are working a fairly typical 9-to-5 job, with very little activity during the weekends. Distribution of the actor’s working hours suggests they might be working from a Central or an Eastern Europe timezone.

Breakdown of actor’s communication activity. Deeper color indicates more activity.
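The same working-hours inference can be run on one's own mail telemetry. This added example (not TAG's code or data) scores each candidate UTC offset by the share of messages that fall inside a Monday-to-Friday 09:00-17:00 local window; the timestamps are constructed.

```python
# Added example: estimate a sender's UTC offset from message timestamps by
# testing which offset best fits a Mon-Fri office-hours window.
from datetime import datetime, timedelta, timezone


def office_hours_fit(timestamps, offset_hours, start=9, end=17):
    """Fraction of messages sent Mon-Fri between start and end, local time."""
    if not timestamps:
        raise ValueError("no timestamps to score")
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in timestamps:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(timestamps)


def best_offsets(timestamps, candidates=range(-12, 15)):
    """Return (offsets with the highest fit, that fit); ties are all reported."""
    scores = {off: office_hours_fit(timestamps, off) for off in candidates}
    top = max(scores.values())
    return [off for off, score in scores.items() if score == top], top


def weekend_share(timestamps, offset_hours):
    """Fraction of messages sent on Saturday or Sunday, local time."""
    tz = timezone(timedelta(hours=offset_hours))
    weekend = sum(ts.astimezone(tz).weekday() >= 5 for ts in timestamps)
    return weekend / len(timestamps)


def constructed_sample():
    """Constructed data: hourly messages 07:00-14:00 UTC, Mon-Fri, plus one on Saturday."""
    monday = datetime(2022, 1, 10, tzinfo=timezone.utc)
    stamps = [monday + timedelta(days=d, hours=h)
              for d in range(5) for h in range(7, 15)]
    stamps.append(monday + timedelta(days=5, hours=10))
    return stamps


if __name__ == "__main__":
    stamps = constructed_sample()
    offsets, fit = best_offsets(stamps)
    print(f"best UTC offset(s): {offsets}, office-hours fit {fit:.2%}")
    print(f"weekend share at UTC{offsets[0]:+d}: {weekend_share(stamps, offsets[0]):.2%}")
```

Several offsets tying for the top score means the sample is too narrow to separate neighbouring timezones, which is why the function returns all of them.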
Malware and Attribution
Although the group came to our attention initially due to its use of documents containing an exploit for CVE-2021-40444, they later switched to the delivery of ISO files with hidden BazarLoader DLLs and LNK shortcuts. These samples have some indicators that suggest they were custom-built to be used by the group. For example, metadata embedded in the LNK shortcuts shows that a number of fields, such as the “Machine Identifier” and “Drive Serial Number”, were shared with BazarLoader ISOs distributed via other means, whereas other fields, such as the command line arguments, were unique to samples distributed by EXOTIC LILY.
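The LNK fields named above can be read with a short parser and used to cluster samples by build host. This is an added example, not TAG's tooling: offsets follow the public MS-SHLLINK layout, `build_sample` is a hypothetical helper that fabricates minimal test links, all values are constructed, and non-Unicode strings are assumed to be cp1252.

```python
# Added example: extract LNK build-host fields and cluster samples on them.
import struct

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
TRACKER_SIGNATURE = 0xA0000003
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")


def parse_lnk(data):
    """Return drive serial, tracker machine ID and arguments of a shell link."""
    if len(data) < 0x4C or data[:4] != b"\x4c\0\0\0" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags, = struct.unpack_from("<I", data, 20)
    meta = {"drive_serial": None, "machine_id": None, "arguments": None}
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: skip it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _, info_flags, vol_off = struct.unpack_from("<4I", data, pos)
        if info_flags & 0x01 and vol_off:        # VolumeID is present
            serial, = struct.unpack_from("<I", data, pos + vol_off + 8)
            meta["drive_serial"] = f"{serial:08X}"
        pos += size
    for bit, field in STRING_FIELDS:             # StringData, in fixed order
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            if field == "arguments":
                meta["arguments"] = raw.decode(codec, "replace")
    while pos + 8 <= len(data):                  # ExtraData blocks
        block_size, signature = struct.unpack_from("<2I", data, pos)
        if block_size < 8:
            break                                # terminal block
        if signature == TRACKER_SIGNATURE and block_size >= 32:
            machine = data[pos + 16:pos + 32].split(b"\0", 1)[0]
            meta["machine_id"] = machine.decode("ascii", "replace")
        pos += block_size
    return meta


def build_sample(machine, serial, arguments):
    """Build a minimal constructed .lnk (test data, not a real sample)."""
    flags = HAS_LINK_INFO | 0x20 | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, flags).ljust(0x4C, b"\0")
    volume_id = struct.pack("<4I", 0x11, 3, serial, 0x10) + b"\0"
    body = volume_id + b"C:\\demo\0" + b"\0"
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C, 0x01, 0x1C,
                            0x1C + len(volume_id), 0, 0x1C + len(body) - 1) + body
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    tracker = struct.pack("<4I16s", 0x60, TRACKER_SIGNATURE, 0x58, 0,
                          machine.encode("ascii")).ljust(0x60, b"\0")
    return header + link_info + args + tracker + b"\0" * 4


def cluster_by_build_host(samples):
    """Group samples by (machine ID, drive serial); keep each group's arguments."""
    clusters = {}
    for blob in samples:
        meta = parse_lnk(blob)
        key = (meta["machine_id"], meta["drive_serial"])
        clusters.setdefault(key, set()).add(meta["arguments"])
    return clusters


# Constructed inputs: two links from one build host, one from another.
SAMPLES = [
    build_sample("build-host-01", 0x1A2B3C4D, "constructed-args-A"),
    build_sample("build-host-01", 0x1A2B3C4D, "constructed-args-B"),
    build_sample("other-host-07", 0x0BADF00D, "constructed-args-A"),
]

if __name__ == "__main__":
    for key, argument_set in cluster_by_build_host(SAMPLES).items():
        print(key, sorted(argument_set))
```

A cluster whose key repeats across deliveries while its argument set differs is the pattern the paragraph describes: a shared build environment with per-distributor command lines.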

In March, the group continued delivering ISO files, but with a DLL containing a custom loader which is a more advanced variant of a first-stage payload previously seen during CVE-2021-40444 exploitation. The loader can be recognized by its use of a unique user-agent “bumblebee” which both variants share. The malware, hence dubbed BUMBLEBEE, uses WMI to collect various system details such as OS version, user name and domain name, which are then exfiltrated in JSON format to a C2. In response, it expects to receive one of the several supported “tasks”, which include execution of shellcode, dropping and running executable files. At the time of the analysis, BUMBLEBEE was observed to fetch Cobalt Strike payloads.
EXOTIC LILY activities overlap with a group tracked as DEV-0413 (Microsoft) and were also described by Abnormal in their recent post. Earlier reports of attacks exploiting CVE-2021-40444 (by Microsoft and other members of the security community) have also indicated overlaps between domains involved in the delivery chain of an exploit and infrastructure used for BazarLoader and Trickbot distribution.
We believe the shift to deliver BazarLoader, along with some other indicators such as a unique Cobalt Strike profile (described by RiskIQ) further confirms the existence of a relationship between EXOTIC LILY and actions of a Russian cyber crime group tracked as WIZARD SPIDER (CrowdStrike), FIN12 (Mandiant, FireEye) and DEV-0193 (Microsoft). While the nature of those relationships remains unclear, EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors.
Improving User Protection
As part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. In collaboration with Gmail and Safe Browsing, we are improving protections by adding additional warnings for emails originating from website contact forms, better identification of spoofing, and adjusting the reputation of email file sharing notifications. Additionally, we’re working with Google’s CyberCrime Investigation Group to share relevant details and indicators with law enforcement.
TAG is committed to sharing our findings as a way of raising awareness with the security community, and with companies and individuals that might have been targeted or suffered from this threat actor’s activities. We hope that improved understanding of the group’s tactics and techniques will enhance threat hunting capability and lead to stronger user protections across industry.
Indicators of Compromise (IOCs)
Recent domains used in email campaigns:
BazarLoader ISO samples:
- 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be
- 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
- c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7
Recent BUMBLEBEE ISO samples:
Recent BUMBLEBEE C2:
- 23.81.246[.]187:443
A Google engineer shares her technical interview tips
Welcome to the latest edition of “My Path to Google,” where we talk to Googlers, interns and alumni about how they got to Google, what they do in their roles and how they prepared for their interviews.
Today, Leann Johnson shares her interesting journey to Google and how she prepared for her technical interviews along the way.
What do you do at Google?
I’m a software engineer for the Google Compute Engine team in Google Cloud. My mission is simple: push software updates to our customers’ machines as often as possible without disrupting their day-to-day operations. My days are typically packed with a lot of meetings — from team syncs to one-on-one sessions with the talented engineers I have the privilege of leading. Outside of meetings, you can find me writing design documents, strategizing long-term projects, reviewing code changes and eating Google’s delicious food.
What were you up to before Google?
I grew up in the Baltimore/Washington, D.C. area, and studied math and computer science in college. After graduating, I did general programming and web development for eight years at NASA’s Goddard Space Flight Center in Maryland. During that time, I also got my master’s degree in computer science. While it was hard to leave a job where I literally met astronauts on a regular basis, Google and the Pacific Northwest came calling, and I couldn’t resist.
Why did you apply to Google?
I didn’t seriously consider applying at first, because I was happy in the position I already had. Then one day, Google invited me to participate in the Foobar Challenge, which is a series of difficult programming exercises. I remember how excited I was to get the invitation, and it took me about a month and a half to complete all five levels of the challenge. At the end, the tool asked if I wanted to submit my information to a Google recruiter. I thought really hard about that — starting the process of interviewing, leaving my job at NASA and moving my children to a new city. Ultimately, I decided that the potential benefits to my career and children’s future outweighed the anxiety, stress and fear that might accompany the process. So I took a leap and submitted my information.
What inspires you to come in (or log in) to work every day?
I really enjoy the opportunity to work on Google-scale (very, very large) projects. That’s just not something you get to do at most companies. Plus, seemingly every single person I work with — from fresh graduates to tenured leadership — is pretty brilliant. The food is also highly motivating!
How did you prepare for your interview?
I mainly read technical interview prep books. Though I’d been coding professionally for eight years, I hadn’t experienced the typical programming interviews that I was going to face at Google, so I needed to brush up on those skills. I also created flash cards, which is a very effective memorization technique, and watched a lot of Google’s YouTube videos about what to expect during technical interviews.
Any tips for aspiring Googlers?
Yes, particularly for engineers! First, practice speaking out loud when you’re solving problems, especially if you typically work them out in your head. Second, don’t skimp on the preparation — know your algorithms and the interview structure. The more you’re used to the format, the less stressful the actual interviews will feel. And finally, remember the interviewers want you to do well. They are not there to criticize every tiny mistake. Getting a few hints is OK. Your main goal is to show the interviewer how you think and that you are capable of solving challenging problems, even if you don’t come up with the perfect answer — I certainly didn’t!
Any advice for your past self?
I wish I could go back and tell my past self that I was intelligent and capable enough to get a job at Google. I think a lot of the anxiety and stress I felt throughout the interview process came from not feeling adequate, which wasn’t the case!











