Amperity update gives customers more control over Customer Data Platform

The Customer Data Platform (CDP) has certainly been getting a lot of attention in marketing software circles over the last year as big dawgs like Salesforce and Adobe enter the fray, but Amperity, a Seattle-based startup, has been building a CDP solution since it launched in 2016, and today it announced some updates to give customers more control over the platform.

Chris Jones, chief product officer at Amperity, says this is an important step for the startup. “If you think about the evolution of our company, we started with an idea that turned into a [Marketing Data Platform], which was the engine that powered all of that, but that engine was largely operated by our delivery team. We’re now putting the power of that engine into the customers’ hands and giving them the full access to that,” Jones explained.

That is giving customers — which include Alaska Airlines, Nordstrom and The Gap — the power to control how the software works in the context of their companies, rather than using a black box approach where you have to use the software as delivered. He says that customers want the ability to start using the system to gain insights on their own.

One of the primary pieces in the newest version of Amperity to allow them to do that is Stitch, a tool that lets users pull together all of the interactions from a customer in a single view —  ingesting the data, sorting, deduplicating it and delivering a list of all the interactions a brand has had with a given customer. From there, they can use the new Customer 360 visualization to get a more graphical view of the data.

Amperity Stitch 2019

Amperity Stitch Screenshot: Amperity.

Jones says companies can use this data to help different groups within a company, whether marketing, sales or service, understand the customer better before or during an interaction. For example, a marketer can segment the data in a very granular way to find all of the regular customers who aren’t part of the company loyalty program, and deliver them an email listing all of the benefits of joining.

Amperity launched in 2016, and has raised $37 million across two rounds. Its most recent funding came in 2017, a $28 million investment led by Tiger Global Management, according to Crunchbase data.

Cathay Innovation leads Laiye’s $35M round to bet on Chinese enterprise IT

For many years, the boom and bust of China’s tech landscape have centered around consumer-facing products. As this space gets filled by Baidu, Alibaba, Tencent, and more recently Didi Chuxing, Meituan Dianping, and ByteDance, entrepreneurs and investors are shifting attention to business applications.

One startup making waves in China’s enterprise software market is four-year-old Laiye, which just raised a $35 million Series B round led by cross-border venture capital firm Cathay Innovation. Existing backers Wu Capital, a family fund, and Lightspeed China Partners, whose founding partner James Mi has been investing in every round of Laiye since Pre-A, also participated in this Series B.

The deal came on the heels of Laiye’s merger with Chinese company Awesome Technology, a team that’s spent the last 18 years developing Robotic Process Automation, a term for technology that lets organizations offload repetitive tasks like customer service onto machines. With this marriage, Laiye officially launched its RPA product UiBot to compete in the nascent and fast-growing market for streamlining workflow.

“There was a wave of B2C [business-to-consumer] in China, and now we believe enterprise software is about to grow rapidly,” Denis Barrier, co-founder and chief executive officer of Cathay Innovation, told TechCrunch over a phone interview.

Since launching in January, UiBot has collected some 300,000 downloads and 6,000 registered enterprise users. Its clients include major names such as Nike, Walmart, Wyeth, China Mobile, Ctrip and more.

Guanchun Wang, chairman and CEO of Laiye, believes there are synergies between AI-enabled chatbots and RPA solutions, as the combination allows business clients “to build bots with both brains and hands so as to significantly improve operational efficiency and reduce labor costs,” he said.

When it comes to market size, Barrier believes RPA in China will be a new area of growth. For one, Chinese enterprises, with a shorter history than those found in developed economies, are less hampered by legacy systems, which makes it “faster and easier to set up new corporate software,” the investor observed. There’s also a lot more data being produced in China given the population of organizations, which could give Chinese RPA a competitive advantage.

“You need data to train the machine. The more data you have, the better your algorithms become provided you also have the right data scientists as in China,” Barrier added.

However, the investor warned that the exact timing of RPA adoption by people and customers is always not certain, even though the product is ready.

Laiye said it will use the proceeds to recruit talents for research and development as well as sales of its RPA products. The startup will also work on growing its AI capabilities beyond natural language processing, deep learning, and reinforcement learning, in addition to accelerating commercialization of its robotic solutions across industries.

Fungible raises $200 million led by SoftBank Vision Fund to help companies handle increasingly massive amounts of data

Fungible, a startup that wants to help data centers cope with the increasingly massive amounts of data produced by new technologies, has raised a $200 million Series C led by SoftBank Vision Fund, with participation from Norwest Venture Partners and its existing investors. As part of the round, SoftBank Investment Advisers senior managing partner Deep Nishar will join Fungible’s board of directors.

Founded in 2015, Fungible now counts about 200 employees and has raised more than $300 million in total funding. Its other investors include Battery Ventures, Mayfield Fund, Redline Capital and Walden Riverwood Ventures. Its new capital will be used to speed up product development. The company’s founders, CEO Pradeep Sindhu and Bertrand Serlet, say Fungible will release more information later this year about when its data processing units will be available and their on-boarding process, which they say will not require clients to change their existing applications, networking or server design.

Sindu previously founded Juniper Networks, where he held roles as chief scientist and CEO. Serlet was senior vice president of software engineering at Apple before leaving in 2011 and founding Upthere, a storage startup that was acquired by Western Digital in 2017. Sindu and Serlet describe Fungible’s objective as pivoting data centers from a “compute-centric” model to a data-centric one. While the company is often asked if they consider Intel and Nvidia competitors, they say Fungible Data Processing Units (DPU) complement tech, including central and graphics processing units, from other chip makers.

Sindhu describes Fungible’s DPUs as a new building block in data center infrastructure, allowing them to handle larger amounts of data more efficiently and also potentially enabling new kinds of applications. Its DPUs are fully programmable and connect with standard IPs over Ethernet local area networks and local buses, like the PCI Express, that in turn connect to CPUs, GPUs and storage. Placed between the two, the DPUs act like a “super-charged data traffic controller,” performing computations offloaded by the CPUs and GPUs, as well as converting the IP connection into high-speed data center fabric.

This better prepares data centers for the enormous amounts of data generated by new technology, including self-driving cars, and industries such as personalized healthcare, financial services, cloud gaming, agriculture, call centers and manufacturing, says Sindu.

In a press statement, Nishar said “As the global data explosion and AI revolution unfold, global computing, storage and networking infrastructure are undergoing a fundamental transformation. Fungible’s products enable data centers to leverage their existing hardware infrastructure and benefit from these new technology paradigms. We look forward to partnering with the company’s visionary and accomplished management team as they power the next generation of data centers.”

Enterprise SaaS revenue hits $100B run rate, led by Microsoft and Salesforce

In its most recent report, Synergy Research, a company that monitors cloud marketshare, found that enterprise SaaS revenue passed the $100 billion run rate this quarter. The market was led by Microsoft and Salesforce.

It shouldn’t be a surprise at this point that these two enterprise powerhouses come in at the top. Microsoft reported $10.1 billion in Productivity and Business Processes revenue, which includes Office 365, the Dynamics line and LinkedIn, the company it bought in 2016 for $26.2 billion. That $10.1 billion accounted for the top spot with 17 percent

Salesforce was next with around 12%. It announced $3.74 billion in revenue in its most recent earnings statement with Service Cloud alone accounting for $1.02 billion in revenue, crossing that billion-dollar mark for the first time.

Adobe came in third, good for around 10% market share, with $2.74 billion in revenue for its most recent report. Digital Media, which includes Creative Cloud and Document Cloud, accounted for the vast majority of the revenue with $1.8 billion. SAP and Oracle complete the top companies

SaaS Q119

A growing market

While that number may seem low, given we are 20 years into the development of the SaaS market, it is still a significant milestone, not to be dismissed lightly. As Synergy pointed out, while the market feels mature, if finds that SaaS revenue still accounts for just 20 percent of the overall enterprise software market. There’s still a long way to go, showing as with the infrastructure side of the market, things change much more slowly than we imagine, and the market is growing rapidly, as the impressive growth rates show.

“While SaaS growth rate isn’t as high as IaaS (Infrastructure as a Service) and PaaS (Platform as a Service), the SaaS market is substantially bigger and it will remain so until 2023. Synergy forecasts strong growth across all SaaS segments and all geographic regions,” the company wrote in its report.

Salesforce is the only one of the top five that was actually born in the cloud. Adobe, an early desktop software company, switched to cloud in 2013. Microsoft, of course, has been a desktop stalwart for many years before embracing the cloud over the last decade. SAP and Oracle are traditional enterprise software companies, born long before the cloud was even a concept, that began transitioning when the market began shifting.

Getting to a billion

Yet in spite of being late to the game, these numbers show that the market is still dominated by the old guard enterprise software companies and how difficult it is to achieve market dominance for companies born in the cloud. Salesforce emerged 20 years ago as an early cloud adherent, but of all of the enterprise SaaS companies that were started this century only ServiceNow and WorkDay show up in the Synergy list lumped in “the next 10.”

That’s not to say there aren’t SaaS companies making some serious money, just not quite as much as the top players to this point. Jason Lemkin, CEO and founder at SaaStr, a company that invests in and supports enterprise SaaS companies, says a lot of companies are close to that $1 billion goal than you might think, and he’s optimistic that we are going to see more.

“We will have at least 100 companies top $1 billion in ARR, probably many more. It is just math. Almost everyone IPO’ing [SaaS company] has 120-140% revenue retention. That will compound $100 million or $200 million to $1 billion. The only question is when,” he told TechCrunch.

SaaS revenue numbers by company

Chart courtesy of SaasStr

He adds that annualized numbers are very close behind ARR numbers and it won’t take long to catch up. Yet as we have seen with some of the companies on this list, it’s still not easy to get there.

It’s hard to develop a billion dollar SaaS company, and it takes time and patience, and perhaps some strategic acquisitions to get there, but the market trajectory continues to move upward. It will likely only grow stronger as more companies move to software in the cloud, and that bodes well for many of the players in this market, even those that didn’t show up on Synergy’s chart.

Microsoft to Require Multi-Factor Authentication for Cloud Solution Providers

It might be difficult to fathom how this isn’t already mandatory, but Microsoft Corp. says it will soon force all Cloud Solution Providers (CSPs) that help companies manage their Office365 accounts to use multi-factor authentication. The move comes amid a noticeable uptick in phishing and malware attacks targeting CSP employees and contractors.

When an organization buys Office365 licenses from a reseller partner, the partner is granted administrative privileges in order to help the organization set up the tenant and establish the initial administrator account. Microsoft says customers can remove that administrative access if they don’t want or need the partner to have access after the initial setup.

But many companies partner with a CSP simply to gain more favorable pricing on software licenses — not necessarily to have someone help manage their Azure/O365 systems. And those entities are more likely to be unaware that just by virtue of that partnership they are giving someone at their CSP (or perhaps even outside contractors working for the CSP) full access to all of their organization’s email and files stored in the cloud.

This is exactly what happened with a company whose email systems were rifled through by intruders who broke into PCM Inc., the world’s sixth-largest CSP. The firm had partnered with PCM because doing so was far cheaper than simply purchasing licenses directly from Microsoft, but its security team was unaware that a PCM employee or contractor maintained full access to all of their employees’email and documents in Office365.

As it happened, the PCM employee was not using multi-factor authentication. And when that PCM employee’s account got hacked, so too did many other PCM customers.

KrebsOnSecurity pinged Microsoft this week to inquire whether there was anything the company could be doing to better explain this risk to customers and CSP partners. In response, Microsoft said while its guidance has always been for partners to enable and require multi-factor authentication for all administrators or agent users in the partner tenants, it would soon be making it mandatory.

“To help safeguard customers and partners, we are introducing new mandatory security requirements for the partners participating in the Cloud Solution Provider (CSP) program, Control Panel Vendors, and Advisor partners,” Microsoft said in a statement provided to KrebsOnSecurity.

“This includes enforcing multi-factor authentication for all users in the partner tenants and adopting secure application model for their API integration with Microsoft,” the statement continues. “We have notified partners of these changes and enforcement will roll out over the next several months.”

Microsoft said customers can check or remove a partner’s delegated administration privileges from their tenants at any time, and that guidance on how do do this is available here and here.

This is a welcome — if long overdue — change. Countless data breaches are tied to weak or default settings. Whether we’re talking about unnecessary software features turned on, hard-coded passwords, or key security settings that are optional, defaults matter tremendously because far too many people never change them — or they simply aren’t aware that they exist.

Phishing | Revealing The Most Vulnerable Targets

Phishing and spearphishing remain the two most widely used vectors for network security breaches, business email compromises and other enterprise security issues. With the number of reported email phishing attacks up for the third quarter in a row, the problem is only increasing as attackers from APTs to unsophisticated buyers of ransomware-as-a-service on the DarkNet understand that the weakest link in every security solution ever-devised is always the human element.

Understanding why phishing attacks work and which people and departments are most vulnerable is an important part of developing your security posture. In this post we’ll take a tour of phishing techniques, vulnerable targets and organizational impacts to help you better prepare for the assault on your network, staff and business.


What Are The Business Impacts of Phishing Attacks?

As the councils of Lake City and Riviera Beach recently found out, the impact of staff that fall for a phishing link can be immediate and costly. Lake City handed hackers $460,000 to regain control of their email and servers in the same week that Riviera Beach reportedly stumped up $600,000 to recover from a similar ransomware attack. It appears that in both cases the criminals used social engineering to convince employees to click an email link which then downloaded malware to the victim’s device.

According to data collected by Proofpoint’s State of the Phish 2019 report, over the last year, 65% of phishing attacks resulted in credential theft or a business email compromise, nearly 50% led to malware infections and almost a quarter to loss of business data.

image of impact from phishing attacks        Image courtesy of Proofpoint

The impacts on a business after falling victim to an attack can be devastating. Aside from outright financial loss such as in a ransomware attack, there are other impacts to consider. For example, in the ransomware attacks on Atlanta, Baltimore, Greenville, Riviera Beach, Lake City and many others, there were huges losses in terms of productivity. Businesses may also likely suffer damage to their reputation if they do not report an attack but it later comes to light due to its affect on customers or services, or if they report it in a non-transparent way. The recent case of an attack on Coinbase is a good example of transparent reporting in which the business not only “saved face” but increased its reputation due to timely and responsible reporting.

In the case of a business email compromise, or so-called “man-in-the-email” attack, the organization may suffer both financial loss through fraudulent wire transfers or other transactions as well as data and IP loss through the transfer of confidential information to unauthorized parties.

There are also impacts on internal teams to consider. Being the victim of a successful phishing attack places extra burden on the organization’s IT and SOC teams and could also cause frustration among other employees impacted by the attack.

What Phishing Techniques Should I Look Out For?

The majority of phishing attacks occur through emails, and often purport to come from a legitimate organization and/or use the name of a person the recipient is familiar with such as this one

image of phishing email

However, email is not the only means by which attackers attempt to social engineer targets. There’s also “smishing” – attempts to phish through SMS messages – and “vishing” – phone or voice message frauds that attempt to trick unsuspecting users.

Whether it’s by email, SMS, or voice, the name of the game is generally to manipulate vulnerable targets into one of three kinds of behavior: clicking a fraudulent link, opening a malicious attachment or entering data into a booby-trapped capture field, such as a fake login page on (what appears to be) a corporate website. 

Cybercriminals continue to register around 20 fake domains for every single business targeted. The aim is to secure domain names that are close enough to the real one so that users could easily be fooled into navigating to the clone of a corporate website. When the real is cloned and registered as or, it’s easy for unwary users to fall victim. On top of that, browser tricks that can mask or hide the real address of a site a user lands on are also known.

Macro and DDE malware hiding in attached documents have been well-documented, but continue to enjoy lasting success. On top of that, researchers have shown that it’s even possible for attackers to edit Youtube videos embedded in documents so that the video link redirects the unsuspecting user to a malicious site or delivers a malware payload.

In order to achieve their goals, cybercriminals are using a range of delivery techniques to scam business employees. These include targeted and generic business emails that request invoices to be paid, invite employees to sign-in to a cloud-base services in order to download or edit an online document, or threaten that an account or service will be suspended unless immediate action is taken.

image of email templates          Image courtesy of Proofpoint

Email subject lines to look out for include anything that might be “Urgent” or “Required”, whether it’s changing a password to paying a bill or cancelling a fake credit card charge.

Who Is Being Targeted by Phishing Attacks?

The short answer to that is: everybody! But in order to make better decisions about how to handle the threat and direct your phishing simulation and training activities, it’s helpful to get into the sticky details. Who is the most vulnerable, and what kinds of attacks do they fall for?

Cybercriminals target specific job functions and departments in different industries, relevant to their goals. For example, ransomware attackers are more likely to focus on phishing campaigns that target HR inboxes as these commonly receive large amounts of legitimate attachments. For that reason, HR staff habitually open attachments in order to get their work done, so slipping in a malicious PDF or Word.doc obviously has greater chance of success there as opposed to an inbox that does not regularly receive attached documents.

On the other hand, a malicious link sent to Marketing staff who are used to following news and trends across social media may have greater chance of success than file attachments. Credential phishing attacks which convince senior staff to enter login details to a fake form or website are more likely to reap greater rewards if targeted towards VPs and Directors. 

In Proofpoint’s report, the most targeted departments were Production/Operations, seeing some nearly 25% of all attacks, with Marketing, Management and Sales departments receiving approximately the same volume, around 10-12%, of phishing email.

image of targeted departments in phishing attacks          Image courtesy of Proofpoint

What Can I Do To Protect Against Phishing Attacks?

Evidence suggests that active training such as running simulated phishing campaigns has a measurable impact on reducing the success rate of phishing attempts but training needs to be continuous. The phishing landscape does not stand still, and staff churn is likely to mean that there will always be a portion of your workforce that is not up to speed with the training programs that you have previously offered.

There are a number of resources you can use if you don’t already have your own training programs in place, from the simple but useful tests like Jigsaw’s Phishing Quiz to more convincing simulations provided by companies such as Proofpoint and KnowB4.

On top of training, be sure that you have good security solution like SentinelOne that can autonomously block code execution from phishing attacks – whether that is a malicious attachment or fileless malware executing in memory – and that can inspect encrypted traffic and enforce firewall control to block known phishing domains.


Understanding who, how and what is involved in phishing attacks is vital to an organization if it is to effectively manage the threat. Knowing which people and departments in your organization are most targeted, under what circumstances and with what techniques can help your infosec team to be able to better detect and respond to attacks.

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Fellow raises $6.5M to help make managers better at leading teams and people

Managing people is perhaps the most challenging thing most people will have to learn in the course of their professional lives – especially because there’s no one ‘right’ way to do it. But Ottawa-based startup Fellow is hoping to ease the learning curve for new managers, and improve and reinforce the habits of experienced ones with their new people management platform software.

Fellow has raised $6.5 million in seed funding, from investors including Inovia Capital, Felicis Ventures, Garage Capital and a number of angels. The funding announcement comes alongside the announcement of their first customers, including Shopify (disclosure: I worked at Shopify when Fellow was implemented and was an early tester of this product, which is why I can can actually speak to how it works for users).

The Fellow platform is essentially a way to help team leads interact with their reports, and vice versa. It’s a feedback tool that you can use to collect insight on your team from across the company; it includes meeting supplemental suggestions and templates for one-on-ones, and even provides helpful suggestions like recommending you have a one-on-one when you haven’t in a while; and it all lives in the cloud, with integrations for other key workplace software like Slack that help it integrate with your existing flow.

Fellow co-founder and CEO Aydin Mirzaee and his co-founding team have previous experience building companies: They founded Fluidware, a survey software company, in 2008 and then sold it to SurveyMonkey in 2014. In growing the team to over 100 people, Mirzaee says they realized where there were gaps, both in his leadership team’s knowledge and in available solutions on the market.

“Starting the last company, we were in our early 20s, and like the way that we used to learn different practices was by using software, like if you use the Salesforce, and you know nothing about sales, you’ll learn some things about sales,” Mirzaee told me in an interview. “If you don’t know about marketing, use Marketo, and you’ll learn some things about marketing. And you know, from our perspective, as soon as we started actually having some traction and customers and then hired some people, we just got thrown into it. So it was ‘Okay, now, I guess we’re managers.’ And then eventually we became managers of managers.”

Fellow Team Photo 2019

Mirzaee and his team then wondered why a tool like Salesforce or Marketo didn’t exist for management. “Why is it that when you get promoted to become a manager, there isn’t an equivalent tool to help you with that?” he said.

Concept in hand, Fellow set out to build its software, and what it came up with is a smartly designed, user-friendly platform that is accessible to anyone regardless of technical expertise or experience with management practice and training. I can attest to this first-hand, since I was a first-time manager using Fellow to lead a team during my time at Shopify – part of the beta testing process that helped develop the product into something that’s ready for broader release. I was not alone in my relative lack of management knowledge, Mirzaee said, and that’s part of why they saw a clear need for this product.

“The more we did research, the more we figured out that obviously, managers are really important,” he explained. “70% of customer engagements are due to managers, for instance. And when people leave companies, they tend to leave the manager, not the company. The more we dug into it the more it was clear that there truly was this management problem –  management crisis almost, and that nobody really had built a great tool for managers and their teams like.”

Fellow’s tool is flexible enough to work with specific management methodologies like setting SMART goals or OKRs for team members, and managers can use pre-set templates or build their own for things like setting meeting talking points, or gathering feedback from the colleagues of their reports.

Right now, Fellow is live with a number of clients including Shoify, Vidyard, Tulip, North and more, and it’s adding new clients who sign up on a case-by-case basis, but increasing the pace at which it onboard new customers. Mirzaee explained that it hopes to open sign ups entirely later this year.

We’re talking Kubernetes at TC Sessions: Enterprise with Google’s Aparna Sinha and VMware’s Craig McLuckie

Over the past five years, Kubernetes has grown from a project inside of Google to an open source powerhouse with an ecosystem of products and services, attracting billions of dollars in venture investment. In fact, we’ve already seen some successful exits, including one from one of our panelists.

On September 5th at TC Sessions: Enterprise, we’re going to be discussing the rise of Kubernetes with two industry veterans. For starters we have Aparna Sinha, director of product management for Kubernetes and the newly announced Anthos product. Sinha was in charge of several early Kubernetes releases and has worked on the Kubernetes team at Google since 2016. Prior to joining Google, she had 15 years experience in enterprise software settings.

Craig McLuckie will also be joining the conversation. He’s one of the original developers of Kubernetes at Google. He went on to found his own Kubernetes startup, Heptio, with Joe Beda, another Google Kubernetes alum. They sold the company to VMware last year for $505 million after raising $33.5 million, according to Crunchbase data.

The two bring a vast reservoir of knowledge and will be discussing the history of Kubernetes, why Google decided to open source it and how it came to grow so quickly. Two other Kubernetes luminaries will be joining them. We’ll have more about them in another post soon.

Kubernetes is a container orchestration engine. Instead of developing large monolithic applications that sit on virtual machines, containers run a small part of the application. As the components get smaller, it requires an orchestration layer to deliver the containers when needed and make them go away when they are not longer required. Kubernetes acts as the orchestra leader.

As Kubernetes, containerization and the cloud-native ethos it encompasses has grown, it has helped drive the enterprise shift to the cloud in general. If you can write your code once, and use it in the cloud or on prem, it means you don’t have to manage applications using different tool sets and that has had broad appeal for enterprises making the shift to the cloud.

TC Sessions: Enterprise (September 5 at San Francisco’s Yerba Buena Center) will take on the big challenges and promise facing enterprise companies today. TechCrunch’s editors will bring to the stage founders and leaders from established and emerging companies to address rising questions, like the promised revolution from machine learning and AI, intelligent marketing automation and the inevitability of the cloud, as well as the outer reaches of technology, like quantum computing and blockchain.

Tickets are now available for purchase on our website at the early-bird rate of $395; student tickets are just $75.

Student tickets are just $75 – grab them here.

We have a limited number of Startup Demo Packages available for $2,000, which includes four tickets to attend the event.

For each ticket purchased for TC Sessions: Enterprise, you will also be registered for a complimentary Expo Only pass to TechCrunch Disrupt SF on October 2-4.

Breach at Cloud Solution Provider PCM Inc.

A digital intrusion at PCM Inc., a major U.S.-based cloud solution provider, allowed hackers to access email and file sharing systems for some of the company’s clients, KrebsOnSecurity has learned.

El Segundo, Calif. based PCM [NASDAQ:PCMI] is a provider of technology products, services and solutions to businesses as well as state and federal governments. PCM has nearly 4,000 employees, more than 2,000 customers, and generated approximately $2.2 billion in revenue in 2018.

Sources say PCM discovered the intrusion in mid-May 2019. Those sources say the attackers stole administrative credentials that PCM uses to manage client accounts within Office 365, a cloud-based file and email sharing service run by Microsoft Corp.

One security expert at a PCM customer who was recently notified about the incident said the intruders appeared primarily interested in stealing information that could be used to conduct gift card fraud at various retailers and financial institutions.

In that respect, the motivations of the attackers seem similar to the goals of intruders who breached Indian IT outsourcing giant Wipro Ltd. earlier this year. In April, KrebsOnSecurity broke the news that the Wipro intruders appeared to be after anything they could quickly turn into cash, and used their access to harvest gift card information from a number of the company’s customers.

It’s unclear whether PCM was a follow-on victim from the Wipro breach, or if it was attacked separately. As noted in that April story, PCM was one of the companies targeted by the same hacking group that compromised Wipro.

The intruders who hacked into Wipro set up a number of domains that appeared visually similar to that of Wipro customers, and many of those customers responded to the April Wipro breach story with additional information about those attacks.

PCM never did respond to requests for comment on that story. But in a statement shared with KrebsOnSecurity today, PCM said the company “recently experienced a cyber incident that impacted certain of its systems.”

“From its investigation, impact to its systems was limited and the matter has been remediated,” the statement reads. “The incident did not impact all of PCM customers; in fact, investigation has revealed minimal-to-no impact to PCM customers. To the extent any PCM customers were potentially impacted by the incident, those PCM customers have been made aware of the incident and PCM worked with them to address any concerns they had.”

On June 24, PCM announced it was in the process of being acquired by global IT provider Insight Enterprises [NASDAQ:NSIT]. Insight has not yet responded to requests for comment.

Earlier this week, cyber intelligence firm RiskIQ published a lengthy analysis of the hacking group that targeted Wipro, among many other companies. RiskIQ says this group has been active since at least 2016, and posits that the hackers may be targeting gift card providers because they provide access to liquid assets outside of the traditional western financial system.

The breach at PCM is just the latest example of how cybercriminals increasingly are targeting employees who work at cloud data providers and technology consultancies that manage vast IT resources for many clients. On Wednesday, Reuters published a lengthy story on “Cloud Hopper,” the nickname given to a network of Chinese cyber spies that hacked into eight of the world’s biggest IT suppliers between 2014 and 2017.

How Two Firefox Zero Days Led to Two macOS Backdoors

Last week was a busy week for macOS malware. Along with a Gatekeeper POC being deployed in the wild only days after being published and a hulking 2.5GB cryptominer on the loose stealing resources from those tempted by pirate software, there was also the big reveal of two Firefox zero-days being used in the wild to deliver at least two different kinds of malware. These both turned out to be new variants of old friends: OSX.Netwire/Wirenet and OSX.Mokes, a backdoor that contains code indicative of recording user behaviour and exfiltrating it to a server in encrypted form.

In this post, we’ll review how the two Firefox zero days were used to achieve remote code execution, discuss the malware dropped by threat actors leveraging these zero days in the wild, and reveal six unpublished IOCs used by one of the backdoors. 

image of how firefox zero days led to two  backdoors

FireFox 0-Days Used in Targeted Attacks

On April 15, Samuel Groß, a researcher from Google’s Project Zero, reported a zero day vulnerability in the Firefox browser that could lead to a remote code execution (RCE) exploit. It seems Mozilla didn’t get around to fixing the bug until the Coinbase security team reported it being actively exploited in an attack against their network on June 17. 

According to Mozilla, CVE-2019-11707 was fixed on June 18, 24 hours after Coinbase’s report, noting that they were aware of “targeted attacks” occurring in the wild.

image of first firefox zero day

Interestingly, Groß had noted that any threat actor trying to exploit the Array.pop type confusion to achieve remote code execution would still need a separate sandbox escape if they wanted to do anything more ambitious than universal cross-site scripting (UXSS). However, a second Firefox zero-day achieving exactly such a sandbox escape was also seen by Coinbase during the attack on their servers. Firefox subsequently released a second update two days later to also address that.

image of second firefox zero day

The sandbox escape leverages the fact that browsers are typically not themselves sandboxed, but rather run web pages as separate processes in a sandbox container as seen in the following image. 

image of sandboxed processes

This means that attackers should not be able to run malicious code from a website to do things like read, write or execute files on the local disk as the webcontent is effectively separated both from the parent process and the machine at large.

However, the sandbox escape using Prompt:Open exploits a flaw in the IPC messaging between the parent and child processes, effectively allowing the child process to instruct the non-sandboxed parent to open content of the child’s choosing. Combined with CVE-2019-11707, this allows attackers to achieve arbitrary code execution.

Exploiting these vulnerabilities, the threat actors targeting Coinbase dropped two separate pieces of malware, as revealed by Coinbase researcher Philip Martin.

image ot tweet from coinbase researcher

The second of the two hashes


is a variant of Netwire.A/Wirenet.C, and surprisingly is still detected by reputation agents, including macOS’s built-in XProtect, using signatures created back in 2016.

image of netwire A malware

The first one, however, is far more interesting. This 13MB binary is a cross-platform backdoor utilitizing the Qt framework and appearing to target both macOS and Windows devices.

image of hex code showing powershell

Due to its close similarities to the Mokes.A malware, first discovered by Kaspersky in 2016, researchers have dubbed this sample Mokes.B. Let’s take a closer look at it.

VirusTotal Doesn’t Tell You Everything

The discovery of Mokes.B seemed to cause quite a stir as not only was it dropped by two zero days, but its own reputation was initially unknown on VirusTotal. When we first looked at it, none of VirusTotal’s detection engines recognized it. 

image of virustotal detections

VirusTotal show the detection status of a number of engines running on their own servers, and screenshots like this can be real attention grabbers on social media. However, it’s important to understand that what such an image shows is not what is often believed. Specifically, the lack of detections on VT does not necessarily mean no security solutions are detecting the malware in the wild.

What it does show is that the signature-based engines supplied to VirusTotal by AV vendors did not recognize the malware. AI-powered behavioral engines like those used in SentinelOne, however, are not available to VirusTotal and the detection status on VT does not represent how SentinelOne works on a real endpoint.  

In fact, we tested OSX.Mokes.B very early on and found that our behavioral engine immediately alerted on the executable, reported on the persistence agent it dropped and revealed further IOCs that, to our knowledge, have yet to be recorded by other researchers. 

How We Detect OSX.Mokes.B

Here is how the attack appears in the SentinelOne management console, along with relevant links to MITRE ATT&CK framework, Recorded Future and VirusTotal.

image of detection in console

On the agent side, running the attack code produces a notification alert for the end user, but the really interesting details are provided in the console for the IT admin or security team. The raw log reveals that aside from the executable and persistence agent, another file is dropped in the User’s ~/Library/Application Support folder.

image of sentinelone console raw data

This turns out to be a zero byte file with a hardcoded MD5 hash for a file name. The purpose of this file seems to be to track which of the six hardcoded malware names have already been used in the infection. To see how this works, let’s take a closer look at the behavior.

As other researchers have noted, both the original Mokes.A and the new Mokes.B variant use six hardcoded sets of names for the malware and its persistence agent.

image of dropped malware names

These sets consist of one or more folder names and a file executable name dropped in the ~/Library folder. The executable name is also the same as the name of the ~/Library/LaunchAgents plist item used for persistence.

1. ~/Library/App Store/storeaccountd
2. ~/Library/
3. ~/Library/Skype/soagent
4. ~/Library/Dropbox/quicklookd
5. ~/Library/Google/Chrome/accountd
6. ~/Library/Firefox/Profiles/trustd

However, what does not appear to have been noted by previous researchers is that as the malware is dropped, a zero byte tracking file is also dropped in ~/Library/Application Support folder. The name of the tracking file depends on which of the six set of malware names has been dropped. 

The empty tracking files have md5 hash strings for names and are correlated with the malware names as follows:

1. ~/Library/Application Support/c8030abb9b95ba961a1c8ebcab43c862  
# written when App Store/storeaccountd is used

2. ~/Library/Application Support/e5d4af62734babc54f43d8a11f640be2 
# written when is used

3. ~/Library/Application Support/ece82aa35ebd3223504634661d07bd41 
# written when Skype/soagent is used

4. ~/Library/Application Support/bfad2737fe8ea987c1cc5f8f38031677 
# written when Dropbox/quicklookd is used

5. ~/Library/Application Support/474d33349c808c86f0039d6130eb1c3e 
# written when Google/Chrome/accountd is used

6. ~/Library/Application Support/c494e0efe766d657a55a1fd37f5d94c1 
# written when Firefox/Profiles/trustd is used

However, the hash string used in the name of the tracking file is not related to the md5 hash of either the plist or the executable dropped and appears to be arbitrary.

image of md5 hashes

We noted that these tracking files are only written once, when the malware is first dropped, and are not rewritten by the persistence agent if they are deleted. 

What Does Mokes.B Actually Do?

Mokes.B is a backdoor that has functions related to exfiltrating user data, keylogging, and capturing screenshots from the victim’s device.

image of code showing screenshots

Mokes.B reaches out to the following IP address, which belongs to a server located in Germany. The location is shown in the SentinelOne management console:

image of sentinel one showing ip address location

Using netcat, we can see that the server is up and running. However, we weren’t able to initiate any communication from the server to our infected machines. Given the recent media attention, it is unsurprising that the attackers are no longer interested in responding.

image of netcat


The use of recently discovered and hitherto unpublished Firefox zero days along with cross-platform malware indicates a threat actor with some expertise and resources. With that in mind, it seems reasonable to conclude that this won’t be the last we hear of them. Given that the only known use of this attack in the wild was against a cryptocurrency exchange, we can also speculate that the perpertrators were more likely criminal than political (although the two are not necessarily mutually exclusive). 

All Firefox users are urged to update to the latest version, and enterprise users should ensure they have a capable next-gen security solution in place. As our analysis has shown, SentinelOne’s behavioral AI can not only detect these kinds of attacks without relying on reputation, it can also reveal further IOCs that other solutions may miss. If you’re not already protected by SentinelOne, try a free demo to see how we can protect your organization.

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security