Novo, a neobank for SMBs, banks $41M

Small businesses have traditionally been underserved when it comes to IT: they are too big, with too many requirements, for consumer products, yet much too small to afford, implement or fully need the apps and other IT built for larger enterprises. But when it comes to neobanks, there seems to be no shortage of options for the SMB market, nor of venture funding being invested to help them grow.

In the latest development, Novo, a neobank that has built a service targeting small businesses, has closed a round of $40.7 million, a Series A that it will be using to continue growing its business, and its platform.

The funding is being led by Valar Ventures with Crosslink Capital, Rainfall Ventures, Red Sea Ventures and BoxGroup all participating. The startup is not disclosing valuation, but Novo — originally founded in New York in 2018 but now based out of Miami — has racked up 100,000 SMB customers — which it defines as businesses that make between $25,000 and $100,000 in annualized revenues — and has seen $1 billion in lifetime transactions, with growth accelerating in the last couple of years.

There are a wide variety of options for small businesses these days when it comes to going for a banking solution. They include staying with traditional banks (which are starting to add an increasing number of services and perks to retain small business customers), as well as a variety of fintechs — other neobanks, like Novo — that are building banking and related financial tools to cater to startups and other small businesses.

Just doing a quick search, some of the others targeting the sector include Rho, NorthOne, Lili, Mercury, Brex, Hatch, Anna, Tide, Viva Wallet, Open and many more (and you could argue also players like Amazon, offering other money management and spending tools similar to what neobanks are providing). Some of these are not in the U.S., and some are geared more at startups, or freelancers, but taken together they speak to the opportunity and also the attention that it is getting from the tech industry right now.

As CEO and co-founder Michael Rangel — who hails from Miami — described it to me, one of the key differentiators with Novo is that it’s approaching SMB banking from the point of view of running a small business. By this, he means that typically SMBs are already using a lot of other finance software — on average seven apps per business — to manage their books, payments and other matters, and so Novo has made it easier by way of a “drag and drop” dashboard where an SMB can integrate and view activity across all of those apps in one place. There are “dozens” of integrations currently, he said, and more are being added.

This is the first step, he said. The plan is to build more technology so that the activity between different apps can also be monitored, and potentially automated.

“We’re able to see this is your balance and what you should expect,” he said. “The next frontier is to marry the incoming with outgoing. We’re using the funding to build that, and it’s on the roadmap in the next six months.”

Novo has yet to bring cash advances or other lending products into its platform, although those too are on the roadmap, but it is also listening to its customers and watching what they want to do on the platform. That is another reason why it's clever to make it easy for those customers to integrate other services into Novo: not only does that solve a pain point for the customer, but it becomes a pretty clear indicator of what customers are doing, and how you could better cater to that.

Listening to the customers is in itself becoming a happy challenge, it seems. Novo launched quietly enough — between 2018 and the end of 2019, it had picked up only 5,000 accounts. But all that changed during 2020 and the COVID-19 pandemic, which Rangel describes as “just hockey stick growth. We grew like crazy.”

The reason, he said, is a classic example of why incumbent banks have to catch up with the times. Everyone was locked down at home, and suddenly a lot of people who were either furloughed or laid off were “spinning up businesses,” he said, and that led to many of them needing to open bank accounts. But those who tried to do this with high-street banks were met with a pretty significant barrier: you had to go into the bank in person to authenticate yourself, but either the banks were closed, or people didn’t want to travel to them. That paved the way for Novo (and others) to cater to them.

Its customer numbers shot up to 24,000 in the year.

Then other market forces have also helped it. You might recall that banking app Simple was shut down by BBVA ahead of its merger with PNC; at the same time, it also shut down Azlo, its small business banking service. That led to a significant number of users migrating to other services, and Novo got a huge windfall out of that, too.

In the last six months, Novo grew four-fold, and Rangel attributed a lot of that to ex-Azloans looking for a new home.

The fact that there are so many SMB banking providers out there might mean competition, but it also means fragmentation, and so if a startup emerges that seems to be catching on, it’s going to catch something else, too: the eye of investors.

“The ability of the Novo team to grow the company rapidly during a year where businesses have faced unprecedented challenges is impressive,” said Andrew McCormack, founding partner at Valar Ventures, the firm co-founded by Peter Thiel, another big figure in fintech. “Novo tripled its small business customer base in the first half of 2021! Their custom infrastructure and banking platform put them in prime position to expand their services at an even faster pace as we come out of the health crisis. All of us at Valar Ventures are excited to join this team.”

Ukrainian Police Nab Six Tied to CLOP Ransomware

Authorities in Ukraine this week charged six people alleged to be part of the CLOP ransomware group, a cybercriminal gang said to have extorted more than half a billion dollars from victims. Some of CLOP’s victims this year alone include Stanford University Medical School, the University of California, and University of Maryland.

A still shot from a video showing Ukrainian police seizing a Tesla, one of many high-end vehicles seized in this week’s raids on the Clop gang.

According to a statement and videos released today, the Ukrainian Cyber Police charged six defendants with various computer crimes linked to the CLOP gang, and conducted 21 searches throughout the Kyiv region.

First debuting in early 2019, CLOP is one of several ransomware groups that hack into organizations, launch ransomware that encrypts files and servers, and then demand an extortion payment in return for a digital key needed to unlock access.


CLOP has been especially busy over the past six months exploiting four different zero-day vulnerabilities in File Transfer Appliance (FTA), a file sharing product made by California-based Accellion.

The CLOP gang seized on those flaws to deploy ransomware to a significant number of Accellion’s FTA customers, including U.S. grocery chain Kroger, the law firm Jones Day, security firm Qualys, and the Singaporean telecom giant Singtel.

Last year, CLOP adopted the practice of attempting to extract a second ransom demand from victims in exchange for a promise not to publish or sell any stolen data. Terabytes of documents and files stolen from victim organizations that have not paid a data ransom are now available for download from CLOP’s deep web site, including Stanford, UCLA and the University of Maryland.

CLOP’s victim shaming blog on the deep web.

It’s not clear how much this law enforcement operation by Ukrainian authorities will affect the overall operations of the CLOP group. Cybersecurity intelligence firm Intel 471 says the law enforcement raids in Ukraine were limited to the cash-out and money laundering side of CLOP’s business only.

“We do not believe that any core actors behind CLOP were apprehended, due to the fact that they are probably living in Russia,” Intel 471 concluded. “The overall impact to CLOP is expected to be minor although this law enforcement attention may result in the CLOP brand getting abandoned as we’ve recently seen with other ransomware groups like DarkSide and Babuk” [links added].

While CLOP as a moneymaking collective is a fairly young organization, security experts say CLOP members hail from a group of threat actors known as “TA505,” which MITRE’s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.

How Does One Get Hired by a Top Cybercrime Gang?

The U.S. Department of Justice (DOJ) last week announced the arrest of a 55-year-old Latvian woman who’s alleged to have worked as a programmer for Trickbot, a malware-as-a-service platform responsible for infecting millions of computers and seeding many of those systems with ransomware.

Just how did a self-employed web site designer and mother of two come to work for one of the world’s most rapacious cybercriminal groups and then leave such an obvious trail of clues indicating her involvement with the gang? This post explores answers to those questions, as well as some of the ways Trickbot and other organized cybercrime gangs gradually recruit, groom and trust new programmers.

Alla Witte’s personal website — allawitte[.]nl — circa October 2018.

The indictment released by the DOJ (PDF) is heavily redacted, and only one of the defendants is named: Alla “Max” Witte, a 55-year-old Latvian national who was arrested Feb. 6 in Miami, Fla.

The DOJ alleges Witte was responsible for “overseeing the creation of code related to the monitoring and tracking of authorized users of the Trickbot malware, the control and deployment of ransomware, obtaining payments from ransomware victims, and developing tools and protocols for the storage of credentials stolen and exfiltrated from victims infected by Trickbot.”

The indictment also says Witte provided code to the Trickbot Group for a web panel used to access victim data stored in a database. According to the government, that database contained a large number of credit card numbers and stolen credentials from the Trickbot botnet, as well as information about infected machines available as bots.

“Witte provided code to this repository that showed an infected computer or ‘bot’ status in different colors based on the colors of a traffic light and allowed other Trickbot Group members to know when their co-conspirators were working on a particular infected machine,” the indictment alleges.

While any law enforcement action against a crime group that has targeted hospitals, schools, public utilities and governments is good news, Witte’s indictment and arrest were probably inevitable: It is hard to think of an accused cybercriminal who has made more stunningly poor and rookie operational security mistakes than this Latvian senior citizen.

For starters, it appears at one point in 2020 Witte actually hosted Trickbot malware on a vanity website registered in her name: allawitte[.]nl.

While it is generally a bad idea for cybercriminals to mix their personal life with work, Witte’s social media accounts mention a close family member (perhaps her son or husband) had the first name “Max,” which allegedly was her hacker handle.

Unlike many accused cybercriminals who hail from Russia or former Soviet countries, Witte did not feel obligated to avoid traveling to areas where she might be within reach of U.S. law enforcement agencies. According to her indictment, Witte was living in the South American nation of Suriname and she was arrested in Miami while flying from Suriname. It is not clear where her intended destination was.

A Google-translated post Witte made to her Vkontakte page, five years before allegedly joining the Trickbot group.

Alex Holden, founder of the cybersecurity intelligence firm Hold Security, said Witte’s greatest lapse in judgment came around Christmas time in 2019, when she infected one of her own computers with the Trickbot malware — allowing it to steal and log her data within the botnet interface.

“On top of the password re-use, the data shows a great insight into her professional and personal Internet usage,” Holden wrote in a blog post on Witte’s arrest.

“Many in the gang not only knew her gender but her name too,” Holden wrote. “Several group members had AllaWitte folders with data. They refer to Alla almost like they would address their mothers.”

So how did this hacker mom with apparently zero sense of self-preservation come to work for one of the world’s most predatory cybercriminal gangs?

The government’s indictment dedicates several pages to describing the hiring processes of the Trickbot group, which continuously scoured fee-based Russian and Belarusian job websites for resumes of programmers looking for work. Those who responded were asked to create various programs designed to test the applicant’s problem-solving and coding skills.

Here’s a snippet of translated instant message text between two of the unnamed Trickbot defendants, in which they discuss an applicant who understood immediately that he was being hired to help with cybercrime activity.

A conversation between two Trickbot group members concerning a potential new hire. Image: DOJ.

The following conversation, on or about June 1, 2016, concerned a potential new Trickbot hire who successfully completed a test task that involved altering a Firefox Web browser.

Other conversation snippets in the indictment suggest most new recruits understand that the projects and test tasks they are being asked to tackle are related to cybercrime activity.

“The majority understand that this is blackhat and asking for the commercial target,” wrote the defendant identified only as Co-Conspirator 8 (CC8).

But what about new hires that aren’t hip to exactly how the programs they’re being asked to create get used? Another source in the threat intelligence industry who has had access to the inner workings of Trickbot provided some additional context on how developers are onboarded into the group.

“There’s a two-step hiring process where at first you may not understand who you’re working for,” said the source. “But that timeframe is typically pretty short, like less than a year.”

After that, if the candidate is talented and industrious enough, someone in the Trickbot group will “read in” the new recruit — i.e. explain in plain terms how their work is being used.

“If you’re good, at some point they’re going to read you in and you’ll know, but if you’re not good or you’re not okay with that, they will triage that pretty quickly and your services will no longer be required,” the source said. “But if you make it past that first year, the chances that you still don’t know what you’re doing are very slim.”

According to the DOJ, Witte had access to Trickbot for roughly two years between 2018 and 2020.

Investigators say prior to launching Trickbot, some members of the conspiracy previously were responsible for disseminating Dyre, a particularly stealthy password stealer that looked for passwords used at various banks. The government says Trickbot members — including Witte — routinely used bank account passwords stolen by their malware to drain victim bank accounts and send the money to networks of money mules.

The hiring model adopted by Trickbot allows the gang to recruit a steady stream of talented developers cheaply and covertly. But it also introduces the very real risk that new recruits may offer investigators a way to infiltrate the group’s operations, and possibly even identify co-conspirators.

Ransomware attacks are nearly all perpetrated these days by ransomware affiliate groups which constantly recruit new members to account for attrition, competition from other ransomware groups, and for the odd affiliate who gets busted by law enforcement.

Under the ransomware affiliate model, a cybercriminal can earn up to 85 percent of the total ransom paid by a victim company he or she is responsible for compromising and bringing to the group. But from time to time, poor operational security by an affiliate exposes the gang’s entire operation.

On June 7, the DOJ announced it had clawed back $2.3 million worth of Bitcoin that Colonial Pipeline paid to ransomware extortionists last month. The funds had been sent to DarkSide, a ransomware-as-a-service syndicate that disbanded after a May 14 farewell message to affiliates saying its Internet servers and cryptocurrency stash were seized by unknown law enforcement entities.

“The proceeds of the victim’s ransom payment…had been transferred to a specific address, for which the FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address,” the DOJ explained, somewhat cryptically.

Multiple security experts quickly zeroed in on how investigators were able to retrieve the funds, which did not represent the total amount Colonial paid (~$4.4 million): The amount seized was roughly what a top DarkSide affiliate would have earned for scoring the initial malware infection that precipitated the ransomware incident.

Securing the Enterprise – “I Thought We Had That Configured?”

In this post, we dive into a scenario that many security professionals, at one time or another in their careers, may have experienced. It’s the moment when something unexpected occurs and someone asks: “I thought we had that configured?” That’s the moment when the security team starts reviewing their security stack, checking old emails, and reviewing tickets to understand what went wrong. Worst case? That glitch might have been the reason why there is an active threat to the environment.

Configuration Starts With Responsibility

But why do we have the paradox of misconfigurations in the first place? The most common reason is that the security team is not in control of managing the security capabilities. If the security team depends on the IT management team to push the security policies, there’s a gap between the team responsible for deciding the policies and the team that actually implements them.

And why aren’t security administrators able to manage security systems? If the Exchange Server is governed by the Exchange administrators and the Okta identity instance by the identity administrators, why shouldn’t the security tools be similarly managed by the security administrators?

The answer is often rooted in the legacy architecture that the enterprise is carrying. In the past, to configure security policies, teams were required to use group policies, System Center Configuration Manager, or Microsoft Endpoint Manager. Essentially, they were using the IT management tool to set up and maintain security. Therefore, even when an organization had security administrators, they depended on the IT team for any required change.

Today’s Security Challenges Require A Different Approach

While it might have worked in the past to have the IT team manage security controls, modern enterprises are at the stage where that is no longer scalable. Today, we aren’t just configuring a legacy antivirus and a password policy. We need to consider different attack surfaces and tune our preventative controls accordingly. The time when a security administrator could raise an IT ticket and then sit and wait is long behind us.

Ultimately, as security administrators, we are responsible for the organization’s security posture and accountable for the technologies related to it. We must ensure that the configurations are in place based on the security architects’ policies and frameworks.

To achieve that, it is paramount to control the technology and reduce external dependencies where possible. Therefore, it is essential to understand how to deploy and maintain the solution when selecting security technologies. We do not want to be faced with a situation where a policy had been thought through and decided on but never implemented because it had to be passed off to another team to be configured. And if we are faced with a discrepancy in policy and configuration, we need to have a better response than “I had asked the IT team to implement that policy.”

To see how you can start addressing these challenges, let’s look at how your organization can safely and securely manage configuration policies with the SentinelOne XDR platform. We’ll look at role-based access controls, endpoint detection and response policies, and device and network control.


Using Role-Based-Access-Control (RBAC)

The security team deals with a lot of sensitive information, so the principle of least privilege is critical. The bottom line is that only people with a clear business reason should have access to specific information. For example, as a security administrator, I should be able to see the endpoint configuration, manage agent update cycles, and configure device policies and the firewall. Still, I do not need access to forensic capabilities or to active incidents. With Role-Based Access Control (RBAC), this can be achieved.

In this example, you will find several distinct roles applied to this SentinelOne demo instance: one for security administrators that grants them access to anything related to the configuration of an endpoint, and three different roles for my Security Operations Center based on my tier-level definition.

Each role provides granular access criteria. You can not only choose which sections of SentinelOne this role should have access to but also go one level deeper by component and even differentiate between view, edit, and delete rights.
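To make the "view, edit and delete per component" granularity concrete, here is an added example of a deny-by-default role model; it is illustration code, not SentinelOne's implementation, and the role, section and component names are assumptions. The point it shows is that a security administrator role can own everything under endpoint configuration while still having no path into forensics or incidents, and that a review helper can answer "who can actually do this?" before a policy is rolled out.

```javascript
// Added example, not SentinelOne's code: a deny-by-default role model in which a
// permission is (section, component, action), mirroring the "view, edit, delete
// per component" granularity described above. Role names, section names and
// component names are assumptions for illustration.
const ACTIONS = new Set(['view', 'edit', 'delete']);

// A grant: { section, component, actions }. component '*' covers every
// component in that section; there is deliberately no section wildcard, so a
// grant must name the area it opens up.
const ROLES = {
  'security-admin': [
    { section: 'endpoint-config', component: '*', actions: ['view', 'edit', 'delete'] },
    { section: 'agent-updates',   component: '*', actions: ['view', 'edit'] },
    { section: 'device-control',  component: '*', actions: ['view', 'edit', 'delete'] },
    { section: 'firewall',        component: '*', actions: ['view', 'edit', 'delete'] },
  ],
  'soc-tier1': [
    { section: 'incidents', component: 'threats', actions: ['view'] },
  ],
  'soc-tier2': [
    { section: 'incidents', component: 'threats',         actions: ['view', 'edit'] },
    { section: 'forensics', component: 'deep-visibility', actions: ['view'] },
  ],
  'soc-tier3': [
    { section: 'incidents', component: '*', actions: ['view', 'edit', 'delete'] },
    { section: 'forensics', component: '*', actions: ['view', 'edit', 'delete'] },
  ],
};

// True only if some grant of `role` explicitly covers the requested triple.
function roleAllows(role, section, component, action) {
  if (!ACTIONS.has(action)) throw new Error(`unknown action: ${action}`);
  const grants = ROLES[role];
  if (!grants) return false; // unknown role: nothing is implied
  return grants.some(g =>
    g.section === section &&
    (g.component === '*' || g.component === component) &&
    g.actions.includes(action));
}

// A user holding several roles gets the union of their grants.
function userAllows(userRoles, section, component, action) {
  return userRoles.some(r => roleAllows(r, section, component, action));
}

// Review helper for "who can actually touch this?": every role that can perform
// `action` on at least one component of `section`.
function rolesWithAccess(section, action) {
  return Object.keys(ROLES)
    .filter(r => ROLES[r].some(g => g.section === section && g.actions.includes(action)))
    .sort();
}
```

The review helper is the piece worth copying: running it against a sensitive section (forensics, incident deletion) before and after a role change turns "I thought we had that configured?" into a check that can be scripted and kept in version control.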

EDR and EPP Policies

Sometimes you might need a little more flexibility when managing Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) capabilities, depending on whether it’s for your Privileged Access Workstation (PAW), High-Value Asset (HVA)-type services, or general workplace endpoints.

SentinelOne provides that flexibility by allowing you to configure a global policy for your SentinelOne instance, and you can determine if the same policy should be applied to all device groups or if, for example, a device group for HVA assets should have a different one.

Device and Network Control

Reducing the attack surface is a critical task for security administrators, so often the first step is to configure device restriction policies and the firewall.

SentinelOne provides security administrators with the ability to easily and quickly configure device restriction policies. You can choose between configuring these rules based on Vendor ID, Class, Serial ID, and Product ID, and you can select the action type so that you can either Allow Read & Write, Allow Read, or Block the access altogether.

SentinelOne also makes it simple for you to manage the firewall right within the SentinelOne console. When creating a new rule, you can first choose whether it should apply across Windows, macOS, and Linux, if it should be an Allow or Block rule, and later set if, for example, the policy is for a specific protocol, port, application, etc.
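The two ideas above, a global policy that device groups can override and device rules matched on vendor ID, class, serial and product ID with an allow-read-and-write, allow-read or block outcome, fit together in one small evaluator. The following is an added example written for this page, not SentinelOne's engine: the group names, IDs, serials and the most-specific-rule-wins ordering are assumptions, chosen so that a group policy for high-value assets can be strictly tighter than the global one while still whitelisting a single known forensics drive.

```javascript
// Added example, not SentinelOne's code: evaluating a removable device against
// device-control rules, with the "global policy unless the device group has its
// own" inheritance described in the EPP/EDR section. Rule criteria follow the
// four the text lists (vendor ID, class, serial, product ID) and the three
// actions; the group names, IDs, serials and the specificity ordering are
// assumptions for illustration.
const ACTIONS = new Set(['block', 'read', 'read-write']);

// Ordered from most to least specific. A rule matches when every criterion it
// sets equals the device's value; criteria it leaves out are wildcards.
const CRITERIA = ['serial', 'productId', 'vendorId', 'deviceClass'];

function ruleMatches(rule, device) {
  return CRITERIA.every(k => rule[k] === undefined || rule[k] === device[k]);
}

// serial = 8, productId = 4, vendorId = 2, deviceClass = 1, so a serial-pinned
// rule outranks any combination of the broader criteria.
function specificity(rule) {
  return CRITERIA.reduce((score, k, i) =>
    rule[k] === undefined ? score : score + (1 << (CRITERIA.length - 1 - i)), 0);
}

// Reject unknown actions and catch-all rules before they reach an endpoint.
function validateRules(rules) {
  for (const rule of rules) {
    if (!ACTIONS.has(rule.action)) throw new Error(`bad action: ${rule.action}`);
    if (specificity(rule) === 0) throw new Error('rule with no criteria would match everything');
  }
  return rules;
}

// Most specific matching rule wins; the earlier rule wins ties; no match means block.
function evaluateDevice(rules, device) {
  let best = null;
  for (const rule of rules) {
    if (!ruleMatches(rule, device)) continue;
    if (best === null || specificity(rule) > specificity(best)) best = rule;
  }
  return best ? best.action : 'block';
}

// Constructed policy: general endpoints get the global set; the HVA group has
// its own, stricter set that only whitelists one known forensics drive.
const POLICY = {
  global: validateRules([
    { deviceClass: 'mass-storage', action: 'block' },
    { deviceClass: 'hid', action: 'read-write' },
    { vendorId: '0x1234', deviceClass: 'mass-storage', action: 'read' }, // assumed corporate-issued drive vendor
  ]),
  groups: {
    'high-value-assets': validateRules([
      { deviceClass: 'mass-storage', action: 'block' },
      { deviceClass: 'hid', action: 'read-write' },
      { serial: 'FORENSICS-0001', deviceClass: 'mass-storage', action: 'read-write' },
    ]),
  },
};

// A group with its own rule set uses it in full; every other group inherits global.
function effectiveRules(policy, group) {
  return Object.prototype.hasOwnProperty.call(policy.groups, group)
    ? policy.groups[group]
    : policy.global;
}

function decide(policy, group, device) {
  return evaluateDevice(effectiveRules(policy, group), device);
}
```

Note that the HVA group does not inherit the global vendor allowance: because the group's set replaces the global one rather than layering on top of it, a corporate-issued drive that reads fine on a workplace endpoint is still blocked on a high-value asset, which is exactly the property a reviewer should assert when a group policy is meant to be tighter.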


Conclusion

The increasing complexity in today’s threat landscape makes it clear that waiting several days to make a change to preventative controls is no longer acceptable. Security technologies have evolved and provided integrated security management capabilities that empower security administrators to make informed, risk-based decisions directly within the security console.

SentinelOne provides integrated security management capabilities that are truly designed for enterprise customers. Customers benefit from multi-tenancy and Role-Based Access Control (RBAC), which enable the principle of least privilege. If the security administrator needs to configure a device restriction policy, firewall rules, or optimize Endpoint Protection Platform (EPP) or Endpoint Detection and Response (EDR) controls, they can do that all within the SentinelOne management console in just a few clicks.


Google opens Workspace to everyone

Google today announced that it is making Workspace, the service formerly known as G Suite (and with a number of new capabilities), available to everyone, including consumers on free Google accounts. The core philosophy behind Workspace is to enable deeper collaboration between users. You can think of it as the same Google productivity apps you’re already familiar with (Gmail, Calendar, Drive, Docs, Sheets, Slides, Meet, Chat, etc.), but with a new wrapper around it and deeper integrations between the different apps.

For individual users who want more from their Workspace, there will also be a new paid offering, though Google isn’t saying how much you’ll have to pay yet. (Update: Google Workspace Individual subscription will be $9.99/month, with an introductory price of $7.99/month.) With that, users will get access to “premium capabilities, including smart booking services, professional video meetings and personalized email marketing, with much more on the way.” We’ll likely hear more about this later this year. This new paid offering will be available “soon” in the U.S., Canada, Mexico, Australia, Brazil and Japan.

Consumers will have to switch from the classic Hangouts experience (RIP) to the new Google Chat to enable it — and with this update, all users will now have access to the new Google Chat, too. Until now, only paying G Suite/Workspace users had access to this new Workspace user experience.

“Collaboration doesn’t stop at the workplace — our products have been optimized for broad participation, sharing and helpfulness since the beginning,” said Javier Soltero, VP and GM, Google Workspace. “Our focus is on delivering consumers, workers, teachers and students alike an equitable approach to collaboration, while still providing flexibility that allows these different subsets of users to take their own approach to communication and collaboration.”

Image Credits: Google

Once enabled, users will encounter quite a few user interface changes. The left rail, for example, will look a little bit like the bottom bar of Gmail on iOS and Android now, with the ability to switch between Mail, Chat, Meet and Spaces (which — yeah — I’m not sure anybody really understands this one, but more about this later). The right rail will continue to bring up various plugins and shortcuts to features like Google Calendar, Tasks and Keep.

A lot of people — especially those who simply want Gmail to be Gmail and don’t care about all of this collaboration stuff in their private lives — will hate this. But at least for the time being, you can still keep the old experience by not switching from Hangouts to the new Google Chat. But for Google, this clearly shows the path Workspace is on.

Image Credits: Google

“Back in October of last year, we announced some very significant updates to our communication and collaboration product line and our business, starting with the new brand and identity that we chose around Google Workspace that’s meant to represent what we believe is the future direction and real opportunity around our product — less around being a suite of individual products and more around being an integrated set of experiences that represent the future of work,” Soltero explained in a press briefing ahead of today’s announcement.

And then there is “Spaces.” Until now, Google Workspace featured a tool called “Rooms.” Rooms are now Spaces. I’m not quite sure why, but Google says it is “evolving the Rooms experience in Google Chat into a dedicated place for organizing people, topics, and projects in Google Workspace.”

Best I can tell, these are Slack-like channels where teams can not just have conversations around a given topic but also organize relevant files and upcoming tasks, all with an integrated Google Meet experience and direct access to working on their files. That’s all good and well, but I’m not sure why Google felt the need to change the name. Maybe it just doesn’t want you to confuse Slack rooms with Google rooms. And it’s called Google Workspace, after all, not Workroom. 

New features for Rooms/Spaces include in-line topic threading, presence indicators, custom statuses, expressive reactions and a collapsible view, Google says.

Both free and paid users will get access to these new Spaces once they launch later this year.

But wait, there’s more. A lot more. Google is also introducing a number of new Workspace features today. Google Meet, for example, is getting a companion mode that is meant to foster “collaboration equity in a hybrid world.” The idea here is to give meeting participants who are in a physical meeting room and are interacting with remote participants a companion experience to use features like screen sharing, polls, in-meeting chat, hand raise and Q&A live captions on their personal devices. Every participant using the companion mode will also get their own video tile. This feature will be available in September.

Image Credits: Google

Also new is an RSVP option that will allow you to select whether you will participate remotely, in a meeting room (or not at all), as well as new moderation controls to allow hosts to prevent the use of in-meeting chat and to mute and unmute individual participants.

On the security side, Google today also announced that it will allow users to bring their own encryption keys. Currently, Google encrypts your data, but it does manage the key for you. To strengthen your security, you may want to bring your own keys to the service, so Google has now partnered with providers like Flowcrypt, Futurex, Thales and Virtru to enable this.

“With Client-side encryption, customer data is indecipherable to Google, while users can continue to take advantage of Google’s native web-based collaboration, access content on mobile devices, and share encrypted files externally,” write Google directors of product management Karthik Lakshminarayanan and Erika Trautman in today’s announcement.

Image Credits: Google

Google is also introducing trust rules for Drive to give admins control over how files can be shared within an organization and externally. And to protect from real phishing threats (not those fake ones your internal security organization sends out every few weeks or so), Google is also now allowing admins to enable the same phishing protections it already offers today to content within an organization to help guard your data against insider threats.

The Good, the Bad and the Ugly in Cybersecurity – Week 24

The Good

Lots of good news on the cyber front this week! Let’s start with “Slilpp”, the largest marketplace of compromised accounts on the darknet. The criminal trading site was taken down this week in a joint operation by law enforcement agencies from the U.S., Germany, the Netherlands, and Romania. According to the DOJ, Slilpp had been selling a variety of stolen credentials since 2012 and may have caused U.S. citizens over $200 million in losses. The takedown was made possible after the servers and domains hosting the site were identified and seized.

Meanwhile, the DOJ also said it was able to identify and retrieve some of the ransom payment made by Colonial Pipeline to the DarkSide ransomware group. After the Bitcoin wallets used in the transaction were identified and a seizure warrant was authorized, the FBI managed to retrieve approximately $2.3 million of cryptocurrency.

And finally, a big win for the FBI this week, which executed the perfect, long-tail sting operation. It turns out the agency was behind the AN0M secure-messaging service that had been widely distributed among criminals worldwide since 2018. In a joint operation, law enforcement agencies arrested 800 suspects and seized 32 tons of drugs, 250 guns, 55 luxury cars and more than $148 million in cash and cryptocurrencies. Kudos to the FBI for its sophistication and patience.

The Bad

This week has thrown into sharp relief just how pervasive attacks by Chinese APTs are across the world thanks to two separate research publications. In one, researchers identified a new APT group that has been behind a series of targeted attacks in Africa and the Middle East since at least 2017.

“BackdoorDiplomacy” has been targeting Ministries of Foreign Affairs and telecommunication companies by exploiting vulnerable internet-facing devices such as F5 BIG-IP devices (CVE-2020-5902), Microsoft Exchange servers, and Plesk web hosting control panels. Depending on the target type, a Linux backdoor or a Windows webshell was installed, providing the attackers with the ability to collect system information, take screenshots and exfiltrate files.

The researchers found similarities between BackdoorDiplomacy and other APT campaigns originating in Asia, mainly a group called CloudComputating (no, that’s not a typo!), a Chinese-speaking threat actor known for targeting Middle Eastern diplomatic targets.


That publication coincides with another this week by SentinelLabs attributing an attack on Russian spy agency FSB earlier this year to a Chinese threat actor dubbed “Thundercats”. Initial speculation had wrongly assumed Western APTs were likely behind the attack.

While these two APTs are otherwise unrelated, the news breaking this week just serves to highlight how wide the geopolitical interest of Chinese nation-state sponsored APTs actually is. The West isn’t the only victim, and not necessarily the obvious culprit when some of its traditional “cyber opponents” get hit.

The Ugly

The huge profits made by the operators of “Slilpp”, as reported above, signal the importance of credential theft and trade as part of the cybercrime ecosystem. But one has to wonder: how did these criminals manage to amass such a significant amount of stolen credentials? Sometimes, traded credentials are harvested from massive data breaches. These are later sold on such markets, but often, by the time buyers attempt to exploit them, users or account services have already changed their credentials after receiving a breach alert. But some criminals take the extra step to ensure the credentials they sell are valuable to their clients. Credentials that have been harvested individually (from a specific computer) in a stealthy manner are much more likely to be useful for monetization.

Researchers from NordLocker found a stash of 26 million login credentials, 1.1 million unique email addresses, more than 2 billion browser cookies, and 6.6 million files, allowing access to 1 million sites, including Facebook, Twitter, Amazon, and Gmail accounts.


These were harvested by dedicated malware, which, in addition to obtaining and extracting these credentials, also took a screenshot of the victim’s computer and added another image capture from the computer’s webcam. All in all, this malware infected over 3 million Windows-based computers and stole 1.2 terabytes of data between 2018 and 2020, showing just how lax most users’ security habits are (many saved passwords in text and notepad files) and how ineffective the security products installed on these machines were, too, in terms of identifying and blocking this stealer.



12 Things To Know About macOS Monterey and Security

Apple’s WorldWide Developer Conference (WWDC) 2021 kicked off this week in its second outing as a virtual event in light of the ongoing concerns over COVID-19 transmission. Will this be the last isolation-enforced WWDC? We certainly hope so. On the positive side, it’s fair to say that the sessions have become remarkably more effective as Apple has embraced the advantages that pre-recording offers. It’s also fair to say that the notion of people missing out on shared experiences has played a central role in the new features that Apple has on offer this year.

In this post, we’ll be covering what’s new from a security angle in macOS 12, and much of that will revolve around how people share both data and experiences with each other and with the businesses they interact with in their digital lives. There’s a lot of features to discuss, so let’s jump straight in and see what’s new in security with macOS Monterey.

1. System Requirements – A Little More Complex This Time Around

The first rule of security is to keep your systems patched, but if your system won’t support the latest software then you’re already off to a bad start. Only models in the following list are officially supported for macOS 12:

  • Mac Pro (Late 2013 and later)
  • Mac mini (Late 2014 and later)
  • ‌MacBook Air‌ (Early 2015 and later)
  • MacBook Pro (Early 2015 and later)
  • ‌iMac‌ (Late 2015 and later)
  • MacBook (Early 2016 and later)
  • ‌iMac‌ Pro (2017 and later)

In general, if you’re running hardware that’s hit the 6 year mark you know you’re living on the edge with Apple. Even so, there are some surprises about what’s not in the list of supported devices for macOS Monterey. In particular, while the 2014 Mac mini remains supported, the beefier and more expensive late 2014 iMac is dropped, as is everything else from 2014 or earlier aside from the late 2013 Mac Pro. 2015 MacBooks are also left behind to chug out the rest of their days on Big Sur or earlier.

macOS 12 also introduces a more complex mix of device dependency for its range of new features. For example, 2017 MacBook Pros can take advantage of the new Universal Control features but not AirPlay to Mac (for which, aside from the 2017 iMac Pro, you’ll need a Mac that’s at least a 2018 model or later). Also, unsurprisingly, there are features that will only work on M1 Macs, such as Live Text. Others, like Erase All Contents, require either an M1 Mac or an Intel Mac with a T2 chip. More on both of these below.

Suffice it to say, if you’re looking to upgrade your current Mac or Macs to take advantage of some specific feature or features in Monterey, be sure to check the system requirements first. Don’t be that person who innocently dives into the upgrade and then spams IT with complaints that ‘it doesn’t just work’!

2. Private Relay – Neither Tor Nor VPN

According to Apple at WWDC, Private Relay hides your IP address and browsing activity from websites and ISPs. No one, not even Apple, is supposed to be able to see both your IP address and what you are accessing.

Private Relay is both a buy-in and an opt-in service. To buy in, you need to subscribe to iCloud+, the new name for Apple’s paid iCloud storage offerings. If you’re not using iCloud at all or only using the free 5GB iCloud storage, Private Relay won’t be available to you. Those on any paid iCloud storage option can choose to opt in to Private Relay via System Preferences.

Apple made a lot of noise about privacy and Private Relay this week; however, there are some pretty big caveats to take into account here. First and foremost, if you’re looking to avoid censorship based on your geolocation, Private Relay is not for you. Apple has specifically stated that users can’t use Private Relay to pretend to be from a different region. Private Relay still tags your browsing activity with an approximate location (e.g., your city); it’s just much less fine-grained than your true IP address.

Secondly, an organization or network can block the hostname of the iCloud Private Relay proxy server, essentially preventing you from accessing that network unless you turn Private Relay off. Organizations that require visibility into network traffic aren’t going to be blind-sided by the Private Relay feature.

For those with maximum need for anonymity, it’s also not clear exactly how robust Apple’s anonymizing is. Apple says it’s working with a third-party vendor (widely rumoured to be Cloudflare) in a way such that only Apple knows your true IP and only the vendor knows your activity. Lacking more details than we have already, it’s not immediately clear why Apple and the vendor couldn’t collaborate to put the two together, perhaps at the behest of law enforcement agencies.

In short, Private Relay looks useful for stopping advertising tracking and other public scraping data collection methods, but it’s no substitute for Tor, nor is it a substitute for a VPN if your main use for the latter is to escape geolocation restrictions.

3. Mail Offers A Mixed Bag of Privacy Protections

With macOS 12, Apple has also chosen to beef up Mail’s privacy protections with two key features: preventing remote content from leaking your IP or tracking your viewing behaviour and providing anonymous email addresses.

Mail on macOS 11 Big Sur and earlier already allows you to block messages from loading remote content via a Preferences setting, but the drawback with that is that you’re left with text-only messages that lose a lot of rich content. With macOS 12 Monterey, Mail will allow you to enjoy remote content without leaking your IP. Moreover, the sender won’t be able to determine when or even if you read the email. This effectively stops spammers and unscrupulous marketeers from trying to track your behaviour with things like invisible pixels. Apple says that:

“Since Mail content may be loaded automatically after delivery, the time of Mail viewing will no longer be correct. And since that content is loaded without revealing people’s IP addresses and without detailed headers, the location and type of device reading the Mail aren’t revealed. And you’ll see your emails as being opened, regardless of if the user read it or not.”

iCloud subscribers (aka iCloud+ users) will also be able to take advantage of an unlimited number of random email addresses for use in things like web forms when you are forced to supply an email address to access some service.

While this is a great idea, it’s not likely to thwart businesses that insist on knowing your real email address. Apple’s anonymized email addresses use @privaterelay.appleid.com as the domain name. It’s inevitable that many businesses will simply refuse to accept that domain name in their forms, just as they do with many existing email anonymizer services. So while we applaud the idea, it’s likely that in reality many businesses will easily circumvent this privacy initiative.

4. Safari Gets Some More Security Smarts

Apple has added some extra security protections to Safari in macOS 12. Among those are the ability to automatically upgrade an HTTP address to its HTTPS equivalent (where available). By ensuring that Safari loads the HTTPS version of websites, you gain the advantages of encrypted communications with that site. HTTPS is pretty much everywhere now, and some browsers like Chrome automatically warn you when you’re not viewing an HTTPS site, but having Safari automatically switch to the encrypted version without user interaction is a nice added feature.

Safari Preferences also gain a new option in the Privacy tab to hide IP addresses from known trackers. Apple calls this “Intelligent Tracking Prevention” and says it prevents trackers from profiling you using your IP address. That’s a freebie quite separate from iCloud+ subscription and Private Relay. In our test, this was turned on by default, but head over to Safari prefs and check if you want to ensure you’re taking advantage of this feature.

5. Passwords Available Here, There and Everywhere

Poor password security has long been a bugbear for individuals and organizations alike, and the standing advice is “use a password manager”. In macOS 12, Apple has taken a stab at stealing some of the market share vendors like 1Password have cornered in recent years with its new Passwords feature in System Preferences.

In the first beta, the new Passwords pane looks pretty much like a replica of the same pane in Safari preferences, and there’s another duplication of password content with the venerable old Keychain Access application. Quite how this is going to develop over time remains to be seen, but about the kindest thing we can say at the moment is you’re spoilt for choice as to how and where you look up saved passwords on macOS Monterey.

The new feature in System Preferences allows you to look up and manage saved passwords for applications and websites, and to generate verification codes for 2FA in much the same way as apps like Google Authenticator. Interestingly, Apple says that, once set up, the built-in authenticator can autofill verification codes when you sign into a site.
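As an added example, not code from the original post or from Apple (Apple has not published the internals of its authenticator), here is how the verification codes such authenticators produce are derived under RFC 6238, together with the server-side check that tolerates a little clock drift; the only sample input it assumes is the RFC’s own published test secret.

```python
"""How an authenticator derives time-based verification codes (RFC 6238 TOTP).

Added example, not Apple's code. Any authenticator that enrols from a site's
otpauth:// QR code implements this standard, so this shows what a
"verification code" actually is. Standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the big-endian counter, dynamically truncate, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second windows since the Unix epoch."""
    return hotp(secret, at // step, digits, algo)


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// enrolment URI (padding optional)."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify(secret: bytes, submitted: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check accepting the current window plus/minus `skew` windows.

    Compares in constant time so response timing does not leak how many digits
    matched. A real server would additionally refuse to accept the same code
    twice (replay) within its validity window.
    """
    for window in range(-skew, skew + 1):
        candidate = totp(secret, at + window * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# RFC 6238 Appendix B test secret: the ASCII string "12345678901234567890".
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("current 6-digit code:", totp(RFC_SECRET, now))
    print("seconds until it rotates:", 30 - now % 30)
```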

Passwords also offers the ability to import and export passwords to or from other password managers. Perhaps in recognition that many Apple users are also Windows users, the latter can also manage passwords saved to iCloud via a new iCloud Passwords app. There’s even an iCloud Passwords extension for the Edge browser.

Clearly, Apple is making serious inroads into the entire password management space. It will be interesting to see how the existing players in that space respond. Users could be in for a treat with some new third-party features if those developers start to feel threatened by Apple’s password grab.

6. Mic Alert – Orange Is the New Green

There are some interesting developments in macOS Monterey in the way that users interact with AV components and media. We’ll start with the recording indicator. macOS users have long been familiar with the hardware-enabled camera indicator – the green light next to the webcam (aka iSight cam) along the top edge of Mac displays. Similar protections haven’t been available to prevent audio snooping, however. Up until macOS 12, there’s been no obvious way to tell whether the microphone is active or not.

In Monterey, Apple has addressed that with a software-driven recording indicator. Now when any microphone-enabled device is in use, a small orange indicator appears in the menu bar next to the Control Center icon. You can also see which application is using the microphone by clicking on the Control Center icon. In addition, as with the current release version of macOS, you can see which applications have Microphone access in the Privacy tab of System Preferences.

7. FaceTime Links – Opening the Door To More ‘Zoom Bombing’?

If there is one software application that will be remembered specifically for its role during the COVID-19 era, the odds-on favorite to claim that mantle will be Zoom. The video conferencing software has become so ubiquitous that “to zoom” is now a verb much like “to google”. Zoom’s spectacular success has not been without privacy concerns, however, including some high profile cases of “zoom bombing” – unwanted and uninvited guests disrupting what should otherwise be private virtual gatherings.

Apple’s FaceTime app has been around for a lot longer than Zoom and should have a much higher profile, but FaceTime has arguably never really been much use for anything other than contacting a few select friends and relatives that are also Apple device users. In macOS Monterey, Apple has taken steps to bring FaceTime to prime time with new sharing links that allow anyone to join a FaceTime meeting from within their browser – no Apple ID or even Apple device required.

There are, unfortunately, security caveats with such easy access to another person’s virtual world. From unwanted attendees to tech support scammers throwing out links to unsuspecting recipients, we hope that Apple has learned the hard lessons that Zoom and other teleconferencing apps have painfully taken on the chin these past 18 months or so. It’ll be interesting to see what this feature looks like in the public release of macOS Monterey in the fall.

8. Erase All Contents – The Feature We’ve All Been Waiting For?

Selling your Mac or repurposing it within the enterprise from one user to another just got a whole lot easier in macOS Monterey, so long as that’s an M1 or T2-enabled Mac (T2s are those with the touch bar, if you’re losing track of all the Apple designators flying around these days).

Where available, ‘Erase All Contents’ appears in the System Preferences application menu, and thus can be initiated by a user from within their normal login session, no trip to Recovery required.

We can see one really interesting, probably unintended, use for this feature among security researchers. M1 Macs currently lack the ability to virtualize macOS in hypervisor software like Parallels or VMware Fusion, and even if you test macOS malware on a dedicated device, there’s currently no easy method to bring that device back to a clean state for the next test, at least not without a tedious trip to Recovery or using third-party software to reinstall the entire system via APFS snapshots. The ‘Erase All Contents’ feature, however, could provide a nice way to do exactly that, a potentially better workaround while we wait, fingers tapping in frustration, for macOS virtualization on the M1.

Meanwhile, Mac admins can rejoice if, as rumored, MDM support for initiating ‘Erase All Contents’ arrives in a later beta.

If, like us, your first thought on hearing of the ‘Erase All Contents’ capability was that it might be weaponized by threat actors as a kind of macOS ‘wiperware’, the word is that the feature can’t be activated from the command line. We’ll have to wait until we’re further into the beta cycle to fully test that, but we’re pleased to know that the thought had already occurred to Apple, too.

9. Legacy Data – Now Your Secrets Don’t Have To Die With You

Data security isn’t only about preventing unauthorized access. It’s also important to make sure we can maintain access to our data over time, and that includes transferring our data to others when we pass on. To that end, there are two changes in macOS 12 related to Apple IDs, the “one stop shop” sign-in credential for accessing Apple services across their range of devices, including Macs.

The Account Recovery Contacts feature is a means of designating one or more trusted persons who can help a user to reset their passwords and regain access to their Apple ID account in the event they lose access through forgotten or inaccessible passwords. We’re not all mavens of perfect organization, and many of us support users, family and friends who struggle with the complexities of technology, so this will certainly be a welcome feature for many.

The Digital Legacy program is a separate feature that allows users to designate other people to “pass their data on to” in the event of death. People designated as “Legacy Contacts” will be able to access all accounts and personal information of the deceased. It’s a great idea and something that many people have been drawing attention to for some time. Just a word of caution: be certain you’re not hoarding any personal or family secrets on your Apple devices that you don’t want discovered after you’re gone.

10. Live Text – A Data Exfiltration Dream Come True?

Those action/spy movies where someone sneaks into an office and quickly photographs lots of confidential files before the ‘victim’ returns always had one gaping flaw: imagine being the poor grunt back at Spy HQ who has to start wading through all those photos and laboriously (and accurately) transcribe them all into text. How long would that even take? Surely a lot longer than the movies would have us believe.

We’ve had expensive and not entirely accurate OCR (Optical Character Recognition) programs for decades, and some third-party note-taking apps have been offering more convenient solutions for a while, but in macOS 12, Apple is promising to take OCR to the next level with its new Live Text feature.

According to the blurb, text in photos is now “completely interactive”, so you should be able to use copy and paste just like in a text document. Live Text is available in Photos, Screenshot, Quick Look, and Safari, but only so long as you have an M1 Mac.

OK, rapid data exfiltration worries aside, that makes life a lot easier for those of us with legitimate use-cases where we need to do things like screenshot slides from video presentations and the like. And the grunt at Spy HQ just breathed a huge sigh of relief.

11. New Automation Possibilities with Shortcuts for macOS

The Mac has always been way ahead of any other platform when it comes to automation. AppleScript is the reigning deity in that regard, with Automator playing a useful but largely underutilized secondary role. With macOS Monterey, Apple brings iOS’s Shortcuts to the Mac in what looks like a bid to reinvigorate automation with an eventual successor to Automator.

Early indications are that Shortcuts will be just as powerful as Automator. Monterey includes a migration tool to convert most Automator workflows into Shortcuts. Just like Automator, Shortcuts can run Shell Scripts and AppleScripts, manage files, copy content and more.

The downside of automation is, of course, security. Being able to kick off a complex chain of events involving files, folders and user contents leaves open myriad possibilities for abuse, particularly if malicious actors can easily distribute actions that will do such deeds for them.

With Shortcuts, Apple has built in lots of sharing options so that users, organizations and developers can easily distribute Shortcuts to others. To prevent malicious use, Apple notarizes Shortcuts shared either via iCloud or if they are exported as standalone files. Shortcuts files are code signed with the identity of the person who sent them, and there’s a Shortcuts command-line tool if you need to re-sign a Shortcut before sharing it with others.

We are big fans of automation, and we look forward to exploring what can be done with Shortcuts as we get further into testing macOS Monterey.

12. And What About Application Security?

It’s not always true that no news is good news. Just as at this point last year we had to say “nothing to see here”, so with macOS 12 Monterey there are no new announcements regarding Apple’s security technologies to block, detect and remove malware (Gatekeeper, XProtect and MRT.app, respectively).

Given the fallibility of those technologies, recently admitted by Apple itself, that’s perhaps a bigger surprise this time around than it was with macOS 11 Big Sur.

Conclusion

It’s early days for macOS Monterey, and there’s a lot to test to see how these new features fit into our daily routines, but we hope this post has given you a heads-up on what to look out for as far as security is concerned.

SentinelOne is, of course, already busy working on support for macOS Monterey. As always, our standard disclaimer applies to beta software. We are working to ensure that the SentinelOne Agent will be released up to 45 days after Apple announces the public release of macOS 12. Depending on the type of changes introduced in this new version, our goal is to shorten this time if possible and to provide early availability releases for testing with Apple Beta releases. Interested customers can find out more through the support portal available from within their Management console.



Payments giant Stripe launches Stripe Tax to integrate sales tax calculations for 30+ countries

On the heels of acquiring sales tax specialist TaxJar in April, today Stripe is making another big move in the area of tax. The $95 billion payments behemoth is launching a new product called Stripe Tax, which will provide automatic, updated sales tax calculations (covering sales tax, VAT and GST) and related accounting services to Stripe payments customers initially in some 30 countries and across the U.S.

Stripe Tax is a separate service from TaxJar, but the two are not unconnected. As Stripe Tax was being built out of Stripe’s offices in Dublin over the last several months, Stripe’s business lead for EMEA Matt Henderson told me that the team had identified TaxJar as a strong company in the field. That ultimately led to M&A between them.

Sales tax — and specifically a more seamless way to deal with charging and tracking sales tax — is a painful issue for people doing business online.

Digital and physical goods are taxed in over 130 countries, Stripe said, and within that there can be a huge amount of variation and compliance complexity, since codes get updated all the time, too. Mishandled sales tax, meanwhile, can result in pretty hefty fines, sometimes up to 30% interest on past-due amounts.

Unsurprisingly, a sales tax tool has been the most-requested feature from Stripe’s customers, Henderson said, a call that presumably only got louder in the last year, as e-commerce and digital transactions went through the roof with COVID-19.

Arguably, that makes Stripe Tax one of the company’s more significant product launches, not to mention the first since announcing its monster funding round earlier this year.

Previously, Stripe customers would have resorted to using a third-party service (like TaxJar) to work out sales tax. Or, more typically, those Stripe customers would have opted to limit the number of places they sold goods and services, in order to minimize the pain of dealing with multiple, complex and usually quite localized tax codes.

“No one leaps out of bed in the morning excited to deal with taxes,” said John Collison, co-founder and president of Stripe in a statement. “For most businesses, managing tax compliance is a painful distraction. We simplify everything about calculating and collecting sales taxes, VAT, and GST, so our users can focus on building their businesses.”

Stripe said that a survey of its customers found that two-thirds of respondents said the challenge of implementing sales tax actually limited their growth.

TaxJar has built a strong system for handling that, but the company — based out of Massachusetts but with a remote team — is primarily focused on the U.S. market, which has sales tax that is complicated enough (there are 11,000 different tax jurisdictions in the country).

That leaves a lot on the table for building out sales tax tools for the rest of the world: The wider focus of Stripe Tax thus fills a particular geographical gap for the company, regardless of how well TaxJar and Stripe integrate over time.

There is another key difference worth noting between the two.

TaxJar came to Stripe’s attention with an established operation — 23,000 customers at the time of the announcement. Stripe (wisely) bolted that on as a standalone business, which means that new and existing customers that use TaxJar can continue to use it as is. That is to say, at least for now, they do not need to be Stripe payments customers in order to use TaxJar, even if the integration between the two platforms will only improve over time.

Stripe Tax, on the other hand, is being built from the ground up as a product aimed specifically at increasing touchpoints and stickiness with Stripe customers.

Stripe Tax provides real-time tax calculation based on customer location and product sold; transparent itemizing for customers; tax ID management in areas (like Europe) where business customers can provide their code and get a reverse charge on tax if they are under a certain turnover threshold themselves; and reconciliation and reporting across all transactions to make filing and remittance easier.

But there is for now no way to use Stripe Tax outside of Stripe payments.

This could pose some problems for some customers. These days, many of the strongest retailers will take an “omnichannel” approach that might cover selling through marketplaces, selling through websites, selling through social media and more — and not all of those experiences may be powered by Stripe. It will be worth watching whether future iterations of Stripe Tax can account for that.

Stripe’s most significant product launch prior to Stripe Tax — Stripe Treasury last December — underscores how the company is currently very focused on diversifying outside of its basic payments business and opening the platform to much wider, more scaled transactions.

Treasury, which is still in invite-only mode, saw Stripe partner with established banks to provide a business banking service, providing a way for its customers to handle money that they generate from their Stripe-powered businesses.

The full country list where Stripe Tax is launching is Australia, Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, New Zealand, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, the United States and the United Kingdom.

Updated to correct the number of customers TaxJar has to 23,000.

Slintel scores $20M Series A as buyer intelligence tool gains traction

One clear outcome of the pandemic was that it pushed more people to do their shopping online, and that was as true for B2B as it was for B2C. Knowing which of your B2B customers are most likely to convert puts any sales team ahead of the game. Slintel, a startup providing that kind of data, announced a $20 million Series A today.

The company has attracted some big-name investors, with GGV leading the round and Accel, Sequoia and Stellaris also participating. The investment brings the total raised to over $24 million, including a $4.2 million seed round from last November.

That’s a quick turnaround from seed to A, and company founder and CEO Deepak Anchala says that while he had plenty of runway left from the seed round, the demand was such that it seemed prudent to take the A money sooner than he had planned. “So we had enough cash in the bank, but investors came to us and we got a pretty good valuation compared to the previous round, so we decided to take it and use that money to go faster,” Anchala said.

Certainly the market dynamics were working in Slintel’s favor. Without giving revenue details, Anchala said that revenue grew 5x last year in the middle of the worst of the pandemic. He says that meant buyers were spending less time with sales and marketing folks to understand products and more time online researching on their own.

“So what Slintel does as a product is we mine buyer insights. We understand where the buyers are in their journey, what their pain points are, what products they use, what they need and when they need it. So we understand all of this to create a 360-degree view of the buyer that you provide these insights to sales and marketing teams to help them sell better,” he said.

After growing at such a rapid clip last year, the company expected more modest growth this year at perhaps 3x, but with the added investment, he expects to grow faster again. “With the funding we’re actually looking at much bigger numbers. We’re looking at 5x in our revenue this year, and also trying for 4x revenue next year.”

He says that the money gives him the opportunity to improve the product and put more investment into marketing, which he believes will contribute to additional sales. Since the round closed six weeks ago, he says that he has increased his advertising budget and also hopes to attract customers via SEO, free tools on the company website and events.

The company had 45 employees at the time of its seed round in November and has more than doubled that number in the interim, to 100 spread out across 10 cities. He expects to double again by this time next year as the company is growing quickly. As a global company with some employees in India and some in the U.S., he intends to be remote-first even after offices begin to reopen in different areas. He says that he plans to have company gatherings each quarter to let people gather in person on occasion.


TestBox launches with $2.7M seed to make it easier to test software before buying

When companies are considering buying a particular software service, they typically want to test it in their own environments, a process that can be surprisingly challenging. TestBox, a new startup, wants to change that by providing a fully working package with pre-populated data to give the team a way to test and collaborate on the product before making a buying decision.

Today the company announced it was making the product widely available; they also announced a $2.7 million seed round from SignalFire and Firstminute Capital along with several other investors and industry angels.

Company co-founder Sam Senior says he and his co-founder Peter Holland recognized that it was challenging for companies buying software to test it in a realistic way. “So TestBox is the very first time that companies are going to be able to test drive multiple pieces of enterprise software with an insanely easy-to-use live environment that’s uniquely configured to them with guided walk-throughs to make it really easy for them to get up to speed,” Senior explained.

He says that until now, even with free versions or free trial periods, it was hard to test and collaborate in that kind of environment with key stakeholders in the company. TestBox comes pre-populated with data generated by OpenAI's GPT-3 to test how the software behaves, and it lets participants grade different features on a simple star rating system and add comments as needed. All the feedback is recorded in a "notebook," giving the company a central place to gather all the data.

What’s more, it puts the company buying the software more in control of the process instead of being driven by the vendor, which is typically the case. “Actually, now [the customer gets to] be the one who defines the experience, making them lead the process, while making it collaborative, and giving them more confidence [in their decision],” he said.

For now, the company plans to concentrate on customer support software and is working with Zendesk, HubSpot and Freshdesk, but has plans to expand and add partners over time. It has been talking with Salesforce about adding Service Cloud and hopes to have them in some form on the platform later this year. It also plans to expand into other verticals over time, like CRM, martech and IT help desks.

Senior is a former Bain consultant who worked with companies buying enterprise software, and saw the issues firsthand that they faced when it came to testing software before buying. He quit his job last summer, and began by talking to 70 customers, vendors and experts to get a real sense of what they were looking for in a solution.

He then teamed up with Holland and built the first version of the software before the two raised their seed money last October. The company began hiring in February and has eight employees at this point, but he wants to keep it fairly lean through the early stage of the company's development.

Even at this early stage, the company is already taking a diverse approach to hiring. “Already when we have been working with recruiting firms, we’ve been saying that they need to split the pipeline as much as they can, and that’s been something we have spent a long, long time on. […] We spent actually six months with an open role on the front end because we are looking to build more diversity in our team as quickly as possible,” he said.

He reports that the company has a fairly equitable gender and ethnic split to this point, and holds monthly events to raise awareness internally about different groups, letting employees lead the way when it makes sense.

At least for now, he’s planning on running the company in a distributed manner, but acknowledges that as it gets bigger, he may have to look at having a centralized office as a home base.