Big Things and Little Things in Cybersecurity

4–8–2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, April 8, 2024, and we’re back in the office after Spring Break, and we’ve got a few things to catch up on.

Little Things and Big Things in Cybersecurity

The last two weeks were marked by a lot of coverage of big, systemic challenges at Microsoft and Ivanti, and of very small changes in an open source library called XZ Utils.

To start, on March 20th, Microsoft took licks from the Cyber Safety Review Board for the Summer 2023 Microsoft Exchange Online Intrusion by Chinese hackers.

The Board reported that Microsoft “could have prevented” the attack, and described a “cascade of security failures.”

“The Board finds that this intrusion was preventable and should never have occurred,” says the Cyber Safety Review Board. “The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

These failures of culture and security, of course, have now been exploited by Russian threat actors, as well, and tracking just which Exchange breach we’re talking about at Microsoft is getting more difficult.

Changing security culture is a difficult task because it’s squishy and involves people - the most difficult part of any security effort.

Microsoft isn’t the only one trying to change their security culture, either.

On April 4th, the CEO of the much-beleaguered tech company Ivanti posted an open letter (and accompanying video) about their “commitment to security.”

The video was stiff, read from pre-written comments, and hard to watch at times. It looks like it was shot in a hotel room, with the bed visible in the background. There’s weird shading at the edges, and the production value is really lacking. To be honest, I’m not sure what to make of this - it’s one thing to be authentic and shoot the video yourself. It’s another to release a polished PR piece with scripts and lighting.

This is neither of those things, and looks like a continued miss in tone and tenor. I understand that security culture changes are hard and take time, but I’m not confident that Ivanti is going to execute on them, given their track record and this message.

The very next day, security researchers disclosed “multiple Chinese hacker groups” actively exploiting Ivanti security flaws in the wild. The sheer number of threat actors leveraging these flaws is worth noting, and Mandiant’s analysis is strong. Grab the IOCs and YARA rules from their post if you want to run them against your own logs.

From big things down to the other side of the spectrum - we also saw a minor performance impact - 500ms! - lead to the exposure of a highly advanced backdoor slotted into an open source library by an unknown threat actor.

This is a wild story, and WIRED is now reporting that the persona of “Jia Tan made 6,000 code changes to at least seven projects between 2021 and February 2024.”

CISA is encouraging users to patch to a new version of this utility, and you should, but I doubt this is the last we’re going to hear of Jia Tan.

I would also note that Microsoft is the owner of GitHub, and may want to consider security culture in their open source, community maintained world as well as the world of Exchange Online.

Fundraising

Fundraising last week bounced back to a very robust $18B in newly committed capital, including funds focused on pro sports and private markets, and the news that tech titan Thoma Bravo is targeting $20B for its 17th flagship buyout fund and $7B for its fifth “Discover” mid-market fund.

So much for now being the time for smaller players?

IPO pulse? Reddit is down from its IPO price. Trump Media & Technology Group is down from its IPO price. Difficult choices ahead for investors and management teams, both.

You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf

https://techcrunch.com/2024/03/08/microsoft-ongoing-cyberattack-russia-apt-29/

https://www.ivanti.com/blog/our-commitment-to-security-an-open-letter-from-ivanti-ceo-jeff-abbott

https://thehackernews.com/2024/04/researchers-identify-multiple-china.html

https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement

https://www.wired.com/story/jia-tan-xz-backdoor/

https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
