Lessons from the Ivanti Connect Secure VPN Exploitation
1–16–2023 (Tuesday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Tuesday, January 16, 2024, and we’re looking at another short week here in honor of Martin Luther King, Jr. Day here in the United States.
Lessons from the Ivanti Connect Secure VPN Exploitation
The big security news of the past week comes out of some research by the team at Volexity, who discovered a vulnerability in the Ivanti Connect Secure VPN - formerly known as PulseSecure, a company Ivanti acquired in 2020 (who then almost immediately suffered a series of high profile vulnerability exploitations in 2021).
Briefly, without diving too deep into the technical details of this vulnerability, the Volexity team “discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE)” - pretty much as bad as it gets. Attackers (attributed to China) were dropping a custom webshell to gain persistence into compromised environments.
To their credit, Ivanti created some official mitigation advice while they work on the patch, and have been updating that page regularly. Importantly, however, is the note that a patch is not yet available - so defenders have to consider the mitigations, taking down their VPNs altogether, or remaining vulnerable.
Later in the week, however, the stakes were raised as Volexity noticed that this vulnerability had been exploited at a global scale - with more than 1,700 devices being compromised in that short period, and noted that “additional threat actors appear to now have access to the exploit and are actively trying to exploit devices.”
Ivanti seems to be downplaying this threat, noting on an additional Knowledge Base article that responds directly to Volexity’s assertions - including citing the post - that Ivanti “ha[s] not observed or had any reports of additional actions taken by the threat actor after deploying the shell and obtaining the configuration.”
I think both companies are missing the main point here - which is that if you’re not actively following this drama, you’ll receive notice that there’s a patch on the 22nd (when it’s expected to drop), apply the patch in your regular cycle (or out of band, if you’re really ambitious), and move on.
That’s a problem, however, if you’re in one of those 1,700 organizations whose devices have already been compromised and persistent webshells deployed.
Volexity - who have a pretty stellar technical track record - found this initial threat vector by doing a month of deep research on logs of their own and their customers. Most organizations don’t have that level of logging or technical capability, and likely won’t be able to recognize this attack on their own.
This second-order impact shouldn’t be discounted, and should remind us of the importance of, and need for, Diversity of Defense and Defense in Depth.
I preach about the need for being Brilliant at the Basics, and that’s true for this, too - with concepts like Least Privilege and the ability to capture and retain logs. For devices like this, are you capturing logs and shipping them to a centralized, immutable location? Attackers are pretty good at covering their tracks by changing and deleting logs at this point, and having logs you can trust to review is critical.
From a least privilege perspective, are we limiting not only what these VPN devices can talk to but what ports and protocols they can use? Limiting those things helps reduce attack surface, identify anomalous connections and data flows, and reduce impact if they are ultimately compromised.
I know that it continues to sound like an impossible tasks - that all of these devices keep getting exploited by sophisticated threat actors and can seem a bit hopeless, but the reality is that deploying technology comes with responsibility, just like driving a car. It’s convenient to ignore the costs of fuel and the need for regular oil changes or preventative maintenance, but we do so at our own peril.
The takeaway here is that your task is to build a security program that can not only limit the opportunity for exploitation through good hygiene, regular patching, and least privilege, but also be definitively able to determine if exploitation has occurred. Otherwise, it’s left to “best guess” - which we wouldn’t tolerate in any other parts of our business. Let’s apply the same rigor to security and see if we can’t move this needle.
Fundraising
From a fundraising perspective, a pretty significant shift from last week. In terms of newly committed capital, we saw more than $56B committed, including
Lexington Partners raised $22.7b for its 10th private equity secondaries fund
BDT & MSD Partners raised $14b for their first fund since Byron Trott's firm merged last year with Michael Dell's family office (led by Gregg Lemkau). It's officially called BDT Capital Partners Fund 4.
That doesn’t even include the news that Ares Management is nearing a final close on more than €20b for a new direct lending fund, which would be the largest ever, per Bloomberg.
At the same time, however, Limited Partners are also asking these firms and their funds to up their game.
The Financial Times ran an article entitled “Private equity has to make returns the hard way” - by which they mean finding undervalued or undermanaged assets and creating value during their hold period, which is pretty much the point of the model - it can’t just be find and flip or buy and hold.
We also saw a Bloomberg article titled “Large Backers of Private Equity Are Asking For Their Money Back” - which isn’t exactly true. The article notes that "Sovereign wealth funds and state pension providers are among investors telling money managers they’ll only commit in their upcoming fund raises if their capital tied up in old funds is released.” Seems reasonable enough - you’ve got to deliver returns before we’ll re-up. If you go back to the FT article, maybe this does seem like the hard way, but it’s the same hard truths being faced by the very same privately held companies that these funds are investing in. You’ve got to find ways to run a profitable business that doesn’t rely on zero interest rates. If you can’t do that, it will be a hard way, indeed.
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-110a
https://www.penews.com/articles/cinven-cheers-14-5bn-mega-fund-20240109
http://www.lexingtonpartners.com
https://www.ft.com/content/508534b8-830a-496c-aef8-73ad07e5d654
https://finance.yahoo.com/news/large-backers-private-equity-asking-050013044.html