Supply Chain Attack or AI Feature?
5–28–2024 (Tuesday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Tuesday, May 28, 2024, and I hope that folks are settling back into their work routines here after the Memorial Day holiday in the US. As is typical of the Pacific Northwest, it rained on our camping trip - thanks for asking.
Supply Chain Risks Continue
In a bit of a shift from what we’ve been talking about (although not entirely unrelated), we’re seeing a good bit of news coming out in the last week around some attacks that we might characterize as “supply chain” attacks - but may also represent something a little bit different.
The first of these stories involves the compromise of some software used in courtrooms across the us. The firm, known as JAVS - or Justice AV Solutions - has disclosed an issue where legitimate versions of their software (distributed directly from their website) included backdoor malware known as GateDoor.
This software “executes PowerShell scripts and downloads additional malware that steals sensitive information (e.g., credentials stored in browsers)” - and have been thoroughly dissected in analysis by companies like Rapid7 and others.
Essentially, it appears that an open-source video codec (or processing standard) was used to insert this code by adding a letter - instead of the legit tool ffmpeg, a compromised lookalike was used called fffmpeg.
The impact, of course, goes beyond just stealing credentials - attacks like this can result in the disclosure of sensitive information, and evade some of the defensive controls we talk about on this program regularly.
Meanwhile, Windows has announced an AI-driven feature called “Recall” that essentially does the same thing - captures a record of all the on-screen activity that can then be queried or replayed by the user to help “recall” things they were doing on their machines. This might include passwords, tokens, or codes - of course - but could also include other sensitive data on screen, whether that be disappearing messages in Signal or ePHI in an application.
Microsoft notes that the data “encrypted with Bitlocker and tied to the user’s account, remain local and are not shared, even with other users on the same device […] and users retain full control over what Recall records” - but we all also know that users are not always a reliable security control, to say the least.
Not to mention the fact that AI-driven LLMs - or Large Language Models - are driving this. These technologies remain somewhat mercurial, even when the big players are putting them out. Google is taking a bit of a hit on their own AI-enhanced search that’s reportedly encouraging users to “eat a rock a day” and “put glue on pizza” - driven by the fact that AI is essentially unable to see sarcastic content.
So, where does that leave us, as defenders? I think it re-emphasizes the need to do two things:
1: Focus on a strategy that’s built on Diversity of Defense and Defense in Depth; and
2: Assume breach and defend accordingly.
To go back to the example from the JAVS court software, if you are compromised by an attack like this, but have robust multi-factor authentication deployed (particularly a phishing resistant factor like a YubiKey), and have controls around your sessions and cookies to prevent replay, as well as robust endpoint controls with 24/7 monitoring and auto-isolation playbooks, sitting in a well-segmented network with least privilege and robust access control lists, you’re probably much less worried about this.
If you’re missing one or more of those defenses, however, you may be in for a rough go. It really does come back to the basics, and the attackers are finding new ways to pull old tricks. Don’t feel like you need to get fancy until the basics are well and truly buttoned up.
Fundraising
From a fundraising perspective, we’re back to the bigger numbers, as predicted. Last week saw nearly $12B in newly committed capital, which should be noted as a particular success given the coverage of fundraising in this new environment that Axios highlighted, suggesting that “GPs are stuck in an IRR model and clinging to companies for dear life.”
This IRR model - or Internal Rate of Return - makes it very hard to sell a strong asset. One PE CEO characterized this as GPs falling in love with assets - “If they own a great business that's compounding at double digits, they're reticent to sell it, because trying to find a new asset that they can acquire today that they're going to grow at double digits" is going to be tough.”
At the same time, LPs are not seeing DPI - or Distributions to Paid In Capital - match, making LPs hesitant to commit more capital.
All this to say that future-oriented projection models, like IRR, are falling out of favor for hard-money measures like DPI. Funds that raise are raising with that expectation, and LPs investing are investing with that expectation. Kudos to those who raise, let’s hope your DPI is at least 1X!
In the meantime, however, there will remain some dissonance, particularly for funds originated in 2019-2022, at least according to Bloomberg.
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.helpnetsecurity.com/2024/05/23/javs-viewer-malware/
https://www.axios.com/newsletters/axios-pro-rata-0c4078e8-6399-4310-990f-970e01851ac4.html