Transparency in Cybersecurity
3–11–2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, March 11, 2024, and - we’re going to revisit some stories we’ve covered here before and talk about transparency in cybersecurity.
Transparency Over Everything
Late on Friday, Microsoft shared a blog post and new SEC 8-K filing that outlined the fact that Russian hackers remain in Microsoft’s systems, and are continuing to launch attacks.
In their post, Microsoft notes that “we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”
Their post goes on to note that:
“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024.”
That’s an incredible volume, and Microsoft the attack as being “characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus.”
They close the post by noting that “Our active investigations of Midnight Blizzard activities are ongoing, and findings of our investigations will continue to evolve. We remain committed to sharing what we learn.” And yet - they haven’t really shared anything of substance here, such as what kind of secrets (passwords, API keys, access tokens?) or what kind of TTPs are in use beyond “some aspects of the attack such as password sprays”?
Is it possible that this is the reason “on Thursday, the U.S. National Security Agency and Department of Homeland Security recommended that customers evaluate the security record of their vendors, audit the logs of activity on their accounts and limit the authority of users.”
Last week, Britain’s National Cyber Security Centre (NCSC) and international partners from the Five Eyes alliance warned that the SVR is adapting its techniques to hack into organizations that have moved networks into cloud-hosted environments.
Another company providing very little transparency into their ongoing cybersecurity challenges is, of course, Change Healthcare, who are now promising to have pharmacy, payments, and claims platforms back up within the next 7 days or so.
Color me skeptical - particularly as we see all of the law enforcement agencies denying involvement in an AlphV/BlackCat shutdown, indicating that they likely have conducted a rug pull and exited with the $22M - leaving terabytes of medical data with other threat actors who haven’t been paid. One report said “The affiliates noted that they still have 4 TB of data they stole from Change Healthcare” while another report last week suggests that “the attack may be linked to state-backed cyber espionage groups in China”.
I’m sure the Department of Defense data in Change’s systems would be particularly interesting to pair with the data they stole from the Office of Personnel Management a few years back, if for nothing else than to update their files.
Because I’m already on the train of criticizing lack of transparency, I’ll throw one more into the mix with the Cybersecurity and Infrastructure Agency themselves having to come out and note in a “do as I say, not as I do moment,” that they had two Ivanti systems impacted by threat actors and need to be taken offline.
The article says “CISA declined to answer a range of questions about who was behind the incident, whether data had been accessed or stolen and what systems were taken offline.”
But here’s why all this is important - not sharing details on the attacks, attackers, or vulnerabilities doesn’t make the victim in these events any less a victim. The horse has left the barn for these organizations, but there’s hope that others might be able to learn and add defenses or additional situational awareness if they could be made aware of what’s happening.
When we don’t share, we let the bad guys win. And they’re winning left and right - at great cost to each and every one of us.
I understand that there are financial and regulatory implications here, and that legal teams across the country are going to push the “less is more” strategy here - but I’ll put a chip down on the other side of the table and note that more is more, and less only benefits the threat actors.
If you want a debrief on what went wrong and why, I suggest checking out the write-up from the British Library on their recent cybersecurity incident. We would do well to have more debriefs like this, and find that it was a combination of exposing a vulnerable Remote Desktop Protocol to the Internet, limited logging / visibility, and limited resiliency that jammed them up.
But, like most things in the library, we can only learn from the information if we’re exposed to it in the first place. Quit keeping it to yourself so the threat actors can continue to act. Share, so that the defenders can at least have a fighting chance.
Fundraising
From a fundraising perspective, we’re back to more normal amounts, with a combined total of about $15.5B committed, led by a combined $3.8B from Spark Capital for its eight flagship VC fund and its fifth growth fund.
This brings the total for 2024 up to more than $200B in committed capital, in what is a very difficult fundraising and IPO environment. Despite the headwinds, the funds seem to be doing okay, near as I can tell.
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://techcrunch.com/2024/03/08/microsoft-ongoing-cyberattack-russia-apt-29/
https://www.ncsc.gov.uk/news/svr-cyber-actors-adapt-tactics-for-initial-cloud-access
https://therecord.media/europol-doj-nca-deny-involvement-in-alphv-blackcat-ransomware-takedown
https://www.scmagazine.com/news/change-healthcare-hacker-may-be-linked-to-china-espionage-gangs
https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf