When CUPS Overflow: Valuing Threat Intelligence

9–30–2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, September 30, 2024, and we’ve got a good chance to look at some news about a specific vulnerability that can help us understand how to make the most of “threat intelligence” for our business. Let’s dive right in.

When CUPS Overflow: Valuing Threat Intelligence

There’s been quite a bit of discussion in certain parts of the cybersecurity ecosystem over the past week about a newly discovered vulnerability in a small Linux utility known as “CUPS” - the Common Unix Printing System.

This tool is an open-source component that enables your UNIX systems to function as print servers - and actually print things. The problem, of course, is that there’s a vulnerability that allows an attacker to use a maliciously advertised printer to take over those systems.

The rub here is that this vulnerability was released with a Common Vulnerability Scoring System (CVSS) score of 9.9 out of 10, which makes it sound about as bad as a vulnerability can possibly be.

The truth, of course, is a little more nuanced.

In reality, this vulnerability, while exploitable, is one link in a chain of exploits that requires several different things to happen before an attacker can succeed, including:

  • The cups-browsed service has manually been enabled or started;

  • An attacker has access to a vulnerable server;

  • The server is reachable without restriction, such as from the public internet, or the attacker has gained access to an internal network where local connections are trusted;

  • The attacker advertises a malicious IPP server, thereby provisioning a malicious printer; and

  • A potential victim attempts to print from the malicious device.

Only then does the malicious code execute and the compromise occur.

Furthermore, this vulnerability doesn’t impact all Linux distributions, though it does impact some.

So while we want to be aware of zero days and their ability to potentially impact our enterprises, we don’t want to turn into Chicken Little (either to our leadership or our own teams) - because we simply can’t afford to run around like the sky is falling all the time.

How do we counter this? First of all, a solid understanding of what’s in your environment is one of the best defenses. No Linux systems? No problem.

Secondly, and this is something we talk about often on this show, having solid Diversity of Defense and Defense in Depth in play will keep you from being impacted by vulnerabilities like this until they can be patched.

In this case, not exposing servers to the internet, not granting users the local privileges that would let them add printers, and other basic controls would allow you to disrupt this attack pattern - and having Endpoint Detection and Response capabilities deployed would help limit the impact if a single machine were compromised.
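The preconditions listed above are also a checklist a defender can verify on a host. The script below is an added example, not code from the original post or from the CUPS project: it checks whether cups-browsed is listening for printer advertisements on a wildcard address and whether its configuration still accepts remote advertisements. It assumes (these details are not on the page) that cups-browsed receives advertisements on UDP port 631, that its config key BrowseRemoteProtocols controls which remote protocols it honours with "none" turning them off, and that the config lives at /etc/cups/cups-browsed.conf. The `ss` listings and config files it parses are constructed samples so it runs offline; pass --live to run the same checks against the current host.

```shell
#!/bin/sh
# Added example, not code from the original post. It checks the two host-side
# preconditions the post lists for this attack chain: cups-browsed listening
# for printer advertisements, and remote browsing being enabled in its config.
# Assumptions (not stated on the page): cups-browsed receives advertisements
# on UDP port 631, and its config key BrowseRemoteProtocols controls which
# remote advertisement protocols it honours ("none" turns them off).
# Sample inputs below are constructed, so the script runs offline.

# Constructed sample of `ss -lun` output from a host with the listener exposed.
SAMPLE_SS_EXPOSED='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:631       0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*'

# Constructed sample from a host where cups-browsed is stopped.
SAMPLE_SS_CLEAN='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*'

# Constructed cups-browsed.conf samples: the default-style one accepts remote
# advertisements; the hardened one sets BrowseRemoteProtocols none.
SAMPLE_CONF_DEFAULT='# constructed sample
BrowseRemoteProtocols dnssd cups
BrowseLocalProtocols dnssd'

SAMPLE_CONF_HARDENED='# constructed sample
BrowseRemoteProtocols none
BrowseLocalProtocols dnssd'

# True (exit 0) if the given ss listing shows a UDP socket on port 631 bound
# to a wildcard address, i.e. reachable from any network the host sits on.
udp631_wildcard_listener() {
    printf '%s\n' "$1" | awk '
        $1 == "udp" && $5 ~ /:631$/ &&
        (index($5, "0.0.0.0:") == 1 || index($5, "*:") == 1 || index($5, "[::]:") == 1) { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# True (exit 0) if the given cups-browsed.conf text disables remote browsing.
# Comment lines are skipped; the last BrowseRemoteProtocols directive wins.
remote_browsing_disabled() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "browseremoteprotocols" { val = tolower($2); seen = 1 }
        END { exit ((seen && val == "none") ? 0 : 1) }'
}

# Combine both checks into a single verdict string.
assess_host() {
    ss_out=$1
    conf=$2
    if udp631_wildcard_listener "$ss_out" && ! remote_browsing_disabled "$conf"; then
        echo "EXPOSED: cups-browsed accepts remote printer advertisements on UDP 631"
    elif udp631_wildcard_listener "$ss_out"; then
        echo "LISTENING: UDP 631 open but BrowseRemoteProtocols is none"
    else
        echo "OK: no wildcard UDP 631 listener"
    fi
}

# Run against this host with --live (assumed default paths/tools);
# otherwise demonstrate on the constructed samples.
if [ "${1:-}" = "--live" ]; then
    assess_host "$(ss -lun 2>/dev/null)" "$(cat /etc/cups/cups-browsed.conf 2>/dev/null)"
else
    assess_host "$SAMPLE_SS_EXPOSED" "$SAMPLE_CONF_DEFAULT"
    assess_host "$SAMPLE_SS_EXPOSED" "$SAMPLE_CONF_HARDENED"
    assess_host "$SAMPLE_SS_CLEAN" "$SAMPLE_CONF_DEFAULT"
fi
```

An "EXPOSED" verdict on a server that has no business discovering printers is a case where the post's advice applies directly: stop and disable cups-browsed, or set BrowseRemoteProtocols to none, and keep the host off networks where untrusted peers can advertise printers. Fleet-wide, the same two checks fed into your inventory tooling answer the "do we even have this in our environment?" question before anyone reaches for the 9.9 score.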

This is an important mindset shift to get right, because there’s going to continue to be zero days and new vulnerabilities - both from a threat research “name and announce” perspective and from actual attackers looking to compromise systems.

By being measured in both your responses and your defenses, you’ll be best positioned for success over the long run, which is what we’re all working towards. Remember, attackers want to win the battle, and we need to win the war.

Fundraising

From a fundraising perspective, we closed out Q3 with a massive week, with more than $41B in newly committed capital.

This includes a blockbuster announcement that Citigroup and Apollo Global Management launched a $25B private credit, direct funding program.

In addition, StepStone Group raised $7.4B for its fifth private equity secondaries fund, with participants including Mubadala, while KKR raised $4.6B for its debut fund focused on North American midmarket buyouts.

All of these funds seem well-targeted to the market we’re going to see in the next cycle, which is why they’re able to put up these numbers.

It wasn’t all good news, though, with articles noting that global M&A activity is expected to weaken until after the US election, and that startup M&A trends remain sluggish. While both of these things remain true, it’s also true that there’s good opportunity out there for strong companies with durable revenue.

With that, a reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

https://www.aquasec.com/blog/cups-a-critical-9-9-linux-vulnerability-reviewed/

https://www.pymnts.com/news/partnerships-acquisitions/2024/global-merger-acquisition-activity-expected-weaken-until-after-united-states-elections/

https://news.crunchbase.com/ma/pe-leads-startup-ma-trends-ai-biotech/
