Two critical vulnerabilities, identified as CVE-2024-21887 and CVE-2023-46805, are opening the door for data to be stolen, and they don’t stop there.  In addition, they allow for modifications to existing files in your environment and for remote files to be downloaded. 

So please REMOVE COMPROMISED DEVICES from your network and immediately prepare for an upcoming patch. 

There has been an emergency directive issued by CISA to mitigate all Ivanti 0-day vulnerabilities. 

Quick Points: 

• Vulnerabilities: CVE-2024-21887 (Command Injection) and CVE-2023-46805 (Authentication Bypass) 
• Likelihood: Low to Medium. Approximately 15,000-20,000 VPN gateways are potentially exposed 
• Impact: High. Potential for unauthenticated remote code execution, data theft, file modification, and reverse tunneling 
• Current Mitigation IS UNSTABLE: Ivanti has released an XML file as a temporary workaround that IS UNSTABLE 

What a year! 

I think we all deserve a quieter 2024, and that’s why I’m sending out this special edition Threat Intelligence.  Let’s see what we can learn from 7 dangerous themes that emerged in 2023 and apply those lessons to your MSP and your clients’ organizations.  

1. Ransomware Renaissance: Top of the list?  Yep.  The big casino heist. Was this the worst event of 2023? Probably not. It does, however, help us understand that no one is safe. The most important point of this story – casinos are highly regulated, have great training programs, and have people who are great at following rules.

2. Credential Crisis: This got really ugly in 2023.  Attackers got onto networks like normal users, then moved throughout the environment with privileged access. How is this lateral movement happening? The attackers were able to move through the network using single sign on tokens. Whether you’re using passwords, multifactor authentication, or password-less authentication – as long as trust exists in the network, a temporary login artifact is stored. That login artifact can often be replayed, leading to this lateral movement.  

a. BOTTOM LINE: In 2024, this type of lateral movement will continue.  

b. PRO TIP: Make sure you have user identity management and a mechanism in place to protect that user identity management system. Tokens and login artifacts should be treated as the crown jewels of your network. What mechanisms do you have in place to protect them from hackers? 

3. Supply Chain Siege: In 2023, hackers didn’t just use vulnerabilities.  They also gained access through vendors and supply chain attacks. In one example, over 60 Credit Unions’ networks were held for ransom. The way in? Using access one of their vendors had to their networks to deploy ransomware. These supply chain attacks are not single events, or unlucky breaks for the victims. They represent a continued trend that hackers where are exploiting weakness in an organization’s supply chain. 

a. BOTTOM LINE: This trend will continue into 2024 and beyond.  

b. PRO TIP: Steps to reduce the risk of supply chain threat include vendor evaluation, least privilege, and testing. The easiest way to test supply chain risk or insider threat exposure is a recurring penetration test focused on these threat vectors. As leaders in cybersecurity, educating organizations of this risk and testing is a necessity. 

3. Data Deluge: The biggest data breaches we’ve ever seen: 3.8 billion email and password combinations leaked to the dark web. You might be thinking you have multifactor authentication, so this isn’t a big deal. But here’s the thing: this data is used to improve the models hackers use to socially engineer their victims. The data is imported into tools to build social webs and AI models that allow hackers to figure out how people are connected and how to create an effective pretext while phishing users. 

a. BOTTOM LINE: This has been lucrative for hackers, so it’s probably part of their 2024 success plan already. 

b. PRO TIP: User training will be a critical component of your 2024 cyber security strategy. 

5. Email Compromise: Got a story about someone who wired money to a scam?  Well, join the crowd.  That was a huge issue in 2023, and if you haven’t heard a story about it, well, you’ve been living under a rock.   

a. BOTTOM LINE: The data shows that the number of victims and the amounts of money lost to these attacks continues to rise. 

b. PRO TIP: I recommend having a Funds Transfer Policy as part of the decisions you are guiding your clients on about security in Q1 of 2024. You’ll also want to include a M365 hardening project as part of your 2024 recommendations. Check out SecOps 160 for more details on this one. There’s even a script and a worksheet that will help you get it done. 

6. Unpreparedness Unraveled: Organizations often make assumptions about how prepared they are, and this is truly dangerous. This year, I personally helped 11 different MSPs respond to ransomware events. Only one of them had a solid plan that was both documented and tested with their client.   

a. BOTTOM LINE: Many organizations are assuming their IT teams have this under control.  

b. PRO TIP: Your opportunity in 2024 is to educate your clients that incident response and recovery is an operational issue, not just an IT issue. Help your clients by offering tabletop exercises as a starting point to find out where they need practice. Build this into your compliance as a service offering. And yes, all of your clients need compliance as a service. 

7. Compliance Conundrum: Compliance has changed cybersecurity forever and it’s just getting started. CMMC might only impact less than 5% of your clients, and maybe it will be years before any real case law exists or enforcement happens around it. However, cyber insurance requires a compliance program, and when people sign up for cyber insurance, they make commitments to security controls. Making these commitments means, not only do you have to implement them, but you also have to gather evidence that these controls are implemented.  The key is to build out a compliance program that will be able to be iterated and expanded to support other standards like SOC2, ISO27001, CMMC, PCI, or FTC Safeguards as they become more mainstream. 

a. BOTTOM LINE: In 2024, part of your security strategy should include introducing your clients to compliance programs and educating them. This elevates you from a security perspective into a thought leader and advisor. 

b. PRO TIP: To get started, we have a turnkey system in the portal that you can use on your clients and your own MSP to build your compliance program. 

Ultimately in 2024 the MSPs who will see the most growth are also the ones that are thinking about what happened in 2023 from a security standpoint and coming up with ways to reduce these risks in their 2024 offerings.  

Inquire now to get you started on this journey!

The situation with the Citrix Bleed vulnerability has escalated.   

At least 60 credit unions across the U.S. have been knocked offline by a ransomware attack against their 3rd party cloud provider in the past few days. Citrix Bleed was the attacker’s way in, but this email isn’t just about another vulnerability.  

This email is about something far worse: supply chain attacks! We’re seeing case after case of devastating supply chain attacks that are crippling critical infrastructure, leaving everyday businesses as victims. 

One of the largest examples of this unfolded on July 2, 2021 against Kaseya, a Miami-based software company, a case that brings into focus the level of damage that can be inflicted by a supply-chain attack.  That attack against Kaseya disrupted nurseries, schools, pharmacies, and supermarkets in 17 countries.  Millions of people were impacted. 

Supply chain attacks are tricky because they work through existing relationships, and you can’t simply block them. Your MSP’s reputation is on the line, and guess what?  If hackers use you to get to your clients, your clients are in danger because of you. So, if you don’t take proactive steps, you’ve unknowingly added trojan horse software to your whitelists. 

Throughout 2023 we’ve seen attack after attack.  You may remember some of the major ones: 

• February 2023 – Applied Materials Supply Chain Attack: A key partner of Applied Materials was targeted, causing a staggering $250 million loss in Q1 2023. This caused significant shipment delays and financial turmoil! 
• February 2023 – University of San Francisco Attack: Imagine a doctor not being able to operate because of a system being offline for several days. Staff members were unable to access records or schedule surgeries and personal information belonging to clinical trial participants was stolen.  
• March 2023 – 3CX Supply Chain Attack: Malware was silently delivered to and hidden in a number of client organizations. It acted as a ticking time bomb, with the hackers in control of the detonator switch.
• June 2023 – MOVEit Supply Chain Attack: Personal data and flight safety was compromised in a massive breach, compromising travel security for thousands. 

Supply Chain Attacks are no joke. We anticipate more issues around supply chain attacks with entry ways such as the Citrix Bleed vulnerability. 

Once you deploy a product, your vendor is given unchecked access to your network. You need to commit to becoming vigilant and increasing the readiness of your MSP and your clients. 

What’s the solution? Start by using a Level 1 pen test to see if you find any vulnerabilities in your client’s environment. 

Then, meet with the client to establish a recurring cadence with comprehensive, Level 3 pen tests that demonstrate supply chain attack vectors. One weak link can totally devastate your reputation, and it’s important that you’re not blindsided by that reality. 

Having a comprehensive test done regularly is the major line of defense to stop a supply chain compromise. You can use your quarterly meetings to guide clients to go from basic defense to a powerful shield of defense in layers. 

As you continue to prepare your clients to survive a supply chain risk in the New Year, we want you to know that we’ve got your back. We’ll be adding additional details related to supply chain attacks in our pen test findings to ensure you don’t become a victim of a hacker with unchecked control over your clients. 

Please, don’t ignore this invisible threat, reach out to your PSM about recurring Level 3 pen tests for you and your clients today before a mistake that some other company made becomes your problem.