Temporal Risk Hits Tax Filing Site; Patch and Investigate Use of Zimbra; 3CX Learns Virus Check Web Sites Should Not Outweigh Customer Observations

Despite multiple attempts to contact efile<dot>com after we found the issue with their site, the malware is still present as of this morning.

Johannes Ullrich

As Johannes states in his analysis, it can be really difficult to detect when a trusted partner site gets compromised. Because of that existing trust, users are less likely to contemplate content carefully. This is where your boundary protections, EDR, and other layered defenses come into play. Leverage the IOCs in the ISC posting to ensure none of your users were captured. Consider reaching out to your CPA to make sure they are aware of this issue so they can take steps to mitigate the risks.

Lee Neely

A good reminder that business cycles drive risk levels – from January 1 to mid-April, tax filer companies have more risk of business impact. Just as flower companies and soap-on-a-rope companies have work at risk before Mother’s Day and Father’s day. That medium severity CVSS vendor vulnerability score can turn critical when you add the Temporal factor.

John Pescatore

Never discount the ingenuity of evil-doers to separate a target’s ‘money’ from their wallet. Unfortunately, and way too often, legitimate websites are compromised and taken-over to enable an attack. Given that we’re currently in tax season here in the US, it stands to reason that sites offering tax services would be targeted. It appears that eFile<dot>com needs to redouble its efforts at basic cyber hygiene for its website. A good place to start is implementing IG1 from the CIS Critical Security Controls.

Curtis Dukes

While a lot of attention is placed on the threat actor, let’s defend against the attack. Two things you can do to protect now and prevent against future attacks: 1) A patch for this vulnerability has been available for over a year, patch now; and 2) Cross-site scripting is a method to inject malicious code in a webpage and has been around for over a decade. The OWASP organization has created a cross-site scripting prevention cheat sheet: use it.

Curtis Dukes

Zimbra has been releasing patches for various flaws on an almost monthly pace since releasing the patch for 2022-27926 (medium severity) in March 2022 – even if you escaped this attack, time to force all use to be patched. This attack was another harvesting of reusable passwords and could have been avoided/mitigated by use of multi-factor authentication.

John Pescatore

The Zimbra update has been added to the NIST KEV catalog with a due date of 4/26. Zimbra 9.0.0 patch 24 addresses this issue; you should be updating to patch 31. Zimbra patches are cumulative. Even so, carefully read the release/patch instructions.

Lee Neely

The ability to quickly and accurately triage reports like this is critical for a software vendor. False positives happen, and they happen often. But in the end, you need to know how your software behaves and how to assess if it does anything it is not supposed to do. It also helps immensely if you make it easy for the larger community to report security issues directly to a security team.

Johannes Ullrich

VirusTotal has a long disclaimer section making it clear what it should NOT be used for, and using it to ignore customers’ and security researchers’ observations was a bad and costly decision for 3CX. Good topic for a tabletop exercise for all software vendors.

John Pescatore

That's the trick with verification of reported issues. Just because VirusTotal says that code is not malicious, doesn't mean it is. Don't take VirusTotal out of your processes, just be careful to discount a vulnerability from a security researcher because VT says it's not. Instead, engage the researcher to see if their results are repeatable. Take the opportunity to build relationships which can help you in the future. Don't forget to publicly recognize and reward these partnerships.

Lee Neely

Seven days in ‘cybersecurity time’ can seem an eternity when it comes to discovering a vulnerability and offering a fix to your users. The root cause appears to have been poor implementation of cybersecurity best practices by the company on its infrastructure that led to malicious manipulation of its product. Testing the app on VirusTotal is rather straight-forward; digging through one’s software configuration management processes is costly without some indicator of where the manipulation was made. With supply-chain attacks you have to look at every facet of your software development lifecycle.

Curtis Dukes

3CX was the victim of a breach. Its customers were victims of a supply chain attack from which 3CX was responsible for protecting them. Suppliers, not their customers, are responsible for supply chain attacks.

William Hugh Murray

Cloud storage providers are like banks, but for data. There is no point in placing my data in the cloud if I can keep it more secure under my mattress. I hope Western Digital will earn its customers trust back by being open about what exactly happened.

Johannes Ullrich

This security incident has not only resulted in a loss of company data but more importantly, an extended period of downtime for small businesses (0-19 employees) who need access to their storage. Its communication to users of its service has been spotty at best. Expect some enterprising law firm to file a class action lawsuit in the coming months.

Curtis Dukes

Kudos to Western Digital for not only having a service outage page but also keeping it updated. The primary intended impact was for NSA services to not be able to reach cloud hosted media repositories. Unfortunately, the service seems to be returning "503 Service Temporarily Unavailable" error when you try to login. Since WD is rebuilding services, expect this to take a bit to recover. Keep an eye on their MyCloud status page for updates.

Lee Neely

Take a look at the ICA announcement, notice all the communication paths they leveraged to let people know they would be impacted. Make sure your BCP includes a similar depth of communication coverage. This is particularly important for service disruptions which are really "in the face" of customers, having a message about the problem as well as acknowledging their discomfort is an important step to maintaining that relationship.

Lee Neely

This issue impacts Elementor Pro when used with the WooComerce plugin through a flaw in their AJAX handler. You can exploit the vulnerability to create a new administrator account. The issue was reported to the authors on March 18th and an updated version (3.11.7) was released March 22nd. This should be already installed with your plugin updates, verify it is.

Lee Neely

Practitioner's Note: Yes, patch immediately and look for indicators of compromise. Importantly, consider auto-patching and continuous scanning solutions for WordPress. The platform's bad security reputation comes mostly from vulnerable plugins.

Christopher Elgee

WordPress usage for content management is now approaching 40 percent of the entire Internet. With WordPress, critical vulnerabilities most often crop up by the use of plugins that render websites exploitable; this vulnerability is no different. It was only a week ago that a similar, equally serious vulnerability was found in the WooCommerce Payment plug-in. Some sage cybersecurity advice: if you’re a WordPress shop, patch early and patch as often as apps are updated.

Curtis Dukes

At this point Capita believes the attack was limited to only parts of their network and has no evidence of customer, supplier, or collaborator data having been compromised. While they are not stating the state of the investigation, their focus appears to be on final restoration of services to customers, not the investigation. One hopes they produce a final public statement rather than embedding information in a regulatory filing. Transparent disclosure of incidents through regular customer communication channels should precede and match any disclosures contained in reports required by regulators.

Lee Neely

These file types will also be blocked in Excel, Word, PowerPoint and Outlook. This expands on the default blocking of macros from files with "the mark of the web" as that move resulted in hackers leveraging embedded files to deliver malware. When the block occurs, users will get a message that access to the file was blocked by their administrators. M365 administrators can set policies to block added file types as needed, or even unblock specific file types to allow them to be opened. Use caution allowing the file types MS has blocked.

Lee Neely

This is a continuation of Microsoft’s effort at ‘collective defense.’ A couple weeks ago Microsoft surprised the community by announcing it would block messages from vulnerable on-premise Exchange servers to its Exchange online service. Most considered it a bold but welcome action. Now it’s focused on some of the bigger operating system security risks – malware delivery via applications. It’s betting that a little reduction in ease of use – forcing the user to download the attachment to the desktop – can result in better protection for its customers.

Curtis Dukes

Another week, another high-profile loss of PII data. The good news: TMX has offered its customers 12-months of complimentary credit monitoring and identity protection services. But by now, who doesn’t already have free credit monitoring and identity protection services as a result of some previous data theft. My question: should companies be storing PII data in the first place? Sure, they need PII initially to complete the business transaction, but maintain for years after and become a tempting target of cyber thieves.

Curtis Dukes

Not reporting because the incident was considered immaterial is risky. Transparency is key, and your customers deserve it. Gone are the days when nobody reads the 8-K to highlight anything you slipped in. Today, the first disclosure in this filing is taken as negative, and that is easily avoidable. Figure out your notification process before you need it, talk it through, remember that you're going to have other avenues of mandatory disclosure, hopefully having one data source for both situations for consistency and simplicity.

Lee Neely

What’s troubling is that Lumen experienced two cybersecurity incidents in a relatively short time period. It sure doesn’t seem as though they learned anything about the state of their cybersecurity program from the first incident. The good news is that Lumen now has a greater emphasis on ‘trust and transparency.’ I mean, that’s why they made the disclosure; that, and because it’s required by SEC rules.

Curtis Dukes

The reason for this requirement is for the Department to know what assets (HW, SW, and data sensitivity) it has on the enterprise and in need of oversight by its cybersecurity program. Circumventing the CIO does not bode well for having an effective cybersecurity program to protect government assets and patient information.

Curtis Dukes

Ensure your CIO and CISO are involved in IT acquisitions. To not only mitigate supply chain risks, but also align with enterprise direction. Blindsiding either of them can be a career-limiting move, or result in undesired publicity, negative audit findings, or other damage to your reputation.

Lee Neely

The core recommendation revolves around malicious code detection on their Linux servers. The good news is there are now EDR solutions for Linux systems which support enterprise deployment and managing. As the IRS is using a FedRAMP solution, control SI-3, Malicious Code Protection, which includes requirements non-signature-based detection was in-scope as a required control. One wonders how this was either tailored out or the risk accepted without controls on their Linux servers. If you're working on security baselines, be sure that you're carefully considering controls to tailor out, or otherwise mark as N/A or not technically feasible. At a minimum, revisit them annually to ensure the basis for that decision is unchanged.

Lee Neely