Cascading Supply Chain Attack Could Have Been Easily Prevented; Late Patching Can Be Life Threatening; Another Reminder: Sanitize All Equipment Before Reselling

The 3CX incident shows how important solid incident response is, not just for the company affected, but for the community at large. The exploited trading application may have been used by other users as well who up until now had no idea that it put their networks at risk. Thanks to Mandiant and 3CX for sharing these results.

Johannes Ullrich

The first two steps in the origin of the compromise appear to be (1) a personal-owned computer was used by an employee for remote access to 3CX and apparently that remote access allowed the use of reusable passwords; (2) the employee loaded trojaned stock trading software on that personal computer, and that harvested his reusable password for 3CX remote access – game over. Cascading supply chain attacks are an issue, certainly – but the reality is the cascade would never have started if policies requiring strong authentication for all remote access (especially BYOD access) were enforced.

John Pescatore

The VEILEDSIGNAL malware, which was injected into the X-TRADER installer in late 2021, was subsequently downloaded by a 3CX employee in 2023, allowing their computer to be compromised and the attacker to deploy more malware, as well as to move laterally within the 3CX environment, ultimately infecting their desktop app. The net is that multiple pieces of malware were involved, not all of which were unknown, compromising both macOS and Windows environments, not all of which were unknown, so should have been detected. Mitigate the risks by both making sure your EDR platform is kept updated and alerts are actively responded to as well as teaching employees to use caution with third-party components, particularly older or unsupported items.

Lee Neely

This is the first cascading software supply chain attack that has been openly reported. That said, it appears that this supply chain attack did not have a specific target in mind. Unfortunately for 3CX the attack was successful for two reasons: 1) poor implementation of cybersecurity best practices [download of non-work application, lack of network segmentation, access controls]; and 2) lack of security controls within the software development lifecycle [ability to manipulate the 3CX product].

Curtis Dukes

Does not yet seem proven that failure to apply the two year old patch was responsible for the accident, but good to use this item as part of efforts to reduce patching time on critical systems. Cybersecurity is not the only reason to fix broken software faster.

John Pescatore

Safety system updates need to be installed, odds are the components associated with those systems are in high demand and downtime is precious often tied to financial impact. If you're having trouble getting traction on installing safety system updates, take this example to the next meeting.

Lee Neely

Most modern militaries have well-oiled procedures for equipment maintenance, to include software updates. I suspect we will learn that there were other factors that led to the downing of this aircraft. It does, however, highlight that proper software maintenance is crucial no matter the application, as lives may depend on it.

Curtis Dukes

I wrote about this issue a few years ago when I purchased two used Gigamon devices from eBay. Both arrived with existing configurations describing the networks they were connected to. In one case, it was pretty easy to determine the prior owner (who was notified). One particularly concerning aspect was that the devices still used the default credentials. Usually, resetting the credentials will reset the configuration as well.

Johannes Ullrich

Routers, copiers, printers, all have NVRAM which you need to wipe. Some also include storage media which also needs to be addressed. Make sure that you have a documented decommissioning process, with validation, to ensure you're not leaving tidbits behind. NIST SP 800-88 R1 is a good reference for media sanitizing.

Lee Neely

Preparing equipment for resell/excess depends on human interaction. Unfortunately, simple equipment sanitization steps are often overlooked resulting in the loss of sensitive data. We see examples of this reported on a yearly basis.

Curtis Dukes

This vulnerability will be expensive to exploit. While low risk in itself, it points out the importance of cleansing any devices one sells. It is very unlikely that the reseller will do it. Not their risk.

William Hugh Murray

The meaningful quote from the GitHub writeup: “You probably wouldn’t pick up a random flash drive you found on the street and plug it into your laptop, but we regularly do exactly this with open source packages.” They also point out that their use of the Supply-chain Levels for Software Artifacts (SLSA)specification for the provenance statements is only part of the battle. As we’ve learned with digital certificates, attestation without verification is useless. GitHub points to SigStore’s Rekor service and developer CLI tools as ways to bake verification into dev ops use of GitHub packages.

John Pescatore

With this provenance feature, you can not only see exactly which repository and commit a package comes from but also verify the signing key, making it far more difficult for a doctored package to impersonate the genuine article. GitHub is requiring known CI/CD tools be used with Sigstore’s certificate authority to create a one-time use key pair to sign the provenance statement. As this rolls out, processes will need to be updated to require validation prior to acceptance of a downloaded package.

Lee Neely

Most open source software comes with risk, perhaps high risk. Information about provenance can reduce that risk. Google Assured OSS is a source for open source software that comes with a representation from Google that they have vetted the software, will continue to check it, and will notify users of any vulnerabilities that are detected late. While this service is limited to Python and Java, it is both free and valuable. This is an example of the representation from a responsible source that any user of OSS would want to have.

William Hugh Murray

Not every shop has the capability, or budget, to do both static and dynamic code analysis, so being able to leverage work from Microsoft to identify and categorize potential threats helps them raise their game. Interesting service to consider to provide your analysts another resource to help them be more effective.

Lee Neely

The addition of hash and URL search capabilities streamlines multiple steps that cyber threat analysts take while investigating network intrusions. It also benefits MSFT, making Defender a competitor to other threat intelligence platforms. I suspect future releases will integrate closely with MSFT Copilot.

Curtis Dukes

Tracking apps collect data that can be used for unintended consequences. In this case the use of Google Analytics, even with their privacy protections, resulted in added data disclosures. If you don't understand what data is shared with your app tracking, or if you are no longer viewing it, remove the tracking until you're certain exactly what is captured, when and how, and what is done with that data, including if it's made available or leverageable by third parties.

Lee Neely

We’ve seen a raft of these notifications over the last month. You can expect for this matter to find its way into the court system. One question the court will decide on is whether [insert organization here] had a data management process in place to review data collected by the healthcare platform and its third-party providers. As this and other cases get adjudicated, it becomes an excellent case study for both Boards and executive leadership training.

Curtis Dukes

Two flaws here CVE-2023-20864, CVSS score of 9.8, a deserialization flaw, and CVE-2023-20865, CVSS score of 7.2, a command injection flaw, affect versions 4 through 8.10.2, you can cross check the VMware alert, updating if you're affected, better still, just update to 8.12. Note that deserialization flaw can be exploited by an unauthenticated user with network access.

Lee Neely

oint32Health has put out a system update, but doesn't specify which services are impacted, directing members to call the number on their ID card. Adds a scenario to consider during your tabletop - could your call center handle the volume of inquiries if you were in their situation? Ask: would you be better having more information on the notification, or would human nature be to call regardless and are you prepared?

Lee Neely

Many ransomware attacks are targeted at smaller healthcare providers who don’t have the resources to protect themselves. In this case Point32Health is ranked as one of the top 20 health plans in the US with 9.8B in revenue for the year 2022. One would think that they have adequate cybersecurity resources to practice basic cyber hygiene.

Curtis Dukes

Having the risks related to creating smart cities all in this document can help make the case for having a secure design. The components of that design are familiar, secure authentication, manage changes, actively manage components, leverage zero trust, what is helpful is the components come with links to references that should be leveraged to answer the how question. If you're involved, make sure that your city planning commission reads the guide, twice.

Lee Neely

The smart city concept is about integrating city services that are underpinned by operational technology, into a connected environment. The US military has had a similar approach with their netcentric warfare. What’s interesting is that the cybersecurity best practices for both environments remain the same. This guidance, specific to CISA, is just amplifying what’s available today.

Curtis Dukes