That 3CX supply chain attack keeps getting worse: More victims found

In Brief We thought it was probably the case when the news came out, but now it’s been confirmed: The X_Trader supply chain attack behind the 3CX compromise last month wasn’t confined to the telco developer.

Quite the contrary, in fact, according to Symantec. “To date, [we] found that among the victims are two critical infrastructure organizations in the energy sector, one in the US and the other in Europe. In addition to this, two other organizations involved in financial trading were also breached,” Symantec announced without naming any names. 

For those unfamiliar with the incident, 3CX reported a supply chain attack that saw its 3CX DesktopApp trojanized after the company was itself compromised by way of a backdoored version of the X_Trader futures trading app published by Trading Technologies.

3CX’s VoIP products are used by a variety of high-profile clients, including Mercedes Benz, Air France and the UK’s National Health Service. 3CX’s CEO copped to the compromise when customers began noticing strange behavior in their instances of the DesktopApp.

It’s still not immediately clear when or exactly where the supply chain attack started, but Symantec said it appears to be financially motivated and is hitting critical infrastructure organizations. Symantec said that behavior lines up with North Korean habits of engaging in financially motivated attacks that double as espionage missions.

Hence, “it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation,” Symantec warned.

As we noted in previous coverage of the 3CX attack, North Korea wouldn’t be a surprise source. It attacked the X_Trader installer in 2021 to install the VEILEDSIGNAL backdoor. Technical analysis of the malware by both Symantec and Mandiant found traces of VEILEDSIGNAL in the chain of attacks used to compromise installs of 3CX DesktopApp. 

Symantec published a list of indicators of compromise (IoCs) with its analysis of the malware. If your environment is running any 3CX software it would be a good idea to ensure those IoCs are loaded into your security tooling.

Critical vulnerabilities of the week

Google Chrome received important updates last week, including one that addressed a nasty bug – CVE-2023-2136, which is already under active attack.

The flaw allows an attacker to bypass the sandboxing tech in the Chrome browser by exploiting an integer overflow issue in Skia graphics engine.

An attacker would already need to have compromised the renderer process to pull that off, but evidently that hasn’t been an obstacle: at least one attacker is using an exploit for the bug.

“Google is aware that an exploit for CVE-2023-2136 exists in the wild,” the Chocolate Factory warned.
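The advisory gives only the bug class (an integer overflow in a graphics library), not the code, so the block below is an added illustration written for this page, not Skia’s code and not the CVE-2023-2136 bug itself. It shows the shape such a bug usually takes in image handling: a byte count computed in 32-bit arithmetic from attacker-controlled dimensions wraps to a small value, the small buffer is allocated, and the real pixel payload then overruns it. Beside it is the hardened form, which does the multiplication with overflow checking in `size_t` and applies a sanity cap. The function names, the 1 GiB cap and the sample dimensions are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative only (not Skia, not CVE-2023-2136): the integer-overflow
 * bug class in the place it usually lives, a pixel-buffer size computation
 * driven by dimensions read from an untrusted image header. */

/* Vulnerable pattern: width * height * bytes-per-pixel done in uint32_t.
 * 0x10000 * 0x10001 = 0x100010000, which wraps to 0x10000; times 4 that is
 * 0x40000 bytes (256 KiB) for an image that really needs 16 GiB. A decoder
 * that allocates this and copies the declared pixel data in overruns the
 * heap by the difference. */
static uint32_t naive_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;   /* wraps silently, no diagnostic */
}

/* Hardened pattern: widen to size_t and use checked multiplication
 * (GCC/Clang __builtin_mul_overflow). Returns false instead of wrapping. */
static bool checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp,
                                size_t *out)
{
    size_t area;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &area))
        return false;
    if (__builtin_mul_overflow(area, (size_t)bpp, out))
        return false;
    return true;
}

/* Assumed policy for the example: refuse anything over 1 GiB even if the
 * arithmetic itself did not overflow, so a 64-bit size_t does not turn a
 * "no wrap" result into a multi-gigabyte allocation. */
#define MAX_BITMAP_BYTES ((size_t)1 << 30)

/* Allocation path a decoder should use: checked size, then a cap, then
 * malloc. NULL means "refuse this image", never "allocate something small". */
static void *bitmap_alloc(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t bytes;
    if (!checked_pixel_bytes(width, height, bpp, &bytes))
        return NULL;
    if (bytes == 0 || bytes > MAX_BITMAP_BYTES)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed header values for the demonstration. */
    uint32_t w = 0x10000u, h = 0x10001u, bpp = 4u;
    size_t real = 0;

    printf("naive size:   %u bytes\n", naive_pixel_bytes(w, h, bpp));
    if (checked_pixel_bytes(w, h, bpp, &real))
        printf("checked size: %zu bytes\n", real);
    else
        printf("checked size: overflow, refused\n");

    void *buf = bitmap_alloc(w, h, bpp);
    printf("bitmap_alloc: %s\n", buf ? "allocated" : "refused");
    free(buf);

    buf = bitmap_alloc(640u, 480u, 4u);
    printf("640x480x4:    %s\n", buf ? "allocated" : "refused");
    free(buf);
    return 0;
}
```

The takeaway for code review is the first function: any size arithmetic whose inputs come from a file or the network needs either a checked-multiply builtin or an explicit `a > SIZE_MAX / b` test before the multiply, plus a domain-specific upper bound, because a wrapped size that is merely "small" is exactly what turns a parsing bug into a memory-safety bug.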

‘Twas also a vulnerable week for Cisco, which reports multiple critical problems in several software products:

  • CVSS 9.9 – multiple CVEs: Cisco Industrial Network Director contains a pair of vulnerabilities that could allow an authenticated attacker to inject arbitrary OS commands or access sensitive data.
  • CVSS 9.1 – CVE-2023-20154: Cisco Modeling Labs has an external authentication vulnerability that could give an unauthenticated attacker admin access to the platform’s web interface. 
  • CVSS 8.8 – Multiple CVEs: SNMP in Cisco IOS and IOS XE is lousy with vulnerabilities that could give a remote attacker the ability to execute code or force a system reload.
  • CVSS 8.8 – CVE-2023-20046: Cisco StarOS’s SSH implementation contains a flaw that could let an authenticated remote attacker escalate their privileges on affected devices. 
  • CVSS 8.6 – CVE-2023-20125: Cisco BroadWorks Network Server has a vulnerability that could allow an attacker to exhaust system resources and cause a denial of service.

VMware also reported on Thursday a pair of CVEs in VMware Aria Operations for Logs, with CVSS scores of 9.8 and 7.2. The 9.8-rated one is a deserialization vulnerability through which a remote unauthenticated actor can execute arbitrary code with root permissions; the 7.2-rated one is a command injection that requires admin privileges on the appliance.

CISA shared a trio of critical industrial control systems vulnerabilities, too:

  • CVSS 10.0 – CVE-2023-2131: INEA’s ME RTU firmware versions prior to 3.36 are vulnerable to OS command injection.
  • CVSS 9.8 – Multiple CVEs: Multiple versions of Schneider Electric’s Easy UPS Online Monitoring software contain authentication issues which could allow an attacker to escalate privileges, bypass authentication, and the like.
  • CVSS 8.6 – Multiple CVEs: All versions of Omron PLC CJ, PLC CS and PLC NX1P2 are vulnerable to authentication bypass vulnerabilities that could allow an attacker to pose as an authorized user.

There’s also a pair of new known exploited vulnerabilities:

  • CVSS 9.8 – CVE-2023-27350: PaperCut NG v.22.0.5 contains an authentication bypass vulnerability that allows an attacker to execute arbitrary code.
  • CVSS not rated yet – CVE-2023-2136: Chrome’s rendering engine, Skia, has an integer overflow issue that could allow sandbox escape.

Also, Oracle released its quarterly Critical Patch Update, which addresses hundreds of vulnerabilities across Oracle products, including Solaris and Oracle Linux. They’re too lengthy to cover here, but it’s a good idea to apply the latest patches to your Oracle systems.

Finland sentences CEO for a breach at his company

Leave it to the Finns to come up with such a novel concept: The former CEO of a hacked psychotherapy center was handed a prison sentence for his role in failing to pseudonymize and encrypt patient health records, as required under the EU’s General Data Protection Regulation.

The court said the seriousness of the crime would have justified an unconditional jail sentence, but since former boss Ville Tapio had no prior criminal record it settled on a three-month suspended sentence, the Finnish Broadcasting Company (Yle) reported.

The breach occurred in 2020 and saw tens of thousands of patient records published online, where cyber criminals used the patient records – including session notes and personal details – to blackmail those caught up in the leak. Tapio was fired by the board of the Vastaamo psychotherapy clinic shortly after the breach. 

The court said this week that the company’s database stored patient records in plaintext, without adequate encryption, and characterized Tapio’s behavior as “particularly reprehensible” given the sensitive nature of the information Vastaamo stored.

French police arrested the alleged hacker in the case, Julius “Zeekill” Kivimäki, in February. First identified as a suspect in the case in October of last year, Kivimäki has a considerable cyber crime rap sheet. ®