FDA Starts to Take Action on Medical Device Security; Activate Incident Response for 3CX VoIP Desktop Client Compromise; Patch and Monitor Use of IBM Aspera Faspex File Transfer Software

Organizations using 3CX should be in full incident response mode by now. This malware allowed full remote control access to affected systems. At the very least, items like software used on the systems and browser histories are lost. But individual systems may have seen additional actions from the attackers that may not be documented in write-ups analyzing the malware. See the Top Note above for information on a special SANS life stream in this compromise.

The malicious code, which is bundled as an update, is both signed with the 3CX key so installers view it as legitimate and contains legitimate 3CX application components, making it hard to detect. 3CX is issuing both a new application and signing key, so that pushes out the release of that update effectively to next week. 3CX recommends moving to their PWA client, which is web based, has 99% of the functionality minus hot keys and BLF until updated versions can be tested and installed.

Targeting is an art form. This attack is attributed to the DPRK. While we may not consider the country highly sophisticated economically, they have a decent set of operators. This comes from the fact that this supply chain attack targeted the same type of footprint as the SolarWinds attacker, what appears to have been an SMB software maker in 3CX that made it to Fortune 500 companies. Their security may or may not have been as stringent as others in the space; it’s hard to tell. We now know that both Windows and it appears OSX versions of their 3CX software used for voice communications got backdoored and signed as valid releases. My takeaways are that supply chain attacks, specifically targeting developers, source code, and CI/CD, are not going away.I would recommend looking at this link to their forum where you see the thread of administrators freely talking during the incident before real disclosure: https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-4#post-558867. Patrick Wardle also protested a great writeup on looking at the MacOS version of the backdoored kit: https://twitter.com/patrickwardle/status/1641294247877021696.

There is a tendency in press headlines to focus on the type of attack vs. the type of vulnerability that enabled the attack to succeed. I’d so much rather see “Lack of Checking of Library Components by 3CX Impacts Hundreds of Companies” or “Reusable Admin Passwords Resulted in Colonial Gas Pipeline Shutdown.” Emphasizing that the keys were left in the ignition is not blaming the victim, it is identifying the failure that could have been avoided.

Supply chain attacks are insidious by design: attack once, exploit many (in this case over 600K customers). Historically, supply chain attacks have been attributed to nation states as they have the resources to implement such an attack. This disclosure highlights a company failure on two fronts: 1) the state of cybersecurity best practices used by the company; and 2) a lack of robust software configuration management processes by the company. Given the loose connection to a nation-state, don’t be surprised to hear more about this attack should a cyber insurance claim be made, or it makes its way into court to be litigated.

After over 15 years of FDA guidance to industry to take security seriously in medical devices, it is good to see this action. The bill that enabled this also authorized the FDA to staff up a skilled capability to review and approve/reject security plans in device certification applications – the onus is now on the FDA to do that effectively and rapidly.

This shouldn’t come as a surprise to the medical device manufacturers, and while it is not ‘Secure by Design,’ it is a step in the right direction. Between now and October 1st, training on what it means to be compliant will be necessary for FDA staff and its contractor support. Hopefully, over time FDA will define what it *actually* means for a medical device to be ‘cybersecure.’

Oddly today is National Bunsen Burner Day, just two days after amendments to the FD&C act went into effect. The good news is the FDA will partner with companies making premarket submissions prior to October 1st to address any cyber deficiencies. After October 1st, the submissions will be refused if they don't meet the cyber guidance. The cyber requirements don't have any surprises: the expectation is to address vulnerabilities, have a reasonable regular update cycle, address critical vulnerabilities ASAP, provide a SBOM, then a catch-all "any other requirements the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure." Regulations will evolve irrespective of that statement, so don't lose any sleep there.

This vulnerability was initially patched in January, and a PoC exploit has been available since February. No surprise that this is used now to install ransomware.

IBM's Aspera Faspex is a centralized file exchange application used to transfer large files or large volumes of files at very high speeds using their proprietary FASP protocol. The most critical vulnerability is CVE-2022-47986 has a raw CVSS 3 score of 9.8, and working POC code has been available since February. Make sure you're on at least Aspera Faspex 4.4.2 Patch Level 2. IBM first alerted customers to update January 26th and sent a reminder March 3rd to make sure this wasn't overlooked. See the Rapid7 posting for information on IOCs you'll want to check for.

When you read about the 3CX event above, did you shake your head and say "How could they believe that the alert they saw was a false positive?” Now think again: How did you decide that the alerts from Defender were false positives?

Recent updates to the Defender SafeLinks feature resulted in these false positives; these updates have been rolled back. Check issue DZ534539 in your Microsoft 365 admin center for more details.

While an annoyance for users of the Defender service, chalk it up to Microsoft’s increased effort to better defend its customers. Malicious links and attachments are the primary means used by evil doers to establish an attack foothold. If you can limit users from ‘clicking’ those links it’s a good day for the defender. Microsoft will diagnose the problem, QA test the fix, and push the update. What’s the old adage… ‘no pain, no gain.’

Obviously, a good thing to hear but it has to be done well. Since the majority of vulnerabilities that enable attacks come from IT admin and development failures, and since more kids will work in IT than in IT security, in order to be effective, the curriculum will need to be focused as much on avoiding vulnerabilities as in detecting them later on.

While I am thrilled to see a requirement to include a cybersecurity or computer science class in the curriculum, there needs to be guidance to ensure that such courses are relevant as well as funding to obtain and/or train instructors in the needed expertise. While many resources needed can now be obtained for reasonable cost on-line, asking an instructor to simply start teaching these subjects without adequate experience and training will be counterproductive.

Governor Burgum is a technologist and understands the value in educating the future workforce on cybersecurity. I, for one, would like to see other states adopt this legislation as understanding of computer science and cybersecurity principles is key to future job opportunities. Well done!

We can and should teach science and computer hygiene at the high school level, both necessary for "digital natives." The objective should be familiarity with the concepts rather than job level skills. Even such modest goals may take a generation.

A pause of AI development is not likely going to happen, and I do not think such a pause will be productive. In my opinion, the OpenAI team did us all a great service by letting ChatGPT escape from the ivory tower. This exposure started a much more informed and broad discussion of the impact of these tools. I just wish OpenAI would spend less effort on its silly (and easily bypassed) attempts to restrict the uses of ChatGPT. Exposing and developing these tools will give us all a chance to figure out what their capabilities and limitations are, and how to use them responsibly.

My friend Joshua pointed out to me that a six-month pause would get us past the next election. My concern is that our adversaries are also working on AI and will not be slowing down, so we need to keep moving to remain competitive as well as resolve issues which are undermining the reputation of these services. Regardless, make sure that you're cross checking AI provided information, and use caution feeding it proprietary information, which could show up elsewhere.

While perhaps a nice gesture by tech luminaries, does anyone really think there will be a pause? Yeah, didn’t think so. Technology advancements in general offer profound change in the history of humankind, yet most were not planned for or managed with care. Nations view AI as critical to their national security and are engaged in an ‘arms race’ to fully develop the technology. That said, I hope we don’t get to a point where we see the realization of ‘Skynet'.

The introduction of the tractor caused an increase in agricultural productivity so disruptive that it took two world wars, the Great Depression, a reduction in the work week by forty percent, and fifty years to compensate for the increase. At the end we were all wealthier, but it was more painful getting there than it needed to be. There are things that we can do to ease the disruption, things that we can do to ease the coming increase in productivity. Tax automation, not labor. Tax robots, not people. Tax AI, not jobs. Preemptively shorten the work week. Institute a universal basic income. Encourage creativity.

Before you dismiss these campaigns, realize these are not nation states leveraging 0-days, these are smaller vendors which are stockpiling these, largely off our radar. Google is tracking 30 such vendors that sell their exploits or other capabilities, typically to government-backed actors. Keep an eye on this research.

Commercial spyware has become a multi-billion dollar business, largely financed by governments. Notwithstanding recent action by the administration to limit its sale here in the US, it will continue as a business given the demand for zero-day exploits. For as long as humans have inhabited the planet, they have spied on each other. This is just the latest tool to be used.