SANS NewsBites

FDA Starts to Take Action on Medical Device Security; Activate Incident Response for 3CX VoIP Desktop Client Compromise; Patch and Monitor Use of IBM Aspera Faspex File Transfer Software

March 31, 2023  |  Volume XXV - Issue #26

Top of the News


2023-03-31

3CX Supply Chain Attack - What you need to know! (livestream/recording)

At the beginning of the week, the 3CX VoIP Desktop Client was compromised by what is believed to be a threat group associated with the North Korean government. Millions of users of the 3CX software are affected. The malware in the compromised version of the 3CX VoIP client exfiltrated data from affected users and allowed full remote control of infected systems.

More details of this event will be discussed during the "Off-by-One" live stream on Friday, March 31st at 1400 ET (1800 UTC). The stream will also be recorded. 

https://www.youtube.com/watch?v=cCf3Km_j5bY

2023-03-30

3CX Desktop VoIP Client Hit with Supply Chain Attack

A supply chain attack targeting the 3CX desktop VoIP client affects both Windows and macOS users. The attack gained notice when 3CX users began complaining that security products were flagging and, in some cases, removing the software from their computers. 

Editor's Note

Organizations using 3CX should be in full incident response mode by now. This malware allowed full remote control access to affected systems. At the very least, items like software used on the systems and browser histories are lost. But individual systems may have seen additional actions from the attackers that may not be documented in write-ups analyzing the malware. See the Top Note above for information on a special SANS live stream on this compromise.

Johannes Ullrich

The malicious code, which is bundled as an update, is both signed with the 3CX key so installers view it as legitimate and contains legitimate 3CX application components, making it hard to detect. 3CX is issuing both a new application and a new signing key, so that pushes the release of that update out effectively to next week. 3CX recommends moving to their PWA client, which is web based and has 99% of the functionality (minus hot keys and BLF), until updated versions can be tested and installed.

Lee Neely

Targeting is an art form. This attack is attributed to the DPRK. While we may not consider the country highly sophisticated economically, they have a decent set of operators. This comes from the fact that this supply chain attack targeted the same type of footprint as the SolarWinds attacker, what appears to have been an SMB software maker in 3CX that made it to Fortune 500 companies. Their security may or may not have been as stringent as others in the space; it’s hard to tell. We now know that both Windows and, it appears, OSX versions of their 3CX software used for voice communications got backdoored and signed as valid releases. My takeaways are that supply chain attacks, specifically targeting developers, source code, and CI/CD, are not going away. I would recommend looking at this link to their forum where you see the thread of administrators freely talking during the incident before real disclosure: https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-4#post-558867. Patrick Wardle also posted a great writeup on looking at the MacOS version of the backdoored kit: https://twitter.com/patrickwardle/status/1641294247877021696.

Moses Frost

There is a tendency in press headlines to focus on the type of attack vs. the type of vulnerability that enabled the attack to succeed. I’d so much rather see “Lack of Checking of Library Components by 3CX Impacts Hundreds of Companies” or “Reusable Admin Passwords Resulted in Colonial Gas Pipeline Shutdown.” Emphasizing that the keys were left in the ignition is not blaming the victim, it is identifying the failure that could have been avoided.

John Pescatore

Supply chain attacks are insidious by design: attack once, exploit many (in this case over 600K customers). Historically, supply chain attacks have been attributed to nation states as they have the resources to implement such an attack. This disclosure highlights a company failure on two fronts: 1) the state of cybersecurity best practices used by the company; and 2) a lack of robust software configuration management processes by the company. Given the loose connection to a nation-state, don’t be surprised to hear more about this attack should a cyber insurance claim be made, or it makes its way into court to be litigated.

Curtis Dukes

2023-03-30

FDA Now Requires New Product Submissions to Include Cybersecurity Plans

The US Food and Drug Administration (FDA) now requires medical device manufacturers to include cybersecurity plans in new product applications. The requirement was established to comply with Section 3305 of the Consolidated Appropriations Act, 2023, Ensuring Cybersecurity of Medical Devices, which amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices. Effective October 1, 2023, the FDA will reject submissions that do not include such plans. Between now and October 1, the “FDA [plans to] work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process.”


2023-03-30

Ransomware Actors are Exploiting IBM Aspera Faspex Vulnerability

Researchers from Rapid7 warn that threat actors are actively exploiting a known vulnerability in IBM Aspera Faspex to install ransomware on servers. IBM released a patch to address the pre-authentication YAML deserialization vulnerability in Ruby on Rails code in January 2023.
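As an added illustration for this item (not code from the newsletter, from IBM, or from the Faspex product), the Ruby pattern behind this class of bug: an unrestricted YAML loader turns a tagged document into a live object of whatever class the tag names, while safe_load rejects the tag unless the class is explicitly permitted. The `Note` class, the `parse_unsafe`/`parse_safe`/`classify` helpers and both sample documents are constructed assumptions.

```ruby
require "yaml"

# Plain data class standing in for whatever an application serializes (assumed).
class Note
  attr_accessor :author, :body
end

# Constructed sample: a YAML document carrying a Ruby object tag. An
# unrestricted loader resolves the tag and instantiates the named class.
TAGGED_DOC = <<~YAML
  --- !ruby/object:Note
  author: alice
  body: hello
YAML

# Constructed sample: plain scalars and a mapping only.
PLAIN_DOC = "author: alice\nbody: hello\n"

# Vulnerable pattern: the full Psych loader applied to untrusted input.
# Psych 4 (Ruby 3.1+) moved the unrestricted loader to unsafe_load; on older
# Psych, YAML.load itself is the unrestricted loader.
def parse_unsafe(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened pattern: safe_load allows only core scalar and collection types,
# plus an explicit allow-list, and raises Psych::DisallowedClass otherwise.
def parse_safe(doc, permitted = [])
  YAML.safe_load(doc, permitted_classes: permitted)
end

# Describes what the hardened loader did with a document.
def classify(doc)
  value = parse_safe(doc)
  value.is_a?(Hash) ? :plain_data : :other
rescue Psych::DisallowedClass
  :rejected_object_tag
end
```

Run with the tagged sample, parse_unsafe returns a Note instance while classify returns :rejected_object_tag; the allow-list form parse_safe(doc, [Note]) is the controlled way to permit that one class.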

The Rest of the Week's News


2023-03-29

Microsoft Investigating Reports that Defender is Generating False Positives

Microsoft is investigating reports that its Defender service is identifying legitimate URLs as malicious. On Twitter, Microsoft says, “We've confirmed that users are still able to access the legitimate URLs despite the false positive alerts. We're investigating why and what part of the service is incorrectly identifying legitimate URLs as malicious.”

Editor's Note

When you read about the 3CX event above, did you shake your head and say “How could they believe that the alert they saw was a false positive?” Now think again: How did you decide that the alerts from Defender were false positives?

Johannes Ullrich

Recent updates to the Defender SafeLinks feature resulted in these false positives; these updates have been rolled back. Check issue DZ534539 in your Microsoft 365 admin center for more details.

Lee Neely

While an annoyance for users of the Defender service, chalk it up to Microsoft’s increased effort to better defend its customers. Malicious links and attachments are the primary means used by evil doers to establish an attack foothold. If you can limit users from ‘clicking’ those links it’s a good day for the defender. Microsoft will diagnose the problem, QA test the fix, and push the update. What’s the old adage… ‘no pain, no gain.’

Curtis Dukes

2023-03-28

North Dakota Will Require Computer Science Course for HS Graduation

The US state of North Dakota has passed legislation requiring cybersecurity to be taught in public schools. Starting two years from this autumn, students in North Dakota public schools will be required to complete a computer science or cybersecurity class as a graduation requirement.


2023-03-29

Open Letter Calls for AI Development Pause

An open letter signed by tech luminaries urges “all AI labs to immediately pause for at least 6 months the training of AI systems more powerful than GPT-4.” The letter references the Asilomar AI Principles, which note that “Advanced AI could represent a profound change in the history of life on Earth, and should be planned for and managed with commensurate care and resources.”


2023-03-30

Vulnerabilities in ProPump and Controls Osprey Pump Controller

Nine vulnerabilities affecting ProPump and Controls Osprey Pump Controller could be exploited to gain unauthorized access and administrative control, access and modify data, and cause denial-of-service conditions. The researcher who found the vulnerabilities reported them to ProPump and Controls, the US Cybersecurity and Infrastructure Security Agency (CISA), and Carnegie Mellon University’s Vulnerability Information and Coordination Environment. The vulnerabilities affect Osprey Pump Controller version 1.01.


2023-03-30

Google’s Threat Analysis Group Details Zero-Days Used in Spyware Campaigns

Amnesty International’s Security Lab has discovered “a sophisticated hacking campaign by a mercenary spyware company targeting Google’s Android operating system.” Security Lab shared the technical details with Google’s Threat Analysis Group (TAG), which allowed Google and other affected vendors to release updates to protect affected devices. In a blog post, Google’s TAG provides details about both the zero-day vulnerability disclosed by Amnesty International and a zero-day vulnerability in iOS that was used in a different spyware campaign.


2023-03-30

CISA Adds 10 Items to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added 10 vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including several that have been used in attacks that install commercial spyware on mobile devices. Federal Civilian Executive Branch agencies have until April 20 to mitigate these vulnerabilities.

Internet Storm Center Tech Corner

Bypassing PowerShell Strong Obfuscation

https://isc.sans.edu/diary/Bypassing+PowerShell+Strong+Obfuscation/29692

Network Data Collector Placement Makes a Difference

https://isc.sans.edu/diary/Network+Data+Collector+Placement+Makes+a+Difference/29664

Extracting Multiple Streams From OLE Files

https://isc.sans.edu/diary/Extracting+Multiple+Streams+From+OLE+Files/29688

Malicious 3CX Desktop App Update

https://www.youtube.com/watch?v=cCf3Km_j5bY (livestream/recording)

https://www.3cx.com/blog/news/desktopapp-security-alert/

https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/

https://objective-see.org/blog/blog_0x73.html

https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/

Microsoft Defender False Positives

https://twitter.com/MSFT365Status/status/1641048649525260289

https://admin.microsoft.com/Adminportal/Home?ref=/servicehealth/:/alerts/DZ534539 (requires login)

Active Exploitation of IBM Aspera Faspex CVE-2022-47986

https://www.rapid7.com/blog/post/2023/03/28/etr-active-exploitation-of-ibm-aspera-faspex-cve-2022-47986/

QNAP Patch for sudo vulnerability

https://www.qnap.com/en/security-advisory/qsa-23-11

Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online

https://techcommunity.microsoft.com/t5/exchange-team-blog/throttling-and-blocking-email-from-persistently-vulnerable/ba-p/3762078

Bypassing Wi-Fi Encryption by Manipulating Transmit Queues

https://papers.mathyvanhoef.com/usenix2023-wifi.pdf