SANS NewsBites

Cascading Supply Chain Attack Could Have Been Easily Prevented; Late Patching Can Be Life Threatening; Another Reminder: Sanitize All Equipment Before Reselling

April 21, 2023  |  Volume XXV - Issue #32

Top of the News


2023-04-20

3CX Supply Chain Attack Enabled by Trading Technologies Supply Chain Attack

Researchers from Mandiant investigating the recently disclosed 3CX supply chain attack say that attack was made possible by an earlier attack against a different supply chain. The earlier attack targeted Trading Technologies’ X-TRADER installer, adding a backdoor. In their blog, Mandiant writes, “The identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise.”

Editor's Note

The 3CX incident shows how important solid incident response is, not just for the company affected, but for the community at large. The exploited trading application may have been used by other users as well who up until now had no idea that it put their networks at risk. Thanks to Mandiant and 3CX for sharing these results.

Johannes Ullrich

The first two steps in the origin of the compromise appear to be (1) a personal-owned computer was used by an employee for remote access to 3CX and apparently that remote access allowed the use of reusable passwords; (2) the employee loaded trojaned stock trading software on that personal computer, and that harvested his reusable password for 3CX remote access – game over. Cascading supply chain attacks are an issue, certainly – but the reality is the cascade would never have started if policies requiring strong authentication for all remote access (especially BYOD access) were enforced.

John Pescatore

The VEILEDSIGNAL malware, which was injected into the X-TRADER installer in late 2021, was subsequently downloaded by a 3CX employee in 2023, allowing their computer to be compromised and the attacker to deploy more malware, as well as to move laterally within the 3CX environment, ultimately infecting their desktop app. The net is that multiple pieces of malware were involved, not all of which were unknown, compromising both macOS and Windows environments, so they should have been detected. Mitigate the risks both by making sure your EDR platform is kept updated and alerts are actively responded to, and by teaching employees to use caution with third-party components, particularly older or unsupported items.

Lee Neely

This is the first cascading software supply chain attack that has been openly reported. That said, it appears that this supply chain attack did not have a specific target in mind. Unfortunately for 3CX the attack was successful for two reasons: 1) poor implementation of cybersecurity best practices [download of non-work application, lack of network segmentation, access controls]; and 2) lack of security controls within the software development lifecycle [ability to manipulate the 3CX product].

Curtis Dukes

2023-04-18

Missing Software Patch May Have Contributed to Australian Helicopter Training Accident

According to an Australian Broadcasting Corporation (ABC) report, a military helicopter training accident in March was due, at least in part, to failure to apply an available software patch to the aircraft. The patch prevents the helicopters from performing a “hot start.” The Australian Army MRH-90 Taipan helicopter ditched into the water during a routine training exercise. All 10 personnel aboard were accounted for; two suffered minor injuries.

Editor's Note

Does not yet seem proven that failure to apply the two year old patch was responsible for the accident, but good to use this item as part of efforts to reduce patching time on critical systems. Cybersecurity is not the only reason to fix broken software faster.

John Pescatore

Safety system updates need to be installed; odds are the components associated with those systems are in high demand, and downtime is precious, often tied to financial impact. If you're having trouble getting traction on installing safety system updates, take this example to the next meeting.

Lee Neely

Most modern militaries have well-oiled procedures for equipment maintenance, to include software updates. I suspect we will learn that there were other factors that led to the downing of this aircraft. It does, however, highlight that proper software maintenance is crucial no matter the application, as lives may depend on it.

Curtis Dukes

2023-04-18

Sanitize Those Routers Before Reselling Them

At next week’s RSA Conference, researchers from ESET will present findings about data left on secondhand enterprise routers. ESET purchased several used routers for their test environment. They found that in many cases the routers had not been wiped and that data remaining on the devices could be used to identify prior owners and their network configurations. The data could be used by malicious actors to launch a cyberattack.

Editor's Note

I wrote about this issue a few years ago when I purchased two used Gigamon devices from eBay. Both arrived with existing configurations describing the networks they were connected to. In one case, it was pretty easy to determine the prior owner (who was notified). One particularly concerning aspect was that the devices still used the default credentials. Usually, resetting the credentials will reset the configuration as well.

Johannes Ullrich

Routers, copiers, and printers all have NVRAM which you need to wipe. Some also include storage media which also needs to be addressed. Make sure that you have a documented decommissioning process, with validation, to ensure you're not leaving tidbits behind. NIST SP 800-88 R1 is a good reference for media sanitizing.

Lee Neely

Preparing equipment for resale/excess depends on human interaction. Unfortunately, simple equipment sanitization steps are often overlooked, resulting in the loss of sensitive data. We see examples of this reported on a yearly basis.

Curtis Dukes

This vulnerability will be expensive to exploit. While low risk in itself, it points out the importance of cleansing any devices one sells. It is very unlikely that the reseller will do it. Not their risk.

William Hugh Murray

The Rest of the Week's News


2023-04-19

GitHub Adds npm Package Provenance to GitHub Actions

GitHub has added a feature to GitHub Actions that allows developers building npm registry packages to add a command-line flag that includes information about the code’s provenance in the published package. GitHub has noted an increasing number of attacks against npm packages; the new feature is intended to help improve supply chain integrity.

Editor's Note

The meaningful quote from the GitHub writeup: “You probably wouldn’t pick up a random flash drive you found on the street and plug it into your laptop, but we regularly do exactly this with open source packages.” They also point out that their use of the Supply-chain Levels for Software Artifacts (SLSA) specification for the provenance statements is only part of the battle. As we’ve learned with digital certificates, attestation without verification is useless. GitHub points to SigStore’s Rekor service and developer CLI tools as ways to bake verification into dev ops use of GitHub packages.

John Pescatore

With this provenance feature, you can not only see exactly which repository and commit a package comes from but also verify the signing key, making it far more difficult for a doctored package to impersonate the genuine article. GitHub is requiring known CI/CD tools be used with Sigstore’s certificate authority to create a one-time use key pair to sign the provenance statement. As this rolls out, processes will need to be updated to require validation prior to acceptance of a downloaded package.

Lee Neely

Most open source software comes with risk, perhaps high risk. Information about provenance can reduce that risk. Google Assured OSS is a source for open source software that comes with a representation from Google that they have vetted the software, will continue to check it, and will notify users of any vulnerabilities that are detected late. While this service is limited to Python and Java, it is both free and valuable. This is an example of the representation from a responsible source that any user of OSS would want to have.

William Hugh Murray

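As an added illustration of the publishing side described above (example configuration, not GitHub's or npm's own code), this GitHub Actions workflow publishes an npm package with a signed provenance statement. The workflow name, Node version and the `NPM_TOKEN` secret name are assumptions; the `id-token: write` permission and the `--provenance` flag are the pieces the feature actually depends on.

```yaml
# Added example (not GitHub's or npm's own code): publish an npm package from
# GitHub Actions with a signed SLSA provenance statement. Names are assumed.
name: publish-with-provenance

on:
  release:
    types: [published]

permissions:
  contents: read
  id-token: write   # lets the job request a GitHub OIDC token; Sigstore's CA
                    # exchanges it for the short-lived, one-time signing certificate

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 18                     # assumed
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm test
      # --provenance makes npm build a provenance statement tying the tarball to
      # this repository, commit and workflow run, sign it with the one-time key,
      # and record the signature in Sigstore's Rekor transparency log.
      - run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

On the consuming side, `npm audit signatures` (npm 9.5 or later) checks installed packages' registry signatures and provenance attestations against the Sigstore records, which is the verification step without which, as the note above puts it, attestation is useless.
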
2023-04-18

Microsoft Defender Threat Library

Microsoft has added file hash and URL search capabilities to its Defender Threat Intelligence (Defender TI) database. Microsoft writes that “including Hash and URL Intelligence within Defender TI to leverage static and dynamic analysis ... enables SOC analysts, threat hunters, and other information security professionals to obtain detailed intelligence on specific hashes or URLs identified within their network.”

Editor's Note

Not every shop has the capability, or budget, to do both static and dynamic code analysis, so being able to leverage work from Microsoft to identify and categorize potential threats helps them raise their game. Interesting service to consider to provide your analysts another resource to help them be more effective.

Lee Neely

The addition of hash and URL search capabilities streamlines multiple steps that cyber threat analysts take while investigating network intrusions. It also benefits MSFT, making Defender a competitor to other threat intelligence platforms. I suspect future releases will integrate closely with MSFT Copilot.

Curtis Dukes

2023-04-20

Medtronic Notifies InPen App Users of Personal Data Disclosure

Medtronic has notified users of its InPen Diabetes Management App that their personal data were disclosed to Google through tracking and authentication code used in the app. The affected data include both personal and health information.

Editor's Note

Tracking apps collect data that can be used for unintended consequences. In this case the use of Google Analytics, even with their privacy protections, resulted in added data disclosures. If you don't understand what data is shared with your app tracking, or if you are no longer viewing it, remove the tracking until you're certain exactly what is captured, when and how, and what is done with that data, including if it's made available or leverageable by third parties.

Lee Neely

We’ve seen a raft of these notifications over the last month. You can expect this matter to find its way into the court system. One question the court will decide on is whether [insert organization here] had a data management process in place to review data collected by the healthcare platform and its third-party providers. As this and other cases get adjudicated, it becomes an excellent case study for both Boards and executive leadership training.

Curtis Dukes

2023-04-20

VMware Fixes Vulnerabilities in Log Analysis Tool

VMware has released an update for its VMware Aria Operations for Logs, previously known as vRealize Log Insights, to address a pair of vulnerabilities. The flaws, a deserialization vulnerability and a command injection vulnerability, could be exploited to execute arbitrary code as root.

Editor's Note

Two flaws here: CVE-2023-20864 (CVSS score of 9.8), a deserialization flaw, and CVE-2023-20865 (CVSS score of 7.2), a command injection flaw, affect versions 4 through 8.10.2. You can cross check the VMware alert, updating if you're affected; better still, just update to 8.12. Note that the deserialization flaw can be exploited by an unauthenticated user with network access.

Lee Neely

2023-04-20

Point32Health Discloses Ransomware Attack

Massachusetts health insurer Point32Health has taken its systems offline to contain the effects of a ransomware attack. Point32Health detected the incident on April 17. They have notified law enforcement and regulators and are working with third party experts to investigate the attack and address associated problems.

Editor's Note

Point32Health has put out a system update, but doesn't specify which services are impacted, directing members to call the number on their ID card. Adds a scenario to consider during your tabletop: could your call center handle the volume of inquiries if you were in their situation? Ask: would you be better off having more information on the notification, or would human nature be to call regardless, and are you prepared?

Lee Neely

Many ransomware attacks are targeted at smaller healthcare providers who don’t have the resources to protect themselves. In this case Point32Health is ranked as one of the top 20 health plans in the US with 9.8B in revenue for the year 2022. One would think that they have adequate cybersecurity resources to practice basic cyber hygiene.

Curtis Dukes

2023-04-20

Smart City Cybersecurity Best Practices Guidance

Cybersecurity authorities from the Five Eyes nations (the US, the UK, Canada, Australia, and New Zealand) have jointly released guidance for smart cities. The document, Cybersecurity Best Practices for Smart Cities, notes that the adoption of “smart” technologies increases attack surface, and urges cities to focus on secure planning and design, proactive supply chain risk management, and operational resilience.

Editor's Note

Having the risks related to creating smart cities all in this document can help make the case for having a secure design. The components of that design are familiar: secure authentication, manage changes, actively manage components, leverage zero trust. What is helpful is that the components come with links to references that should be leveraged to answer the how question. If you're involved, make sure that your city planning commission reads the guide, twice.

Lee Neely

The smart city concept is about integrating city services that are underpinned by operational technology into a connected environment. The US military has had a similar approach with their netcentric warfare. What’s interesting is that the cybersecurity best practices for both environments remain the same. This guidance, specific to CISA, is just amplifying what’s available today.

Curtis Dukes

Internet Storm Center Tech Corner

Taking a Bite Out of Password Expiry Helpdesk Calls

https://isc.sans.edu/diary/Taking+a+Bite+Out+of+Password+Expiry+Helpdesk+Calls/29758

UDDIs Are Back: Attackers Rediscovering Old Exploits.

https://isc.sans.edu/diary/UDDIs+are+back+Attackers+rediscovering+old+exploits/29754/

3CX Software Supply Chain Compromise

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

Google Ghost Tokens

https://astrix.security/ghosttoken-exploiting-gcp-application-infrastructure-to-create-invisible-unremovable-trojan-app-on-google-accounts/

PyPi Trusted Publishers

https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/

Yet Another Google Chrome 0-Day

https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html

Oracle Critical Patch Update April 2023

https://www.oracle.com/security-alerts/cpuapr2023.html

GitHub Provenance Action for npm Packages

https://www.theregister.com/2023/04/19/github_actions_npm_origins/

Microsoft Revises Threat Actor Naming

https://learn.microsoft.com/de-de/microsoft-365/security/intelligence/microsoft-threat-actor-naming

Russian Attacks against Routers

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108

Information Leakage on Discarded Routers

https://www.welivesecurity.com/2023/04/18/discarded-not-destroyed-old-routers-reveal-corporate-secrets/