Welcome to the second edition of #ForgepointTIPS (Threat Intelligence Portfolio Spotlight), where we examine the latest cybersecurity trends and threats and provide actionable insights for industry decision-makers. Today we explore #3CX: what we know (and don’t), what history can teach us about assumptions, and how CXOs should respond to supply chain attacks. Helpful reading? Subscribe and tell a friend…
Issue: 3CX hack is a significant software supply chain breach
The 3CX hack is the latest example of how our understanding of supply chain attacks evolves as we learn which victims were affected and through which vectors. Let’s look at the 3CX hack through the lens of past experiences.
On March 30th, VoIP provider 3CX, which serves over 600,000 companies globally and has over 12 million daily users, was hacked via a significant breach of the software supply chain. Attackers delivered malware through legitimate software updates that 3CX pushed to its customers.
Current information suggests the attacker may be the North Korean group Labyrinth Chollima (associated with “Lazarus Group”). The group has previously carried out broad initial access and opportunistic activities (DDoS, cryptomining and similar), followed by actions against select targets to achieve objectives of espionage or business damage/interruption (via wipers, ransomware, or media exposure of sensitive information).
Impact: The blurry lines of known and unknown in supply chain (software and services) attacks
According to public information, more than 70% of 3CX customers are IT services and audit/compliance providers – pointing to potential targeting of specific industries. The actual targets – be it service providers or their clients – remain unknown, as does the intended impact. Previous supply and service chain attacks have shown that what we initially believe about an attack is often different from what we learn over time.
The SolarWinds attack perpetrated by APT29 exploited SolarWinds software used by Managed IT Services Providers (initial victims) to gain select access to target victims. The attackers’ vector involved inserting malicious code into the Orion IT Monitoring and Management Software. Although it was estimated that as many as 18,000 customers may have downloaded the malicious software update, only 100 companies and a dozen US Federal Agencies were target victims subsequently exploited for objective activities. APT29 is believed to be a Russian state-sponsored group.
SolarWinds taught us that a vector can create numerous initial victims in a supply chain attack, but the target victims and ultimate objectives of the attack aren’t known initially.
The Cloud Hopper attack perpetrated by APT10 exploited cloud-hosted web, email, and Active Directory access managed by Managed Internet Services Providers (initial victims) in order to gain access to target victims.
The attackers’ vector involved compromising accounts and escalating privileges in cloud-hosted services to gain access to target victims – diplomatic, political, and commercial organizations (in defense and aerospace industries) – who then had sensitive information stolen. APT10 is believed to be a Chinese state-sponsored group.
We learned that attack vectors may exploit the service supply chain to access a subset of target victims – who may be chosen based on the economic and political interests of a nation-state, eager to steal valuable information for the purposes of espionage.
Action: act on what you know, monitor what you don’t.
1. Stay up to date with information as it evolves.
Read the latest intel while being mindful that information about intent, impact, and target victims will change over time.
Follow CISA’s high-level guidance on the 3CX hack here. You can also learn more in ReversingLabs’ snapshot of the known and unknown facts. Zoom out with Huntress’ blog post on the broader meaning of the 3CX hack before diving into the details in their more technical post here.
2. Focus on who is impacted and why they are targeted, and relate it to your business.
Focusing only on tools and telemetry (the technical details of how specific utilities are exploited) misses the risk comprehension you need to communicate with company leadership and take effective action for your organization.
Investigate why your organization might be targeted based on intelligence regarding known victims and the impacts they are facing. Assess probability and impact according to the functions of your business involving the affected technology and take defensive measures accordingly.
3. Implement defenses according to the functional needs of your organization.
Use multi-factor authentication (MFA), managed detection and response (MDR) and data loss prevention (DLP) together to challenge access and interrupt malicious activities. More broadly, assess your understanding of the types of incidents your organization faces and its overall reliance on technical infrastructure, tools and service providers. Adapt your incident response plans and policies accordingly.
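As an added illustration of one concrete control behind this advice (example code written for this edition, not 3CX’s or any vendor’s software), the block below shows why the update vector described above is hard to catch with a signature check alone. When a vendor’s build pipeline is compromised, the malicious update is signed with the vendor’s real key, so the client’s signature check passes; only a comparison against a hash manifest published on a separate, out-of-band channel flags the build. All artifacts, the manifest and the signing key here are constructed, and the HMAC “signature” is a stand-in for real code signing.

```python
import hashlib
import hmac
from dataclasses import dataclass

# --- Constructed sample data (not real 3CX artifacts) ---------------------
# Stand-in for the installer a vendor's build pipeline produced.
GOOD_BUILD = b"MZ\x90\x00 constructed softphone installer v1.2.3 "
# The same installer with a payload inserted upstream of signing, which is
# what a build-pipeline compromise produces.
TAMPERED_BUILD = GOOD_BUILD + b"<constructed injected payload>"
# Stand-in for the vendor's private code-signing key (assumption: a real
# pipeline uses an asymmetric key; an HMAC key only approximates it here).
VENDOR_KEY = b"constructed-vendor-signing-key"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact."""
    return hashlib.sha256(data).hexdigest()


# Out-of-band manifest: the digest of the build that was reviewed and
# published on a channel separate from the update server (constructed).
MANIFEST = {"softphone-1.2.3.msi": sha256_hex(GOOD_BUILD)}


def vendor_sign(data: bytes, key: bytes) -> str:
    """Stand-in for code signing: whatever the pipeline emits gets signed."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def vendor_signature_valid(data: bytes, signature: str, key: bytes) -> bool:
    """What a client's signature check answers: was this signed with the vendor key?"""
    return hmac.compare_digest(vendor_sign(data, key), signature)


@dataclass
class VerifyResult:
    artifact: str
    signature_ok: bool
    manifest_ok: bool
    reason: str


def verify_update(artifact: str, data: bytes, signature: str,
                  key: bytes, manifest: dict) -> VerifyResult:
    """Check a downloaded update two ways: vendor signature and out-of-band hash.

    The signature check only detects tampering that happened after signing.
    The manifest check also catches a build that was malicious before it was
    signed, which is the case a compromised vendor pipeline produces.
    """
    sig_ok = vendor_signature_valid(data, signature, key)
    expected = manifest.get(artifact)
    if expected is None:
        return VerifyResult(artifact, sig_ok, False,
                            "artifact not in out-of-band manifest")
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        return VerifyResult(artifact, sig_ok, False,
                            f"hash mismatch: manifest {expected[:12]}..., got {actual[:12]}...")
    return VerifyResult(artifact, sig_ok, True, "hash matches manifest")


def should_install(result: VerifyResult) -> bool:
    """Install only when both checks pass; the reason is what you log otherwise."""
    return result.signature_ok and result.manifest_ok


if __name__ == "__main__":
    good_sig = vendor_sign(GOOD_BUILD, VENDOR_KEY)
    # A compromised pipeline signs the tampered build with the real key.
    bad_sig = vendor_sign(TAMPERED_BUILD, VENDOR_KEY)
    for data, sig in ((GOOD_BUILD, good_sig), (TAMPERED_BUILD, bad_sig)):
        r = verify_update("softphone-1.2.3.msi", data, sig, VENDOR_KEY, MANIFEST)
        print(f"signature_ok={r.signature_ok} manifest_ok={r.manifest_ok} -> "
              f"install={should_install(r)} ({r.reason})")
```

The tampered build passes the signature check and fails the manifest check, which is the gap an MDR or EDR capability then has to cover through behavioural monitoring of the installed software. The manifest only helps if it is obtained over a channel the update server does not control, and a mismatch should block installation and raise an alert rather than merely log.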
***This blog was originally featured on our Forgepoint TIPS LinkedIn newsletter. Read the original post on LinkedIn here.***