Critical infrastructure organizations targeted in cascading 3CX attack
ReversingLabs
ReversingLabs is the trusted name in file and software security. RL - Trust Delivered.
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the newest headlines from around the world, curated by the team at ReversingLabs. This week: Critical infrastructure organizations were also targeted in the cascading software supply chain attack on Trading Technologies, followed by 3CX. Also: 90 percent of technology professionals detected significant risks in their software supply chain this past year.
This Week’s Top Story
In the weeks following the discovery of a software supply chain attack on VoIP provider 3CX back in late March 2023, the security community has been hard at work putting the puzzle pieces together to determine how this incident occurred. Shortly after the compromise was discovered, ReversingLabs Reverse Engineer Karlo Zanki detailed our researchers' analysis of the compromise, which raised a number of concerns. And in just the past two weeks, much has been discovered that points to this attack being more worrisome than previously thought.
Here's the recap: In mid-April, 3CX released a statement confirming that the attackers behind the incident are North Korean, with help from Google-owned security firm Mandiant. Then, last week, Mandiant made another discovery that was a first for software supply chain security: The attack on 3CX was itself caused by a prior software supply chain attack on Trading Technologies, a trading software company. The link between the two was a 3CX employee who had downloaded a malicious installer for Trading Technologies' X_TRADER software onto their personal computer.
Now, the Threat Hunter team at security firm Symantec asserts that the X_TRADER supply chain attack not only impacted 3CX, but also multiple critical infrastructure organizations in the U.S. and Europe. The attackers, believed to be the same for both the Trading Technologies and 3CX attacks, used the trojanized installer to deploy the VEILEDSIGNAL multistage backdoor not just to 3CX's systems, but also to the critical infrastructure organizations targeted. Targets include two energy sector companies, one in the U.S. and the other in Europe, both of them “power suppliers generating and supplying energy to the grid,” says Symantec’s Director of Security Response Eric Chien. The two other known targets are financial trading organizations, and researchers find it likely that there are more, as yet unknown, organizations that were also targeted in this cascading supply chain attack.
Mandiant has attributed these connected supply chain attacks to a North Korean threat actor it tracks as UNC4736, which it believes has ties to Lazarus, a well-known North Korean threat group. Google’s Threat Analysis Group (TAG) also believes that Lazarus carried out the Trading Technologies supply chain attack. Symantec likewise agrees that the attackers are North Korean, and asserts that they are highly capable: "The attackers behind these breaches clearly have a successful template for software supply chain attacks and further, similar attacks cannot be ruled out."
The attribution of these attacks to North Korean threat actors is worrisome, given that these actors also carry out cyber espionage campaigns. Previously, the supply chain attack on Trading Technologies was thought to be purely financially motivated. The recent finding that the same attack also targeted critical infrastructure organizations shows that it was motivated by more than financial gain. This cascading attack could have been part of a plan to undermine the stability and national security of the U.S. and Europe by compromising their critical infrastructure entities.
News Roundup
Here are the stories we’re paying attention to…
Global research commissioned by ReversingLabs and conducted by Dimensional Research revealed evidence that organizations recognize, and have been impacted by, software supply chain security threats. The survey found that nearly 90 percent of technology professionals detected significant risks in their software supply chain in the last year. More than 70 percent said that current application security solutions aren’t providing the necessary protections. Check out this blog post for a breakdown of the survey’s highlights. (Financial Post)
The Open Source Security Foundation (OpenSSF) has announced the release of Supply-chain Levels for Software Artifacts (SLSA) v.1.0 with structure changes designed to make the software supply chain security framework more accessible and specific to individual areas of the software delivery lifecycle. SLSA is a community-driven supply chain security standards project that outlines increasing security rigor within the software development process. (CSO)
Amid the frenzy of academic interest in the possibilities and limitations of large language models, four researchers affiliated with Université du Québec, in Canada, have delved into the security of code generated by ChatGPT, the non-intelligent, text-regurgitating bot from OpenAI. What they found was “worrisome.” As stated in the authors' preprint paper: "We found that, in several cases, the code generated by ChatGPT fell well below minimal security standards applicable in most contexts. In fact, when prodded to whether or not the produced code was secure, ChatGPT was able to recognize that it was not." (The Register)
Goldoson, a malware discovered and named by researchers at McAfee Labs, can steal data and commit click fraud, and has hitched a ride into 60 mobile apps via a malicious third-party library. The affected apps have logged more than 100 million downloads from the official Google Play store and are also available in other app stores in South Korea, researchers have found. On Android devices, the malware can perform a variety of malicious activities. (DarkReading)
A new report from software supply chain management startup Lineaje finds an inherent risk of software supply chain compromise when using the most popular open-source products and dependencies. “What’s in Your Open-Source Software?” is based on Lineaje Data Labs researchers analyzing 41,989 open-source components embedded in the 44 most popular projects of the Apache Software Foundation across their last three versions. The analysis found that 68% of dependencies are on non-Apache Software Foundation open-source projects, which puts the foundation’s integrity at risk. A staggering 82% of components were rated as carrying an “extremely high inherent risk” because of vulnerabilities, security issues, code quality, or maintainability concerns. (SiliconAngle)
Developers who use GitHub Actions to build software packages for the npm registry can now add a command flag that publishes details about the code's origin alongside the package. This feature is intended to further strengthen the security of the open source software supply chain, which has become a common target for cyberattacks. GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that automates command-line tasks and software builds. It's often used by software developers to automate the build process for packages distributed through GitHub's npm registry, which hosts more than two million of these modular libraries. (The Register)
A security researcher has released yet another sandbox escape proof of concept (PoC) exploit that makes it possible to execute unsafe code on a host running the VM2 sandbox. VM2 is a specialized JavaScript sandbox used by a broad range of software tools for running and testing untrusted code in an isolated environment, preventing that code from accessing the host's system resources or external data. The library is commonly found in integrated development environments (IDEs), code editors, security tools, and various pen-testing frameworks. It counts several million downloads per month on the npm package registry. (BleepingComputer)
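To make the npm provenance item above concrete, here is a minimal GitHub Actions workflow that publishes a package with a provenance attestation. This is an added example, not code from the original article or from GitHub's or npm's own documentation. The flag in question is `npm publish --provenance`, and it requires the job to have the `id-token: write` permission so that the runner can obtain an OIDC token tying the published tarball to the source repository, commit and workflow that built it. The workflow file name, the trigger, the Node version, `--access public` and the `NPM_TOKEN` secret name are assumptions for illustration.

```yaml
# .github/workflows/publish.yml (hypothetical file name, added example)
# Publishes to the public npm registry with a provenance attestation.
name: Publish to npm with provenance

on:
  release:
    types: [published]   # assumption: publish when a GitHub release is created

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write      # required: lets npm request the OIDC token used to sign provenance
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'                       # assumption; ships an npm new enough for --provenance (npm >= 9.5)
          registry-url: 'https://registry.npmjs.org'  # makes setup-node wire NODE_AUTH_TOKEN into .npmrc

      - run: npm ci        # install from the lockfile only; fails if package-lock.json is out of sync

      - run: npm test      # assumption: the package has a test script

      # --provenance attaches a Sigstore-backed attestation recording the repo, commit and workflow
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # assumption: an npm automation token stored as a repo secret
```

On the consuming side, `npm audit signatures` (npm 9.5 and later) checks the registry signatures of installed packages and, where present, their provenance attestations, so a downstream build can fail if a dependency's attestation is missing or does not match the published tarball. Provenance records where a package was built, not whether the source was clean, so it complements rather than replaces scanning the artifact itself.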
Resource Roundup
In the latest episode, Matt Rose, Field CISO, ReversingLabs, gives a quick overview of what the ReversingLabs team will be up to and tips to prepare for the 2023 RSA Conference. Visit us this week at RSAC Booth 5428!
On Demand: Deconstructing 3CX - Red Flags, Misses and How to Address the Software Supply Chain Threat
ReversingLabs Co-Founder/Chief Software Architect Tomislav Pericin and Field CISO Matt Rose delve into the details of the explosive software supply chain attack experienced by 3CX, a provider of enterprise voice over IP (VoIP) solutions. Beginning on March 22, 2023, it was discovered that 3CX had released and distributed malware-compromised versions of its 3CXDesktopApp desktop VoIP client directly to customers.
What’s in a name? Here's how bad actors are pushing malware on the Python Package Index under the guise of legitimate yet abandoned open source modules, written by ReversingLabs Software Threat Researcher Lucija Valentić.
The conversation surrounding software supply chain attacks is a major theme at RSA Conference 2023. Here are the must-see sessions that your security teams will benefit from in understanding software supply chain security to the fullest.