Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, April 7th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes David Shipley of Beauceron Security will join me to discuss four news stories. But first a review of some of the headlines from the past seven days:
One of the biggest news items was the discovery that the desktop version of the 3CX softphone had been infected by an unknown threat actor. They did it by using a compromised digital certificate to fool Windows. This supply chain attack could have been worse. It’s one of the incidents David and I will discuss.
We’ll also look at the effort by police in 17 countries including Canada and the U.S. to shut the Genesis Marketplace, one of the biggest online sites selling stolen usernames, passwords and other credentials.
We’ll examine the use of third-party tracking codes on the websites of many American hospitals and why they are a privacy risk.
And we’ll discuss the newest ransomware strain called Rorschach.
Also in the news, Canada’s federal privacy commissioner began investigating a complaint that developers collected, used, and disclosed personal information of Canadians without consent.
A New Jersey law firm called Genova Burns that represents Uber began sending out data theft notices to American Uber drivers after it was hacked in January. The attacker copied names, Social Security numbers and possibly tax identification numbers.
A whistleblower at Canada’s Manulife bank says the financial institution isn’t tightly limiting employee access to customers’ information. The person told CBC News that a particular customer database called Databarn with sensitive information could be accessed unnecessarily by over 100 employees. A report to management two years ago outlined problems, the source said, but wasn’t acted on. Manulife told the CBC that access restrictions were added after concerns were first raised.
Police in Spain arrested a 19-year-old suspected of being behind a number of large cyber attacks, including ones on a government tax agency and a judge’s council. He also allegedly ran a platform for selling stolen data.
Finally, users of internet-connected devices like smart garage door openers, alarms and plugs from a company called Nexx are being warned of critical vulnerabilities in the platform. The problem is it isn’t hard to crack the password protocol to devices. A researcher says anyone could open garage doors and turn off entry alarms because of the bugs. The researcher says Nexx has ignored attempts by himself and the U.S. Department of Homeland Security to explain the finding. Users should consider disabling the devices.
(The following is an edited transcript of one of the topics discussed. For the full conversation play the podcast)
Howard: Let’s start with the attack on 3CX, which makes a desktop and web voice-over-IP softphone for businesses. Around March 22nd, 3CX customers reported something unusual with an update. Then security firms noted that an update was being blocked for some reason. The reason was a compromised version of an update for the 3CX desktop app. The compromise included a code signing certificate used to fool Windows and allow its installation. By Wednesday, March 29th several cybersecurity firms were publicly warning about the compromise. This is a supply chain attack: Compromise an application to get at most — or all — of the users. Fortunately in this case it was caught early enough that few organizations were hit.
David Shipley: This was extraordinarily concerning. This is of the scale of the SolarWinds and the Kaseya supply chain hacks. We’re talking about a firm with 600,000 business customers, some major Fortune 500 companies and 12,000,000 users. So this could have been monumental had it played out in the worst possible way. I think that we got extremely lucky on this one. It seems that based on some attributions this seems to be a North Korean Lazarus group operation that seems to have been specifically targeting cryptocurrency firms, which makes a lot of sense given their current needs. But had this been another entity with another motivation we could have had the largest mass ransomware event in history.
Howard: The CEO [of 3CX] admitted his company didn’t take internal antivirus warnings seriously enough: They popped up — and it’s not uncommon for alerts to pop up — and the company said, ‘That couldn’t really be something serious.’
David: I want to be sympathetic because there’s so much insecurity. It’s like the boy who cried ‘Wolf’ [repeatedly]. You know, Microsoft’s working through an issue right now where it’s been super paranoid about a bunch of links that are completely innocuous and causing sysadmins to run around thinking users have clicked on a high-severity phishing link. False positives happen in this industry. I think if you are a major supply chain provider of software, when alerts start popping up you should have a process to work with the vendors to look at your software, and I mean do a full software colonoscopy, where you look at all the code, all the things it’s doing, all the things that the security researchers ended up doing. So you can definitively, with great comfort, say, ‘No, this is not the big bad situation,’ or, ‘Geez. It is.’
Howard: One lucky thing: The malware had a delay of several days before executing. Perhaps that was the creator’s way of thinking that they could hide the malware. But it also allowed word that something was suspicious to spread, so on the 29th when the malware began beaconing out to an unapproved server security researchers were somewhat prepared and they worked to dismantle the servers that were being contacted by the malware.
David: I think everything that could go right for the good guys at the stage that this was getting ready to ramp up went right. I think the reality is this looks like a fairly sophisticated operation that got inside a major supply chain provider. Some researchers are saying the company may have been compromised as far back as November, so the attackers had a lot of time to play this out. It seems things just went off the rails [for the attacker] in the last bit of the operation. Again, I’m still left with the discomforting feeling that we got really really lucky on this.
Howard: This incident raises the issue of software configuration management. This is essential for application developers to ensure that their code isn’t compromised before it’s sent out to users. What should developers be doing to prevent code compromise?
David: We’re really going to have to see what 3CX will share from its detailed investigation of the breach. It’s going to matter a lot where and how deeply the company was compromised, because if their entire infrastructure was owned, if the hacking group behind this had everything from getting code-signing certificates to being inside with access to the entire [application development] pipeline right down to desktop-level access on the developers’ machines, it’s going to be a tough ticket to figure out. If it was at the later stages of the deployment of the [development] pipeline where they [the attackers] were injecting things, are there opportunities to make sure that you’ve got good identity and access management and good change management processes before stuff gets packaged and sent to customers? If it was happening at the code level with the developers, what are the tools used to do automated code scanning? Hopefully, you do internal red teaming against your own code to actually see if it does something weird, and any kind of sandboxing prior to deployment. Those will be all interesting questions to see how mature their processes were. It all comes down to how badly was 3CX owned? That’s going to be the multimillion-dollar question. Whether they’re going to be transparent with us about that is up in the air.
Howard: One good thing is that when a number of security companies noticed that there was unusual activity, rather than keep it a secret and notify only their customers they put up public alerts.
David: They did a great job. And what I loved about the work was it explained why they were arriving at their conclusions. I saw some fantastic write-ups that are almost like a tutorial for someone who needs to learn how to do malware analysis: how they started to unpack things step-by-step, used tools to actually try and understand what the stages of the malware were, what it was doing, some of the clever techniques that were used in terms of the obfuscation, encryption and C2 modules. I thought the industry really represented itself well and provided a host of insights that hopefully can make us all more secure. But let’s not kid ourselves. This is the kind of big story that’s going to get executive attention around the world and is going to sell more security stuff, so it works for them too.