That 3CX supply chain attack keeps getting worse: Other vendors hit


In Brief We thought it was most likely the case when the news came out, but now it's been confirmed: The X_Trader supply chain attack behind the 3CX compromise last month wasn't confined to the telco developer.

Quite the contrary, in fact, according to Symantec. "To date, [we] found that among the victims are two critical infrastructure organizations in the energy sector, one in the US and the other in Europe. In addition to this, two other organizations involved in financial trading were also breached," Symantec announced without naming any names.

For those unfamiliar with the incident, 3CX reported a supply chain attack that saw its 3CX DesktopApp compromised with a trojanized version of the X_Trader futures trading app published by Trading Technologies.

3CX's VoIP products are used by a variety of high-profile clients, including Mercedes Benz, Air France, and the UK's National Health Service. 3CX's CEO copped to the compromise when customers began noticing strange behavior in their instances of the DesktopApp.

It's still not immediately clear when or exactly where the supply chain attack started, but Symantec said it appears to be financially motivated and is targeting critical infrastructure targets. With that in mind, Symantec said the behavior lines up with North Korean habits of engaging in financially motivated attacks that double as espionage missions.

With that in mind, "it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation," Symantec warned.

As we noted in previous coverage of the 3CX attack, North Korea wouldn't be a surprising source. It attacked the X_Trader installer in 2021 to install the VEILEDSIGNAL backdoor. Technical analysis of the malware by both Symantec and Mandiant found traces of VEILEDSIGNAL in the chain of attacks used to compromise installs of 3CX DesktopApp.

Symantec published a list of indicators of compromise (IOCs) with its analysis of the malware. If your environment is running any 3CX software, it might be a good idea to ensure those IoCs are included in your security software.

Critical vulnerabilities of the week

Google Chrome received important updates last week, including one that addressed a nasty bug – CVE-2023-2136, which is already under active attack.

The flaw allows an attacker to bypass the sandboxing tech in the Chrome browser by exploiting an integer overflow issue in the Skia graphics engine.

The hypothetical attacker would already need to have compromised the renderer process to manage it, but it's clear that hasn't been a problem – at least someone is using the exploit for the bug.

"Google is aware that an exploit for CVE-2023-2136 exists in the wild," the Chocolate Factory warned.

'Twas also a vulnerable week for Cisco, which reported multiple critical problems in several software products:

  • CVSS 9.9 – Multiple CVEs: Cisco Industrial Network Director contains a pair of vulnerabilities that could allow an authenticated attacker to inject arbitrary OS commands or access sensitive data.
  • CVSS 9.1 – CVE-2023-20154: Cisco Modeling Labs has an external authentication vulnerability that could give an unauthenticated attacker admin access to the platform's web interface.
  • CVSS 8.8 – Multiple CVEs: SNMP in Cisco IOS and IOS XE is lousy with vulnerabilities that could give a remote attacker the ability to remotely execute code or force a system reload.
  • CVSS 8.8 – CVE-2023-20046: Cisco StarOS's SSH implementation contains a flaw that could let an authenticated remote attacker escalate their privileges on affected devices.
  • CVSS 8.6 – CVE-2023-20125: Cisco BroadWorks Network Server has a vulnerability that could allow an attacker to exhaust system resources and cause a denial of service.

VMware also reported a vulnerability on Thursday that it described as ranging from 7.2 to 9.8 on the CVSS scale, and spanning two CVEs. The issue affects VMware Aria Operations for Logs, which contains a deserialization vulnerability through which a remote unauthenticated actor can execute arbitrary code with root permissions.

CISA shared a trio of critical industrial control systems vulnerabilities, too:

  • CVSS 10.0 – CVE-2023-2131: INEA's ME RTU firmware versions prior to 3.36 are vulnerable to OS command injection.
  • CVSS 9.8 – Multiple CVEs: Multiple versions of Schneider Electric's Easy UPS Online Monitoring software contain authentication issues which could allow an attacker to escalate privileges, bypass authentication, and the like.
  • CVSS 8.6 – Multiple CVEs: All versions of Omron PLC CJ, PLC CS and PLC NX1P2 are susceptible to authentication bypass vulnerabilities that could allow an attacker to pose as an authorized user.

There's also a pair of newly known exploited vulnerabilities:

  • CVSS 9.8 – CVE-2023-27350: PaperCut NG v.22.0.5 contains an authentication bypass vulnerability that allows an attacker to execute arbitrary code.
  • CVSS not rated yet – CVE-2023-2136: Chrome's rendering engine, Skia, has an integer overflow issue that could allow sandbox escape.

Also, Oracle released a series of security updates that patch hundreds of vulnerabilities in Oracle, Solaris and Linux systems. They're too lengthy to cover here, but it's a good idea to update your Oracle systems to apply the latest patches.

Finland sentences CEO for a breach at his company

Leave it to the Finns to come up with such a novel concept: The former CEO of a hacked psychotherapy center was handed a prison sentence for his role in failing to pseudonymize and encrypt patient health records, as required under the EU's General Data Protection Regulation.

The court originally said the seriousness of the crime justified an unconditional jail sentence, but since former leader Ville Tapio had no prior criminal record, the court settled on a three month suspended sentence, the Finnish Broadcasting Company (Yle) reported.

The breach occurred in 2020 and saw tens of thousands of patient records published online, where cyber criminals used the patient records – including session notes and personal details – to blackmail those caught up in the leak. Tapio was fired by the board of the Vastaamo psychotherapy clinic soon after the breach.

The court said this week that the company's database stored patient records in plain text without adequate encryption, and characterized Tapio's behavior as "particularly reprehensible" given the sensitive nature of the information Vastaamo stored.

French police arrested the alleged hacker in the case, Julius "Zeekill" Kivimäki, in February. First identified as a suspect in the case in October of last year, Kivimäki has a sizeable cyber crime rap sheet. ®