Cyber Month in Review April 2023

Welcome back to this month’s security review. The world of security is always moving and evolving, with vulnerabilities, breaches and new guidance being released every day.

The volume and complexity of some of these can sometimes be overwhelming and difficult to keep track of, so let’s use this article to help summarise some of this month’s highlights so that together, we can be more cyber-aware.

3CX Desktop App Compromised in Supply Chain Attack

April started off pretty rocky, with the tail-end of March seeing a terrifying supply chain attack which led to the compromise of 3CX, its software and associated users. With 3CX having around 600,000 customer companies and 12 million daily users, the event is likely to have affected many, with the attack having since been revealed (with high confidence) to be carried out by an advanced threat actor/cluster named ‘UNC4736’, which has a North Korean nexus.

The attackers managed to infect 3CX systems and trojanize the digitally signed 3CX Desktop application, affecting a variety of versions for both Windows and MacOS (see versions affected below). The attack flow and payloads involved differ slightly from Windows to MacOS, with Mandiant’s investigation finding that Windows systems were targeted with malware named ‘Taxhaul’ (or TxrLoader), using DLL sideloading to achieve persistence and reducing the likelihood of detection, later deploying the 2nd stage downloader malware named ‘Coldcat’. MacOS systems, on the other hand, were identified to have a backdoor named ‘Simplesea’, which supports commands including shell command execution, file transfer, file execution, file management, and configuration updating.

What Should I Do

Whilst investigation and updates are still coming in, the following information will help you assess the impact and find the steps needed to remediate (as of 18/04/23):

Impacted Versions:

According to NIST, the known affected versions are:

• • 3CX DesktopApp Electron Windows Application shipped in Update 7: 18.12.407 and 18.12.416.

• • 3CX DesktopApp Electron macOS Application: 18.11.1213, 18.12.402, and 18.12.416.

Uninstall the Desktop App: 3CX recommends that users uninstall the 3CX Electron Desktop App from all Windows or MacOS computers.

Details on how to do this and PowerShell scripts for mass uninstall can be found here: Uninstalling the Desktop App from Windows and Mac (3cx.com).

Investigate:

If you have identified any instance of the 3CX Electron Desktop App on your network, it is important to investigate further and identify any indicators of compromise. AV scans should be continued to help with obvious detections, and EDR solutioning should be employed to help detect the more subtle IOCs.

Try looking into what connections your device has made and whether any of the known c2 domains are listed. If they are listed, try looking into the process tree further and note what interactions were made to understand the potential impact.

Sophos have listed a number of IOCs in a repository here: IoCs/3CX IoCs 2023-03.csv at master · Sophoslabs/IoCs · GitHub, with XDR queries here for those who are Sophos XDR customers: Update 2: 3CX users under DLL-sideloading attack: What you need to know – Sophos News.

CISA has also listed a number of other useful links and reports, which can be found here: Supply Chain Attack Against 3CX Desktop App | CISA.

3CX Moving Forward:

3CX has since released an update (06/04/23) detailing that the preferred option moving forward is installing 3CX as a native web app or downloading the new build 18.12.425, which has no evidence of compromise. See here for details: V18 Update 7 Electron Desktop App – Build 18.12.425 (3cx.com).

3CX has released an update (06/04/23) stating that the preferred option moving forward is installing 3CX as a native web app or downloading the new build 18.12.425, which has no evidence of compromise. For details, see here: V18 Update 7 Electron Desktop App – Build 18.12.425 (3cx.com).

---

Business Cyber Security Posture Assessment
31% of business reported a cyber incident last year. Don’t be next. Take this FREE assessment to uncover your cyber security weaknesses.

Start Assessment

---

UK Criminal Records Office

It’s not just 3CX being targeted this month, as the UK Criminal Records Office (ACRO), responsible for running criminal record checks on individuals for convictions, cautions, etc., has confirmed that the issues experienced on their online portal since January 17th resulted from a cyber security incident, which caused them to take the portal offline on March 29th.

The incident involves a decade’s worth of sensitive information, and they are currently working with the NCSC and ICO for further investigation. There is no additional information on what or who caused the incident.

What Should I do

ACRO sent an email to customers, stating that they had “no conclusive evidence that personal data has been affected by the cyber security incident,” but also that “the personal data which could have been affected is any information you supplied to us, including identification information and any criminal conviction data.”

Until the investigation reveals more, users have been urged to use strong and unique passwords for online accounts and to keep an eye out for suspicious activity such as phishing emails.

 

Javascript VM2

Javascript VM2 is a well-known library used by various software tools for running and testing untrusted code in a sandbox environment. The related software usually includes tools such as IDEs, code editors, and security/pentest tools.

Unfortunately, VM2 has not had the best luck this month, as multiple sandbox escape flaws have been identified for the library, with CVE-2023-29017 being discovered near the start of the month and CVE-2023-29199 and CVE-2023-30547 being discovered more recently.

CVE-2023-29017 holds a CVSS score of 10/10, allowing an attacker to “bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.”

CVE-2023-29199 and CVE-2023-30547, on the other hand, allow the attacker to leak unsanitised host exceptions to escape the sandbox and run arbitrary code in the host context

What Should I do

Check your network for the following:

• Any internal development that has utilised the VM2 library.

• Any external application you may use which incorporates the VM2 library.

For internal instances that utilise VM2, make sure to upgrade to version 3.9.17 as soon as possible to address the flaw. For external instances that you utilise, you may be exposed for longer, so make sure to check with the vendor for updates.

 

APC Critical Unauthenticated RCE

Schneider Electric released a notification this month regarding multiple vulnerabilities found within its APC and Schneider branded ‘Easy UPS Online Monitoring’ software. Uninterruptable Power Supply devices (UPS) are an essential part of business continuity and environmental protection for a variety of network infrastructures (from small businesses right up to data centres), with APC being one of the better-known brands and the ‘Easy UPS Online Monitoring software is used to configure and manage these APC/Schneider products.

The vulnerabilities in question could allow unauthenticated arbitrary remote code execution and allow attackers to take over the devices or lose functionality altogether. The individual CVEs are listed below, with more detail available on the official advisory linked further down.

• CVE-2023-29411 (CVSS score: 9.8): Missing authentication for a critical function that could allow changes to admin credentials and lead to potential RCE on the Java RMI interface.

• CVE-2023-29412 (CVSS score: 9.8): Improper handling of case sensitivity could cause RCE when manipulating internal methods through the Java RMI interface.

• CVE-2023-29413 (CVSS score: 7.5): Missing authentication for a critical function that could cause DoS when accessed by an unauthenticated user on the Schneider UPS monitor service.

What should I do?

The above vulnerabilities affect APC and Schneider Electric’ Easy UPS Online Monitoring Software’ v2.5-GA-01-22320 and earlier on all Windows versions and Windows Server 2016,2019 and 2022. Admins should apply the patch as soon as possible to v2.5-GS-01-23036 or later, with more details being available here: files (Schneider-electric.com)

 

SLP bug used for DDoS amplification

Researchers from BitSight and Curesec discovered a vulnerability in the legacy Service Location Protocol (SLP) this month, being tracked as CVE-2023-29552 with a CVSS score of 8.6. The exploitation of the vulnerability could allow attackers to use spoofed UDP traffic to launch massive denial of service amplification attacks as high as 2200x! Despite being a legacy protocol that wasn’t intended for internet visibility/use, a recent scan by the researchers found more than 54,000 exploitable SLP instances over 2000 organisations – including occurrences within VMware ESXi Hypervisor, Konica Minolta printers, Planex Routers, IBM Integrated Management Module (IMM), and others. What should I do? (At a Glance) Given the severity of the vulnerability and potential impact on your network, admins should review their infrastructure and disable (or at least restrict) network access to SLP servers, making sure to pay particular attention to shadow IT (systems often forgotten or otherwise used outside of normal IT admin approval/control). Services such as VMware, which have been affected by the SLP flaw, should also be contacted for guidance if applicable.

• For the full report, visit the BitSight article here: New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP) | BitSight

• For the technical details, see here: NVD – CVE-2023-29552 (nist.gov) 

• To see the impacted VMware versions (and response), see here: VMware Response to CVE-2023-29552 – Reflective Denial-of-Service (DoS) Amplification Vulnerability in SLP – VMware Security Blog – VMware.

 

NCSC warns against heightened threat against Western infrastructure.

In an important update from the NCSC (UK’s National Cyber Security Centre), a new class of Russian cyber adversaries has been identified. The NCSC states that these “state-aligned groups are often sympathetic to Russia’s invasion and are ideologically, rather than financially motivated.”

Committing acts akin to modern-day privateering, these groups are aligned with Russian interests without being subjected to formal state control, allowing them to act without the usual constraints enforced and targeting as they wish, making them less predictable.

What Should I Do 

With the groups gradually moving from DDoS and website defacements to more disruptive attacks against critical Western infrastructure (including the UK), the NCSC recommends all organisations review and (where possible) implement the following guidance:

• Actions to take when the cyber threat is heightened | NCSC.gov.uk
• Secure system administration | NCSC.gov.uk

It’s important for organisations to also understand that while they may not be directly attributed to critical infrastructure, attacks with such goals can sometimes have ‘spillover’ where your business is inadvertently targeted or affected either as part of the supply chain or simply as collateral (as seen in the 3CX attack), so make sure to review the guidance above!

You can see the alert for more detail here: Heightened threat of state-aligned groups against western critical national infrastructure | NCSC.gov.uk

 

Conclusion

Ransomware attacks have soared in the last couple of months, with a ransomware attack happening once every 11 seconds. This was further compounded in April with additional attacks like the 3CX supply chain attack, forcing admins to adapt and investigate quickly. An important notice from the NCSC has also given IT admins a lot to review and think about as we go into the months ahead, as we all need to review, adapt, and improve our systems and methods to keep on top of the increasingly heightened cyber threat.

As always, it is important to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month. Others, such as the TP-Link Archer botnet exploit, HP LaserJet critical bug, MSI’s security breach, and Papercut’s severe remote takeover exploit, are examples of other updates you should be aware of and research.

If you have been caught off-guard by some of this month’s developments, look at your security processes and see what changes you can make to ensure you don’t get caught out in the future. Just 20 minutes of research each day can help you keep on top of the significant security trends and alerts which help protect your business and keep you cyber-aware!

If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.