|
Listen to post:
Getting your Trinity Audio player ready...
|
Supply chain attacks are one of the top concerns for any organization as they exploit (no pun intended) the inherited trust between organizations. Recent examples of similar attacks include SolarWinds and Kaseya. On March 29th, a new supply chain attack was identified targeting 3CX, a VoIP IPXS developer, with North Korean nation-state actors as the likely perpetrators.
What makes the 3CX attack so devastating is the exploitation of a 10-year-old Microsoft vulnerability (CVE-2013-3900) that makes executables appear to be legitimately signed by Microsoft while, in fact, they are being used to distribute malware. This is not the first time this vulnerability has been exploited; earlier this year, the same tactic was used in the Zloader infection campaign. In the 3CX case, the two “signed” malicious DLLs were used to connect to a C&C (Command and Control) server and ultimately connect to a GitHub repository and download an information stealing malware that targets sensitive data users type into their browser.
Cato Networks SASE Threat Research Report H2/2022 | Download the ReportThe Cato Networks security group responded to this threat immediately. Customers whose systems were communicating with the second-stage payload server were contacted and informed of which devices were compromised. All domains and IPs associated with the campaign were blocked to limit any exposure to this threat.
Cato’s approach to such threats is one of multiple choke points, ensuring the threat is detected, mitigated, and prevented along its entire attack path. This can only be done by leveraging the private cloud backbone in which each PoP has the entire security stack sharing and contextualizing data for each network flow. Cato’s mitigation of the 3CX threat includes:
- Malicious domains are tagged as such and are blocked. The firewall rule for blocking malicious domains is enabled by default.
- IPS (Intrusion Prevention System) – Payload servers were added to the domain blocklist, this is complimentary to the firewall rules and is not dependent on them being enabled.
- Anti-malware – All 3CX associated trojans are blocked
- MDR (Managed Detection and Response) – the MDR team continues to monitor customer systems for any suspicious activities.
Cato Networks security group will continue to monitor this threat as it develops. For a detailed technical analysis of the attack see Cyble’s blog.
Etay Maor
Etay Maor is the Senior Director of Security Strategy at Cato Networks and an industry-recognized cybersecurity researcher. Previously, Etay was the Chief Security Officer for IntSights, where he led strategic cybersecurity research and security services. Etay has also held senior security positions at IBM, where he created and led breach response training and security research, and RSA Security’s Cyber Threats Research Labs, where he managed malware research and intelligence teams. Etay is an adjunct professor at Boston College and is part of Call for Paper (CFP) committees for the RSA Conference and QuBits Conference. He holds a BA in Computer Science and a MA in Counter-Terrorism and Cyber-Terrorism.
Dolev Moshe Attiya
Dolev Moshe Attiya is a seasoned Staff Cyber Security Engineer at Cato, specializing in threat analysis, research, and developing advanced countermeasures. With over five years of experience, Dolev plays a key role in fortifying Cato's security against emerging threats and CVEs, showcasing his commitment to excellence in the dynamic field of cybersecurity.