CWN #4 - 2023 Week 13

3CX was compromised and used to deliver malware! A fine for the scooter rental service Cityscoot, research on AD Protected Users, and more.

Highlight of the week

The 3CX VoIP software (Windows and macOS versions) was compromised through a supply chain attack, then used to distribute the ICONIC info stealer. The attack is for now attributed to the Lazarus group.

The first public information was provided by Crowdstrike on Reddit on March 29th, 2023, but the malicious version had been pushed to clients since March 22nd. Since that day, many 3CX clients had been discussing the software being blocked by their AV/EDR; they resorted to allowlisting it, 3CX taking no action to solve or investigate the issue. The C2 infrastructure used for the malicious Windows version was activated in early December 2022, so 3CX had probably been compromised even before that, giving the Threat Actor time to understand the company's build, update and deploy process and stage the attack properly.

After an automatic update of the software, a reconnaissance payload (through a malicious version of ffmpeg) was deployed to Windows users, and potentially an additional payload for selected victims. As reported by Huntress, the shellcode-embedded PE file was coded to sleep for 7 days before reaching out to the C2, which explains the delay between the update and Crowdstrike seeing the first signs of malicious activity. It is worth noting that the malicious versions of the DLL could have been blocked: they rely on the ability to append content to an EXE's Authenticode signature section without invalidating the signature, a weakness known as CVE-2013-3900. Unfortunately, the patch is "opt-in" and the secure setting is not enabled by default… (and is even reverted when upgrading to Windows 11).
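To make the CVE-2013-3900 point concrete, here is an added example (not code from the newsletter, 3CX or any vendor) that parses a PE file, locates the Authenticode table (security data directory) and reports whether the WIN_CERTIFICATE structure carries bytes beyond the DER-encoded PKCS#7 blob. The sample PE images are constructed inline with a stand-in DER SEQUENCE instead of a real signature; the "at most 7 zero padding bytes" policy is an assumption chosen to mirror the strict check, not a statement of how Windows implements it.

```python
import struct

# Constructed stand-in for the PKCS#7 SignedData blob: a 12-byte DER SEQUENCE.
# Only its outer length matters for the padding check below.
FAKE_PKCS7 = b"\x30\x0a" + b"\x04\x08" + b"A" * 8


def build_fake_pe(cert_body: bytes) -> bytes:
    """Constructed minimal PE32+ image whose only populated data directory is the
    security directory (index 4), pointing at a WIN_CERTIFICATE wrapping cert_body."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    # WIN_CERTIFICATE: dwLength, wRevision (0x0200), wCertificateType (PKCS_SIGNED_DATA)
    wincert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, 0x0002) + cert_body
    sec_off = 64 + 4 + 20 + 240                                # file offset of the table
    # For the security directory the first field is a file offset, not an RVA.
    struct.pack_into("<II", opt, 112 + 4 * 8, sec_off, len(wincert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + wincert


def security_directory(pe: bytes):
    """Return (file_offset, size) of the Authenticode table, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                                        # after signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                         # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                                       # PE32+
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", pe, nrva_off)[0] <= 4:
        return None
    off, size = struct.unpack_from("<II", pe, dd_off + 4 * 8)
    return (off, size) if off and size else None


def der_total_length(blob: bytes) -> int:
    """Length of the outer DER TLV (tag + length bytes + content) at the start of blob."""
    if not blob or blob[0] != 0x30:
        raise ValueError("PKCS#7 SignedData must start with a SEQUENCE")
    first = blob[1]
    if first < 0x80:                                           # short-form length
        return 2 + first
    n = first & 0x7F                                           # long-form: n length bytes
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_authenticode_padding(pe: bytes) -> dict:
    """Report whether the WIN_CERTIFICATE holds data beyond the DER-encoded signature.
    Policy (assumption): up to 7 zero bytes of 8-byte alignment padding are normal;
    any non-zero or longer tail is flagged as CVE-2013-3900-style appended content."""
    entry = security_directory(pe)
    if entry is None:
        return {"signed": False, "suspicious": False, "trailing": 0}
    off, _size = entry
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    body = pe[off + 8: off + dw_length]
    der_len = der_total_length(body)
    trailing = body[der_len:]
    suspicious = len(trailing) >= 8 or any(trailing)
    return {"signed": True, "revision": revision, "type": cert_type,
            "der_len": der_len, "trailing": len(trailing), "suspicious": suspicious}


# Constructed samples: a well-formed table, and one with payload bytes appended.
CLEAN_PE = build_fake_pe(FAKE_PKCS7 + b"\x00" * 4)                 # 16-byte body
TAINTED_PE = build_fake_pe(FAKE_PKCS7 + b"\x00" * 4 + b"X" * 16)   # 32-byte body

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_PE), ("tainted", TAINTED_PE)):
        print(name, check_authenticode_padding(image))
```

Run it against real binaries by reading the file into `pe` and calling `check_authenticode_padding`; a flagged file is worth a closer look even when `signtool verify` is happy, because without the opt-in check (the `EnableCertPaddingCheck` value under `HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config` described in the Microsoft advisory) the appended bytes are simply ignored by the verifier.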

The initial vector for the 3CX compromise is still unknown.

Selection of the week

Microsoft is moving to start addressing the risk of unpatched on-prem Exchange servers. They'll deploy a "Transport-based Enforcement System" to gradually report, throttle and then block unsupported and unpatched Exchange servers sending emails to Exchange Online. The scope will be very limited at first (Exchange 2007, over an inbound connector of type OnPremises), but it will then be extended to all versions, regardless of how they send emails.

📰 https://techcommunity.microsoft.com/t5/exchange-team-blog/throttling-and-blocking-email-from-persistently-vulnerable/ba-p/3762078


Microsoft has announced Security Copilot, a “generative AI” to “empower your defenders”, already available in preview.

Three use cases are highlighted: Incident Response, Threat Hunting and Security reporting. Obviously, for it to work well, users will need the full Microsoft package with Defender, Sentinel and Intune.

It will be interesting to see how they tackle the hallucination problem: if analysts must redo the analysis to make sure the "AI" got it right, it will become pointless very fast (their own demo, while explaining the systems impacted by the log4j vulnerability, mentions "Windows 9"…).

📰 https://microsoft.com/en-us/security/business/ai-machine-learning/microsoft-security-copilot


The French service Cityscoot (short-duration rental of motor scooters) was fined 125k€ by the CNIL: the service is (still!) geolocating its clients every 30 seconds!

Three GDPR deficiencies were observed: insufficient data minimisation (§5.1.c), no contractual framework for the processing carried out by a third party (§28.3), and a failure to inform users and obtain their consent before storing and reading information on their personal equipment (§82 of the French Data Protection Act).

Cityscoot is considering an appeal to the Conseil d'État (Council of State).

📰 https://www.cnil.fr/en/geolocation-rental-scooters-cityscoot-fined-eu125000


The 3CX compromise is a good opportunity to remind you to map the attack paths specific to your environment. Mapping helps before an attack (what are my Protect and Detect chokepoints?), as well as during or after one (what are the most likely next steps I should investigate?).

🧰 Thanks to Kelly Shortridge again, you can design your attack trees here: https://www.deciduous.app/


Some Protected Users are not, in fact, protected. Research by Aurélien CHALOT (@Defte_) and Thomas SEIGNEURET (@_zblurx) shows that specific restrictions of the Protected Users group are not applied when the default Administrator of a domain (RID 500) is added to it:

  • You can connect using the Kerberos authentication protocol with RC4.
  • The forwardable flag is set in the service ticket.

The remediations are:

  • set the attribute msDS-SupportedEncryptionTypes to restrict the authentication protocol (but OverPass-the-Hash remains possible)
  • activate the option "Account is sensitive and cannot be delegated" to prevent delegation.
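The finding and its two remediations translate into a simple audit of the account attributes involved. The following is an added example (not from the newsletter or the SensePost research): it takes an account record shaped like the LDAP attributes an AD query would return (sAMAccountName, objectSid, memberOf, msDS-SupportedEncryptionTypes, userAccountControl), extracts the RID from the binary SID, and reports whether the RID 500 account in Protected Users still allows RC4/DES and still lacks the "Account is sensitive" flag. The sample records and the SID helper are constructed; the bit values are the documented msDS-SupportedEncryptionTypes and userAccountControl flags.

```python
import struct

# msDS-SupportedEncryptionTypes bit flags
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128_CTS, AES256_CTS = 0x1, 0x2, 0x4, 0x8, 0x10
AES_ONLY = AES128_CTS | AES256_CTS                     # 0x18
# userAccountControl flag for "Account is sensitive and cannot be delegated"
UF_NOT_DELEGATED = 0x100000


def rid_from_sid(sid: bytes) -> int:
    """Last sub-authority of a binary objectSid: revision(1), count(1),
    identifier authority (6 bytes), then `count` little-endian 32-bit sub-authorities."""
    revision, count = sid[0], sid[1]
    if revision != 1 or len(sid) != 8 + 4 * count:
        raise ValueError("malformed SID")
    return struct.unpack_from("<I", sid, 8 + 4 * (count - 1))[0]


def audit_protected_user(account: dict) -> list:
    """Return findings for one account; empty when nothing needs attention.
    Assumed keys mirror LDAP attribute names (sAMAccountName, objectSid as bytes,
    memberOf as a list of DNs, msDS-SupportedEncryptionTypes as int or None,
    userAccountControl as int)."""
    findings = []
    in_protected = any(dn.lower().startswith("cn=protected users,")
                       for dn in account.get("memberOf", []))
    if not in_protected:
        return findings
    if rid_from_sid(account["objectSid"]) != 500:
        return findings                               # group restrictions apply normally
    name = account.get("sAMAccountName", "?")
    findings.append(f"{name}: built-in Administrator (RID 500) in Protected Users, "
                    "group restrictions are not fully applied")
    # Remediation 1: restrict the Kerberos encryption types explicitly (unset means
    # the KDC default applies, which still permits RC4).
    enc = account.get("msDS-SupportedEncryptionTypes")
    if enc is None or enc & (RC4_HMAC | DES_CBC_CRC | DES_CBC_MD5):
        findings.append(f"{name}: RC4/DES still allowed, set "
                        f"msDS-SupportedEncryptionTypes to AES only (0x{AES_ONLY:x})")
    # Remediation 2: the "Account is sensitive and cannot be delegated" flag
    if not account.get("userAccountControl", 0) & UF_NOT_DELEGATED:
        findings.append(f"{name}: delegation not blocked, enable "
                        "'Account is sensitive and cannot be delegated'")
    return findings


def make_sid(*subauths: int) -> bytes:
    """Constructed helper: binary form of S-1-5-<subauths>."""
    return (bytes([1, len(subauths)]) + b"\x00\x00\x00\x00\x00\x05"
            + b"".join(struct.pack("<I", s) for s in subauths))


# Constructed sample records for a fictitious domain
PROTECTED_DN = "CN=Protected Users,CN=Users,DC=corp,DC=example"
SAMPLE_ADMIN = {"sAMAccountName": "Administrator",
                "objectSid": make_sid(21, 1, 2, 3, 500), "memberOf": [PROTECTED_DN],
                "msDS-SupportedEncryptionTypes": None, "userAccountControl": 0x200}
SAMPLE_FIXED = {"sAMAccountName": "Administrator",
                "objectSid": make_sid(21, 1, 2, 3, 500), "memberOf": [PROTECTED_DN],
                "msDS-SupportedEncryptionTypes": AES_ONLY,
                "userAccountControl": 0x200 | UF_NOT_DELEGATED}
SAMPLE_USER = {"sAMAccountName": "alice",
               "objectSid": make_sid(21, 1, 2, 3, 1105), "memberOf": [PROTECTED_DN],
               "msDS-SupportedEncryptionTypes": None, "userAccountControl": 0x200}

if __name__ == "__main__":
    for record in (SAMPLE_ADMIN, SAMPLE_FIXED, SAMPLE_USER):
        for line in audit_protected_user(record):
            print(line)
```

Even the fully remediated record keeps one finding, on purpose: as the research notes, restricting encryption types does not remove OverPass-the-Hash, so the RID 500 account in Protected Users remains a line item to track rather than a closed issue.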

📝 Details and precise remediations: https://sensepost.com/blog/2023/protected-users-you-thought-you-were-safe-uh/

📝 The Orange Cyberdefense Active Directory attack mindmap was updated with these techniques: https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2023_02.svg


Unsurprisingly, a new forum has been created in an attempt to replace the infamous raidforums and breachforums. A post from its administrator "Sinistery" mentions an "unparalleled level of operational security" and "no affiliation with these [previous] platforms", but they'll restore the high ranks of past users… Let's see how long this "pwnedforums.com" lasts!


A trove of leaked documents dubbed "the VulkanFiles" is shining a light on Putin's cyberwarfare tactics. Documents from 2016 to 2019 show the capabilities developed by the contractor NTC Vulkan to control communications and spread disinformation. The Amezit project caught the eye of Sekoia's analysts with its "infrastructure […] and information level control features".

📰 Global story: https://www.lemonde.fr/pixels/article/2023/03/30/vulkan-files-ce-que-les-documents-internes-de-l-entreprise-russe-revelent-des-obsessions-du-kremlin-pour-le-controle-d-internet_6167650_4408996.html & https://www.theguardian.com/technology/2023/mar/30/vulkan-files-leak-reveals-putins-global-and-domestic-cyberwarfare-tactics

📝 Technical analysis: https://blog.sekoia.io/sekoia-io-analysis-of-the-vulkanfiles-leak/


Quick news:

Conclusion

Secure your build pipeline by first preventing Threat Actor access to your environment! Then manage the complex potential take-over of external libraries…

Have a good week.
