{"id":642904,"date":"2023-04-29T10:05:59","date_gmt":"2023-04-29T15:05:59","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/04\/29\/3cx-data-breach-shows-organizations-cant-afford-to-overlook-software-supply-chain-attacks\/"},"modified":"2023-04-29T10:05:59","modified_gmt":"2023-04-29T15:05:59","slug":"3cx-data-breach-shows-organizations-cant-afford-to-overlook-software-supply-chain-attacks","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/04\/29\/3cx-data-breach-shows-organizations-cant-afford-to-overlook-software-supply-chain-attacks\/","title":{"rendered":"3CX data breach shows organizations can\u2019t afford to overlook software supply chain attacks\u00a0\u00a0"},"content":{"rendered":"<p>Last month, VoIP provider <a href=\"https:\/\/www.3cx.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">3CX<\/a> experienced a data breach after an employee downloaded a trojanized version of <a href=\"https:\/\/www.tradingtechnologies.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Trading Technologies<\/a>\u2019 X_Trader software. After breaking into the vendor\u2019s environment, North Korean threat actors then used an exploit to ship malicious versions of the 3CX desktop app to downstream customers as part of a <a href=\"https:\/\/venturebeat.com\/security\/the-software-supply-chain-new-threats-call-for-new-security-measures\/\">software supply chain<\/a> attack. 
\u00a0<\/p>\n<p>The incident resulted in the <a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/xtrader-3cx-supply-chain\" target=\"_blank\" rel=\"noreferrer noopener\">compromise<\/a> of two critical infrastructure organizations and two financial trading entities. It\u2019s one of the first known instances where a threat actor chained together two supply chain attacks in one. \u00a0<\/p>\n<p>More importantly, this high-profile breach highlights the havoc that third-party compromise can wreak on an organization, and shows that organizations need to focus on mitigating upstream risk if they want to avoid similar incidents in future.\u00a0\u00a0<\/p>\n<p>After all, given that supply chain attacks <a href=\"https:\/\/www.csoonline.com\/article\/3677228\/supply-chain-attacks-increased-over-600-this-year-and-companies-are-falling-behind.html\" target=\"_blank\" rel=\"noreferrer noopener\">increased<\/a> by 633% over the past year, with 88,000 known instances, security leaders can\u2019t afford to assume that these attacks are rare or infrequent.\u00a0<\/p>\n<div><body><\/p>\n<p><\/body><\/p>\n<h2 id=\"h-understanding-the-risk-of-software-supply-chain-attacks\">Understanding the risk of software supply chain attacks\u00a0\u00a0<\/h2>\n<p>Ever since a Russian cybergang orchestrated the supply chain breach in December 2020 to gain access to <a 
href=\"https:\/\/www.wired.com\/story\/solarwinds-hack-supply-chain-threats-improvements\/\" target=\"_blank\" rel=\"noreferrer noopener\">SolarWinds<\/a>\u2019 internal systems and shipped malicious updates to customers, opening up access to as many as 18,000 SolarWinds customers, these styles of attacks have remained a persistent threat to organizations.\u00a0<\/p>\n<p>One of the main reasons for this is that they\u2019re cost effective. For financially and espionage-motivated cybercriminals, supply chain attacks are a go-to choice because an attacker can compromise a single software vendor and gain access to multiple downstream organizations, maximizing their reach.\u00a0<\/p>\n<p>At the same time, an intruder who sits between the vendor and its customers is positioned to move laterally between multiple organizations at a time and gain access to as much data as possible.\u00a0<\/p>\n<p>\u201cSupply chain attacks are very difficult to pull off, but highly cost effective if they succeed, since they open a very wide attack surface, usually known and available exclusively to the attacker. 
This creates a \u2018hunting ground,\u2019 or even a sort of \u2018buffet\u2019 in which the threat actor has their choice of target organizations and can operate with fewer constraints,\u201d said Amitai Cohen, attack vector\u2013intel lead at <a href=\"https:\/\/www.wiz.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">Wiz<\/a>, in an email to VentureBeat.\u00a0<\/p>\n<p>\u201cFor end-user software, the threat actor can gain initial access to every workstation or server in the target organization\u2019s network on which the app is installed,\u201d Cohen said.\u00a0<\/p>\n<h2 id=\"h-what-makes-the-3cx-breach-stand-out\">What makes the 3CX breach stand out\u00a0<\/h2>\n<p>According to <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/3cx-software-supply-chain-compromise\" target=\"_blank\" rel=\"noreferrer noopener\">Mandiant<\/a> consulting, the team that discovered the initial compromise vector of the breach, the incident was notable not just because of the linked software supply chain attacks, but because it highlighted that the North Korean threat actor, referred to as UNC4736, has developed the ability to launch these attacks.\u00a0<\/p>\n<p>\u201cThese types of breaches have been happening for a long time. 
This one was notable because it was the first time we had seen these things kind of daisy-chained together, where one sort of led to another,\u201d said Ben Read, Mandiant director of cyber-espionage analysis, in an interview with VentureBeat.\u00a0He added the attack also alerted security experts that \u201cNorth Korea has the technical ability to carry these things off.\u201d<\/p>\n<p>Another concerning element of this incident is the fact that the breach remained undiscovered for a significant period of time, leading to concerns that there could be other unknown organizations affected.\u00a0\u00a0<\/p>\n<p>\u201cAnd the other part is that the Trading Technologies [breach] occurred back in the spring of 2022 and as far as we\u2019re aware, the specifics of it hadn\u2019t come to light before now. So there\u2019s a possibility that this has happened in other places and no one has found it yet,\u201d Read said.\u00a0<\/p>\n<h2 id=\"h-more-to-come-from-unc4736\">More to come from UNC4736<\/h2>\n<p>At this stage, it\u2019s too early to say whether the success of this breach will inspire other threat actors to launch similar attacks. However, Symantec principal intelligence analyst Dick O\u2019Brien, who has been closely monitoring the incident, believes that the UNC4736 group behind the attack are likely to conduct similar attacks in future.\u00a0<\/p>\n<p>\u201cWe\u2019re seeing a North Korean sponsored actor getting its foothold into multiple organizations in multiple geographies. And while the motivation right now seems to be probably financial; with North Korea, you can never really rule out anything else occurring,\u201d O\u2019Brien said.\u00a0<\/p>\n<p>\u201cI wouldn\u2019t be surprised at all if we see another supply chain attack from this group,\u201d O\u2019Brien said. 
\u201cI think that the reach this group has gotten through the supply chain attacks is a cause for concern.\u201d\u00a0<\/p>\n<p>As a result, organizations need to harden their internal network controls to prevent such actors from moving laterally from system to system, as part of what Read calls an \u201cassume compromise\u201d approach.\u00a0<\/p>\n<p>In practice, this means incorporating <a href=\"https:\/\/venturebeat.com\/security\/report-orgs-with-zero-trust-segmentation-avoid-5-major-cyberattacks-annually\/\">network segmentation<\/a> (dividing a network into smaller parts) and implementing <a href=\"https:\/\/venturebeat.com\/security\/access-management-must-get-stronger-in-a-zero-trust-world\/\">zero trust<\/a> access controls to limit privileged access to resources. That way, if an attacker does gain access to the environment, their mobility is limited, making the incident easier to contain.\u00a0<\/p>\n<h2 id=\"h-how-organizations-can-mitigate-third-party-risk\">How organizations can mitigate third-party risk <\/h2>\n<p>While internal controls like network segmentation and zero-trust access controls\u00a0go some way to mitigating the risk of lateral movement once an attacker has entered an organization\u2019s environment, they do little to address the risk of an upstream software vendor being breached in the first place.\u00a0<\/p>\n<p>Given that organizations can\u2019t control the internal security practices and processes of third-party vendors, Cohen argues customers need to \u201cchoose vendors with a proven security track record.\u201d\u00a0<\/p>\n<p><a href=\"https:\/\/www.gartner.com\/en\/legal-compliance\/insights\/third-party-risk-management\" target=\"_blank\" rel=\"noreferrer noopener\">Gartner<\/a> suggests that organizations can test the security standing of a vendor by conducting due diligence in the form of risk assessments, not just prior to signing a contract with a third party, but throughout the entire commercial 
relationship.\u00a0<\/p>\n<p>As part of the risk assessment, an organization should request internal audits and risk reports, issue questionnaires, and analyze broader industry data (e.g., whether the vendor belongs to an industry at higher risk of cyberattacks) to quantify the level of risk presented by a commercial partnership.\u00a0<\/p>\n<p>It\u2019s also useful to review which regulations the vendor complies with and to verify proof of any certifications issued by third-party standards organizations, such as the <a href=\"https:\/\/www.iso.org\/home.html\" target=\"_blank\" rel=\"noreferrer noopener\">ISO<\/a>, to better understand the level of controls implemented within the environment.\u00a0\u00a0<\/p>\n<p>While due diligence alone won\u2019t mitigate third-party risk completely, it can help enterprises screen out vendors with less well-defined or less effective security procedures.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/venturebeat.com\/security\/3cx-data-breach-shows-organizations-cant-afford-to-overlook-software-supply-chain-attacks\/\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Tim Keary<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last month, VoIP provider 3CX experienced a data breach after an employee downloaded a trojanized version of Trading Technologies\u2019 X_Trader software. 
After breaking into the vendor\u2019s environment, North Korean threat actors then<\/p>\n","protected":false},"author":1,"featured_media":642905,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[252,94,46],"tags":[],"class_list":{"0":"post-642904","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-breach","8":"category-shows","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/642904","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=642904"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/642904\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/642905"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=642904"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=642904"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=642904"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}