
5 Best Practices to Avoid Supply Chain Attacks Like 3CX

The recent compromise of 3CX’s Electron Desktop Application (CVE-2023-29059) has highlighted the need for companies to remain vigilant against supply chain attacks involving the commercial software they use. A supply chain attack occurs when malware is introduced into legitimate software, or delivered through its updates, before that software reaches the consumer. Consumers who install or update the modified software are at risk of compromise and further attacks, both by the threat actor who introduced the malware and by others who take advantage of the weaknesses it introduces. Follow these 5 best practices to stay ahead of supply chain attacks:

1. Patch Management

In the case of the 3CX software compromise, the Windows vulnerability being exploited (CVE-2013-3900) is ten years old and a fix exists. (Details on how to implement the fix can be found on Microsoft’s website: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900.) Since known and already-patched vulnerabilities are frequently exploited by threat actors, it is important to stay on top of the relevant patches and fixes for vulnerabilities affecting the software used by you and your organization.

2. Anti-Virus

Anti-virus tools are effective at detecting and preventing known malware, such as the malware used in the 3CX software compromise. Anti-virus software should be configured to check for updates at least once a day to stay protected against the latest threats. It should perform continuous monitoring and scanning, supplemented by frequent full scans.

3. Endpoint Monitoring

Endpoint monitoring using an Endpoint Detection and Response (EDR) product such as Carbon Black helps to fill the detection gaps of anti-virus software. Endpoint monitoring detects and prevents advanced attacks such as fileless malware and ransomware. For optimal protection, every endpoint and server in your organization should have an endpoint monitoring agent installed. 24/7 review of alerts from the endpoint monitoring software helps to ensure rapid response to any widescale network attack. Organizations that do not have the capacity for 24/7 review should engage an experienced third party, such as Ankura, to assist in reviewing alerts at all hours.

4. Verify Downloaded Software

When downloading application software over the Internet, especially software coming from a third-party vendor, it is important to verify that the downloaded file both matches the expected download and is free from malware. Vendors frequently publish hashes for their available downloads so that you can compare the published hash to the hash of the file you downloaded and confirm that the file has not been altered. If the hashes are not available publicly, try contacting the vendor and asking for them. Once application software is downloaded, it should also be scanned for malware before being deployed.
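Checking a download against a vendor-published hash, as an added example that is not part of the original post or of 3CX’s tooling; it assumes the vendor publishes a sha256sum-style checksum list ("<hex digest>  <file name>") and uses constructed file names and contents:

```python
# Added example (not from the original post or 3CX): verify a download against the
# vendor's published hash. Assumes the vendor uses the sha256sum layout
# "<hex digest>  <file name>"; file names and contents below are constructed.
import hashlib
import hmac
import tempfile
from pathlib import Path

def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Hash the file in 1 MiB chunks so a large installer never has to fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksums(text: str) -> dict[str, str]:
    """Map file name -> lowercase digest from 'digest  name' lines; skip blanks and '#' comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, name = line.partition(" ")
            expected[name.strip().lstrip("*")] = digest.lower()  # '*' = sha256sum binary-mode marker
    return expected

def verify_download(path: Path, checksums: str, algorithm: str = "sha256") -> bool:
    """True only when the vendor lists this exact file name and the digests agree."""
    published = parse_checksums(checksums).get(path.name)
    if published is None:
        return False  # no published hash: treat the file as unverified, never as clean
    return hmac.compare_digest(file_digest(path, algorithm), published)

def demo() -> dict[str, bool]:
    """Constructed scenario: an intact download, a tampered copy, and a file the vendor never listed."""
    # SHA-256 of b"abc" (a standard test vector) stands in for the vendor's published digest.
    checksums = ("# constructed vendor checksum file\n"
                 "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  installer.exe\n")
    with tempfile.TemporaryDirectory() as tmp:
        intact = Path(tmp, "installer.exe")
        tampered = Path(tmp, "mirror", "installer.exe")  # same name, one byte changed in transit
        unlisted = Path(tmp, "unlisted.exe")
        tampered.parent.mkdir()
        for p, data in ((intact, b"abc"), (tampered, b"abd"), (unlisted, b"abc")):
            p.write_bytes(data)
        return {name: verify_download(p, checksums)
                for name, p in (("intact", intact), ("tampered", tampered), ("unlisted", unlisted))}

if __name__ == "__main__":
    print(demo())  # {'intact': True, 'tampered': False, 'unlisted': False}
```

A matching hash only proves the file is the one the vendor described, so the published digest must come from a channel you trust (the vendor’s own site) rather than from the same mirror that served the download.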

5. Have an Incident Response Plan

While prevention and detection are important, it is equally important to have an incident response plan in place for when an attack is detected. An incident response plan should be formalized and include a plan of action for before, during, and after a security incident. The plan should also include a list of contact points to be notified in the event of an incident. Existing incident response plans should be tested and reviewed at least annually. Ankura provides services to assist in creating, reviewing, and testing your organization’s incident response plan.

If you suspect you may have already fallen victim to the 3CX attack or another supply chain attack, the Ankura global team of incident responders has a novel and scalable approach to address these incidents. We begin with an assessment of the vulnerability and identify the degree to which it was leveraged. Frequently, we discover that the compromise was limited in scope and can be quickly contained. If a broader compromise is detected, we can provide a bespoke scope of work to address the issue without “boiling the ocean.” The Ankura Incident Response Team is easy to reach by emailing incident@ankura.com, which is monitored by practice leaders around the globe for a rapid, 24-7 response.

For any questions regarding 3CX or other types of cyber incidents, please reach out to Brent Riley (brent.riley@ankura.com) and Todd Doss (todd.doss@ankura.com).

Authored by Amber Zee

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
