3CX Hit by SmoothOperator

3CX, one of the world’s best known telephony applications, has been rocked by a devastating supply-chain attack that is infecting end-users.

The breach, designated ‘SmoothOperator’ is believed to affect both the 3CX Desktop app and PMA, 3CX’s recommended replacement. Once the trojanised payload is delivered to the 3CX end-user, it interacts with popular web browsers such as Chrome, Edge, Firefox and Brave – likely in an attempt to steal user data, including browser history, down the line.

In a video released earlier today, SentinelOne demonstrated the forensic detection of SmoothOperator, detections of which have risen dramatically in recent days. A sample of how the powerful endpoint security software blocks the threat can be seen in the video below.

Security analysts are rumoured to have discovered links to Labyrinth Chollima, a North Korean Lazarus Group offshoot from Bureau 121 of the DPRK’s ‘Reconnaissance General Bureau.’ 3CX is believed to be in use by more than 12 million daily users around the world, among more than 600,000 organisations.

Managed detection and response specialists Huntress have published a wide-ranging report on the breach with a difficult verdict for organisations using 3CX:

“We anticipate that 3CX will not complete a root cause analysis of this incident for some time, and users should look for alternative telephony mechanisms for the foreseeable future.”


Remediation: organisations using 3CX are advised to…

1. Enforce mandatory password resets for all users.
2. Reset passwords for any web-based accounts which might have suffered credential harvesting via the user’s browser, and have multi-factor authentication (MFA) enabled for those accounts.
3. Invalidate any persistence tokens used for Microsoft 365, Google Workspace and other accounts that might allow automatic login without MFA.
4. Enable high security risk conditional access if using Microsoft Azure.
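Steps 1, 3 and 4 above map onto three Microsoft Graph calls for Microsoft 365 tenants. The Python below is an added example, not code from Lineal, 3CX or Huntress: it uses the documented Graph endpoints `POST /users/{id}/revokeSignInSessions` (invalidates refresh tokens and session cookies so cached logins stop working), `PATCH /users/{id}` with `passwordProfile.forceChangePasswordNextSignIn` (forces a password change at next sign-in) and `POST /identity/conditionalAccess/policies` (a sign-in-risk policy requiring MFA). The user names, policy name and the dry-run transport are constructed assumptions; obtaining an access token is left to the caller.

```python
"""Constructed example (not Lineal's, 3CX's or Huntress's code): drive the
Microsoft 365 parts of the remediation list above through the Microsoft Graph API.
The HTTP transport is injected, so the whole plan can be dry-run offline first."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
# A transport takes (method, url, json_body) and returns (status_code, json_response).
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


@dataclass
class RemediationResult:
    user: str
    sessions_revoked: bool = False
    password_reset_forced: bool = False
    errors: List[str] = field(default_factory=list)


def revoke_sessions(transport: Transport, user: str) -> bool:
    """Step 3: invalidate refresh tokens and session cookies so cached logins
    stop working. Graph answers 200 with {"value": true} on success."""
    status, body = transport("POST", f"{GRAPH}/users/{user}/revokeSignInSessions", None)
    return status == 200 and bool(body.get("value"))


def force_password_reset(transport: Transport, user: str) -> bool:
    """Step 1: require a new password at next sign-in (Graph answers 204)."""
    body = {"passwordProfile": {"forceChangePasswordNextSignIn": True}}
    status, _ = transport("PATCH", f"{GRAPH}/users/{user}", body)
    return status == 204


def high_risk_policy(name: str) -> dict:
    """Step 4: Conditional Access policy requiring MFA on every sign-in that
    Entra ID Identity Protection rates as high risk."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "signInRiskLevels": ["high"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def create_high_risk_policy(transport: Transport, name: str) -> bool:
    status, _ = transport("POST", f"{GRAPH}/identity/conditionalAccess/policies",
                          high_risk_policy(name))
    return status == 201


def remediate_users(transport: Transport, users: List[str]) -> List[RemediationResult]:
    """Revoke sessions before forcing the reset, and record each outcome so a
    partial failure is visible rather than silently skipped."""
    results = []
    for user in users:
        r = RemediationResult(user=user)
        try:
            r.sessions_revoked = revoke_sessions(transport, user)
            r.password_reset_forced = force_password_reset(transport, user)
        except Exception as exc:  # transport failure: keep going, keep the evidence
            r.errors.append(str(exc))
        results.append(r)
    return results


def dry_run_transport(log: List[dict]) -> Transport:
    """Records every call instead of sending it; answers as Graph does on success."""
    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        log.append({"method": method, "url": url, "body": body})
        if url.endswith("/revokeSignInSessions"):
            return 200, {"value": True}
        if method == "PATCH":
            return 204, {}
        if url.endswith("/conditionalAccess/policies"):
            return 201, {"id": "constructed-policy-id"}
        return 404, {}
    return send


def live_transport(access_token: str) -> Transport:
    """Sends the same calls for real; obtaining the token (e.g. with MSAL) is the caller's job."""
    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:
            return err.code, {}
    return send
```

Run `remediate_users(dry_run_transport(log), users)` first and inspect `log` to see exactly which calls will be made, then repeat with `live_transport(token)` where the token carries the User.ReadWrite.All and Policy.ReadWrite.ConditionalAccess permissions. Forcing a change at next sign-in is the minimum for step 1; where the attacker may already know the current password, an administrator-set temporary password in the same `passwordProfile` is the stronger option, and step 2 (web accounts outside Microsoft 365) still has to be handled with each provider separately.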


For Cyber Security expertise and assistance, please contact our team today.


Home PC Hack Topples LastPass

LastPass have confirmed that a hack on a staff member’s home PC led to a massive cyber security breach on the company.

The second stage of the attack used data stolen in LastPass’s August breach, cross-referenced with other stolen information, to launch a targeted sting on one of their DevOps engineers, installing a keylogger on the staff member’s home PC which resulted in the loss of yet more data.

LastPass confirmed the attacker was able to steal the user’s master password, gaining access to corporate vault resources and shared folders. In the process, encrypted notes and the decryption keys needed to access LastPass production backups held in Amazon Web Services (AWS) cloud storage, along with critical database backups, were also compromised.

Since the August 2022 breach, when LastPass source code was stolen, the company has admitted the breach also saw the theft of account usernames, hashed passwords, and some Multi-Factor Authentication (MFA) settings belonging to end users.

Unfortunately, LastPass also acknowledged that the saved URL for each password entry was unencrypted, giving potential attackers an obvious clue to the purpose of each set of credentials.

The breach highlights the way remote working culture has introduced significant new digital risks – such as the danger of home users accessing work data, resources and applications on devices that sit ‘outside’ of company cyber security protections.

LastPass is believed to be used by over 85,000 businesses and 30 million end users.



The Problem with QR Codes

QR codes have become an easy way for companies to promote themselves – now that everyone carries a barcode scanner in their pocket (their smartphone) why not take advantage of this to better connect with customers?

Well… because it can also be a cybersecurity nightmare.

Cryptocurrency platform Coinbase recently made headlines by using their Super Bowl half-time advert to advertise themselves with a bouncing QR code that users could scan live from their sofas. As many pointed out, this is literally the equivalent of clicking a blind link in an email from an unknown sender – with users unlikely to have checked where the link will take them, or what information they’re handing over when they get there.

Worse still, even if a company’s own QR codes are harmless, it’s very easy to generate imitations online that are not – leveraging a larger company’s advertising as a way to scam users.

QR codes can all too easily be planted by third-parties as a way of tricking the unsuspecting – in particular, you need to be wary of the following scams:


Parking Meters
– A fake parking meter QR code, stuck on as a label, works in a similar fashion to phishing emails and the card-skimming devices cybercriminals have famously fitted to ATMs to steal card details. By redirecting the user to a fake payment portal to pay for their parking, it catches those who might otherwise be in a rush. See also: fake parking penalty tickets.


SMS/Phone Codes
– QR codes are generally scanned by smartphones, which can make calls and send SMS messages, so a code can prompt the user to call or text a number. Handy for business, certainly, but risky if the user doesn’t realise they’re calling or texting a premium-rate number.


Social Media Share
– Scan here to automatically tweet a link from @Lineal! Unfortunately that link is easily manipulated, so the person scanning can unwittingly become part of further phishing attempts aimed at their own Twitter followers.


Connecting to Wi-Fi
– In public spaces, many businesses prompt users to join their free Wi-Fi via a QR code. Clever and convenient, but just as easy to use as a mechanism for a man-in-the-middle attack: a fake Wi-Fi network whose QR code is simply a trap for the unsuspecting user trying to check their email in a coffee shop, airport or hotel.


Guidance:

Think before you click – does the QR code match the rest of their branding? Where does the link preview point to? Is there anybody/anywhere you can double-check?

Use a Password Manager – although you might not spot a fake website URL, a password manager that only autofills credentials on the exact site they were saved for will refuse to fill them on the fake, which gives the game away immediately.

Since a work mobile or tablet rarely sits behind a firewall that inspects its web browsing, companies issuing such devices also need to extend endpoint security software to them, just as they would for a work laptop used on the move.

Most importantly, users need to be regularly educated on the importance of recognising phishing scams with organised training – to build personal resilience that extends to whatever device they happen to be using.
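The checks in the guidance (where does the link point, does it match the branding you were shown, what will the phone actually do) can be applied to the raw payload before a scan is acted on. The Python below is an added example, not Lineal’s code: it recognises the payload types behind the four scams above (web links, tel:/sms: numbers, WIFI: join strings and Twitter share intents) and reports the action plus any warning. The expected brand domain, the premium-rate prefix list and the sample payloads are constructed assumptions.

```python
"""Constructed example (not Lineal's code): work out what a scanned QR payload
would make the phone do, and why it might be a trap, before acting on it."""
from dataclasses import dataclass, field
from typing import List
from urllib.parse import parse_qs, urlsplit

# Assumption: the domain of the organisation whose branding is on the poster or meter.
EXPECTED_DOMAINS = {"brand.example"}
# Assumption: UK premium-rate (09) and service-charge (084/087) prefixes, national and +44 forms.
PREMIUM_PREFIXES = ("09", "084", "087", "+449", "+4484", "+4487")


@dataclass
class Verdict:
    action: str      # open-url, call, sms, join-wifi, post-on-your-behalf, unknown
    target: str      # host, phone number or SSID
    warnings: List[str] = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.warnings)


def _digits(number: str) -> str:
    return "".join(ch for ch in number if ch.isdigit() or ch == "+")


def _parse_wifi(payload: str) -> dict:
    """WIFI:T:WPA;S:ssid;P:secret;H:true;; -> {'T': 'WPA', 'S': 'ssid', ...}, honouring \\-escapes."""
    fields, buf, i = {}, "", len("WIFI:")
    while i < len(payload):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):   # escaped ; : , or backslash inside a value
            buf, i = buf + payload[i + 1], i + 2
            continue
        if ch == ";":
            if ":" in buf:
                key, value = buf.split(":", 1)
                fields[key.upper()] = value
            buf = ""
        else:
            buf += ch
        i += 1
    return fields


def _on_brand(host: str) -> bool:
    return host in EXPECTED_DOMAINS or any(host.endswith("." + d) for d in EXPECTED_DOMAINS)


def classify(payload: str) -> Verdict:
    p = payload.strip()
    low = p.lower()
    if low.startswith("wifi:"):                                  # coffee-shop / airport join codes
        f = _parse_wifi(p)
        v = Verdict("join-wifi", f.get("S", "?"))
        if f.get("T", "").lower() in ("", "nopass"):
            v.warnings.append("open network: traffic can be read or altered in transit")
        if f.get("H", "").lower() == "true":
            v.warnings.append("hidden SSID: cannot be checked against the venue's visible network")
        return v
    if low.startswith(("tel:", "sms:", "smsto:", "mmsto:")):     # call / text prompts
        scheme, rest = p.split(":", 1)
        number = _digits(rest.split("?", 1)[0].split(":", 1)[0])
        v = Verdict("call" if scheme.lower() == "tel" else "sms", number)
        if number.startswith(PREMIUM_PREFIXES):
            v.warnings.append("premium-rate or service-charge number")
        if ":" in rest or "body=" in low:
            v.warnings.append("message text is pre-filled by the code, not by you")
        return v
    if low.startswith(("http://", "https://")):                  # payment portals, adverts, share links
        u = urlsplit(p)
        host = (u.hostname or "").lower()
        v = Verdict("open-url", host)
        if u.scheme == "http":
            v.warnings.append("plain HTTP: no certificate to tell you who you are talking to")
        if host in ("twitter.com", "x.com") and u.path.startswith("/intent/"):
            q = parse_qs(u.query)
            text = " ".join(q.get("text", []))
            links = q.get("url", []) + [t for t in text.split() if t.lower().startswith("http")]
            hosts = sorted({(urlsplit(link).hostname or "").lower() for link in links})
            v.action = "post-on-your-behalf"
            v.warnings.append(f"would publish {hosts or ['(no link)']} to your own followers")
            v.warnings.extend(f"shared link host {h!r} is off-brand" for h in hosts if not _on_brand(h))
        elif not _on_brand(host):
            v.warnings.append(f"host {host!r} does not match the branding you were shown")
        return v
    return Verdict("unknown", p[:40], ["unrecognised payload type"])
```

Phone scanners already show a preview of the decoded text; `classify(preview_text)` turns that preview into the question that matters (join, call, text, open, or post as you) and surfaces the mismatch a user in a hurry would miss. Adjust `EXPECTED_DOMAINS` to the organisation actually named on the advert, and the prefix list to the country in question.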
