Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: Consider supply chain in your incident response plan
You may feel you’re ready to face an in-house cyber incident. But are you ready to respond in the event that part of your supply chain is affected? Here are some tips to consider when reflecting on your incident response planning:
- catalog partners and suppliers and conduct a supply chain vulnerability audit
- establish secure communications protocols and incident notification processes
- establish clear rollback procedures for software upgrades and installations
- implement security tools and strategic network configurations to limit exposure
- limit access and data exchange to the minimum necessary for business purposes
- limit and audit access controls using a zero-trust model
- vet and regularly audit suppliers
- document and test your incident response plan
3CX voice/video conferencing software victimized by supply chain attack
In an April 1 blog post, Nick Galea, CEO of 3CX, confirmed a software supply chain attack on the company’s 3CXDesktopApp software. The multi-platform software serves as a virtual PBX for voice and video conferencing. It is used by about 600,000 customers with an estimated 12 million daily users around the world, including dozens of high-profile organizations in sectors such as automotive manufacturing, food & beverage, and hospitality.
3CX has posted a security alert page detailing the compromised versions of the software and recommended workarounds. Various 18.12.x versions in Update 7, for both Windows and Mac, may be affected. 3CX, with assistance from Mandiant, is working to validate its software and is building a new, clean version of the application from the ground up for re-distribution.
Users of 3CX products are strongly encouraged to follow the 3CX blog for the latest updates and instructions on mitigating the potential impact of the infected software versions.
Unconfirmed reports have linked the attack to the North Korean threat actor group known as Lazarus. According to analysis by SentinelOne, the elaborate and sophisticated attack has been a long time in the making: “Our investigation into the threat actor behind this supply chain is ongoing. The threat actor has registered a sprawling set of infrastructure starting as early as February 2022,” though the first indication of an attempt to exploit the compromised software came on March 8, 2023.
U.S. consumer lender TMX Finance discloses breach affecting nearly 5M people
TMX Finance and its subsidiaries TitleMax, TitleBucks, and InstaLoan have disclosed a data breach that exposed the personal data of 4,822,580 customers in the United States.
In a breach disclosure letter dated March 30, TMX announced: “On February 13, 2023, we detected suspicious activity on our systems and promptly took steps to investigate the incident… Based on the investigation to date, the earliest known breach of TMX’s systems started in early December 2022. On March 1, 2023, the investigation confirmed that information may have been acquired between February 3, 2023 – February 14, 2023.”
Extensive personal data was disclosed in the breach, including:
- name,
- date of birth,
- passport number,
- driver’s license number,
- federal/state identification card number,
- tax identification number,
- social security number and/or financial account information,
- phone number,
- mailing address, and
- email address.
According to the breach disclosure letter, TMX believes the security incident has now been contained, but it is continuing to monitor its systems for suspicious activity and will “continue to evaluate ways to further enhance the security of [their] systems.” The letter indicated that TMX has “implemented additional security features, such as additional endpoint protection and monitoring, as well as resetting all employee passwords”.
Founded in 1998, TMX Finance Corporate Services, Inc. is a subsidiary of TMX Finance, LLC, a consumer lending company based in Savannah, Georgia. The company has no affiliation to the TMX Group, a Canadian financial services company and stock exchange operator.
Patch alert: WordPress Websites using Elementor Pro
Elementor has released a patch for a high-severity vulnerability that could expose WordPress websites that use Elementor Pro in combination with the WooCommerce e-commerce plug-in. The vulnerability only affects Elementor Pro (i.e., the paid version of the plug-in) – the free version offered on the WordPress website is not known to be at risk.
Security researchers at NinTechNet have provided a detailed analysis of how the vulnerability can be exploited. Successful exploitation of the bug could allow an authenticated threat actor to completely take over an Elementor Pro WordPress site with WooCommerce enabled.
Researchers at Patchstack have documented exploit attempts in the wild and have provided indicators of attack (IOAs) and indicators of compromise (IOCs) in their analysis.
Administrators of WordPress websites running Elementor Pro version 3.11.6 or older are urged to patch as soon as possible, and to monitor the Elementor website for any additional patches to the software, as exploitation of the vulnerability may widen.
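A quick way to triage a fleet of WordPress sites against the 3.11.6 threshold above is to read the `Version:` line from each site's Elementor Pro plugin header and compare the version numerically rather than as a string (a string compare wrongly treats 3.9.2 as newer than 3.11.6). This is an added example, not code from Elementor, Patchstack or ISA Cybersecurity; the sample headers are constructed, and the plugin file path mentioned in the comments is an assumption.

```python
import re

# Highest Elementor Pro release the advisory reports as affected; anything
# at or below this should be patched.
MAX_AFFECTED = (3, 11, 6)

# Constructed sample plugin headers in the standard WordPress header format
# (the "Version:" line from the plugin's main PHP file; for Elementor Pro
# that file is assumed to be elementor-pro/elementor-pro.php).
SAMPLE_HEADERS = {
    "site-a": "/*\nPlugin Name: Elementor Pro\nVersion: 3.9.2\n*/",
    "site-b": "/*\nPlugin Name: Elementor Pro\nVersion: 3.11.6\n*/",
    "site-c": "/*\nPlugin Name: Elementor Pro\nVersion: 3.11.10\n*/",
}


def parse_version(header: str) -> tuple:
    """Extract the Version: line and return it as a tuple of ints.

    Tuples of ints compare component by component, which avoids the
    string-ordering trap: "3.9.2" < "3.11.6" is False lexically because
    "9" sorts after "1", yet 3.9.2 is the older (affected) release.
    """
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", header, re.M)
    if not m:
        raise ValueError("no Version: line found in plugin header")
    # Keep only the numeric dot-separated prefix (drops suffixes like -beta1).
    numeric = re.match(r"[0-9]+(?:\.[0-9]+)*", m.group(1)).group(0)
    return tuple(int(part) for part in numeric.split("."))


def is_affected(version: tuple) -> bool:
    """True when the installed version is 3.11.6 or older."""
    # Pad both sides with zeros so (3, 11) is treated as 3.11.0.
    width = max(len(version), len(MAX_AFFECTED))
    installed = version + (0,) * (width - len(version))
    ceiling = MAX_AFFECTED + (0,) * (width - len(MAX_AFFECTED))
    return installed <= ceiling


def audit(headers: dict) -> dict:
    """Map each site name to whether its Elementor Pro still needs the patch."""
    return {site: is_affected(parse_version(h)) for site, h in headers.items()}


if __name__ == "__main__":
    for site, needs_patch in audit(SAMPLE_HEADERS).items():
        print(f"{site}: {'PATCH NOW' if needs_patch else 'ok'}")
```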