Supply chain attacks have become increasingly common in recent years, with cybercriminals exploiting the weakest link in the chain to gain access to valuable information or inflict damage. The most recent case is 3CX, a VoIP communications company that was compromised to distribute trojanized versions of its Windows desktop application in a large-scale supply chain attack. The attack exploited a 10-year-old Windows vulnerability, which is still being exploited by threat actors, and even worse, the fix from Microsoft is still “opt-in” and removed after upgrading to Windows 11.
The Dangers of Supply Chain Attacks
Supply chain attacks have become a growing concern for businesses and individuals alike. These attacks target the vulnerabilities of the supply chain, which is made up of a complex web of interconnected suppliers, vendors, and contractors that are critical to the operations of a company. Cybercriminals can gain access to a company’s sensitive data or systems by compromising the security of one of the many links in the supply chain. For example, they may target a third-party vendor that has access to a company’s network, such as a cloud service provider or a software developer. A recent exemple is the cyber attack targeting the Danish Railway system.
The impact of a successful supply chain attack can be devastating, with potentially severe consequences for businesses and individuals. The attackers can steal sensitive data, disrupt critical operations, compromise financial systems, and damage the reputation of the company. In addition, businesses may face legal liabilities and regulatory fines for failing to protect their customers’ information. As supply chain attacks become increasingly sophisticated and widespread, it is important for businesses and individuals to understand the risks and take proactive steps to mitigate them.
The Case of 3CX and a 10-Year-Old Windows Vulnerability
The recent 3CX supply chain attack is a prime example of the dangers of supply chain attacks and how they can exploit vulnerabilities in the weakest link in the supply chain. The attackers were able to compromise two DLLs used by the Windows desktop application, replacing them with malicious versions that download additional malware to computers. What is particularly concerning is that one of the malicious DLLs used in the attack was a legitimate DLL signed by Microsoft, named d3dcompiler_47.dll, and despite the DLL being modified, Windows still showed it as correctly signed by Microsoft.
The decade-old Windows vulnerability that was exploited in the 3CX supply chain attack is a serious issue, as it is still being exploited by numerous threat actors. The vulnerability, known as CVE-2013-3900, is a “WinVerifyTrust Signature Validation Vulnerability” that allows content to be added to an EXE’s authenticode signature section (WIN_CERTIFICATE structure) in a signed executable without invalidating the signature. Although Microsoft disclosed this vulnerability in 2013, it has remained an opt-in fix that can only be enabled by manually editing the Windows Registry.
Furthermore, the fix is removed after upgrading to Windows 11, making the device vulnerable again, and the vulnerability has been used in recent attacks such as the 3CX supply chain and a Zloader malware distribution campaign in January. The implications of a vulnerability that is still being exploited after ten years and the opt-in fix that offers little protection are significant and raise concerns about the need for more stringent security measures to protect against supply chain attacks.
The Importance of Risk Management when Vulnerability can’t be fixed
In situations where vulnerabilities cannot be fixed or mitigated, cyber risk management becomes a crucial aspect of protecting against supply chain attacks. Companies should focus on preventive measures that reduce the impact of a potential attack. One such measure is network segmentation, which divides a network into smaller subnetworks, making it more difficult for an attacker to move laterally across the network. By segmenting the network, companies can limit the damage caused by a supply chain attack and prevent an attacker from gaining access to sensitive information.
Another preventive measure is implementing access controls, which limit access to resources and data based on user roles and permissions. This ensures that only authorized personnel have access to sensitive data, reducing the risk of data theft and other malicious activities. Access controls can also prevent attackers from moving laterally across the network and limit the damage caused by a supply chain attack.
Finally, companies should prioritize employee education and awareness. Supply chain attacks often involve social engineering tactics that exploit human vulnerabilities, such as phishing emails and other forms of social engineering. By educating employees on the risks and warning signs of supply chain attacks, companies can reduce the likelihood of an attack being successful. Regular training and awareness programs can ensure that employees remain vigilant and aware of potential threats, reducing the likelihood of a successful supply chain attack.
The case of 3CX and a 10-year-old Windows vulnerability is a stark reminder of the dangerous reality of supply chain attacks and the critical importance of applying security updates and patches promptly. While the opt-in fix from Microsoft may offer some protection, it is clear that more needs to be done to address the root cause of the vulnerability and prevent its exploitation. Businesses and individuals must take cybersecurity seriously, implement best practices to mitigate risks, and stay up-to-date with the latest security updates and patches. Failure to do so can result in devastating consequences, both financially and reputationally.
When a vulnerability cannot be fixed or mitigated, companies should prioritize cyber risk management and preventive measures to reduce the impact of a potential attack. Network segmentation, access controls, and employee education are all important measures that can help prevent or limit the damage caused by a supply chain attack. By taking proactive steps to protect against these types of attacks, companies can ensure that they are prepared to defend against the ever-evolving threat landscape.