How can you tell who your business is doing business with?
A world-first exploit hit cyberspace recently: one supply chain attack leading to another supply chain attack (if that makes sense). This is the recent 3CX incident, in which 3CX DesktopApp 18.12.416 was found to be spreading malware, believed to have been orchestrated by a nation-state actor looking to cause severe damage. Threat experts at Mandiant claim it could be the first-ever instance of this occurring.
The software this employee installed was “X_TRADER” by Trading Technologies, a futures trading platform. A Trading Technologies representative released a media statement claiming that the app was “decommissioned in April 2020” and that “clients received multiple communications over the 18-month sunset period” advising them that it was no longer supported.
The key takeaways from this scenario are:
1. Users of company-owned devices were allowed to install any software they chose.
2. The breach wasn’t contained to a single computer or a small subset of users; it reached a large vendor doing business internationally.
You may think, “I don’t use 3CX, so how does this affect me?”
If you’re making money through B2B sales, then you’re familiar with dealing with suppliers. Those parties also have their own vendors, and the list goes on, so there are lessons to be learnt about supply-chain risk.
Also, if your systems aren’t correctly configured, employees could download pirated software and unsupported end-of-life applications and install them on a company computer, leaving a threat actor lurking behind a legitimate, digitally signed piece of software that bypasses several security solutions.
Mitigations against these attacks include reducing who has admin access, whitelisting and/or blacklisting the applications allowed on a device, and system-wide monitoring services that provide an overview of what’s happening in the environment.
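As an added example (not from the original article or from any vendor), the sketch below audits a software inventory against an allowlist, a blocked-version list and an end-of-life list, and flags unsupported software even when it is validly signed. The hosts, the `Install` record, the ExampleSoft and FreeTool entries and all dates other than the April 2020 sunset are constructed assumptions.

```python
from dataclasses import dataclass

# Policy is constructed for illustration. Only two entries come from the page:
# 3CX DesktopApp 18.12.416 (reported as spreading malware) and X_TRADER
# (vendor statement: decommissioned in April 2020).
ALLOWLIST = {("3cx", "3cx desktopapp"), ("examplesoft", "pdf viewer")}
BLOCKED_VERSIONS = {("3cx", "3cx desktopapp", "18.12.416")}
END_OF_LIFE = {("trading technologies", "x_trader"): (2020, 4)}  # (year, month)

@dataclass
class Install:
    host: str
    vendor: str
    product: str
    version: str
    signed: bool       # True if the installer carried a valid code signature
    installed: tuple   # (year, month) the software appeared on the host

def audit(inventory):
    """Return (host, product, reason) for each install that violates policy."""
    findings = []
    for item in inventory:
        key = (item.vendor.strip().lower(), item.product.strip().lower())
        if key + (item.version,) in BLOCKED_VERSIONS:
            reason = "blocked version"
        elif key in END_OF_LIFE:
            # Flag regardless of signature: signed does not mean supported.
            late = item.installed > END_OF_LIFE[key]
            reason = "end-of-life, installed after sunset" if late else "end-of-life"
        elif key not in ALLOWLIST:
            reason = "not on allowlist" + ("" if item.signed else ", unsigned")
        else:
            continue
        findings.append((item.host, item.product, reason))
    return findings

# Constructed inventory records (hypothetical hosts, versions and dates).
SAMPLE = [
    Install("ws-01", "3CX", "3CX DesktopApp", "18.12.416", True, (2023, 3)),
    Install("ws-02", "Trading Technologies", "X_TRADER", "0.0-sample", True, (2022, 1)),
    Install("ws-03", "ExampleSoft", "PDF Viewer", "1.0", True, (2023, 1)),
    Install("ws-04", "Unknown", "FreeTool", "2.1", False, (2023, 2)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

In practice the inventory would come from an endpoint management or monitoring tool, and enforcement would sit in the operating system's application control rather than in a report.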
How do we get started?
Ideally, you or your provider would follow a cybersecurity framework and work through it in order of priority, instead of slamming in every security product under the sun while simultaneously crossing your fingers and toes. Feel free to reach out for a no-obligation consult and discovery session if you are still stuck.