2023: In-depth examination of 3 attacks that shook the foundations of computer networks…

It is no secret that understanding one’s adversary is a key factor in an organization’s security. The year 2023 was marked by sophisticated network attacks that exposed security vulnerabilities in crucial applications. Among the most notable incidents were the attacks on 3CX, MOVEit, and ESXi, which undermined confidence in the security of interconnected networks. These attacks not only signify the advanced nature of current cyber threats but also underscore the crucial role of Network Detection and Response (NDR) in preempting and mitigating these dangers. Analyzed by the Purple Team in the CTSR (Cyber Threat Semester Report), let’s take a closer look at these incidents that shook the landscape of global cybersecurity.
Le Lab Gatewatcher

3CX: Compromised supply chain


The attack on the company 3CX highlighted the vulnerability of the supply chain. These attacks (T1195) have become a concerning topic and are among the most probable risks for 2024. The principle is simple: cybercriminals exploit vulnerabilities in the software supply chain of organizations to compromise their systems and access sensitive data. According to Gartner estimates, no less than 45% of organizations will fall victim to a software supply chain attack by 2025. Profitable: a single compromise can lead to hundreds or even thousands of victims. #snowballeffect!

  • Target: In our example, the 3CX attack targeted the 3CX VoIP server, a popular software solution used for business communication. Hackers infiltrated the 3CX supply chain by injecting malicious code into the X_Trader application, published by Trading Technologies.

  • Method: Malicious updates were downloaded by a 3CX employee; this cascading attack allowed the attackers to access the company’s network and execute unauthorized code on the server, compromising a significant portion of its clientele. The malicious updates contained payloads designed to establish backdoors, giving the attackers persistent access to the compromised systems. This access could be used for data exfiltration, eavesdropping on communications, or further malicious activity within the network.

  • Impact and implications: Businesses relying on the 3CX system for communication found their systems compromised, leading to potential data breaches and unauthorized access to sensitive communications. The stealthy nature of the attack, disguised as a legitimate update, posed significant challenges for detection. A range of businesses using the 3CX VoIP server software were impacted, including small and medium-sized enterprises and larger corporations across various sectors, particularly those heavily reliant on VoIP communications. Specific company names may not be publicly disclosed for privacy and security reasons. Estimated financial losses likely include the costs of incident response and system restoration, potential ransom payments, and indirect losses such as downtime and reputational damage.

The incident highlights the need for increased vigilance at all levels of the supply chain to prevent damaging chain reactions. This is at the heart of many upcoming regulations, primarily the infamous NIS 2.

MOVEit: Zero-Day vulnerability and persistent exploitation


This vulnerability, initially disclosed on May 31, was assessed with a CVSS score of 9.8, indicating extreme severity. Zero-days are special and precious gems, a true nightmare for software publishers, users, and developers: a zero-day flaw is a vulnerability unknown to the software publisher, so no update yet exists to fix the issue.

  • Target: Here, the secure transfer software MOVEit, designed by Progress Software, was the target of a series of large-scale attacks, highlighting a disturbing zero-day vulnerability.

  • Method: CVE-2023-34362, an SQL injection flaw in the MOVEit Transfer web application, was actively exploited by malicious actors, making this attack one of the most critical of the year. Attackers exploited this flaw to extract sensitive information from victims’ databases. Beyond data retrieval, they were able to execute malicious SQL queries, opening the door to manipulation or even deletion of crucial data. The MOVEit vulnerabilities exploited were primarily related to insufficient input validation, allowing attackers to execute remote code. This flaw permitted unauthorized access to files and data in transit.

  • Impact and implications: The most well-known name on the victim list is the British oil group Shell. Several American banks, insurance companies, and universities were also affected. Others were indirectly affected, as highlighted in our Cyber Threat Semester Report: Zellis, a payroll services provider for renowned entities such as British Airways, the BBC, Boots, and DHL, was particularly impacted*.

“MOVEit helps IT teams at almost every federal civilian agency and military branch to securely transfer mission-critical information and assure the performance of their networked infrastructure and applications”. Every military and civilian branch uses the software. This attack is even more concerning because the Cl0p group claims to have exploited the vulnerability since 2021, indicating advanced knowledge. This underscores the urgency of quickly detecting and resolving such vulnerabilities to prevent prolonged attacks. Affecting over 500 organizations, including giants, these attacks highlight the crucial challenges of protecting against sophisticated threats.

*CTSR January-July 2023, Gatewatcher
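As an added illustration (not MOVEit’s code and not the actual CVE-2023-34362 payload), the pattern behind an SQL injection flaw of this kind in a web application: a lookup that concatenates request input into the query, beside its parameterized form and an input-validation layer. The schema, rows and tautology input are constructed for the example.

```python
import re
import sqlite3

# Constructed sample table standing in for a file-transfer app's user store
# (example data only; not MOVEit's schema).
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT, api_token TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.test", "tok-alice"),
        ("bob", "bob@example.test", "tok-bob"),
    ])
    return db

def lookup_unsafe(db, name):
    # Vulnerable: request input is spliced into SQL grammar, so a quote in the
    # input changes the WHERE clause instead of being compared as a value.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_safe(db, name):
    # Hardened: placeholder binding; the driver passes the input as data only.
    query = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(query, (name,)).fetchall()

# Defence in depth: an allowlist for the field's legitimate shape (assumed policy).
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def lookup_validated(db, name):
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid user name")
    return lookup_safe(db, name)

def demo():
    """Run the same tautology input through both lookups and return the rows each yields."""
    db = build_db()
    tautology = "x' OR '1'='1"   # classic textbook input; rewrites the WHERE clause
    return {
        "unsafe": lookup_unsafe(db, tautology),   # every row comes back
        "safe": lookup_safe(db, tautology),       # no user has that literal name
        "legit": lookup_safe(db, "alice"),
    }
```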

ESXi: Ransomware exploiting a 2021 vulnerability


On February 3, 2023, targeted attacks reactivated a vulnerability dating back to 2021 (CVE-2021-21974) against VMware ESXi hypervisors, orchestrating ransomware deployment.

  • Target: The ESXi attack was a ransomware attack targeting VMware ESXi hypervisors, which are used for virtualizing and managing multiple virtual machines (VMs) in enterprise environments.

  • Method: The attack was carried out by exploiting a heap-overflow vulnerability in the OpenSLP component of the hypervisors. The Service Location Protocol (SLP) is used for transmitting information about services and their locations. Once the flaw was exploited, the ransomware encrypted the VMs, rendering them inaccessible to users. The attack occurs when the hypervisor receives directory agent advertisements: a failure in null character detection allows the program’s execution flow to be diverted, thereby permitting the execution of arbitrary code. This vulnerability was exploited to deploy the ESXiArgs ransomware, characterized by the .args extension of encrypted files and specifically designed to target ESXi servers, using encryption algorithms that locked down virtual hard drives. The ransomware specifically targeted the hypervisor layer, a critical component in virtualized environments. By encrypting the VMs, the attackers could demand a ransom for the decryption keys.

  • Detection: Detection has been possible with the Sigflow rule (sid 2044114) since February 3. Procedures for recovering encrypted files were provided by CERT-FR, but the attack evolved with the emergence of a new strain of ransomware, ESXiArgs, rendering encrypted files unrecoverable. On February 10, a modification of the encryption method was observed, further complicating data restoration. These developments underscore the importance of promptly applying security patches, proactively detecting vulnerabilities, and having a deep understanding of the procedures needed to counter these sophisticated attacks.

  • Impact and implications: The attack had a global impact, affecting a wide range of organisations in various sectors (technology, healthcare, finance, education, and government) that relied on the compromised file transfer software. The potential for lateral movement within affected networks raised serious concerns about the depth and breadth of the security breach. VMware’s recognition that attackers are likely to exploit every available vulnerability emphasizes the urgency of strengthening hypervisor security against persistent and evolving threats. A European hospital network was significantly impacted by the ESXi attack, resulting in the encryption of patient records and critical operational systems. The hospital had to revert to manual systems, causing delays in patient care and other services.

NDR Solutions, cornerstone of your cybersecurity strategy


These attacks underscore the critical importance of cybersecurity in an ever-evolving digital landscape, echoing the predictions made for 2024. They reveal similar patterns that emphasize pivotal lessons in cybersecurity practices and strategic responses. Key areas for attention include the exploitation of vulnerabilities, the effectiveness of social engineering, the critical need for advanced network monitoring, and the imperative of a robust incident response strategy. It’s crucial to recognize that cybersecurity is not merely a technological challenge but a comprehensive organizational responsibility.

Reflecting on the NDR strategies for the 3CX, MOVEit, and ESXi attacks, a common theme emerges: advanced detection capabilities.

NDR systems utilise anomaly detection, analysing deviations from established network baselines. Traffic pattern analysis identifies unusual activities, and AI and machine learning enable NDR systems to adapt to new threats. The essence of effective NDR lies in its ability to perform real-time analysis and continuous monitoring. Companies must confront challenges such as protecting against supply chain attacks, zero-day vulnerabilities, and persistent exploitation of known flaws with determination. Collaboration between cybersecurity experts, software providers, and end-users remains crucial to strengthen network resilience and ensure a safer digital future.
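An added example, not Gatewatcher’s Sigflow rule or product code, sketching the baseline-deviation logic this paragraph describes and, at the same time, the ESXi detection bullet above: flows from a learning window form the baseline, then live flows are flagged when a source talks to a destination/service it never used before (with SLP on port 427 called out by name, since that is the protocol the OpenSLP flaw is reached through) or when a flow is far larger than the source’s usual volume, the signature of exfiltration in the 3CX and MOVEit cases. All flow records are constructed; the 10x threshold is an assumption.

```python
from collections import defaultdict
from statistics import mean

# Constructed flow records (src, dst, dst_port, bytes_from_src); not real telemetry.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 443, 12_000),
    ("10.0.1.10", "10.0.2.5", 443, 15_000),
    ("10.0.1.10", "10.0.2.5", 443, 11_000),
    ("10.0.1.10", "10.0.9.9", 53, 200),
    ("10.0.1.10", "10.0.9.9", 53, 180),
    ("10.0.5.20", "10.0.3.30", 902, 4_000),   # management traffic to the hypervisor
    ("10.0.5.20", "10.0.3.30", 902, 4_500),
]
LIVE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 443, 13_000),       # ordinary
    ("10.0.1.10", "203.0.113.7", 443, 900_000),   # new destination and huge upload
    ("198.51.100.4", "10.0.3.30", 427, 600),      # SLP request from an unknown peer
]

# SLP uses port 427 (known fact); a peer outside the baseline reaching it is notable.
WATCHED_PORTS = {427: "SLP (OpenSLP) reached by a peer not in baseline"}
VOLUME_FACTOR = 10  # assumption: 10x a source's mean flow size counts as anomalous

def learn_baseline(flows):
    """Return the set of known (src, dst, port) triples and mean bytes per source."""
    per_src = defaultdict(list)
    triples = set()
    for src, dst, port, nbytes in flows:
        triples.add((src, dst, port))
        per_src[src].append(nbytes)
    return triples, {src: mean(sizes) for src, sizes in per_src.items()}

def detect(baseline, flows):
    """Compare live flows with the baseline; return (reason, flow) alerts in order."""
    triples, src_mean = baseline
    alerts = []
    for flow in flows:
        src, dst, port, nbytes = flow
        if (src, dst, port) not in triples:
            reason = WATCHED_PORTS.get(port, "new destination/service for this source")
            alerts.append((reason, flow))
        if src in src_mean and nbytes > VOLUME_FACTOR * src_mean[src]:
            alerts.append(("flow size far above source baseline (possible exfiltration)", flow))
    return alerts

def run():
    return detect(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS)
```

A real NDR replaces these constructed flows with continuous traffic capture and refreshes the baseline as the network changes; the decision logic is the same.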