Big Headline Breaches and How They May Affect You
24 April 2023
This has been quite a week of disclosures. The American Bar Association (ABA) disclosed that over 1 million credentials have been taken: “On March 23 2023, the investigation identified that an unauthorized third party acquired usernames and hashed and salted passwords that you may have used to access online accounts on the old ABA website prior to 2018 or the ABA Career Center since 2018.” It’s a little nerve-wracking because the first look didn’t find the original breach. They noted that they first discovered the unusual activity at least 11 days after the attackers infiltrated the network. That is still much faster than the published statistics (over 280 days according to reports such as Ponemon’s 2022 Breach Report). You can read more about it here: https://www.infosecurity-magazine.com/news/american-bar-association-breach-1/
In other news, 3CX and Mandiant disclosed that, after further investigation, the supply chain attack was not only real (3CX first reported an attack, then called it a false positive, and finally determined with Mandiant’s help that it was a very sophisticated attack via the supply chain) but also didn’t target just 3CX. There’s a good write-up with more details here: https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/
What does this mean to you? Well, the ABA breach exposed a lot of very old passwords and hashes. If you decided that you don’t need to rotate your passwords on a regular basis and don’t have strong MFA in place on the sites where you use that password, you may find that you wish you did. Good password hygiene is important, and a) not using the same password for multiple accounts, b) regularly changing passwords and c) using strong MFA, especially for your high-value accounts (e.g. banking), are all well-known best practices. It’s the older accounts for which people are still using the same passwords that can bite you. Change your passwords, limit their reuse across accounts and, if you are not already, start using MFA such as FIDO2.
I’m sure my fellow third-party risk and technical family will be interested in finding solutions to the sophisticated 3CX attack. That’s a much harder item to address, since it has such deep implications for the way software is written these days. The challenge is to know the source of your software, verify that it’s legitimate, and effectively scan it for malware before including it in your own code. Easier said than done. The attackers didn’t target 3CX alone, but the 3CX incident sounded the alarm and brought the problem to the forefront.
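As an added example (not from the post, 3CX or Mandiant), this Python script shows the “verify that it’s legitimate” step in practice: downloaded vendor artifacts are checked against a manifest of known-good SHA-256 digests, and the check fails closed on anything tampered, missing or unlisted. File names, contents and manifest digests are constructed for the demo, not real vendor hashes.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large installers never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_artifacts(directory, manifest):
    """Check every file in `directory` against `manifest` ({name: sha256 hex}).
    Returns {name: "ok" | "tampered" | "missing" | "unlisted"}; anything other
    than "ok" should block installation (fail closed)."""
    results = {}
    present = set(os.listdir(directory))
    for name, expected in manifest.items():
        if name not in present:
            results[name] = "missing"
            continue
        actual = sha256_file(os.path.join(directory, name))
        # Constant-time comparison; both sides are fixed-length hex digests.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "tampered"
    for name in present - set(manifest):
        results[name] = "unlisted"  # a file the vendor never published: refuse it
    return results

def demo():
    """Constructed download directory: one clean file, one altered, one extra,
    plus a manifest entry for a file that never arrived."""
    tmp = tempfile.mkdtemp()
    clean = b"legitimate installer bytes"
    samples = {
        "app-setup.msi": clean,
        "app-lib.dll": b"trojanised library bytes",   # differs from manifest
        "extra.dll": b"unexpected extra file",        # not in manifest at all
    }
    for name, data in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(data)
    manifest = {  # constructed "known-good" digests, not real vendor hashes
        "app-setup.msi": hashlib.sha256(clean).hexdigest(),
        "app-lib.dll": hashlib.sha256(b"original library bytes").hexdigest(),
        "app-config.json": hashlib.sha256(b"config").hexdigest(),
    }
    return verify_artifacts(tmp, manifest)
```

Calling `demo()` returns the per-file status map; in a real pipeline the manifest would come from a signed vendor release note or an internal build record, and any status other than "ok" should stop the install.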
There will likely be additional disclosures from other places as code bases get scanned and more organizations identify how far the malware got. Stay vigilant and be ready to patch early and often.