FortiGuard Labs is aware that a digitally signed 3CX desktop app was reportedly used in a supply chain attack against 3CX Voice over Internet Protocol (VoIP) customers. A previously unknown infostealer was deployed to the victims at the end of the infection chain. At this time, Windows and MacOS versions were reportedly trojanized.The 3CX desktop app is a popular software phone client that enables users to make calls, have live chats, hold video conference calls, and is available for Windows, MacOS, Linux, Android and iOS. 3CX claims to more than 600,000 companies use their service and have more than 12 million userbase.Why is this Significant?This is significant because 3CX, a very popular software phone client that the company claims to serve more than 600,000 companies, was reportedly trojanized to deliver an unknown infostealer to victims through a supply chain attack.How Widespread is the Attack?Currently there is no indication available as to how widespread the attack is. FortiGuard Labs is closely monitoring the situation and will update this Threat Signal when new information becomes available.Who is Behind this Attack?Unconfirmed reports suggest LAZARUS group may be the perpetrator of this attack.Who is LAZARUS?LAZARUS, also known as APT38/HIDDEN COBRA has been linked to multiple high-profile, financially-motivated attacks in various parts of the world – some of which have caused massive infrastructure disruptions. Notable attacks include the 2014 attack on a major entertainment company and a 2016 Bangladeshi financial institution heist that almost netted nearly $1 Billion (USD) for the attackers. Had it not been for a misspelling in an instruction that caused a bank to flag and block thirty transactions, LAZARUS would have pulled off a heist unlike any other. Although LAZARUS failed in their attempt, they were still able to net around 81 million dollars in total.What Malware is Delivered to the Victims of this Supply Chain Attack?A previously unknown infostealer that collects system information and steals information from popular Web browsers was reportedly deployed to the victims.Has the Vendor Released an Advisory?3CX released an advisory on March 30th, 2023. See the Appendix for a link to “3CX DesktopApp Security Alert”.What is the Status of Protection?FortiGuard Labs currently has the following AV signatures in place for some of the known and available files involved in this attack:W64/Agent.CFM!trOSX/Agent.CN!trCurrently available network IOCs are blocked by Webfiltering.FortiGuard Labs is investigating for additional coverage. This Threat Signal will be updated when new protection information becomes available. Latest detials of all protections can be found in the FortiGuard 3CX Supply Chain Attack Outbreak Alert.
MindsDB is an open source machine learning platform. An unsafe extraction is being performed using `shutil.unpack_archive()` from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a **TarSlip** or a **ZipSlip variant**. Unpacking files using the high-level function `shutil.unpack_archive()` from a potentially malicious tarball without validating that the destination file path remained within the intended destination directory may cause files to be overwritten outside the destination directory. An attacker could craft a malicious tarball with a filename path, such as `../../../../../../../../etc/passwd`, and then serve the archive remotely using a personal bucket `s3`, thus, retrieve the tarball through **mindsdb** and overwrite the system files of the hosting server. This issue has been addressed in version 22.11.4.3. Users are advised to upgrade. Users unable to upgrade should avoid ingesting archives from untrusted sources.
PDFZorro PDFZorro Online r20220428 using TCPDF 6.2.5, despite having workflows claiming to correctly remove redacted information from a supplied PDF file, does not properly sanitize this information in all cases, causing redacted information, including images and text embedded in the PDF file, to be leaked unintentionally. In cases where PDF text objects are present it is possible to copy-paste redacted information into the system clipboard. Once a document is “locked” and marked for redaction once, all redactions performed after this feature is triggered are vulnerable.
Avanquest Software RAD PDF (PDFEscape Online) 3.19.2.2 is vulnerable to Information Leak / Disclosure. The PDFEscape Online tool provides users with a “white out” functionality for redacting images, text, and other graphics from a PDF document. However, this mechanism does not remove underlying text or PDF object specification information from the PDF. As a result, for example, redacted text may be copy-pasted by a PDF reader.
2023-02-16, Version 16.19.1 ‘Gallium’ (LTS), @richardlau
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High) CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library (Medium) CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)
