3CX Supply Chain Attack: what happened?

Popular software-based PBX phone system 3CX was recently targeted by a cybercriminal group, and infected with malware to steal information from users’ devices.

3CX is used by over 600,000 companies worldwide, and the supply chain attack has caused a significant stir, and drawn comparisons to other large breaches like the Kaseya and SolarWinds attacks.

The incident

In late March, a digitally authenticated and compromised edition of the 3CX Voice Over Internet Protocol (VOIP) Desktop software was used to target the firm's clientele. The supply chain compromise allowed malicious actors to conduct multi-stage attacks against the software, potentially enabling activity such as malware installation against affected users.

Security researcher Sophos released an alert stating that the attackers were targeting both Windows and macOS users of the 3CX app. Andriod and iOS versions of the software are not reported to be affected.

“The most common post-exploitation activity observed to date is the spawning of an interactive command shell,” Sophos said in an advisory issued via its Managed Detection and Response service.

While the Australian Cyber Security Centre (ACSC) has released alerts warning of an active state-sponsored intrusion campaign targeting 3CXDesktopApp users, it has not received any reports of Australian organisations being targeted in the campaign.

Affected software

3CX advised Windows Update 7 version numbers:

• 12.407
• 12.416

And Electron Mac App version numbers:

• 11.1213
• 12.402
• 12.407
• 12.416

Were all affected by the attack.

Sophos stated the most common post-exploitation event observed following the initial attack is the presence of an infostealer targeting the browsers on a compromised system.

Threat identification

Sophos MDR identified malicious activity directed at its customers that was stemming from 3CXDesktopApp, and observed the campaign leveraging a public file storage to host encoded malware. After news of the compromise began to spread, the repository was taken down.

The attack revolved around a DLL sideloading scenario with a number of components involved. This ensured customers were able to use the 3CX desktop app without noticing anything unusual. Sophos identified three components:

• exe, the clean loader
• dll, a DLL with an appended encrypted payload
• dll, a Trojanized loader

The cybercriminal group was revealed to be North Korean threat actors tracked as Lazarus Group. They replaced two DLLs used by the Windows desktop app with malicious versions that would download malware to devices.

3CX response

3CX notified partners and customers of the attack on March 30, and has provided them with updates as investigations into the incident continued. The company also released a public security incident report on April 1. 3CX urged users to avoid using the Electron App unless absolutely necessary, while another Electron App was rebuilt from the ground up with a new signed certificate to replace the affected version.

Following the announcement, 3CX extended all paid subscriptions expiry by three months, and offered free commercial one-year 4SC PRO subscriptions to their partners.

3CX appointed US cybersecurity firm Mandiant to fully investigate the incident, and are releasing regular updates via their blog.

Risk mitigation

3CX advises that its users:

• Uninstall the 3CX Electron Desktop App from all Windows and Mac devices.
• Continue AV scans and EDR solutions in your organisation’s networks for any potential malware.
• Switch to using the PWA Web Client App instead of the Desktop App.

Sophos MDR blocked the malicious domains for its clients, and published detections:

Static detections:

• Troj/Loader-AF (Trojanized ffmpeg.dll)
• Troj/Mdrop-JTQ (installers)
• Troj/Steal-DLG
• OSX/Mdrop-JTR (installers)
• OSX/Loader-AG (Trojanized libffmpeg.dylib)

Reputation detection:

• Mal/Generic-R / Mal/Generic-S (d3dcompiler with appended shellcode)

Memory detection:

• Mem/Loader-AH

Defend your systems and networks before it’s too late

As an advanced cyber security threat detection and response service, Sophos constantly monitors network devices for malicious activity and reports any unusual or suspicious activity to your organisation. Proactive threat hunting, detection, and elimination are provided by an expert security team who – as seen in the 3CX cyber-attack – are quick to discover and respond to even the most advanced threats.

Essential Tech is a leading Sophos MDR provider, and can advise you further about arming your organisation with this advanced security solution. Talk to them today and ensure you won’t get caught out in the event of an unexpected incident.