3CX Supply Chain Attack

October 4, 2023

The 3CX supply chain attack originated from a breach at another software company. 3CX is a popular VoIP software provider with over 600,000 customers and 12 million users worldwide. 3CX recently disclosed that its desktop application installers for Windows and macOS were trojanized.

This attack is an example of a supply chain attack. All customers of 3CX should re-assess the risks of this vendor going forward.

Security researchers have uncovered a new stage in the 3CX attack chain.

As more details emerge on the 3CX supply chain attack, experts say it’s a clear illustration of how attackers are increasingly targeting the software supply chains of large-scale applications that enterprises are reliant on. In this case, a trojanized version of the 3CX desktop app was used as the entry point for a larger attack against the VoIP vendor’s customers.

Until recently, the Windows and Mac versions of 3CX were distributed directly from the company’s website. However, the attackers took advantage of a vulnerability in one of the libraries used to compile the installers and turned them into tools that can sideload additional malware onto a target system. Security vendors such as SentinelOne, CrowdStrike and Sophos are all reporting that the 3CX desktop apps were tainted in this manner.

In a blog post, 3CX says it has contacted its affected customers and recommended that they uninstall the desktop application from their computers. The company also notes that it is working on an update for the product that will make it less susceptible to these types of attacks.

3CX reports on its website that it has more than 600,000 customers, including American Express, McDonald’s, the NHS and Coca-Cola. It also states that it has more than 242,000 publicly exposed phone management systems. Hammond cited the Shodan server search engine in his analysis, noting that many of these appear to be 3CX-based.

The attack on 3CX is thought to have originated from the Lazarus Group, which has been linked to the Stuxnet worm that targeted the US’s nuclear power plants in 2021. The attackers are believed to be looking for ways to disrupt industrial controls such as those used in power, oil and gas infrastructure.

In a blog post last week, Symantec noted that the same Trojan used against 3CX was subsequently used to infect two energy firms and another pair of financial trading organizations. Mandiant, meanwhile, has reported that the same hacking group is behind attacks on the futures trading software developed by Trading Technologies. In its post, Symantec said the X_Trader hack appears to be financially motivated.

The attack began with a Trojanized version of the 3CX desktop app.

As part of a supply chain attack, cyber threat actors compromise one organization and then move up the supply chain, infiltrating other organizations with malware. In this case, the attackers compromised a developer of VoIP software and then delivered an implant to its customers through their installers. The attack is being described as a “watershed incident” because of the scale and breadth of the affected users.

According to 3CX’s own security statement, the attack began with the insertion of malicious code into one of the bundled libraries that are included with the Windows and Mac versions of their Electron desktop applications. These bundled libraries are automatically deployed to users when the apps are updated.

The malware in this case was discovered by security researchers from CrowdStrike, Sophos, and SentinelOne. They noticed that a trojanized version of the 3CX client was spreading to new machines and performing reconnaissance activities. The trojanized 3CX application was then attempting to download a second stage of malware.

Once the second stage of malware is downloaded, it contacts command-and-control (C&C) infrastructure to fetch a payload that is then executed on the machine. While the exact nature of this second stage is unknown, the Lazarus Group is known for targeting financial services, blockchain companies, and government defense entities.

Upon being detected, the trojanized 3CX client was stopped and quarantined by 3CX’s XDR platform. XDR gathers and analyzes threat intel from multiple sources, including detection content such as YARA rules. It is also able to synchronize with other security products to provide correlated and actionable alerts.

The attack was detected thanks to a combination of automated and human detection methodologies. The automated methods leveraged a variety of telemetry signals, including process creation telemetry and suspicious-behavior alerts from EDR solutions. Human detection relied on the ability to identify patterns in logs and search for anomalies in real time.
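As an added example that is not part of the original post, the correlation rule below runs over constructed EDR-style telemetry and flags the pattern described above: a trusted desktop application process that, shortly after starting, connects to a host outside the vendor's expected set. The application image name, host names, paths and events are placeholders, not indicators from the incident.

```python
"""Correlate process-creation and network telemetry (constructed sample data)."""
from datetime import datetime, timedelta

# Constructed allowlist: hosts the desktop app is expected to talk to.
VENDOR_ALLOWLIST = {"update.vendor.example", "sip.vendor.example"}
WINDOW = timedelta(seconds=120)  # how soon after start a connection is "suspicious"


def correlate(events, app_image="desktopapp-placeholder.exe",
              allowlist=VENDOR_ALLOWLIST, window=WINDOW):
    """Return (pid, dest_host) for every connection made by the monitored
    application to a non-allowlisted host within `window` of process start."""
    starts = {}   # pid -> start time of a monitored-app process
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process_create" and ev["image"].lower().endswith(app_image):
            starts[ev["pid"]] = t
        elif ev["type"] == "net_connect" and ev["pid"] in starts:
            host = ev["dest_host"].lower()
            if host not in allowlist and t - starts[ev["pid"]] <= window:
                alerts.append((ev["pid"], host))
    return alerts


# Constructed sample telemetry, not data from the real incident.
SAMPLE_EVENTS = [
    {"ts": "2023-03-29T10:00:00", "type": "process_create", "pid": 4412,
     "image": r"C:\Program Files\VendorApp\DesktopApp-Placeholder.exe"},
    {"ts": "2023-03-29T10:00:05", "type": "net_connect", "pid": 4412,
     "dest_host": "update.vendor.example"},             # expected vendor traffic
    {"ts": "2023-03-29T10:00:41", "type": "net_connect", "pid": 4412,
     "dest_host": "cdn.attacker-placeholder.example"},  # unexpected second-stage fetch
    {"ts": "2023-03-29T10:01:00", "type": "process_create", "pid": 5100,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2023-03-29T10:01:02", "type": "net_connect", "pid": 5100,
     "dest_host": "cdn.attacker-placeholder.example"},  # not the monitored app: ignored
]

if __name__ == "__main__":
    for pid, host in correlate(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} unexpected outbound connection to {host}")
```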

3CX has recommended that all customers immediately uninstall the 3CX Desktop App and begin using the 3CX Progressive Web App instead. The company also promised a new version of the app that will contain protections against this attack, although it has not yet revealed how attackers gained access to the company’s software supply chain.

The malware is an information stealer.

A supply chain attack is a cyber-attack that starts at a vendor and works its way down the chain to the end user. Typically, the attacker will physically tamper with a piece of electronic hardware (computers, ATMs, power systems, factory data networks) to install undetectable malware for the purpose of causing harm to the end user.

More recently, attackers have targeted software companies and attempted to compromise the update mechanism of a third-party product in order to distribute malicious code at the point of use. This is a growing trend, as evidenced by a spate of recent attacks targeting VoIP and other software products.

The attackers in the 3CX case are using a Trojanized version of the desktop application to spread an information stealer. The malware gathers browsing history and other data and communicates with a number of command-and-control servers. It also includes features that allow it to collect login credentials for a wide variety of applications, including cryptocurrency wallets and exchanges, VPN clients and email and messaging apps.

According to Cisco Talos researchers, the stolen information is sent to the attackers via Telegram. The attackers may then use it to steal funds from the victim’s cryptocurrency wallet or exchange account. The information stealer is available for purchase on Dark Web forums and is relatively inexpensive in comparison to other similar malware.

It’s not clear how the attackers got their hands on a trojanized version of the 3CX software, or how they were able to use it to distribute additional malware to the company’s customers. In any event, the incident highlights how important it is for organizations to take steps to ensure that their third-party suppliers have strong cybersecurity measures in place.

3CX customers should consider re-assessing the risks of using this product going forward, a security expert from Sophos told CRN. “They should engage in a risk assessment of this particular vendor based on what’s happened,” Christopher Budd said. “And, if the outcome of that risk assessment is positive, they should work with that vendor to have an incident response plan in place so that they’re prepared.” This type of risk assessment should include questionnaires and a thorough review of broader industry data to determine the risk level of a commercial partnership.

The attack is believed to have originated from a breach at another software company.

Taking advantage of a vulnerability in an organization’s supply chain to gain access to its systems and steal information is a common strategy for cyber criminals. A well-known example is the Target data breach of 2013 when hackers infiltrated one of the company’s supplier networks to gain entry into the Target network.

Moreover, cyber criminals are increasingly resorting to supply chain attacks to exploit organizations in sectors other than the IT industry. For instance, the infamous Stuxnet worm was designed to attack industrial control systems used in critical infrastructure such as oil refineries and nuclear power plants.

In a supply chain attack, a threat actor takes advantage of the fact that most companies work with multiple suppliers. This means that if an attacker can infiltrate one of these third-party vendors, they can then use the vendor’s software update mechanism to distribute malicious software to the organization’s customers.

The attack on 3CX is an important reminder that every organization should take a proactive approach to secure their software supply chains. By securing their supply chain, organizations can protect themselves from malware threats that could lead to data breaches or system downtime.

Security experts have determined that the attack on the 3CX VoIP software came from a compromise at a different company, likely in the financial sector. It is believed that the attackers were able to obtain a key for the 3CX software from a third-party vendor that was involved in another financial data breach.

As a result, the attackers were able to create and distribute the Trojanized version of the 3CX software. The attackers also created a second-stage backdoor that was incorporated into the 3CX software. The second-stage backdoor was made to run on Windows and macOS systems and can download arbitrary payloads from a remote server.

In addition to the second-stage backdoor, the researchers found that the 3CX software contained a cryptographic vulnerability that was being used by the attackers to hide their communications. The researchers have reported the details of the cryptographic flaw to 3CX. The company has promised to release a new version of its software with the flaw patched.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real-world business and data problems by bringing in leading-edge solutions that are cost-effective and improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
