Problem Statement:
A supply chain attack on enterprise phone company #3CX (a VoIP/PBX software vendor with more than 600,000 customers and 12 million daily users) may have compromised thousands of business networks. Companies and end users are reporting that trojanized builds of the widely used 3CXDesktopApp are being delivered through the vendor's own update channel as part of a supply chain campaign. 3CX is a software phone system: it carries PHONE CALLS (and video conferencing) over the internet rather than over copper lines. This is the most widespread #supplychainrisk event we have seen since SolarWinds (~18K customers received the trojanized update) in 2020 and Kaseya (~1.5K downstream businesses) in 2021.
Problem Analysis:
- The attackers gained the ability to embed malware in 3CX app builds that were digitally signed with the company's official signing key. Because the desktop app updates itself automatically by default, and the signature verified as genuine, the trojanized build was pulled down without any user action and information-stealing #malware ended up on the victim's host (end-user device, server or cloud-hosted instance).
- It is very prevalent: potentially ~600,000 customer organizations. 12 MILLION users go through this communication system (3CX) every single day. You may be placing and receiving phone calls through it without realizing it.
- Affects Windows AND macOS.
- Shows what a threat actor can do with access to a vendor's source and build environment: the malicious code is compiled, signed and shipped as a legitimate release.
- Additional malicious activity may have followed on endpoints the threat actor judged to be of sufficient interest.
Why is this SO Critical:
This demonstrates two trends: supply chain attacks that ride on legitimate services, and a lack of integration between security controls and the supporting services they are supposed to watch. Here the 3CX application update files themselves were compromised. The malware was then found reading from a GitHub repository holding seemingly legitimate icon files that actually carried encrypted data; the icons parse as icons, so a content filter that only checks file type sees nothing wrong. GitHub itself was not compromised, but when a trusted service is abused as a staging point, every control that allowlists that service by name is bypassed along with it. Most organizations treat alerts on traffic to such services as false positives and automatically allow the network or service access without checking which process made the request or what it fetched. Those alerts are ignored until something major happens (ransomware, DDoS or another attack).
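The icon-file trick described above, as an added example (not code from 3CX or from any incident write-up): a small Python checker that parses an ICO file's directory and reports any bytes sitting after the last image the directory declares. A legitimate icon ends where its directory says it ends; an icon used as a carrier for encrypted data has an overlay. The sample icon and the appended blob are constructed here for illustration and do not reproduce the campaign's actual files or encoding.

```python
"""Flag ICO files that carry data beyond the images their directory declares.

Added example. The sample icon and the appended blob are constructed here;
neither is an artifact from the 3CX campaign.
"""
import base64
import os
import struct

ICONDIR_FMT = "<HHH"            # reserved (0), type (1 = icon), image count
ICONDIRENTRY_FMT = "<BBBBHHII"  # width, height, colours, reserved, planes, bpp, size, offset
ICONDIR_SIZE = struct.calcsize(ICONDIR_FMT)
ENTRY_SIZE = struct.calcsize(ICONDIRENTRY_FMT)


def parse_ico_directory(data: bytes) -> list[tuple[int, int]]:
    """Return (offset, size) for every image the ICO header declares.

    Raises ValueError for anything that is not a structurally valid icon,
    including entries that point outside the file.
    """
    if len(data) < ICONDIR_SIZE:
        raise ValueError("too short to be an ICO")
    reserved, kind, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO header")
    dir_end = ICONDIR_SIZE + ENTRY_SIZE * count
    if dir_end > len(data):
        raise ValueError("icon directory is truncated")
    entries = []
    for i in range(count):
        *_, size, offset = struct.unpack_from(
            ICONDIRENTRY_FMT, data, ICONDIR_SIZE + ENTRY_SIZE * i)
        if offset < dir_end or offset + size > len(data):
            raise ValueError(f"entry {i} points outside the file")
        entries.append((offset, size))
    return entries


def ico_overlay(data: bytes) -> bytes:
    """Bytes after the last declared image; b'' for a clean icon."""
    entries = parse_ico_directory(data)
    declared_end = max(offset + size for offset, size in entries)
    return data[declared_end:]


def scan_directory(root: str) -> dict[str, int]:
    """Map each *.ico under root that has an overlay to its overlay length."""
    suspicious = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".ico"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                try:
                    overlay = ico_overlay(fh.read())
                except ValueError:
                    continue  # not a parseable icon; out of scope for this check
            if overlay:
                suspicious[path] = len(overlay)
    return suspicious


def build_sample_ico() -> bytes:
    """Constructed 1x1, 32 bpp icon with one BMP-style image (not a 3CX asset)."""
    # BITMAPINFOHEADER: height is doubled because the XOR and AND masks are stacked
    bmp_header = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0)
    pixel = b"\x00\x00\xff\xff"     # one BGRA pixel (red, opaque)
    and_mask = b"\x00\x00\x00\x00"  # 1-bit mask row, padded to 4 bytes
    image = bmp_header + pixel + and_mask
    header = struct.pack(ICONDIR_FMT, 0, 1, 1)
    entry = struct.pack(ICONDIRENTRY_FMT, 1, 1, 0, 0, 1, 32,
                        len(image), ICONDIR_SIZE + ENTRY_SIZE)
    return header + entry + image


CLEAN_ICO = build_sample_ico()
# Constructed stand-in for an opaque, encrypted-looking blob (base64 of 32 fixed bytes)
STAGED_BLOB = base64.b64encode(bytes(range(32)))
TROJANIZED_ICO = CLEAN_ICO + STAGED_BLOB

if __name__ == "__main__":
    print("clean icon overlay bytes:", len(ico_overlay(CLEAN_ICO)))
    print("carrier icon overlay bytes:", len(ico_overlay(TROJANIZED_ICO)))
```

Point `scan_directory` at an unpacked application bundle or a checked-out repository. A non-zero overlay is a reason to look closer rather than proof of malice, but on the assets of a signed business application it is something that should be explained, not allowlisted.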
Who’s behind this:
A threat group tied to the North Korean government compromised the 3CX software build system and used that access to push trojanized versions of the company's DesktopApp for Windows and macOS. The malware makes infected machines beacon to actor-controlled servers and, based on criteria that are not public, deploys second-stage payloads to specific targets. In a few cases the attackers carried out "hands-on-keyboard activity" on infected machines, meaning they manually ran commands on them.
Recommendation / Solution:
- Block the indicators of compromise (IOCs) published by 3CX and its incident responders, and apply the patched build / fix from 3CX.
- Keep Windows and macOS systems up to date with the latest patches.
- Hunt for related activity in EDR and NDR telemetry, in particular the 3CX desktop app process making outbound connections it has no business making.
- Antivirus/EDR agents should be fully compliant and running the latest signatures.
- Business Continuity Plan: out-of-band communication tools are a NECESSARY backup when the phone system itself is the compromised component.
- Consider a multilayered approach to security that covers each possible entry point into the environment (endpoint, email, web and network).
- Create awareness and train your users/employees IMMEDIATELY.
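As an added example of the process-aware hunting recommended above (not the page's own tooling, nor anything from 3CX): the script below runs two triage rules over a few constructed EDR network events. The first drops every alert whose destination is on a "trusted SaaS" list, which is the false-positive reflex described under "Why is this SO Critical". The second asks whether this particular process has any business talking to that destination, and so keeps the softphone process reaching out to raw.githubusercontent.com. The process name 3CXDesktopApp.exe is used to match the app discussed on this page; the hosts, timestamps, the unknownsvc.exe process and the expected-destination table are assumptions for the example.

```python
"""Process-aware triage of outbound-connection events.

Added example. The events, hostnames and expected-destination table below
are constructed for illustration, not taken from any real incident data.
"""
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed EDR telemetry: time, host, process, destination, port
SAMPLE_EVENTS = """\
2023-03-29T10:15:02Z,WS-FIN-07,chrome.exe,raw.githubusercontent.com,443
2023-03-29T10:15:40Z,WS-FIN-07,3CXDesktopApp.exe,raw.githubusercontent.com,443
2023-03-29T10:16:01Z,WS-DEV-02,git.exe,github.com,443
2023-03-29T10:17:12Z,WS-FIN-07,3CXDesktopApp.exe,pbx.example.com,5061
2023-03-29T10:18:33Z,WS-HR-03,unknownsvc.exe,pbx.example.com,443
"""

# What a "trusted SaaS" allowlist looks like in many proxy and NDR consoles
TRUSTED_DESTINATIONS = {"github.com", "raw.githubusercontent.com", "pbx.example.com"}

# Assumed per-process expectations; "*" means the process may talk to anything.
# In practice this table is a baseline of what each signed application normally contacts.
EXPECTED_DESTINATIONS = {
    "chrome.exe": {"*"},
    "git.exe": {"github.com", "raw.githubusercontent.com"},
    "3CXDesktopApp.exe": {"pbx.example.com"},  # the org's PBX only
}


@dataclass(frozen=True)
class Event:
    time: str
    host: str
    process: str
    dest: str
    port: int


def parse_events(text: str) -> list[Event]:
    """Parse the comma-separated telemetry above into Event records."""
    rows = csv.reader(StringIO(text))
    return [Event(t, h, p, d, int(port)) for t, h, p, d, port in rows]


def naive_triage(events: list[Event]) -> list[Event]:
    """Escalate only destinations that are not on the trusted list.

    This is the rule that lets a trusted app fetching from a trusted host sail through.
    """
    return [e for e in events if e.dest not in TRUSTED_DESTINATIONS]


def process_aware_triage(events: list[Event]) -> list[Event]:
    """Escalate when the process is unknown or the destination is not expected for it."""
    alerts = []
    for e in events:
        allowed = EXPECTED_DESTINATIONS.get(e.process)
        if allowed is None or ("*" not in allowed and e.dest not in allowed):
            alerts.append(e)
    return alerts


def explain(event: Event) -> str:
    return f"{event.time} {event.host}: {event.process} -> {event.dest}:{event.port}"


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("naive triage escalates:")
    for e in naive_triage(events):
        print("  " + explain(e))
    print("process-aware triage escalates:")
    for e in process_aware_triage(events):
        print("  " + explain(e))
```

On the sample data the naive rule escalates nothing, because every destination is "trusted"; the process-aware rule escalates the softphone talking to raw.githubusercontent.com and an unrecognised service talking to the PBX. Destination reputation alone cannot catch a signed, trusted application fetching from a trusted host; the process-to-destination pairing is what makes the alert meaningful.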