Here is what you should know about 3CX supply chain attack

Here is what you should know about 3CX supply chain attack

3CX is a global VOIP software provider that has established itself as a business communications leader since 2005 with more than 600000 customers in 190 countries. They are a trusted communications solution provider for big names such as Honda, BMW, McDonald’s, and Mercedes.

You must be wondering why we are talking about 3CX. Recently, they have gained worldwide attention after having experienced a supply chain attack linked to their software.

It has put into question the data of millions of its customers who have installed their compromised software. Many experts have compared this attack with dangerous attacks like the SolarWinds attack.  What makes a supply chain attack dangerous is that compromise of one system can have a domino effect on the rest, causing disruptions on a massive scale.

It is an ongoing attack, meaning the attackers will not stop until they snoop, alter, and steal the data of more than 12 million daily users worldwide. The company finds a way to treat their software and find a solution that ceases the attack from compromising other users.

Our experts have analyzed this situation and have come up with some observations. Through our blog, we will try to understand how the attack was carried out and the vulnerabilities exploited.

What happened and how?

As per the intel and analysis of researchers worldwide, 3CX’s VOIP(Voice Over Internet Protocol) desktop client was compromised using malware that was used to eavesdrop on the customers using them. Many experts have speculated that a North Korean group that goes by the name of Labyrinth Chollima is behind the attack.

The installation and update packages delivered to the clients were compromised. As per our security experts, “3CX’s updater.exe runs in the background invoking ffmpeg.dll that further invoked secondary payload d3dcompiler.dll. It is a decrypted payload that is silent in the system for 7 days before it makes a connection to C2 URLs and uploads the payload.“

The following are some of the malicious hashes that were discovered by our security analysts and threat researchers:

MSI: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868

ffmpeg.dll: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896

SHA256: dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc

Operating System: Windows

Installer SHA256: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868

File Name: 3cxdesktopapp-18.12.407.msi

SHA256: fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405

Operating System: Windows

Installer SHA256: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983

File Name: 3cxdesktopapp-18.12.416.msi

SHA256: 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61

Operating System: macOS

Installer SHA256: 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290

File Name: 3CXDesktopApp-18.11.1213.dmg

SHA256: b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb

Operating System: macOS

Installer SHA256: e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec

File Name: 3cxdesktopapp-latest.dmg

The attackers made further access to the following GitHub link and beaconed the eavesdropped data to the following links indicating malicious intent:

• akamaicontainer[.]com  
• akamaitechcloudservices[.]com  
• azuredeploystore[.]com  
• azureonlinecloud[.]com  
• azureonlinestorage[.]com  
• dunamistrd[.]com  
• glcloudservice[.]com  
• journalide[.]org  
• msedgepackageinfo[.]com  
• msstorageazure[.]com  
• msstorageboxes[.]com  
• officeaddons[.]com  
• officestoragebox[.]com  
• pbxcloudeservices[.]com  
• pbxphonenetwork[.]com  
• pbxsources[.]com  
• qwepoi123098[.]com  
• sbmsa[.]wiki  
• sourceslabs[.]com  
• visualstudiofactory[.]com  
• zacharryblogs[.]com

The attackers have established a mechanism where they still have access to the compromised networks of millions of customers who have installed the software.

Source: Matthew Brennan, Huntress

Text 

3CXDesktopApp.exe Updates

Updater.exe spawns, downloads trojanized updates

Backdoored ffmpeg.dll is invoked, retrieves & extracts secondary payload from d3dcompiler_47.dll

Decrypted d3dcompiler_47.dll payload unravels another PE file

Final payload waits for 7 days until finally reaching out to Github to decrypt C2 URLS and begin to communicate

C2 URLS

https[:]//msedge[.]com/Windows https[:]//akamaitechcloud services [.]com/v2/storage https://azureonlinestorage[.]com/azure/storage https[:]//msedgepackageinfo[.]com/microsoft-edge https://glcloudservice[.]com/v1/console https[:]//pbxsources [.]com/exchange https[:]//msstorageazure[.]com/window https://officestoragebox[.]com/api/session https[:]//visualstudiofactory[.]com/workload https[:]//azuredeploystore[.]com/cloud/services https[:]//msstorageboxes[.]com/office https://officeaddons [.]com/technologies https[:]//sourceslabs [.]com/downloads https[:]//zacharryblogs [.]com/feed https[:]//pbxcloudeservices [.]com/phonesystem https[:]//pbxphonenetwork [.]com/voip https[:]//www[.]3cx[.]com/blog/event-trainings/

What measures were taken by 3CX?

Pierre Jourdan, the CISO of 3CX had posted a blog on 30th March stating the compromise of Electron Windows App shipped in the Update 8 with version numbers 18.12.407 and 18.12.416 and the Electron Mac App with version numbers 18.11.1213 shipped with update 6 and 18.12.402, 18.12.407 and 18.12.416 with update 7. 

As per his blog, it is an Advanced Persistent Threat in response to this, 3CX has taken down domains with compromised libraries along with the github repository. They are currently working on a new version of the windows app and have suggested the users to use PWA app instead of the compromised Electron app.

Our action plan for 3CX attack

The following is the action plan we prepared for our clients against the 3CX attack: 

• Our Threat Lab immediately identified and implemented detection rules and capabilities specific to the 3CX attack on our platform for quick detection
• We engaged in proactive and retrospective threat hunting to scan the environment for malicious actors specific to the 3CX attack and apply threat intel against all the historical data to check whether their environment has already been compromised. 

To sum it up

The 3CX attack is perhaps the biggest supply chain attack that has taken place, even greater than the Solar Winds attack, given how big 3CX’s customer base is.

With around 12 million daily users across 120 countries, the company must immediately take measures to secure their data and isolate its network from perpetrators who still have access to the network. In response to the 3CX attack, SharkStriker had come up with their own plan of action for our clients to safeguard them against the attackers.