Here is what you should know about the 3CX supply chain attack
By Vinith Sengunthar, April 4, 2023

3CX is a global VoIP software provider that has been a business communications leader since 2005, with more than 600,000 customers in 190 countries. It is the trusted communications provider for big names such as Honda, BMW, McDonald's and Mercedes.

Why are we talking about 3CX? The company recently gained worldwide attention after a supply chain attack delivered trojanized builds of its desktop software to customers, putting at risk the data of the millions of users who installed them. Many experts have compared the incident with the SolarWinds attack. What makes a supply chain attack so dangerous is that the compromise of one trusted vendor cascades to every organisation that installs its software, causing disruption on a massive scale. At the time of writing the attack is still ongoing: hosts that already run the trojanized client remain reachable by the attackers, who can snoop on, alter and steal the data of a product with more than 12 million daily users worldwide. 3CX is working on clean builds and guidance to stop further users from being compromised.

Our experts have analysed the situation and collected the observations below. This post walks through how the attack was carried out and which components were compromised.

What happened and how?

According to the analysis of researchers worldwide, 3CX's VoIP (Voice over Internet Protocol) desktop client was trojanized with malware that was used to eavesdrop on the customers running it. Many experts have speculated that a North Korean group tracked as Labyrinth Chollima is behind the attack.
The installation and update packages delivered to clients were compromised. As per our security experts, "3CX's Updater.exe runs in the background, invoking ffmpeg.dll, which in turn invokes the secondary payload d3dcompiler.dll. It is a decrypted payload that stays silent on the system for 7 days before it makes a connection to C2 URLs and uploads the payload."

The following malicious hashes were discovered by our security analysts and threat researchers:

MSI (3cxdesktopapp-18.12.407.msi): aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
ffmpeg.dll (trojanized): 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896

Compromised builds by platform, with the application hash listed first and the installer hash and file name after it:

Operating System: Windows
SHA256: dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
Installer SHA256: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
File Name: 3cxdesktopapp-18.12.407.msi

Operating System: Windows
SHA256: fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
Installer SHA256: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
File Name: 3cxdesktopapp-18.12.416.msi

Operating System: macOS
SHA256: 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
Installer SHA256: 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290
File Name: 3CXDesktopApp-18.11.1213.dmg

Operating System: macOS
SHA256: b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb
Installer SHA256: e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec
File Name: 3cxdesktopapp-latest.dmg

The final payload fetched its encrypted C2 list from a GitHub repository and beaconed the collected data to the following domains, a clear indicator of malicious intent:

akamaicontainer[.]com
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
dunamistrd[.]com
glcloudservice[.]com
journalide[.]org
msedgepackageinfo[.]com
msstorageazure[.]com
msstorageboxes[.]com
officeaddons[.]com
officestoragebox[.]com
pbxcloudeservices[.]com
pbxphonenetwork[.]com
pbxsources[.]com
qwepoi123098[.]com
sbmsa[.]wiki
sourceslabs[.]com
visualstudiofactory[.]com
zacharryblogs[.]com

Through this infrastructure the attackers still have access to the networks of customers who installed the trojanized builds.

Infection chain (source: Matthew Brennan, Huntress):
3CXDesktopApp.exe checks for updates; Updater.exe spawns and downloads the trojanized update.
The backdoored ffmpeg.dll is invoked and retrieves and extracts the secondary payload from d3dcompiler_47.dll.
The decrypted d3dcompiler_47.dll payload unpacks another PE file.
The final payload waits 7 days, then reaches out to GitHub to decrypt the C2 URLs and begins to communicate.

C2 URLs:
https[:]//msedge[.]com/Windows
https[:]//akamaitechcloudservices[.]com/v2/storage
https[:]//azureonlinestorage[.]com/azure/storage
https[:]//msedgepackageinfo[.]com/microsoft-edge
https[:]//glcloudservice[.]com/v1/console
https[:]//pbxsources[.]com/exchange
https[:]//msstorageazure[.]com/window
https[:]//officestoragebox[.]com/api/session
https[:]//visualstudiofactory[.]com/workload
https[:]//azuredeploystore[.]com/cloud/services
https[:]//msstorageboxes[.]com/office
https[:]//officeaddons[.]com/technologies
https[:]//sourceslabs[.]com/downloads
https[:]//zacharryblogs[.]com/feed
https[:]//pbxcloudeservices[.]com/phonesystem
https[:]//pbxphonenetwork[.]com/voip
https[:]//www[.]3cx[.]com/blog/event-trainings/

What measures were taken by 3CX?

Pierre Jourdan, CISO of 3CX, posted a security alert on 30 March confirming the compromise of the Electron Windows app shipped in Update 7 (version numbers 18.12.407 and 18.12.416) and of the Electron Mac app in version 18.11.1213 shipped with Update 6 and versions 18.12.402, 18.12.407 and 18.12.416 shipped with Update 7. His post attributes the incident to an advanced persistent threat (APT) actor. In response, 3CX had the domains contacted by the compromised library reported and taken down, along with the GitHub repository that hosted the C2 list.
3CX is currently working on a new version of the Windows app and, in the meantime, has advised users to use the PWA app instead of the compromised Electron app.

Our action plan for the 3CX attack

The following is the action plan we prepared for our clients against the 3CX attack:
Our Threat Lab immediately identified and implemented detection rules and capabilities specific to the 3CX attack on our platform for quick detection.
We engaged in proactive and retrospective threat hunting, scanning client environments for activity specific to the 3CX attack and applying the threat intelligence above to all historical data to check whether an environment had already been compromised.

To sum it up

Given the size of 3CX's customer base, the 3CX attack is perhaps the biggest supply chain attack to date, arguably larger than the SolarWinds attack in terms of affected install base. With around 12 million daily users across 190 countries, the company must move quickly to secure customer data and cut off the attackers' remaining access to affected networks. In response to the 3CX attack, SharkStriker has put the plan of action above in place to safeguard its clients against the attackers.
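As a practical follow-up to the IOC list and the retrospective hunting described above, here is an added example of the kind of offline sweep an analyst would run against historical data. It is not code from SharkStriker, 3CX or Huntress. It embeds the SHA-256 hashes and defanged C2 domains quoted on this page, hashes every file under a directory to flag matches, and scans proxy/DNS log lines for contact with the C2 domains (subdomains match, lookalike suffixes do not). Assumptions: the two log line formats and the files it scans are constructed for the demonstration; hashes the page lists without a file name are labelled by the table row they sit in; www.3cx.com, which appears in the page's URL list, is 3CX's own site and is deliberately excluded so legitimate traffic is not flagged.

```python
"""Offline IOC sweep for the trojanized 3CX desktop app.

Added example, not code from SharkStriker or 3CX. It embeds the SHA-256 hashes
and C2 domains quoted on this page, hashes every file under a directory to flag
matches, and checks proxy/DNS log lines for beacons to the C2 domains. The log
lines and files used below are constructed for demonstration.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# SHA-256 IOCs as listed on the page. Hashes the page gives without a file name
# are labelled by the table row they appear in (assumption: that row's app hash).
IOC_SHA256: Dict[str, str] = {
    "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896": "ffmpeg.dll (trojanized)",
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868": "3cxdesktopapp-18.12.407.msi",
    "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc": "Windows 18.12.407 row",
    "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983": "3cxdesktopapp-18.12.416.msi",
    "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405": "Windows 18.12.416 row",
    "5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290": "3CXDesktopApp-18.11.1213.dmg",
    "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61": "macOS 18.11.1213 row",
    "e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec": "3cxdesktopapp-latest.dmg",
    "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb": "macOS latest row",
}

# C2 domains exactly as the page defangs them. www.3cx.com, which also appears in
# the page's URL list, is 3CX's own site and is left out so it is not flagged.
DEFANGED_C2 = [
    "akamaicontainer[.]com", "akamaitechcloudservices[.]com", "azuredeploystore[.]com",
    "azureonlinecloud[.]com", "azureonlinestorage[.]com", "dunamistrd[.]com",
    "glcloudservice[.]com", "journalide[.]org", "msedgepackageinfo[.]com",
    "msstorageazure[.]com", "msstorageboxes[.]com", "officeaddons[.]com",
    "officestoragebox[.]com", "pbxcloudeservices[.]com", "pbxphonenetwork[.]com",
    "pbxsources[.]com", "qwepoi123098[.]com", "sbmsa[.]wiki", "sourceslabs[.]com",
    "visualstudiofactory[.]com", "zacharryblogs[.]com",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging so an indicator can be compared with live data."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
            .replace("hxxp", "http").replace(" ", "").lower())


C2_DOMAINS = frozenset(refang(d) for d in DEFANGED_C2)


def is_c2_host(host: str) -> bool:
    """True for a C2 domain or one of its subdomains; a lookalike suffix does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


_URL_RE = re.compile(r"""https?://[^\s"']+""", re.I)
_DNS_RE = re.compile(r"\bquery:\s+([A-Za-z0-9.-]+)")


def hosts_in_line(line: str) -> List[str]:
    """Hostnames from a proxy-style line (URL) or a DNS resolver line (query: name)."""
    hosts = [urlsplit(u).hostname or "" for u in _URL_RE.findall(line)]
    hosts += _DNS_RE.findall(line)
    return [h for h in hosts if h]


def hunt_logs(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """(line number, host) for every line that talks to a C2 domain."""
    return [(n, h.lower()) for n, line in enumerate(lines, 1)
            for h in hosts_in_line(line) if is_c2_host(h)]


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, iocs: Dict[str, str] = IOC_SHA256) -> List[Tuple[str, str]]:
    """Hash every file under root; return (path, label) for each IOC match."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = sha256_file(p)
            if digest in iocs:
                hits.append((str(p), iocs[digest]))
    return hits


# Constructed proxy and DNS log lines: lines 2 and 4 should be flagged, line 1
# (3CX's real site) and line 5 (a lookalike suffix) should not.
SAMPLE_LOG = """\
2023-03-29T10:02:11Z proxy ws-17 GET https://www.3cx.com/blog/event-trainings/ 200
2023-03-29T10:02:15Z proxy ws-17 GET https://msstorageazure.com/window 200
2023-03-29T10:03:01Z dns ws-22 query: updates.example.net IN A
2023-03-29T10:03:09Z dns ws-22 query: cdn.officestoragebox.com IN A
2023-03-29T10:04:44Z proxy ws-05 GET https://notmsstorageazure.com/window 404
""".splitlines()

if __name__ == "__main__":
    for n, host in hunt_logs(SAMPLE_LOG):
        print(f"C2 contact on log line {n}: {host}")
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed files; the second one's hash is registered as a stand-in IOC
        # only to show what a match looks like (no real sample is included).
        Path(tmp, "notes.txt").write_bytes(b"nothing to see")
        planted = Path(tmp, "ffmpeg.dll")
        planted.write_bytes(b"stand-in for a trojanized DLL")
        demo_iocs = dict(IOC_SHA256, **{sha256_file(planted): "demo stand-in"})
        print("hits against the page's IOCs:", scan_tree(Path(tmp)))
        print("hits with the stand-in added:", scan_tree(Path(tmp), demo_iocs))
```

Point scan_tree at the 3CX install directory (and any software-distribution cache that stores the MSI or DMG) and feed hunt_logs the proxy and resolver logs covering the weeks since the trojanized builds shipped; because the implant sleeps for seven days before beaconing, a host can carry a matching hash while its logs are still clean, so a hash hit without a beacon is not evidence that the host was never activated.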