Here is what you should know about 3CX supply chain attack
04 Apr 2023
3CX is a global VOIP software provider that has established itself as a business communications leader since 2005 with more than 600000 customers in 190 countries. They are a trusted communications solution provider for big names such as Honda, BMW, McDonald’s, and Mercedes.
You must be wondering why we are talking about 3CX. Recently, they have gained worldwide attention after having experienced a supply chain attack linked to their software.
It has put into question the data of millions of its customers who have installed their compromised software. Many experts have compared this attack with dangerous attacks like the SolarWinds attack. What makes a supply chain attack dangerous is that compromise of one system can have a domino effect on the rest, causing disruptions on a massive scale.
It is an ongoing attack, meaning the attackers will not stop until they snoop, alter, and steal the data of more than 12 million daily users worldwide. The company finds a way to treat their software and find a solution that ceases the attack from compromising other users.
Our experts have analyzed this situation and have come up with some observations. Through our blog, we will try to understand how the attack was carried out and the vulnerabilities exploited.
What happened and how?
As per the intel and analysis of researchers worldwide, 3CX’s VOIP(Voice Over Internet Protocol) desktop client was compromised using malware that was used to eavesdrop on the customers using them. Many experts have speculated that a North Korean group that goes by the name of Labyrinth Chollima is behind the attack.
The installation and update packages delivered to the clients were compromised. As per our security experts, “3CX’s updater.exe runs in the background invoking ffmpeg.dll that further invoked secondary payload d3dcompiler.dll. It is a decrypted payload that is silent in the system for 7 days before it makes a connection to C2 URLs and uploads the payload.“
The following are some of the malicious hashes that were discovered by our security analysts and threat researchers:
MSI: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
ffmpeg.dll: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
SHA256: dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
Operating System: Windows
Installer SHA256: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
File Name: 3cxdesktopapp-18.12.407.msi
SHA256: fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
Operating System: Windows
Installer SHA256: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
File Name: 3cxdesktopapp-18.12.416.msi
SHA256: 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
Operating System: macOS
Installer SHA256: 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290
File Name: 3CXDesktopApp-18.11.1213.dmg
SHA256: b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb
Operating System: macOS
Installer SHA256: e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec
File Name: 3cxdesktopapp-latest.dmg
The attackers made further access to the following GitHub link and beaconed the eavesdropped data to the following links indicating malicious intent:
- akamaicontainer[.]com
- akamaitechcloudservices[.]com
- azuredeploystore[.]com
- azureonlinecloud[.]com
- azureonlinestorage[.]com
- dunamistrd[.]com
- glcloudservice[.]com
- journalide[.]org
- msedgepackageinfo[.]com
- msstorageazure[.]com
- msstorageboxes[.]com
- officeaddons[.]com
- officestoragebox[.]com
- pbxcloudeservices[.]com
- pbxphonenetwork[.]com
- pbxsources[.]com
- qwepoi123098[.]com
- sbmsa[.]wiki
- sourceslabs[.]com
- visualstudiofactory[.]com
- zacharryblogs[.]com
The attackers have established a mechanism where they still have access to the compromised networks of millions of customers who have installed the software.
Source: Matthew Brennan, Huntress
Text
3CXDesktopApp.exe Updates
Updater.exe spawns, downloads trojanized updates
Backdoored ffmpeg.dll is invoked, retrieves & extracts secondary payload from d3dcompiler_47.dll
Decrypted d3dcompiler_47.dll payload unravels another PE file
Final payload waits for 7 days until finally reaching out to Github to decrypt C2 URLS and begin to communicate
C2 URLS
https[:]//msedge[.]com/Windows https[:]//akamaitechcloud services [.]com/v2/storage https://azureonlinestorage[.]com/azure/storage https[:]//msedgepackageinfo[.]com/microsoft-edge https://glcloudservice[.]com/v1/console https[:]//pbxsources [.]com/exchange https[:]//msstorageazure[.]com/window https://officestoragebox[.]com/api/session https[:]//visualstudiofactory[.]com/workload https[:]//azuredeploystore[.]com/cloud/services https[:]//msstorageboxes[.]com/office https://officeaddons [.]com/technologies https[:]//sourceslabs [.]com/downloads https[:]//zacharryblogs [.]com/feed https[:]//pbxcloudeservices [.]com/phonesystem https[:]//pbxphonenetwork [.]com/voip https[:]//www[.]3cx[.]com/blog/event-trainings/
What measures were taken by 3CX?
Pierre Jourdan, the CISO of 3CX had posted a blog on 30th March stating the compromise of Electron Windows App shipped in the Update 8 with version numbers 18.12.407 and 18.12.416 and the Electron Mac App with version numbers 18.11.1213 shipped with update 6 and 18.12.402, 18.12.407 and 18.12.416 with update 7.
As per his blog, it is an Advanced Persistent Threat in response to this, 3CX has taken down domains with compromised libraries along with the github repository. They are currently working on a new version of the windows app and have suggested the users to use PWA app instead of the compromised Electron app.
Our action plan for 3CX attack
The following is the action plan we prepared for our clients against the 3CX attack:
- Our Threat Lab immediately identified and implemented detection rules and capabilities specific to the 3CX attack on our platform for quick detection
- We engaged in proactive and retrospective threat hunting to scan the environment for malicious actors specific to the 3CX attack and apply threat intel against all the historical data to check whether their environment has already been compromised.
To sum it up
The 3CX attack is perhaps the biggest supply chain attack that has taken place, even greater than the Solar Winds attack, given how big 3CX’s customer base is.
With around 12 million daily users across 120 countries, the company must immediately take measures to secure their data and isolate its network from perpetrators who still have access to the network. In response to the 3CX attack, SharkStriker had come up with their own plan of action for our clients to safeguard them against the attackers.