3CX Supply Chain Attack: what happened?

Popular software-based PBX phone system 3CX was recently targeted by a cybercriminal group, and infected with malware to steal information from users’ devices.

3CX is used by over 600,000 companies worldwide, and the supply chain attack has caused a significant stir, and drawn comparisons to other large breaches like the Kaseya and SolarWinds attacks.

The incident

In late March, a digitally signed but compromised build of the 3CX Voice Over Internet Protocol (VoIP) Desktop App was used to target the firm's clientele. The supply chain compromise let the attackers run multi-stage attacks through the trusted software, enabling follow-on activity such as malware installation on affected users' devices.

Security firm Sophos released an alert stating that the attackers were targeting both Windows and macOS users of the 3CX app. Android and iOS versions of the software are not reported to be affected.

“The most common post-exploitation activity observed to date is the spawning of an interactive command shell,” Sophos said in an advisory issued via its Managed Detection and Response service.

While the Australian Cyber Security Centre (ACSC) has released alerts warning of an active state-sponsored intrusion campaign targeting 3CXDesktopApp users, it has not received any reports of Australian organisations being targeted in the campaign.

Affected software

3CX advised that the following builds were affected by the attack.

Windows App (Update 7), version numbers:

  • 12.407
  • 12.416

Electron Mac App, version numbers:

  • 11.1213
  • 12.402
  • 12.407
  • 12.416

Sophos stated the most common post-exploitation event observed following the initial attack is the presence of an infostealer targeting the browsers on a compromised system.

Threat identification

Sophos MDR identified malicious activity directed at its customers that stemmed from 3CXDesktopApp, and observed the campaign using a public file-storage repository to host encoded malware. After news of the compromise began to spread, the repository was taken down.

The attack revolved around a DLL sideloading scenario with a number of components involved. Because the app kept working normally, customers could keep using the 3CX desktop app without noticing anything unusual. Sophos identified three components:

  • an .exe, the clean loader
  • a .dll with an appended encrypted payload
  • a .dll, a Trojanized loader

The cybercriminal group was revealed to be North Korean threat actors tracked as Lazarus Group. They replaced two DLLs used by the Windows desktop app with malicious versions that would download malware to devices.
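The sideloading chain described above hinges on a DLL that looks legitimate but carries an appended encrypted payload (Sophos's reputation detection below calls this "d3dcompiler with appended shellcode"). The following Python script is an added example, not code from Sophos, 3CX or this article; it shows the triage check a defender can run over a PE file: parse the section table to find where the mapped image ends, measure the bytes left over (the "overlay"), exclude any Authenticode signature blob (which legitimately lives in the overlay), and flag a large, high-entropy remainder. The `build_test_pe` and `pseudo_random` helpers construct a minimal PE32 in memory so the script runs offline; the thresholds in `triage` are assumptions for illustration, not Sophos's detection logic.

```python
import hashlib
import math
import struct

E_LFANEW_FIELD = 0x3C          # DOS header field holding the PE header offset
SECTION_HEADER_SIZE = 40
SECURITY_DIR_INDEX = 4         # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode)


def _pe_layout(data: bytes):
    """Parse just enough of the PE headers: (end of section data, signature offset, size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_FIELD)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs_off = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    sig_off, sig_size = 0, 0
    if opt_size >= (dirs_off - opt_off) + (SECURITY_DIR_INDEX + 1) * 8:
        sig_off, sig_size = struct.unpack_from("<II", data, dirs_off + SECURITY_DIR_INDEX * 8)
    table = opt_off + opt_size
    end = table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * SECTION_HEADER_SIZE + 16)
        end = max(end, raw_ptr + raw_size)
    return end, sig_off, sig_size


def overlay(data: bytes) -> bytes:
    """Bytes after the last section that the loader never maps, minus any Authenticode blob."""
    end, sig_off, sig_size = _pe_layout(data)
    if sig_size and sig_off >= end:
        return data[end:sig_off] + data[sig_off + sig_size:]
    return data[end:]


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data: bytes, min_overlay: int = 1024, min_entropy: float = 7.0) -> dict:
    """Flag a file whose unsigned overlay is both large and nearly random (assumed thresholds)."""
    tail = overlay(data)
    ent = shannon_entropy(tail)
    return {"overlay_size": len(tail), "overlay_entropy": round(ent, 2),
            "suspicious": len(tail) >= min_overlay and ent >= min_entropy}


def build_test_pe(section: bytes, appended: bytes = b"", signature: bytes = b"") -> bytes:
    """Constructed minimal PE32 image for testing only; not a real 3CX binary."""
    e_lfanew, opt_size, raw_ptr = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (E_LFANEW_FIELD - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    if signature:  # security directory points at the blob placed after `appended`
        struct.pack_into("<II", opt, 96 + SECURITY_DIR_INDEX * 8,
                         raw_ptr + len(section) + len(appended), len(signature))
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section), 0x1000,
                                        len(section), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return headers + b"\0" * (raw_ptr - len(headers)) + section + appended + signature


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


if __name__ == "__main__":
    code = b"\xc3" * 64                                   # a stub .text section
    print("clean:   ", triage(build_test_pe(code)))
    print("signed:  ", triage(build_test_pe(code, b"", b"S" * 2048)))
    print("payload: ", triage(build_test_pe(code, pseudo_random(4096), b"S" * 2048)))
```

A valid signature does not clear a file: in this campaign the signed DLL still carried the payload, which is exactly why the script subtracts the signature region and then judges what remains. Treat a hit as a reason to pull the file's hash against vendor detections and the 3CX advisory, not as a verdict on its own; installers and some packers also append data legitimately.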

3CX response

3CX notified partners and customers of the attack on March 30, and has provided them with updates as investigations into the incident continued. The company also released a public security incident report on April 1. 3CX urged users to avoid using the Electron App unless absolutely necessary, while a replacement Electron App was rebuilt from the ground up and signed with a new certificate to supersede the affected version.

Following the announcement, 3CX extended the expiry of all paid subscriptions by three months, and offered its partners free one-year commercial 3CX PRO subscriptions.

3CX appointed US cybersecurity firm Mandiant to fully investigate the incident, and is releasing regular updates via its blog.

Risk mitigation

3CX advises that its users:

  • Uninstall the 3CX Electron Desktop App from all Windows and Mac devices.
  • Continue running AV scans and EDR solutions across your organisation’s networks to catch any remaining malware.
  • Switch to using the PWA Web Client App instead of the Desktop App.

Sophos MDR blocked the malicious domains for its clients, and published detections:

Static detections:

  • Troj/Loader-AF (Trojanized ffmpeg.dll)
  • Troj/Mdrop-JTQ (installers)
  • Troj/Steal-DLG
  • OSX/Mdrop-JTR (installers)
  • OSX/Loader-AG (Trojanized libffmpeg.dylib)

Reputation detection:

  • Mal/Generic-R / Mal/Generic-S (d3dcompiler with appended shellcode)

Memory detection:

  • Mem/Loader-AH

Defend your systems and networks before it’s too late

As an advanced cyber security threat detection and response service, Sophos constantly monitors network devices for malicious activity and reports any unusual or suspicious activity to your organisation. Proactive threat hunting, detection, and elimination are provided by an expert security team who – as seen in the 3CX cyber-attack – are quick to discover and respond to even the most advanced threats.

Essential Tech is a leading Sophos MDR provider, and can advise you further about arming your organisation with this advanced security solution. Talk to them today and ensure you won’t get caught out in the event of an unexpected incident.
