Popular software-based PBX phone system 3CX was recently targeted by a cybercriminal group, and infected with malware to steal information from users’ devices.
3CX is used by over 600,000 companies worldwide, and the supply chain attack has caused a significant stir, and drawn comparisons to other large breaches like the Kaseya and SolarWinds attacks.
In late March, a digitally authenticated and compromised edition of the 3CX Voice Over Internet Protocol (VOIP) Desktop software was used to target the firm's clientele. The supply chain compromise allowed malicious actors to conduct multi-stage attacks against the software, potentially enabling activity such as malware installation against affected users.
Security researcher Sophos released an alert stating that the attackers were targeting both Windows and macOS users of the 3CX app. Andriod and iOS versions of the software are not reported to be affected.
“The most common post-exploitation activity observed to date is the spawning of an interactive command shell,” Sophos said in an advisory issued via its Managed Detection and Response service.
While the Australian Cyber Security Centre (ACSC) has released alerts warning of an active state-sponsored intrusion campaign targeting 3CXDesktopApp users, it has not received any reports of Australian organisations being targeted in the campaign.
3CX advised Windows Update 7 version numbers:
And Electron Mac App version numbers:
Were all affected by the attack.
Sophos stated the most common post-exploitation event observed following the initial attack is the presence of an infostealer targeting the browsers on a compromised system.
Sophos MDR identified malicious activity directed at its customers that was stemming from 3CXDesktopApp, and observed the campaign leveraging a public file storage to host encoded malware. After news of the compromise began to spread, the repository was taken down.
The attack revolved around a DLL sideloading scenario with a number of components involved. This ensured customers were able to use the 3CX desktop app without noticing anything unusual. Sophos identified three components:
The cybercriminal group was revealed to be North Korean threat actors tracked as Lazarus Group. They replaced two DLLs used by the Windows desktop app with malicious versions that would download malware to devices.
3CX notified partners and customers of the attack on March 30, and has provided them with updates as investigations into the incident continued. The company also released a public security incident report on April 1. 3CX urged users to avoid using the Electron App unless absolutely necessary, while another Electron App was rebuilt from the ground up with a new signed certificate to replace the affected version.
Following the announcement, 3CX extended all paid subscriptions expiry by three months, and offered free commercial one-year 4SC PRO subscriptions to their partners.
3CX appointed US cybersecurity firm Mandiant to fully investigate the incident, and are releasing regular updates via their blog.
3CX advises that its users:
Static detections:
Reputation detection:
Memory detection:
As an advanced cyber security threat detection and response service, Sophos constantly monitors network devices for malicious activity and reports any unusual or suspicious activity to your organisation. Proactive threat hunting, detection, and elimination are provided by an expert security team who – as seen in the 3CX cyber-attack – are quick to discover and respond to even the most advanced threats.
Essential Tech is a leading Sophos MDR provider, and can advise you further about arming your organisation with this advanced security solution. Talk to them today and ensure you won’t get caught out in the event of an unexpected incident.