3CX, a popular desktop softphone application, was compromised by threat actors in a software supply chain attack: a trojanized build was delivered to millions of customers through the vendor's own software updates, which in turn led to further cyber attacks.
In this blog we will see how this supply chain attack happened, how it was spotted, and how it could have been stopped by addressing a single point of failure.
We will also walk through an in-depth analysis of the attack to understand how the adversaries operated inside the organization.
What is 3CX?
3CX is a widely used desktop VoIP application, used by many customers and organizations worldwide.
As of 2023, over 1815 companies use the 3CX unified communication tool. An attack that infects its core software has a huge impact on the security of organizations around the world.
As of now, according to Shodan, approximately 239,884 3CX management systems are exposed to the internet from around the world.
When did it all start?
On March 29, 2023, CrowdStrike's Falcon OverWatch team reported detecting unexpected malicious activity originating from 3CXDesktopApp, a legitimate softphone application developed by 3CX.
The malicious behavior included beaconing to infrastructure controlled by the threat actor, execution of second-stage payloads, and hands-on-keyboard activity. CrowdStrike Falcon prevented any misuse of the infected 3CX desktop applications it protected.
Customers affected by hands-on-keyboard activity were notified by OverWatch, and Falcon Complete reached out to customers using the software. The malicious activity was observed on Windows and macOS, although 3CXDesktopApp is also available on other platforms, including Linux and mobile.
CrowdStrike's Intelligence Team is collaborating with 3CX in response to the incident, and there are indications of the involvement of the LABYRINTH CHOLLIMA threat actor, which is suspected of having nation-state ties.
What happened next?
In March 2023, Mandiant responded to a security breach affecting the 3CX Desktop App. The investigation found that the initial vector of compromise for 3CX's network was malicious software downloaded from the Trading Technologies website. This is the first known case of one software supply chain attack leading to another.
The 3CX Desktop App is an enterprise communication platform that supports video, chat, and voice calls. The malware was spread via a trojanized version of the 3CX Desktop App, which could also be downloaded from 3CX's official website. Versions 18.12.416 and earlier of the 3CX DesktopApp were identified as containing malicious code that executed a downloader called SUDDENICON.
Stage 2 of the hack
Stage 2 of a cyber attack is what happens once a victim runs or installs the malicious software on their system. Let's see what happened after the infected 3CX tool was installed.
The downloader retrieved encrypted icon files hosted on GitHub, which contained additional command and control (C2) server addresses. The decrypted C2 server then delivered an information stealer known as IconicStealer, which is capable of stealing browser data. Mandiant tracks this activity as UNC4736, a suspected North Korean nexus cluster.
Mandiant found that the initial intrusion into 3CX came through a trojanized installer for a software package called X_TRADER, which deployed a backdoor called VEILEDSIGNAL. Although X_TRADER was no longer in use, it could still be downloaded from Trading Technologies' website in 2022. The attackers signed their malicious installer with the same digital certificate used for the legitimate software, a certificate that was set to expire in October 2022.
The trojanized installer contained a file called Setup.exe that dropped two malicious components and one benign one. The benign component was used to load one of the malicious ones. The loaded code then used SIGFLIP and DAVESHELL to decrypt and load another malicious payload into memory. SIGFLIP decrypts the payload with the RC4 stream cipher and searches for the byte sequence "FEEDFACE" to locate the next component (in this case, DAVESHELL) during decryption.
Mandiant also found that the attacker used SIGFLIP and DAVESHELL to deploy the VEILEDSIGNAL backdoor together with several supporting modules. The backdoor accepted a small set of commands, such as sending data or terminating itself, and an additional module was used to inject into process memory and conceal the backdoor's presence.
Mandiant further noticed that the attacker used similar methods in both the X_TRADER and 3CXDesktopApp compromises: a shared secret key, SIGFLIP, DAVESHELL, and the string "__tutma" were used when encrypting the data they stole.
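The RC4-plus-marker packaging described above is something an analyst meets when unpacking a sample of this kind. The following is an added analyst helper written for this post; it is not Mandiant's code and not the malware's own. It implements RC4 in pure Python, decrypts a candidate blob with a supplied key, and reports where the "FEEDFACE" marker appears. The key and the blob are constructed for the example (the real SIGFLIP key is not reproduced here), and because the report does not say whether the marker is stored as ASCII text or as a 32-bit value, the search covers all three encodings, which is an assumption that goes slightly beyond the text.

```python
"""Analyst helper: RC4-decrypt a candidate blob and locate the FEEDFACE marker.

Everything below (key, sample blob, marker encodings) is constructed for this
example; it does not reproduce the real SIGFLIP key or file layout.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# The marker is reported as "FEEDFACE". Whether it is stored as ASCII or as a
# 32-bit value (and in which byte order) is treated as unknown here, so all
# three encodings are searched. This is an assumption, not taken from the report.
MARKER_FORMS = {
    "ascii": b"FEEDFACE",
    "dword_be": bytes.fromhex("FEEDFACE"),
    "dword_le": bytes.fromhex("CEFAEDFE"),
}


def find_markers(buf: bytes) -> list:
    """Return (form, offset) for every marker occurrence, sorted by offset."""
    hits = []
    for form, pattern in MARKER_FORMS.items():
        start = 0
        while (idx := buf.find(pattern, start)) != -1:
            hits.append((form, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def triage_blob(blob: bytes, key: bytes) -> dict:
    """Decrypt with the supplied key and report marker hits before and after decryption."""
    plain = rc4(key, blob)
    plain_hits = find_markers(plain)
    return {
        "ciphertext_hits": find_markers(blob),
        "plaintext_hits": plain_hits,
        # Bytes following the first marker are what an analyst would carve next.
        "carved_after_marker": plain[plain_hits[0][1] + len(MARKER_FORMS[plain_hits[0][0]]):]
        if plain_hits else b"",
        "verdict": "marker_found" if plain_hits else "no_marker",
    }


# Constructed sample: 16 filler bytes, the ASCII marker, then a placeholder stage.
SAMPLE_KEY = b"constructed-example-key"
SAMPLE_PLAIN = b"\x90" * 16 + b"FEEDFACE" + b"<next-stage placeholder>"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAIN)

if __name__ == "__main__":
    result = triage_blob(SAMPLE_BLOB, SAMPLE_KEY)
    print(result["verdict"], result["plaintext_hits"], result["carved_after_marker"])
```

The marker search runs on both the ciphertext and the plaintext so that a blob whose marker is stored unencrypted (a different packer layout) is still reported; a wrong key simply yields `no_marker`.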
To move laterally through 3CX's network, the attacker used Fast Reverse Proxy, a publicly available tool downloaded from the internet, and dropped a file named MsMpEng.exe into C:\Windows\System32. Mandiant was able to reconstruct the attacker's steps and determined that the attacker had compromised the 3CX build environment.
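A file named MsMpEng.exe (the name of the Windows Defender engine) living in C:\Windows\System32 is a detection opportunity, because the genuine engine runs from Defender's own program directories. The script below is an added example written for this post, not a Mandiant or CrowdStrike detection rule; it scans a constructed set of process-creation events and flags a Defender-named binary outside the well-known Defender directories, plus launches of frpc.exe, the client binary of the open-source frp (Fast Reverse Proxy) project. The pipe-delimited log format and the hostnames are made up for the example.

```python
"""Flag MsMpEng.exe running from the wrong place and frp client launches.

The event format (timestamp|host|image|parent image) and all sample events
are constructed for this example.
"""
import ntpath

# Directories from which the genuine Windows Defender engine runs (well-known locations).
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Constructed sample events: a setup binary writes a fake engine into System32,
# a real Defender engine starts normally on another host, and an frp client appears.
SAMPLE_EVENTS = r"""
2023-03-29T10:14:55Z|WS-042|C:\Users\alice\Downloads\Setup.exe|C:\Windows\explorer.exe
2023-03-29T10:15:02Z|WS-042|C:\Windows\System32\MsMpEng.exe|C:\Users\alice\Downloads\Setup.exe
2023-03-29T10:15:10Z|WS-017|C:\Program Files\Windows Defender\MsMpEng.exe|C:\Windows\System32\services.exe
2023-03-29T10:16:41Z|WS-042|C:\Users\alice\AppData\Local\Temp\frpc.exe|C:\Windows\System32\MsMpEng.exe
"""


def is_masquerading_msmpeng(image: str) -> bool:
    """True when the image is named MsMpEng.exe but lives outside Defender's directories."""
    path = image.lower()
    if ntpath.basename(path) != "msmpeng.exe":
        return False
    return not any(path.startswith(d + "\\") for d in DEFENDER_DIRS)


def is_frp_client(image: str) -> bool:
    """True for frpc.exe, the client of the open-source frp (Fast Reverse Proxy) tool."""
    return ntpath.basename(image.lower()) == "frpc.exe"


def scan_events(text: str) -> list:
    """Return (timestamp, host, rule, image) for every event that trips a rule."""
    alerts = []
    for line in text.strip().splitlines():
        ts, host, image, _parent = line.split("|")
        if is_masquerading_msmpeng(image):
            alerts.append((ts, host, "msmpeng_outside_defender_dirs", image))
        if is_frp_client(image):
            alerts.append((ts, host, "frp_client_launched", image))
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Path matching is done case-insensitively and on the directory prefix rather than on the file name alone, so a copy of the real engine in a subfolder of the Defender platform directory is not flagged while the System32 copy is.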
What went wrong?
This attack could have been prevented if Trading Technologies' website hosting the X_TRADER software had been fully patched. The second point of failure was the endpoint device (a Windows machine) of the 3CX employee who installed the malicious version of the software. Security flaws that contributed to the attack include:
- A vulnerable X_TRADER vendor website, which let the malware author compromise the site and backdoor the program it distributed.
- Malicious use of open source security tools. Tracing the intrusion shows that many of the attacker's techniques relied on publicly available tools to complete their tasks and move through the network of 3CX employees.
- Weak security on 3CX endpoint devices. The employee's endpoint could not stop the backdoored version of the software from running, which shows that organizations still need strong threat intelligence and user awareness programs.
How this attack could have been stopped
This incident shows that many flaws together led to the compromise. Let's look at the preventive measures that could have stopped it:
- Multi-factor authentication (MFA) could have been enabled to prevent the initial intrusion into the Trading Technologies infrastructure via stolen credentials.
- The Trading Technologies software could have been digitally signed with a certificate that had a shorter validity period, making it more difficult for attackers to sign malicious software with a valid certificate.
- The Trading Technologies software could have been made unavailable for download once it was no longer in use, reducing the attack surface.
- Security controls, such as antivirus and intrusion detection and prevention systems, could have detected and blocked the malicious software before it was able to execute and compromise the environment.
- Code reviews and static analysis could have been conducted on the software supply chain to detect and prevent the insertion of malicious code.
- Access controls could have been implemented to limit lateral movement within the network, making it more difficult for the attacker to move throughout the environment.
- Regular security assessments and vulnerability scans could have been conducted to identify and remediate weaknesses in the environment.
- Employee security awareness training could have been provided to prevent the initial compromise via social engineering tactics such as phishing attacks.
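Several of the measures above come down to verifying what you install before it runs: checking the download against a hash published out of band, and refusing builds in a version range known to be affected. The following is an added example written for this post, not a 3CX or Mandiant tool; it pins a SHA-256 value, compares it in constant time, and treats versions up to 18.12.416 (the range the text gives) as affected. The installer bytes and the pinned hash are constructed placeholders; in practice the hash would come from the vendor's published checksums.

```python
"""Verify a downloaded installer against a pinned hash and an affected-version range.

The installer bytes and the pinned hash below are constructed for this example;
a real deployment pins the vendor's published SHA-256.
"""
import hashlib
import hmac

# Highest version identified in the text as containing the malicious code.
LAST_AFFECTED_VERSION = (18, 12, 416)


def parse_version(text: str) -> tuple:
    """'18.12.416' -> (18, 12, 416); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected_version(text: str) -> bool:
    """True for LAST_AFFECTED_VERSION and every earlier version."""
    return parse_version(text) <= LAST_AFFECTED_VERSION


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_installer(data: bytes, pinned_sha256: str, version: str) -> dict:
    """Return a verdict with reasons; both checks must pass for ok=True."""
    actual = sha256_hex(data)
    # Constant-time comparison avoids leaking how much of the digest matched.
    hash_ok = hmac.compare_digest(actual, pinned_sha256.strip().lower())
    version_ok = not is_affected_version(version)
    reasons = []
    if not hash_ok:
        reasons.append("sha256 does not match the pinned value")
    if not version_ok:
        reasons.append(f"version {version} is in the affected range (<= 18.12.416)")
    return {"ok": hash_ok and version_ok, "sha256": actual, "reasons": reasons}


# Constructed stand-in for a downloaded installer and its out-of-band checksum.
SAMPLE_INSTALLER = b"constructed installer bytes, not a real 3CX build"
PINNED_SHA256 = sha256_hex(SAMPLE_INSTALLER)  # placeholder: would be the vendor's published hash

if __name__ == "__main__":
    print(verify_installer(SAMPLE_INSTALLER, PINNED_SHA256, "18.12.417"))
    print(verify_installer(SAMPLE_INSTALLER, PINNED_SHA256, "18.12.416"))
    print(verify_installer(SAMPLE_INSTALLER + b"\x00", PINNED_SHA256, "18.12.417"))
```

The version gate is a policy check layered on top of the hash check: a file that matches its published hash can still be a build the vendor has since withdrawn, and a file that fails the hash must be rejected regardless of version.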
Kratikal provides cybersecurity solutions that can help organizations defend against different kinds of cyber attacks, especially those targeting web applications. Their techniques and tools include vulnerability assessments, penetration testing, and security audits. As a CERT-In Empanelled organization, Kratikal can help businesses discover and fix security issues before hackers can take advantage of them.