3CX Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/3cx/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Wed, 26 Apr 2023 15:21:24 +0000 en-US hourly 1 https://wordpress.org/?v=88254 200474804 Supply Chain Attack Leads to 3CX Hack and Other Supply Chain Attacks https://gridinsoft.com/blogs/supply-chain-attack-3cx/ https://gridinsoft.com/blogs/supply-chain-attack-3cx/#respond Tue, 25 Apr 2023 15:06:05 +0000 https://gridinsoft.com/blogs/?p=14386 An investigation into a supply chain attack that hit 3CX last month found that the incident was caused by another supply chain compromise. First, the attackers targeted Trading Technologies, which automates stock trading, and distributed trojanized versions of its software. Let me remind you that the FBI warned about the increase of supply chains attacks,… Continue reading Supply Chain Attack Leads to 3CX Hack and Other Supply Chain Attacks

The post Supply Chain Attack Leads to 3CX Hack and Other Supply Chain Attacks appeared first on Gridinsoft Blog.

]]>

An investigation into a supply chain attack that hit 3CX last month found that the incident was caused by another supply chain compromise.

First, the attackers targeted Trading Technologies, which automates stock trading, and distributed trojanized versions of its software.

Let me remind you that the FBI warned about the increase of supply chains attacks, and the media, for example, wrote that the whole country of Vietnam suffered from a complex supply chain attack.

3CX is a developer of VoIP solutions whose 3CX Phone System is used by more than 600,000 companies worldwide, with more than 12,000,000 daily users. The company’s client list includes such giants as American Express, Coca-Cola, McDonald’s, BMW, Honda, AirFrance, NHS, Toyota, Mercedes-Benz, IKEA and HollidayInn.

Let me remind you that the attack on 3CX took place at the end of March 2023. An Electron-based desktop client, 3CXDesktopApp, was compromised and used to distribute malware to the company’s customers.

Unfortunately, it took 3CX representatives more than a week to respond to numerous customer reports that its software suddenly became malware, although experts from several large information security companies reported this at once, including CrowdStrike, ESET, Palo Alto Networks, SentinelOne and SonicWall.

When the fact of compromise had already become obvious, the head of 3CX said that the ffmpeg binary file used by the 3CX desktop client could serve as the initial penetration vector. However, FFmpeg denied these allegations.

As a result, 3CX advised its customers to remove the malicious desktop client from all Windows and macOS devices and immediately switch to the Web Client App, a progressive web application (PWA) that provides similar functionality.

As it became known now, the attack on 3CX occurred as a result of a compromise of another supply chain. Mandiant experts, who helped 3CX investigate the incident, said that it all started when a trojanized X_Trader installer from Trading Technologies was downloaded and installed on the personal computer of a 3CX employee.

This led to the deployment of a modular VEILEDSIGNAL backdoor designed to execute shellcode, inject the communication module into Chrome, Firefox, and Edge processes, and then self-destruct.

As a result, the group, which the researchers track under the identifier UNC4736, stole corporate credentials from the employee’s device and used them to side-travel the 3CX network, eventually compromising the build environments for Windows and macOS.

In a Windows environment, the attackers deployed the TAXHAUL launcher and the COLDCAT loader, which gained a foothold in the system by intercepting the DLL for IKEEXT and working with LocalSystem privileges. The macOS environment was compromised by the POOLRAT backdoor using LaunchDaemons as a persistence mechanism.reads the report.

That is, the initial compromise of the Trading Technologies website took place more than a year ago: the malicious version of X_Trader, equipped with the VEILEDSIGNAL backdoor, was available for download at the beginning of 2022, and the hack itself happened at the end of 2021. At the same time, it is not entirely clear where exactly the 3CX employee found the trojanized version of X_Trader in 2023.

supply chain attack 3CX

According to experts, the UNC4736 group is associated with the financially motivated Lazarus hacker group from North Korea. Based on infrastructure duplication, the analysts also linked UNC4736 to two other APT43 clusters tracked as UNC3782 and UNC4469.

We determined that UNC4736 is associated with the same North Korean operators based on an analysis of the trojanized X_TRADER application, which was distributed through a hacked site previously mentioned in the Google Threat Analysis Group blog (www.tradingtechnologies[.] com ). This is the first time we have found concrete evidence that an attack on a software supply chain has led to another attack on another software supply chain.Mandiant researchers told Bleeping Computer.

Worse, Mandiant believes that the incident could have affected a number of organizations that are simply not aware of the hack yet.

The post Supply Chain Attack Leads to 3CX Hack and Other Supply Chain Attacks appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/supply-chain-attack-3cx/feed/ 0 14386
3CX Phone System is Struck With Chain Supply Attack https://gridinsoft.com/blogs/3cx-chain-supply-attack/ https://gridinsoft.com/blogs/3cx-chain-supply-attack/#respond Thu, 30 Mar 2023 16:55:18 +0000 https://gridinsoft.com/blogs/?p=13995 3CX Phone System, a desktop app for business phone communication, fell victim to a supply chain attack. Recent updates deliver a forged version of the application that makes it possible to install stealer malware. The actual payload is getting delivered in a 3-stage manner, which makes it harder to track. What is the 3CX Phone… Continue reading 3CX Phone System is Struck With Chain Supply Attack

The post 3CX Phone System is Struck With Chain Supply Attack appeared first on Gridinsoft Blog.

]]>
3CX Phone System, a desktop app for business phone communication, fell victim to a supply chain attack. Recent updates deliver a forged version of the application that makes it possible to install stealer malware. The actual payload is getting delivered in a 3-stage manner, which makes it harder to track.

What is the 3CX Phone System?

3CX Phone System is a software phone communication program developed by an eponymous company. It provides VoIP communication with a connection to PSTN. All of the operations are served in the cloud, which makes it convenient for use even in small companies. As of the beginning of 2023, the company boasted 12+ million customers in over 600,000 companies around the world. The company provides services to the world’s most-known names, such as Toyota, BMW, Avira, McDonald’s, Boss, Hilton, and IKEA.

Being a company with such success and so notable clients is always a serious responsibility, both image- and cash-worthy. That requires corresponding attention to all the elements of your infrastructure and personnel – to avoid any risks related to security breaches. Supply chain management must be even more diligent in security questions, as consequently linked single-purpose elements are often prone to break. And that is what happened to 3CX.

What is the 3CX supply chain attack about?

Supply chain attacks suppose hacker integration at a certain stage of the supply chain. The researchers who examined the case yet did not find a certain place where the breach could have happened. From what is known now, it is clear that hackers managed to forge the installer and force it doing what they want. That clue points to the fact that crooks made their way to the installer’s source code, as it has no problems with certificates and signatures. The attack itself resembles the SolarWinds hack that happened back in 2020.

After launching the installer, an unsuspecting user will see the routine installation procedure. However, in the background, the binary file will connect to a GitHub repository to get an ICO file. That is actually a second-stage payload, which contains data encoded with base64. Short research shows that this data is a set of shell codes, which execution calls for the next step. They force the system to connect to the C2 and pull the third-stage payload.

Malware logs
Network logs that display dubious behaviour of a new update

Third stage – the final one – is a DLL file, a classic form of the vast majority of modern malware. After retrieving the library, one of the shellcodes makes it run. It seems to be an infostealer that grabs web browser data from an infected system, particularly browsing history. Malware aims for a pretty short list of browsers – Chrome, Edge, Firefox and Brave. Such behaviour is different from common spyware and stealers, thus the malware is most likely a brand new one, possibly created specifically for this attack. Threat researchers from SentinelOne, who were the first to detect dubious activity, coined it SmoothOperator.

3CX spyware data collection
Stealer code responsible of data extraction

Is the 3CX attack dangerous?

As any other spyware attack, it is. Despite the less-than-usual amount of data collected by the detected stealer, the potential scale of this attack is tremendous. We already mentioned the number of 3CX users worldwide – and imagine how many potential victims may be among them. Yes, not all users have installed the infested update, and some of them were saved by anti-malware software. But it is possible that they are in the minority.

Given that ignoring the updates is not a very good practice, the only way to protect against such a breach is by using a superb security tool. Its superiority should be defined not only by detection capabilities and amount of functions but also by the zero-trust policy. Regular anti-malware programs generally rely on the trustiness of a program, and will likely ignore malignant activity around a signed installation binary. Zero-trust one, on the other hand, treats any file as potentially hazardous and applies all kinds of checkups to ensure that it is secure.

The post 3CX Phone System is Struck With Chain Supply Attack appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/3cx-chain-supply-attack/feed/ 0 13995