Potentially ‘Massive’ Attack
The supply chain compromise of a widely used VoIP phone system vendor, 3CX, has led to attacks against numerous customers and prompted comparisons to some of the largest breaches in recent memory — including the 2020 attack on SolarWinds and the 2021 breach of Kaseya. And it could end up being an even bigger supply chain attack than SolarWinds, given that 3CX reports having more than 600,000 customers, double the number of SolarWinds customers at the time of the attack on that company.
At the same time, the 3CX attack — which was first caught earlier this week by threat hunters at CrowdStrike — was discovered much sooner than the attack against SolarWinds, taking only weeks to be caught instead of months, said Adam Meyers, head of intelligence at CrowdStrike, in an interview with CRN. “This gives you some sense that some of us are stepping up and catching these things in a much faster cadence,” Meyers said.
Both the Windows and macOS versions of the 3CX app are affected, executives from 3CX acknowledged Thursday. Reports from researchers at numerous security vendors since Wednesday have pointed to an active campaign using a compromised version of the 3CX app to target the company’s customers. Major customers listed by 3CX include American Express, McDonald’s, Coca-Cola, NHS, Toyota, BMW and Honda.
Researchers from CrowdStrike, Sophos and SentinelOne disclosed that they’ve observed malicious activity originating from a trojanized version of the desktop VoIP app from 3CX. CRN has reached out to 3CX for comment.
Researchers from CrowdStrike have attributed the attack to a group working on behalf of the North Korean government.
Ultimately, “this has the potential to be a massive supply chain attack, likened well enough to the SolarWinds incident or the Kaseya VSA ransomware attack in years past,” wrote John Hammond, senior security researcher at Huntress, in a post Thursday.
Like the SolarWinds breach, the 3CX attack poses a major concern because “the attacker needs to only carry off one successful attack to get their bad code somewhere, and then thousands of people download that bad code,” said Christopher Budd, senior manager of threat research at Sophos, in an interview with CRN Thursday. “If I wanted to compromise 100 companies, my choices are to carry out 100 attacks — or figure out where those 100 companies are going to get [an application] and download it, and carry off one attack, and get them to download it for me.”
What follows are the eight biggest things you need to know about the 3CX supply chain attack.
Timeline And Tactics
Researchers have observed multiple stages in the 3CX attack, which included facilitating what’s known as “command-and-control” communication to a number of external servers.
CrowdStrike has observed activity that suggests the compromise of the 3CX Windows app occurred as far back as March 8, Meyers said, which would mean the attack continued for less than a month before being discovered. In the SolarWinds attack, by contrast, researchers believe that attackers went unnoticed for an estimated nine months in 2020, only being discovered in December of that year. CrowdStrike determined that the attack was real — and that the indicators of the attack were not a false positive — and engaged 3CX about it, Meyers told CRN. “It shows the reason why you have to have human threat hunters involved in this stuff — automation can’t answer all these questions alone,” he said.
A malicious implant inside of two dynamic link library (DLL) files used by the 3CX app was the first stage of the attack. The second-stage payload deployed by the attackers is still being analyzed, but the goal of it was to allow the threat actor to profile the system and understand what was on it, Meyers said.
What Software Is Affected?
3CX executives said the compromised software was found in Update 7, version numbers 18.12.407 and 18.12.416, of its Windows desktop app. For the macOS app, versions 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 are affected as well, according to 3CX.
“The 3CX download available on the official public website had included malware,” Huntress’ Hammond wrote in his post. Additionally, “installations already deployed will update, and ultimately pull down this malware that includes a backdoored DLL file, ffmpeg.dll and an anomalous d3dcompiler_47.dll.”
The fact that both Windows and macOS versions of the 3CX app were impacted is notable, according to Meyers. It “shows that this threat actor had thought through the capabilities on both Windows and Mac,” which is fairly uncommon, he said.