3CX Supply Chain Attack: 8 Biggest Things To Know

We break down what you need to know about the compromise of widely used phone system software from 3CX, which is being likened to the attacks on SolarWinds and Kaseya.

Potentially ‘Massive’ Attack

The supply chain compromise of a widely used VoIP phone system vendor, 3CX, has led to attacks against numerous customers and prompted comparisons to some of the largest breaches in recent memory — including the 2020 attack on SolarWinds and the 2021 breach of Kaseya. And it could end up being an even bigger supply chain attack than SolarWinds, given that 3CX reports having more than 600,000 customers, double the number of SolarWinds customers at the time of the attack on that company.

At the same time, the 3CX attack — which was first caught earlier this week by threat hunters at CrowdStrike — was discovered much sooner than the attack against SolarWinds, taking only weeks to be caught instead of months, said Adam Meyers, head of intelligence at CrowdStrike, in an interview with CRN. “This gives you some sense that some of us are stepping up and catching these things in a much faster cadence,” Meyers said.

[Related: 3CX Supply Chain Attack: Big Questions Remain ]

Both the Windows and macOS versions of the 3CX app are affected, executives from 3CX acknowledged Thursday. Reports from researchers at numerous security vendors since Wednesday have pointed to an active campaign using a compromised version of the 3CX app to target the company’s customers. Major customers listed by 3CX include American Express, McDonald’s, Coca-Cola, NHS, Toyota, BMW and Honda.

Researchers from CrowdStrike, Sophos and SentinelOne disclosed that they’ve observed malicious activity originating from a trojanized version of the desktop VoIP app from 3CX. CRN has reached out to 3CX for comment.

Researchers from CrowdStrike have attributed the attack to a group working on behalf of the North Korean government.

Ultimately, “this has the potential to be a massive supply chain attack, likened well enough to the SolarWinds incident or the Kaseya VSA ransomware attack in years past,” wrote John Hammond, senior security researcher at Huntress, in a post Thursday.

Like with the SolarWinds breach, the 3CX attack poses a major concern because “the attacker needs to only carry off one successful attack to get their bad code somewhere, and then thousands of people download that bad code,” said Christopher Budd, senior manager of threat research at Sophos, an interview with CRN Thursday. “If I wanted to compromise 100 companies, my choices are to carry out 100 attacks — or figure out where those 100 companies are going to get [an application] and download it, and carry off one attack, and get them to download it for me.”

What follows are the eight biggest things you need to know about the 3CX supply chain attack.

Timeline And Tactics

Researchers have observed multiple stages in the 3CX attack, which included facilitating what’s known as “command-and-control” communication to a number of external servers.

CrowdStrike has observed activity that suggests the compromise of the 3CX Windows app occurred as far back as March 8, Meyers said, which would mean the attack continued for less than a month before being discovered. In the SolarWinds attack, by contrast, researchers believe that attackers went unnoticed for an estimated nine months in 2020, only being discovered in December of that year. CrowdStrike determined that the attack was real — and that the indicators of the attack were not a false positive — and engaged 3CX about it, Meyers told CRN. “It shows the reason why you have to have human threat hunters involved in this stuff — automation can’t answer all these questions alone,” he said.

A malicious implant inside of two dynamic link library (DLL) files used by the 3CX app was the first stage of the attack. The second-stage payload deployed by the attackers is still being analyzed, but the goal of it was to allow the threat actor to profile the system and understand what was on it, Meyers said.

What Software Is Affected?

3CX executives said the compromised software was found in Update 7, version numbers 18.12.407 and 18.12.416, of its Windows desktop app. The macOS app — versions 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 are affected, as well, according to 3CX.

“The 3CX download available on the official public website had included malware,” Huntress’ Hammond wrote in his post. Additionally, “installations already deployed will update, and ultimately pull down this malware that includes a backdoored DLL file, ffmpeg.dll and an anomalous d3dcompiler_47.dll.”

The fact that both Windows and macOS versions of the 3CX app were impacted is notable, according to Meyers. It “shows that this threat actor had thought through the capabilities on both Windows and Mac,” which is fairly uncommon, he said.

Compromised Code

Attackers used a “fairly sophisticated attack technique” to insert the malicious code into the DLL files that the 3CX desktop app relies upon, Sophos’ Budd said. The attack technique is known as DLL sideloading, and has existed for more than a decade, he said. One analogy would be that if you hire a contractor to do work on your house, the DLL file would equate to a nefarious subcontractor who is now unknowingly able to access your home and snoop around in it, Budd said.

The threat actors in this attack were even sneakier in one respect, however, because they carried out an extra step that ensured that the 3CX software would still function normally, according to Budd. “If you downloaded the compromised application and you’re using it, it’s working just fine. You can’t tell anything is wrong with it,” he said.

The attack has also involved utilizing a code-signing certificate to provide the software’s trojanized binaries with legitimacy, according to security researchers.

What Customers Should Do

The recommendation from 3CX executives is to uninstall the desktop 3CX client. “Step one is getting the malicious code off of your systems,” Sophos’ Budd said.

That’s not necessarily enough, however, given that the attackers have now potentially had access to a customer’s network for an unknown amount of time. “Where it gets trickier — and we saw this with SolarWinds, for instance — is that with attacks like this, attackers want to maintain what we call persistence,” Budd said. For particularly important targets, the attackers may have implemented a method for them to be able to continue gaining access to the network, even if their initial route of access is removed with the 3CX software updates.

“I’ve got the bad version out I’ve got the bad DLL out — but have the attackers had access to my network and have they done anything to maintain persistence on their own? And if so, what [did they do]?” Budd said. “In incident response, that’s almost the hand-to-hand combat stage.”

How Did The Attackers Get In?

So far, while 3CX executives have acknowledged the attack and pledged to release a new version of the app soon, the company has not yet said how the attackers initially managed to get into its software supply chain, Budd said. There are two most likely scenarios, however. One is that the attackers somehow compromised the download server, and substituted their malicious version of the software for the legitimate version, Budd said. Another likely possible scenario is what occurred with the SolarWinds attack, in which some part of the development environment or development process used by 3CX was compromised, prior to the posting of the software on the download site, according to Budd.

“Everyone in the community will be looking for more information on how this happened — how the bad bits got to the download site. And based on what happened, what they are going to do to address whatever weakness, or functional or operational vulnerability, was exploited,” he said.

Do Hackers Still Have Access?

It’s possible the hackers behind the attack on 3CX and its customers may still be able to compromise additional updates by the vendor to the app, according to a security researcher from Huntress. In a post Thursday, 3CX Chief Information Security Officer Pierre Jourdan wrote that the company is “working on a new Windows App that does not have the issue.” However, it’s not certain that the threat actor’s access to the 3CX supply chain has been severed, wrote John Hammond, senior security researcher at Huntress, in a post Thursday.

“It is not yet clear whether or not adversaries still have access to the 3CX supply chain in order to poison future updates,” Hammond wrote. “Perhaps this may change the tradecraft we see in the coming days.”

Customer Reassessments

Given that it’s unclear whether attackers may still have access to the 3CX supply chain — and because it revealed severe issues in the company’s cyber defenses — the attack raises questions about the risks of continuing to use 3CX as a vendor.

Ultimately, “everyone who is a customer will and should engage in a new risk assessment of this vendor — based on what’s happened, what information is released, what steps they’ve taken — and make a new risk-reward determination,” Sophos’ Budd told CRN.

Doing this type of risk assessment based on security is also the right approach when it comes to any new product that is being considered for usage, Budd said.

“You are relying on on the security and the quality of your vendor when you add them to your network,” he said. “People should be making a, ‘Do I trust this vendor?’ risk assessment every time they’re installing something new.”

Who Is Behind The Attack?

Currently, the consensus in the security community is that hackers working for North Korea’s government were behind the 3CX attack. CrowdStrike has attributed the attack to a North Korea-affiliated group that it calls Labyrinth Chollima, Meyers said. That attribution is based on the use of certain technology, infrastructure, installation techniques and command-and-control techniques previously associated with the group, according to Meyers.

The evidence pointing to North Korea is significant because “you don’t typically hear about [the country] in the same breath as supply chain attacks,” Meyers said. Still, while many tend to write off North Korea as a threat due to its stature overall, “North Korea is extremely confident and capable” when it comes to malicious cyber activity, he said. “The reality is that they’ve been looking at cyber capabilities since the ‘90s,” he said. “They train and recruit down to the middle school level inside of North Korea. They are very capable threat actors, who also engage in revenue generation for the regime to pay for missiles and nuclear testing and things like that, because they’ve been cut off from the broader global economy. And so they have to find other ways to be able to do that.”