An ongoing supply chain attack has compromised 3CX VoIP software installations: a trojanized build of the 3CX desktop app is being used to carry out further malicious activity on the clients running the vulnerable app.
“We regret to inform our partners and customers that our Electron Windows App shipped in Update 7… includes a security issue,” 3CX CISO Pierre Jourdan said in a statement. “Anti-virus vendors have flagged the executable 3CXDesktopApp.exe and in many cases uninstalled it.”
“The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT,” he continued. “We’re still researching the matter to be able to provide a more in depth response later today.”
The CEO and CISO for 3CX urged network defenders to immediately uninstall the desktop client. The company is currently working on an update to remediate the issue and recommended customers use the PWA app instead as they work on issuing a new certificate for the app.
According to Shodan.io, a site that maps internet-connected devices, there are currently more than 242,519 publicly exposed 3CX phone management systems.
The affected builds are 3CX DesktopApp versions 18.12.407 and 18.12.416 for Windows and Electron Mac App versions 18.11.1213, 18.12.402, 18.12.407 and 18.12.416.
The company determined that the domains contacted by the compromised library have already been reported and the majority were taken down March 29. Jourdan said that “a GitHub repository which listed them has also been shut down, effectively rendering it harmless.”
CrowdStrike’s Falcon OverWatch said its team detected “unexpected malicious activity” that stemmed from a legitimate, signed binary. The activity included “beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.”
The founder of the Objective-See Foundation, Patrick Wardle, reverse-engineered the ongoing attack with “a simple triage” and found “xor loops, timing checks, dynamically resolved APIs, and string obfuscations.”
In short, “static analysis is going to be painful, and thus not recommended!” Wardle warned. “Continued static analysis appears to show the malware expects to download a 2nd-stage payload. This appears to be saved as ‘UpdateAgent’ in the Application Support/3CX Desktop App/ directory.”
Wardle provides a step-by-step analysis of his efforts to reverse engineer the threat, with technical specs and his findings.
Early attribution indicators point to North Korea
While it’s not possible to make a definitive attribution, the ongoing consensus is that the attack was launched by a nation-state threat actor with ties to North Korea.
“The HTTPS beacon structure and encryption key match those observed by CrowdStrike in a March 7, 2023 campaign attributed with high confidence to DPRK-nexus threat actor LABYRINTH CHOLLIMA,” according to CrowdStrike researchers. The post includes full technical details on the likely threat actor.
Jourdan added that it appears to be a targeted attack by an advanced persistent threat (APT) and is possibly state-sponsored.
The “complex supply chain attack” appears to have “picked who would be downloading the next stages of their malware,” Jourdan explained. “The vast majority of systems, although they had the files dormant, were in fact never infected.”
CrowdStrike posted an advisory to Reddit, and within 30 minutes, Huntress received a “support request from a concerned partner” and launched defensive measures against the attack vector. Entities leveraging Falcon OverWatch’s behavior-based indicators of attack should ensure prevention policies are properly configured to catch “suspicious processes.”
Within the Huntress partner base, more than 2,595 incident reports have already been sent out “where the 3CXDesktopApp.exe binary matches known malicious hashes and was signed by 3CX on March 13, 2023.”
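The article gives defenders three concrete things to check: the affected version numbers, the second-stage artifact path Wardle describes (an ‘UpdateAgent’ file under the Application Support/3CX Desktop App/ directory) and a hash match of the installed 3CXDesktopApp.exe against published IOCs. The following script is an added example, not code from 3CX, CrowdStrike or Huntress; it assumes an endpoint inventory has already been collected (platform, version string, SHA-256 of the installed binary and any files seen in the app's support directory), and the IOC hash set is a labelled placeholder because the article does not publish the malicious hashes.

```python
"""Defender-side triage of a 3CX DesktopApp endpoint inventory.

Added example (not vendor or researcher code). Assumes an inventory has
already been gathered from endpoints. KNOWN_BAD_SHA256 is a placeholder:
substitute the SHA-256 IOCs from the vendor / CrowdStrike advisory.
"""
import hashlib
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Affected builds as listed in the advisory.
AFFECTED_VERSIONS = {
    "windows": {"18.12.407", "18.12.416"},
    "mac": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

# PLACEHOLDER hash set (hypothetical): replace with the published IOCs.
KNOWN_BAD_SHA256 = {"0" * 64}

# Second-stage artifact named in Wardle's analysis (macOS app-support folder).
SECOND_STAGE_NAME = "UpdateAgent"
SECOND_STAGE_DIR = PurePosixPath("Application Support/3CX Desktop App")


@dataclass
class Endpoint:
    host: str
    platform: str            # "windows" or "mac"
    version: str             # installed 3CX DesktopApp version string
    binary_sha256: str       # SHA-256 of the installed desktop-app binary
    support_files: list = field(default_factory=list)  # paths seen on disk


def parse_version(v):
    """'18.12.416' -> (18, 12, 416) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected_version(platform, version):
    """True if the installed build is one of the versions named in the advisory."""
    wanted = AFFECTED_VERSIONS.get(platform.lower(), set())
    return parse_version(version) in {parse_version(x) for x in wanted}


def has_second_stage_artifact(support_files):
    """True if an 'UpdateAgent' file sits directly under the 3CX support dir."""
    for f in support_files:
        p = PurePosixPath(f)
        if p.name == SECOND_STAGE_NAME and p.parent.parts[-2:] == SECOND_STAGE_DIR.parts:
            return True
    return False


def sha256_of_file(path):
    """Hash a binary on disk in chunks so large installers do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(endpoint, bad_hashes=KNOWN_BAD_SHA256):
    """Return the findings for one host; an empty list means nothing matched."""
    findings = []
    if is_affected_version(endpoint.platform, endpoint.version):
        findings.append("affected-version")
    if endpoint.binary_sha256.lower() in {h.lower() for h in bad_hashes}:
        findings.append("ioc-hash-match")
    if has_second_stage_artifact(endpoint.support_files):
        findings.append("second-stage-artifact")
    return findings


def triage_fleet(endpoints, bad_hashes=KNOWN_BAD_SHA256):
    """Map host -> findings for a whole inventory."""
    return {e.host: triage(e, bad_hashes) for e in endpoints}


# Constructed sample inventory (hostnames, hashes and paths are made up).
CONSTRUCTED_FLEET = [
    Endpoint("win-01", "windows", "18.12.416", "0" * 64),
    Endpoint("win-02", "windows", "18.12.398", "a" * 64),
    Endpoint("mac-01", "mac", "18.12.407", "b" * 64,
             ["/Users/jo/Library/Application Support/3CX Desktop App/UpdateAgent"]),
    Endpoint("mac-02", "mac", "18.11.1213", "c" * 64,
             ["/Users/jo/Library/Application Support/3CX Desktop App/config.json"]),
]

if __name__ == "__main__":
    for host, findings in triage_fleet(CONSTRUCTED_FLEET).items():
        print(f"{host}: {', '.join(findings) or 'clean'}")
```

A version-only hit means the dormant trojanized files are present and the client should be uninstalled per the vendor guidance; a hash match or the presence of the UpdateAgent artifact is the stronger signal that a host was selected for the second stage and warrants incident response rather than just patching.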
The Falcon OverWatch Reddit post also includes hunting tactics, atomic indicators, and IOCs, as well as support links.
CrowdStrike said it will continue to update the post, given the ongoing situation. The latest update Thursday morning shows there’s a “sleep function in the weaponized binary.” Its purpose is currently unclear, but “dynamic analysis defense evasion is a likely motive.”
The Cybersecurity and Infrastructure Security Agency has already issued an alert, which includes links to support remediation.