
3CX hack: The Latest Supply Chain Target – What You Need to Know


On Thursday, enterprise communications software maker 3CX confirmed that a supply chain attack affects multiple versions of its desktop app for Windows and macOS.

The version numbers include 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 for macOS.

The company said it’s engaging the services of Google-owned Mandiant to review the incident. In the interim, it’s urging its customers of self-hosted and on-premise software versions to update to version 18.12.422.

A long-running conspiracy finally unveiled

In a recent blog post, 3CX CEO Nick Galea assured users that Hosted and StartUP users need not update their servers manually, as they will be updated automatically overnight.

“3CX Hosted and StartUP users do not need to update their servers as we will be updating them overnight automatically,” 3CX CEO Nick Galea wrote.

“Servers will be restarted, and the new Electron App MSI/DMG will be installed on the server.”

However, a supply chain attack has affected the company’s Windows and macOS versions of the app package. The attack could have occurred via a compromise of 3CX’s software build pipeline or by poisoning an upstream dependency. 

Currently, the full extent of the incident is unknown. A post on the 3CX forum revealed that the earliest signs of suspicious activity were detected on or around March 22, 2023. According to sources, preparations for the sophisticated attack began in February 2022.

Uncovering the Windows attack technique: DLL side-loading

The recent security breach in 3CX’s app revealed a new DLL side-loading attack technique. The attackers used this method to load a malicious library named “ffmpeg.dll” through another DLL called “d3dcompiler_47.dll,” which reads encrypted shellcode. Despite initial false alarms, this incident highlights the importance of vigilance in detecting and addressing potential security threats.
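Because the side-loaded libraries carry names that belong in a normal Electron install, a name-based check finds nothing; what does catch a swapped DLL is comparing each file against a known-good hash taken from the vendor's release rather than from the installed copy. The following is an added example written for this article, not code from 3CX or from any of the researchers cited here. It builds a constructed application directory in a temporary folder, with a constructed manifest of SHA-256 values, and reports DLLs that are modified, unexpected, or missing.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_app_dir(app_dir: Path, manifest: dict) -> dict:
    """Compare every .dll in app_dir against a manifest of {name: sha256}.

    The manifest must come from a trusted source (the vendor's signed release
    listing or a baseline taken before installation); hashing the installed
    copy and trusting it would defeat the purpose of the check.
    """
    result = {"modified": [], "unexpected": [], "missing": []}
    present = {p.name.lower(): p for p in app_dir.iterdir()
               if p.is_file() and p.suffix.lower() == ".dll"}
    expected_names = {name.lower() for name in manifest}

    for name, expected_hash in manifest.items():
        found = present.get(name.lower())
        if found is None:
            result["missing"].append(name)
        elif sha256_file(found) != expected_hash.lower():
            result["modified"].append(name)

    for name in present:
        if name not in expected_names:
            result["unexpected"].append(name)

    for key in result:
        result[key].sort()
    return result


def demo() -> dict:
    """Constructed scenario: one tampered DLL, one intact, one extra, one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp)
        good_ffmpeg = b"constructed known-good ffmpeg.dll bytes"
        good_d3d = b"constructed known-good d3dcompiler_47.dll bytes"
        # Hypothetical manifest; real values would come from the vendor's release.
        manifest = {
            "ffmpeg.dll": hashlib.sha256(good_ffmpeg).hexdigest(),
            "d3dcompiler_47.dll": hashlib.sha256(good_d3d).hexdigest(),
            "libEGL.dll": hashlib.sha256(b"constructed libEGL bytes").hexdigest(),
        }
        (app_dir / "ffmpeg.dll").write_bytes(good_ffmpeg + b" tampered")  # modified
        (app_dir / "d3dcompiler_47.dll").write_bytes(good_d3d)            # intact
        (app_dir / "extra.dll").write_bytes(b"not listed in manifest")    # unexpected
        # libEGL.dll is deliberately not written, so it shows up as missing.
        return verify_app_dir(app_dir, manifest)


if __name__ == "__main__":
    print(demo())
```

Run on a real install, `verify_app_dir` would be pointed at the application folder with a manifest exported from the vendor's release page or a signed SBOM; a non-empty `modified` or `unexpected` list for libraries such as ffmpeg.dll or d3dcompiler_47.dll is the signal a name-only check misses.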

Lazarus group attack targets 3CX desktop app using unobtrusive libraries

According to cybersecurity firm Sophos, a recent attack on 3CXDesktopApp involved a Lazarus Group shellcode that matched previous incidents. 

The attack utilized an ICO file to access URLs hosting a data-stealing malware called ICONIC Stealer. Interestingly, the malware relied on two specific DLLs, ffmpeg and d3dcompiler_47, which are typically found in the Electron runtime and are therefore unlikely to raise suspicion.

ReversingLabs researcher Karlo Zanki noted, “The choice of these two DLLs…was no accident.” The attack highlights the sophistication and stealth of the Lazarus Group’s tactics.

Labyrinth Chollima launches trojanized 3CX applications

Security researchers have discovered a new attack chain that targets macOS and allows the download of an unknown payload from a command-and-control server. This attack is believed to be the work of Labyrinth Chollima, a North Korea-aligned state-sponsored actor and a subset of the Lazarus Group.

Volexity, tracking the activity under the cluster UTA0040, noted that the macOS version:

  • bypasses Apple’s notarization checks, and
  • stores a list of C2 servers in a file encoded with a single-byte XOR key.
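A single-byte XOR key hides strings from a casual `strings` pass but leaves only 256 possibilities, so an analyst can recover such a list by trying every key and scoring the candidates. The following is an added example written for this article, not Volexity's tooling or code from the malware; the encoded blob is constructed here from RFC 2606 reserved example hostnames under an arbitrary key, and the scoring (printable ratio plus URL pattern hits) is one reasonable heuristic, not a description of the actual file format.

```python
import re
import string

PRINTABLE = set(string.printable.encode())
# Loose URL pattern: scheme, host, optional port, optional path.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s]*)?")

# Constructed sample: newline-separated URLs encoded under one XOR byte.
# The hostnames are reserved documentation names, not real infrastructure.
SAMPLE_KEY = 0x7A
SAMPLE_PLAINTEXT = b"https://c2-one.example.com/\nhttps://c2-two.example.net/\n"
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAINTEXT)


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key (its own inverse)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 1.0 for clean text."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def rank_keys(blob: bytes) -> list:
    """Try all 256 keys and rank candidates, best first.

    Score = printable ratio (0..1) + number of URL-shaped matches, so a key
    that yields readable text containing URLs dominates keys that merely
    produce printable noise.
    """
    scored = []
    for key in range(256):
        candidate = xor_single_byte(blob, key)
        urls = URL_RE.findall(candidate)
        scored.append((printable_ratio(candidate) + len(urls), key, urls))
    scored.sort(key=lambda t: (t[0], -t[1]), reverse=True)
    return scored


def recover_c2_list(blob: bytes) -> tuple:
    """Return (best_key, decoded_urls) for a single-byte-XOR-encoded blob."""
    score, key, urls = rank_keys(blob)[0]
    return key, [u.decode("ascii", "replace") for u in urls]


if __name__ == "__main__":
    key, urls = recover_c2_list(SAMPLE_BLOB)
    print(f"key=0x{key:02x}")
    for u in urls:
        print(u)
```

On a real sample, the candidate with the top score is worth a manual look rather than blind trust: a file that mixes text with binary structure lowers the printable ratio, and a blob with no URL-shaped content needs a different scorer (for example, a count of common English bigrams or of expected delimiters).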

CrowdStrike, which has attributed the attack to Labyrinth Chollima with high confidence, reported that the trojanized 3CX applications invoke a variant of ArcfeedLoader, malware uniquely attributed to the group. 

This attack targets a wide range of organizations across various verticals without any discernible pattern, making it difficult to predict and prevent.

Google blocks 3CX MSI installers due to an old security certificate

3CX, a VoIP software provider, is facing restrictions on downloads of its MSI installers due to an old security certificate. In an update on Friday, the company noted that Google had prohibited the downloads through its Chrome web browser, and several antivirus engines were blocking software signed with the old certificate. 

The affected installers include:

  • SBC for Windows, 
  • the Windows desktop app, and 
  • Call Flow Designer. 

Although some customers have reported being able to download the latest version through Chrome, 3CX is taking steps to rectify the situation by creating new MSI installers with a new certificate and a build server. 

However, this process is expected to take at least eight hours. Meanwhile, the company urges customers to use the web app (PWA) version instead.

Conclusion 

The recent events surrounding 3CX highlight the importance of maintaining up-to-date security certificates and the potential consequences of neglecting this aspect. The restrictions on downloads of MSI installers through Google’s Chrome web browser and software blocking by several antivirus engines have caused significant inconvenience to customers.

However, 3CX’s swift response in creating new MSI installers with a new certificate and build server is a positive step towards rectifying the situation. In the meantime, the company’s encouragement of its customers to use the web app (PWA) version is a helpful alternative. 

All organizations need to prioritize security measures and ensure that their software is always up-to-date to avoid similar incidents in the future.

Author: PureVPN

Date: April 3, 2023
