A significant supply chain breach of 3CX software, disclosed on March 29, 2023, resulted in malware being spread internationally across numerous industries. It is comparable to other high-profile supply chain attacks such as SolarWinds in that the attackers target a popular product or service used by many large organizations rather than a single organization.
The supplier in this case is 3CX, a software business that produces a popular VoIP softphone system. 3CX states that it serves over 600,000 customers worldwide with more than 12 million daily users, and dozens of well-known corporate enterprises are among its clients.
Mandiant later revealed that it had identified patient zero of the operation, which potentially exposed a large portion of 3CX's 600,000 customers. According to Mandiant, the same actors who compromised 3CX had earlier compromised a 3CX employee's PC through a separate software-supply-chain attack that trojanized an application from the financial software firm Trading Technologies, making this a double supply chain attack. Mandiant tracks the actor as UNC4736, which it assesses to have a North Korean government nexus and whose activity overlaps with the AppleJeus operations attributed to the Lazarus Group.
The trojanized binary affects both the Electron Windows app (versions 18.12.407 and 18.12.416) and the Electron macOS app (versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416). Users who installed Update 7 or a fresh instance of one of these versions may be affected. Shodan listed about a quarter-million publicly exposed 3CX management consoles as of March 30.
After a full install (via the MSI) or the update (Update 7), 3CXDesktopApp.exe loads a trojanized ffmpeg.dll, which in turn sideloads d3dcompiler_47.dll. ffmpeg.dll then extracts and decrypts the second-stage payload, which is appended to d3dcompiler_47.dll. Note that d3dcompiler_47.dll is a legitimately Microsoft-signed DLL, and the appended data does not invalidate its Authenticode signature because of the long-standing WinVerifyTrust padding issue (CVE-2013-3900), so a signature check alone will not flag it. The second stage, which Mandiant names SUDDENICON, is encrypted with RC4 using the static key "3jB(2bsG#@c7", which several organizations have identified as a key reused in earlier malware linked to North Korean (DPRK) state-sponsored threat actors.
The second stage then sleeps for seven days before attempting to download one of sixteen Windows icon files (.ICO) from a public (now removed) GitHub repository. A base64 string is appended to the end of these otherwise valid icon files; decoding it yields the URL of the C2 server. At least one of the icons was first committed to GitHub on December 7, 2022. The macOS version does not retrieve its C2 address from GitHub; instead, a list of C2 servers encoded with a single-byte XOR key is embedded in the binary itself.
After contacting the C2 server obtained from the .ICO file, the implant downloads the final stage to the victim machine. This last stage is a previously unseen information stealer, which Mandiant calls ICONICSTEALER. It collects basic system information as well as browsing history and data from the Chrome, Edge, Brave, and Firefox browsers.
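The two mechanics above that an analyst actually has to reproduce during triage are the static-key RC4 decryption of the second stage and the recovery of a C2 URL from data appended past the end of a valid ICO file. The script below is an added example written for this page, not code from 3CX, Mandiant or the malware itself. The only real value in it is the reported RC4 key; the ICO container, the "C2" URL (https://c2.example.invalid/update) and the "second stage" bytes are constructed inline so it runs offline. The ICO trailer is located by parsing the ICONDIR/ICONDIRENTRY table and taking everything after the last referenced image, which is what makes the appended base64 detectable without knowing the exact icon in advance.

```python
import base64
import binascii
import re
import struct
from typing import Optional

# Static RC4 key reported for the SUDDENICON stage (the only real value in this file).
RC4_KEY = b"3jB(2bsG#@c7"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ico_payload_end(ico: bytes) -> int:
    """Offset just past the last image referenced by the ICO directory.
    Anything after this offset is not part of a well-formed icon."""
    reserved, kind, count = struct.unpack_from("<HHH", ico, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = 6 + 16 * count                      # ICONDIR + ICONDIRENTRY table
    for n in range(count):
        size, offset = struct.unpack_from("<II", ico, 6 + 16 * n + 8)
        end = max(end, offset + size)
    return end


def extract_appended_data(ico: bytes) -> Optional[bytes]:
    """Return the base64-decoded trailer of an ICO, or None if there is no
    trailer or it is not base64. This is the hiding technique described above."""
    trailer = re.sub(rb"\s+", b"", ico[ico_payload_end(ico):])
    if not trailer:
        return None
    try:
        return base64.b64decode(trailer + b"=" * (-len(trailer) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def build_sample_ico(image: bytes) -> bytes:
    """Constructed minimal single-image ICO container (not a real campaign file)."""
    header = struct.pack("<HHH", 0, 1, 1)                # reserved, type=icon, count=1
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(image), 6 + 16)
    return header + entry + image


# Constructed sample: a clean icon, and the same icon with a hypothetical C2 URL
# appended as base64 the way the campaign's icons carried theirs.
C2_URL = b"https://c2.example.invalid/update"
CLEAN_ICO = build_sample_ico(b"\x89PNG" + bytes(60))
SAMPLE_ICO = CLEAN_ICO + base64.b64encode(C2_URL)

# Constructed sample "second stage", RC4-encrypted under the static key so that
# the loader-side decryption can be shown.
ENCRYPTED_STAGE2 = rc4(RC4_KEY, b"constructed second-stage bytes")


if __name__ == "__main__":
    print("C2 from icon trailer:", extract_appended_data(SAMPLE_ICO))
    print("clean icon trailer:", extract_appended_data(CLEAN_ICO))
    print("stage 2 decrypted:", rc4(RC4_KEY, ENCRYPTED_STAGE2))
```

Pointing extract_appended_data at any suspicious .ico pulled from a 3CX host gives a quick yes/no on the trailer technique; a decoded trailer that is not a URL is still worth keeping, since later variants could layer further encoding on top of the base64.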
Double Supply Chain Attack
According to Mandiant's findings, the attackers obtained access to 3CX's network in 2022 after one of the company's employees installed Trading Technologies' X_TRADER futures trading software on their personal computer. That installer had been trojanized with a backdoor Mandiant calls VEILEDSIGNAL as part of a separate software supply-chain attack.
Trading Technologies had retired X_TRADER in 2020, but it was still available for download from the company's website in 2022. The trojanized version was digitally signed with a Trading Technologies certificate that was not due to expire until October 2022, so the signature alone gave no warning. The VEILEDSIGNAL backdoor gave the attackers administrator-level access to the employee's personal computer, from which they stole the employee's corporate credentials. Two days later they used those credentials to enter 3CX's network over VPN, harvested further credentials, and moved laterally. To keep a persistent foothold they deployed the open-source Fast Reverse Proxy (FRP).
“Eventually, the attacker was able to compromise both the Windows and macOS build environments,” according to the Mandiant incident responders. “On the Windows build environment, the attacker installed a TAXHAUL launcher and a COLDCAT downloader, which persisted by performing DLL side-loading via the IKEEXT service and ran with LocalSystem privileges.” The POOLRAT backdoor was installed on the macOS build server and used Launch Daemons as a persistence mechanism.
While this may be the first confirmed case of one software supply-chain attack leading directly to another, security researchers have warned about the possibility for years, and there have been earlier suspicions that it had occurred.
Detecting the 3CX Attack
- Look for DLL load events by 3CXDesktopApp.exe: ffmpeg.dll and d3dcompiler_47.dll are the known trojanized modules, but treat other DLLs loaded from the application's own directory as suspect too, since additional names may surface.
- Look for DNS events generated by 3CXDesktopApp.exe; the current payload resolves github.com, but any other cloud-hosted service could be abused by the threat actor for the same purpose, so baseline what the application normally resolves and alert on deviations.
- Watch for hands-on-keyboard activity: reconnaissance commands spawned by 3CXDesktopApp.exe should appear in process creation telemetry, and files it writes should appear in file creation telemetry.
- Investigate all systems thoroughly to establish the scope of the compromise, including every affected host and the data it holds.
- 3CX's own guidance at the time was to uninstall the affected Electron desktop app and use the web (PWA) client until a clean build was available.
- Conduct regular supply chain security audits to verify that third-party software and components are trustworthy and kept current.
- Regularly monitor the network for abnormal activity that could indicate a compromise, such as unauthorized access attempts or data exfiltration.
- Keep up with current threat intelligence and security advisories so that emerging threats and vulnerabilities can be mitigated proactively and responded to quickly in the event of an attack.
- Run reputable endpoint protection software on connected devices such as PCs, laptops, and mobile devices.
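The first three hunts in the list above translate directly into rules over endpoint telemetry. The script below is an added example for this page, not a detection shipped by 3CX or any vendor: it applies those hunts to Sysmon-style event dictionaries (ImageLoad, DnsQuery, ProcessCreate, FileCreate). The two DLL names and the GitHub hosting domains come from the article; the install path under %LOCALAPPDATA%, the EXPECTED_DNS allowlist (a placeholder you must tune to your own environment), the hostname activation.3cx.com and every event in SAMPLE_EVENTS are constructed for illustration, not real indicators.

```python
import ntpath
from typing import Dict, List, Tuple

APP = "3cxdesktopapp.exe"
TROJANIZED_DLLS = {"ffmpeg.dll", "d3dcompiler_47.dll"}      # named in the article
C2_HOSTING = {"github.com", "raw.githubusercontent.com"}     # payload hosting seen in the campaign
# Assumption: domains the softphone legitimately resolves in your environment. Tune it.
EXPECTED_DNS = {"3cx.com"}
RECON_TOOLS = {"whoami.exe", "net.exe", "net1.exe", "cmd.exe", "powershell.exe",
               "ipconfig.exe", "nltest.exe", "systeminfo.exe", "tasklist.exe"}
DROPPED_EXTS = {".dll", ".exe", ".ico", ".ps1", ".bat", ".vbs"}

Finding = Tuple[str, str, str]  # (severity, rule, detail)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _matches(host: str, suffixes) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def analyze(events: List[Dict]) -> List[Finding]:
    """Apply the DLL-load, DNS and hands-on-keyboard hunts to Sysmon-style events."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7 and _base(ev["Image"]) == APP:                     # ImageLoad
            dll = ev["ImageLoaded"]
            if _base(dll) in TROJANIZED_DLLS:
                findings.append(("high", "known trojanized DLL loaded", dll))
            elif ntpath.dirname(dll).lower() == ntpath.dirname(ev["Image"]).lower():
                # Unknown DLL loaded from the app's own directory: sideload candidate.
                findings.append(("medium", "sideload candidate from app directory", dll))
        elif eid == 22 and _base(ev["Image"]) == APP:                  # DnsQuery
            q = ev["QueryName"]
            if _matches(q, C2_HOSTING):
                findings.append(("high", "softphone resolved known payload-hosting domain", q))
            elif not _matches(q, EXPECTED_DNS):
                findings.append(("medium", "softphone resolved unexpected domain", q))
        elif eid == 1 and _base(ev["ParentImage"]) == APP:             # ProcessCreate
            child = _base(ev["Image"])
            sev = "high" if child in RECON_TOOLS else "medium"
            findings.append((sev, "child process spawned by softphone", ev["CommandLine"]))
        elif eid == 11 and _base(ev["Image"]) == APP:                  # FileCreate
            target = ev["TargetFilename"]
            if ntpath.splitext(target)[1].lower() in DROPPED_EXTS:
                findings.append(("medium", "executable/icon written by softphone", target))
    return findings


# Constructed sample telemetry (paths, hostnames and commands are illustrative only).
APP_DIR = r"C:\Users\alice\AppData\Local\Programs\3CXDesktopApp\app"
APP_EXE = APP_DIR + r"\3CXDesktopApp.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": APP_EXE, "ImageLoaded": APP_DIR + r"\ffmpeg.dll"},
    {"EventID": 7, "Image": APP_EXE, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": APP_EXE, "ImageLoaded": APP_DIR + r"\d3dcompiler_47.dll"},
    {"EventID": 22, "Image": APP_EXE, "QueryName": "raw.githubusercontent.com"},
    {"EventID": 22, "Image": APP_EXE, "QueryName": "activation.3cx.com"},
    {"EventID": 1, "ParentImage": APP_EXE, "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami /all"},
    {"EventID": 11, "Image": APP_EXE,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\icon.ico"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": APP_EXE,
     "CommandLine": '"' + APP_EXE + '"'},
]


if __name__ == "__main__":
    for sev, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {detail}")
```

The kernel32.dll load and the explorer.exe-launched softphone produce no findings, which is the point of comparing directories rather than matching on names alone: a legitimate Electron softphone loads plenty of DLLs, but a loader in its own install folder that is not part of the shipped product is what the sideload chain depends on.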