What is the 3CX supply chain attack?
CrowdStrike reported[1] on 29 March 2023 on an attack targeting at least Windows and MacOS users of the 3CX Desktop App. Their publication shared indicators showing legitimately used, vendor-signed software being leveraged for the attack: the malicious activity followed from execution of the (signed) softphone application 3CXDesktopApp itself, so code-signing checks alone do not flag it. The trojanised build applies to (at least) Update 7, versions 18.12.407 and 18.12.416 for Windows and 18.11.1213 for MacOS. CrowdStrike reported activity including:
- Beaconing to actor-controlled infrastructure;
- Deployment of second-stage payloads;
- And hands-on-keyboard activity.

The application can be used on Windows, MacOS, Linux and mobile. This does not necessarily mean all those platforms are impacted; it is nonetheless advised to check for the presence of the indicators in your environment. CrowdStrike suspects nation-state involvement by the threat actor LABYRINTH CHOLLIMA (aka APT38 or Lazarus Group). LABYRINTH CHOLLIMA is one of the most prolific Democratic People’s Republic of Korea (DPRK) adversaries and has been active since at least 2009. CrowdStrike assesses this adversary is likely affiliated with Bureau 121 of the DPRK’s Reconnaissance General Bureau (RGB) and primarily conducts espionage operations aimed at, among others, the U.S. and Republic of Korea (RoK) militaries.
What is a supply chain attack?
A supply chain attack is a type of cyber attack that targets the software, hardware, or services provided by a third-party vendor or supplier in order to gain unauthorized access to an organization's systems or data, as seen before with, for instance, the SolarWinds[2] attack in 2020. In this type of attack, the attacker exploits vulnerabilities or weaknesses in the supply chain to gain access to an organization's network or sensitive information.
For example, an attacker may compromise a software vendor's build or update server and distribute malware to the vendor's customers, including the targeted organization. The malware then executes on the targeted organization's systems, giving the attacker access to sensitive data or control over the systems.
Supply chain attacks are becoming increasingly common and can be difficult to detect (and therefore go unnoticed for a long time) and to mitigate, as they target trusted vendors and use legitimate channels, such as signed updates, to deliver malware or other malicious payloads. Organizations can reduce their risk of supply chain attacks by implementing security measures such as vendor risk management, vulnerability management, and threat intelligence gathering.
What if you are a Hunt & Hackett MDR customer?
Following the publication, Hunt & Hackett has created detection coverage based on the IOCs known at the time of writing. These IOCs can be found in a later section of this write-up. For our customers we performed a threat hunt in the night of 30 March between 01:00 and 05:00 and informed the customers who have possibly been impacted by this attack. Do note that this is an unfolding situation and an emerging threat. Hunt & Hackett will continue to monitor the situation and verify whether our customers might have been impacted if new findings come to light. If there are potentially significant changes which might impact your organization, we will contact you as soon as possible for context and next steps.
What if you are not a Hunt & Hackett MDR customer?
For those who do not have Managed Detection & Response provided by Hunt & Hackett there are different things you can do to determine whether you might have been impacted.
Prevention – make sure that the malicious update cannot be downloaded/ distributed internally
It could be the case that your organization has not downloaded the malicious version of 3CX yet. Before you continue with the next steps, and to avoid other systems continuing to download the malicious version, check whether this is the case for your 3CX server and inform your users not to download the software from the website. If applicable, remove the affected update from the 3CX server, wait until a confirmed clean version is available and use the PWA app[3] as recommended by 3CX in the meantime. The affected versions are:
- 18.12.407 (Windows);
- 18.12.416 (Windows);
- 18.11.1213 (MacOS).
Detection – Verify presence of vulnerable software in your infrastructure
First, check whether the known malicious 3CX binaries, as outlined in Table 1, are present on the system. Hunt & Hackett created queries for both Windows and MacOS to check for the presence of the application. If the application is found on one or more of your systems, it is important to find out which version of the application is installed. If it is one of the versions below, we advise quarantining the asset and starting an investigation into possible compromise of the asset and lateral movement by the adversary:
- 18.12.407 (Windows);
- 18.12.416 (Windows);
- 18.11.1213 (MacOS).
Windows
```powershell
# Check for a running process
Get-WmiObject -Class Win32_Process -Filter "Name='3CXDesktopApp.exe'" |
    Select-Object Name, ProcessId, CommandLine

# Check for the program installation and its version.
# Per-machine installs register under HKLM, per-user installs under HKCU, so query both.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                       'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '3CX Desktop App*' } |
    Select-Object DisplayName, DisplayVersion

# Check for the per-user Programs folder
Test-Path -Path C:\Users\*\AppData\Local\Programs\3CXDesktopApp\
```
MacOS
```bash
# Check for the application folder (default install location of the app bundle, assumed)
ls -ld "/Applications/3CX Desktop App.app"

# Check for the application file and read its version from the bundle's Info.plist
ls -l "/Applications/3CX Desktop App.app/Contents/MacOS/"
/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' \
    "/Applications/3CX Desktop App.app/Contents/Info.plist"

# Check for the per-user UpdateAgent listed in Table 1 and hash it for comparison
ls -l "$HOME/Library/Application Support/3CX Desktop App/UpdateAgent"
shasum -a 256 "$HOME/Library/Application Support/3CX Desktop App/UpdateAgent"
```
Second, check whether systems have been beaconing to the known Command & Control domain names. You can do this by verifying in, e.g., your firewall, proxy or DNS logging whether the domains have been contacted by systems in your infrastructure. If there are hits, we recommend you zoom in on these systems and check for the presence of 3CX software as well as the known malicious binaries/versions of the software, using the steps above. If it is one of the known malicious versions, we advise quarantining the asset and starting an investigation into possible compromise of the asset and lateral movement.
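The two detection steps above (known-bad versions and hashes on the endpoint, and beaconing to the listed domains in DNS, proxy or firewall logs) combined into one triage helper. This is an added example written for this write-up, not Hunt & Hackett or 3CX tooling: the domain and hash lists are copied from the IOC section below, while the log format, the hostname regex and the sample log lines are constructed assumptions. It matches subdomains of a C2 domain but deliberately not lookalike names that merely end in the same characters.

```python
"""Offline triage helper for the trojanised 3CX Desktop App (example code)."""
import hashlib
import re
from typing import List, Optional, Tuple

# Defanged C2 domains as published in the IOC section of this write-up.
C2_DOMAINS_DEFANGED = [
    "akamaicontainer[.]com", "akamaitechcloudservices[.]com", "azuredeploystore[.]com",
    "azureonlinecloud[.]com", "azureonlinestorage[.]com", "convieneonline[.]com",
    "dunamistrd[.]com", "glcloudservice[.]com", "journalide[.]org",
    "msedgepackageinfo[.]com", "msstorageazure[.]com", "msstorageboxes[.]com",
    "officeaddons[.]com", "officestoragebox[.]com", "oilycargo[.]com",
    "pbxcloudeservices[.]com", "pbxphonenetwork[.]com", "pbxsources[.]com",
    "qwepoi123098[.]com", "soyoungjun[.]com", "sbmsa[.]wiki", "sourceslabs[.]com",
    "visualstudiofactory[.]com", "zacharryblogs[.]com",
]

# SHA256 hashes of the malicious binaries and installers from Table 1.
MALICIOUS_SHA256 = {
    "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc",
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868",
    "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405",
    "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983",
    "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61",
    "5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290",
    "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb",
    "e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec",
    "6c121f2b2efa6592c2c22b29218157ec9e63f385e7a1d7425857d603ddef8c59",
    "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973",
    "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896",
    "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02",
    "11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03",
}

# Trojanised versions named in this write-up, per platform.
MALICIOUS_VERSIONS = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213"},
}


def refang(domain: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def matches_c2(hostname: str) -> Optional[str]:
    """Return the C2 domain if hostname is that domain or one of its subdomains."""
    host = hostname.lower().rstrip(".")
    for c2 in C2_DOMAINS:
        if host == c2 or host.endswith("." + c2):
            return c2
    return None


# Loose hostname extractor (assumed log format): pulls anything that looks like a
# dotted name with an alphabetic TLD out of DNS, proxy or firewall URL fields.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})", re.IGNORECASE)


def find_beacons(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, hostname, c2_domain) for every line naming a C2 domain."""
    hits = []
    for no, line in enumerate(log_lines, start=1):
        for host in HOST_RE.findall(line):
            c2 = matches_c2(host)
            if c2:
                hits.append((no, host.lower(), c2))
    return hits


def is_malicious_version(platform: str, version: str) -> bool:
    """True if the installed version is one of the trojanised builds for that platform."""
    return version.strip() in MALICIOUS_VERSIONS.get(platform.lower(), set())


def is_malicious_hash(digest: str) -> bool:
    """Case-insensitive lookup of a SHA256 hex digest against Table 1."""
    return digest.lower() in MALICIOUS_SHA256


def sha256_file(path: str) -> str:
    """Stream-hash a file (e.g. ffmpeg.dll or UpdateAgent) for is_malicious_hash()."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample log lines (not real telemetry): a subdomain of a C2 domain, a
# benign Microsoft host, an exact C2 lookup, and a lookalike that must not match.
SAMPLE_LOG = [
    "2023-03-30T02:14:07Z dns client=10.1.20.15 query=A cdn.msstorageazure.com",
    "2023-03-30T02:14:09Z proxy client=10.1.20.15 GET https://login.microsoftonline.com/common/",
    "2023-03-30T02:15:31Z dns client=10.1.20.44 query=A pbxphonenetwork.com",
    "2023-03-30T02:16:02Z dns client=10.1.20.44 query=A notmsstorageazure.com",
]

if __name__ == "__main__":
    for no, host, c2 in find_beacons(SAMPLE_LOG):
        print(f"line {no}: {host} -> C2 domain {c2}")
    print("18.12.407 on Windows malicious:", is_malicious_version("Windows", "18.12.407"))
```

Run it against exported DNS or proxy logs by feeding the lines to find_beacons(), and against files recovered from a suspect host by passing sha256_file(path) to is_malicious_hash(). A hit on a domain alone is grounds to pull the host into the endpoint checks above; it is not yet proof of compromise.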
Response – if you have hits on the indicators of compromise
When traces are observed of the known malicious binaries, or of systems beaconing to the command and control servers, it is important to verify whether abnormal activity has taken place on the system. We therefore recommend looking into potential lateral movement. To do so, search for anomalous connections and logins from, on or to other systems originating from the impacted machine. If you do not feel comfortable performing this step yourself, please feel free to reach out to Hunt & Hackett (cert@huntandhackett.com, or +31702220000), or your preferred IR partner.
Mitigation/ remediation – in case you have been impacted
After concluding that you have been impacted, but that no lateral movement or other adversary activity has taken place, we recommend the following:
- Since the malicious version of 3CX contains info-stealing functionality, it is important for the affected systems to:
  - Reset credentials, especially credentials that are stored in a browser;
  - Revoke session(s) (cookies).
- Roll out a new installation of the OS on the affected machines, so that staff can continue to work safely on the systems. If this is not possible, due to time constraints or any other important reason, clean the systems by removing all of the malicious files from the update location and wait for a confirmed clean version of 3CX.
Indicators of Compromise
The list below contains an overview of the malicious domains used by LABYRINTH CHOLLIMA, as known at this moment in time. Note that most are lookalikes of legitimate Akamai, Azure, Microsoft and Visual Studio names, so match on the exact domain and its subdomains rather than on keywords:
- akamaicontainer[.]com
- akamaitechcloudservices[.]com
- azuredeploystore[.]com
- azureonlinecloud[.]com
- azureonlinestorage[.]com
- convieneonline[.]com
- dunamistrd[.]com
- glcloudservice[.]com
- journalide[.]org
- msedgepackageinfo[.]com
- msstorageazure[.]com
- msstorageboxes[.]com
- officeaddons[.]com
- officestoragebox[.]com
- oilycargo[.]com
- pbxcloudeservices[.]com
- pbxphonenetwork[.]com
- pbxsources[.]com
- qwepoi123098[.]com
- soyoungjun[.]com
- sbmsa[.]wiki
- sourceslabs[.]com
- visualstudiofactory[.]com
- zacharryblogs[.]com
On Windows, the malicious 3CXDesktopApp.exe also connects to raw.githubusercontent.com, likely to retrieve payloads or commands. As this is a legitimate, widely used domain it should not be blocked or alerted on by itself; treat a connection to it from the 3CX process as supporting context, not as a standalone indicator.
The table below contains an overview of the hashes of the malicious binaries used by LABYRINTH CHOLLIMA, as known at this moment in time:

SHA256 hash (binary) | Confidence level | Platform | Installer hash | Filename / path
--- | --- | --- | --- | ---
dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc | High | Windows | aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 | 3cxdesktopapp-18.12.407.msi
fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 | High | Windows | 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 | 3cxdesktopapp-18.12.416.msi
92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61 | High | MacOS | 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 | 3CXDesktopApp-18.11.1213.dmg
b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb | High | MacOS | e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec | 3cxdesktopapp-latest.dmg
6c121f2b2efa6592c2c22b29218157ec9e63f385e7a1d7425857d603ddef8c59 | High | MacOS | n/a | /Users/<username>/Library/Application Support/3CX Desktop App/UpdateAgent
aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973 | High | Windows | n/a | ffmpeg.dll
7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896 | High | Windows | n/a | ffmpeg.dll
c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02 | High | Windows | n/a | ffmpeg.dll
11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03 | | Windows | n/a | d3dcompiler_47.dll, also seen as C:\Config.Msi\<random 8 char hex>.rbf

Table 1 - Overview of hashes which correspond to the malicious binaries.
How can we help?
Hunt & Hackett can help you to control your risk:
- Monitor for intrusions using our Managed Detection & Response (MDR) service.
- Assess if the vulnerability has already been exploited using our Threat Hunting (TH) service.
- If an attack is successful, we can help you to investigate and get back to business as quickly as possible via our Incident Response (IR) service.
- Assess your cyber security threats, controls and risks using our Security Program Gap Assessment (SPGA) service.