3CX Supply Chain Attack — Here’s What We Know So Far
Enterprise communications software maker 3CX confirmed on Thursday that several versions of its desktop apps for Windows and macOS were affected by the supply chain attack.
The affected version numbers include 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 for macOS. The issue has been assigned the CVE identifier CVE-2023-29059.
The company said it was engaging Google’s Mandiant service to review the incident. In the interim, it was urging customers of the self-hosted and on-premises versions of the software to update to version 18.12.422.
“3CX Hosted and StartUP users do not need to update their servers as we will update them at night automatically,” 3CX CEO Nick Galea said in a blog post. “Server will be restarted and new Electron MSI/DMG App will be installed on server.”
The evidence available so far points to either a compromise of the 3CX software build pipeline to distribute Windows and macOS versions of the application package or, alternatively, the poisoning of upstream dependencies. The scale of the attack is currently unknown.
Telemetry data shared by Fortinet showed that the geographic spread of victim machines calling known actor-controlled infrastructure primarily includes Italy, Germany, Austria, the US, South Africa, Australia, Switzerland, the Netherlands, Canada, and the United Kingdom.
The earliest period of potentially malicious activity is said to have been detected on or around March 22, 2023, according to a post on the 3CX forums, although preparations for the advanced campaign are said to have begun no later than February 2022.
3CX said that the early warning flagging a potential security issue in its app last week was treated as a “false positive” because none of the antivirus engines on VirusTotal labeled it as suspicious or malware.
The Windows version of the attack takes advantage of a technique called DLL side-loading to load a malicious library named “ffmpeg.dll” that is designed to read encrypted shellcode from another DLL called “d3dcompiler_47.dll.”
[Figure: SUDDENICON downloads a new executable]
This involves accessing a GitHub repository to fetch ICO files containing a URL hosting the final-stage payload, an information stealer (dubbed Iconic Thief or SUDDENICON) capable of harvesting system information and sensitive data stored in web browsers.
British cybersecurity vendor Sophos reported that the shellcode used in the attack showed “byte-to-byte matches” with previous samples seen in incidents exclusively attributed to the Lazarus Group.
“The choice of these two DLLs – ffmpeg and d3dcompiler_47 – by the threat actor behind this attack is not accidental,” ReversingLabs security researcher Karlo Zanki said.
“The target in question, 3CXDesktopApp, is built on the open source Electron framework. Both libraries in question typically ship with the Electron runtime and, therefore, are unlikely to arouse suspicion in a customer environment.”
The macOS attack chain, in the same vein, bypasses Apple’s notarization checks to download an unknown payload from a command-and-control (C2) server that is currently unresponsive.
“The macOS version doesn’t use GitHub to fetch its C2 server,” said Volexity, which tracks the activity under the cluster UTA0040. “In contrast, the C2 server list is stored in a file encoded with a single-byte XOR key, 0x7A.”
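The following is an added analyst-side example, not code from the article or from any vendor it cites. It decodes a single-byte XOR blob with the reported key 0x7A, extracts and defangs the URLs for blocklisting, and goes one step beyond the quoted case by showing that the key can be recovered by trying all 256 values. The semicolon-separated layout, the `.example` hosts and all function names are assumptions made for illustration.

```python
import re

XOR_KEY = 0x7A  # single-byte key reported by Volexity, per the article

# Constructed sample: placeholder hosts under the reserved .example TLD,
# XOR-encoded with the key above. These are not real indicators, and the
# semicolon-separated layout is an assumption, not the real file format.
_PLAINTEXT = b"https://updates.c2-one.example/a;https://cdn.c2-two.example/b"
SAMPLE_BLOB = bytes(b ^ XOR_KEY for b in _PLAINTEXT)

# Host, then an optional path of printable bytes excluding ';' (0x3b).
URL_RE = re.compile(rb"https?://[A-Za-z0-9.-]+(?:/[\x21-\x3a\x3c-\x7e]*)?")


def xor_decode(blob: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte of the blob."""
    return bytes(b ^ key for b in blob)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII."""
    if not data:
        return 0.0
    return sum(0x20 <= b < 0x7F for b in data) / len(data)


def recover_key(blob: bytes) -> list[int]:
    """Try all 256 keys; keep those yielding printable text with a URL."""
    hits = []
    for key in range(256):
        plain = xor_decode(blob, key)
        if printable_ratio(plain) > 0.95 and URL_RE.search(plain):
            hits.append(key)
    return hits


def defang(url: str) -> str:
    """Make a URL non-clickable for safe sharing in reports and tickets."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_indicators(blob: bytes, key: int = XOR_KEY) -> list[str]:
    """Decode the blob and return the defanged URLs it contains."""
    urls = URL_RE.findall(xor_decode(blob, key))
    return [defang(u.decode("ascii")) for u in urls]


if __name__ == "__main__":
    print([hex(k) for k in recover_key(SAMPLE_BLOB)])
    print(extract_indicators(SAMPLE_BLOB))
```
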
Cybersecurity company CrowdStrike, in its own advisory, attributed the attack with high confidence to Labyrinth Chollima (aka Nickel Academy), a North Korea-aligned state-sponsored actor.
“The activity, which targeted multiple organizations across multiple verticals without a clear pattern, has been linked to the Chollima Labyrinth based on the observed network infrastructure uniquely associated with that adversary, similar installation techniques, and reused RC4 keys,” Adam Meyers, senior vice president of intelligence at CrowdStrike, told The Hacker News.
“A trojanized 3CX application spawned a variant of ArcfeedLoader, malware uniquely associated with Labyrinth Chollima.”
Labyrinth Chollima, per the Texas-based company, is part of the Lazarus Group, which also includes Silent Chollima (aka Andariel or Nickel Hyatt) and Stardust Chollima (aka BlueNoroff or Nickel Gladstone).
The threat actor “has been active since at least 2009 and usually tries to generate revenue by targeting crypto and financial organizations,” Meyers said, adding it was “likely affiliated with Bureau 121 of the DPRK General Reconnaissance Bureau (RGB) and primarily conducts espionage operations and income-generating schemes.”
Google Chrome is blocking the latest MSI 3CX installer
3CX, in an update shared on Friday, said Google banned the download of its MSI installer files via the Chrome web browser. It also noted that the antivirus engines of some companies are blocking any software signed with the old security certificate.
The following MSI installers have been blocked: SBC for Windows, the Windows desktop app, and Call Flow Designer. However, there are indications that the restriction may have been lifted, as some customers report being able to download the latest version (18.12.422) via Chrome.
In response, the company said it was creating a new MSI installer with a new certificate and a new build server, a process that is expected to take at least eight hours. It further encourages its customers to use the web application version (PWA).