The attackers who pulled off the supply chain attack against 3CX may have been preparing for the operation as early as February 2022 by registering some of the domains used as C2 infrastructure in the attack.
The first indicators of the attack that compromised several versions of the 3CX Windows and macOS apps emerged last week when security researchers began seeing malicious activity coming from the legitimate signed 3CX binaries. Investigations by researchers at SentinelOne, CrowdStrike, and Sophos, among others, found that at least two versions of the Windows app and four versions of the macOS app had been compromised and some organizations that had downloaded the affected apps were then infected with second-stage infostealer malware.
Researchers have connected the attack to a group that CrowdStrike calls Labyrinth Chollima, which overlaps with the Lazarus Group, a high-profile attack team associated with the North Korean government. The attackers were able to compromise the update mechanism for the 3CX Windows and macOS apps and then push malicious code. Only the desktop apps are affected, not the web version.
“The infection chain consists of several stages and involves sideloading DLLs along with a seven-day sleep cycle before the malware attempts to retrieve additional malicious artifacts from a now-removed GitHub repository for the Windows based infection. The GitHub repository hosted a series of icon files with encrypted data appended to the end of the files. These encrypted strings, once decrypted, contained the C2 domains for additional malicious artifacts,” an analysis by Cisco Talos released Thursday says.
“The MacOS version used a hard coded C2 domain. These second-stage payloads are information stealers that attempt to obtain system information and the latest browsing history records, indicating this information may be used as a filtering mechanism to identify and discard some victims while maintaining unauthorized access to others.”
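As an added illustration, not code from the Talos report or from 3CX, here is a defender-side triage check for the artefact the quote describes: icon files carrying data beyond what the ICO directory accounts for. The ICO layout (6-byte ICONDIR, 16-byte ICONDIRENTRY records) is assumed from the standard format, and the sample icons are constructed inline.

```python
import struct

ICONDIR_SIZE = 6        # reserved(2) type(2) count(2), all little-endian
ICONDIRENTRY_SIZE = 16  # w h colors reserved planes bpp bytesInRes imageOffset


def ico_payload_end(data: bytes) -> int:
    """Offset just past the last byte any directory entry references.
    Raises ValueError if the bytes are not a structurally valid ICO/CUR file."""
    if len(data) < ICONDIR_SIZE:
        raise ValueError("too short for an ICONDIR header")
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or img_type not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR header")
    end = ICONDIR_SIZE + count * ICONDIRENTRY_SIZE
    if len(data) < end:
        raise ValueError("truncated icon directory")
    for i in range(count):
        entry = ICONDIR_SIZE + i * ICONDIRENTRY_SIZE
        # bytesInRes and imageOffset sit at bytes 8..15 of each entry
        size, offset = struct.unpack_from("<II", data, entry + 8)
        end = max(end, offset + size)
    return end


def trailing_bytes(data: bytes) -> bytes:
    """Bytes after the last image the directory references (empty for a clean icon)."""
    return data[ico_payload_end(data):]


def build_ico(image: bytes) -> bytes:
    """Constructed one-entry ICO wrapping arbitrary image bytes (test fixture only)."""
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(image),
                        ICONDIR_SIZE + ICONDIRENTRY_SIZE)
    return header + entry + image


if __name__ == "__main__":
    clean = build_ico(b"\x89PNG" + b"\x00" * 60)
    # constructed stand-in for ciphertext appended after the real image data
    tampered = clean + bytes(range(0x17, 0x2f))
    for name, blob in (("clean", clean), ("tampered", tampered)):
        extra = trailing_bytes(blob)
        flag = " -> inspect" if extra else ""
        print(f"{name}: {len(extra)} trailing byte(s){flag}")
```

Trailing bytes are a triage signal rather than proof: some authoring tools pad files, so flagged icons still need a look at what the trailing data is and which process fetched them.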
The attack against 3CX is the most recent example of well-researched and executed supply chain attacks against software suppliers. The attack on SolarWinds in late 2020 is the best-known and perhaps most damaging such attack, and the intrusion at Kaseya a few months later was quite serious, as well. In the case of 3CX, the extent of the intrusion and the downstream effects likely won’t be known for some time, as the attack is still quite recent and investigators from Mandiant are in the early stages of determining what exactly happened. Supply chain attacks, while difficult to pull off, can be quite effective for attackers, especially if they go undetected for a lengthy period of time.
“It’s very juicy and enticing and it’s the most bang for your buck, but there’s a difficulty in pulling it off. The very front of this campaign is fuzzy, but the infrastructure was set up months ago,” said John Hammond, a senior security researcher at Huntress, who has been investigating the 3CX intrusion.
Researchers with Cisco Talos also saw indications that the 3CX attackers began their preparations for the intrusion more than a year ago.
“Based on Cisco Talos investigation, it appears the infrastructure that supported this attack was being prepared as early as February 2022 when the domains were first registered. A second cluster of activity happened toward the end of 2022 when the GitHub repository was created, along with a few other domains. The sbmsa[.]wiki domain was also created on Feb. 9, 2023, which was found to be used by the second stage of the MacOS version,” the Talos analysis says.
3CX says that it has more than 600,00 customers, but there’s no indication how many of those organizations use the compromised Windows or macOS apps or how many of them were actually compromised with the second-stage payload. Nick Galea, the CEO and CTO of 3CX, said Thursday that the company plans to have new versions of the affected apps ready soon.
“In a day or two from now, we will have another Electron App rebuilt from the ground up with a new signed certificate. This is expected to be completely secure. We are still working to decipher the full extent of the attack and we promise full transparency as soon as we are clear on everything. We don’t want to jump the gun and make wrong assumptions,” Galea said.