Cyber Tip Tuesday 4.11.23. Today we look at what happened with 3CX over the last couple of weeks, in layman's terms.
3CX's Desktop Application (3CXDesktopApp) was compromised through what the industry calls a "supply chain attack". In a supply chain attack, the attacker breaks into a vendor whose software or build process its customers trust, and plants malware there; the customers then download and install that trusted software, which carries the malware into their own environments. Think of a restaurant receiving salmonella-contaminated lettuce from a farm and serving it to its customers, causing an outbreak. The restaurant did nothing wrong except trust the farm that sold it the lettuce.
With 3CXDesktopApp, the attackers penetrated 3CX and inserted their trojan into the Windows and macOS desktop application updates. 3CX customers then downloaded and installed those updates; because the packages carried 3CX's own valid code-signing certificate and came from a provider they already trusted, nothing looked out of place.
Windows applications are built from EXEs and DLLs, the shared libraries an application loads to run properly. In this case the attackers did not modify a DLL belonging to Windows itself: they replaced a library bundled with the 3CX installer (ffmpeg.dll, which in turn pulled an encrypted payload out of a second bundled library, d3dcompiler_47.dll). Once the signed 3CX application loaded that DLL, it reached out to attacker-controlled infrastructure and downloaded additional information-stealing malware onto the computer. Because the package was signed and the DLL was loaded by a trusted application, endpoint protection solutions did not initially block it. The equivalent was done to the macOS build.
The attack appears to have been active for about a month before SentinelOne and CrowdStrike detected the malware and informed 3CX. It was designed to harvest system information and steal sensitive data stored in web browsers. Kaspersky reports that, although the trojanized app was widely distributed, the threat actors followed up specifically against cryptocurrency companies. It is unclear how many endpoints were affected, so the theft of information cannot be assumed to be limited to that sector. Sophos attributes the attack to the North Korean group known as Lazarus Group, based on the code matching previous Lazarus attacks. CrowdStrike attributes it to the North Korean state-sponsored actor it tracks as Labyrinth Chollima (a subset of Lazarus).
If your organization uses 3CX, check whether any of the following desktop app versions are installed: Windows 18.12.407 and 18.12.416; macOS 18.11.1213, 18.12.402, 18.12.407 and 18.12.416. These should be uninstalled immediately. Then scan your environment with your endpoint protection and strongly consider moving to the 3CX PWA (web client) or installing the Legacy App. As of this writing, the latest version of the Windows/macOS desktop app has yet to be approved.
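One way to run that version check across a fleet, as an added example for this post rather than anything published by 3CX: the script below walks the standard Windows "Uninstall" registry keys (per-machine, 32-bit view and per-user, since Electron apps like 3CX usually register per user) or reads the macOS app bundle's Info.plist, and flags any install whose version matches the compromised list above. The macOS bundle path, the "3CX" name filter and the sample plist are assumptions/constructed test data, not taken from a real install; adjust the path and filter for your environment.

```python
"""Audit a host for the trojanized 3CX Desktop App builds listed above.

Added example for this post, not 3CX's own tooling. The macOS bundle path,
the "3CX" name filter and SAMPLE_PLIST are assumptions/constructed data.
"""
import platform
import plistlib
import re
from pathlib import Path

# Compromised builds as listed in the post above.
COMPROMISED = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

# Assumed default install location of the macOS app bundle.
MACOS_PLIST = "/Applications/3CX Desktop App.app/Contents/Info.plist"

# Constructed Info.plist used to exercise the macOS parser offline.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>CFBundleName</key><string>3CX Desktop App</string>
<key>CFBundleShortVersionString</key><string>18.12.416</string>
</dict></plist>
"""


def os_key(name):
    """Map platform.system() style names ('Windows', 'Darwin') to our keys."""
    n = name.strip().lower()
    if n.startswith("win"):
        return "windows"
    if n in ("darwin", "macos", "mac os x", "osx"):
        return "macos"
    raise ValueError(f"unsupported OS: {name!r}")


def normalize_version(raw):
    """Reduce 'v18.12.416', '18.12.416.0', etc. to the dotted numeric triple."""
    parts = re.findall(r"\d+", raw)
    return ".".join(parts[:3])


def is_affected(os_name, version):
    """True if this OS/version pair is one of the trojanized builds."""
    return normalize_version(version) in COMPROMISED[os_key(os_name)]


def parse_info_plist(data):
    """Return (bundle name, version) from raw Info.plist bytes."""
    info = plistlib.loads(data)
    name = info.get("CFBundleName") or info.get("CFBundleDisplayName", "")
    version = info.get("CFBundleShortVersionString") or info.get("CFBundleVersion", "")
    return str(name), str(version)


def find_macos_installs(plist_path=MACOS_PLIST):
    """Return [(name, version)] for the bundle at plist_path, or [] if absent."""
    path = Path(plist_path)
    if not path.is_file():
        return []
    return [parse_info_plist(path.read_bytes())]


def find_windows_installs(name_filter="3CX"):
    """Return [(DisplayName, DisplayVersion)] for matching Uninstall entries."""
    import winreg  # only available on Windows
    roots = [
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"),
        (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Uninstall"),
    ]
    found = []
    for hive, path in roots:
        try:
            root = winreg.OpenKey(hive, path)
        except OSError:
            continue  # hive/view not present on this host
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                try:
                    with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                        name = winreg.QueryValueEx(sub, "DisplayName")[0]
                        version = winreg.QueryValueEx(sub, "DisplayVersion")[0]
                except OSError:
                    continue  # entry lacks the values or vanished mid-walk
                if name_filter.lower() in str(name).lower():
                    found.append((str(name), str(version)))
    return found


def audit(os_name=None):
    """Return [(name, version, affected)] for 3CX installs found on this host."""
    key = os_key(os_name or platform.system())
    found = find_windows_installs() if key == "windows" else find_macos_installs()
    return [(n, v, is_affected(key, v)) for n, v in found]


if __name__ == "__main__":
    results = audit()
    if not results:
        print("no 3CX Desktop App install found")
    for name, version, bad in results:
        print(f"{name} {version}: {'COMPROMISED - uninstall' if bad else 'not a known-bad build'}")
```

Run it with your endpoint management tool as the logged-in user as well as SYSTEM, since a per-user install only shows up under HKCU of the user who installed it. A version that is not on the list is not proof of a clean host; it only tells you the trojanized installer is not what is currently registered, so still run the endpoint scan the post recommends.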
3CX has yet to discover or reveal how its environment was penetrated and its software trojanized, but it has contracted a third party, Mandiant, to investigate the compromise.
Users need to be diligent when it comes to protecting themselves, as even trusted sources sometimes can't be trusted. #cybertiptuesday #protectyourself #supplychainattack