3CX Supply Chain Attack: A Sophisticated Cybersecurity Incident

-

The world of cybersecurity has been shaken again, as 3CX, a leading enterprise communications software maker, confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack. This incident has raised concerns about the security of supply chains and the risks involved with third-party dependencies. In this blog post, we'll explore the details of the 3CX supply chain attack and what you can do to protect yourself.

  • What is the 3CX Supply Chain Attack?

The 3CX supply chain attack involved a compromise of the software build pipeline to distribute Windows and macOS versions of the app package, or alternatively, the poisoning of an upstream dependency. The attack was discovered on or around March 22, 2023, and it's currently unknown how extensive it is. The attackers used a sophisticated technique called DLL side-loading to load a rogue library called "ffmpeg.dll" that's designed to read encrypted shellcode from another DLL called "d3dcompiler_47.dll."

  • How Does the Attack Work?

The DLL side-loading technique allowed the attackers to access a GitHub repository to retrieve an ICO file containing URLs hosting the final-stage payload, an information stealer (dubbed ICONIC Stealer or SUDDENICON) capable of harvesting system information and sensitive data stored in web browsers. The shellcode utilized in the attack is a byte-to-byte match to prior samples seen in incidents exclusively attributed to the Lazarus Group, a North Korea-aligned state-sponsored actor. The macOS attack chain bypassed Apple's notarization checks to download an unknown payload from a command-and-control (C2) server that's currently unresponsive.

  • Who's Behind the Attack?

Cybersecurity firm CrowdStrike has attributed the attack with high confidence to Labyrinth Chollima (aka Nickel Academy), a North Korea-aligned state-sponsored actor. This group has been active since at least 2009 and typically targets crypto and financial organizations to generate revenue. They're likely affiliated with Bureau 121 of the DPRK's Reconnaissance General Bureau (RGB) and primarily conduct espionage operations and revenue generation schemes.

  • What's the Impact of the Attack?

The 3CX supply chain attack has raised concerns about the security of supply chains and the risks involved with third-party dependencies. The attack has compromised the security and privacy of users' systems and data, and it may have far-reaching consequences. As of now, the scale of the attack is unknown, and it's unclear how many users have been affected. The incident highlights the need for companies to implement robust security measures to protect themselves and their customers from such attacks.

  • What Can You Do to Protect Yourself?

If you're a user of 3CX's desktop app for Windows or macOS, you need to take action to protect yourself. 3CX is urging its customers of self-hosted and on-premise versions of the software to update to version 18.12.422. If you're using the 3CX Hosted or StartUP versions, you don't need to update your servers as they will be updated automatically. It's also essential to implement additional security measures, such as antivirus software, firewalls, and intrusion detection systems, to protect your systems and data from future attacks.

  • Conclusion

The 3CX supply chain attack is a significant cybersecurity incident that highlights the risks involved with third-party dependencies and the need for companies to implement robust security measures. As cyber threats Continue threats continue to evolve and become more sophisticated, with supply chain attacks being one of the latest tactics used by threat actors. Supply chain attacks target the software supply chain, seeking to infiltrate and exploit vulnerabilities within the development process.

In the latest incident, enterprise communications software maker 3CX fell victim to a supply chain attack affecting multiple versions of its desktop app for Windows and macOS. The attack is believed to have taken place in March 2023, with preparations starting as early as February 2022.

The scale of the attack is currently unknown, but evidence suggests that it involved the compromise of 3CX's software build pipeline or the poisoning of an upstream dependency. The attack leveraged a technique called DLL side-loading to load a rogue library that could read encrypted shellcode from another DLL.

The Windows version of the attack utilized an information stealer called ICONIC Stealer or SUDDENICON, capable of harvesting system information and sensitive data stored in web browsers. The macOS version bypassed Apple's notarization checks and downloaded an unknown payload from an unresponsive command-and-control server.

The attack has been attributed with high confidence to Labyrinth Chollima (aka Nickel Academy), a North Korea-aligned state-sponsored actor. Labyrinth Chollima is a subset of the Lazarus Group, which has been active since at least 2009 and primarily conducts espionage operations and revenue generation schemes.

To address the attack, 3CX has engaged the services of Google-owned Mandiant to review the incident. It has also urged customers of self-hosted and on-premise versions of the software to update to the latest version, and it will automatically update its Hosted and StartUP users' servers.

As supply chain attacks continue to increase in frequency and complexity, it is essential for organizations to prioritize their cybersecurity measures. They should take proactive steps to secure their software development processes, regularly audit their supply chain, and implement strong security controls and protocols to detect and respond to potential breaches. By doing so, organizations can better protect themselves from the ever-evolving threat landscape.

Comments

Post a Comment

Popular posts from this blog

Most Important Linux commands that Nobody Teaches You

-
Image
Linux is a powerful operating system with a vast array of tools and utilities available to users. These tools make Linux an attractive option for system administrators, developers, and power users who require a flexible and customizable environment. In this article, we will look at some essential Linux tools and utilities that can help you manage your system more efficiently. Rsync Rsync is a popular command-line utility that is used for file synchronization and data backup. It allows users to copy files and directories to a destination, similar to the cp command, but with some added features. One of the key benefits of using Rsync is that it allows you to copy files to remote locations, making it an excellent choice for backup purposes. Example usage : $ rsync -vap --ignore-existing <source_file> <destination_file> Key flags: v = verbose r = recursive p = preserve permissions g = group o = owner a = archive --progress = progress bar Mkpasswd Mkpasswd is a simple but useful
Read more

Unleashing Bug Bounty Success: Subdomain Enumeration, Content Discovery, and Vulnerability Scanning Approach

-
Image
Subdomain Enumeration  Subdomain enumeration is a critical aspect of robust cybersecurity practices. By employing effective tools and techniques, professionals can enhance their ability to identify potential vulnerabilities and uncover valuable information. In this article, we will explore recommended tools and methodologies for subdomain enumeration to optimize your security efforts. Knockpy, an exceptional subdomain enumeration tool, provides valuable insights into response codes and server details. To leverage its capabilities, execute the following command using Python3: python3 knockpy example.com While encountering response codes such as 404 or 403 may initially appear discouraging, it is crucial to thoroughly investigate these subdomains. Hidden within these seemingly unremarkable sites, valuable discoveries may await. For comprehensive subdomain enumeration, we highly recommend the utilization of "assetfinder." This powerful tool can be executed using the following co
Read more

Enhance Your Bug Bounty Journey with the Tools and Binaries of Bughunt3r Virtual Machine

-
Bug bounty hunting requires a comprehensive toolkit to uncover vulnerabilities and secure web applications. In this blog post, we will explore the top 20 tools and binaries that can supercharge your bug bounty efforts. These powerful tools cover a wide range of functionalities, from web vulnerability scanning to subdomain enumeration and source code analysis. We will focus on how these tools can be leveraged to optimize your bug bounty workflow, with specific examples targeting the domain *.example.com. Let's dive in! A virtual machine (.ova) file where almost all bug bounty tools are installed; specially burpsuite pro with license :) OS: Kali-Linux Version: 2022.1 Download link: https://drive.google.com/file/d/1Tkj3jKOvL7M08zG5JGVoqhZh50VMyM3X/view File size: 6 GB Installed top 20 tools and binaries [1]burpsuite professional [2]zaproxy [3]crlfuzz [4]ffuf [5]kite [6]dalfox [7]nuclei [8]rustscan [9]sqlmap [10]nmap [11]waybackurls [12]subfinder [13]xsstrike [14]nosqlmap [15]gitdu
Read more