Enterprise phone company 3CX has seen the exploitation of a vulnerability in their 3CXDesktop App, potentially compromising thousands of business networks.
3CX supply chain attacks.
Many companies’ research units are reporting that a vulnerability in the widely used 3CXDesktopApp is being exploited in a supply chain campaign that may prove as significant as, for example, the Sunburst incident that affected, most famously, Solarwinds, but the supply chains of other products as well. SentinelOne, Sophos, and CrowdStrike have all made public reports about the intrusion, with 3CX itself issuing its own warning yesterday morning.
Thousands of business networks potentially compromised.
A supply chain attack on enterprise phone company 3CX may have compromised thousands of business networks, the Record reported yesterday. The company, which Bleeping Computer says provides services to companies like American Express, Coca-Cola, McDonald's, BMW, Honda, Air France, Toyota, Mercedes-Benz, IKEA, and the UK's National Health Service, confirmed yesterday that its desktop app had contained malware. The desktop app, TechCrunch reports, is used for voice and video calls. Chief executive of 3CX, Nick Galea, initially noted surprise in a Twitter thread that the compromise was not reported by SentinelOne sooner, but SentinelOne’s Juan Andres Guerrero-Saade noted the issue’s presence in 3CX’s support forums as far back as March 22nd.
Jossef Harush, Head of Software Supply Chain Security, Checkmarx, notes a rise in supply chain attacks using legitimate services, saying, "From what we know so far, the 3CX application update files are what have been compromised. The malware was found reading from a GitHub repository that had seemingly legitimate icon files, but which contained encrypted data. As we also saw in this incident– there’s a rise in supply chain attackers using legitimate services such as GitHub to stay under the radar. This is particularly alarming because many companies are often automatically allowing network access to such services as legitimate, and such services do not undergo any content vetting."
A possible state-sponsored attack, with a Mac component.
Security Week reports that 3CX chief information security officer, Pierre Jourdan, said there were grounds to suspect that the incident was the work of a state-sponsored advanced persistent threat (APT). He said, “The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT. Worth mentioning – this appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware. The vast majority of systems, although they had the files dormant, were in fact never infected.” Cybersecurity firm Huntress has confirmed and reported almost 2,800 intrusions within their partner base. CrowdStrike has confirmed activity on both Windows and macOS, and found the malware to be notarized by Apple, which the outlet says “indicates that the tech giant checked it for malicious elements and failed to find any.” However, that seems to no longer be the case, as users are now seeing a warning before the installation of the app. The approximately 400MB Mac application was confirmed by Wardle to contain suspicious activity, the outlet reports. TechCrunch notes that Linux, iOS, and Android versions of the app still appear unaffected at this time.
CISA issues warning after exploitation comes to light, and companies provide recommendations and mitigations.
CISA, the US Cybersecurity and Infrastructure Security Agency, issued a terse warning yesterday morning: “CISA is aware of open-source reports describing a supply chain attack against 3CX software and their customers. According to the reports, 3CXDesktopApp — a voice and video conferencing app — was trojanized, potentially leading to multi-staged attacks against users employing the vulnerable app.” CISA advises users to scan for indicators of compromise (IOCs). The forum update from 3CX’s Galea recommends uninstalling the app, and using the Progressive Web App (PWA) in its place, Trend Micro reported yesterday. Symantec offers a technical analysis of the malware, and continues to update their blog with IOCs.
Expert insights on the 3CX attack and how to move forward.
Former director of operations at the NSA and Vice President of Intelligence at [redacted], Adam Flatley, acknowledges that a good posture assumes the worst case scenario, and plans for it:
“When you look at it from a practical defender's standpoint, software supply chain attacks are nearly impossible to prevent. The amount of work that would go into truly preventing attacks like these is untenable for almost every organization out there. This is why a good security posture will not only focus on prevention, but also assumes that a breach will happen at some point no matter how good the defenses are. Organizations need to be properly instrumented to detect follow-on activity, so even if a bad actor gets into a network via a software supply chain attack, they can be quickly detected and effectively mitigated. Prevent the preventable, detect and respond quickly to the unpreventable, exercise your incident response plan regularly to keep it fresh, and always do an after action review to learn and grow.”
Lorri Janssen-Anessi, Director, External Cyber Assessments at BlueVoyant, emphasizes continuous monitoring of systems to quickly address abnormalities:
"The supply chain attack on business phone provider 3CX is clear evidence that threat actors will continue to scan, identify, and exploit vulnerabilities as they are identified. The understanding of the scale and impact of this compromise is still developing, but the recommendation is to act now to protect yourself and your organization against the potential increasing severity of this attack.
"Follow the guidance by 3CX, government agencies, and others as it is presented and remediate immediately. The current 3CX recommendation is to uninstall the app containing malware and to switch to a different app.
"Initial indications suggest that this may have been orchestrated by an Advanced Persistent Threat (APT), a stealthy threat actor, often state-sponsored. From our experience at BlueVoyant, every vulnerability, emerging threat, or zero-day should be addressed immediately, regardless of the responsible organization, APT or otherwise. Time is of the essence when these attacks and vulnerabilities are announced.
"In addition to quick patching or protocol changes, a best practice to avoid negative impacts from incidents like this is to continuously monitor both your internal and external ecosystems. This monitoring enables a baseline so that when unexpected activities occur within your network, you can quickly address any abnormalities, and your security team can take steps to investigate and remediate them. You should also be aware of which third parties you are using and what their impact is on business operations. BlueVoyant has increasingly observed cyber criminals targeting vendors, suppliers, and other third parties, as they may have weaker security and be a route to compromise a target organization."
Tyler Farrar, CISO at Exabeam, highlights the fact that 3CX was not the target, rather a means to the true targets, the customer base:
"Any adversary, regardless of whether it is a novice or the work of nation-state actors like the Lazarus Group, is going to go for the path of least resistance to meet their end goal. Weaknesses in the supply chain are one of the simplest, yet most successful, ways to do that. In the case of 3CX, the threat actors were likely not going after the company itself, but the data from its 12 million global customers. Rather than attempt to attack each of the customers individually, the adversaries figured it would be easier to break through 3CX — and they were correct.
"Unfortunately, attacks like these are going to become more and more common and I anticipate software supply chain attacks to be the No.1 threat vector of 2023. As a result, I encourage organizations to create a thorough vendor risk management plan to vet third parties and require accountability to remain vigilant, and potentially stop devastating consequences when third-parties are compromised."
Anand Reservatti, CTO and co-founder at Lineaje, emphasizes the importance of understanding what is in the software your business uses, and understanding your greater software supply chain:
“The 3CX VOIP ‘Trojanizing’ the software supply chain attack is the latest proof point of why companies need to know ‘what’s in their software?’
"It is critical to understand that not all software is created equal. The 3CX attack was caused when the Electron Windows App got compromised due to an upstream library. It is clear that 3CX has not deployed any tools to accurately discover and manage their software supply chain. So, in order to protect the software supply chain you have to shift to the “left of the shift-left mentality.” Because the software itself is malicious and not straight malware, vulnerability and malware scans fall short as well.
"This type of attack is particularly challenging for technologies such as vulnerability and malware scans or CI/CD to detect. You need a solution that can do the following:
"1) Discover software components and creating entire genealogy-including all transitive dependencies
"2) Establish integrity throughout the supply chain without relying on any external tooling and their assertion
"3) Evaluate inherent risk by determining examining each component of the software
"4) Remediate inherent risks strategically in order to address the most critical components based on the genealogy
"Knowing what’s in your software comes only by knowing what’s in your software supply chain. It’s why it is critical to work with solutions that can attest to the integrity of your software supply chain of all software built and bought. With more details surfacing including possible ties to a nation-state hacking group, it is essential for software producers and consumers to be able to attest to what exactly is in their software to prevent devastating consequences.”
Kayla Underkoffler, Lead Security Technologist at HackerOne, highlights the need for an understanding of what is in their cyber environment and acknowledges some tools available for active software monitoring:
"It’s critical organizations understand what’s in their environment and how that software interacts with their critical business processes. It’s no longer enough to just document components and dependencies once in the development lifecycle and be done. Today, organizations must proactively consider new solutions to prevent attacks.
"An example of tools in use today for active monitoring of software include IBM’s recently developed SBOM Utility and License Scanner: two open-source tools that facilitate and standardize SBOM policies for organizations. These help build a living, breathing inventory of what’s in use in an organization’s current environment so organizations can respond quickly to software supply chain disruptions. Ethical hackers are also proven to be creative resources, skilled at identifying open source and software supply chain vulnerabilities, as well as undiscovered assets that may impact an organization’s software supply chains.”
(Added, 7:00 PM, March 31st, 2023. Michael Covington, PhD, VP of Portfolio Strategy at Jamf, wrote to point out that the incident should dispel any lingering sense that any operating system is threat-free:
"No operating system is immune to threats. It may be a surprise to some, but we are used to seeing malware on macOS. However, the majority of samples observed in the wild have managed to bypass Apple’s device protections either through the use of social engineering techniques or the exploitation of vulnerabilities in applications already installed on the device.
"What is unique about the situation with 3CXDesktopApp, the app by company 3CX which claims its products are used by more than 600,000 companies, is that the developer’s build process was compromised and produced signed code containing malicious components, thus allowing the malware to masquerade as a legitimate app and to be distributed as part of the typical app update process, putting all current customers at risk. The trust gained by appearing as the legitimate app was so convincing that some 3CX forum posts suggested the alerts from various endpoint security products were false positives.
"Jamf’s own analysis shows macOS clients communicating with infrastructure associated with the malware attack. We are advising our customers to immediately remove impacted apps, ensure new installations are blocked and immediately implement blocks on outbound connections to the known-bad domains.”)