3CX PBX Compromised: What You Need To Know
Recently, there was a supply chain attack on the 3CX unified communications platform, similar in nature to the SolarWinds attack. The attackers inserted malicious code into a software update that many users then downloaded. 3CX has reportedly pulled the update after learning of the compromise.
If you or someone you know uses this system, it is important to take the necessary precautions immediately and/or contact ATC’s Super Support Team (SST) to discuss your specific situation/environment. While 3CX is not a supplier within ATC’s portfolio of leading UCaaS providers, our SST team can surely assist. We can also help you transition into a new solution that is better suited for you.
What makes the 3CX attack so devastating is the exploitation of a 10-year-old Microsoft vulnerability (CVE-2013-3900) that lets an executable carry malicious content while still appearing to be legitimately signed by Microsoft. This is not the first time this vulnerability has been exploited.*
The same tactic was used in the Zloader infection campaign earlier this year. In the 3CX case, the two “signed” malicious DLLs were used to connect to a C&C (Command and Control) server, then reach a GitHub repository and download information-stealing malware that targets sensitive data users type into their browser.*
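The condition behind CVE-2013-3900 is data appended to an executable's Authenticode certificate table that the signature never covered. The Python below is an added example (not code from ATC, Cato Networks or 3CX) that inspects a WIN_CERTIFICATE entry and reports any bytes beyond the PKCS#7 object and its zero alignment padding; it assumes the certificate table has already been extracted from the PE's security directory, and the PKCS#7 blob it uses is a constructed stand-in, not a real signature.

```python
import struct

# WIN_CERTIFICATE header: dwLength (total, incl. header), wRevision, wCertificateType
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
CERT_ALIGN = 8  # certificate table entries are padded to 8-byte boundaries


def der_element_length(buf: bytes) -> int:
    """Total size (tag + length field + body) of the DER element at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:  # PKCS#7 SignedData is a DER SEQUENCE
        raise ValueError("certificate data does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def appended_bytes(cert_table: bytes) -> int:
    """Bytes in the certificate table that are neither part of the PKCS#7
    object nor legitimate zero padding (0 for a well-formed entry)."""
    dw_length, _rev, cert_type = WIN_CERT_HEADER.unpack_from(cert_table)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or dw_length > len(cert_table):
        raise ValueError("unexpected WIN_CERTIFICATE header")
    body = cert_table[WIN_CERT_HEADER.size:dw_length]
    used = der_element_length(body)
    if used > len(body):
        raise ValueError("DER object longer than certificate table")
    padding = body[used:]
    # Alignment padding is under CERT_ALIGN bytes and all zero; anything else
    # is unsigned data riding along with a still-valid signature.
    if len(padding) < CERT_ALIGN and not any(padding):
        return 0
    return len(padding)


def build_cert_table(pkcs7: bytes, appended: bytes = b"") -> bytes:
    """Constructed helper: wrap a DER blob (plus optional extra data) in a WIN_CERTIFICATE."""
    body = pkcs7 + appended
    body += b"\x00" * ((-len(body)) % CERT_ALIGN)
    return WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(body),
                                WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


# Constructed stand-in for a PKCS#7 SignedData: a 12-byte DER SEQUENCE, not a real signature.
FAKE_PKCS7 = b"\x30\x0a\x04\x08" + b"A" * 8

if __name__ == "__main__":
    print("clean entry:", appended_bytes(build_cert_table(FAKE_PKCS7)))
    print("entry with trailing data:", appended_bytes(build_cert_table(FAKE_PKCS7, b"payload-bytes-here")))
```

On a real binary, read the table from the PE data directory entry IMAGE_DIRECTORY_ENTRY_SECURITY (for example via the `pefile` library) and pass those bytes to `appended_bytes`; a non-zero result is worth a closer look even when signature verification reports success.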
To protect your network, it is recommended to have a capable EDR solution in place to detect and block execution of the malware, and to review the EDR logs for suspicious or malicious activity. It is also important to quickly identify the devices in your organization that have the 3CX software installed and uninstall it; as a precaution, consider re-imaging those devices.
OVERVIEW
Supply chain attacks are one of the top concerns for any organization as they exploit the inherited trust between organizations. Recent examples of similar attacks include SolarWinds and Kaseya. On March 29th, a new supply chain attack was identified targeting 3CX, a VoIP/UCaaS developer, with North Korean nation-state actors as the likely perpetrators.*
What Happened?
On March 22nd, security companies were made aware of a supply chain attack impacting the 3CX voice and video desktop application. The application for both Windows (versions 18.12.407 and 18.12.416) and macOS (versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416) was compromised and included a trojan with malicious content.
Supply Chain Attacks
A supply chain attack aims to infiltrate and compromise a targeted organization’s security by abusing the trust placed in third-party connections. Once the attacker has compromised the “weak link,” they can use that back door to gain access to the target organization’s systems. For example, with 3CX, malicious code was injected into a digitally signed, trojanized version of the desktop client.
What Should 3CX Clients Do?
Organizations using the desktop versions listed above are highly encouraged to uninstall the desktop application until a verified security update is released. Temporarily, 3CX recommends migrating to the Progressive Web Application (PWA) deployment. In addition, users should reset their credentials.
*Italic content above provided by ATC provider CATO Networks. It can be referenced here.