A recent breach of 3CX, a leading VoIP provider used by many businesses, has the potential to be another widespread supply chain attack comparable to the SolarWinds and Kaseya incidents.
3CX has some 600,000 clients worldwide, and counts some very large companies (and government entities) among them. However, the available evidence thus far points to North Korea’s Lazarus group as the perpetrators, and they appear to be keeping to their usual focus: stealing cryptocurrency from whoever holds large amounts of it.
Full reach of breach unknown as North Korean state-backed hackers become leading suspects
3CX first issued an advisory about the supply chain attack to resellers in early April, directing customers to change over from the desktop app to the less commonly used “progressive web app.” This caused some issues as the web app does not have the full range of features, something that 3CX says it is addressing.
Several major threat analysis groups have noted that the attacker used a backdoor called “Gopuram” that has previously been deployed by Lazarus, North Korea’s state-sponsored hacking team. CrowdStrike believes that a branch of Lazarus called “Labyrinth Chollima” is behind the attack. This attribution is further supported by the attackers seeming to home in on 3CX clients that might be holding cryptocurrency.
It is unknown exactly how many downstream clients have been breached by the supply chain attack at this point. The company estimates it has about 240,000 clients that are vulnerable by way of internet-connected VoIP systems, and that it has confirmed 2,700 infected binaries. These have largely been in Europe to this point. The complete breach window is also not yet known, as security researchers with BlackBerry note that there are signs of compromise that go back as far as October of last year.
Open source component of 3CX software targeted in supply chain attack
The supply chain attack traces back to an unspecified open source component used in 3CX systems. The vulnerability allowed the attackers to insert malware into legitimate software updates (signed with valid 3CX certificates) that were then passed on to clients. This is similar to the SolarWinds attack, which saw many clients breached but ultimately only a few targeted for follow-up by the Russian state-backed threat actors thought to be responsible.
The malware has been inserted in updates from version 18.12.407 for Windows and 18.11.1213 for MacOS, which were issued on March 3. The response has left some 3CX customers cold, as the company took some time to begin handling the supply chain attack responsibly. Its initial breach notification stated that an outside security firm had alerted it to an issue, but that customers should not be concerned as the software had been cleared with VirusTotal. Decision-makers at 3CX were apparently then briefed by CrowdStrike, who explained that a VirusTotal scan was not a sufficient means of evaluating the threat and that the attackers had likely already compromised numerous clients. A week later the breach notification was revised to its present state.
The breach window is thus at least a few weeks, and possibly several months if evidence of it beginning in 2022 holds up. If the latter scenario is true, the slow detection might have been owed to the APT group being very selective about the clients it compromised (again likely seeking those holding cryptocurrency).
Clients would also not necessarily have been compromised by the malicious software updates automatically, as they hinge on a configuration setting in Windows being in a certain state. The issue has been documented for 10 years now, but end users must opt in to patching it out of the system, as the fix has the potential to cause problems with legitimate signature verification processes. Additionally, some who had patched it previously would have had the patch removed when they upgraded to Windows 11. MacOS systems reportedly were compromised via a different process.
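An added example, not from the article or from 3CX: a PowerShell audit of the opt-in Windows hardening described above. The article does not name the setting; this example assumes it is the long-documented Authenticode padding check controlled by the EnableCertPaddingCheck registry value, and checks both the native and WOW6432Node paths because the 32-bit verifier reads its own copy.

```powershell
# Added example: audit (and optionally re-apply) the opt-in Authenticode
# signature-padding hardening. The registry location and value name are an
# assumption about which setting the article means; the article itself does
# not identify it. Run from an elevated prompt if you use -Enable.
$WintrustConfigPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Get-CertPaddingCheckState {
    param([string[]]$KeyPaths = $WintrustConfigPaths)
    foreach ($p in $KeyPaths) {
        $raw = $null
        if (Test-Path $p) {
            # The value may be stored as REG_SZ "1" or DWORD 1; -eq handles both.
            $raw = (Get-ItemProperty -Path $p -Name EnableCertPaddingCheck `
                    -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        }
        [pscustomobject]@{
            Path     = $p
            RawValue = $raw
            Enabled  = ($raw -eq 1)   # only an explicit 1 turns the strict check on
        }
    }
}

function Enable-CertPaddingCheck {
    param([string[]]$KeyPaths = $WintrustConfigPaths)
    foreach ($p in $KeyPaths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        # Microsoft's published fix writes the value as a string "1".
        Set-ItemProperty -Path $p -Name EnableCertPaddingCheck -Value '1' -Type String
    }
}

$state = Get-CertPaddingCheckState
$state | Format-Table -AutoSize

if ($state.Enabled -contains $false) {
    Write-Warning 'Strict signature padding check is not enabled on every path.'
    Write-Warning 'Re-check after feature upgrades (e.g. to Windows 11), which can reset it.'
    # Uncomment to re-apply the hardening; test against your signed software first,
    # since the article notes it can break some legitimate signature checks.
    # Enable-CertPaddingCheck
}
```

Because the hardening is opt-in and can be lost on upgrade, the audit is worth scheduling (for example via configuration-management compliance checks) rather than running once.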