A very commonly used VoIP telephony system has been compromised via trojans snuck in through an open source component, and the supply chain attack puts over half a million global businesses at risk. This includes some of the world’s biggest companies and organizations: American Express, Toyota, McDonald’s and the UK’s NHS among them.
The trojans were apparently added to software updates in early March of this year and impact all versions of the software released since then, for both Windows and MacOS. These updates come directly from the company and appear legitimate, but contain malware that establishes a backdoor into the system that allows for surreptitious data theft and the creation of a remote command shell that could theoretically give the attacker total control.
Supply chain attack targets open source elements
As happened with the infamous SUNBURST supply chain attack, the hackers have managed to penetrate software updates at their source and are passing malware that is signed with a valid 3CX certificate. The MacOS version is additionally notarized by Apple, which will allow it to bypass automated defenses included in the more recent versions of the operating system.
The malware is in all updates from build 18.12.407 for Windows and 18.11.1213 for MacOS, or those that were released on March 3. It is not yet known exactly which open source component was compromised.
3CX goes beyond simply linking up phone handsets via internet connections, also offering a variety of other software products usually bundled with service plans: video conferencing software, live chat, and mobile apps for Android and iOS among other options. This provides the hackers with ample opportunity to range across networks once the supply chain attack gains its foothold.
The issue has been exacerbated by the fact that 3CX initially dismissed reports of suspicious activity as false positives. The first indications of the supply chain attack were messages posted in various places around the internet about suspicious network activity that seemed to originate from the telephony software. CEO Nick Galea first responded with a statement that the company had been alerted by security firm SentinelOne but had cleared their software with VirusTotal and did not believe there was a compromise. It was a week after this statement that 3CX finally acknowledged that there was in fact a breach, after the company was briefed by CrowdStrike on the details.
All of this seems to have given the hackers nearly a full month to exploit the supply chain attack before the public was made aware. While 3CX shares some blame for the response, further investigation by Kaspersky reveals that a Microsoft flaw is also involved. The bug that the attackers exploited is a known flaw that has been present in Windows for 10 years now. It was patched long ago, but the patch has always been “opt-in” because it can cause conflicts with some legitimate signature verification. A problem that organizations commonly encounter is that if the opt-in was done under Windows 10, it is not preserved after upgrading to Windows 11 and has to be applied again manually.
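The practical question for defenders is whether that opt-in hardening is actually switched on, especially on machines that have since been upgraded to Windows 11. The script below is an added example written for this article; it is not code from 3CX, Kaspersky or Microsoft. It assumes that the ten-year-old, opt-in Windows signature-verification fix the article describes is Microsoft’s WinVerifyTrust certificate-padding check, which is enabled through the `EnableCertPaddingCheck` registry value under `Cryptography\Wintrust\Config` (and under `Wow6432Node` on 64-bit systems); the article itself does not name the flaw, so that identification is this example’s assumption.

```powershell
# Added example, not from the article. Assumption: the opt-in signature
# verification fix discussed above is Microsoft's Authenticode certificate
# padding check, controlled by the EnableCertPaddingCheck registry value.
$PaddingCheckPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Get-CertPaddingCheckState {
    # Report, per registry path, whether the hardening is enabled.
    # A missing key or value counts as "not enabled" (the Windows default).
    foreach ($path in $PaddingCheckPaths) {
        $value = (Get-ItemProperty -Path $path -Name EnableCertPaddingCheck `
                      -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{
            Path    = $path
            Value   = $value
            Enabled = ($value -eq '1')   # Microsoft documents a REG_SZ "1"
        }
    }
}

function Enable-CertPaddingCheck {
    # Opt in on both registry views so 32-bit and 64-bit callers of
    # WinVerifyTrust get the stricter check. Requires an elevated shell.
    foreach ($path in $PaddingCheckPaths) {
        if (-not (Test-Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        New-ItemProperty -Path $path -Name EnableCertPaddingCheck `
            -PropertyType String -Value '1' -Force | Out-Null
    }
}

# Audit first; only enable after a pilot, since the article notes the check
# can reject some legitimately signed files that carry appended data.
$state = Get-CertPaddingCheckState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Enabled }) {
    Write-Warning 'Certificate padding check is not enabled on every path.'
}
```

Run the audit from an elevated PowerShell session on each endpoint, and run it again after any in-place upgrade from Windows 10 to Windows 11, since the article reports that the opt-in does not survive that upgrade. Pushing the value through Group Policy Preferences or a configuration-management tool keeps it from silently reverting.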
3CX customers still dealing with fallout
The path to remediation for customers has not been easy thus far. 3CX’s first advisory was for customers to switch from the desktop app to its progressive web app (PWA), which lacks some key features. 3CX says that it is working to add those features to the PWA. All customers have had three months added to their subscriptions free of charge, but it is unclear how many will want to continue with the service after this experience. End users also noted that the initial breach notification was only provided to the company’s resellers, with it going out to everyone some time later.
There is further bad news attached to the attack. Both CrowdStrike and Kaspersky believe that attackers affiliated with Lazarus Group, the North Korean state-backed hacking team infamous for stealing cryptocurrency, are the culprits. This is based on the use of a backdoor called “Gopuram” that the APT group was previously observed using in attacks on crypto companies, among other traces of evidence. CrowdStrike has attributed the attack to “Labyrinth Chollima,” a subset of Lazarus.
The total victim count is still being determined as investigations into the supply chain attack continue. The company has about 240,000 clients that have internet-connected phone systems, and says that it has seen 2,700 compromised binaries in the wild thus far. Security researchers with BlackBerry say that compromised systems are heavily concentrated in Europe, especially Italy and Germany. BlackBerry also believes that the breach window may be much longer than just the month of March; the researchers say they see signs of initial action from as early as October 2022. An online tool is available at “checkmyoperator.com” that can help organizations determine if they have been breached by this particular attack.