On March 29, a massive supply chain compromise in 3CX software resulted in malware being installed globally across multiple industries. It is similar to other high-profile supply chain attacks like SolarWinds in that, rather than targeting a single organization, the criminals target a popular service or software supplied to many large organizations. With a single compromise of the supplier, dozens and potentially hundreds of organizations may fall in turn. Trustwave is diligently monitoring the situation for exposure and associated attacks and will provide updates here as we have them.

In this case, the supplier is 3CX, a software company that makes a very popular VoIP software phone system. These 3CX softphones are very widely deployed: by 3CX's own count they service over 600,000 companies globally and more than 12 million users daily, and their client list contains dozens of highly recognizable corporate entities. Users that either installed an update (Update 7) or installed a fresh instance of the affected versions may be affected. As of March 30, Shodan shows close to a quarter of a million publicly exposed 3CX management systems.

Figure 1: Shodan results for publicly exposed 3CX management systems

Attack Chain

The full attack results in an Infostealer strain of malware on the victim system via a trojanized DLL.

Figure 2: 3CX Desktop App infection flow on a Windows based system

Upon installing either the full software (via MSI) or the update (Update 7), the software loads ffmpeg.dll which, in turn, sideloads d3dcompiler_47.dll. ffmpeg.dll is then used to extract and decrypt the second stage malware from d3dcompiler_47.dll. That second stage malware is encrypted using RC4 with a static key of " which many organizations have pointed to as a common static key used in other malware attributed to North Korean (DPRK) state sponsored threat actors.

The second stage malware then waits seven days before attempting to download one of sixteen Windows icon files (.ICO) from a public GitHub repository (since taken down). These fully functional icon files have a base64 string appended to the end of the file, which provides the malware with the URI of its C2 server. At least one of the icons was originally uploaded to GitHub on 7 December 2022. The macOS version does not use GitHub to retrieve its C2 server; instead, a list of C2 servers is stored in the file, encoded with a single-byte XOR key. After connecting to the C2 server defined in the .ICO file, the final malware stage is downloaded to the victim system. This final stage is a novel, previously unseen Infostealer. The Infostealer grabs standard system information and browsing history from the Chrome, Edge, Brave, and Firefox browsers.

While probably unrelated to this supply chain attack, on March 23rd and 25th we detected suspicious scanning activity on our honeypot instances based in the United States. The scans were aimed at CVE-2022-28005, a vulnerability in the 3CX Phone System Management Console. The vulnerability allows an unauthorized user to read arbitrary files on the server, leading to cleartext credential disclosure. A successfully authenticated attacker can then upload a file that overwrites a 3CX service binary, leading to remote code execution.

Remediation

3CX is currently working on an update to remove the malicious code. In the meantime, 3CX recommends that users uninstall any current version and switch to the unaffected 3CX Progressive Web App (PWA) version of its software.
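As an added example (not code from the original post, from Trustwave, or from the 3CX samples themselves), the following Python helpers cover the three encodings the attack chain above relies on: RC4 decryption of the second stage (the real static key is not reproduced in this post, so a hypothetical key is used), recovery of the base64 C2 URI appended after the genuine image data in a .ICO file, and brute-forcing the single-byte XOR key over the macOS C2 list. The exact trailer layout (base64 text after the last image entry) and the newline-separated list format are assumptions made for illustration; all sample inputs are constructed.

```python
from __future__ import annotations

import base64
import struct

# Added example: analyst helpers for the encodings described in the post.
# No real 3CX artifacts are reproduced; the RC4 key, the ICO trailer layout
# and the newline-separated C2 list format are assumptions for illustration.

# Bytes we expect in a decoded list of hostnames / URLs (used to score XOR keys)
ALLOWED = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-:/_\n")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ico_data_end(ico: bytes) -> int:
    """Offset where the genuine icon data ends, from the ICONDIR (6 bytes) and
    ICONDIRENTRY (16 bytes each; size and offset live at entry+8) headers."""
    reserved, ico_type, count = struct.unpack_from("<HHH", ico, 0)
    if reserved != 0 or ico_type != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = 6 + 16 * count
    for i in range(count):
        size, offset = struct.unpack_from("<II", ico, 6 + 16 * i + 8)
        end = max(end, offset + size)
    return end


def c2_from_ico_trailer(ico: bytes) -> str:
    """Decode the base64 string appended after the last image as the C2 URI."""
    trailer = ico[ico_data_end(ico):].strip()
    return base64.b64decode(trailer, validate=True).decode("ascii")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def brute_force_xor_list(blob: bytes) -> tuple[int, list[str]]:
    """Try all 256 single-byte keys; keep the one whose output looks most like a
    newline-separated list of hostnames or URLs."""
    best_key, best_score = 0, -1.0
    for key in range(256):
        candidate = xor_bytes(blob, key)
        score = sum(1 for b in candidate if b in ALLOWED) / len(candidate)
        if score > best_score:
            best_key, best_score = key, score
    plain = xor_bytes(blob, best_key)
    return best_key, [line.decode("ascii") for line in plain.split(b"\n") if line]


def build_sample_ico(trailer: bytes) -> bytes:
    """Minimal one-entry ICO (image bytes are zeros) with an arbitrary trailer appended."""
    image = b"\x00" * 64
    header = struct.pack("<HHH", 0, 1, 1)                       # reserved, type=icon, count
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(image), 6 + 16)
    return header + entry + image + trailer


# Constructed sample data (not the real indicators)
SAMPLE_C2_URI = "https://c2.example.invalid/api/poll"
SAMPLE_ICO = build_sample_ico(base64.b64encode(SAMPLE_C2_URI.encode()))
SAMPLE_C2_LIST = ["c2-a.example.invalid", "c2-b.example.invalid", "c2-c.example.invalid"]
SAMPLE_XOR_KEY = 0x7A
SAMPLE_XOR_BLOB = xor_bytes("\n".join(SAMPLE_C2_LIST).encode(), SAMPLE_XOR_KEY)
SAMPLE_RC4_KEY = b"not-the-real-key"  # hypothetical; the post does not reproduce the real key
SAMPLE_STAGE2 = rc4(SAMPLE_RC4_KEY, b"MZ\x90\x00stage2-placeholder")


if __name__ == "__main__":
    print("C2 from ICO trailer:", c2_from_ico_trailer(SAMPLE_ICO))
    key, hosts = brute_force_xor_list(SAMPLE_XOR_BLOB)
    print(f"XOR key 0x{key:02x}, C2 list: {hosts}")
    print("RC4-decrypted stage 2 header:", rc4(SAMPLE_RC4_KEY, SAMPLE_STAGE2)[:2])
```

Computing the end of the genuine icon data from the directory entries, rather than searching for a base64-looking tail, matters because a valid image payload can itself contain runs of base64-alphabet bytes; the header tells you exactly where the appended data begins. The XOR scorer rewards hostname characters only, so keys that merely flip letter case (0x20) or shift punctuation still lose to the true key.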