Secplicity – Security Simplified

3CX Supply Chain Attack

3CX makes the desktop softphone application 3CXDesktopApp and now finds itself at the center of a supply chain attack. A well-known company in the softphone space, 3CX lists Honda, Coca-Cola, BMW and Holiday Inn among its customers, according to the testimonials on its website. This week, the company disclosed an attack in which a malicious version of its application made its way onto customers’ computers. Here is a quick overview of the attack.

The Attack

A compromised version of 3CXDesktopApp ships with a malicious library. When that library runs as part of the 3CXDesktopApp installation, it attempts to download files from the GitHub repository https://github[.]com/IconStorages/images. The repository holds icon (.ico) files, each with a base64-encoded string appended after the image data. Once decoded, that string gives the malware a command-and-control URL from which it downloads an infostealer and runs it. The infostealer collects browser history and system details and reports them back. In some cases, but not all, researchers have found the malware going on to communicate with additional servers; whether it does likely depends on what was found on the compromised computer.

At the time of writing, https://github[.]com/IconStorages/images is no longer accessible, but the initial payload in the malicious libraries may still have a fallback method for compromising devices in the future.
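As an added example (not code from this post, from 3CX or from WatchGuard), the script below shows how to check an .ico file for the trick described above: it parses the ICO header and directory, computes where the last declared image ends, treats anything after that as appended data, and tries to base64-decode it. The sample icon, its filler image bytes and the placeholder URL https://c2.example.invalid/api/session are constructed for the example and are not taken from the real IconStorages files. The trailer is treated as plain base64, as the post describes; an absent trailer, one that is not valid base64, or one that does not decode to UTF-8 text yields None, so a clean icon is not flagged and an unreadable trailer is left for manual inspection.

```python
import base64
import binascii
import struct
from typing import Optional

# ICO layout (little-endian):
#   header    : reserved (u16, must be 0), type (u16, 1 = icon), image count (u16)
#   directory : one 16-byte entry per image, ending with size (u32) and file offset (u32)
ICO_HEADER = struct.Struct("<HHH")
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")  # width, height, colors, reserved, planes, bpp, size, offset


def ico_payload_end(data: bytes) -> int:
    """Offset just past the last declared image; raises ValueError if this is not an ICO file."""
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short to be an ICO file")
    reserved, image_type, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or image_type != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size  # at least past the directory
    for i in range(count):
        entry_off = ICO_HEADER.size + i * ICO_DIR_ENTRY.size
        if entry_off + ICO_DIR_ENTRY.size > len(data):
            raise ValueError("truncated ICO directory")
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(data, entry_off)
        end = max(end, offset + size)
    return end


def appended_data(data: bytes) -> bytes:
    """Bytes after the last declared image: empty for a clean icon, a trailer for a tampered one."""
    return data[ico_payload_end(data):]


def decode_appended_base64(data: bytes) -> Optional[str]:
    """Base64-decode the trailer as UTF-8 text; None if there is no trailer or it does not decode."""
    trailer = appended_data(data).strip()
    if not trailer:
        return None
    try:
        return base64.b64decode(trailer, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def build_sample_ico(appended: bytes = b"") -> bytes:
    """Constructed sample: a one-entry 16x16 icon whose image data is 40 filler bytes."""
    image = b"\x00" * 40
    header = ICO_HEADER.pack(0, 1, 1)
    image_offset = ICO_HEADER.size + ICO_DIR_ENTRY.size
    entry = ICO_DIR_ENTRY.pack(16, 16, 0, 0, 1, 32, len(image), image_offset)
    return header + entry + image + appended


# Placeholder C2 URL for the example (assumption; not a real indicator).
PLACEHOLDER_C2 = "https://c2.example.invalid/api/session"
CLEAN_ICO = build_sample_ico()
TROJANIZED_ICO = build_sample_ico(base64.b64encode(PLACEHOLDER_C2.encode()))


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("tampered", TROJANIZED_ICO)):
        print(name, len(appended_data(blob)), "trailing bytes ->", decode_appended_base64(blob))
```

Run it against a directory of icons pulled from a suspect build by reading each file into `appended_data`; any icon with a non-empty trailer deserves a closer look even if the trailer does not decode, since a second encoding or encryption layer would fail the base64 step here but still be suspicious.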

Odd Timing

The timing and communication around these events have left victims confused. Here is what you need to know about the timing of the supply chain attack.

The Compromise

According to 3CX CISO Pierre Jourdan, “The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT.” Many applications are built on Electron, and no other Electron app is known to have been compromised in this way. 3CX later pointed to ffmpeg as the source of the intrusion, a claim the ffmpeg project has refuted.

For now, 3CX asks that you use the web-based app (the PWA) rather than the desktop application. In the 3CX forum thread discussing the incident, CEO Nick Galea suggests the company may not return to the desktop app at all: “Please use the PWA for now and quite frankly I suggest [you keeping on] using it. I don’t even know why we promote both and we will review this.”

Conclusion

Supply chain attacks like this one usually come from nation-state actors, though not always. According to reports from BleepingComputer, this attack may be the work of Labyrinth Chollima, a North Korean state-sponsored group that forms part of the larger Lazarus umbrella.

If you are a WatchGuard Endpoint customer, you are protected. We have confirmed that all artifacts related to this supply chain attack, including the malicious DLLs, malicious MSI installers and domains, are currently detected as malicious by WatchGuard EDR and EPDR. In addition, the DNSWatchGO app and the Firebox DNSWatch service block all domains known to be associated with the attack.

Many endpoint products used to trust a software package simply because it was signed with a trusted certificate. A valid signature is exactly what a supply chain attack abuses: the malicious package is built and signed through the legitimate vendor's own pipeline. Today we need stronger protections that apply all the time, such as behavioral detection and advanced machine learning. Many users in the 3CX forums initially dismissed the alerts from their AV software as false positives, assuming the software was safe. Don’t blindly ignore these warnings: if your antivirus raises an alert, investigate before dismissing it.

IOCs

URL github[.]com/IconStorages/images
Email cliego.garcia@proton[.]me
Email philip.je@proton[.]me
SHA-1 cad1120d91b812acafef7175f949dd1b09c6c21a
SHA-1 bf939c9c261d27ee7bb92325cc588624fca75429
SHA-1 20d554a80d759c50d6537dd7097fed84dd258b3e
SHA-1 769383fc65d1386dd141c960c9970114547da0c2
SHA-1 3dc840d32ce86cebf657b17cef62814646ba8e98
SHA-1 9e9a5f8d86356796162cee881c843cde9eaedfb3
URI https://glcloudservice[.]com/v1/console
URI https://pbxsources[.]com/exchange
URI https://msstorageazure[.]com/window
URI https://officestoragebox[.]com/api/session
URI https://visualstudiofactory[.]com/workload
URI https://azuredeploystore[.]com/cloud/services
URI https://msstorageboxes[.]com/office
URI https://officeaddons[.]com/technologies
URI https://sourceslabs[.]com/downloads
URI https://zacharryblogs[.]com/feed
URI https://pbxcloudeservices[.]com/phonesystem
URI https://pbxphonenetwork[.]com/voip
URI https://msedgeupdate[.]net/Windows
URI https://sbmsa[.]wiki/blog/_insert
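As an added example (not code from this post or from WatchGuard), the script below takes the defanged indicators listed above, refangs them, and uses them in two ways: it scans DNS query log lines for lookups of the listed C2 domains (matching subdomains, but not look-alike names that merely contain a listed domain as a substring) and checks a file's SHA-1 against the hash list. The GitHub repository is matched as a URL prefix rather than as a domain, since blocking github.com would be wrong. The DNS log lines and their `query: <name> <type>` format are constructed for the example and are an assumption, not real telemetry.

```python
import hashlib
import re
from typing import Iterable, List, Tuple

# Indicators copied from the IOC list above, still defanged with "[.]".
DEFANGED_C2_URLS = [
    "https://glcloudservice[.]com/v1/console",
    "https://pbxsources[.]com/exchange",
    "https://msstorageazure[.]com/window",
    "https://officestoragebox[.]com/api/session",
    "https://visualstudiofactory[.]com/workload",
    "https://azuredeploystore[.]com/cloud/services",
    "https://msstorageboxes[.]com/office",
    "https://officeaddons[.]com/technologies",
    "https://sourceslabs[.]com/downloads",
    "https://zacharryblogs[.]com/feed",
    "https://pbxcloudeservices[.]com/phonesystem",
    "https://pbxphonenetwork[.]com/voip",
    "https://msedgeupdate[.]net/Windows",
    "https://sbmsa[.]wiki/blog/_insert",
]
DEFANGED_REPO_URL = "https://github[.]com/IconStorages/images"
KNOWN_BAD_SHA1 = {
    "cad1120d91b812acafef7175f949dd1b09c6c21a",
    "bf939c9c261d27ee7bb92325cc588624fca75429",
    "20d554a80d759c50d6537dd7097fed84dd258b3e",
    "769383fc65d1386dd141c960c9970114547da0c2",
    "3dc840d32ce86cebf657b17cef62814646ba8e98",
    "9e9a5f8d86356796162cee881c843cde9eaedfb3",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def domain_of(url: str) -> str:
    """Host part of a URL, lower-cased (none of these IOCs carry a port)."""
    return re.match(r"^(?:https?://)?([^/]+)", url).group(1).lower()


# Domains are derived from the C2 URLs only: github.com itself is not an indicator.
BAD_DOMAINS = {domain_of(refang(u)) for u in DEFANGED_C2_URLS}
BAD_URL_PREFIXES = {refang(u) for u in DEFANGED_C2_URLS} | {refang(DEFANGED_REPO_URL)}


def is_bad_domain(name: str) -> bool:
    """True for a listed domain or any subdomain of one; 'notofficeaddons.com' does not match."""
    name = name.lower().rstrip(".")
    return any(name == bad or name.endswith("." + bad) for bad in BAD_DOMAINS)


def match_dns_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (line, queried name) for each log line that looks up a known-bad domain.

    Log format is an assumption for the example: '... query: <name> <type>'.
    """
    hits = []
    for line in lines:
        m = re.search(r"query:\s+(\S+)", line)
        if m and is_bad_domain(m.group(1)):
            hits.append((line, m.group(1)))
    return hits


def url_is_known_bad(url: str) -> bool:
    """Prefix match against the C2 URLs and the IconStorages repository (for proxy logs)."""
    return any(url.startswith(prefix) for prefix in BAD_URL_PREFIXES)


def sha1_is_known_bad(data: bytes) -> bool:
    """Compare a file's SHA-1 with the hashes from the IOC list."""
    return hashlib.sha1(data).hexdigest() in KNOWN_BAD_SHA1


# Constructed DNS log lines for the example, not real telemetry.
SAMPLE_DNS_LOG = [
    "2023-03-30T10:12:01Z client 10.0.0.12 query: pbx.corp.example A",
    "2023-03-30T10:12:05Z client 10.0.0.12 query: msstorageazure.com A",
    "2023-03-30T10:12:09Z client 10.0.0.17 query: cdn.officeaddons.com A",
    "2023-03-30T10:12:11Z client 10.0.0.17 query: notofficeaddons.com A",
]

if __name__ == "__main__":
    for line, name in match_dns_log(SAMPLE_DNS_LOG):
        print("IOC hit:", name, "<-", line)
```

The suffix check in `is_bad_domain` is what keeps a substring match like `notofficeaddons.com` out of the results while still catching `cdn.officeaddons.com`; a plain `in` test on the log line would produce both a false positive and, for hosts that resolve only the apex, no extra coverage.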

