The 3CX Supply Chain Attack – Exploiting an Ancient Vulnerability


Supply chain attacks are one of the top concerns for any organization because they exploit (no pun intended) the inherited trust between organizations. Recent examples of such attacks include SolarWinds and Kaseya. On March 29th, 2023, a new supply chain attack was identified targeting 3CX, a developer of VoIP IP PBX software, with North Korean nation-state actors as the likely perpetrators.

What makes the 3CX attack so devastating is the abuse of a 10-year-old Microsoft vulnerability (CVE-2013-3900) in WinVerifyTrust's Authenticode signature validation. The Authenticode hash does not cover the file's certificate table, so an attacker can place extra data there and the signature still verifies: the executable continues to appear legitimately signed by Microsoft while, in fact, it carries an attacker-controlled payload used to distribute malware. Microsoft released a fix in December 2013, but the stricter check is opt-in and remains disabled by default on most systems. This is not the first time the vulnerability has been abused; the same tactic was used in the Zloader infection campaign reported in early 2022. In the 3CX case, the two "signed" malicious DLLs were used to connect to a C&C (Command and Control) server and ultimately to a GitHub repository, from which an information-stealing malware was downloaded that targets sensitive data users enter in their browser.
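The check that the CVE-2013-3900 fix performs is easy to reproduce. The Python script below is an added example, not code from the original post or from Cato: it walks a PE file's headers to the Attribute Certificate Table, measures the DER length of the PKCS#7 SignedData blob inside each WIN_CERTIFICATE entry, and reports any non-zero bytes that sit inside the certificate table but outside that blob (the space Authenticode excludes from its hash), plus any bytes trailing the table. The PE files it inspects are constructed inline with a placeholder DER blob standing in for a real signature; build_pe, check_authenticode_padding and the PAYLOAD bytes are this example's own names, not artifacts from the 3CX campaign.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds a PKCS#7 SignedData blob


def find_security_directory(data: bytes):
    """Return (file_offset, size) of the Attribute Certificate Table, or None if unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                         # PE32+
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", data, entry)  # for this entry the "RVA" is a raw file offset
    if offset == 0 or size == 0:
        return None
    return offset, size


def der_total_length(data: bytes, start: int) -> int:
    """Length of the DER SEQUENCE (tag + length bytes + content) starting at `start`."""
    if data[start] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    first = data[start + 1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long form: n length bytes follow
    return 2 + n + int.from_bytes(data[start + 2:start + 2 + n], "big")


def check_authenticode_padding(data: bytes) -> dict:
    """Flag non-zero bytes in the certificate table that the PKCS#7 blob does not account for."""
    result = {"signed": False, "unsigned_bytes_in_table": 0, "trailing_bytes": 0, "suspicious": False}
    sec = find_security_directory(data)
    if sec is None:
        return result
    offset, size = sec
    result["signed"] = True
    table_end = offset + size
    result["trailing_bytes"] = max(0, len(data) - table_end)   # data appended after the table
    unsigned = 0
    pos = offset
    while pos + 8 <= table_end:
        dw_length, _revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if dw_length < 8:
            break
        entry_end = min(pos + dw_length, table_end)
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            try:
                der_len = der_total_length(data, pos + 8)
            except (ValueError, IndexError):     # malformed blob: treat the whole entry as unsigned
                der_len = 0
            tail = data[pos + 8 + der_len:entry_end]
            unsigned += sum(1 for b in tail if b != 0)   # zero padding to 8 bytes is legitimate
        pos += (dw_length + 7) & ~7                  # entries are 8-byte aligned
    result["unsigned_bytes_in_table"] = unsigned
    result["suspicious"] = unsigned > 0 or result["trailing_bytes"] > 0
    return result


def build_pe(cert_blob: bytes, extra_in_table: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image (headers only) with one WIN_CERTIFICATE entry; not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after the DOS header
    opt_size = 112 + 16 * 8                          # PE32+ fixed part plus 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    cert_off = 64 + 4 + 20 + opt_size                # 328, already 8-byte aligned
    body = cert_blob + extra_in_table                # attacker data rides inside the cert entry
    padded = (8 + len(body) + 7) & ~7
    win_cert = struct.pack("<IHH", padded, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    win_cert += b"\0" * (padded - 8 - len(body))
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, padded)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert + trailing


# Constructed placeholder: a 7-byte DER SEQUENCE standing in for a real PKCS#7 SignedData blob.
SIGNATURE_BLOB = bytes.fromhex("30 05 02 03 01 02 03")
PAYLOAD = b"ENCRYPTED-STAGE2-PAYLOAD"                # constructed stand-in for smuggled data
CLEAN_PE = build_pe(SIGNATURE_BLOB)
TAMPERED_PE = build_pe(SIGNATURE_BLOB, extra_in_table=PAYLOAD)

if __name__ == "__main__":
    print("clean   :", check_authenticode_padding(CLEAN_PE))
    print("tampered:", check_authenticode_padding(TAMPERED_PE))
```

This is the same padding check Windows enforces once the EnableCertPaddingCheck value is set to "1" under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and the Wow6432Node path on 64-bit systems); without it, WinVerifyTrust still accepts files that carry arbitrary data in the signature padding. The script does not validate the signature itself, so run it alongside, not instead of, a real Authenticode verification.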


The Cato Networks security group responded to this threat immediately. Customers whose systems were communicating with the second-stage payload server were contacted and informed which of their devices were compromised. All domains and IPs associated with the campaign were blocked to limit any exposure to this threat.

Cato’s approach to such threats is one of multiple choke points, ensuring the threat is detected, mitigated, and prevented along its entire attack path. This can only be done by leveraging the private cloud backbone in which each PoP has the entire security stack sharing and contextualizing data for each network flow. Cato’s mitigation of the 3CX threat includes:

  • Firewall – malicious domains associated with the campaign are tagged as such and blocked. The firewall rule for blocking malicious domains is enabled by default.
  • IPS (Intrusion Prevention System) – the payload servers were added to the IPS domain blocklist; this is complementary to the firewall rule and does not depend on it being enabled.
  • Anti-malware – all known 3CX-associated trojans are blocked.
  • MDR (Managed Detection and Response) – the MDR team continues to monitor customer systems for any suspicious activity.

The Cato Networks security group will continue to monitor this threat as it develops. For a detailed technical analysis of the attack, see Cyble's blog.
