- Disable User
- Posts
- 3CX Supply Chain Attack - just a phone call away
Hi and welcome to another Security weekly. Where we laugh, we cry and share the latest and greatest in security and tech news.
In this week's edition:
🔗 3CX Supply Chain Attack - just a phone call away
❔ Disable User Explains: Supply Chain Attack
🔥 the quick and dirty
Reading time: 02:32
3CX Supply Chain Attack - just a phone call away
We weren’t fully recovered from the Outlook zero-day from 2 weeks ago and there it is: another big security incident.
Well “big”. If you’re not use 3CX there’s not much going on.
But for sysadmins managing major enterprises, or multiple customer MSP’s, it’s been a tough few weeks.
So let’s all take a moment of silence for our brothers and sisters trying to keep up with all the patches, zero-days and other crazy exploits that have been going around lately.
Well, now that we have that out of the way. THE DETAILS.
3CX, a software company that focuses on Voice Over IP software was hit a rather nasty Supply Chain Attack.
Their softphone desktop app named “3CXDesktopApp” has fallen victim to a Trojan injection.
This means that the original installer was compromised to install not only the app, but also malicious files.
The repository where the official files are hosted was compromised, making it possible for hackers to inject their infected files in the official installer.
This is very dangerous, as the user is completely unaware that this is happening. They are simply downloading a know installer, from the correct source.
So how does this Trojan work exactly?
When the 3CX app is installed or updated to a certain version, it downloads the original files + infected files.
The malicious files stay hidden and inactive until triggered.
This trigger can be anything. Either a certain date/time, a user action, or a trigger from outside. It’s still not entirely clear what the trigger in this case is.
Once the trigger is fired, an outside connection is set-up. This gives the hacker acces to the infected system. This inside-to-outside connection that is being set-up is called a Beacon.
Help, my company is using 3CX - what do we do?
Check if your company is using any of these versions;
Windows - 18.12.407 and 18.12.416
MacOS - 18.11.1213, 18.12.402, 18.12.407 and 18.12.416
If you are, check your Virusscanners, Firewalls, SIEM/SOAR, … for alerts or abnormalities.
Although these are the only ones reported to be infected, I’d take no chances:
Uninstall any 3CX desktopclient version and instruct users to use the web client.
3CX is regaining control and building a new version. I’m unaware when this will be released, but my guess is soon.
And please, if there is a Cybersecurity Patron Saint out there, no more incidents now. At least for a month.
That’s not asking too much now, is it?
Supply Chain Attack
A type of (cyber) attack that focuses on gaining access to a company through a trusted third party vendor. Often by using Trojan horse in software, or physical components.
For “example”: hiding malicious files in a trusted installer for an application that is used by millions of companies worldwide. In the hopes of gaining access to the internal systems of a big company.
The quick and dirty
Introducing Microsoft Security Copilot: Empowering defenders at the speed of AI - I was going to do a piece about this, but 3CX got in the way. Next week! Check out the demo on YouTube though, I’m impressed
Millions of Pen Tests Show Companies' Security Postures Are Getting Worse - not the trend I was hoping for. Good read though
ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation - not me asking ChatGPT the most personal questions.
Meme of the week
This only hits if you’re 30+
