Days after the supply chain compromise of communications software maker 3CX came to light, plenty of important questions remain about the far-reaching attack, which has drawn comparisons to some of the largest breaches to date, such as the SolarWinds and Kaseya attacks.
One of the biggest unanswered questions is not about 3CX itself, however.
It’s about the company’s massive customer base, and how those who installed the tainted software could be affected by the attack.
That’s the nature of software supply chain breaches, and why they are so alarming: compromise one and you can (potentially) compromise many.
According to 3CX, its customer base totals more than 600,000 organizations.
Nick Galea, founder and chief executive of 3CX, told CyberScoop it’s probable that hundreds of thousands of customers actually downloaded the malicious version of the vendor’s VoIP phone system software.
For priority targets, the attackers may have put in place a mechanism for maintaining access to the victim’s network, one that survives even after the trojanized 3CX software, their initial access vector, is removed by an update.
Impact on customers
The attack resembles the 2020 supply chain breach of SolarWinds in a number of key respects.
And if the pattern holds, details about compromised end customers of 3CX could be emerging soon.
“Are other companies going to come out of the woodwork and say, ‘Hey, we were affected by this?’ I think so,” John Hammond, senior security researcher at cybersecurity vendor Huntress, said.
At the same time, the impact from the 3CX attack might be constrained by other factors.
For instance, while 3CX’s customer base of more than 600,000 is double the size of SolarWinds’ at the time of that company’s supply chain breach, the current attack was caught much faster.
3CX has indicated that the macOS version of its app may have been compromised as far back as January, but Galea told CyberScoop that it has just a few thousand users, a fraction of the user base for the Windows version.
The 3CXDesktopApp for Windows, on the other hand, appears to have been compromised around March 8.
This means the attackers were caught within weeks, Adam Meyers, head of intelligence at CrowdStrike, said.
CrowdStrike threat hunters were the first to determine that the detection of malicious activity coming from the 3CX app was not a false positive, and the company publicly disclosed details about the attack in a blog post.
In the attack on SolarWinds and its customers, by contrast, researchers believe that attackers went unnoticed for at least nine months in 2020, only being discovered in December of that year.
With the 3CX attack being caught in less than a month, “this gives you some sense that some of us are stepping up and catching these things in a much faster cadence,” Meyers said.
All of which means the attacker in the campaign had far less time to stealthily carry out its activities, such as establishing footholds in the most-valuable networks belonging to 3CX customers.
Information theft as the attackers’ goal
As of this writing, definitive details about the final stage of the 3CX attack haven’t been shared, but there are indications that its ultimate purpose was to deploy information-stealing malware.
That’s according to researchers at companies including Huntress, Volexity and Cyble.
“While this could be leveraged for harvesting items such as stored passwords, access tokens and similar information, current analysis indicates this information theft focuses on gathering browsing history,” Joe Slowik, threat intelligence manager at Huntress, said.
Given that many researchers have attributed the 3CX supply chain attack to a nation-state threat actor, specifically a group working for North Korea, espionage makes more sense as the goal of the attack than other possible motives such as ransomware, Hammond told CRN.
Rather than going for a quick payday with ransomware, the threat actor may have wanted to use its access to eavesdrop on 3CX’s customers and slowly gather valuable intel, he said.
Major customers listed by 3CX include McDonald’s, Coca-Cola, NHS, Toyota, BMW and Honda.
CrowdStrike has attributed the attack to a North Korea-affiliated group that it calls Labyrinth Chollima.
How did the attackers get in?
Other major open questions involve 3CX itself.
As of this writing, the vendor hasn’t specified how attackers initially managed to get into its software supply chain.
The answer to that question is of interest not just to curious security researchers but also, potentially, to the countless organizations that rely on open-source libraries in their software development process.
A statement by 3CX — that the security issue “appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT” — does seem to point toward an open-source library as a possible culprit.
Many in the security community, Hammond said, are now asking 3CX, “‘Hey, can you please share that intel? Can we help the community the best that we can with that knowledge and transparency?’”
What 3CX did say is that it has hired Mandiant, owned by Google Cloud, “to review this incident in full.”
Does the attacker still have access?
Along with knowing how the attacker got in, it’s also critical to know whether the attacker may still have access to 3CX environments, given that the vendor is continuing to release updated versions of its software in the wake of the attack.
Johannes Ullrich, dean of research for the SANS Technology Institute, said in a webcast that we “absolutely” do not know the definitive answer on this yet.
“3CX kind of admitted that much, because they said they rebuilt what they consider a ‘safe’ version of the Electron application,” Ullrich said.
“But they also said that they’re not going to publish it as-is — they’re going to send it to Mandiant first, and Mandiant is going to [review it],” he added.
Galea wrote that “the rebuilt Electron Windows App with the new certificate has been sent to Mandiant to check whether it is secure. It will take some time before we can distribute it 100 per cent safely. We need several days, probably more.”
Ultimately, Ullrich said that when an organization’s network is compromised, as 3CX’s has been here, “it’s really hard to recover from this.”
Update April 4: Article amended, as American Express is not a 3CX client and does not use its software.