Exploiting ancient vulnerabilities: How did the 3CX supply chain attack occur and what can we learn from it?

Featured Post

Exploiting ancient vulnerabilities: How did the 3CX supply chain attack occur and what can we learn from it?

On March 29th, North-Korean linked threat-actors targeted 3CX, a VoIP IPX developer, exploiting a 10-year-old vulnerability (CVE-2013-3900) that made executables appear to be legitimately signed by Microsoft when, in fact, they were being used to distribute malware. 

The 3CX attack is just the latest in a series of high-profile supply chain attacks over the past year. The SolarWinds attack compromised the Orion system, affecting thousands of organizations, and the Kaseya VSA attack that was used to deliver REvil ransomware also to thousands of organizations and is considered one of the largest security breaches of the 21st century.

Nor will those attacks be the last on the supply chain. While supply chains increase efficiency and collaboration while decreasing overhead costs, they pose a significant danger to all those involved. A chain is only as strong as its weakest link. Overall supply chain attacks increased by more than 600% in 2022..

How did the attack occur?

The 3CX phone system is used by more than 600,000 companies worldwide, with approximately 12 million daily users. As such, any attack on an organization of this size has far reaching consequences. 

The attack started on the 29th of March, when a large number of endpoint detection and response (EDR) providers and antivirus solutions began alerting to a signal warning for a legitimate 3CXDesktopApp.exe binary, which was signed. What wasn’t known at the time was that attackers had exploited a 10-year-old Microsoft vulnerability, which made executable appear to be legitimately signed, when in fact, they’re being used to distribute malware. In fact, two signed malicious DLLs were used to connect to a command-and-control server and then to the GitHub repository. 

Consequently, the 3CX download that was available on the website was infected with malware, meaning that any systems that already installed this version would automatically undergo an update that downloaded the malware onto the affected machines. Due to the nature of the attack involving a multi-stage process and a seven-day delay before the download takes place, it was possible for attackers to evade detection by security systems that monitor for suspicious activity, giving the attackers the opportunity to move laterally across systems and networks. Ultimately, the malware was able to gather system data and take control of login credentials stored in user profiles on web browsers. Following the attack, it was found that there had been 240,000 publicly exposed instances of this application, highlighting the extent of the damage this kind of supply chain causes. 

What can organizations do to remediate supply-chain attacks?

The first thing organizations should do to limit their exposure is for them to block all domains and IPs associated with this type of campaign. Once detected, organizations must mitigate and prevent the attack along its entire path. This can only be done by leveraging the private cloud backbone in which each point of presence (PoP) has the entire security stack sharing and contextualizing data for each network flow. 

In the case of the 3CX attack, it could be mitigated using multiple choke points, which included the following steps:

  • Tagging and blocking malicious domains. Enabling the firewall rule for blocking malicious domains as default.
  • Intrusion Prevention System (IPS). Adding payload servers to the domain blocklist, which should be complementary to the firewall rules and not dependent on them being enabled.
  • Anti-malware. Blocking all 3CX associated trojans.
  • Managed detection and response (MDR). Having an MDR team that continues to monitor customer systems for any suspicious activities.

Going forward, organizations should continue to monitor their networks for signs of similar attacks, in order to identify them in the early stages. 

How can organizations protect themselves in the future?

The SolarWinds attack, in particular, highlighted the need for organizations to improve their security, both internally and externally. The more that organizations rely on third-party providers, the more vital it becomes they not only look at the entire picture but also establish a new system of trust with new tools and practices that ensure robust security. Unfortunately, this could take years to fully achieve, in which case there are other steps organizations can take more immediately in order to protect themselves and all the links in their supply chain.

Security vetting: There are already regulatory frameworks in place that require third-party risk testing or other standards that vendors must comply with, which automatically improve their security posture. Otherwise, organizations should be vetting third-parties that they work with, to ensure their security is compatible with their standards and avoid vulnerabilities or gaps. 

Implement ZTNA: Zero trust network access (ZTNA) enables organizations to restrict access at a granular level. Essentially it approaches authorization with a basis of not inherently trusting that a user will have access. As a result it controls who and what can gain access to applications and services both in the cloud and on-premises, based on who is explicitly allowed. This approach tightens overall network security and can limit lateral movement in the event that a breach does occur – thus reducing the risk of a supply chain attack.

Implementing secure access service edge (SASE): SASE greatly improves an organization’s security posture by establishing a baseline of normal network behavior. This creates a more proactive approach to security and threat detection and it makes it easier to detect, contain and prevent any breaches. SASE provides visibility into all network activity from all edges. As a result, a defender has multiple chokepoint for each element of the attack cycle. When combined with with converged security capabilities, SASE allows organizations to better detect, mitigate and prevent threats.

Educate staff: Making sure that staff are briefed on how to behave when It comes to malicious emails or suspicious behaviors is a significant part of protecting the entire organization. It may seem insignificant, however if staff are aware of the tell-tale signs of an incident, they are more likely to be able to identify and alert them before it gets out of hand. 

Despite the damage caused by past supply-chain attacks, these types of incidents have allowed other organizations to learn from past mistakes and strengthen their own security systems. When it comes to a supply chain, each link must ensure their security is robust, for their sake and for the other parties involved. When working with third-parties, organizations must make sure to vet their security to make sure they are compatible and won’t allow for any gaps that could lead to lateral movement. Ultimately, while these attacks aren’t as common as ‘ordinary’ ransomware attacks, they can lead to a higher volume of damage and consequences, as the results aren’t always visible at first. By implementing the right security solutions and following best practices, organizations and their employees should be able to strengthen their defenses and reduce the chances of a successful attack on their supply chain.