After attackers managed to plant malicious code into 3CX’s widely used VoIP software in a supply chain attack, Mandiant’s IT security experts have now presented the first findings of their investigation. According to the manufacturer, the forensic analysis of the network and the products is still ongoing.
Client analysis: attackers likely from North Korea
IT security companies have so far attributed the attack to North Korean actors with ties to the Lazarus group. Mandiant likewise places the perpetrators in the isolated dictatorship, but tracks the group as UNC4736. As 3CX explains in a blog post, Mandiant’s investigation found that Windows systems running 3CX software were infected with the malware Taxhaul, also known as TxRLoader.
Inside it lies shellcode that is encrypted with a key unique to each infected host, so the payload only decrypts on the machine it was planted on. The shellcode is a complex downloader that Mandiant calls Coldcat. Taxhaul achieves persistence through DLL side-loading: the malicious DLL carries the name of a legitimate DLL and is placed where a trusted executable finds it first in its search order, so it is loaded in place of the real one.
The macOS malware is a backdoor that Mandiant calls Simplesea; its analysis is still ongoing. It is written in C and supports backdoor commands for executing shell commands, file transfer, executing files, file management and configuration updates. Simplesea also offers a connectivity test for a given IP address and port. On first launch, the malware derives a bot ID from its process ID and sends it on every connection to the command and control (C&C) server. Message content exchanged with the C&C server is encrypted with the stream cipher A5, which belongs to the GSM mobile radio standard. The A5 ciphers have been publicly broken since around 2000, so the choice shields the traffic from casual inspection rather than from determined analysis.
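To make the cipher named above concrete, here is an A5/1 keystream generator with XOR encryption. This is an added example written for this article, not code from 3CX, Mandiant or the malware: Simplesea’s actual key schedule, framing and message format are not described on this page, and the key, frame number and sample message below are constructed test values.

```python
"""A5/1 keystream generator and XOR encryption (added example, not malware code).

A5/1 is the GSM stream cipher family Mandiant named for SIMPLESEA's C&C traffic.
How the malware derives its key and frame number is an assumption here.
"""

# (register length, feedback taps, majority-clocking control bit) for R1..R3
REGS = (
    (19, (13, 16, 17, 18), 8),
    (22, (20, 21), 10),
    (23, (7, 20, 21, 22), 10),
)


class A51:
    """A5/1 with the standard 64-bit key and 22-bit frame number."""

    def __init__(self, key: bytes, frame: int) -> None:
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 needs an 8-byte key and a 22-bit frame number")
        self.r = [0, 0, 0]
        # Key load: clock all three registers regularly, XOR key bit into bit 0.
        for i in range(64):
            self._clock_all()
            self._xor_in((key[i // 8] >> (i % 8)) & 1)
        # Frame load: same procedure with the 22 frame-number bits.
        for i in range(22):
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        # Mixing: 100 majority-clocked steps whose output is discarded.
        for _ in range(100):
            self._clock_majority()

    @staticmethod
    def _step(reg: int, length: int, taps: tuple) -> int:
        """Shift one LFSR; the new bit 0 is the XOR of the tapped old bits."""
        fb = 0
        for t in taps:
            fb ^= (reg >> t) & 1
        return ((reg << 1) | fb) & ((1 << length) - 1)

    def _xor_in(self, bit: int) -> None:
        for i in range(3):
            self.r[i] ^= bit

    def _clock_all(self) -> None:
        for i, (length, taps, _) in enumerate(REGS):
            self.r[i] = self._step(self.r[i], length, taps)

    def _clock_majority(self) -> None:
        """Clock only the registers whose control bit agrees with the majority."""
        clk = [(self.r[i] >> REGS[i][2]) & 1 for i in range(3)]
        maj = (clk[0] & clk[1]) | (clk[0] & clk[2]) | (clk[1] & clk[2])
        for i, (length, taps, _) in enumerate(REGS):
            if clk[i] == maj:
                self.r[i] = self._step(self.r[i], length, taps)

    def bit(self) -> int:
        """One keystream bit: majority clock, then XOR of the three MSBs."""
        self._clock_majority()
        out = 0
        for i, (length, _, _) in enumerate(REGS):
            out ^= (self.r[i] >> (length - 1)) & 1
        return out

    def keystream(self, nbytes: int) -> bytes:
        """Pack keystream bits MSB-first into bytes. GSM uses 2 x 114 bits per
        frame; a C&C protocol is assumed here to simply keep clocking."""
        out = bytearray(nbytes)
        for i in range(nbytes * 8):
            out[i // 8] |= self.bit() << (7 - i % 8)
        return bytes(out)


def a51_xor(data: bytes, key: bytes, frame: int) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the A5/1 keystream."""
    ks = A51(key, frame).keystream(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


if __name__ == "__main__":
    # Constructed sample values; not taken from any real C&C exchange.
    key = bytes.fromhex("1223456789abcdef")
    msg = b"bot_id=4242;cmd=shell;arg=uname -a"
    ct = a51_xor(msg, key, 0x134)
    print(ct.hex())
    print(a51_xor(ct, key, 0x134))
```

Because encryption and decryption are the same XOR, an analyst who recovers the key and frame number from the binary can decrypt captured C&C traffic with exactly this routine; reuse of a keystream across messages would additionally allow classic two-time-pad recovery without the key.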
In its blog post, 3CX publishes a YARA rule intended to detect the Taxhaul malware. The company warns that the rule should first be evaluated in a test environment so that it does not trigger false positives. A further indicator of compromise (IOC) is contact with the command and control server.
Alternative: Progressive Web App (PWA)
To the best of our knowledge, 3CX’s Progressive Web App (PWA) was neither infected nor a carrier of the malware, which is why the manufacturer recommends using it. In another blog post, 3CX explains that the update currently undergoing quality assurance is a comprehensive security release. Web passwords are now hashed instead of being stored in plain text. Previously they were protected only by the requirement of administrator rights to read them; the developers have now fixed the issue reported in CVE-2021-45491, which they acknowledge as “bad practice”.
However, 3CX makes clear that this applies only to the web client login. “For backwards compatibility, we will not hash the SIP authentication ID and password, SIP trunk and gateway passwords, or tunnel passwords. If hacked, these credentials can only be used to gain access to calls in the PBX. These user credentials cannot be used to log into the PBX. In future builds, we will also hash these passwords,” the manufacturer writes. The technical background is that SIP digest authentication requires the PBX to hold the password, or a password-equivalent digest, in order to verify a registration, so a one-way salted hash of the kind now used for the web login is not an option there.
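The plain-text storage described in CVE-2021-45491 next to the hashed form 3CX says it has now adopted for web logins, as an added example written for this article (not 3CX code; the record format, PBKDF2 parameters and the rehash-on-login helper are assumptions about how such a migration is typically done, not a description of 3CX’s implementation):

```python
"""Web-login password storage: plain text (the CVE pattern) beside a salted,
slow hash. Added example for this article; not 3CX code. Record format and
cost parameters are assumptions."""

import hashlib
import hmac
import os

# --- Before: the pattern CVE-2021-45491 describes. Anyone who can read the
# configuration store gets every password, and '==' is not constant-time. ---
def store_plaintext(password: str) -> str:
    return password


def verify_plaintext(stored: str, candidate: str) -> bool:
    return stored == candidate


# --- After: PBKDF2-HMAC-SHA256, a random per-user salt, constant-time check.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # OWASP 2023 recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time.
    A legacy plain-text record never verifies, so it cannot be used to log in."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True for plain-text records or records below the current cost, so a
    migrating deployment can upgrade them at the user's next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    # Constructed sample credentials.
    legacy = store_plaintext("hunter2")
    record = hash_password("hunter2")
    print("legacy record readable as:", legacy)
    print("hashed record:", record)
    print("verify ok:", verify_password(record, "hunter2"))
    print("legacy needs rehash:", needs_rehash(legacy))
```

Two properties matter in practice: the same password yields a different record each time because the salt is fresh, and the cost parameter is stored with the record so it can be raised later without invalidating existing logins.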
At the end of March, it became known that 3CX had fallen victim to a supply chain attack in which the company’s VoIP software distributed malicious code. The next day, the BSI raised its warning level to “3 / Orange” (“the IT threat situation is business-critical; massive impairment of regular operations”), while 3CX initially played the incident down and reassured customers that the vast majority of affected systems “were actually never infected”. Last week, Kaspersky observed isolated installations of the Gopuram backdoor: around ten systems were singled out for it with almost surgical precision, mainly at companies in the cryptocurrency industry.