Massive 3CX Breach - The Attack Turned Out to Be Much Bigger

An investigation into the incident revealed that what happened to 3CX was not a direct attack on the company but a cyber hack by another company responsible for automating exchange trading. Now the best cybersecurity minds are trying to figure out how such a blatant incident occurred and how to prevent similar attacks in the future.

3CX Hack Synopsis or What Preceded the Attack

3CX is one of the world's largest developers of VOIP solutions for large corporations. The company's software is used all over the world. According to the latest figures, 3CX provides services to more than 600,000 companies worldwide with daily usage of 12 million people. Among the largest 3CX customers are automobile concerns BMW, Honda, Toyota, Mercedes, fast food chain McDonald's, grocery giant Coca-Cola, American Express Bank, Ikea, and others.

In March 2023, analysts from CrowdStrike and SentinelOne observed typical 3CX VoIP application activity. It was noted that the activity started after downloading the application from the website or updating the installed version. At the same time, many users began to report that their antivirus software flagged the 3CX client application as malicious.

This is what SentinelOne analysts wrote in their report:

• Behavioral detections prevented these trojanized installers from running and led to immediate default quarantine.
• The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from Github and ultimately leads to a 3rd stage infostealer DLL still being analyzed as of the time of writing.
• The compromise includes a code signing certificate used to sign the trojanized binaries.
• Our investigation into the threat actor behind this supply chain is ongoing. The threat actor has registered a sprawling set of infrastructure starting as early as February 2022, but we don’t yet see obvious connections to existing threat clusters.

According to one version, the North Korean hacker group Labyrinth Collima was behind the attack, although there is no conclusive evidence yet. In addition, as it turned out later, the attack on the company itself resulted from hacking into the supply chain of Trading Technologies.

3CX Hack: How They Pulled off the Biggest Cyberattack of 2023

Mandiant experts, who participated in the investigation of the 3CX Breach at the request of 3CX, established the sequence of introduction of malicious files into the software of the company's products. According to them, the process was launched after the X_Trader program file infected with the Trojan virus was installed on the personal computer of one of the 3CX staff. Thanks to this, hackers installed a backdoor for communication codes used by the company in Chrome, Firefox, and Edge browsers. 

Analysts also found that the malicious version of X_Trader was available for download in early 2022, and the hack happened in late 2021. The investigation could not determine how the malicious file ended on a 3CX employee's computer.

3CX Breach and the Implications for Businesses and Users

A cyberattack where the compromise of one supply chain was used as a springboard to attack another company was unprecedented. Mandiant CTO Charles Carmacal stated that this was their first time analyzing and investigating such activity. Noting, however, that Trading Technologies did not hire them as investigators for the initial attack. Trading Technologies, in turn, justified that they stopped supporting X_Trader in 2020 and, therefore, cannot be responsible for preventing such an incident. However, it should be noted that X_Trader was available for download until 2022. A company spokesman said that as 3CX is not a customer of Trading Technologies, any hacking of the X_Trader application would not affect its current software. 

There are no visible consequences of the hackers' 3CX Hack by compromising supply chains. Analysts are at odds with what the hackers were trying to achieve. One version speaks of an attempt to steal cryptocurrency. We can talk about it thanks to a report from Kaspersky Labs, which noted that several clients of 3CX attacked by the malicious application are related to cryptocurrency. All of them are based in West Asia. The report also says that although hackers managed to infiltrate many client networks, they sent the second-level malware only to a few, which may indicate a particular focus on specific businesses.

How 3CX Breach is Dangerous in the Long Term

Mandiant analysts point out that they conducted their investigation only with 3CX, while in the risk group may be other companies that have been compromised. Still, the process has not yet been launched, and they simply do not know about it.