3CX: Stopped by the guard

3CX: Stopped by the Guard

By Peter
April 3, 2023

A hack often comes from an unexpected source at a random time. Therefore, you must prepare for it and know what steps to take.

In late March 2023, 3CX, a developer of VoIP telephony software, was hit by a supply chain attack. The official desktop client distributed malware because the libraries used were compromised. Infected workstations of users of the 3CX VoIP client were the result. How could this hack happen, and how could SecurityHive protect its customers from it without taking extra measures?

What is a supply chain attack?

Every organization depends on other parties. These can be suppliers from whom you purchase a service or product and customers who buy services or goods from you. A chain is created in which parties depend on each other.

Supply Chain

When a problem occurs at one of the parties in the chain, and it can no longer perform its function, the chain is broken. The desired process can no longer be followed. A simple example of this is the "cheese hack" in 2021. A logistics company was hacked, and it could no longer drive its routes (efficiently), resulting in a shortage of cheese in supermarkets. The supermarket was not hacked but had become a victim of this attack.

3CX fell victim to a similar attack. They were not initially hacked, but they did experience the consequences. In a supply chain attack, an organization can fulfill different roles. It can be the target of the attack, but it can also be a medium to spread the virus and reach and hack others.

How did this manifest itself in 3CX?

How does 3CX work?

3CX is a well-known VoIP telephony solution with over 600,000 customers worldwide, including Coca-Cola, McDonald's, BMW, and IKEA. This solution enables telephone traffic and manages it intelligently with a call center. It is likely that you use your telephone device to call others via 3CX or a similar solution.

In addition to a physical telephone device, 3CX has a mobile application, a workstation application (Windows/macOS), and a web application for your browser.

How is the software built?

In this hack, the desktop application for both Windows and macOS was infected. When software is developed, open-source libraries are often used. These are pieces of code that can be reused and maintained by parties and volunteers. The advantage of this is that not everyone has to think of and maintain the same code again, but it also allows for transparency in building software.

3CX also uses several libraries in its software. One of these libraries was hacked and compiled into the 3CX desktop application. When this version was downloaded or pushed, the infected software was installed.

Workstation infection

When the infected update was started, an infected DLL was used to download icons hosted in a GitHub project. These icons contained base64 encoded values. These values were used to download the final malware, which could extract system information and information (credentials) from browsers such as Chrome, Edge, Brave, and Firefox.

How did SecurityHive prevent further infection?

Flow DNS calls

When downloading the malware, contact was made with various domain names where the malware was hosted. Some of these domain names are: akamaicontainer[.]com, azureonlinecloud[.]com, and msstorageazure[.]com. These domain names are designed not to stand out among the other traffic and try to inspire trust by using the names Akamai, Azure, and MS (Microsoft).

Preventing & securing contact

DNS is an essential component of the internet. Through DNS, we can connect to servers without remembering the IP address of each device. DNS also allows us to quickly attach a server with a different IP address to the same name.

In this attack, DNS was used to download malware, create trust, and enable new servers to be added without modifying the code.

SecurityHive has a solution called DNS Guard. With this DNS Security solution, all DNS traffic is monitored and filtered, both in the office and for employees who work from home or on the go. During this 3CX attack, DNS Guard was able to secure infected systems almost immediately by blocking DNS traffic to the involved domain names. This prevented the final malware from being downloaded and communication with the attacker's command & control system from occurring.

After the traffic was blocked, all customers who periodically scanned their environment for vulnerabilities with Vulnerability Management were contacted if they were running an infected version of 3CX. This allowed them to remove the root cause themselves.

Explanation of threat intelligence feed

The SecurityHive DNS Security solution includes various forms of protection. In addition to blocking categories such as ransomware, advertising, tracking, and pornography, it also includes a Threat Intelligence feed.

This feed receives real-time updates on threats on the internet. The feed is linked to various sources and can quickly respond to new developments in the cyber domain. This allowed SecurityHive to promptly secure its customers, even before a system administrator could act.

Getting started with a DNS Security solution is straightforward and can even be done without installation. Learn more about DNS Guard and try it out by clicking down below.

Protect your network using DNS Guard within 5 minutes