3CX compromise: More details about the breach, new PWA app released

3CX has released an interim report about Mandiant’s findings related to the compromise the company suffered last month, which resulted in a supply chain attack targeting cryptocurrency companies.

They discovered that:

• The attackers infected targeted 3CX systems with TAXHAUL (aka “TxRLoader”) malware, which decrypts and executes shellcode containee in a file with a name and location aimed to make it to blend into standard Windows installations
• The executed shellcode is the COLDCAT downloader
• They also found SIMPLESEA – a macOS backdoor – with command execution, file transfer, file execution, file management, and configuration updating capabilities

“On Windows, the attacker used DLL side-loading to achieve persistence for TAXHAUL malware. DLL side-loading triggered infected systems to execute the attacker’s malware within the context of legitimate Microsoft Windows binaries, reducing the likelihood of malware detection. The persistence mechanism also ensures the attacker malware is loaded at system start-up, enabling the attacker to retain remote access to the infected system over the internet,” Pierre Jourdan, the company’s CISO, explained.

“The malware was named C:\Windows\system32\wlbsctrl.dll to mimic the legitimate Windows binary of the same name. The DLL was loaded by the legitimate Windows service IKEEXT through the legitimate Windows binary svchost.exe.”

Mandiant still attributes the activity to a threat actor with a North Korean nexus.

As noted before, the DLL file used for sideloading was signed by Microsoft and the signature was not invalidated once the file was modified because the attackers exploited CVE-2013-3900. (Microsoft republished the vulnerability on Tuesday, but the fix is still optional.)

A new 3CX PWA version

CEO Nick Galea has announced a security update of the progressive web app (PWA) version of the 3CX software, which allows users to use 3CX from any browser.

The new version will hash all web passwords in the system.

“It doesn’t mean [the passwords] were completely insecure before. You still needed admin rights to access them. But it’s not good practice and it’s been the subject of CVE-2021-45491,” he said.

“Although we’ll be releasing a new version of the DesktopApp soon, we still believe for network management reasons it’s good to use the PWA app where possible. All users that use a deskphone or an Android/iOS app for the actual calling should use the PWA client.”

The company will also be removing the password for the web client and the configuration file from welcome emails, and will provide the option of restricting access to the Admin section in the web client by IP address.