3CX Confirms Embedded Malware in Desktop Applications, Impacting Thousands of Companies
3CX, an enterprise communications software solutions manufacturer, has confirmed that various versions of its desktop application for Windows and macOS are affected by an active supply-chain attack, potentially impacting thousands of companies. 3CX has a client base of approximately 600,000 companies and the impacted versions currently include 18.12.407 and 18.12.416 for Windows as well as 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 for macOS. Nick Galea, 3CX's founder and chief executive, confirmed that the desktop application is embedded with malware and Pierre Jourdan, 3CX's chief information security officer, detailed that the attack "appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware." Various cybersecurity companies have published reports on the attack, and some researchers have noted code that "exactly matches" malware historically identified in attacks by the notorious North Korean threat actor Lazarus Group (while CrowdStrike specifically cites a sub-cluster known as Labyrinth Chollima). This situation has the potential for further damage, such as mass attacks, including widespread exfiltration of data. It should also be noted that any money generated from this ongoing supply-chain attack has the potential to be funding the North Korean government. 3CX users are urged to update their self-hosted and on-premises versions of the software to version 18.12.422 to mitigate the risk of exploitation. CTIX analysts will continue to monitor the repercussions of the 3CX compromise and report all updates as they become available. Additional technical information of this attack as well as indicators of compromise (IOCs) can be reviewed in the reports linked below.
- The Record: 3CX Supply-Chain Attack Initial Article & Updated Article
- The Hacker News: 3CX Supply-Chain Attack Article
- 3CX: Nick Galea's Statement & Pierre Jourdan's Statement
- Reports: SentinelOne, Sophos, & CrowdStrike
Threat Actor Activity
Threat Profile: APT43
Threat actors from the North Korean APT43 group have come into light after security researchers unveiled new shifts in targeting and operational changes. Active since 2018, APT43 operates in support of North Korean interests and has recently been targeting government entities, manufacturing, educational institutions, and business services throughout the United States, Japan, and South Korea. Previously motivated by cyberespionage, APT43 has begun shifting to more financially motivated attacks through several cryptocurrency laundering schemes. Additionally, APT43 actors lean on their sophisticated social engineering attacks as a primary point of compromise for their operations, more often utilizing fake online personas to gain trust and persuade users to download custom malicious payloads. Malware utilized by APT43 includes custom built in-house scripts alongside variants of “Pencildown”, “Venombite”, “Pendown”, and the “Hangman” backdoor. During some operations conducted around the COVID-19 pandemic, APT43 actors were rumored to have utilized custom malware from the Lazarus hacking group. APT43 continues to evolve as a threat organization and is becoming more of an asset to the Kimsuky family of actors. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
- Mandiant: APT43 Article
- CyWare: APT43 Article
Critical Flaw in Microsoft Azure Could Allow Unauthenticated Remote Code Execution
Microsoft has patched a critical vulnerability in an Azure inspection tool that could be exploited by unauthenticated threat actors to conduct remote code execution (RCE). The flaw, tracked as CVE-2023-23383, exists in Azure Service Fabric Explorer (SFX) and has been dubbed "Super FabriXss", an homage to the "FabriXss" vulnerability patched in October 2022 by Microsoft. Azure SFX is a "distributed systems platform" that streamlines the ability to package, deploy, and manage microservices and containers, as well as assist with development and management of cloud applications. The vulnerability is a reflected cross-site scripting (XSS) flaw that gives unauthenticated attackers the ability to upload malicious scripts to trusted websites, compromising any unsuspecting victims who visit the site. The vulnerability received a CVSS score of 8.2/10, significantly higher than the original FabriXss flaw which had a CVSS of 6.2/10. This is due to the fact that the attacker can achieve full RCE without the prior need to authenticate as an administrative user. If successfully exploited, attackers would be able to launch follow-on attacks like dropping malware, as well as take complete control of affected systems. This vulnerability has been patched, and CTIX analysts urge users to ensure that they are running the most recent secure version of the platform.
- The Record: CVE-2023-23383 Article
- The Hacker News: CVE-2023-23383 Article
- Microsoft: CVE-2023-23383 Advisory
Honorable Mention / Emerging Technology
Experts Push to Slow Artificial Intelligence Research and Development
An open letter released by Future of Life institute has called on all artificial intelligence (AI) labs to immediately pause the training of powerful AI systems for at least six (6) months. The letter has been signed by experts in the field, influential researchers, leaders, and top executives, including Elon Musk and Steve Wozniak. It’s believed that the necessary planning, management, and care has not taken place in the development of AI, a powerful technology that not even the creators are fully able to understand, predict, or control. A reckless and naïve attitude has the potential to foster uncontrolled job automation, AI powered cyberattacks, and the relentless spread of disinformation and deepfakes. The letter addresses these growing concerns and potential risks that AI poses to human civilization, highlighting that the next few months of AI development will fundamentally dictate the course of history and our fate as a species. The objective of the letter isn’t intended to totally halt AI. Instead, researchers and developers should use this period of AI down-time to come together and formulate standardized safety protocols, build strict oversight, and heighten confidence to ensure that this emerging technological advancement can be used for the greater benefit and flourishment of human civilization rather than its demise.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (email@example.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.