AS2 - 3CX Desktop
3CX is a VoIP software company with more than 600,000 customers. In April 2023, the company was subject to an attack that infected its 3CX desktop software with malware. The attack is suspected to have been carried out by a North Korean nation-state actor. It was facilitated by compromising the supply chain of a trading software company, Trading Technologies.
Techniques:
Impact
T0191 - Malicious Code In Artifacts
The attackers trojanized the software X_TRADER. The trojanized software was digitally signed by "Trading Technologies", which strongly suggests that the firm's supply chain was breached.
T0191 page
Initial Access
T0153 - Compromised Developer Workstation
A 3CX employee's desktop was infected with the trojanized X_TRADER software. There is evidence that the vendor site was compromised and infected with an exploit kit that distributed the trojanized software.
T0153 page
T0113 - Compromised User Account
Attackers harvested user credentials from the infected machines.
T0113 page
T0137 - Weak Authentication Methods
Attackers connected to the company VPN using the harvested credentials, as second-factor authentication was not enabled.
T0137 page
Defense Evasion
T0176 - Misconfigured Security Measures
The EDR (if one existed) did not detect the malware on the desktop. The build system was not hardened at the network or application level. Code scanning tools either did not exist, were not configured correctly, or nobody looked at their results.
T0176 page
T0146 - Misconfigured Audit Logs Settings
Access to, and changes of, the build system and its contents should have been logged and alerted upon.
T0146 page
Credential Access
T0184 - Harvesting Sensitive Information From Files
3CX stored its application password unencrypted and unhashed on the file system. It is not clear whether this was used as part of this attack, but 3CX has since released a new client that resolves the issue.
T0184 page
Lateral Movement
T0131 - Overprivileged User Account
The compromised user had access to the entire network and the build system.
T0131 page
Impact
T0191 - Malicious Code In Artifacts
The attacker infected the 3CX software with a backdoor.
T0191 page
Campaign Links: Trading Technologies, 3CX