TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

3CX VoIP Software Compromise & Supply Chain Threats | Huntress

2023-03-30

ATT&CK techniques detected

14 predictions
T1055.001 Dynamic-link Library Injection · 91%
“… Massive kudos to our security researcher and resident binary ninja Matthew Brennan for this deep-dive! This backdoored ffmpeg.dll primarily acts as loader for the d3dcompiler_47.dll file. Right from the DLL entrypoint, it eventually enters a new function (that we have re…”

T1486 Data Encrypted for Impact · 89%
“… as much information as possible to the community. From 3CX's recently released notification, the currently known affected 3CX DesktopApp versions are 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 for Mac. Impact at the time o…”

T1195.002 Compromise Software Supply Chain · 88%
“3CX VoIP Software Compromise & Supply Chain Threats | Huntress. The 3CX VoIP Desktop Application has been compromised to deliver malware via legitimate 3CX updates. Huntress has been investigating this incident and working to validate and assess the current supply chain threat to …”

T1574 Hijack Execution Flow · 66%
“… partners, we decided not to automatically isolate 3CX hosts, in the event it could result in taking phone communication systems offline. We strongly urge you to remove the software if at all possible, as 3CX has promised a non-malicious update in the near future. Analysis & inv…”

T1195.002 Compromise Software Supply Chain · 66%
“… as much information as possible to the community. From 3CX's recently released notification, the currently known affected 3CX DesktopApp versions are 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 for Mac. Impact at the time o…”

T1055.001 Dynamic-link Library Injection · 65%
“… that can be used to check locations/versions of 3CX to run against the hashes and see if they're bad to be run in an RMM. Windows Defender is currently detecting this attack chain with the threat name Trojan:Win64/SamScissors. For detection efforts, Huntress has observed …”

T1055.001 Dynamic-link Library Injection · 63%
“…b(2bsg#@c7. According to other threat intelligence, this static key is known to be attributed to DPRK threat actors. Following calls to VirtualProtect to prepare this payload, we could extract the decrypted shellcode for further examination. Digging further within Ghidra, …”

T1071.001 Web Protocols · 55%
“… it originally referenced https[:]//msedgeupdate[.]net/windows. The https[:]//github[.]com/IconStorages/images repository hosting these C2 server endpoints has been taken offline. While this may hinder the execution of hosts updating to the current malicious…”

T1195.002 Compromise Software Supply Chain · 52%
“… partners, we decided not to automatically isolate 3CX hosts, in the event it could result in taking phone communication systems offline. We strongly urge you to remove the software if at all possible, as 3CX has promised a non-malicious update in the near future. Analysis & inv…”

T1195.001 Compromise Software Dependencies and Development Tools · 46%
“3CX VoIP Software Compromise & Supply Chain Threats | Huntress. The 3CX VoIP Desktop Application has been compromised to deliver malware via legitimate 3CX updates. Huntress has been investigating this incident and working to validate and assess the current supply chain threat to …”

T1071 Application Layer Protocol · 40%
“… partners, we decided not to automatically isolate 3CX hosts, in the event it could result in taking phone communication systems offline. We strongly urge you to remove the software if at all possible, as 3CX has promised a non-malicious update in the near future. Analysis & inv…”

T1195 Supply Chain Compromise · 38%
“3CX VoIP Software Compromise & Supply Chain Threats | Huntress. The 3CX VoIP Desktop Application has been compromised to deliver malware via legitimate 3CX updates. Huntress has been investigating this incident and working to validate and assess the current supply chain threat to …”

T1190 Exploit Public-Facing Application · 37%
“3CX VoIP Software Compromise & Supply Chain Threats | Huntress. The 3CX VoIP Desktop Application has been compromised to deliver malware via legitimate 3CX updates. Huntress has been investigating this incident and working to validate and assess the current supply chain threat to …”

T1530 Data from Cloud Storage · 36%
“…/v2/storage, https[:]//akamaitechcloudservices[.]com/v2/storage, https[:]//azureonlinestorage[.]com/azure/storage, https[:]//msedgepackageinfo[.]com/microsoft-edge, https[:]//glcloudservice[.]com/v1/console, https[:]//pbxsources…”

Summary

The 3CX VoIP Desktop Application has been compromised to deliver malware via legitimate 3CX updates. Huntress has been investigating this incident and working to validate and assess the current supply chain threat to the security community.
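The excerpts above carry two artifacts a responder can act on immediately: the affected 3CX DesktopApp versions from the 3CX notification, and a set of defanged C2 hostnames. The Python below is an added example, not Huntress's or 3CX's code, of the kind of triage check the excerpt about running a version check through an RMM describes: it tests an inventoried version string against the affected set (comparing numerically, so padded or lexically odd version strings do not slip past), refangs the quoted C2 URLs, and hunts for those hosts and their subdomains in DNS log lines while rejecting look-alike names. The log lines are constructed sample data; the truncated "pbxsources…" entry is left out because the page does not show the full hostname, and file hashes are not on this page, so the example does not invent any.

```python
"""Added example (not Huntress or 3CX code): triage helpers built from the IOCs
quoted on this page.

  1. is_affected_version(): is a 3CX DesktopApp version string one of the
     affected versions quoted from the 3CX notification.
  2. find_c2_hits(): refang the defanged C2 URLs quoted above and match their
     hostnames (including subdomains) against DNS/proxy log lines.

SAMPLE_DNS_LOG is constructed sample data, not real traffic.
"""
import re

# Affected versions exactly as quoted from the 3CX notification in the excerpts.
AFFECTED = {
    "windows": {"18.12.407", "18.12.416"},
    "mac": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

# Defanged C2 URLs quoted on the page. The truncated "pbxsources..." entry is
# omitted because the full hostname is not shown.
DEFANGED_C2 = [
    "https[:]//msedgeupdate[.]net/windows",
    "https[:]//akamaitechcloudservices[.]com/v2/storage",
    "https[:]//azureonlinestorage[.]com/azure/storage",
    "https[:]//msedgepackageinfo[.]com/microsoft-edge",
    "https[:]//glcloudservice[.]com/v1/console",
]


def refang(ioc: str) -> str:
    """Undo common defanging: [.] -> ., [:] -> :, hxxp(s) -> http(s)."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def host_of(url: str) -> str:
    """Lowercase hostname of a URL; falls back to the whole string if no scheme."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else url.lower()


C2_HOSTS = {host_of(refang(u)) for u in DEFANGED_C2}


def parse_version(v: str) -> tuple:
    """'18.12.407' -> (18, 12, 407): compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected_version(platform: str, version: str) -> bool:
    """True if `version` is one of the affected versions for `platform`."""
    plat = platform.lower()
    if plat not in AFFECTED:
        raise ValueError(f"unknown platform {platform!r}")
    wanted = {parse_version(v) for v in AFFECTED[plat]}
    return parse_version(version) in wanted


def matches_c2(hostname: str) -> bool:
    """Exact match or subdomain of a C2 host; 'notmsedgeupdate.net' must not match."""
    h = hostname.lower().rstrip(".")
    return any(h == c2 or h.endswith("." + c2) for c2 in C2_HOSTS)


# Hostname-looking tokens: dotted labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def find_c2_hits(log_lines):
    """Return [(line_number, hostname), ...] for every line naming a C2 host."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            if matches_c2(host):
                hits.append((n, host.lower()))
    return hits


# Constructed sample DNS log lines: line 2 is a C2 host, line 3 a subdomain of
# one, line 4 a look-alike that must not match.
SAMPLE_DNS_LOG = [
    "2023-03-29T10:01:02Z client=10.0.0.5 query=updates.3cx.com type=A",
    "2023-03-29T10:01:09Z client=10.0.0.5 query=msedgeupdate.net type=A",
    "2023-03-29T10:01:15Z client=10.0.0.5 query=cdn.akamaitechcloudservices.com type=A",
    "2023-03-29T10:02:00Z client=10.0.0.7 query=notakamaitechcloudservices.com type=A",
]

if __name__ == "__main__":
    print("windows 18.12.416 affected:", is_affected_version("windows", "18.12.416"))
    for n, host in find_c2_hits(SAMPLE_DNS_LOG):
        print(f"C2 hit on line {n}: {host}")
```

Feed `is_affected_version` the platform and version string your RMM inventories, and point `find_c2_hits` at resolver or proxy logs; extend `DEFANGED_C2` from the full IOC list in the original advisory rather than from this excerpt alone.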