Lazarus Assault Via 3CX Exposes Need to Rethink Security

When North Korean threat actors the Lazarus Group exploited a legitimate update to the 3CXDesktopApp—a softphone application from 3CX—security professionals didn’t initially pick up on the import of the activity and tactics that signaled the attack.

In fact, according to CrowdStrike, which discovered the attack, even experienced security professionals pooh-poohed detections as false positives. And the malicious update was whitelisted by some popular AV tools. Big mistake. The resulting malicious activity quickly spread to companies around the world and a second-stage payload, called Gopuram, soon followed.

AWS Builder Community Hub

“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads and, in a small number of cases, hands-on-keyboard activity,” CrowdStrike noted in a blog post.

In an update, the security researchers explained that “the MSI will drop three files, with the primary fulcrum being the compromised binary ffmpeg.dll.”

Once it is active, “the HTTPS beacon structure and encryption key match those observed by CrowdStrike in a March 7, 2023 campaign attributed with high confidence to DPRK-nexus threat actor LABYRINTH CHOLLIMA,” CrowdStrike said.

In the days since the CrowdStrike discovery, Kaspersky researchers, who have been tracking Gopuram since 2020, explained how the attack is executed:

  • The infection is spread via 3CXDesktopApp MSI installers. An installer for macOS has also been Trojanized.
  • The malicious installation package contains an infected dll library that decrypts a shellcode from the d3dcompiler_47.dll library’s overlay and executes it.
  • The decrypted payload extracts C2 server URLs from icons stored in a GitHub repository (the repository is removed).
  • The payload connects to one of the C2 servers, downloads an infostealer and starts it.
  • The infostealer collects system information and browser history, then sends it to the C2 server.

On closer inspection, once Kaspersky researchers discovered Gopuram infections, they were able to attribute the 3CX campaign to Lazarus with a medium-to-high degree of confidence.

Researchers now believe that the threat actors may have exploited a 10-year-old vulnerability, CVE-2013-3900, for which Microsoft had provided a patch.

“The two notable takeaways here are the CEO of 3CX who suggested that it’s a false positive when several researchers have identified the flaw, and that the supply chain attack apparently relies, in part, on a vulnerability that’s a decade old,” said Mike Parkin, senior technical engineer, Vulcan Cyber. “In the first case, when reputable researchers are pointing out an issue, it’s better to own the error than to try and duck blame. In the second, assuming CVE-2013-3900 is in play, it begs the question of exactly how a ten-year-old vulnerability could still exist.”

Some of the usual assumptions about security practices may not hold true. “The unfortunate reality of the situation is that trust boundaries inevitably form over time, especially around things like patch management. An assumption is made that patching software fixes security issues. However, it is this assumed trust that is being exploited during supply chain attacks,” said Marcus Peterson, senior consultant, OffSec pen testing at Coalfire.

“The last thing we can afford to do in our industry is to make assumptions. Extending a trust boundary to third-party vendors is demonstrably risky and, as a result, organizations get blindsided by a critical security incident such as in this case with the 3CX attack,” said Peterson. “These risky trust relationships are at the very core of the problem here. Trust relationships must be continuously scrutinized and reevaluated. Until we shift this attitude, we will continue to see adversarial groups leverage supply chain attacks. Because if we’re honest, it is an extremely effective strategy.”

There are other lessons, too. “This attack is a reminder that sophisticated attackers can often weave together several techniques—3CX code tampering and an OS vulnerability—to achieve great results. No security update should ever be ‘opt-in,’ they should be installed by default,” said John Bambenek, principal threat hunter at Netenrich.

In comparison to some of the other high-profile supply chain attacks, this one may prove harder to resolve. “This is a more complex situation to remediate than the SUNBURST hack because of how the 3CX client is distributed through a vast number of resellers and the wide variety of organizations using it,” said Viakoo CEO Bud Broomhead. “Expect this to be one where the threat actors will have an open window of vulnerability for months, depending on how urgently organizations patch both Windows and the 3CX client.”

There’s evidence that, in this case, the attacks may have worked a little too well. “The results here were that the attack seemed to exceed even the attacker’s expectations, so they were not able to fully utilize their footholds across the internet to their maximum extent,” said Bambenek.

The attacks, too, have broader implications. “The recent compromise of 3CX highlights the ongoing risk that supply-side attacks pose to companies and the public at large,” said Kyle Hankins, managing principal, application security at Coalfire.

“Use of any piece of software represents an ongoing level of trust—not only in the vendor, but in all software used by that vendor,” said Hankins. “In incidents such as this one, it can be challenging to determine which components of the application have been changed, much less how those dependencies were compromised.”

Incidents like the 3CX campaign underscore a need for procedural changes to engineering, Hankins contended. “These incidents shed light on necessary procedural changes to engineering processes. Five years ago I’d have never expected to see an executive order referencing a software bill of materials (SBOM), for example, but in May of 2021 that’s exactly what we received,” he explained.

“Unfortunately, in a modern development environment, tracking every dependency in a piece of software is nontrivial—it will require a significant shift in how we think about software engineering processes to realize it on an industry-wide scale,” said Hankins. “In the meanwhile, we can expect to see more cases such as this one, as well as a significant investment required by companies looking to mitigate this risk with tooling, training, and process changes.

The current attack also highlights realities about the supply chain. “This most recent supply chain attack brings a new dimension compared to other ones; how distant the manufacturer and end user are in these transactions,” said Broomhead. “This makes it harder for an organization to push cybersecurity requirements to the manufacturer; of course, it depends on the reseller or distributor how effective they can be in pushing these requirements to 3CX, but it adds another layer to organizations having more control over their supply chain.”

Avatar photo

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

teri-robinson has 185 posts and counting.See all posts by teri-robinson