3CX Breach Widens as Cyberattackers Drop Second-Stage Backdoor
The threat actor — believed to be the Lazarus Group — that recently compromised 3CX’s VoIP desktop application to distribute information-stealing software to the company’s customers has also dropped a second-stage backdoor on systems belonging to a small number of them.
The backdoor, called “Gopuram,” contains multiple modules that the threat actors can use to exfiltrate data; install additional malware; start, stop, and delete services; and interact directly with victim systems. Researchers from Kaspersky spotted the malware on a handful of systems running compromised versions of 3CX DesktopApp.
Meanwhile, some security researchers now say that their analysis shows the threat actors may have exploited a 10-year-old Windows vulnerability (CVE-2013-3900).
Gopuram: Known Backdoor Linked to Lazarus
Kaspersky identified Gopuram as a backdoor it has been tracking since at least 2020 when the company found it installed on a system belonging to a cryptocurrency company in Southeast Asia. The researchers at that time found the backdoor installed on a system alongside another backdoor called AppleJeus, attributed to North Korea’s prolific Lazarus Group.
In a blog post on April 3, Kaspersky concluded that the attack on 3CX was, therefore, also very likely the work of the same outfit. “The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence,” Kaspersky said.
Kaspersky researcher Georgy Kucherin says the purpose of the backdoor is to conduct cyber espionage. “Gopuram is a second-stage payload dropped by the attackers” to spy on target organizations, he says.
Kaspersky’s discovery of second-stage malware adds another wrinkle to the attack on 3CX, a provider of videoconferencing, PBX, and business communication apps for Windows, macOS, and Linux systems. The company has claimed that some 600,000 organizations worldwide — with more than 12 million daily users — currently use its 3CX DesktopApp.
A Major Supply Chain Compromise
On March 30, 3CX CEO Nick Galea and CISO Pierre Jourdan confirmed that attackers had compromised certain Windows and macOS versions of the software to distribute malware. The disclosure came after several security vendors reported observing suspicious activity associated with legitimate, signed updates of the 3CX DesktopApp binary.
Their investigations showed that a threat actor — now identified as the Lazarus Group — had compromised two dynamic link libraries (DLLs) in the application’s installation package and added malicious code to them. The weaponized apps ended up on user systems via automatic updates from 3CX and also via manual updates.
Once on a system, the signed 3CX DesktopApp executes the malicious installer, which then initiates a series of steps that ends with information-stealing malware being installed on the compromised system. Multiple security researchers have noted that only an attacker with a high level of access to 3CX’s development or build environment would have been able to introduce malicious code to the DLLs and get away unnoticed.
3CX has hired Mandiant to investigate the incident and has said it will release more details of what exactly transpired once it has all the details.
Attackers Exploited a 10-Year-Old Windows Flaw
Lazarus Group also apparently used a 10-year-old bug to add malicious code to a Microsoft DLL without invalidating the signature.
In its 2013 vulnerability disclosure, Microsoft had described the flaw as giving attackers a way to add malicious code to a signed executable without invalidating the signature. The company’s update for the issue changed how binaries signed with Windows Authenticode are verified. Basically, the update ensured that if someone made changes to an already signed binary, Windows would no longer recognize the binary as signed.
In announcing the update back then, Microsoft also made it an opt-in update, meaning users didn’t have to apply the update if they had concerns about the stricter signature verification causing problems in situations where they might have made custom changes to installers.
“Microsoft was reluctant, for a time, to make this patch official,” says Jon Clay, vice president of threat intelligence at Trend Micro. “What is being abused by this vulnerability, in essence, is a scratch-pad space at the end of the file. Think of it like a cookie flag that many applications have been allowed to use, like some Internet browsers.”
Brigid O’Gorman, senior intelligence analyst with Symantec’s Threat Hunter team, says the company’s researchers did see the 3CX attackers appending data to the end of a signed Microsoft DLL. “It’s worth noting that what gets added to the file is encrypted data that needs something else to turn it into malicious code,” O’Gorman says. In this case, the 3CX application sideloads the ffmpeg.dll file, which reads the data appended to the end of the file and then decrypts it into code that calls out to an external command-and-control (C2) server, she notes.
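The "scratch-pad space" Clay and O'Gorman describe is the Authenticode certificate table: the WIN_CERTIFICATE entry at the end of a signed PE is excluded from the signed hash, so bytes placed inside it past the PKCS#7 SignedData blob do not break the signature. A defender can measure that slack directly. The following is an added example, not code from the article, from 3CX, or from the vendors quoted; it parses the PE security directory, reads the DER length of the embedded PKCS#7 blob, and reports how many bytes in the entry lie beyond it. Legitimate files carry at most 7 bytes of 8-byte alignment padding, so anything larger is worth pulling for analysis. The sample PE is constructed in memory with a placeholder blob standing in for a real signature, so the function names, the sample builder and the 7-byte threshold are this example's own assumptions.

```python
"""Measure non-alignment slack inside a PE's Authenticode certificate table."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
MAX_ALIGNMENT_SLACK = 7  # WIN_CERTIFICATE entries are padded to 8-byte multiples


def der_total_length(blob: bytes) -> int:
    """Return header + content length of the first DER element in blob."""
    if len(blob) < 2:
        raise ValueError("certificate blob too short for a DER header")
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def certificate_table_slack(pe: bytes) -> dict:
    """Locate the security directory and measure bytes past the PKCS#7 blob."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                            # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+ layout
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    table_off, table_size = struct.unpack_from("<II", pe, entry)  # file offset, not RVA
    if table_size == 0:
        return {"signed": False, "slack": 0, "suspicious": False}
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, table_off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected certificate type")
    blob = pe[table_off + 8:table_off + dw_length]
    slack = dw_length - 8 - der_total_length(blob)
    return {"signed": True, "slack": slack, "suspicious": slack > MAX_ALIGNMENT_SLACK}


def build_sample_pe(extra: bytes = b"") -> bytes:
    """Constructed minimal PE32 with one section and a fake certificate table.

    `extra` is placed inside the WIN_CERTIFICATE entry after the (placeholder)
    PKCS#7 blob, which is where the appended data the article describes lives.
    """
    fake_pkcs7 = b"\x30\x0a" + b"\x00" * 10            # SEQUENCE of 10 bytes, 12 total
    payload = fake_pkcs7 + extra
    dw_length = (8 + len(payload) + 7) & ~7            # round up to 8-byte multiple
    cert = struct.pack("<IHH", dw_length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    cert += b"\x00" * (dw_length - len(cert))

    headers_size, section_size = 512, 512
    table_off = headers_size + section_size
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, table_off, dw_length)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", section_size, 0x1000, section_size, headers_size, 0, 0, 0, 0, 0x60000020)
    head = dos + coff + bytes(opt) + section
    head += b"\x00" * (headers_size - len(head))
    return head + b"\x00" * section_size + cert


if __name__ == "__main__":
    print("clean   :", certificate_table_slack(build_sample_pe()))
    print("tampered:", certificate_table_slack(build_sample_pe(b"\xAA" * 64)))
```

The check flags the slack, not the contents: as O'Gorman notes, the appended bytes are encrypted and only become code once a loader such as the sideloaded ffmpeg.dll decrypts them, so the measurement is a triage signal for files whose signature otherwise verifies. The opt-in hardening Microsoft shipped for this issue is switched on with the EnableCertPaddingCheck value under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (plus the Wow6432Node equivalent on 64-bit Windows), which makes the signature verifier itself reject such padding.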
“I think the best advice for organizations at the moment would be to apply Microsoft’s patch for CVE-2013-3900 if they have not already done so,” O’Gorman says.
Notably, organizations that might have patched the vulnerability when Microsoft first issued an update for it would need to do so again if they have Windows 11. That’s because the newer OS undid the effect of the patch, Kucherin and other researchers say.
“CVE-2013-3900 was used by the second-stage DLL in an attempt to hide from security applications that only check against a digital signature for validity,” Clay says. Patching would help security products flag the file for analysis, he notes.
Microsoft did not respond immediately to a Dark Reading request for information around its decision to make CVE-2013-3900 an opt-in update; mitigations; or whether installing Windows 11 rolls back the effects of the patch.