Tom here from Lawrence Systems, and the 3CX VoIP desktop app has been compromised to deliver malware via updates from 3CX. So yes, this is a supply chain attack. The currently known affected versions, as of March 30th, 2023 when I'm making this video (there could be more news later), are 18.12.407 and 18.12.416. If you have those installed on your system, or you're an IT person like us managing IT for companies, please remove them now. Don't keep watching this video. If you've already done that part, great, let's continue. Now, this being a supply chain attack, we're not exactly sure of the how. Right now we're dealing more with the what: what got delivered and what happened. This is really interesting because it's taken a lot of community effort, and I've been watching kind of from the sidelines. I'm friends with many of the people at Huntress, and I've been watching not just Huntress, of course, but all the other people collaborate. Matter of fact, the alarm on this was sounded by the people over at CrowdStrike. CrowdStrike shared their details, then more and more companies followed: SentinelOne has a write-up on this, Huntress has a write-up. And I'm going to be citing the Huntress write-up, because they did a good job of listing all the other write-ups in there. Many of you maybe follow John Hammond on YouTube, a great security researcher. If you didn't know, he also works for Huntress, and he's the one that wrote the blog post. We're going to dive into kind of taking this apart. One of the tricky parts about this, and why so much community effort is needed, is that even though you may have one of these infected versions (we're going to talk about the mechanisms in there), it appears to be a very targeted attack. So having the version that has the potential for the compromise does not necessarily mean the compromise itself was activated. It was probably only activated for certain targeted individuals.
This goes back to the SolarWinds attack. A lot of people didn't want to take the time to really understand what happened with the SolarWinds attack, but it's very similar. Even though they delivered the payload, or the infected system I should say, to all these different SolarWinds partners, it was only actually activated on very specific partners. So you could actually have this in your environment, but it was never activated by a second stage. And that's appearing to be what this is here. So just because you have it, maybe you weren't the target, but we don't know that; it's still kind of speculative. We don't see it activated everywhere. So at least that's knowledge they have; we're just not sure at whom it was activated. And that's probably what had CrowdStrike tripping the alarm, going, hey, we've seen it. So it took the action of it, not just the install of it. And I believe the install date was 3/22/2023 for these versions. And then the activation, or when we started seeing the indicators of compromise, or at least when CrowdStrike specifically called them out, was on 3/29/2023. So there's actually kind of a seven-day dwell here. And this is kind of the tricky part, because if you think about how a VoIP desktop app works, it's going to integrate deeply with the system and make a lot of calls to other things: calls to the actual servers, but also maybe integrating with other services on the desktop. So it itself can very much look malicious. And that's the really tricky part from a security standpoint: it is an app that's going to have a lot of privileges to talk to a lot of different things internally and externally, and deciding if those things that it usually does are malicious is very tricky. So let's run over here to the write-up, and I'll kind of walk you through the steps that this goes through, because I think it's very interesting, and that blog post is being actively updated. Now they have a whole timeline here.
So at 11:40 AM EDT on March 29th, Huntress received an inbound support request from a partner concerned with a new advisory and discussion on Reddit. This is the post that was from CrowdStrike. So CrowdStrike posted this right on Reddit; they got the news out there, they're sharing this information. This is an important component: security does not happen in a silo or just by any one individual, and CrowdStrike, hey, they sounded the alarm, awesome. This sends a lot of security researchers going, let's start digging into this, let's start taking this apart and analyzing it. And when you see the complexities of the analysis, this is where it takes a lot of people to put this together, because there's a lot of components that go into compiling a piece of software. So on March 29th, numerous EDR providers and antivirus solutions began triggering and flagging on a legitimately signed binary from the 3CX desktop app. This application had begun an update process that ultimately led to malicious behavior and command and control communications to numerous external servers. Unfortunately, in the early time of this community's investigation, there was confusion over whether or not this was a legitimate alert. This is one of those things where false positives happen a lot. They're constantly being researched by people, and whether or not they're actually false is so hard to determine, because it looks suspicious. But as I said, this is an app that has a lot of hooks into things, because it needs to in order to get its job done as a desktop application. So it actually started a little bit beforehand, and it looks like some people had flagged it as not malicious. There's a few forum posts I'd seen on this. I'm not a 3CX user, so I didn't have to make that decision. And I don't, you know, fault the people who said this doesn't appear to be doing anything, because at the time it technically wasn't. And this is where they talk about how it actually gets the full payload in there.
The 3CX download available on the official public website had the malware included already; once deployed, it will update and ultimately pull down this malware, which includes a backdoor DLL and an anomalous d3dcompiler DLL. And this is that mechanism. So we have the desktop updater; the backdoor is invoked and retrieves the payload. So the payload is actually not from, but was triggered from, that 3CX install. So 3CX has a binary that has an extra call out to do something else. This is how we know that 3CX was compromised here. But the payload's not in the actual download. It's an evasion technique that they're using: once they realize it's on a system somewhere, then they say, hey, go ahead and grab that secondary payload. So you're adding something to an already downloaded binary. Just from an evasion standpoint, this is really interesting. So here's a list of the C2, command and control, servers. And this is where people say, well, won't one of these next-gen firewalls solve my problem? Well, azureonlinestorage.com, is that legit? Actually, it's not. But we know that now; would a tool have known about this registered domain? And you're probably thinking, well, Tom, newly registered domains should be called out. Really, these were registered a while ago. Some of these actually were registered a while ago, I believe; I didn't check the date on every one of them, but a couple of them weren't quite that old. And when there's a lot of careful planning in an attack, this is something that's done. So these look like somewhat legitimate names: pbxsources.com, gcloudservice.com. If you're watching from a firewall standpoint, this question comes up a lot: you know, firewalls can block what's known, but if these are new attacks and unknown, you know, you're going to have a hard time blocking them. And it's really interesting: one of these callouts was actually to 3cx.com/blog/event-trainings, which makes you wonder if something was there as well.
Once again, we're trying to reverse a lot of this, or I should say security researchers are. So the how is still probably going to be a long time coming to really get sorted out. Massive kudos to their security researcher and resident binary ninja, Matthew Brennan. So once again, there's a deep dive here, talking about the different pieces that are in here: the backdoor ffmpeg.dll acts as the primary loader for this file. Right from the DllMain entry point, it enters a new function that they have renamed MW main for their reverse engineering purposes. And they walk you through each little component on here. And this is what's important, and what I want to really highlight: the complexity of doing this. I have a feeling John Hammond, being the fun YouTube presenter that he is, will probably be doing a deeper dive into this at some point in the future on his channel, because this is his write-up. And he's better at using things like this. I'm a casual observer in awe of their skills. This goes a little outside of where my skill set is, reverse engineering binaries. But I love reading these write-ups, because I understand them from the concept side: once you've reversed it, okay, this is how it's doing it. They go through each piece of the component. They went through all of this. We'll scroll down a little further. Here's those domains again that they listed. And John actually reached out to GitHub, because he reported this to GitHub earlier today; what John did was report that, yeah, some of these are malicious and hosted over on GitHub. Once again, you asked about the firewall, or people always ask about the firewall, I should say: GitHub's a legitimate place you're going to pull things from. So if someone compromises a GitHub account and then uses it as a delivery mechanism, your firewall is not going to flag that, or your SIEM tool may note, yeah, they went to GitHub. But you know how many things go to GitHub every day to grab something.
And if this was legit prior to its being compromised, there's no reason to actually flag it until we know. We'll scroll down here. There's a few other things. Huntress has a way to detect it, as have many other people; we'll just kind of jump down to the bottom here. This will be ongoing for a while. So, attribution: while definitive attribution is not yet clear, the current consensus across the security community is that this attack was performed by a DPRK nation-state actor. I found that really interesting, because generally attribution is something really hard to do and just not done in the early days of an event like this. CrowdStrike came right out and said it in their very first report: we think this is DPRK. So that's definitely interesting. The latest recommendation from 3CX is to uninstall the desktop client. They're preparing for a new release and an update to the 3CX desktop app to be made available. Huntress is fully aware of the severity of this situation. We realize our efforts are just one pebble in the pond. With that said, our goal is to always keep partners safe and, as much as we can, to help the broader small and mid-sized community. Matter of fact, Huntress has a free sign-up if you want to scan your system for it. They're offering this. So if you're not a Huntress partner at all, you can actually test this out for free. Pretty cool. And once again, resources and references; I expect this to grow. So as of the time of the video, here's a list of them. I think they did a great job here. CrowdStrike's original post, and I've got this link down below as well. CrowdStrike's formal blog post. A company called Total, they're reporting on this. SentinelOne's reporting; SentinelOne calls this SmoothOperator. I thought it was a cool name. Hats off to them for the naming on that. Thought it was neat. Discussion on the 3CX forum, a public bulletin board; there are several posts in the forums there. The CEO's first official notification; we'll talk about that in a moment.
Nextron Systems' Sigma and YARA rules; actually check those out, that's a pretty cool thing if you want to play with it. AlienVault pulse; actually, subscribe to AlienVault, it's great for getting some of these security updates. Kevin Beaumont's commentary. Patrick Wardle's commentary on the Mac variant, because yes, there appears to be a Mac variant in there as well. And they're going to go through more of the attacks, compromises, hashes you can look for. Now, let's talk a little bit about the 3CX posts, because this is the one part where I think we deviate from a win with the security community to a fail on 3CX's part, of not really getting the news out there soon enough, in my opinion. You know, I'll link to this down below, but "Threat alerts from SentinelOne for desktop update initiated from desktop client", this actually is on March 22nd of 2023: "Anyone else seeing this issue with other AV vendors?" I'm glad this is all public, because, you know, there's a lot of discussion back and forth. You can read this; this is where the end users of 3CX, so to speak, are going, why is this getting flagged? This is interesting. So they're seeing these notices, but then we fast forward a little bit here, and there's a lot of confusion in here, because 3CX did not get ahead of this at all. And this forum has just been kind of interesting, because CrowdStrike sounds the alarm, but then there's people still saying, well, my 3CX rep didn't really tell me to install this. So there wasn't a response right away. And I get that some companies may, for legal reasons, want to remain silent for a little while until their legal department clears what should be said. But really, you should at least say, yes, we know it's compromised, uninstall the app. That is a pretty simple thing they could have said, but didn't say. There are some statements from the CEO: thank you to all those supporting us in these difficult times, you know, the usual stuff.
I don't know, I don't feel the response was fast enough. I'll leave that really up to you, because that's more of an opinion on my part here. Either way, the actions are still the same: you should be uninstalling this. And I'm really looking forward to figuring out what actually happened. Because as we secure things more and more from the front end (we talk all the time about better 2FA mechanisms, good password hygiene, et cetera), the harder you make it to get in, the more the attackers have to go to different areas. I talked the other day about session token stealing, where once they can get on your computer and copy session tokens, they can just be you, bypassing all that heavy security on the front end. And it's the same thing with supply chain attacks: they are one of the ultimate hard-to-defend-against things, until we get things like a better software bill of materials (SBOM, if you're not familiar with it), where we understand everything that's in there, we understand the sources of it, and it can be examined faster, as opposed to waiting for John Hammond or other security researchers to reverse engineer everything. If there were really good manifests. And this is one of my big reasons for being an open source advocate: you generally have better manifests in open source of what went into building something; the source is listed. This gives you a really good understanding of where things came from. And then you can start hunting it all down and go, all right, I know this came from here, this came from here, this repository; let's check out these different repositories. Oh, look, this one had a recent pull request that looks suspicious. This is something we just really need in the industry, because these attacks are not going to go away. They're going to keep being there. There's a lot of dependencies when you build software, and understanding all those dependencies is what ultimately is going to help us have a more secure future. But for now, that's it.
Keep checking the Huntress blog post, which will probably be refreshed. I will list as many links as I can down below in the description, which will then be copied over to my forum as well, so you can go in there if you want to have any discussions on it. But hey, this is a breaking, interesting event. If you're thinking about getting into security, we could use some more people that are good at reverse engineering things and understanding this better. So hopefully this piques your interest a little bit, and thanks.
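Added example (not from the video, and not Huntress's or 3CX's code): a small offline IOC sweep in Python that does the "block what's known" check the firewall discussion above is about. It matches DNS queries against the C2 domains named in the video (azureonlinestorage.com, pbxsources.com and gcloudservice.com as spoken; the full list in the write-up is longer) and proxy requests against the 3cx.com/blog/event-trainings path that was also called out. The log line format, client IPs and timestamps are constructed for the example. It also illustrates the limit mentioned above: the constructed fetch from raw.githubusercontent.com matches nothing here, because a domain list cannot distinguish a poisoned GitHub download from a legitimate one.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# C2 domains as named in the video (taken from the Huntress write-up). Only the
# three spoken on the page are used; no other domains are assumed.
C2_DOMAINS = {
    "azureonlinestorage.com",
    "pbxsources.com",
    "gcloudservice.com",
}

# The legitimate-looking 3CX URL path the backdoor also reached out to, per the video.
SUSPICIOUS_3CX_PATH = "/blog/event-trainings"

# Constructed sample DNS log (not real telemetry): "timestamp client qname"
SAMPLE_DNS_LOG = """\
2023-03-29T11:40:01Z 10.0.5.21 update.3cx.com
2023-03-29T11:40:03Z 10.0.5.21 raw.githubusercontent.com
2023-03-29T11:41:17Z 10.0.5.21 azureonlinestorage.com
2023-03-29T11:41:18Z 10.0.5.21 files.azureonlinestorage.com.
2023-03-29T11:42:00Z 10.0.7.9 www.microsoft.com
2023-03-29T11:45:30Z 10.0.7.9 cdn.pbxsources.com
2023-03-29T11:46:02Z 10.0.9.3 notazureonlinestorage.com
"""

# Constructed sample proxy log (not real telemetry): "timestamp client method url"
SAMPLE_PROXY_LOG = """\
2023-03-29T11:46:03Z 10.0.5.21 GET https://www.3cx.com/blog/event-trainings/
2023-03-29T11:46:10Z 10.0.7.9 GET https://www.3cx.com/
2023-03-29T11:47:00Z 10.0.5.21 GET https://raw.githubusercontent.com/example/repo/main/icon.ico
"""


def matched_c2(qname, known=C2_DOMAINS):
    """Return the known domain that qname equals or is a subdomain of, else None.

    The suffix test is done on a label boundary (".domain"), so a look-alike
    such as notazureonlinestorage.com does not match azureonlinestorage.com.
    A trailing dot (fully qualified form) is stripped before comparing.
    """
    name = qname.lower().rstrip(".")
    for domain in known:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def sweep_dns_log(text, known=C2_DOMAINS):
    """Return {client_ip: [(timestamp, qname, matched_domain), ...]} for every hit."""
    hits = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the sweep
        ts, client, qname = parts
        domain = matched_c2(qname, known)
        if domain:
            hits[client].append((ts, qname, domain))
    return dict(hits)


def sweep_proxy_log(text, path_prefix=SUSPICIOUS_3CX_PATH):
    """Return [(timestamp, client, url), ...] for requests to 3cx.com under the odd path."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _method, url = parts
        parsed = urlsplit(url)
        host = (parsed.hostname or "").lower()
        on_3cx = host == "3cx.com" or host.endswith(".3cx.com")
        if on_3cx and parsed.path.startswith(path_prefix):
            hits.append((ts, client, url))
    return hits


if __name__ == "__main__":
    for client, events in sorted(sweep_dns_log(SAMPLE_DNS_LOG).items()):
        for ts, qname, domain in events:
            print(f"{client} resolved {qname} at {ts} (matches C2 domain {domain})")
    for ts, client, url in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} fetched {url} at {ts}")
```

Run against real resolver or proxy exports by swapping in your own lines in the same three- or four-column shape; anything that hits is a host to pull the 3CX app from and triage, but a clean result only says the known names were not seen, not that the second stage never ran.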