3CX Breach Widens as Cyberattackers Drop Second-Stage Backdoor


The threat actor — believed to be the Lazarus Group — that recently compromised 3CX’s VoIP desktop application to distribute information-stealing software to the company’s customers has also dropped a second-stage backdoor on systems belonging to a small number of them.

The backdoor, called “Gopuram,” contains multiple modules that the threat actors can use to exfiltrate data; install additional malware; start, stop, and delete services; and interact directly with victim systems. Researchers from Kaspersky spotted the malware on a handful of systems running compromised versions of 3CX DesktopApp.

Meanwhile, some security researchers now say their analysis shows the threat actors may have exploited a 10-year-old Windows vulnerability (CVE-2013-3900).

Gopuram: Known Backdoor Linked to Lazarus

Kaspersky identified Gopuram as a backdoor it has tracked since at least 2020, when the company found it installed on a system belonging to a cryptocurrency company in Southeast Asia. Researchers at the time found the backdoor installed on a system alongside another backdoor called AppleJeus, attributed to North Korea’s prolific Lazarus Group.

In a blog post on April 3, Kaspersky concluded that the attack on 3CX was, therefore, also very likely the work of the same outfit. “The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence,” Kaspersky said.

Kaspersky researcher Georgy Kucherin says the purpose of the backdoor is to conduct cyber espionage. “Gopuram is a second-stage payload dropped by the attackers” to spy on target organizations, he says.

Kaspersky’s discovery of second-stage malware adds another wrinkle to the attack on 3CX, a provider of videoconferencing, PBX, and business communication apps for Windows, macOS, and Linux systems. The company has claimed that some 600,000 organizations worldwide — with more than 12 million daily users — currently use its 3CX DesktopApp.

A Major Supply Chain Compromise

On March 30, 3CX CEO Nick Galea and CISO Pierre Jourdan confirmed that attackers had compromised certain Windows and macOS versions of the software to distribute malware. The disclosure came after several security vendors reported observing suspicious activity associated with legitimate, signed updates of the 3CX DesktopApp binary.

Their investigations showed that a threat actor — now identified as the Lazarus Group — had compromised two dynamic link libraries (DLLs) in the application’s installation package and added malicious code to them. The weaponized apps ended up on user systems via automatic updates from 3CX and also via manual updates.

Once on a system, the signed 3CX DesktopApp executes the malicious installer, which then initiates a series of steps that ends with information-stealing malware being installed on the compromised system. Multiple security researchers have noted that only an attacker with a high level of access to 3CX’s development or build environment would have been able to introduce malicious code into the DLLs and go unnoticed.

3CX has engaged Mandiant to investigate the incident and said it will publish more details about exactly what happened once it has the full picture.

Attackers Exploited a 10-Year-Old Windows Flaw

The Lazarus Group also used a 10-year-old bug to add malicious code to a Microsoft DLL without invalidating its signature.

In its 2013 vulnerability disclosure, Microsoft had described the flaw as giving attackers a way to add malicious code to a signed executable without invalidating the signature. The company’s update for the issue changed how binaries signed with Windows Authenticode are verified. Basically, the update ensured that if someone made changes to an already signed binary, Windows would no longer recognize the binary as signed.

In announcing the update back then, Microsoft also made it an opt-in update, meaning users didn’t have to apply the update if they had concerns about the stricter signature verification causing problems in situations where they might have made custom changes to installers. 

“Microsoft was reluctant, for a time, to make this patch official,” says Jon Clay, vice president of threat intelligence at Trend Micro. “What is being abused by this vulnerability, in essence, is a scratch-pad space at the end of the file. Think of it like a cookie flag that many applications have been allowed to use, like some Internet browsers.”

Brigid O’Gorman, senior intelligence analyst with Symantec’s Threat Hunter team, says the company’s researchers did see the 3CX attackers appending data to the end of a signed Microsoft DLL. “It’s worth noting that what gets added to the file is encrypted data that needs something else to turn it into malicious code,” O’Gorman says. In this case, the 3CX application sideloads the ffmpeg.dll file, which reads the data appended to the end of the file and then decrypts it into code that calls out to an external command-and-control (C2) server, she notes.

“I think the best advice for organizations at the moment would be to apply Microsoft’s patch for CVE-2013-3900 if they have not already done so,” O’Gorman says.

Notably, organizations that might have patched the vulnerability when Microsoft first issued an update for it would need to do so again if they have Windows 11. That’s because the newer OS undid the effect of the patch, Kucherin and other researchers say.

“CVE-2013-3900 was used by the second-stage DLL in an attempt to hide from security applications that only check against a digital signature for validity,” Clay says. Patching would help security products flag the file for analysis, he notes.

Microsoft did not immediately respond to a Dark Reading request for information on its decision to make CVE-2013-3900 an opt-in update, on mitigations, or on whether installing Windows 11 rolls back the effects of the patch.
