The source of the 3CX supply chain attack remains unclear as the unified communications provider has seemingly backtracked on claims it made last week.
3CX confirmed a supply chain attack on March 30 via a blog post written by company CISO Pierre Jourdan. He wrote that multiple versions of the company's Electron Windows App were impacted by malicious code that appeared to have been the result of "a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack."
The CISO said that the attack vector appeared to be "one of the bundled libraries that we compiled into the Windows Electron App via GIT." In a post on 3CX's customer forum published the same day, CEO Nick Galea wrote that the breach occurred "because of an upstream library we use became infected."
A March 29 CrowdStrike research blog claimed the central point of compromise was ffmpeg.dll, a binary file referencing popular multimedia framework FFmpeg, with correlating reports coming from other security vendors. CrowdStrike added that "the HTTPS beacon structure and encryption key match those observed by CrowdStrike in a March 7, 2023 campaign attributed with high confidence to DPRK-nexus threat actor [Lazarus Group]."
Though 3CX did not initially reference FFmpeg directly, Galea and Jourdan's posts suggested that FFmpeg was the source of the supply chain attack, not 3CX. FFmpeg published a tweet Thursday rebutting reports that it had suffered a supply chain attack, as FFmpeg "only provides source code" -- not compiled DLL files.
There have been several incorrect reports that FFmpeg has been involved in the distribution of malware.— FFmpeg (@FFmpeg) March 30, 2023
FFmpeg only provides source code and the source code has not been compromised. Any "ffmpeg.dll" that has been compromised is the responsibility of the vendor.
3CX appeared to have backtracked on these claims. A security update from Galea on Monday no longer mentioned a bundled or upstream library as the cause of the attack.
"We regret to inform you that our company has become victim to an attack on our product and the larger supply chain," Galea wrote. "With Mandiant by our side, we're conducting a full investigation. This includes a thorough security review of our Web Client and PWA App [Progressive Web App] where Mandiant engineers are validating the entire source code of our web app and Electron App for any vulnerabilities."
Additionally, Galea responded via Twitter to malware source code repository VX-Underground's tweet about the supply chain attack. Galea replied that he wasn't blaming a third-party library.
No I never stated that. We said that the compiled FFMPEG DLL in our product had the trojan inserted in it and we are trying to find out how this happened and working with our security response team Mandiant in ascertaining that.— Nick Galea (@NickGalea3cx) March 31, 2023
"It was not an official statement," Galea wrote. "It was a brief first message telling our customers/partners at 6 am in the morning on our forum with very scant information at hand saying [a] 'Houston we have a problem' type message. I am not blaming Houston. I apologize for any confusion."
3CX has not responded to TechTarget Editorial's request for comment at press time.
UPDATE 4/11: In a blog post Tuesday, Jourdan shared the results of Mandiant's initial incident response investigation. Mandiant assessed with "high confidence" that the threat actor behind the attack is affiliated with the North Korean government.
Jourdan also detailed the malware used in the attack. In addition to the "Taxhaul" or "TxRLoader" malware executed on "targeted 3CX systems" using Windows, Mandiant identified a MacOS backdoor, referred to as "Simplesea," that is distinct from Windows malware. Jourdan included a YARA rule for Taxhaul in the post.
The post did not include information about how the supply chain attack occurred, and 3CX did not immediately respond to TechTarget Editorial's request for comment.
Alexander Culafi is a writer, journalist and podcaster based in Boston.