Security News > 2023 > April > 3CX compromise: More details about the breach, new PWA app released
3CX has released an interim report about Mandiant's findings related to the compromise the company suffered last month, which resulted in a supply chain attack targeting cryptocurrency companies.
The attackers infected targeted 3CX systems with TAXHAUL malware, which decrypts and executes shellcode containee in a file with a name and location aimed to make it to blend into standard Windows installations.
"On Windows, the attacker used DLL side-loading to achieve persistence for TAXHAUL malware. DLL side-loading triggered infected systems to execute the attacker's malware within the context of legitimate Microsoft Windows binaries, reducing the likelihood of malware detection. The persistence mechanism also ensures the attacker malware is loaded at system start-up, enabling the attacker to retain remote access to the infected system over the internet," Pierre Jourdan, the company's CISO, explained.
The DLL file used for sideloading was signed by Microsoft and the signature was not invalidated once the file was modified because the attackers exploited CVE-2013-3900.
CEO Nick Galea has announced a security update of the progressive web app version of the 3CX software, which allows users to use 3CX from any browser.
The new version will hash all web passwords in the system.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2013-12-11 | CVE-2013-3900 | Improper Input Validation vulnerability in Microsoft products The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability." | 0.0 |