Security News > 2023 > April > 3CX compromise: More details about the breach, new PWA app released
3CX has released an interim report about Mandiant's findings related to the compromise the company suffered last month, which resulted in a supply chain attack targeting cryptocurrency companies.
The attackers infected targeted 3CX systems with TAXHAUL malware, which decrypts and executes shellcode containee in a file with a name and location aimed to make it to blend into standard Windows installations.
"On Windows, the attacker used DLL side-loading to achieve persistence for TAXHAUL malware. DLL side-loading triggered infected systems to execute the attacker's malware within the context of legitimate Microsoft Windows binaries, reducing the likelihood of malware detection. The persistence mechanism also ensures the attacker malware is loaded at system start-up, enabling the attacker to retain remote access to the infected system over the internet," Pierre Jourdan, the company's CISO, explained.
The DLL file used for sideloading was signed by Microsoft and the signature was not invalidated once the file was modified because the attackers exploited CVE-2013-3900.
CEO Nick Galea has announced a security update of the progressive web app version of the 3CX software, which allows users to use 3CX from any browser.
The new version will hash all web passwords in the system.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2013-12-11 | CVE-2013-3900 | Improper Verification of Cryptographic Signature vulnerability in Microsoft products Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. | 8.8 |