Update 16:20 30/03/2023: Additional information relating to the vulnerable Mac version of the 3CX desktop app has been provided by security researchers. Updates to this alert have been added below.

Executive Summary

A digitally signed and malicious version of the 3CX Voice over Internet Protocol (VoIP) desktop client is reportedly being used as part of an ongoing hacking campaign confirmed against windows devices and believed to be targeting Mac devices. It is believed that this the campaign involves nation state actors.

Update: The campaign has now been confirmed to be exploiting Mac devices.

Technical Summary

Earlier this week, CrowdStrike observed unexpected malicious activity which originated from a legitimately signed 3CXDesktopApp. The attack starts as soon as the MSI installer is downloaded and launched from 3CX’s website or the application is updated.  The application itself is not malicious, however, when downloaded and installed, a malicious dll (ffmpeg.dll) is sideloaded which then extracts an encrypted payload from another dll (d3dcompiler_47.dd) and executes it. The malicious activity performed includes communication with attacker controller infrastructure, further payload deployment and hands-on-keyboard attacks, which is when threat actors stop using automated scripts and manually log in to an infected system to execute commands.

Update: For mac devices, the application bypassed Apple’s approval checks and was notarized, meaning it had been marked as safe by Apple and would not be blocked. The application uses libgffmpeg.dylib and attempts to connect to a command and control server. No more information on the specifics of the malcious content is known at current.

What’s the risk to me or my business?

According to 3CX, versions 18.12.407 & 18.12.416 are vulnerable to this attack and should be uninstalled. Organisations using the vulnerable versions of the 3CX desktop application are at a significant risk of data compromise.

Update: In an update to their advisory, for Mac users, the following versions are now confirmed as vulnerable: 18.11.1213, 18.12.402, 18.12.407 & 18.12.416.

Indicators of compromise (IoCs)

Crowdstrike has noted the following domains are in use by the attackers:

• akamaicontainer.com

• akamaitechcloudservices.com

• azuredeploystore.com

• azureonlinecloud.com

• azureonlinestorage.com

• dunamistrd.com

• glcloudservice.com

• journalide.org

• msedgepackageinfo.com

• msstorageazure.com

• msstorageboxes.com

• officeaddons.com

• officestoragebox.com

• pbxcloudeservices.com

• pbxphonenetwork.com

• pbxsources.com

• qwepoi123098.com

• sbmsa.wiki

• sourceslabs.com

• visualstudiofactory.com

• zacharryblogs.com

What can I do?

A new desktop application is being worked on at current by 3CX, however it is not yet available. As such, it is recommended that the web application is used, and the vulnerable versions are uninstalled. Organisations should check for any activity involving the above IoCs. Additionally, organisations may benefit from identifying and monitoring the presence of ffmpeg.dll and d3dcompiler.dll on Windows devices as only a select number of anti-virus vendors have marked these as malicious.

Update: In addition to the above, Organisations may also benefit from identifying and monitoring the presence of libgffmpeg.dylib for Mac devices running vulnerable versions, as only a select number of anti-virus vendors have marked these as malicious. Due to the ongoing investigation, Black Arrow will update this post as soon as new information is identified.

The advisory from 3CX can be found here: https://www.3cx.com/blog/news/desktopapp-security-alert/

VirusTotal results for the ffmpeg.dll and d3dcompiler_47.dll can be found here: https://www.virustotal.com/gui/file/7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896

https://www.virustotal.com/gui/file/11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03

Various cyber security vendors have provided a breakdown of attacks, including indicators of compromise and actions they have taken:

https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/

https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/

https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/

 https://www.trendmicro.com/en_gb/research/23/c/information-on-attacks-involving-3cx-desktop-app.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Cyber Advisory – 20,000 HP Servers Have Their Management Interface Exposed to the Internet

Executive Summary

Integrated Lights Out (iLO) is a low-level management interface on Hewlett-Packard (HP) servers, intended for out-of-band or outside-of-operating system access. The service is most used by IT staff managing the device for remote support operations, such as powering the system off, updating firmware or viewing the display via the network. Despite a recent and serious bug dubbed ‘iLOBleed’, approximately 24,000 iLO devices are still exposed to the internet and searchable with Google.

What’s the risk to me or my business?

HP servers are very common in business settings and remain the popular choice globally. Most of these servers come with iLO pre-installed, which makes them a lucrative target to attackers when vulnerable, particularly given their low-level access. In combination with vulnerabilities like ‘iLOBleed’, remotely exposing iLO to the web presents a low hanging fruit that may be too attractive to pass up.

What can I do?

Check with your IT team or MSP to ensure that you aren’t exposing anything to the web that shouldn’t be there, even beyond iLO. Misconfigurations or services such as Universal Plug and Play (UPNP) can expose devices without your knowledge, leaving you open to attack where the exposed systems are vulnerable.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Black Arrow Cyber Advisory – Java Log4Shell Vulnerability – The Maximum Severity Christmas Humbug

Executive Summary

Log4Shell, a critical zero-day actively exploited in the wild, has been found after a series of Minecraft servers fell victim. The bug impacts Java, an almost ubiquitous software that’s found in billions of devices across the globe, from the enterprise to the home. In an extremely rare but warranted move, Log4Shell has been given a 10 out of 10 on the Common Vulnerability Scoring System (CVSS) scale, owing to its ability to be remotely executed and the potential for pandemic level damage. 

What’s the risk to my business?

Java report their use on billions of devices, from computers, printers, routers and mobile phones to cash machines, ticket machines and credit card readers – the list is endless. The likelihood of a device running Java in your environment somewhere is high.

What can I do?

Discuss with your Managed Service Provider (MSP) whether any of your devices or services are impacted, and when they can expect to be patched. Equally, keeping devices at home or elsewhere up to date is an important step to mitigation, both for your professional and private life.

Technical Summary

The bug, tracked as CVE-2021-44228, was first discovered when a remote-code attack compromised a series of Minecraft servers, one of the most popular Java-based games of all time. The source of the bug was Log4J, a logging utility used by millions of applets across billions of devices. Using the vulnerability, threat actors can craft a request to force the applet to interpret a log as a URL, which is then fetched and executed with full privileges. The exploit can be triggered inside text using “${}”, allowing for their injection in commonly logged attributes like user agents.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

The Microsoft Threat Intelligence Center (MSTIC) have reported increased activity from state-sponsored threat actors, with a particular focus on NOBELIUM. NOBELIUM, a Russian-backed group, have emerged as a prominent threat due to their choice of target – managed IT service providers (MSPs). The activity, observed across the United States and Europe, seeks to exploit the trust and delegated administrative privileges used to manage clients. Much like the SolarWinds compromise of 2020, this new threat shares all the hallmarks of NOBELIUM’s “compromise-one-compromise-many” approach.

What’s the risk to my business?

Delegated admin privileges – allowing MSPs administrative control of your estate for support purposes – presents as an attractive target to bad actors, particularly as the MSPs will often hold the keys to multiple businesses. Should attackers compromise an account with these delegated privileges, access to the managed estates underneath becomes trivial.

What can I do?

Revoking administrative privileges is not realistic as part of a managed service. While the requirement remains, businesses are recommended to gain visibility and understand why and where these accounts might exist for their managed estate. Where these relationships do exist, businesses should look to review the effectiveness of controls and the security practices on any accounts with delegated admin access.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Black Arrow Threat Alert - GriftHorse Malware Saddles 10 Million Android Users with Sophisticated Billing Malware

Over 10 million Android users have been infected by a particularly lucrative form of malware. Distributed through Google Play, more than 200 apps have been found to contain GriftHorse, a sophisticated trojan used to secretly bill for premium “services”.

Victims have been recorded in 70 countries, with GriftHorse netting its implementers hundreds of millions of euros since it came on scene. The malware was first detected by Zimperium, a mobile security researcher, who stated that GriftHorse was “one of the most widespread campaigns” they’d seen in 2021.

So, how does it work? With names like “Handy Translator Pro” and “Call Recorder Pro”, users are enticed to download the apps, before being bombarded with pop-ups. These pop-ups appear and re-appear with alarming frequency, until the user finally relents.

In a complex move, users are then directed to a custom page based on their location, both for believability and to adapt and outmaneuver anti-virus. Once successful, the device is signed up for a premium text message service, adding a hefty chunk to the victim’s phone bill every month.

A full list of compromised apps and associated URLs can be found here https://pastebin.com/cqRVtsSp

Black Arrow Cyber Threat Alert - Thursday 23 September 2021 - Nagios Management Software Vulnerabilities and VMWare vCenter Bug Allows for Remote Code Execution

1. Nagios Management Software Vulnerabilities Disclosed, Could be Chained to Perform Remote Code Execution

1.1 Executive Board Summary

What is Nagios?

Nagios is a market leading IT monitoring software, used by such prominent businesses as Air BnB and Paypal. Nagios provides a centralised platform to allow both businesses and IT support providers to keep tabs on systems and services remotely.

What’s the risk to my business?

Given the attractive nature of Nagios to an attacker – a central resource with connections to potentially everything in the network – it could be severe. If you or your managed IT provider use Nagios, attackers may be able to remotely conduct attacks without requiring authentication – effectively bypassing your security.

What can I do?

Contact your IT department or provider to determine whether your systems are monitored by Nagios. A patch has been issued that your technical teams can implement straight away. See our technical summary for more details.

1.2 Technical Summary for Network Defenders

11 new security vulnerabilities have been disclosed for the Nagios network management platform. Of note is the potential to “chain” these attacks together to perform Remote Code Execution (RCE), theoretically allowing for pre-authenticated access and privilege escalation at the highest level.

Who is affected?

Anyone using Nagios XI, Nagios XI Switch Wizard, Nagios XI Docker Wizard or Nagios XI Watchguard.

What can I do?

These issues have been designated and fixed in Nagios XI 5.8.5 and above, Nagios XI Switch Wizard 2.5.7 or above, Nagios XI Docker Wizard 1.13 or above, and Nagios XI Watchguard 1.4.8 or above.

IT teams are advised to perform the necessary patches as soon as is practicable.

What’s the risk?

Consumers may be aware of the harm caused during the Solarwinds and Kaseya round of vulnerabilities, with the latter causing major disruption as a potential supply chain attack.

Solutions such as Nagios and Kaseya, while they undoubtedly provide IT teams with an efficient and broad toolset to support their network stack, offer attackers near unprecedented access if successfully breached. Given the wide scope network integration these toolkits the risk remains high for vulnerabilities in this software sector.

2. Black Arrow Threat Alert: Critical VMWare vCenter Bug Allows for Remote Code Execution by Anyone on the Network

VMWare – a server hosting platform widely used in the Island by businesses and IT providers alike – have disclosed a bug in their vCenter management service dubbed as requiring attention “right now”.

2.2 Executive Board Summary

What is VMWare vCenter?

vCenter is a major component of the VMWare virtualisation ecosystem, used in managing virtual machines and servers. Nearly all businesses of reasonable size will utilise virtualisation to some extent – the act of running multiple servers on a single physical box. If you use a computer on a business network, you’ve probably got VMWare.

What’s the risk to my business?

If you are one of the many local firms using VMWare, high. VMWare have designated this bug as critical, as it allows for malicious files to be uploaded remotely – the most dangerous type of vulnerability. Attackers could craft these files to gain access to sensitive data, or as a springboard for another type of attack like ransomware.

What can I do?

Contact your IT department or IT provider to determine whether your systems are vulnerable. A patch has already been issued, so all up-to-date services will be protected. See our technical summary for more details.

2.3 Technical Summary For Network Defenders

A new vulnerability has been discovered in vCenter server. The bug allows for anyone with network access to vCenter via port 443 – locally or via remote connection – to arbitrarily abuse the file upload service to insert malicious content. The bug falls under the “Remote Code Execution” category for vulnerabilities and is deemed highly critical as such.

What versions are affected?

VMWare advise that the bug impacts all current releases of vCenter Server – 6.5, 6.7 and 7.0.

What can I do?

Perform an initial check to determine if you are running on an affected version of vCenter Server. VMWare notes that organisations that have recently updated to version 7.0 Update 2c may not be impacted – though it is still recommended to run patches.

VMWare recommend immediate patching on any affected systems, where at all possible. A workaround has also been released, involving modification to a text file on the affected server and restarting services, though it should be noted this is only a temporary fix.

What’s the risk?

Industry resources report that threat actors have already begun scanning for this vulnerability since its release. In equal measure, the vulnerability allows for anyone with local network access to the affected server – i.e. staff member or third party contractor – to carry out the attack.

Given the severity and potential benefit to attackers, activity is expected to increase over the following weeks.