
3CX Supply Chain Compromise Leads to ICONIC Incident

2023-03-30, Volexity
https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/
#SupplyChain #3CXDesktopApp #SmoothOperator #ICONIC #UTA0040

On Wednesday, March 29, 2023, Volexity became aware of a supply chain compromise by a suspected North Korean threat actor, which Volexity tracks as UTA0040*. Endpoints with the 3CX Desktop application installed received a malicious update of this software that was signed by 3CX and downloaded from their servers. The update arrived through the default automatic update process and resulted in information-stealing malware being installed on the victim's host. Additional malicious activity may have taken place where the threat actor deemed the endpoint to be of sufficient interest.
3CX is a phone system company and claims to have more than 600,000 customers and 12 million users, including world-renowned brands. They have posted an update on their website acknowledging the compromise, though it should be noted the information in this post should not be deemed conclusive or entirely …

IoC

MD5
0eeb1c0133eb4d571178b2d9d14ce3e9
11bc82a9bd8297bd0823bce5d6202082
660ea9b8205fbd2da59fefd26ae5115c
74bc2d0b6680faa1a5a76b27e5479cbc
7faea2b01796b80d180399040bb69835
d5101c3b86d973a848ab7ed79cd11e5a

SHA-1
0d890267ec8d6d2aaf43eaca727c1fbba6acd16e
11ae67704ea0b930b2cc966e6d07f8b898f1a7d2
31d775ab577f3cc88991d90e9ae58501dbe1f0da
3992dbe9e0b23e0d4ca487faffeb004bcfe9ecc8
3a2138cd38ff2cef246f122a97d3c8f85ab6fc94
3b3e778b647371262120a523eb873c20bb82beaf
3dc840d32ce86cebf657b17cef62814646ba8e98
3df119f322c5182bdbea4ab364eec8a0e23d888b
57a9f3d5d1592a0769886493f566930d8f32a0fc
64ab912d0af35c01355430d85dd4181f25e88838
769383fc65d1386dd141c960c9970114547da0c2
8377fb40c76aa3ba3efae3d284fa51aa7748e010
894e7d4ffd764bb458809c7f0643694b036ead30
89827af650640c7042077be64dc643230d1f7482
96910a3dbc194a7bf9a452afe8a35eceb904b6e4
9c943baad621654cc0a0495262b6175276a0a9fb
ad37112b302c5193e60f6f6f49f4df668f5d3eb9
b1dee3ebcffad01a51ff31ff495fef1d40fdfaa0
b5de30a83084d6f27d902b96dd12e15c77d1f90b
bf939c9c261d27ee7bb92325cc588624fca75429
bfecb8ce89a312d2ef4afc64a63847ae11c6f69e
caa77bcd0a1a6629ba1f3ce8d1fc5451d83d0352
f533bea1c0558f73f6a3930343c16945fb75b20f
ffccc3a29d1582989430e9b6c6d2bff1e3a3bb14

SHA-256
59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423
a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67
e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec
f79c3b0adb6ec7bcc8bc9ae955a1571aaed6755a28c8b17b1d7595ee86840952

URLs
http://akamaitechcloudservices.com/v2/fileapi
http://azuredeploystore.com/cloud/images
http://azureonlinestorage.com/google/storage
http://glcloudservice.com/v1/status
http://msedgepackageinfo.com/ms-webview
http://msedgeupdate.net
http://msstorageazure.com/analysis
http://msstorageboxes.com/xbox
http://officeaddons.com/quality
http://officestoragebox.com/api/biosync
http://pbxcloudeservices.com/network
http://pbxphonenetwork.com
http://pbxphonenetwork.com/phone
http://pbxsources.com/queue
http://protected.com
http://protected.me
http://sourceslabs.com/status
http://visualstudiofactory.com/groupcore
http://zacharryblogs.com/xmlquery
https://akamaitechcloudservices.com/v2/storage
https://azuredeploystore.com/cloud/services
https://azureonlinestorage.com/azure/storage
https://github.com/IconStorages/images/
https://glcloudservice.com/v1/console
https://msedgepackageinfo.com/microsoft-edge
https://msedgeupdate.net/Windows
https://msstorageazure.com/window
https://msstorageboxes.com/office
https://officeaddons.com/technologies
https://officestoragebox.com/api/session
https://pbxcloudeservices.com/phonesystem
https://pbxphonenetwork.com/voip
https://pbxsources.com/exchange
https://sourceslabs.com/downloads
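The indicators above are only useful once something is matched against them. The script below is an added example, not code from Volexity or 3CX: it classifies each hash by digest length (32, 40 and 64 hex characters for MD5, SHA-1 and SHA-256), hashes every file under a directory in a single pass for all three algorithms, and checks proxy-log lines for the C2 hostnames. It embeds only a subset of the hashes and URLs from the list above (paste in the full list for real use), treats a subdomain of a listed host as a hit, matches the github.com entry only as an exact URL because that host is shared infrastructure, and runs on constructed log lines (SAMPLE_LOG) so it works offline.

```python
"""Offline IoC sweep for the 3CX / ICONIC indicators on this page (added example,
not Volexity's or 3CX's code): hash-type classification, one-pass file hashing,
and proxy-log matching on the C2 hosts, their subdomains, or the exact GitHub URL."""
import hashlib
import os
import re
import sys
from urllib.parse import urlparse

# Subset of the hashes and URLs from the IoC list above; paste in the full list for real use.
IOC_HASHES = """
0eeb1c0133eb4d571178b2d9d14ce3e9
11bc82a9bd8297bd0823bce5d6202082
0d890267ec8d6d2aaf43eaca727c1fbba6acd16e
11ae67704ea0b930b2cc966e6d07f8b898f1a7d2
59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
""".split()
IOC_URLS = """
https://msstorageazure.com/window
https://pbxphonenetwork.com/voip
http://akamaitechcloudservices.com/v2/fileapi
https://glcloudservice.com/v1/console
https://github.com/IconStorages/images/
""".split()
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
SHARED_HOSTS = {"github.com"}  # shared platform: only the full URL is an indicator
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?::\d+)?(?:/|$)", re.I)
SAMPLE_LOG = [  # constructed proxy-log lines for the demo, not real traffic
    "2023-03-30T10:12:01Z 10.0.0.5 GET https://msstorageazure.com/window 200",
    "2023-03-30T10:13:09Z 10.0.0.9 CONNECT raw.githubusercontent.com:443 200",
    "2023-03-30T10:14:22Z 10.0.0.5 GET http://cdn.pbxphonenetwork.com/phone 200",
    "2023-03-30T10:15:40Z 10.0.0.8 GET https://github.com/IconStorages/images/ 200",
]


def classify_hash(value):
    """Map a hex digest to its algorithm by length; reject anything else."""
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value) or len(value) not in ALGO_BY_LENGTH:
        raise ValueError(f"not a recognised hex digest: {value!r}")
    return ALGO_BY_LENGTH[len(value)]


def build_hash_index(hashes):
    """Group indicators by algorithm so every file is checked against each type."""
    index = {algo: set() for algo in ALGO_BY_LENGTH.values()}
    for h in hashes:
        index[classify_hash(h)].add(h.strip().lower())
    return index


def digests_of_bytes(data):
    """MD5, SHA-1 and SHA-256 of an in-memory blob."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGO_BY_LENGTH.values()}


def digests_of_file(path, chunk=1 << 20):
    """Compute all three digests in a single pass over the file."""
    hashers = {algo: hashlib.new(algo) for algo in ALGO_BY_LENGTH.values()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_digests(digests, index):
    """Return the (algo, digest) pairs that appear in the indicator index."""
    return [(a, d) for a, d in digests.items() if d in index[a]]


def sweep_tree(root, index):
    """Walk a directory tree and report every file whose digest is an indicator."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                hits += [(path, a, d) for a, d in match_digests(digests_of_file(path), index)]
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return hits


def hosts_in_line(line):
    """Hostnames found in a whitespace-separated log line (URLs or host:port tokens)."""
    return {m.group(1).lower() for m in map(HOST_RE.match, line.split()) if m}


def scan_log_lines(lines, urls):
    """Flag lines that reach an indicator host, one of its subdomains, or an exact URL."""
    domains = {urlparse(u).hostname for u in urls} - SHARED_HOSTS
    exact_urls = [u for u in urls if urlparse(u).hostname in SHARED_HOSTS]
    hits = []
    for num, line in enumerate(lines, 1):
        hit = next((h for h in sorted(hosts_in_line(line))
                    if any(h == d or h.endswith("." + d) for d in domains)), None)
        if hit is None and any(u in line for u in exact_urls):
            hit = "exact-url"
        if hit:
            hits.append((num, hit))
    return hits


if __name__ == "__main__":
    index = build_hash_index(IOC_HASHES)
    for path, algo, digest in sweep_tree(sys.argv[1] if len(sys.argv) > 1 else ".", index):
        print(f"HASH HIT {algo} {digest} {path}")
    for num, what in scan_log_lines(SAMPLE_LOG, IOC_URLS):
        print(f"LOG HIT line {num}: {what}")
```

Run it with the directory to sweep as the first argument (for example the 3CX Desktop install directory); without an argument it sweeps the current directory. Hashing all three algorithms in one read matters on large trees, and length-based classification means a mixed list like the one above can be pasted in without sorting it by type first.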