Heimdal
article featured image

Contents:

Sensitive 3CX data was exposed when a third-party vendor of the well-known Voice over Internet Protocol (VoIP) communications service 3CX left an open server. Even though the corporation had lately been the target of North Korean hackers, the problem slipped the company’s radar.

The Cybernews research team recently discovered open Elasticsearch (distributed search and analytics engine) and Kibana (data visualization and exploration tool) instances belonging to a third-party vendor of 3CX.

The finding suggests that the way 3CX deals with cyberattacks is insufficient since exposed instances were not detected. Meanwhile, skilled attackers could use the data to get back into 3CX networks.

Cybernews Researchers (Source)

What 3CX Data Was Exposed as a Result?

Attackers might have utilized the information from the exposed instances to snoop on 3CX clients or set up more extensive, sophisticated attacks. The disclosed open instances were:

  • License keys;
  • Call metadata, including time, state, duration, phone number, and email;
  • Encoded database strings.

Attackers can use call metadata to create a detailed portrait of the behavior of the callers, inferring who phoned whom and for how long. They might be able to draw conclusions about what was discussed during the calls with further details.

Researchers also claim that call metadata can reveal internal company information or even the health of an organization.

A separate set of issues arises when software licensing keys are made public. Attackers can utilize exposed keys to use 3CX software without paying for it because they guarantee that the software is purchased legally.

In some situations, enabling software enables user-device data synchronization. Attackers might then gain access to user data by simply installing the program and utilizing a valid license key.

However, exposing database connection strings poses the biggest danger. Connection strings serve as a set of directions for a program to find the database. They often instruct the software on how to access the database, its type, and where it is located.

Exposed database connection strings can be exploited in several ways. For example, attackers could use the leaked data to connect to the resource without permission and proceed to read, copy, modify, or delete data stored within that resource,

Cybernews Researchers (Source)

The Safety Measures of 3CX

3CX has been the victim of a cascading supply chain attack in recent months. Cybersecurity researchers concluded that attackers first distributed malware via software from Trading Technologies, which when affected 3CX software.

Even if the company had to evaluate its security posture due to the recent incident it had, the exposed Kibana and Elasticsearch instances went under the radar. Reportedly, the exposed data was accessible since March 30th, 2022, months before the supply chain attack occurred.

3CX published a seven-step security action plan after dealing with the cascading supply chain attack that outlined critical steps to take in order to prevent similar leaks, such as the need to strengthen network security, conduct pen tests, and establish a new department for network operations and security.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Author Profile

Cristian Neagu

CONTENT EDITOR

linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE