
31 Mar, 2023

Several security companies have raised concerns about an ongoing supply chain attack that employs a modified version of 3CX's popular voice and video calling software client to target customers further down the supply chain.

3CX is a software-based phone system used by over 600,000 organizations worldwide, including major companies like American Express, BMW, McDonald's, and the UK's National Health Service. The company claims to have more than 12 million daily users globally. However, cybersecurity researchers from CrowdStrike, Sophos, and SentinelOne have recently discovered a SolarWinds-style attack, named "Smooth Operator" by SentinelOne, that involves the use of trojanized 3CXDesktopApp installers to install infostealer malware inside corporate networks.

The malware is capable of stealing data and stored credentials from user profiles in Google Chrome, Microsoft Edge, Brave, and Firefox. According to CrowdStrike, other malicious activities include beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, "hands-on-keyboard activity". The Windows and macOS versions of the compromised VoIP app are affected, while the Linux, iOS, and Android versions are currently unaffected.

The security researchers observed the first indications of malicious activity on March 22 and discovered that some organizations were attempting to install a trojanized version of the 3CX desktop app that had been signed with a valid digital certificate. Apple security expert Patrick Wardle confirmed that the malicious build had also been notarized by Apple, meaning Apple had scanned it for malware and found none. The 3CX CISO, Pierre Jourdan, confirmed that the company is aware of the "security issue" affecting its Windows and MacBook applications, which appears to be a "targeted attack from an Advanced Persistent Threat, perhaps even state-sponsored" hacker. CrowdStrike suspects that the North Korean threat actor Labyrinth Chollima, a subgroup of the notorious Lazarus Group, is responsible for the supply-chain attack.

As a temporary measure, 3CX is advising its customers to uninstall and reinstall the app, or alternatively to use its PWA client. "In the meantime, we apologize profusely for what occurred, and we will do everything in our power to make up for this error," Jourdan said. However, the extent of the damage caused by the 3CX supply-chain attack remains unknown. Shodan.io, a site that maps internet-connected devices, shows more than 240,000 publicly exposed 3CX phone management systems at the time of writing.