Cyber Criminals compromise 3CX desktop app in a supply chain attack

3CX

A compromised and digitally signed version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is allegedly being exploited in an ongoing supply chain attack against the company's customers.

3CX is a major VoIP IPBX software development company with a vast customer base, including high-profile clients from various industries. This wide reach makes it an attractive target for threat actors seeking to compromise a large number of organizations.

The 3CX Phone System is utilized by over 600,000 companies globally, with more than 12 million daily users. High-profile clients include American Express, Coca-Cola, McDonald's, BMW, Honda, AirFrance, NHS, Toyota, Mercedes-Benz, IKEA, and Holiday Inn.

Security researchers from Critical Path Security, Sophos and CrowdStrike have issued alerts, stating that the attackers are targeting both Windows and macOS users of the compromised 3CX softphone application.

Security researchers have raised concerns about attackers targeting both Windows and macOS users of the compromised 3CX softphone application. The malicious activity observed includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and in a few instances, hands-on-keyboard activity. The most common post-exploitation activity observed is the spawning of an interactive command shell.

While CrowdStrike believes the North Korean state-backed hacking group they track as Labyrinth Chollima is responsible for this attack, Sophos' researchers have stated they "cannot verify this attribution with high confidence."

Labyrinth Chollima's activities are known to overlap with other threat actors such as Lazarus Group (tracked by Kaspersky), Covellite (Dragos), UNC4034 (Mandiant), Zinc (Microsoft), and Nickel Academy (Secureworks).

On Thursday morning, 3CX CEO Nick Galea confirmed in a forum post that the 3CX Desktop application had been compromised and contained malware. Consequently, Galea advised all customers to uninstall the desktop app and transition to the PWA client as an alternative.

Galea wrote in the 3CX forums, "As many of you have noticed, the 3CX DesktopApp contains malware. It affects the Windows Electron client for customers running update 7. We received a report on this issue last night, and we are currently working on an update for the DesktopApp, which we will release in the coming hours."

He continued, "The best approach is to uninstall the app (if you are using Windows Defender, it will do this automatically for you, unfortunately) and then reinstall it."

Galea also mentioned that a comprehensive report would be issued later in the day, and for now, the focus was on releasing the update.

In a separate forum post, Galea revealed that the desktop app had been compromised after an upstream library utilized by the application became infected. However, 3CX has not yet disclosed which library was involved or whether this led to the compromise of their developer environment.

Critical Path Security has issued updates to the threat intelligence feeds containing the artifacts associated with this attack. Those can be downloaded at the following address:

https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds