Several security companies have sounded the alarm about an active supply chain attack that uses a trojanized version of 3CX's popular voice and video calling client to target the company's downstream customers.
3CX is the developer of a software-based telephone system used by more than 600,000 organizations worldwide, including American Express, BMW, McDonald’s and the UK National Health Service. The company claims to have more than 12 million daily users around the world.
Researchers from cybersecurity firms CrowdStrike, Sophos and SentinelOne published blog posts on Wednesday describing a SolarWinds-style attack, dubbed “Smooth Operator” by SentinelOne, in which trojanized 3CXDesktopApp installers deliver information-stealing malware into corporate networks.
The malware collects system information and steals data and stored credentials from Google Chrome, Microsoft Edge, Brave and Firefox user profiles. Other observed malicious activity includes beaconing to actor-controlled infrastructure, the deployment of secondary payloads and, in a small number of cases, “hands-on-keyboard activity,” according to CrowdStrike.
Security researchers report that the attackers have trojanized both the Windows and macOS versions of the VoIP app. So far the Linux, iOS and Android versions do not appear to be affected.
SentinelOne researchers said they first saw indications of malicious activity on March 22 and immediately investigated the anomalies, leading to the discovery that some organizations had attempted to install a trojanized version of the 3CX desktop app signed with a valid digital certificate. Apple security researcher Patrick Wardle also found that Apple had notarized the macOS build of the malware, meaning the company had scanned it for malicious content and found none. Neither a valid code signature nor notarization shows that a binary is benign: they show that the file passed through the vendor's signing key and Apple's automated scan, which is exactly what a trojanized official build does.
3CX CISO Pierre Jourdan said on Thursday that the company is aware of a “security issue” affecting its Windows and macOS applications.
Jourdan noted that this appears to have been a “targeted attack by an Advanced Persistent Threat, perhaps even state-sponsored” actor. CrowdStrike attributes the supply chain attack to the North Korean threat actor Labyrinth Chollima, a subgroup of the Lazarus Group.
As a workaround, 3CX is urging customers to uninstall the app and reinstall it, or to use the PWA client instead. “In the meantime, we apologize for what happened and we will do everything we can to make up for this mistake,” said Jourdan.
There are many things we don't yet know about the 3CX supply chain attack, including how many organizations may have been compromised. According to Shodan.io, a site that maps internet-connected devices, more than 240,000 3CX phone management systems are currently exposed to the public internet.