3CX admits supply chain attack


Trojanised version of the 3CX desktop VoIP app observed communicating with C2 servers

Communications app maker 3CX on Thursday acknowledged that its Windows VoIP app "includes a security issue" and has been the subject of a software supply chain attack, amid reports from cybersecurity researchers about an active campaign using the app to target 3CX customers.

"This appears to have been a targeted attack from an advanced persistent threat, perhaps even state sponsored, that ran a complex supply chain attack" using the Windows version of the app, 3CX chief information security officer Pierre Jourdan wrote in a post Thursday.

"We apologise profusely for what occurred and we will do everything in our power to make up for this error," he wrote.

On Wednesday, researchers from CrowdStrike, Sophos and SentinelOne published blog posts reporting malicious activity originating from a trojanised version of the 3CX desktop VoIP app, indicating that the app itself had been compromised.

The trojanised binaries were signed with a code-signing certificate, which lent them legitimacy and let them pass checks that rely on signature validity alone, according to researchers. A valid signature attests only that the signing key was used; it says nothing about whether the build that was signed was clean.
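Because the signature on a tampered build can be perfectly valid, signature status is not enough on its own; the practical check is to record the signer and the file hash for every binary in the install directory and compare the hashes against a known-good list from the vendor. The PowerShell below is an added illustration, not code from the article, 3CX or any of the researchers quoted; the install path is an assumption, and the allow-list is left for the reader to fill from the vendor's published hashes.

```powershell
# Added example: inventory signed binaries under an assumed install path and
# compare their SHA-256 hashes against a caller-supplied allow-list.
param(
    [string]$InstallDir = "$env:LOCALAPPDATA\Programs\3CXDesktopApp",  # assumed path
    [string[]]$KnownGoodSha256 = @()   # fill from the vendor's published hashes
)

Get-ChildItem -Path $InstallDir -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        File       = $_.FullName
        SigStatus  = $sig.Status                      # Valid = chain checks out, nothing more
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Sha256     = $hash
        # A valid signature does not prove a clean build: a hash missing from the
        # vendor's known-good list is what should trigger investigation.
        HashKnown  = $KnownGoodSha256 -contains $hash
    }
} | Sort-Object HashKnown, SigStatus | Format-Table -AutoSize
```

Run it as a script so the parameters can be supplied; rows with SigStatus Valid but HashKnown False are the ones to pull for analysis, and an unexpected Signer or Thumbprint on any row is a separate finding in its own right.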

Notable past software supply chain compromises have included the widely felt attacks on SolarWinds, Kaseya and Codecov.

3CX reports on its website that it has more than 600,000 customers, with sales exclusively through its network of 25,000 partners. Major customers listed by 3CX include American Express, McDonald's, Coca-Cola, NHS, Toyota, BMW and Honda.

In the 3CX post, Jourdan wrote that the problem appears to be in one of the bundled libraries that it compiled into its Windows app via the open-source version control system Git. The company is still researching the issue, he said.

The "majority" of domains that were contacted by the compromised library have been taken down at this point, and a GitHub repository that listed the libraries has been shut down as well, according to Jourdan.

According to Sophos researchers, the affected 3CX application "has been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers."

Sophos said it has only confirmed that Windows is affected, while CrowdStrike researchers wrote that malicious activity has been detected on macOS as well as Windows.

"The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," the CrowdStrike researchers wrote.

SentinelOne researchers, who dubbed the campaign "SmoothOperator," disclosed that they observed a "spike in behavioural detections of the 3CXDesktopApp" starting on March 22.

"The trojanised 3CXDesktopApp is the first stage in a multi-stage attack chain," the researchers wrote in the SentinelOne post.

This article first appeared in CRN.
