3CX admits supply chain attack

clock • 2 min read
3CX admits supply chain attack

Trojanised version of the 3CX desktop VoIP app observed communicating with C2 servers

Communications app maker 3CX on Thursday acknowledged that its Windows VoIP app "includes a security issue" and has been the subject of a software supply chain attack, amid reports from cybersecurity researchers about an active campaign using the app to target 3CX customers.

"This appears to have been a targeted attack from an advanced persistent threat, perhaps even state sponsored, that ran a complex supply chain attack" using the Windows version of the app, 3CX chief information security officer Pierre Jourdan wrote in a post Thursday.

"We apologise profusely for what occurred and we will do everything in our power to make up for this error," he wrote.

On Wednesday, researchers from CrowdStrike, Sophos and SentinelOne published blog posts detailing their findings on an attack that appears to have compromised the 3CX desktop app, disclosing that they've observed malicious activity originating from a trojanised version of the desktop VoIP app from 3CX.

The attack has involved utilising a code-signing certificate to provide the software's trojanised binaries with legitimacy, according to researchers.

Notable past software supply chain compromises have included the widely felt attacks on SolarWinds, Kaseya and Codecov.

3CX reports on its website that it has more than 600,000 customers, with sales exclusively through its network of 25,000 partners. Major customers listed by 3CX include American Express, McDonald's, Coca-Cola, NHS, Toyota, BMW and Honda.

In the 3CX post, Jourdan wrote that the problem appears to be in one of the bundled libraries that it compiled into its Windows app via the open-source version control system Git. The company is still researching the issue, he said.

The "majority" of domains that were contacted by the compromised library have been taken down at this point, and a GitHub repository that listed the libraries has been shut down as well, according to Jourdan.

According to Sophos researchers, the affected 3CX application "has been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers."

Sophos said it has only confirmed that Windows is affected, while CrowdStrike researchers wrote that malicious activity has been detected on macOS as well as Windows.

"The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," the CrowdStrike researchers wrote.

SentinelOne researchers, which dubbed the campaign "SmoothOperator," disclosed that they observed a "spike in behavioural detections of the 3CXDesktopApp" starting on March 22.

"The trojanised 3CXDesktopApp is the first stage in a multi-stage attack chain," the researchers wrote in the SentinelOne post.

This article first appeared in CRN.

You may also like
Bank of America admits data breach after supply chain hack


Customer info exposed

clock 13 February 2024 • 2 min read
Downtime for defenders means party time for attackers


Adversaries do not keep to a typical working schedule

clock 30 November 2023 • 1 min read
UK and South Korea unite against surging North Korean-linked threats


Advisory emphasises ‘critical concern’

clock 24 November 2023 • 1 min read
Most read

Sign up to our newsletter

The best news, stories, features and photos from the day in one perfectly formed email.

More on Threats and Risks

Hackers launch brute-force attacks on business VPNs and more

Hackers launch brute-force attacks on business VPNs and more

The attacks rely on trial-and-error attempts to crack login credentials

clock 18 April 2024 • 2 min read
Palo Alto Networks patches 'critical' vulnerability under active exploitation

Palo Alto Networks patches 'critical' vulnerability under active exploitation

Volexity says a ‘spike in exploitation’ is likely

Kyle Alspach
clock 16 April 2024 • 2 min read
CISA issues emergency order on Microsoft breach by Russian hackers

CISA issues emergency order on Microsoft breach by Russian hackers

Affected bodies must take immediate action, agency says

Kyle Alspach
clock 12 April 2024 • 2 min read