Multiple security firms have sounded the alarm about an active supply chain attack that’s using a trojanized version of 3CX’s widely-used voice and video-calling client to target downstream customers.
3CX is the developer of a software-based phone system used by more than 600,000 organizations worldwide, including American Express, BMW, McDonald’s and the U.K.’s National Health Service. The company claims to have more than 12 million daily users around the world.
Researchers from cybersecurity companies CrowdStrike, Sophos and SentinelOne on Wednesday published blog posts detailing a SolarWinds-style attack – dubbed “Smooth Operator” by SentinelOne – that involves the delivery of trojanized 3CXDesktopApp installers to install infostealer malware inside corporate networks.
This malware is capable of harvesting system information and stealing data and stored credentials from Google Chrome, Microsoft Edge, Brave, and Firefox user profiles. Other observed malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, “hands-on-keyboard activity,” according to CrowdStrike.
Security researchers report that attackers are targeting both the Windows and macOS versions of the compromised VoIP app. At present, it appears the Linux, iOS and Android versions are unaffected.
Researchers at SentinelOne said they first saw indications of malicious activity on March 22 and immediately investigated the anomalies, which led to the discovery that some organizations were trying to install a trojanized version of the 3CX desktop app that had been signed with a valid digital certificate. Apple security expert Patrick Wardle also found that Apple had notarized the malware, which means that the company checked it for malware and none was detected.
3CX CISO Pierre Jourdan said on Thursday that the company is aware of a “security issue” impacting its Windows and MacBook applications.
Jourdan notes that this appears to have been a “targeted attack from an Advanced Persistent Threat, perhaps even state-sponsored” hacker. CrowdStrike suggests that North Korean threat actor Labyrinth Chollima, a subgroup of the notorious Lazarus Group, is behind the supply-chain attack.
As a workaround, 3CX company is urging its customers to uninstall the app and install it again, or alternatively use its PWA client. “In the meantime we apologize profusely for what occurred and we will do everything in our power to make up for this error,” Jourdan said.
There are a lot of things we don’t yet know about the 3CX supply-chain attack, including how many organizations have potentially been compromised. According to Shodan.io, a site that maps internet-connected devices, there are currently more than 240,000 publicly exposed 3CX phone management systems.