Multiple security firms have raised the alarm about an active supply chain attack that is targeting downstream customers with a trojanized version of 3CX’s widely used voice and video-calling client.
3CX created a software-based phone system that is used by over 600,000 organizations worldwide, including American Express, BMW, McDonald’s, and the United Kingdom’s National Health Service. The company claims to have over 12 million daily users worldwide.
CrowdStrike, Sophos, and SentinelOne researchers published blog posts on Wednesday detailing a SolarWinds-style attack dubbed “Smooth Operator” by SentinelOne that involves the delivery of trojanized 3CXDesktopApp installers to install infostealer malware inside corporate networks.
This malware is capable of stealing data and stored credentials from Google Chrome, Microsoft Edge, Brave, and Firefox user profiles. Other malicious activity observed by CrowdStrike includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a few cases, “hands-on-keyboard activity.”
According to security researchers, attackers are targeting both the Windows and macOS versions of the compromised VoIP app. For the time being, it appears that the Linux, iOS, and Android versions are unaffected.
SentinelOne researchers stated that they first noticed suspicious activity on March 22 and immediately investigated the anomalies, which led to the discovery that some organizations were attempting to install a trojanized version of the 3CX desktop app that had been signed with a valid digital certificate. Patrick Wardle, an Apple security expert, discovered that Apple had notarized the malware, which means that the company checked it for malware and found none.
According to Pierre Jourdan, the CISO of 3CX, the company is aware of a “security issue” affecting its Windows and MacBook applications.
Jourdan notes that this appears to have been a “targeted attack from an Advanced Persistent Threat, perhaps even state-sponsored.” CrowdStrike suggests that North Korean threat actor Labyrinth Chollima, a subgroup of the notorious Lazarus Group, is behind the supply-chain attack.
As a workaround, 3CX is urging its customers to uninstall the app and install it again, or alternatively to use its PWA client. “In the meantime we apologize profusely for what occurred and we will do everything in our power to make up for this error,” Jourdan said.
There are many unknowns about the 3CX supply-chain attack, including how many organizations may have been compromised. There are currently over 240,000 publicly exposed 3CX phone management systems, according to Shodan.io, a site that maps internet-connected devices.