Two security firms have found what they believe to be a supply chain attack on communications software maker 3CX – and the vendor’s boss is advising users to switch to the progressive web app until the 3CX desktop client is updated.
3CX started as a vendor of PBX software and evolved to offer voice, video, and collaborationware. The biz claims more than 12 million daily users and says it is or has been used by more than 600,000 organizations across a broad variety of industries, listing customers including Mercedes Benz, McDonald's, BMW, Holiday Inn, the NHS in the UK, American Express, Coca-Cola, Air France and MIT.
It still sells VoIP systems, and it's exactly those that appear to have fallen victim to a supply chain attack.
3CX CEO Nick Galea confirmed the attack and added some details and recommendations for customers. "As many of you have noticed the 3CX DesktopApp has malware in it. It affects the Windows Electron client for customers running update 7. It was reported to us yesterday night and we are working on an update to the DesktopApp which we will release in the coming hours," said Galea.
"We strongly recommend using our PWA client instead. It really does 99 percent of the client app and is fully web based and this type of thing can never happen. The only thing you don't have is hotkeys and BLF. But in light of what happened yesterday we are going to address BLF immediately and hotkeys if we can," said Galea, adding: "So please use PWA for the moment until we release a new build. And consider using PWA instead of Electron."
SentinelOne said it first saw unusual activity last week; its behavioral detections prevented the trojanized installers from running and quarantined them.
"The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub and ultimately leads to a 3rd stage infostealer DLL still being analyzed as of the time of writing," said SentinelOne.
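The ICO trick SentinelOne describes is easy to check for, because an ICO file's directory declares the size and offset of every image it contains, so the end of the legitimate data is computable and anything past it is a trailer. The following is an added example, not SentinelOne's, 3CX's or the attackers' code: it builds a constructed one-pixel icon, appends a base64 trailer, and then carves and decodes whatever sits beyond the last declared image. The `SAMPLE_SECRET` placeholder URL is constructed for the demo and is not an indicator from this campaign; the page does not say what the real trailers decoded to, so treat the decoded bytes as something to analyze further rather than as the final payload.

```python
"""Carve data appended after the image payloads of an ICO file (added example)."""
import base64
import binascii
import struct
from typing import Optional, Tuple

ICONDIR = struct.Struct("<HHH")            # reserved, type (1 = icon), image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # width, height, colors, reserved, planes, bpp, size, offset

# Constructed placeholder for the demo only; not a real indicator from the 3CX campaign.
SAMPLE_SECRET = b"https://example.invalid/stage3"


def ico_legitimate_end(data: bytes) -> int:
    """Return the offset just past the last byte any directory entry claims."""
    if len(data) < ICONDIR.size:
        raise ValueError("too short to be an ICO file")
    reserved, itype, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or itype != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICONDIR.size + count * ICONDIRENTRY.size
    for i in range(count):
        entry_off = ICONDIR.size + i * ICONDIRENTRY.size
        *_, size, offset = ICONDIRENTRY.unpack_from(data, entry_off)
        if offset + size > len(data):
            raise ValueError(f"entry {i} points past end of file")
        end = max(end, offset + size)
    return end


def decode_trailer(trailer: bytes) -> Optional[bytes]:
    """Base64-decode the trailer if it is valid base64, else return None."""
    stripped = trailer.strip()
    if not stripped:
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def analyse(data: bytes) -> Tuple[int, bytes, Optional[bytes]]:
    """Return (end of legitimate data, raw trailer, decoded trailer or None)."""
    end = ico_legitimate_end(data)
    trailer = data[end:]
    return end, trailer, decode_trailer(trailer)


def build_sample_ico(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 32-bit icon (BITMAPINFOHEADER + pixel + AND mask) plus optional trailer."""
    bih = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0)  # height doubled for XOR+AND
    pixels = b"\x00\x00\x00\xff" + b"\x00\x00\x00\x00"  # one BGRA pixel, then a padded AND-mask row
    image = bih + pixels
    header = ICONDIR.pack(0, 1, 1)
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, len(image), ICONDIR.size + ICONDIRENTRY.size)
    return header + entry + image + trailer


def sample_trojanized_ico() -> bytes:
    """A constructed icon with SAMPLE_SECRET appended as base64, mimicking the described technique."""
    return build_sample_ico(base64.b64encode(SAMPLE_SECRET))


if __name__ == "__main__":
    for label, ico in (("clean", build_sample_ico()), ("trailer", sample_trojanized_ico())):
        end, trailer, decoded = analyse(ico)
        print(f"{label}: {len(ico)} bytes, legitimate data ends at {end}, "
              f"trailer {len(trailer)} bytes, decoded={decoded!r}")
```

Run against icons pulled from a suspect repository or from a host's cache, any file whose trailer is non-empty deserves a look; the odd legitimate icon does carry a few stray bytes, so the base64 validity check is what separates noise from a smuggled blob.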
The Mountain View cybersecurity biz said the DLL appears to “interface with browser data in an attempt to enable future operations as the attackers sift through the mass of infected downstream customers.”
The malware gathers information from Chrome, Edge, Brave and Firefox, including browser history: data from the Places table in Firefox and the History tables in Chrome.
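For scoping what such a stealer could have read from an affected host, it helps to see exactly which tables and columns are involved. This is an added example, not the malware's or SentinelOne's code: it reads the `urls` table of a Chromium `History` database (the same schema Chrome, Edge and Brave use) and the `moz_places` table of Firefox's `places.sqlite`, normalising the two timestamp formats, which are the usual stumbling block. The databases here are constructed in memory with the real column names and constructed rows; on a live host copy the files first, since the browser holds them locked.

```python
"""Read Chromium and Firefox browsing history from their SQLite stores (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chromium: microseconds since 1601
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)    # Firefox: microseconds since 1970

Row = Tuple[str, str, int, str]  # url, title, visit_count, last visit as ISO-8601 UTC


def _micros(delta: timedelta) -> int:
    # Integer arithmetic: float total_seconds() loses precision at 1601-based magnitudes.
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def chromium_time(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def to_chromium_time(dt: datetime) -> int:
    return _micros(dt - WEBKIT_EPOCH)


def firefox_time(us: int) -> datetime:
    return UNIX_EPOCH + timedelta(microseconds=us)


def to_firefox_time(dt: datetime) -> int:
    return _micros(dt - UNIX_EPOCH)


def read_chromium_history(conn: sqlite3.Connection) -> List[Row]:
    """Chromium 'History' db, table 'urls': url, title, visit_count, last_visit_time."""
    rows = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time DESC"
    )
    return [(u, t, c, chromium_time(ts).isoformat()) for u, t, c, ts in rows]


def read_firefox_history(conn: sqlite3.Connection) -> List[Row]:
    """Firefox 'places.sqlite', table 'moz_places': url, title, visit_count, last_visit_date.
    Places that were never visited (bookmark-only entries) have a NULL date and are skipped."""
    rows = conn.execute(
        "SELECT url, title, visit_count, last_visit_date FROM moz_places "
        "WHERE last_visit_date IS NOT NULL ORDER BY last_visit_date DESC"
    )
    return [(u, t, c, firefox_time(ts).isoformat()) for u, t, c, ts in rows]


def build_sample_chromium_db() -> sqlite3.Connection:
    """Constructed stand-in for a Chrome/Edge/Brave History file (relevant columns only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_time INTEGER)")
    noon = to_chromium_time(datetime(2023, 3, 29, 12, 0, tzinfo=timezone.utc))
    conn.execute("INSERT INTO urls VALUES (1, 'https://intranet.example/login', 'Sign in', 3, ?)", (noon,))
    conn.execute("INSERT INTO urls VALUES (2, 'https://mail.example/inbox', 'Inbox', 12, ?)",
                 (noon - 3_600_000_000,))  # one hour earlier
    return conn


def build_sample_firefox_db() -> sqlite3.Connection:
    """Constructed stand-in for a Firefox places.sqlite (relevant columns only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_date INTEGER)")
    visit = to_firefox_time(datetime(2023, 3, 28, 9, 30, tzinfo=timezone.utc))
    conn.execute("INSERT INTO moz_places VALUES (1, 'https://vpn.example/', 'VPN portal', 5, ?)", (visit,))
    conn.execute("INSERT INTO moz_places VALUES (2, 'https://bookmark.example/', 'Saved', 0, NULL)")
    return conn


if __name__ == "__main__":
    for name, rows in (("chromium", read_chromium_history(build_sample_chromium_db())),
                       ("firefox", read_firefox_history(build_sample_firefox_db()))):
        for url, title, count, when in rows:
            print(f"{name}: {when} {count:>3}x {url} ({title})")
```

Point the two reader functions at copies of the real files (`History` under the Chromium profile directory, `places.sqlite` under the Firefox profile) to list what was exposed; the visit timestamps are what let you correlate that exposure with the beaconing window reported for the compromised client.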
The biz also issued a takedown request for the GitHub repository.
CrowdStrike spotted similar activity on both Windows and macOS when it observed "unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp."
“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” summarized the Austin-based security outfit.
CrowdStrike said it suspects the attack is the work of North Korea's Labyrinth Chollima, a subset of Lazarus. The group primarily conducts espionage operations aimed at the US and South Korean militaries.
On the company's forums, customers reported suspicious activity, posted long lists of affected files and directories, and shared shell scripts to start the cleanup.
Supply chain attacks have been a growing threat since 2020's SolarWinds incident. The 3CX attack is the most prominent since SolarWinds and the Kaseya crisis that followed.
“This problem is not going away — it’s just going to get bigger,” Mandiant’s Eric Scales told The Reg earlier this month of supply chain attacks. ®