3CX DesktopApp compromised by supply chain attack

3CX is working on a software update for its 3CX DesktopApp after multiple security researchers alerted the company to an active supply chain attack in it. The update will be released in the next few hours; meanwhile the company urges customers to use its PWA (progressive web application) client instead.

“As many of you have noticed the 3CX DesktopApp has a malware in it. It affects the Windows Electron client for customers running update 7,” Nick Galea, CEO at 3CX, said in a security alert on Thursday. As an immediate response, the company advised users to uninstall and reinstall the app.


3CX is a Voice over Internet Protocol (VoIP) IPBX software development company. The 3CX DesktopApp allows users to make calls, chat, video conference, and check voicemail from their desktop. The company has over 600,000 customers and 12 million users in 190 countries. American Express, BMW, Honda, Ikea, Pepsi, and Toyota are some of its customers.

Security researchers at Sophos, CrowdStrike, and SentinelOne alerted the company on Wednesday about the ongoing attack.

Supply chain attacked

Researchers observed malicious activity originating from a trojanized version of the 3CX DesktopApp. “The software is a digitally signed version of the softphone desktop client for Windows and is packaged with a malicious payload,” Sophos said in its blog post.

The application has been abused by the threat actor to add an installer that communicates with various command-and-control servers, Sophos said.

The threat actor registered a massive attack infrastructure in February 2022, according to SentinelOne, which is tracking the attack under the name SmoothOperator, adding, “but we don’t yet see obvious connections to existing threat clusters.”

Researchers said it is a multi-stage attack chain whose first stage uses the DLL side-loading technique to load a malicious DLL designed to retrieve an icon (ICO) file payload.

“The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub and ultimately leads to a 3rd stage infostealer DLL still being analyzed as of the time of writing,” SentinelOne said.
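The ICO-with-appended-base64 stage described above is easy to check for on the defender's side, because the ICO container declares exactly how many bytes its images occupy: anything past the last declared image is data the icon format does not account for. The following is an added example written for this article, not code from 3CX, SentinelOne, Sophos or CrowdStrike, and it knows nothing about the real files used in the attack. It relies only on the public ICO layout (a 6-byte ICONDIR followed by 16-byte ICONDIRENTRY records, each giving an image size and offset); the sample icon and the appended blob are constructed inline so the script runs offline, and a real triage tool would also want to compare the file against the icon the legitimate repository actually serves.

```python
import base64
import re
import struct

# Public ICO container layout (little-endian):
#   ICONDIR      : reserved u16 (must be 0), type u16 (1 = icon), count u16
#   ICONDIRENTRY : width u8, height u8, colours u8, reserved u8,
#                  planes u16, bitcount u16, bytes_in_res u32, image_offset u32
ICONDIR_FMT = "<HHH"
ICONDIRENTRY_FMT = "<BBBBHHII"
ICONDIR_SIZE = 6
ICONDIRENTRY_SIZE = 16
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")


def declared_end(ico: bytes) -> int:
    """Offset just past the last image that the ICO directory accounts for."""
    if len(ico) < ICONDIR_SIZE:
        raise ValueError("too short to be an ICO file")
    reserved, kind, count = struct.unpack_from(ICONDIR_FMT, ico, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO directory")
    end = ICONDIR_SIZE + ICONDIRENTRY_SIZE * count
    for i in range(count):
        entry = struct.unpack_from(ICONDIRENTRY_FMT, ico, ICONDIR_SIZE + ICONDIRENTRY_SIZE * i)
        size, offset = entry[6], entry[7]
        if offset + size > len(ico):
            raise ValueError(f"directory entry {i} points past end of file")
        end = max(end, offset + size)
    return end


def trailing_data(ico: bytes) -> bytes:
    """Bytes after the last declared image; empty for a well-formed, untouched icon."""
    return ico[declared_end(ico):]


def looks_like_base64(blob: bytes) -> bool:
    """Heuristic: trailing bytes that are a non-trivial, valid base64 string."""
    compact = b"".join(blob.split())  # tolerate line-wrapped base64
    if len(compact) < 16 or not BASE64_RE.match(compact):
        return False
    try:
        base64.b64decode(compact, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def scan_icon(ico: bytes) -> dict:
    """Summarise whether the file carries data the ICO directory does not account for."""
    extra = trailing_data(ico)
    return {
        "declared_end": declared_end(ico),
        "file_size": len(ico),
        "trailing_bytes": len(extra),
        "trailing_looks_base64": looks_like_base64(extra),
    }


def build_sample_icon() -> bytes:
    """Constructed 1x1 32-bpp icon used as sample input (not a real 3CX artifact)."""
    # BITMAPINFOHEADER with height doubled, as ICO requires, to cover the AND mask
    bmp_header = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0)
    xor_pixel = b"\x00\x00\xff\x00"  # one BGRA pixel (red)
    and_mask = b"\x00\x00\x00\x00"   # one mask bit, padded to a 4-byte row
    image = bmp_header + xor_pixel + and_mask
    directory = struct.pack(ICONDIR_FMT, 0, 1, 1)
    entry = struct.pack(ICONDIRENTRY_FMT, 1, 1, 0, 0, 1, 32, len(image),
                        ICONDIR_SIZE + ICONDIRENTRY_SIZE)
    return directory + entry + image


def build_tainted_sample() -> bytes:
    """The same constructed icon with a harmless base64 blob appended (placeholder, not malware)."""
    placeholder = b"constructed payload placeholder, not real malware"
    return build_sample_icon() + base64.b64encode(placeholder)


if __name__ == "__main__":
    for name, blob in (("clean", build_sample_icon()), ("appended", build_tainted_sample())):
        print(name, scan_icon(blob))
```

The check is deliberately structural rather than signature-based: a viewer will render the appended file exactly like the original, so a visual comparison proves nothing, while the directory arithmetic flags any trailing bytes regardless of what they encode.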

Similarly, CrowdStrike found that the malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.

Sophos notes that the DLL side-loading is designed in such a way that users will not notice any difference while using the application.

The information stealer can gather system information and sensitive data stored in the Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers.

“PBX software makes an attractive supply chain target for actors; in addition to monitoring an organization’s communications, actors can modify call routing or broker connections into voice services from the outside,” SentinelOne said.

Windows version infected

While versions of the application run on Windows, Linux, Android, and macOS, the company and security researchers at SentinelOne and Sophos agree that only the Windows version has been infected. CrowdStrike, on the other hand, claims that the macOS version has also been infected.

CrowdStrike also attributes the attack to the nation-state threat actor Labyrinth Chollima. Labyrinth Chollima is a prolific North Korean threat actor known to be a subset of the Lazarus group.
