Multiple security companies are sounding the alarm about an active supply chain attack that uses a trojanized version of 3CX, a widely used audio and video call client, to target downstream customers.
3CX is the developer of software-based phone systems used by over 600,000 organizations worldwide, including American Express, BMW, McDonald’s and the UK’s National Health Service. The company claims to have over 12 million daily users worldwide.
Researchers at cybersecurity firms CrowdStrike, Sophos, and SentinelOne on Wednesday reported a SolarWinds-style attack (SentinelOne has published a blog post detailing what it calls “Smooth Operator”).
This malware can collect system information and steal data and stored credentials from Google Chrome, Microsoft Edge, Brave, and Firefox user profiles. According to CrowdStrike, other observed malicious activity includes beaconing to actor-controlled infrastructure, deploying second-stage payloads, and in a few cases, “hands-on-keyboard activity.”
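The beaconing CrowdStrike describes is one of the few behaviours in this report a defender can hunt for without vendor indicators: a scheduled check-in produces connections at nearly constant intervals, while human-driven traffic does not. The script below is an added illustration, not code from 3CX or any of the vendors quoted here; the proxy log lines, host name, and the `c2.example.invalid` destination are constructed placeholders, and the jitter threshold is an assumption you would tune against your own traffic.

```python
"""Flag periodic check-ins in constructed proxy log lines.

Added example for the article above; not 3CX's code and not a vendor indicator.
All hosts, destinations and timestamps below are invented.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
# "<ISO timestamp> <source host> <destination>"
SAMPLE_LOG = """\
2023-03-22T10:00:00 ws-17 c2.example.invalid
2023-03-22T10:00:31 ws-17 cdn.example.net
2023-03-22T10:01:00 ws-17 c2.example.invalid
2023-03-22T10:02:00 ws-17 c2.example.invalid
2023-03-22T10:02:45 ws-17 cdn.example.net
2023-03-22T10:03:00 ws-17 c2.example.invalid
2023-03-22T10:04:00 ws-17 c2.example.invalid
2023-03-22T10:05:00 ws-17 c2.example.invalid
2023-03-22T10:05:10 ws-17 cdn.example.net
2023-03-22T10:06:00 ws-17 c2.example.invalid
2023-03-22T10:09:30 ws-17 cdn.example.net
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return (src, dst, interval_seconds) for pairs whose gaps between
    connections are nearly constant.

    Regularity is measured as the coefficient of variation of the gaps
    (standard deviation divided by the mean); at or below max_jitter the
    pair is treated as a timer-driven check-in.  Pairs with fewer than
    min_connections events are skipped because too few gaps make the
    statistic meaningless.  Both thresholds are assumptions to tune.
    """
    results = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            results.append((src, dst, round(avg)))
    return results


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: regular check-in every {interval}s")
```

On the constructed log, the `c2.example.invalid` destination is flagged with a 60-second interval while the irregular `cdn.example.net` traffic is not; in a real environment you would run this over egress proxy or DNS logs for hosts that had the desktop client installed and then review the flagged destinations against known software update hosts.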
Security researchers report that attackers are targeting both Windows and macOS versions of compromised VoIP apps. Linux, iOS, and Android versions do not appear to be affected at this time.
SentinelOne researchers said they first saw signs of malicious activity on March 22 and immediately investigated the anomaly. It turned out that some organizations were trying to install a trojanized version of the 3CX desktop app signed with a valid digital certificate. Apple security expert Patrick Wardle found that Apple had notarized the malware.
3CX CISO Pierre Jourdan said Thursday that the company is aware of a “security issue” affecting Windows and MacBook applications.
Jourdan said it appeared to be a “targeted attack with advanced persistent threats and possibly state-sponsored” hackers. CrowdStrike suggests that the North Korean actor Labyrinth Chollima, a subgroup of the infamous Lazarus Group, is behind the supply chain attack.
As a workaround, 3CX is urging customers to uninstall and reinstall the app, or use the PWA client instead. “In the meantime, we sincerely apologize for what happened and will do everything in our power to make up for this mistake,” Jourdan said.
There are still many unknowns about the 3CX supply chain attack, including the number of organizations that may have been compromised. More than 240,000 3CX phone management systems are currently exposed on the internet, according to Shodan.io, a site that maps internet-connected devices.