Do you use comms software from 3CX? What to do next after biz hit in supply chain attack

Miscreants hit downstream customers with infostealers

Two security firms have found what they believe to be a supply chain attack on communications software maker 3CX – and the vendor's boss is advising users to switch to the progressive web app until the 3CX desktop client is updated.

3CX started as a vendor of PBX software, and evolved to offer voice, video, and collaborationware.

It still sells VoIP systems, and it’s exactly those that appear to have fallen victim to a supply chain attack. The communications biz serves a broad variety of industries and lists customers including Mercedes-Benz, McDonald's, BMW, Holiday Inn, the NHS, American Express, Coca-Cola and Air France. The biz claims it has more than 12 million daily users, and is or has been used by more than 600,000 organizations.

3CX CEO Nick Galea today confirmed the infection, about a week after users started seeing signs of potentially suspicious activity in their 3CX desktop clients. Galea also shared some details and recommendations for customers.

“As many of you have noticed, the 3CX DesktopApp has a malware in it. It affects the Windows Electron client for customers running update 7. It was reported to us yesterday night and we are working on an update to the DesktopApp which we will release in the coming hours,” the CEO said.

“We strongly recommend using our PWA client instead. It really does 99 percent of the client app and is fully web based and this type of thing can never happen. Only thing you don't have is hotkeys and BLF. But in light of what happened yesterday we are going to address BLF immediately and hotkeys if we can,” Galea continued, adding: “So please use PWA for the moment until we release a new build. And consider using PWA instead of Electron.”

SentinelOne said it detected unusual activity last week, but behavioral detections prevented trojanized installers from running and triggered a quarantine.

“The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from Github and ultimately leads to a 3rd stage infostealer DLL still being analyzed as of the time of writing,” said SentinelOne.
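One defender-side check that chain suggests, as an added example that is not 3CX's, SentinelOne's or CrowdStrike's code: parse the ICO directory, work out where the last icon image ends, and flag any file with bytes after that point, noting whether the tail looks like base64 text. The sample ICO files are constructed inline; the 16-byte threshold for "looks like base64" is an assumption chosen to ignore tiny padding.

```python
import re
import struct

ICONDIR_SIZE = 6        # ICONDIR: reserved(2) type(2) count(2)
ICONDIRENTRY_SIZE = 16  # one ICONDIRENTRY per image
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def ico_payload_end(data: bytes) -> int:
    """Return the offset just past the last image referenced by the ICO directory.
    Raises ValueError if the header is not a plausible ICO."""
    if len(data) < ICONDIR_SIZE:
        raise ValueError("too short for an ICO header")
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or img_type != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICONDIR_SIZE + count * ICONDIRENTRY_SIZE
    for i in range(count):
        entry_off = ICONDIR_SIZE + i * ICONDIRENTRY_SIZE
        if entry_off + ICONDIRENTRY_SIZE > len(data):
            raise ValueError("truncated ICO directory")
        # bytes 8..11 of the entry: image size; 12..15: image offset
        size, offset = struct.unpack_from("<II", data, entry_off + 8)
        end = max(end, offset + size)
    return end


def check_ico(data: bytes) -> dict:
    """Report how many bytes trail the icon data and whether they look like base64."""
    trailing = data[ico_payload_end(data):]
    return {
        "trailing_bytes": len(trailing),
        # assumption: at least 16 base64-alphabet bytes before we call it suspicious
        "looks_base64": len(trailing) >= 16 and B64_RE.match(trailing) is not None,
    }


def build_ico(image: bytes, appended: bytes = b"") -> bytes:
    """Construct a minimal single-image ICO (sample input for this example)."""
    offset = ICONDIR_SIZE + ICONDIRENTRY_SIZE
    header = struct.pack("<HHH", 0, 1, 1)
    # width, height, colours, reserved, planes, bit count, size, offset
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(image), offset)
    return header + entry + image + appended


if __name__ == "__main__":
    clean = build_ico(b"\x00" * 40)
    stuffed = build_ico(b"\x00" * 40, b"SGVsbG8sIFdvcmxkIQ==" * 4)
    print(check_ico(clean), check_ico(stuffed))
```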

The Mountain View cybersecurity biz said the DLL appears to “interface with browser data in an attempt to enable future operations as the attackers sift through the mass of infected downstream customers.”

The malware gathers information from Chrome, Edge, Brave and Firefox, including browser history, data from the places table in Firefox and the history tables in Chrome.

The biz issued a takedown request for the repository. CrowdStrike spotted similar activity on both Windows and Macs when it observed “unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp.”

“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” summarized the Austin-based security outfit.

CrowdStrike said it suspects the attack is the work of North Korea’s Labyrinth Chollima, a subset of Lazarus. The group primarily conducts espionage operations aimed at the US and South Korean militaries.

On the software maker's forums, customers reported suspicious activity, long lists of files and directories affected, and shell scripts to perform a cleanup.

Those forum posts date back to March 22, with folks at the time warning of evidence from their antivirus protection that the desktop client had been infected; we're only hearing confirmation now from 3CX.

Supply chain attacks have been a growing threat since 2020’s SolarWinds incident. The 3CX attack is the most prominent since SolarWinds and the Kaseya crisis that followed.

"This problem is not going away — it's just going to get bigger,” Mandiant's Eric Scales told The Reg earlier this month of supply chain attacks. ®
