30 March 2023

Thousands of companies targeted in 3CX supply chain attack

Multiple cybersecurity firms are warning about an ongoing supply chain attack involving a trojanized version of 3CXDesktopApp used to spread a malicious payload.

3CX is a software-based private branch exchange (PBX) based on the SIP (Session Initiation Protocol) standard. It enables extensions to make calls via the public switched telephone network (PSTN) or via Voice over Internet Protocol (VoIP) services. The 3CXDesktopApp is available for Windows, macOS, Linux and mobile.

The system is used by more than 600,000 companies worldwide, including high-profile organizations such as Toyota, BMW, Coca-Cola, IKEA, McDonald’s, American Express, Turkish Airlines, NHS, and others.

According to reports from Sophos, CrowdStrike, and SentinelOne, the threat actor has been observed targeting Windows and macOS users of the compromised 3CX app.

“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” CrowdStrike noted.

According to SentinelOne researchers, the trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub and ultimately leads to the download of a third-stage infostealer DLL.
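A defender triaging the carrier described above can check whether an ICO file carries data beyond what its own directory accounts for. The following is an added example for this article, not code from the original page or from any vendor it cites; it assumes the standard ICO layout (a 6-byte ICONDIR header followed by 16-byte ICONDIRENTRY records) and builds its own constructed samples.

```python
import base64
import struct
from typing import Optional

_ICONDIR = struct.Struct("<HHH")            # reserved, type (1=ICO, 2=CUR), image count
_ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colours, reserved, planes, bpp, bytesInRes, imageOffset


def ico_payload_end(data: bytes) -> int:
    """Offset where the last image resource ends, per the ICO directory; ValueError if malformed."""
    if len(data) < _ICONDIR.size:
        raise ValueError("too short for an ICO header")
    reserved, ico_type, count = _ICONDIR.unpack_from(data, 0)
    if reserved != 0 or ico_type not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR directory header")
    end = _ICONDIR.size + count * _ICONDIRENTRY.size
    if end > len(data):
        raise ValueError("directory truncated")
    for i in range(count):
        *_, size, offset = _ICONDIRENTRY.unpack_from(data, _ICONDIR.size + i * _ICONDIRENTRY.size)
        if offset + size > len(data):
            raise ValueError("directory entry points past end of file")
        end = max(end, offset + size)
    return end


def find_appended_base64(data: bytes) -> Optional[bytes]:
    """Return the decoded base64 tail appended after the icon data, or None if there is none."""
    tail = data[ico_payload_end(data):].strip()
    if len(tail) < 16:
        return None  # a few stray padding bytes are not a payload
    try:
        return base64.b64decode(tail, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def make_sample_ico(pixel_bytes: bytes) -> bytes:
    """Constructed fixture: a minimal one-entry ICO wrapping arbitrary image bytes."""
    offset = _ICONDIR.size + _ICONDIRENTRY.size
    entry = _ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, len(pixel_bytes), offset)
    return _ICONDIR.pack(0, 1, 1) + entry + pixel_bytes


# Constructed samples: a clean icon, and the same icon with a base64 tail.
SAMPLE_CLEAN = make_sample_ico(b"\x00" * 64)
SAMPLE_TAINTED = SAMPLE_CLEAN + base64.b64encode(b"constructed second-stage marker")
```

Run `find_appended_base64` over icon files pulled from a suspect repository; any non-None result is worth a closer look, since a well-formed icon has nothing after its last image resource.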

“The attack revolves around a DLL sideloading scenario, one with a remarkable number of components involved. This is likely to ensure that customers were able to use the 3CX desktop package without noticing anything unusual about the affected package,” Sophos explained.

Both Sophos and CrowdStrike believe that a nation-state actor may be behind this campaign. While Sophos has not identified a possible culprit, CrowdStrike researchers suspect that a North Korean state-sponsored hacker group they track as Labyrinth Chollima (aka Lazarus Group, APT38, UNC4034, and Zinc) is responsible for this attack.
