3CX admits supply chain attack
Trojanised version of the 3CX desktop VoIP app observed communicating with C2 servers
Communications app maker 3CX on Thursday acknowledged that its Windows VoIP app "includes a security issue" and has been the subject of a software supply chain attack, amid reports from cybersecurity researchers about an active campaign using the app to target 3CX customers.
"This appears to have been a targeted attack from an advanced persistent threat, perhaps even state sponsored, that ran a complex supply chain attack" using the Windows version of the app, 3CX chief information security officer Pierre Jourdan wrote in a post Thursday.
"We apologise profusely for what occurred and we will do everything in our power to make up for this error," he wrote.
On Wednesday, researchers from CrowdStrike, Sophos and SentinelOne published blog posts detailing their findings on an attack that appears to have compromised the 3CX desktop app, each disclosing that they had observed malicious activity originating from a trojanised version of the 3CX desktop VoIP app.
According to researchers, the trojanised binaries were signed with a code-signing certificate, giving them the appearance of legitimate software.
Notable past software supply chain compromises have included the widely felt attacks on SolarWinds, Kaseya and Codecov.
3CX reports on its website that it has more than 600,000 customers, with sales exclusively through its network of 25,000 partners. Major customers listed by 3CX include American Express, McDonald's, Coca-Cola, NHS, Toyota, BMW and Honda.
In the 3CX post, Jourdan wrote that the problem appears to be in one of the bundled libraries that it compiled into its Windows app via the open-source version control system Git. The company is still researching the issue, he said.
The "majority" of domains that were contacted by the compromised library have been taken down at this point, and a GitHub repository that listed the libraries has been shut down as well, according to Jourdan.
According to Sophos researchers, the affected 3CX application "has been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers."
Sophos said it has only confirmed that Windows is affected, while CrowdStrike researchers wrote that malicious activity has been detected on macOS as well as Windows.
"The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," the CrowdStrike researchers wrote.
SentinelOne researchers, who dubbed the campaign "SmoothOperator," disclosed that they observed a "spike in behavioural detections of the 3CXDesktopApp" starting on March 22.
"The trojanised 3CXDesktopApp is the first stage in a multi-stage attack chain," the researchers wrote in the SentinelOne post.
This article first appeared in CRN.