As the cybersecurity community shares additional details on what appears to be a sophisticated supply chain attack, business communication solutions provider 3CX has stated that it is investigating a security incident. The attack appears to affect 3CXDesktopApp, the company's business voice and video conferencing software. According to 3CX's website, more than 600,000 companies use its products, including well-known corporations such as Coca-Cola, Ikea, and PwC, as well as several automakers, airlines, and hotel chains.
The matter came to light when 3CX customers began reporting on the company's forum that various cybersecurity tools had started flagging, and in some cases uninstalling, the 3CXDesktopApp software because of suspicious behavior. Although there was early speculation that the detections were false positives, several cybersecurity organizations confirmed on Wednesday that the 3CX product had been compromised. CrowdStrike, SentinelOne, and Sophos each released an analysis of the attack along with indicators of compromise (IoCs). Evidence gathered by CrowdStrike at this stage of the investigation points to Labyrinth Chollima, a North Korean threat actor and well-known division of the Lazarus Group, as responsible for the breach.
The attack, which SentinelOne tracks as Smooth Operator, involves the distribution of trojanized 3CXDesktopApp installers. The malware, which is signed with a code signing certificate, appears to be deployed as an information stealer. As part of this multi-stage supply chain attack, additional data was also pulled from a GitHub repository that has since been taken down. Late on Wednesday, 3CX issued a security alert informing customers and partners that it had begun investigating a "security issue" involving its Electron Windows App shipped with Update 7, specifically versions 18.12.407 and 18.12.416.
“The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT,” said Pierre Jourdan, CISO at 3CX. “Worth mentioning – this appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware. The vast majority of systems, although they had the files dormant, were in fact never infected,” added the CISO.
The company has advised customers to uninstall the affected application and switch to the PWA client until a new Windows app is released. Jourdan said the attackers' GitHub repository has been removed, rendering the compromised library unusable. Both 3CX and SentinelOne stated that they could not confirm whether the Mac installer is likewise trojanized. SentinelOne's response is limited to the Mac installation. CrowdStrike, however, reported observing malicious activity on both Windows and macOS systems. Patrick Wardle, an expert on Apple security, obtained a sample from CrowdStrike and analyzed it, confirming that a trojanized macOS application is used in the Smooth Operator attack.
The researcher found that Apple had notarized the malware, meaning the tech giant had scanned it for malicious components and found none. Wardle's investigation appears to have prompted Apple to act, as users are now being warned not to install the malicious program. At more than 400 MB, the size of the Mac application made it harder to analyze, but Wardle was able to confirm suspicious behavior. Although the researcher could not obtain a copy of the second-stage payload for analysis, the malware is designed to download one. Wardle has also shared IoCs to help security software detect the macOS variant of the malware.