
Supply chain attack on 3CX affects millions of users

April 14, 2023 - TuxCare PR Team

Two security companies have detected a supply chain attack on 3CX, a popular communication software provider.

The malware has infected the Windows Electron client, but only for customers who have updated to version 7. The attack was first noticed over a week ago. SentinelOne, a security company, discovered the 3CX DesktopApp malware and stated that it is just the first stage of a multi-stage attack.

The malware retrieves ICO files with base64 data appended to them from GitHub and moves on to the third stage, which leads to an infostealer DLL. The DLL is still being analyzed to determine how it interfaces with browser data so that the attackers can sift through the mass of infected downstream customers and select targets for future operations. Since the affected software is a desktop client, users are advised to use the progressive web app instead of the client until it is updated.
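The staging trick described above (a valid icon file carrying an appended base64 blob) is easy to check for with a small parser, because the ICO directory states exactly where the legitimate image data ends. The following is an added defender-side example, not code from the original article or from 3CX: it parses the ICO header and directory, computes the byte offset where the last image ends, and reports any trailing bytes along with whether they decode cleanly as base64. The sample icons are constructed inline; the "payload" string is a labelled placeholder, not real content from the attack.

```python
"""Inspect an ICO file for data appended after the declared image entries.

Added example for triaging icons like those used as staging files in the
3CX incident. Not the project's code; the sample ICO bytes are constructed.
"""
import base64
import binascii
import struct
import sys
from typing import NamedTuple

ICO_HEADER = "<HHH"          # reserved (0), type (1 = icon), image count
ICO_ENTRY = "<BBBBHHII"      # w, h, colors, reserved, planes, bpp, size, offset


class IcoCheck(NamedTuple):
    image_count: int
    expected_size: int        # offset at which the last image's data ends
    trailing_bytes: int       # bytes present after expected_size
    trailing_is_base64: bool  # True if the trailing blob is valid base64


def _looks_like_base64(blob: bytes) -> bool:
    """Strict base64 validation; short blobs are ignored as noise."""
    stripped = blob.strip()
    if len(stripped) < 16:
        return False
    try:
        base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def inspect_ico(data: bytes) -> IcoCheck:
    """Parse the ICO directory and measure any bytes past the image data."""
    if len(data) < struct.calcsize(ICO_HEADER):
        raise ValueError("too short for an ICO header")
    reserved, kind, count = struct.unpack_from(ICO_HEADER, data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO file (bad header or zero entries)")

    entry_size = struct.calcsize(ICO_ENTRY)
    end = 6 + entry_size * count            # directory ends here at minimum
    if len(data) < end:
        raise ValueError("truncated image directory")

    for i in range(count):
        *_, size, offset = struct.unpack_from(ICO_ENTRY, data, 6 + entry_size * i)
        if offset + size > len(data):
            raise ValueError(f"entry {i} points past end of file")
        end = max(end, offset + size)       # images need not be in order

    trailing = data[end:]
    return IcoCheck(count, end, len(trailing), _looks_like_base64(trailing))


def build_ico(image: bytes) -> bytes:
    """Construct a minimal one-entry ICO around arbitrary image bytes."""
    offset = 6 + struct.calcsize(ICO_ENTRY)
    header = struct.pack(ICO_HEADER, 0, 1, 1)
    entry = struct.pack(ICO_ENTRY, 1, 1, 0, 0, 1, 32, len(image), offset)
    return header + entry + image


# Constructed samples: a clean icon and the same icon with base64 appended.
CLEAN_ICO = build_ico(b"\x00" * 40)
APPENDED_BLOB = base64.b64encode(b"PLACEHOLDER: constructed sample, not real payload")
SUSPICIOUS_ICO = CLEAN_ICO + APPENDED_BLOB


def main(argv):
    paths = argv[1:]
    samples = {"clean.ico": CLEAN_ICO, "suspicious.ico": SUSPICIOUS_ICO}
    if paths:
        samples = {p: open(p, "rb").read() for p in paths}
    for name, blob in samples.items():
        r = inspect_ico(blob)
        verdict = "APPENDED BASE64" if r.trailing_is_base64 else (
            "trailing bytes" if r.trailing_bytes else "clean")
        print(f"{name}: {r.image_count} image(s), {r.trailing_bytes} trailing byte(s) -> {verdict}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with icon paths as arguments to scan real files; with no arguments it checks the two constructed samples. The check is deliberately narrow: trailing bytes alone are only a hint (some tools pad files), so the base64 test is what turns "odd" into "worth pulling for analysis".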

3CX CEO Nick Galea confirmed the infection and issued recommendations for customers to use the PWA client instead of the affected desktop client. The company claims to have more than 12 million daily users and serves a broad variety of industries, including major companies such as Mercedes Benz, McDonald’s, BMW, Holiday Inn, the NHS, American Express, Coca-Cola, and Air France.

CrowdStrike also spotted similar activity on both Windows and macOS, and it suspects that the attack is the work of North Korea’s Labyrinth Chollima, a subset of Lazarus. The group primarily conducts espionage operations aimed at the US and South Korean militaries.

3CX customers have reported suspicious activity, long lists of affected files and directories, and shell scripts to perform a cleanup. These forum posts date back to March 22, with users warning of an intrusion. Supply chain attacks have been a growing threat since the SolarWinds incident in 2020. The 3CX attack is the most prominent since SolarWinds and the Kaseya crisis that followed.

The 3CX desktop client malware gathers information from Chrome, Edge, Brave, and Firefox, including browser history, data from the places table in Firefox, and the Chrome history tables. It is crucial to note that supply chain attacks can happen to any company and can affect millions of users.

In response to the attack, 3CX is working on an update to the DesktopApp, which they will release in the coming hours. The company is also addressing BLF immediately and hotkeys if possible. Until the new build is released, 3CX strongly recommends using the PWA client instead of the affected Electron client.

The sources for this piece include an article in TheRegister.
