3CX Issues Security Alert for Desktop App Following Supply Chain Attack Concerns
3CX, a leading provider of business communication solutions, has issued a security alert regarding its desktop application. The company has warned users that a vulnerability has been identified in the application’s security protocols, which could potentially be exploited by cybercriminals to gain unauthorized access to user data.

The vulnerability affects the 3CX desktop application for Windows, which is used by thousands of businesses worldwide to manage their communications. The application is used to make calls, send messages, and access voicemail, among other functions.
The incident first came to light when 3CX customers reported suspicious behavior on the company’s forum. Users noted that various cybersecurity products had flagged and even removed 3CXDesktopApp, the company’s enterprise voice and video conferencing software, due to abnormal behavior. Initial suggestions that the detections were false positives were quickly dismissed when cybersecurity firms, including CrowdStrike, SentinelOne, and Sophos, confirmed that the 3CX software had indeed been compromised.
The attack, dubbed “Smooth Operator” by SentinelOne, involved the delivery of trojanized 3CXDesktopApp installers, and the malware was signed with a code signing certificate. The primary goal of the malware appears to be the deployment of an information stealer. The supply chain attack also involved pulling files from a GitHub repository, which has since been shut down.
As part of its response, CrowdStrike has offered recommendations to customers to mitigate the impact of the intrusion campaign. These recommendations include locating 3CXDesktopApp software in their environment using specific queries provided by CrowdStrike. According to CrowdStrike’s investigation, the malicious activity consists of beaconing to infrastructure under the control of threat actors, deployment of second-stage payloads, and in some instances, direct interaction with compromised systems. What’s particularly alarming is that the malicious activity was initiated from a genuine, signed binary of 3CXDesktopApp, which makes it more likely that traditional security measures will overlook the software.
3CX has acknowledged the security breach and has instructed customers to uninstall the affected application and use the PWA client until a new Windows app is developed. The company has launched an investigation into the security issue, specifically related to its Electron Windows App shipped in Update 7, with version numbers 18.12.407 and 18.12.416. 3CXDesktopApp is used by over 600,000 companies worldwide, including major brands such as Coca-Cola, Ikea, PwC, and several carmakers, airlines, and hotel chains.
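The inventory step described above, as an added example (not code from 3CX or CrowdStrike, and not the CrowdStrike queries): it triages a software-inventory export and flags hosts carrying the two Windows builds named in the alert. The CSV columns, host names, unlisted version strings and the alternative product spelling are assumptions constructed for illustration.

```python
import csv
import io
import re

# Versions named in the 3CX alert above (Electron Windows App, Update 7).
AFFECTED_WINDOWS_VERSIONS = {"18.12.407", "18.12.416"}
SEVERITY = {"not-listed": 0, "unknown-version": 1, "affected": 2}

# Constructed sample export; hosts, columns and unlisted versions are made up.
SAMPLE_INVENTORY = """host,os,product,version
WS-001,Windows 10,3CXDesktopApp,18.0.1
WS-001,Windows 10,3CX Desktop App,18.12.416.0
WS-002,Windows 11,3CXDesktopApp,v18.0.1
WS-003,Windows 10,3CXDesktopApp,
MAC-004,macOS 13,3CX Desktop App,18.12.416
WS-005,Windows 10,Example Browser,111.0
"""

def normalize_version(raw):
    """Reduce '18.12.416.0' or ' v18.12.416 ' to 'major.minor.build'."""
    parts = re.findall(r"\d+", raw or "")
    return ".".join(parts[:3]) if len(parts) >= 3 else ""

def classify(os_name, version):
    """Status of one 3CX desktop client install against the alert."""
    if not version:
        return "unknown-version"   # cannot be ruled out, check the host
    on_windows = os_name.strip().lower().startswith("windows")
    if on_windows and version in AFFECTED_WINDOWS_VERSIONS:
        return "affected"
    return "not-listed"            # present, but not a build the alert names

def triage(inventory_csv):
    """Return {host: worst status} for hosts with the 3CX desktop client."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Assumption: tools spell the product differently, so compare the
        # name with spaces and punctuation removed.
        name = re.sub(r"[^a-z0-9]", "", row["product"].lower())
        if "3cxdesktopapp" not in name:
            continue
        status = classify(row["os"], normalize_version(row["version"]))
        previous = results.get(row["host"], "not-listed")
        results[row["host"]] = max(status, previous, key=SEVERITY.get)
    return results

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{status}")
```

Hosts reported as `unknown-version` or `not-listed` still have the client installed and fall under the uninstall guidance until the vendor's investigation narrows the scope.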
The incident has raised concerns about the security of supply chains in the software industry, and businesses are advised to remain vigilant.





