Tue | Apr 4, 2023 | 4:21 AM PDT

Business communication solutions provider 3CX recently experienced a supply chain attack that impacted its VoIP IPBX software, which is used by over 600,000 companies worldwide.

The attack was discovered on March 22nd after several cybersecurity firms began flagging the 3CXDesktopApp for malicious behavior. The attackers compromised both the Windows and Mac versions of the application, so that many 3CX customers received a trojanized build through the vendor's own distribution channel.

The company has advised customers to uninstall the Electron app for Mac and Windows and use the web app (PWA) version until a clean app is developed. The malware delivered by the attackers was designed to harvest data from compromised systems, including browser data.
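For a defender, the first question after guidance like this is whether the Electron app is present on each host and whether its files match the known-bad hashes published by the vendor or incident responders. The following is an added example written for this article, not 3CX's own tooling: it hashes the files in a desktop-app install tree, compares them against an operator-supplied SHA-256 list, and returns a per-host verdict. The install roots in `DEFAULT_ROOTS` are placeholders (assumed, not taken from the page), and the hash in `demo()` is a constructed stand-in, not a real indicator; a real run must use hashes from an advisory you trust. Note that a verdict of `present` with no hash hits still means the app should be removed per the vendor guidance above, because an IOC list is only as complete as its source.

```python
"""
Added example (not 3CX's own code): inventory a desktop-app install tree,
hash its binaries and compare them against an operator-supplied list of
known-bad SHA-256 values.

Assumptions: DEFAULT_ROOTS are placeholder paths for wherever the Electron
app lives in your environment, and the IOC hash list must come from the
vendor or IR advisory you trust. demo() uses a constructed tree and a
constructed hash, not real indicators.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Assumed/placeholder install roots for the Electron desktop app.
DEFAULT_ROOTS = [
    Path(os.environ.get("LOCALAPPDATA", "")) / "Programs" / "3CXDesktopApp",  # Windows (assumed)
    Path("/Applications/3CX Desktop App.app"),                               # macOS (assumed)
]

# File types worth hashing inside an Electron bundle ("" covers extension-less Mach-O binaries).
INTERESTING_SUFFIXES = {".exe", ".dll", ".dylib", ".so", ".node", ".asar", ""}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map relative path -> sha256 for every interesting file under root (empty if root is missing)."""
    hashes = {}
    if not root.is_dir():
        return hashes
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in INTERESTING_SUFFIXES:
            hashes[str(p.relative_to(root))] = sha256_file(p)
    return hashes


def match_iocs(hashes: dict, known_bad: set) -> list:
    """Return sorted (relative_path, sha256) pairs for files whose hash is on the known-bad list."""
    bad = {h.lower() for h in known_bad}
    return sorted((rel, h) for rel, h in hashes.items() if h in bad)


def triage(roots, known_bad: set) -> dict:
    """Scan each root. Verdict: 'compromised' on any IOC hit, 'present' if the app
    was found without hits (still remove it per vendor guidance), else 'absent'."""
    report = {"roots": {}, "verdict": "absent"}
    for root in roots:
        hashes = hash_tree(Path(root))
        if not hashes:
            continue
        hits = match_iocs(hashes, known_bad)
        report["roots"][str(root)] = {"files": len(hashes), "hits": hits}
        if hits:
            report["verdict"] = "compromised"
        elif report["verdict"] == "absent":
            report["verdict"] = "present"
    return report


def demo() -> dict:
    """Self-contained run on a constructed install tree; no real 3CX files or indicators involved."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "3CXDesktopApp"
        (root / "resources").mkdir(parents=True)
        (root / "3CXDesktopApp.exe").write_bytes(b"abc")     # constructed stand-in binary
        (root / "resources" / "app.asar").write_bytes(b"")   # constructed stand-in bundle
        (root / "README.txt").write_text("not a binary, ignored by the scan")
        # Constructed IOC: sha256(b"abc"). A real list comes from your vendor/IR advisory.
        known_bad = {"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}
        return triage([root], known_bad)


if __name__ == "__main__":
    if "--demo" in sys.argv:
        print(demo())
    else:
        # Real run: pass advisory hashes as arguments; with none, the tool only inventories.
        print(triage(DEFAULT_ROOTS, set(sys.argv[1:])))
```

Run it with `--demo` to see the constructed case, or pass the advisory's hashes as arguments to scan the placeholder roots on a real host. The scan deliberately hashes the whole tree rather than one launcher executable, because a trojanized Electron app can carry its payload in a library or resource bundle rather than the main binary.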

Evidence collected so far suggests that the attackers had access to 3CX systems for months before the attack was discovered. Incident response firm Volexity analyzed the infrastructure used in the supply chain attack and found that the hackers had access to 3CX systems since at least December 2022, possibly even as early as November 2022.

The harvested data appears intended for follow-on activity, such as extortion and the reuse of stolen credentials.

According to Huntress, more than 240,000 3CX phone management systems are exposed to the internet, and Huntress has detected over 2,700 instances of malicious 3CXDesktopApp binaries.

As for who was behind the attack, cybersecurity firm CrowdStrike has attributed the attack to a threat actor known as Labyrinth Chollima, which is a subset of the state-sponsored North Korean hacking group Lazarus. Lazarus has gained notoriety over the last few years with some high-profile incidents, including targeting cryptocurrency and blockchain organizations, as well as the energy sector in the U.S., Canada, and Japan.

In an interview with CyberScoop, 3CX CEO Nick Galea discussed the incident:

"Because of the way VOIP apps work, it wouldn't be the first time [we got flagged]. It happens quite frequently—so I have to be honest we didn't take it that seriously. We did upload it to a site called VirusTotal to check... and none of the anti-virus engines flagged us of having a virus, so we just left it at that.

Then we gave it much more, let's say importance, which we should have done before we fully understand now. It's just we didn't understand before the severity of it. We have a security team, we do our own pentesting, we've got software scanners, we got a CSO of course. Nonetheless, they outsmarted us."

The attack on 3CX is believed to be sophisticated, but there were clear indicators that could have tipped off 3CX to the breach before customer systems were affected. Many 3CX customers are unhappy with the way the company has handled the incident. Initially, the company insisted that the malware detections were false positives, and some users claimed they were instructed by 3CX staff to pay for a support ticket to get help in addressing the issue.

You can see some of the customer reactions to the company's handling of the incident on this 3CX community thread. One comment reads:

"You are kidding, right? 'We uploaded it to virustotal.com'? Is there no dedicated security incident team at 3CX because it is too expensive? Denying the problem and pointing at the manufacturers of security software until the evidence is clear paints a horrible picture. And giving the impression that a third party is to blame only reinforces that impression. I don't know who gave you the advice to report this, but the advice was wrong."

The supply chain attack on 3CX showed how exposed the many businesses that rely on the company's communication software are to a compromise of their vendor's build and distribution pipeline, and it highlights the need to take supply chain security seriously. It also underlines the importance of prompt and transparent communication during a security incident, and of treating early detections as signals to investigate rather than false positives to dismiss.
