North Korea's Lazarus Group uses supply chain attack to infect 3CX installer

Cybersecurity threat researchers from SentinelLabs, Crowdstrike, and Check Point have discovered an ongoing supply chain attack targeting the 3CX desktop app, which is used by over 12 million daily users worldwide. Approximately 1,000 organizations may be affected, according to researchers who found linked GitHub repositories used by the threat group dating back to February and December 2022.

The Cybersecurity & Infrastructure Security Agency (CISA) has also confirmed the supply chain attack, and linked to appropriate vendor research.

Among 3CX's notable customers are Pepsi, McDonald's, Toyota, Chevron, and the National Health Service (NHS) of England. Over 600,000 enterprise companies use 3CX.

According to a statement from the 3CX CEO Nick Galea, Mandiant has been hired to “review the incident in full.”

The infected installer file is 3CXDesktopApp, a popular voice and video conferencing software product categorized as a Private Automatic Branch Exchange (PABX) platform.

The 3CXDesktopApp is available for Windows, macOS, Linux and mobile. At this time, activity has been observed on both Windows and macOS, according to Crowdstrike.

While SentinelLabs did not directly attribute the attack to a specific group, it stated that the tactics, techniques and procedures (TTPs) resemble those of the hacking group the United States government has named the Lazarus Group, a state-sponsored threat actor with ties to the North Korean government. Because definitive attribution remains "inconclusive", SentinelLabs has paused attributing the attack and, in the meantime, has named the campaign against 3CX software "SmoothOperator".

Crowdstrike's cyber threat research team, however, has attributed the supply chain attack to "Labyrinth Chollima", its name for the Lazarus Group.

Check Point detailing the key points of the infection chain of the 3CX 3CXDesktopApp. (Source: Check Point)

The attack began when the attackers compromised a third-party software library used by 3CX, which allowed them to insert malicious code into the 3CX desktop app. The trojanized build was then distributed to 3CX customers through the company's own website and update servers.

When a victim installed the malicious 3CX desktop app, the malware was installed on the victim's computer alongside it. The malware then communicated with the attackers' command and control (C2) server, giving the attackers a channel to steal data from the victim's computer.

The threat is critical because the compromised software sits in the organization's telephony path: "in addition to monitoring an organization's communications, actors can modify call routing or broker connections into voice services from the outside," the SentinelLabs team said.

SentinelLabs, Crowdstrike, Check Point release 3CX “SmoothOperator” Detection and Mitigation

Customers that have Crowdstrike Falcon deployed in their environment will be able to quickly locate 3CXDesktopApp installations and mitigate the attack. Crowdstrike has published indicators of compromise and response guidance in its dedicated blog post on this attack.

SentinelLabs has similarly posted indicators of compromise and recommendations on their dedicated “SmoothOperator” blog post. “For SentinelOne customers, no action is needed. We’ve provided technical indicators to benefit all potential victims in hunting for the SmoothOperator campaign,” the company has announced.

“As of Mar 22, 2023 SentinelOne began to see a spike in behavioral detections of the 3CXDesktopApp, a popular voice and video conferencing software product categorized as a Private Automatic Branch Exchange (PABX) platform.” (Source: SentinelLabs)

Check Point ThreatCloud and Horizon XDR/XPR customers also remain protected, with ThreatCloud pushing indicator of compromise data to all products in Check Point's portfolio.

“All software vulnerabilities and attack signatures that are found by CPR or seen in the wild, such as the Trojanized version of the original 3CXDesktopApp are immediately fed to ThreatCloud, the brain behind all of Check Point’s products, which propagates the appropriate protections throughout Check Point’s products,” the company’s blog post announced.

3CX supply chain attack likely largest since SolarWinds

The 3CX incident is a reminder of why supply chain attacks are so dangerous: the malicious code arrives through the vendor's own website and update channel, so customers install it willingly and the controls that normally block untrusted software never fire. Such attacks are becoming increasingly common and remain difficult to defend against, and organizations need to be aware of the risk and take steps to protect themselves.

The last time the U.S. faced a supply chain attack of this magnitude was in 2020 when Russia-linked hackers compromised SolarWinds, affecting at least nine US federal agencies and approximately 100 companies.

In response to the attack, 3CX released a security update that removes the malicious code from the 3CX desktop app. For self-hosted or on-premises 3CX servers, the company recommends updating the 3CX desktop app to the latest version.

3CX also strongly recommends that customers avoid using the Electron desktop app "unless absolutely essential," and use the Progressive Web App (PWA) client instead.

CISA also recommends that organizations hunt on their networks for the indicators of compromise published by each of the vendors linked above.
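One concrete form such a hunt can take is a hash sweep of the 3CX desktop app's install locations against the vendor-published file hashes. The script below is an added example, not code from 3CX, CISA or any of the vendors named above: the `KNOWN_BAD_SHA256` set is an empty placeholder to be filled from the vendors' IOC lists, and the default install paths are assumptions about a typical per-user Windows install and a macOS application bundle.

```python
"""Hunt for trojanized 3CXDesktopApp files by SHA-256 hash matching.

Added example, not code from 3CX, SentinelLabs, CrowdStrike, Check Point or CISA.
KNOWN_BAD_SHA256 is a constructed placeholder: populate it from the vendors' IOC lists.
"""
import hashlib
import os
from pathlib import Path
from typing import Iterable

# Constructed placeholder set; replace with the SHA-256 hashes the vendors published.
KNOWN_BAD_SHA256: set[str] = set()

# Assumed default install locations (per-user Windows install, macOS app bundle).
# Adjust these for your fleet; roots that do not exist are skipped.
DEFAULT_ROOTS = [
    Path(os.environ.get("LOCALAPPDATA", "")) / "Programs" / "3CXDesktopApp",
    Path("/Applications/3CX Desktop App.app"),
]

# File types worth hashing; "" covers extension-less Mach-O binaries inside app bundles.
INTERESTING_SUFFIXES = {".exe", ".dll", ".msi", ".dylib", ".node", ""}


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(roots: Iterable[Path], bad_hashes: set[str],
         suffixes: set[str] = INTERESTING_SUFFIXES) -> dict:
    """Walk each root, hash candidate files and report those matching an IOC.

    Returns {"scanned": <files hashed>, "matches": [(path, sha256), ...]}.
    Hash comparison is case-insensitive because vendor lists mix upper and lower case.
    """
    normalised = {h.lower() for h in bad_hashes}
    scanned = 0
    matches: list[tuple[Path, str]] = []
    for root in roots:
        if not root.exists():
            continue
        for path in root.rglob("*"):
            if not path.is_file() or path.suffix.lower() not in suffixes:
                continue
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # locked or unreadable file; cannot be hashed here
            scanned += 1
            if digest in normalised:
                matches.append((path, digest))
    return {"scanned": scanned, "matches": matches}


if __name__ == "__main__":
    report = hunt(DEFAULT_ROOTS, KNOWN_BAD_SHA256)
    print(f"hashed {report['scanned']} files")
    for path, digest in report["matches"]:
        print(f"IOC MATCH {digest} {path}")
    if not report["matches"]:
        print("no hash matches; still check the vendors' network and behavioural IOCs")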

You May Also Like

Google Invests $2 Billion in AI Startup Anthropic

Google has announced it is investing $2 billion in artificial intelligence (AI)…

OpenAI GPT-4 is here with multimodal AI capabilities

OpenAI, an AI research and development company backed by Microsoft, has started…

What is Zero Trust Cybersecurity?

Zero trust cybersecurity is a security approach that assumes that all users…