An ongoing supply chain attack is distributing a digitally signed, trojanized version of the 3CX desktop app to target the company’s customers. 3CX is a software development company specializing in VoIP IPBX products; its 3CX Phone System has more than 12 million daily users and is employed by over 600,000 companies worldwide.
On Wednesday, various cybersecurity firms warned that the official Windows desktop application for the commonly used 3CX softphone solution had been tampered with by suspected state-sponsored threat actors.
CrowdStrike said it had observed “unexpected harmful behavior” emerging from a valid, signed binary, the 3CXDesktopApp softphone. Beaconing to actor-controlled infrastructure, launching second-stage payloads, and occasionally “hands-on” keyboard work were all involved in this activity. It claimed to have observed this behavior on systems running macOS and Windows.
How Does The 3CX Desktop App Work?
The 3CX Desktop App is a software application developed by 3CX, a leading provider of unified communication solutions. The app is designed to provide users with access to various communication features, such as voice and video calls, instant messaging, and presence information, all from a single platform.
The app is available for Windows, macOS, Linux, Android, and iOS, as a Chrome extension, and as a PWA (progressive web app), and it can be used in conjunction with a 3CX phone system or as a standalone communication platform. It is designed to be easy to use and provides a unified interface for managing all communication channels.
3CX DesktopApp is developed by 3CX, a leading provider of unified communication solutions with a vast customer base of over 600,000 and 12 million users across 190 countries. Among its impressive list of clientele are globally recognized brands such as American Express, BMW, Honda, Ikea, Pepsi, and Toyota, to name a few.
Activities Observed On MacOS And Windows Systems
Cybersecurity firms CrowdStrike and Sophos independently detected a developing incident and brought attention to it through their telemetry. CrowdStrike discovered “unexpected malicious activity” originating from a legitimate, signed binary file, specifically the 3CXDesktopApp softphone.
This activity involved beaconing to infrastructure controlled by the threat actors, distributing second-stage payloads, and sometimes performing “hands-on” keyboard activity. This activity was observed on both macOS and Windows systems.
Sophos reported similar activity, although it was limited to Windows environments. It has evidence that the threat actors are employing a public cloud storage service to host their encoded malware.
Sophos’s vice president of managed threat response, Mat Gangwer, stated that his company was the first to identify the malicious activity linked to a supply chain attack on the 3CXDesktopApp that impacted its customers after searching for the reported activity on March 29.
According to 3CX Chief Information Security Officer (CISO) Pierre Jourdan, the Windows version of the 3CX client app based on the Electron framework has been infected with malware. As a result, Jourdan has advised users to temporarily uninstall the app and use the Progressive Web Application (PWA) version instead until a clean version can be released.
However, researchers from Trend Micro and Crowdstrike have also discovered that the macOS versions of the 3CX desktop app have been compromised. Specifically, the following files have been identified as trojanized:
● 3cxdesktopapp-18.12.407.msi (Windows)
● 3cxdesktopapp-18.12.416.msi (Windows)
● 3CXDesktopApp-18.11.1213.dmg (macOS)
● 3cxdesktopapp-latest.dmg (macOS)
Customers are urged to locate and remove these files as a precautionary measure until 3CX completes its investigation and releases a clean version. Companies such as Sophos, SentinelOne, Trend Micro, and Crowdstrike have provided customers with indicators of compromise that can be used to identify any evidence of compromise on their systems.
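A practical way to act on the file list above (and on the Windows version numbers 18.12.407 and 18.12.416 that 3CX later confirmed) is to run the published names and versions against a software-inventory export. The following is an added example, not code from 3CX or from any of the vendors named in the article; the inventory row layout and the sample hosts are constructed for illustration. The only indicators it uses are the installer names and version numbers quoted on this page, so it is a triage aid, not a substitute for the vendors’ full indicator lists.

```python
import re
from dataclasses import dataclass

# Installer file names the article lists as trojanized. Matching is done
# case-insensitively because the macOS name is published with mixed case.
TROJANIZED_INSTALLERS = {
    "3cxdesktopapp-18.12.407.msi",
    "3cxdesktopapp-18.12.416.msi",
    "3cxdesktopapp-18.11.1213.dmg",
    "3cxdesktopapp-latest.dmg",
}

# Product versions the article associates with the trojanized builds.
TROJANIZED_VERSIONS = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213"},
}

# Pulls the version out of a versioned installer name such as 3cxdesktopapp-18.12.416.msi.
VERSION_IN_NAME = re.compile(r"3cxdesktopapp-(\d+\.\d+\.\d+)\.(msi|dmg)$", re.IGNORECASE)


@dataclass
class InstalledApp:
    """One row of a hypothetical software-inventory export (constructed layout)."""
    host: str
    platform: str   # "windows" or "macos"
    version: str    # version reported by the installed app, "" if unknown
    installer: str  # file name of the package that installed it, "" if unknown


def assess(app: InstalledApp) -> str:
    """Classify an inventory row as 'trojanized', 'review' or 'clean'.

    trojanized : the installed version, or the version in the installer name,
                 is one of the builds the article names
    review     : the installer was the version-agnostic 'latest' package, whose
                 name alone cannot tell which build it delivered
    clean      : none of the published indicators matched
    """
    bad_versions = TROJANIZED_VERSIONS.get(app.platform.lower(), set())
    installer = app.installer.lower()

    if app.version in bad_versions:
        return "trojanized"
    match = VERSION_IN_NAME.match(installer)
    if match:
        return "trojanized" if match.group(1) in bad_versions else "clean"
    if installer == "3cxdesktopapp-latest.dmg":
        # Listed as trojanized, but the name carries no version: hand to an analyst.
        return "review"
    if installer in TROJANIZED_INSTALLERS:
        return "trojanized"
    return "clean"


def scan(inventory: list[InstalledApp]) -> dict[str, str]:
    """Map each host to its verdict."""
    return {app.host: assess(app) for app in inventory}


# Constructed sample rows; the host names and the clean version 19.0.0 are placeholders.
SAMPLE_INVENTORY = [
    InstalledApp("ws-01", "windows", "18.12.416", "3cxdesktopapp-18.12.416.msi"),
    InstalledApp("ws-02", "windows", "19.0.0", "3cxdesktopapp-19.0.0.msi"),
    InstalledApp("mac-01", "macos", "", "3cxdesktopapp-latest.dmg"),
    InstalledApp("mac-02", "macos", "18.11.1213", ""),
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Hosts marked `trojanized` should be isolated and the app removed, as the article advises; `review` hosts need the installed version confirmed by hand, because the `latest` package name says nothing about which build it delivered.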
What Is 3CX Doing?
According to CrowdStrike, the attack has been linked to a North Korean group known as Labyrinth Chollima, which shares some similarities with the infamous Lazarus APT. However, Sophos has not yet attributed the attack at the time of writing.
On March 30, 3CX’s Chief Information Security Officer Pierre Jourdan confirmed that version numbers 18.12.407 and 18.12.416 of the Electron Windows App’s update 7 contained a security issue that triggered antivirus programs. The issue appears to be related to a compromised library compiled into Electron via Git, and a more extensive investigation is currently underway.
Jourdan stated: “The majority of the domains contacted by this corrupted library have already been reported and pulled down. These were also included in a GitHub repository that has since been deleted, leaving it useless. Even while the files remained inactive on most PCs, they were never actually infected. This looks to have been a targeted attack by an APT, possibly even one that was state-sponsored, that used a sophisticated supply chain attack to select the users who would download the subsequent stages of their malware.”
It is hoped that 3CX’s investigation will soon establish exactly when its legitimate apps were replaced with trojanized ones and how its delivery infrastructure was compromised. Meanwhile, customers who could be impacted should note what the malicious applications were found to do: they communicated with multiple C2 servers, retrieved a second-stage payload from a public GitHub repository, and downloaded information-stealing malware able to collect system information and harvest login credentials and data saved in user profiles of the Chrome, Edge, Brave, and Firefox browsers. According to Crowdstrike researchers, in a few instances there was evidence of hands-on-keyboard activity following these events.
3CX is developing a new version of the Electron Windows App and will issue new certificates. In the meantime, Jourdan suggests that customers consider using the web-based PWA service. He also apologized for the incident and promised that the company would do everything in its power to make up for the mistake.
In conclusion, cybersecurity firms have warned of a supply chain attack in which a trojanized 3CX Voice Over Internet Protocol (VoIP) desktop client was used to target the company’s customers. The attack was observed on both Windows and macOS systems, and several cybersecurity companies have provided customers with indicators of compromise to identify any evidence of compromise on their systems.
While 3CX’s investigation is ongoing, customers who could be impacted should note that the malicious applications have communicated with multiple C2 servers, retrieved a second-stage payload from a public GitHub repository, and downloaded information-stealing malware. Therefore, it is crucial for users to temporarily uninstall the app and use the Progressive Web Application (PWA) version until a clean version can be released.
The 3CX incident demonstrates how sophisticated threat actors, believed on this occasion to be nation-state hackers, abuse open source ecosystems like GitHub to host seemingly benign files: in this case icon files that in fact carried malware. Neither the name of the repository, “IconStorages”, nor the format of the files raised any obvious red flag, and the files were initially cleared by most antivirus products.
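Icon files pass casual inspection because viewers only read the bytes the ICO directory points at; anything after the last image is silently ignored, which is one common way to hide data in a file that still renders as a valid icon. The check below is an added example, not code from the article or from any vendor it cites, and it assumes that layout (a payload appended past the declared image data) purely for illustration; it makes no claim about how the “IconStorages” files were built. It parses the ICO header and directory, computes where the last image ends, and reports whatever trails it. The sample icons are constructed in the block and the image bytes are placeholders, since the check never decodes pixels.

```python
import struct

ICO_HEADER = struct.Struct("<HHH")       # reserved, type (1 = icon), image count
ICO_ENTRY = struct.Struct("<BBBBHHII")   # w, h, colours, reserved, planes, bpp, size, offset


def ico_trailing_data(data: bytes) -> bytes:
    """Return the bytes that lie beyond the last image the ICO directory accounts for.

    A well-formed icon ends where its last image ends, so anything after that
    point is invisible to image viewers. Raises ValueError when the input is
    not a structurally valid ICO, so callers can treat parse failures separately.
    """
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short to be an ICO file")
    reserved, icon_type, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or icon_type != 1 or count == 0:
        raise ValueError("not an ICO file")
    dir_end = ICO_HEADER.size + count * ICO_ENTRY.size
    if len(data) < dir_end:
        raise ValueError("truncated ICO directory")
    end = dir_end
    for i in range(count):
        *_, size, offset = ICO_ENTRY.unpack_from(data, ICO_HEADER.size + i * ICO_ENTRY.size)
        if offset < dir_end or offset + size > len(data):
            raise ValueError(f"image {i} points outside the file")
        end = max(end, offset + size)
    return data[end:]


def is_suspicious_icon(data: bytes, min_trailing: int = 16) -> bool:
    """Flag icons carrying a non-trivial amount of data past their last image."""
    return len(ico_trailing_data(data)) >= min_trailing


def build_ico(images: list[bytes]) -> bytes:
    """Assemble a structurally valid ICO from raw image blobs (fixture builder only)."""
    count = len(images)
    first_image = ICO_HEADER.size + count * ICO_ENTRY.size
    directory = bytearray(ICO_HEADER.pack(0, 1, count))
    body = bytearray()
    for blob in images:
        directory += ICO_ENTRY.pack(16, 16, 0, 0, 1, 32, len(blob), first_image + len(body))
        body += blob
    return bytes(directory + body)


# Constructed samples: 64 zero bytes stand in for a real 16x16 bitmap, and the
# trailing marker stands in for a hidden payload. Neither is real data.
CLEAN_ICON = build_ico([b"\x00" * 64])
HIDDEN_BLOB = b"<<constructed trailing data standing in for a hidden payload>>"
SUSPICIOUS_ICON = CLEAN_ICON + HIDDEN_BLOB

if __name__ == "__main__":
    for name, icon in (("clean", CLEAN_ICON), ("suspicious", SUSPICIOUS_ICON)):
        print(f"{name}: {len(ico_trailing_data(icon))} trailing bytes")
```

The `min_trailing` threshold exists because some legitimate tools pad files by a byte or two; a few dozen bytes or more past the last image is worth a second look, and a large tail that decodes cleanly as text or base64 is the kind of thing a repository scanner should surface before the file is cleared.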
“Any system that’s open to the public (i.e. open source) is also open to adversaries, which is why we need novel solutions to safeguard the open source repos and ecosystem before they can be leveraged by advanced persistent threat actors to conduct supply chain attacks. With software supply chain attacks increasing by 742% over the past three years, there is an immediate need for drastic action to turn the tide against malicious actors such as those responsible for the attack on 3CX