3CX is currently developing a software update for its desktop application after several cybersecurity vendors raised concerns about a possible active supply chain attack. The attackers are using digitally signed, tampered installers of the widely used voice and video conferencing software to target downstream customers.
SentinelOne researchers said the first step in a multi-stage attack chain is a trojanized 3CX desktop app. Subsequent stages retrieve ICO files with Base64-encoded data appended to them from GitHub, culminating in a third-stage data-stealing DLL.
The security company is tracking the activity under the name SmoothOperator. The threat actor reportedly began building out an extensive attack infrastructure in February 2022, and there are indications that the intrusion itself started around March 22, 2023.
3CX, the maker of 3CXDesktopApp, says it has more than 600,000 customers and 12 million users in 190 countries, including notable companies such as American Express, BMW, Honda, Ikea, Pepsi, and Toyota.
Although the 3CX PBX client is available for several platforms, telemetry so far shows attacks only against the Windows Electron client (versions 18.12.407 and 18.12.416) and the macOS versions of the PBX phone system.
In short, the infection chain uses DLL side-loading to load a malicious DLL named ffmpeg.dll, which in turn fetches a payload in the form of an icon (ICO) file. The GitHub repository that hosted this file has since been taken down.
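The staging technique described above (an icon file with Base64-encoded data appended after the image data, fetched from a public repository) lends itself to a simple file-level check. The following Python script is an added example for this article, not code from 3CX or from any of the vendors cited: it parses the ICO directory, computes where the legitimate image data ends, and reports any trailing bytes, decoding them if they form well-formed Base64. The sample icons and the appended string are constructed here for illustration and do not correspond to any real artifact from this campaign.

```python
import base64
import binascii
import re
import struct

# ICO container layout (Microsoft ICONDIR / ICONDIRENTRY), little-endian.
ICONDIR_FMT = "<HHH"            # reserved (0), resource type (1 = icon), image count
ICONDIRENTRY_FMT = "<BBBBHHII"  # width, height, colors, reserved, planes, bpp, bytes, offset
ICONDIR_SIZE = struct.calcsize(ICONDIR_FMT)            # 6 bytes
ICONDIRENTRY_SIZE = struct.calcsize(ICONDIRENTRY_FMT)  # 16 bytes

# Standard Base64 alphabet with optional "=" padding; whitespace is stripped before matching.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")


def ico_payload_end(data: bytes) -> int:
    """Return the offset just past the last byte any directory entry references.

    Every legitimate byte of an ICO file is the header, a directory entry, or
    image data pointed to by an entry; anything beyond that end is foreign.
    """
    if len(data) < ICONDIR_SIZE:
        raise ValueError("too short to be an ICO file")
    reserved, res_type, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0 or res_type not in (1, 2):  # 1 = icon, 2 = cursor
        raise ValueError("not an ICO/CUR header")
    end = ICONDIR_SIZE + count * ICONDIRENTRY_SIZE
    if end > len(data):
        raise ValueError("directory runs past end of file")
    for i in range(count):
        entry = struct.unpack_from(ICONDIRENTRY_FMT, data, ICONDIR_SIZE + i * ICONDIRENTRY_SIZE)
        size, offset = entry[6], entry[7]
        if offset + size > len(data):
            raise ValueError(f"entry {i} points past end of file")
        end = max(end, offset + size)
    return end


def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the last image blob (b'' for a clean file)."""
    return data[ico_payload_end(data):]


def decode_if_base64(tail: bytes):
    """Return decoded bytes if the tail is well-formed Base64, otherwise None."""
    compact = b"".join(tail.split())  # tolerate line breaks inside the appended blob
    if not compact or len(compact) % 4 or not B64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_ico(data: bytes) -> dict:
    """Summarise whether an ICO carries appended data and whether it decodes as Base64."""
    tail = trailing_data(data)
    decoded = decode_if_base64(tail)
    return {
        "trailing_bytes": len(tail),
        "base64_decodes": decoded is not None,
        "decoded": decoded,
    }


def build_ico(image_blob: bytes) -> bytes:
    """Wrap an arbitrary blob in a single-entry ICO directory (constructed test data;
    the parser only needs a consistent directory, not a real bitmap)."""
    offset = ICONDIR_SIZE + ICONDIRENTRY_SIZE
    header = struct.pack(ICONDIR_FMT, 0, 1, 1)
    entry = struct.pack(ICONDIRENTRY_FMT, 16, 16, 0, 0, 1, 32, len(image_blob), offset)
    return header + entry + image_blob


# Constructed samples: a clean icon, and the same icon with a Base64 string appended.
CLEAN_ICO = build_ico(b"\x00" * 64)
APPENDED_B64 = base64.b64encode(b"constructed-sample-config-not-a-real-c2")
SUSPECT_ICO = CLEAN_ICO + APPENDED_B64

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_ICO), ("suspect", SUSPECT_ICO)):
        print(name, scan_ico(sample))
```

Pointed at icon files extracted from an application bundle or recovered from a proxy cache, any file with a non-zero `trailing_bytes` count deserves a closer look: a well-formed ICO ends exactly at its last image blob, so appended data is a triage signal worth inspecting, though not by itself a verdict.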
The final payload is an information stealer that harvests data stored by the Google Chrome, Microsoft Edge, Brave and Mozilla Firefox browsers, along with information about the host system.
According to security researcher Patrick Wardle, the macOS sample is a 381 MB file that carries a valid signature and is notarized by Apple, so the operating system does not block it from running.
Like its Windows counterpart, the malicious application contains a Mach-O binary named libffmpeg.dylib, designed to contact an external server, pbxsources[.]com, to download and run an executable named UpdateAgent. The server is currently offline.
Huntress reported that 242,519 3CX phone management systems are currently exposed to the public internet. Broadcom-owned Symantec said in its own advisory that the information gathered by the malware most likely let the attackers decide whether a victim was a candidate for follow-on attacks.
According to Trend Micro, the wide deployment and central role of such software in an organization's communication system means a compromise can do significant damage, since a threat actor in that position can monitor or redirect both internal and external communications.
CrowdStrike attributes the attack with high confidence to Labyrinth Chollima (also known as Nickel Academy), a North Korean nation-state actor that is a subgroup of the well-known Lazarus Group.
According to CrowdStrike, the malicious activity includes beaconing to attacker-controlled infrastructure, staging follow-on attacks, and, occasionally, direct hands-on activity by the attackers.
In a recent forum post, 3CX CEO Nick Galea said the company is working to release a new build within the next few hours. He added that the Android and iOS versions are not affected, and that the problem stems from an infected upstream library the company uses, without giving further details.
The company recommends that customers either uninstall and reinstall the app, or use the PWA client in the meantime.
In a subsequent update, 3CX said the issue appears to involve a bundled library that was integrated into the Windows Electron application via git, and that it is continuing to investigate.