Supply Chain Cyberattack: 3CX VoIP Client Compromised

Cybercriminals have compromised the 3CX desktop application and are using the app to launch supply chain attacks, Sophos, SentinelOne and CrowdStrike have indicated in separate reports. The attackers are targeting 3CX softphone app users across Windows and macOS devices.

3CX delivers Voice over Internet Protocol (VoIP) software used by more than 600,000 companies worldwide, BleepingComputer indicated. The company's customers include American Express, BMW and Coca-Cola.

Cybersecurity Companies Provide Insights into the 3CX Supply Chain Attacks

On March 22, 2023, 3CX users shared details about potential false-positive detections of 3CXDesktopApp by their endpoint security agents, Sophos reported. Sophos Managed Detection and Response (MDR) then detected malicious activity directed at its users and originating from 3CXDesktopApp on March 29.

SentinelOne saw a spike in behavioral detections of 3CXDesktopApp on March 22, the company noted. Since that time, SentinelOne has been detecting and blocking malicious activity involving 3CXDesktopApp and investigating the activity.

Meanwhile, CrowdStrike observed unexpected malicious activity from 3CXDesktopApp on March 29. This activity included beaconing to actor-controlled infrastructure, deployment of second-stage payloads and hands-on-keyboard activity.

The cybercriminals behind the 3CX supply chain attacks remain unknown. CrowdStrike noted that Labyrinth Chollima, a North Korean state-backed hacking group, may have caused the attacks. On March 29, CrowdStrike attributed the intrusion campaign targeting 3CX to Labyrinth Chollima "with high confidence."

3CX Issues a Security Alert

On March 30, 3CX notified its customers and partners about a security issue affecting its Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416. 3CX has taken down its compromised domains and is developing a new Windows app that addresses the security issue.

3CX will provide its customers and partners with ongoing updates regarding the security issue and is planning to release a full report about the problem on March 30. At this time, 3CX is encouraging its customers and partners to download its PWA app, which "is completely web based and does 95% of what the electron app does," the company stated.

Supply Chain Attacks on the Rise

Previously, technology research firm Gartner predicted there would be an increase in digital supply chain cyberattacks in 2023. Furthermore, there has been a 742% increase in software supply chain attacks dating back to 2020, according to supply chain management software company Sonatype.

Ultimately, cybercriminals look poised to continue to target open-source repositories and ecosystems to launch supply chain attacks, Sonatype Staff Security Researcher Ax Sharma told MSSP Alert. As such, there is an immediate need for organizations to explore solutions to combat supply chain attacks, Sharma added.

MSSPs can help organizations prepare for and protect against supply chain attacks. They can develop and launch security services to safeguard their customers' supply chain data and systems. Also, they can offer tips and recommendations to help their customers optimize their security posture.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.