Dive Brief:
- 3CX has retained incident response firm Mandiant to investigate a supply chain attack that researchers attribute to an advanced persistent threat actor linked to North Korea.
- The company informed customers Thursday about a severe security issue that was found in an update of its Electron Windows app. The issue was also found in several versions of its Electron Mac app. 3CX provides business phone, video conferencing and messaging applications to more than 600,000 corporate customers worldwide.
- Google invalidated the company’s software security certificate, according to an updated blog post from 3CX CEO Nick Galea. Microsoft Software Installer (MSI) desktop app files released by 3CX on Thursday can no longer be downloaded using Google Chrome, and several antivirus vendors are blocking software that uses the old certificate, Galea said Friday.
Dive Insight:
CrowdStrike picked up unexpected malicious activity from a legitimate signed binary in the 3CX desktop app, the security firm said. This included beaconing to infrastructure controlled by an outside threat actor, hands-on-keyboard activity and deployment of second-stage payloads.
CrowdStrike researchers attributed the attacks to a threat actor called Labyrinth Chollima, which is a prolific advanced persistent threat linked to the Democratic People’s Republic of Korea.
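The CrowdStrike finding above rests on a detection point worth making concrete: a code signature vouches for who shipped a binary, not for what it does once a supply-chain implant runs inside it. The following added example (not code from the article, 3CX, CrowdStrike or Unit 42) flags periodic outbound connections from a process, with the option of exempting signed binaries shown only to demonstrate why that exemption is the weak setting. Process names, hosts, timestamps and the allowlist are all constructed placeholders.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry: (seconds since start, process, code-signed?, destination)
EVENTS = [
    (0, "phone-app.exe", True, "updates.vendor.example"),       # routine update checks
    (3600, "phone-app.exe", True, "updates.vendor.example"),
    (7200, "phone-app.exe", True, "updates.vendor.example"),
    (10800, "phone-app.exe", True, "updates.vendor.example"),
    (0, "phone-app.exe", True, "cdn-static.example.net"),       # ~60 s beacon, small jitter
    (61, "phone-app.exe", True, "cdn-static.example.net"),
    (119, "phone-app.exe", True, "cdn-static.example.net"),
    (181, "phone-app.exe", True, "cdn-static.example.net"),
    (240, "phone-app.exe", True, "cdn-static.example.net"),
    (0, "browser.exe", True, "news.example"),                   # human-driven, irregular
    (15, "browser.exe", True, "news.example"),
    (400, "browser.exe", True, "news.example"),
    (2000, "browser.exe", True, "news.example"),
    (2010, "browser.exe", True, "news.example"),
]
ALLOWLIST = {"updates.vendor.example"}  # hypothetical per-site known-good hosts


def find_beacons(events, allowlist, min_events=4, max_cv=0.2, trust_signed=False):
    """Return (process, destination, mean_interval_s) for near-periodic outbound traffic.

    Periodicity is measured as the coefficient of variation (stdev / mean) of
    the gaps between connections to one destination. trust_signed=True
    reproduces the weak stance of exempting signed code; the default keeps
    signed binaries in scope, because a supply-chain implant executes inside
    a legitimately signed process.
    """
    by_pair = defaultdict(list)
    for ts, proc, signed, dest in events:
        if dest in allowlist or (trust_signed and signed):
            continue
        by_pair[(proc, dest)].append(ts)
    hits = []
    for (proc, dest), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((proc, dest, round(avg, 1)))
    return hits
```

With the default settings the signed phone app's 60-second cadence to the non-allowlisted host is reported, while the same data with `trust_signed=True` yields nothing.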
Researchers from Palo Alto Networks Unit 42 said as of Thursday the desktop app on the developer’s website was installing the application with two malicious libraries. The libraries will run shellcode to install a backdoor into targeted systems, allowing additional malware to be loaded onto victim machines.
Palo Alto Networks was able to fingerprint more than 247,000 distinct IP addresses in 199 countries using potentially vulnerable 3CX applications, according to Jen Miller-Osborn, director of threat intelligence at Unit 42.
Palo Alto Networks said telemetry picked up activity involving the 3CX desktop app process trying to run shellcode in 127 customer systems. The company observed 5,796 of these events across 1,832 unique systems between March 9 and 30.
“It is possible we are in the early days of a supply chain attack as the software is widely used around the globe,” Miller-Osborn said via email.