Dive Brief:
- 3CX restored its Windows Electron app, making progress in its ongoing recovery from a recent supply chain attack, CEO Nick Galea said in a forum post on Tuesday.
- The company, which provides an app for business calling, messaging and video conferencing, has only seen “a handful of cases” where malware used in the attack has actually been triggered, according to Galea. 3CX has thus far not seen any additional outbound malicious activity since removing infected files from the systems, Galea said.
- 3CX is making changes to its security procedures and practices to prevent such an attack from happening in the future, Galea said.
Dive Insight:
CrowdStrike researchers detected malicious activity late last month associated with 3CX, including beaconing to infrastructure controlled by an outside threat actor. Researchers also reported deployment of second-stage payloads and hands-on-keyboard activity.
CrowdStrike attributed the supply chain attacks to state-linked organizations connected to Labyrinth Chollima, an advanced persistent threat actor linked to the Democratic People’s Republic of Korea.
Other researchers have linked the attacks to related actors; however, federal officials have not publicly made any attributions.
According to 3CX, the company has more than 600,000 business customers worldwide and more than 12 million active daily users.
Huntress reported more than 242,000 publicly exposed 3CX versions visible on Shodan. The apparent planning of this attack dates back months, as Huntress researchers noted that registration of the network infrastructure dates back to February 2022.
3CX previously confirmed that both the Windows and macOS versions of the application were affected by the attack. CrowdStrike had originally reported activity involving both Windows and macOS versions.