Skip to main content
close search
site logo

Supply chain attack against 3CX communications app could impact thousands

Researchers warn a state-linked actor has launched malicious activity against a voice application widely used by major corporate customers.

Published March 30, 2023
David Jones's headshot
Reporter
Abstract planet made up of squares.
Gegham Qalajyan via Getty Images

A supply chain attack campaign is underway, targeting customers of the 3CX desktop app, a voice and video conferencing application used by thousands of companies across the globe, researchers said Wednesday. North Korea-linked threat actors are suspected in the attack. 

CrowdStrike observed “unexpected malicious activity from a legitimate signed binary,” in the 3CX desktop app, starting Wednesday. The observed behavior included beaconing to infrastructure controlled by a threat actor, the deployment of second stage payloads, and in a small number of cases hands-on-keyboard activity. 

The app is available on Windows, macOS, Linux and mobile, however CrowdStrike says activity has so far been observed on Windows and macOS. Other researchers have not been able to confirm activity on macOS.

CrowdStrike researchers said the attack is connected to a threat actor known as Labyrinth Chollima, a group linked to the Democratic People's Republic of Korea, which has been active since at least 2009. 

The Cybersecurity and Infrastructure Security Agency confirmed it is aware of reports the phone app has been trojanized and is urging organizations to review information provided by CrowdStrike and SentinelOne and hunt for indicators of compromise. 

3CX technology is used by more than 600,000 corporate customers globally and has more than 12 million active daily users. Its customers include major firms like PepsiCo, the U.K.'s National Health Service, Best Western and Air France, according to the 3CX website.

Shodan data indicates more than 242,000 publicly exposed 3CX phone management systems, according to Huntress

The cybersecurity firm has sent out 2,595 incident reports where the 3CXDesktopApp.exe binary matches known malicious hashes and was signed by 3CX on March 13.  

3CX confirmed an advanced persistent threat actor is behind a targeted attack that is impacting its Windows Electron app running update 7, CEO Nick Galea said in an alert Thursday.

Galea suggested customers uninstall then reinstall the app, adding the company plans to do an analysis and will issue a report later Thursday.

Researchers from Sophos said the attack revolved around DLL sideloading, which allowed the attack to develop without being noticed by customers. 

SentinelOne researchers said they began to see a spike in behavioral detections starting on March 22.

Filed Under: Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Cyberattacks
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell