
3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component

Business communication solutions provider 3CX has confirmed that it is investigating a security breach, as the cybersecurity community shares more information on what appears to be a sophisticated supply chain attack. The attack impacts 3CXDesktopApp, enterprise voice and video conferencing software used by more than 600,000 companies, including major brands such as Coca-Cola, Ikea and PwC, as well as several carmakers, airlines and hotel chains.

The incident came to light after 3CX customers started complaining on the company’s forum that various cybersecurity products had flagged and even removed the 3CXDesktopApp software due to suspicious behavior. An analysis of the attack and indicators of compromise (IoCs) were published by CrowdStrike, SentinelOne and Sophos. At this point in the investigation, evidence collected by CrowdStrike suggests that North Korean threat actor Labyrinth Chollima, a subgroup of the notorious Lazarus Group, is behind the hack.

The attack, dubbed Smooth Operator by SentinelOne, involved the delivery of trojanized 3CXDesktopApp installers. The malware is signed with a code signing certificate and its goal appears to be the deployment of an information stealer. This multi-stage supply chain attack also involved pulling files from a GitHub repository that has since been shut down.

3CX has instructed customers to uninstall the affected application and use the PWA client until a new Windows app is developed. Apple security expert Patrick Wardle’s analysis confirmed that a trojanized macOS application was also used in the Smooth Operator attack. The malware is apparently designed to download a second-stage payload, but the researcher could not obtain a copy of that payload for analysis.

3CX is still investigating the incident, and it is unclear exactly how many customers and organizations have been impacted. The company has advised customers and partners to remain vigilant and to ensure their systems are up to date and secured against potential threats.
