
3CX Supply Chain Attack — Here’s What We Know So Far

On March 31, 2023, enterprise communications software maker 3CX confirmed that multiple versions of its desktop app for Windows and macOS were affected by a supply chain attack. Evidence suggests that the campaign could have started as early as February 2022 and involved the distribution of a rogue library referred to as “ffmpeg.dll” in the Windows version, which was designed to read encrypted shellcode from another DLL called “d3dcompiler_47.dll”. The macOS attack chain bypassed Apple’s notarization checks to download an unknown payload from a command-and-control (C2) server. Cybersecurity firm CrowdStrike has attributed the attack with high confidence to Labyrinth Chollima, a North Korea-aligned state-sponsored actor.

3CX has urged its customers of self-hosted and on-premise versions of the software to update to version 18.12.422 and is engaging the services of Google-owned Mandiant to review the incident. The scale of the attack is currently unknown, but the initial alert flagging a potential security problem in the app was treated as a “false positive” owing to the fact that none of the antivirus engines on VirusTotal labeled it as suspicious or malware.

The attack highlights the importance of keeping software up to date and using multi-layer security solutions to protect against supply-chain attacks. It is also essential to implement security controls to detect suspicious or malicious activity on the network, as well as regularly review the security status of all components of the system.

In conclusion, the 3CX supply-chain attack is a reminder of the need for organizations to remain vigilant and update their software regularly to protect against such threats. Organizations should also take measures to detect malicious activity, review the security status of their systems, and employ multi-layer security solutions to protect against supply-chain attacks.
