Threat hunters have identified an active supply chain attack that is targeting businesses using a desktop app distributed by video conferencing software firm 3CX. The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a few cases, hands-on-keyboard activity. CrowdStrike believes that the attack is the work of a North Korean hacker group.
The 3CXDesktopApp is desktop software available for Windows, macOS, Linux and mobile. It is used by 3CX customers to make calls, view the status of colleagues, chat, schedule video conferences and check voicemail. CrowdStrike has warned 3CX customers to immediately start hunting for signs of infection. 3CX has not yet publicly acknowledged the issue, but CrowdStrike has been in touch with the company to share its findings.
The issue has been reported on the 3CX user forums, where customers have mentioned warnings from CrowdStrike and SentinelOne anti-malware products about command execution and code injection attacks targeting the 3CX product. This is a developing story and will be updated as new information becomes available.
In summary, threat hunters have identified an active supply chain attack targeting businesses using 3CXDesktopApp. The malicious activity includes beaconing to actor-controlled infrastructure and deployment of second-stage payloads. CrowdStrike believes the attack is the work of a North Korean hacker group and has warned 3CX customers to immediately start hunting for signs of infection. 3CX has not publicly acknowledged the issue, but CrowdStrike has been in touch with the company to share its findings.
Key Points:
- Threat hunters have identified an active supply chain attack targeting businesses using 3CXDesktopApp
- The malicious activity includes beaconing to actor-controlled infrastructure and deployment of second-stage payloads
- CrowdStrike believes the attack is the work of a North Korean hacker group
- 3CX customers have been warned to start hunting for signs of infection
- 3CX has not yet publicly acknowledged the issue, but CrowdStrike has been in touch with the company to share its findings