- 3CX has retained incident response firm Mandiant to investigate a supply chain attack that researchers attribute to an advanced persistent threat actor linked to North Korea.
- The company informed customers Thursday about a severe security issue that was found in an update of its Electron Windows app. The issue was also found in several versions of its Electron Mac app. 3CX provides business phone, video conferencing and messaging applications to more than 600,000 corporate customers worldwide.
- Google invalidated the company’s software security certificate, according to an updated blog post from 3CX CEO Nick Galea. Microsoft software installer desktop app files released by 3CX on Thursday can no longer be downloaded using Google Chrome and several antivirus vendors are blocking software that uses the old certificate, Galea said Friday.
CrowdStrike picked up unexpected malicious activity from a legitimate signed binary in the 3CX desktop app, the security firm said. This included beaconing to infrastructure controlled by an outside threat actor, hands-on-keyboard activity and deployment of second-stage payloads.
CrowdStrike researchers attributed the attacks to a threat actor called Labyrinth Chollima, which is a prolific advanced persistent threat linked to the Democratic People’s Republic of Korea.
Researchers from Palo Alto Networks Unit 42 said as of Thursday the desktop app on the developer’s website was installing the application with two malicious libraries. The libraries will run shellcode to install a backdoor into targeted systems, allowing additional malware to be loaded onto victim machines.
Palo Alto Networks was able to fingerprint more than 247,000 distinct IP addresses in 199 countries using potentially vulnerable 3CX applications, according to Jen Miller-Osborn, director of threat intelligence at Unit 42.
Palo Alto Networks said telemetry picked up activity involving the 3CX desktop app process trying to run shellcode in 127 customer systems. The company observed 5,796 of these events across 1,832 unique systems between March 9-30.
“It is possible we are in the early days of a supply chain attack as the software is widely used around the globe,” Miller-Osborn said via email.