A supply chain attack campaign is underway, targeting customers of the 3CX desktop app, a voice and video conferencing application used by thousands of companies across the globe, researchers said Wednesday. North Korea-linked threat actors are suspected in the attack.
CrowdStrike observed “unexpected malicious activity from a legitimate signed binary” in the 3CX desktop app, starting Wednesday. The observed behavior included beaconing to infrastructure controlled by a threat actor, the deployment of second-stage payloads and, in a small number of cases, hands-on-keyboard activity.
The app is available on Windows, macOS, Linux and mobile; however, CrowdStrike says activity has so far been observed only on Windows and macOS. Other researchers have not been able to confirm activity on macOS.
CrowdStrike researchers said the attack is connected to a threat actor known as Labyrinth Chollima, a group linked to the Democratic People's Republic of Korea, which has been active since at least 2009.
The Cybersecurity and Infrastructure Security Agency confirmed it is aware of reports the phone app has been trojanized and is urging organizations to review information provided by CrowdStrike and SentinelOne and hunt for indicators of compromise.
3CX technology is used by more than 600,000 corporate customers globally and has more than 12 million active daily users. Its customers include major firms like PepsiCo, the U.K.'s National Health Service, Best Western and Air France, according to the 3CX website.
Shodan data indicates more than 242,000 publicly exposed 3CX phone management systems, according to Huntress.
The cybersecurity firm has sent out 2,595 incident reports in which the 3CXDesktopApp.exe binary matches known malicious hashes and was signed by 3CX on March 13.
3CX confirmed an advanced persistent threat actor is behind a targeted attack that is impacting its Windows Electron app running update 7, CEO Nick Galea said in an alert Thursday.
Galea suggested customers uninstall and then reinstall the app, adding that the company plans to do an analysis and will issue a report later Thursday.
Researchers from Sophos said the attack revolved around DLL sideloading, which allowed it to unfold without customers noticing.
SentinelOne researchers said they began to see a spike in behavioral detections starting on March 22.