News is breaking about a software supply chain attack on the 3CX voice and video conferencing software. 3CX, the company behind 3CXDesktopApp, states to have more than 600,000 customers and 12 million users in 190 countries. Notable names include American Express, BMW, Honda, Ikea, Pepsi, and Toyota.
Experts believe the supply chain attack, which was maliciously sideloaded, targets downstream customers by installing popular phone and video conferencing software that has been digitally authenticated and modified.
Known Details
Cybersecurity vendors have identified an active supply chain attack on the 3CX Desktop App, a voice and video conferencing software used by millions. SentinelOne researchers are tracking the malicious activity under the name SmoothOperator, which began as early as February 2022, with the attack possibly commencing around March 22, 2023.
The trojanized 3CX desktop app serves as the first stage of a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub, ultimately leading to a third-stage infostealer DLL. The attack affects the Windows Electron client (versions 18.12.407 and 18.12.416) and macOS versions of the PBX phone system.
The final payload is an information stealer capable of gathering system information and sensitive data stored in Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers. The macOS sample carries a valid signature and is notarized by Apple, allowing it to run without the operating system blocking it.
Huntress reported 242,519 publicly exposed 3CX phone management systems. Symantec said the information gathered could allow attackers to gauge if the victim was a candidate for further compromise. CrowdStrike attributed the attack with high confidence to North Korean nation-state actor Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the Lazarus Group.
3CX CEO Nick Galea stated the company is working on a new build and advises customers to uninstall the app and reinstall it or use the PWA client as a workaround. The Android and iOS versions are not affected.
3CX is urgently working to release a software update in response to the SmoothOperator supply chain attack that targets millions of users. The affected 3CX Desktop App is popular for voice and video conferencing, with over 600,000 customers and 12 million users worldwide, including American Express, BMW, Honda, Ikea, Pepsi, and Toyota.
The attack exploits the DLL side-loading technique, and telemetry data reveals the attacks are limited to Windows Electron (versions 18.12.407 and 18.12.416) and macOS versions of the PBX phone system. The GitHub repository hosting the malicious files has been taken down.
The final payload can steal sensitive data from popular browsers, including Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox. CrowdStrike has attributed the attack to a North Korean nation-state actor known as Labyrinth Chollima, a sub-cluster within the Lazarus Group.
As a temporary solution, 3CX has urged customers to uninstall and reinstall the affected app or use the PWA client while the company works on a new build. Android and iOS versions remain unaffected. Further updates on the situation will be provided as new information emerges.
Expert Comments
Tyler Farrar, CISO, Exabeam
“Any adversary, regardless of whether it is a novice or the work of nation-state actors like the Lazarus Group, is going to go for the path of least resistance to meet their end goal. Weaknesses in the supply chain are one of the simplest, yet most successful, ways to do that. In the case of 3CX, the threat actors were likely not going after the company itself, but the data from its 12 million global customers. Rather than attempt to attack each of the customers individually, the adversaries figured it would be easier to break through 3CX — and they were correct.
Unfortunately, attacks like these are going to become more and more common and I anticipate software supply chain attacks to be the No.1 threat vector of 2023. As a result, I encourage organizations to create a thorough vendor risk management plan to vet third parties and require accountability to remain vigilant, and potentially stop devastating consequences when third-parties are compromised.”
Anand Reservatti, CTO and co-founder, Lineaje
“The 3CX VOIP ‘Trojanizing’ the software supply chain attack is the latest proof point of why companies need to know ‘what’s in their software?’
Companies are still suffering from the fallout of SolarWinds, and now another software supply chain attack is playing out and putting millions of software producers and consumers at risk. The 3CX CEO today asked customers to uninstall the application, but for those who might have missed the notification or who don’t know what’s in their software bill of materials (SBOM) risk destroying their brand and business.
It is critical to understand that not all software is created equal. The 3CX attack was caused when the Electron Windows App got compromised due to an upstream library. It is clear that 3CX has not deployed any tools to accurately discover and manage their software supply chain. So, in order to protect the software supply chain you have to shift to the “left of the shift-left mentality.” Because the software itself is malicious and not straight malware, vulnerability and malware scans fall short as well.
This type of attack is particularly challenging for technologies such as vulnerability and malware scans or CI/CD to detect. You need a solution that can do the following:
1) Discover software components and creating entire genealogy-including all transitive dependencies
2) Establish integrity throughout the supply chain without relying on any external tooling and their assertion
3) Evaluate inherent risk by determining examining each component of the software
4) Remediate inherent risks strategically in order to address the most critical components based on the genealogy
Knowing what’s in your software comes only by knowing what’s in your software supply chain. It’s why it is critical to work with solutions that can attest to the integrity of your software supply chain of all software built and bought. With more details surfacing including possible ties to a nation-state hacking group, it is essential for software producers and consumers to be able to attest to what exactly is in their software to prevent devastating consequences.”
Kayla Underkoffler, Lead Security Technologist, HackerOne
“Cybersecurity professionals already face an uphill battle as defenders; our 2022 Attack Resistance Report found that about one-third of respondents monitor less than 75% of their attack surface, and almost 20% believe that over half of their attack surface is unknown or not observable. The complexity of attack surface monitoring compounds as attackers take the fight to a more granular level by targeting supply chain vulnerabilities.
And unfortunately, that’s exactly what we’re seeing. Malicious actors now strive to embed themselves more deeply within the enterprise tech stack because cybercriminals understand the potential impact of accessing the most sensitive areas of an organization’s network. This can be done through critical dependencies within the software supply chain or a seemingly unchecked corner of the environment.
That’s why it’s critical organizations understand what’s in their environment and how that software interacts with their critical business processes. It’s no longer enough to just document components and dependencies once in the development lifecycle and be done. Today, organizations must proactively consider new solutions to prevent attacks.
An example of tools in use today for active monitoring of software include IBM’s recently developed SBOM Utility and License Scanner: two open-source tools that facilitate and standardize SBOM policies for organizations. These help build a living, breathing inventory of what’s in use in an organization’s current environment so organizations can respond quickly to software supply chain disruptions. Ethical hackers are also proven to be creative resources, skilled at identifying open source and software supply chain vulnerabilities, as well as undiscovered assets that may impact an organization’s software supply chain.”
