Unified communications vendor 3CX confirmed that its desktop app was compromised by an advanced persistent threat group in a complex supply chain attack.
3CX issued a security advisory Thursday morning from CISO Pierre Jourdan alerting customers that several versions of its Electron Windows app contained a "security issue." The affected versions include Electron Windows App 18.12.407 and 18.12.416 from Update 7 as well as Electron Mac app versions 18.11.1213, 18.12.402, 18.12.407 and 18.12.416.
According to the advisory, 3CX's development environment was not directly breached. Instead, the company added a third-party software library to its app that was apparently compromised.
"The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT. We're still researching the matter to be able to provide a more in-depth response later today," Jourdan said.
3CX has more than 600,000 customers worldwide and 12 million users, according to the company's website.
Issues with 3CX's software first emerged Wednesday when CrowdStrike reported malicious activity with 3CXDesktopApp.exe, the signed executable for the vendor's soft phone application. "The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," CrowdStrike wrote in a blog post. It added that the campaign was connected to North Korean state-sponsored hacking group Labyrinth Chollima, also known as Lazarus Group or APT 38.
CrowdStrike said its Falcon threat detection platform identified and blocked the malicious activity in the 3CXDesktopApp, and its researchers contacted 3CX.
On Wednesday evening SentinelOne also published research on the supply chain attacks and revealed that it observed a spike in behavioral detections of the 3CXDesktopApp.exe starting on March 22. SentinelOne's platform automatically detected and blocked the Trojanized executable for about a week.
During that time, some 3CX customers noticed that SentinelOne had flagged and uninstalled their 3CX desktop apps because of suspicious activity and voiced concerns on 3CX's user forum. However, forum moderators appeared to dismiss the issue as an error on SentinelOne's part and advised customers to contact the endpoint security vendor to resolve the problem.
It's unclear if 3CX's security team investigated these reports prior to the publication of CrowdStrike's blog post Wednesday morning. 3CX did not respond to requests for comment at press time.
Meanwhile, other threat detection and antimalware vendors, including Sophos and ESET, also flagged 3CX's desktop app for potentially malicious activity.
According to SentinelOne's report, the Trojanized 3CX desktop app is the first part of a multi-stage attack chain targeting both Windows and Mac users. Once installed, the desktop app pulls malicious files from a GitHub repository and then downloads a previously undetected info-stealer that collects system information and browser data.
"PBX software makes an attractive supply chain target for actors; in addition to monitoring an organization's communications, actors can modify call routing or broker connections into voice services from the outside," SentinelOne researchers wrote in the blog post.
In a follow-up advisory on Thursday afternoon, Nick Galea, CEO, CTO and founder of 3CX, said the company hired Google subsidiary Mandiant to investigate the attacks. Galea also recommended that customers immediately uninstall the app on Windows and Mac client devices, while customers running self-hosted instances should update to version 18.12.422.
Cloud customers do not need to take action. But Galea noted that 3CX plans to update the servers overnight with a new version of the Electron app, which may cause brief disruptions in service. "We recommend that you DO NOT install or deploy the Electron App," Galea wrote in the latest advisory. "This update is only to ensure that the trojan has been removed from the 3CX Server where Desktop Apps are stored and in case any users decide to deploy the app anyway."