Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Supply Chain Security

Malware Hunters Spot Supply Chain Attack Hitting 3CX Desktop App

CrowdStrike threat intelligence team warns about unexpected malicious activity from a legitimate, signed version of the 3CXDesktopApp.

Threat hunters at CrowdStrike and SentinelOne are tracking what is believed to be an active supply chain attack hitting businesses using a desktop app distributed by video conferencing software firm 3CX.

CrowdStrike’s threat intelligence team sounded the alarm on Wednesday after observing unexpected malicious activity from a legitimate, signed version of the 3CXDesktopApp.

“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” the company warned.

“At time of writing, activity has been observed on both Windows and macOS,” CrowdStrike said.

The 3CXDesktopApp, available for Windows, macOS, Linux and mobile, is used by 3CX customers to make calls, view the status of colleagues, chat, schedule a video conference and check voicemails from the desktop software.

CrowdStrike believes the attacks are the work of a North Korean government hacker group and urged 3CX customers to immediately start hunting for signs of infections.

3CX has not yet publicly acknowledged the issue, but CrowdStrike says it has been in touch with the VOIP software company to share its findings.

Advertisement. Scroll to continue reading.

On the 3CX user forums, customers are reporting warnings from both CrowdStrike and SentinelOne anti-malware products about command execution and code injection attacks targeting the 3CX product.

UPDATE: Additional information has come to light. 3CX has confirmed being targeted in a supply chain attack and researchers have found a Mac version of the malware.

Editor’s Note: This is a developing story.  We will provide updates as new information becomes available.

Related: Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April

Related: Mandiant Catches Another North Korean Gov Hacker Group

Related: Supply Chain Attack Targets Customer Engagement Firm Comm100

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

ICS/OT

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Supply Chain Security

Oracle's Critical Patch Update for January 2023 includes 327 patches, with more than 70 that address critical-severity vulnerabilities.

Supply Chain Security

Endor Labs has introduced an OWASP-style listing of the most important or impactful risks inherent in the use of open source software (OSS).

Supply Chain Security

A new report found that 98% of organizations have a relationship with a third party that has been breached, while more than 50% have...

Cybersecurity Funding

Software supply chain security management startup Lineaje raises $7 million in a seed funding round led by Tenable Ventures.

Application Security

Enterprise communication and collaboration platform Slack has informed customers that hackers have stolen some of its private source code repositories, but claims impact is...