SecurityWeek

Malware Hunters Spot Supply Chain Attack Hitting 3CX Desktop App

CrowdStrike threat intelligence team warns about unexpected malicious activity from a legitimate, signed version of the 3CXDesktopApp.

Threat hunters at CrowdStrike and SentinelOne are tracking what is believed to be an active supply chain attack hitting businesses using a desktop app distributed by video conferencing software firm 3CX.

CrowdStrike’s threat intelligence team sounded the alarm on Wednesday after observing unexpected malicious activity from a legitimate, signed version of the 3CXDesktopApp.

“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” the company warned.

“At time of writing, activity has been observed on both Windows and macOS,” CrowdStrike said.

The 3CXDesktopApp, available for Windows, macOS, Linux and mobile, is used by 3CX customers to make calls, view the status of colleagues, chat, schedule a video conference and check voicemails from the desktop software.

CrowdStrike believes the attacks are the work of a North Korean government hacker group and urged 3CX customers to immediately start hunting for signs of infections.

3CX has not yet publicly acknowledged the issue, but CrowdStrike says it has been in touch with the VOIP software company to share its findings.

On the 3CX user forums, customers are reporting warnings from both CrowdStrike and SentinelOne anti-malware products about command execution and code injection attacks targeting the 3CX product.

UPDATE: Additional information has come to light. 3CX has confirmed being targeted in a supply chain attack and researchers have found a Mac version of the malware.

Editor’s Note: This is a developing story. We will provide updates as new information becomes available.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
