Connect with us

Hi, what are you looking for?


Malware & Threats

Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months

Several cybersecurity companies have published blog posts, advisories and tools to help organizations that may have been hit by the 3CX supply chain attack.

3CX supply chain attack

3CX Supply Chain Hack: Information and Tools for Defenders

Google-owned cybersecurity firm Mandiant has been called in to investigate the supply chain attack that hit business communication solutions provider 3CX, as evidence suggests that the attackers had access to the company’s systems for several months before the breach was detected.

3CX’s VoIP IPBX software is used by more than 600,000 companies worldwide, including dozens of major brands. 

The incident came to light on March 22, after the products of several major cybersecurity firms started flagging 3CXDesktopApp for malicious behavior. An investigation revealed that hackers — possibly a North Korean state-sponsored threat actor — compromised the Windows and Mac versions of the application, leading to many 3CX customers downloading a trojanized version of the app. 

The campaign, dubbed SmoothOperator, could impact thousands or even hundreds of thousands of users. 

According to threat detection and response firm Huntress, there are more than 240,000 3CX phone management systems that are exposed to the internet. The company has detected over 2,700 instances of malicious 3CXDesktopApp binaries.

The malware delivered by the attackers was apparently designed to harvest data from compromised systems, including browser data. 

Advertisement. Scroll to continue reading.

However, cybersecurity company Todyl believes “the campaign was in the early, information gathering stage when identified, with the threat group setting up for future malicious activity including extortion and leveraging collected credentials from browsers”.  

While 3CX initially claimed that only the Windows app was impacted, it has now confirmed that the Mac version of the app is also affected. The company has advised customers to uninstall the Electron app for Mac and Windows and use the web app (PWA) version until a clean app is developed. 

The company initially suggested that an FFmpeg multimedia library was actually compromised rather than 3CX itself. However, FFmpeg has denied these claims and ReversingLabs noted that the malicious FFmpeg files were signed with a legitimate certificate issued to 3CX. 

“Our analysis of the malicious update points either to a compromise of the 3CX development pipeline that resulted in malicious code being added during the build, or the possibility of a malicious dependency being served by a package repository,” ReversingLabs said, noting that its researchers believe the incident was caused by “the compromise of the repository from which the Electron application binaries were fetched during the build process”.

[ Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions ]

Evidence collected to date suggests that the attackers had access to 3CX systems for months before the attack was discovered. 

Incident response firm Volexity has analyzed the infrastructure used in the supply chain attack and found that the hackers likely had access to 3CX systems since at least December 2022, possibly even as early as November 2022. 

3CX criticized for how it handled the incident

Many 3CX customers are unhappy with the way the company has handled the incident. It initially insisted that the malware detections were false positives, and some users claimed they were instructed by 3CX staff to pay for a support ticket to get help in addressing the issue. 

3CX CEO Nick Galea said the company initially thought this was a false positive after none of the antivirus engines on VirusTotal flagged the file as being suspicious or malware. However, some customers believe the firm should have done more to check the file than just uploading it to VirusTotal. 

Galea told CyberScoop in an interview that they should have acted sooner, but argued that false positives happen “quite frequently” due to the way VoIP apps work, which is why the antimalware detections were not initially taken seriously. 

However, ReversingLabs noted, “The attack on 3CX — though sophisticated — had clear indicators that could have tipped off 3CX to the breach before customer systems were affected.”

Kevin Beaumont, a reputable security researcher, has criticized the company for how it handles security issues in general. The expert noted that last year he deleted some tweets describing a potentially serious 3CX vulnerability after the vendor “took little responsibility, didn’t fix it, and started arguing on Twitter basically.” 

Resources for defenders

Several cybersecurity companies have published blog posts, advisories and tools to help organizations that may have been hit by the 3CX supply chain attack:

3CX official security notifications

Online tool for helping users determine if they are affected by the attack

Huntress blog post with analysis of the attack, Yara rules for detecting malicious files, and a script that detects compromised 3CX instances

Reversing Labs blog post with IoCs and analysis of how the 3CX application was compromised

Volexity analysis with details on a possible timeline and a detailed technical description of each attack stage.

Todyl malware analysis 

CISA alert advising organizations to hunt for IoCs

Blog posts containing IoCs and information that can be useful to their own customers have also been published by Fortinet, BlackBerry, Symantec, ReliaQuest, CrowdStrike, Rapid7, Trend Micro, Sophos and SentinelOne

Related: Over 250 US News Websites Deliver Malware via Supply Chain Attack

Related: Hundreds Infected With ‘Wasp’ Stealer in Ongoing Supply Chain Attack

Related: Iranian Hackers Deliver New ‘Fantasy’ Wiper to Diamond Industry via Supply Chain Attack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...