Last month, multiple cyber security companies reported malicious activity from a trojanised version of the 3CX Desktop App, which clients were using to make VoIP calls. The desktop applications for both Windows and macOS were compromised with malicious code that allowed the attackers to download and run code on every machine where the app was installed.
It’s now been reported that the compromise actually began in 2022, when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise: a tampered installer for X_TRADER, a software package provided by Trading Technologies.
New Report Details
The company hired an incident response firm, Mandiant, which released a report earlier this week confirming that 3CX was involved in a double supply chain compromise.
“In late March, 2023, a software supply chain compromise spread malware via a trojanized version of 3CX’s legitimate software that was available to download from their website…
“Mandiant Consulting’s investigation of the 3CX supply chain compromise has uncovered the initial intrusion vector: a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER…
“The identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise. It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.
“Research on UNC4736 activity suggests that it is most likely linked to financially motivated North Korean threat actors. Cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korea’s interests.”
3CX has more than 600,000 customers and 12 million global users.
What to Do if You’re a 3CX Customer
We recommend that all 3CX customers who use the desktop application immediately:
1. Find and terminate all running 3CX processes on Windows, macOS, Linux, and mobile systems.
2. Find and remove all instances of the 3CX Desktop App on Windows, macOS, Linux, and mobile systems.
3. Use the 3CX Web App (PWA) instead of the desktop application for now.
4. Use an EDR solution to identify existing indicators of compromise (IoCs) associated with 3CX, using YARA rules or file hashes.
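As an added illustration of steps 1 and 4 (this is example code written for this post, not 3B Data Security's tooling and not anything published by 3CX or Mandiant), the Python script below enumerates running processes on Windows, macOS or Linux, flags those whose names match the 3CX Desktop App, and compares SHA-256 hashes of files you point it at against an IoC set. The process-name patterns are assumptions made for the example, and the hash set is a placeholder to fill from your EDR or threat-intelligence vendor, since the advisory above lists no hashes.

```python
import hashlib
import platform
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Name patterns that identify the 3CX Desktop App process and binaries on
# Windows, macOS and Linux. These are illustrative assumptions for the example,
# not an IoC list taken from the advisory.
DESKTOP_APP_PATTERNS = [
    re.compile(r"3cxdesktopapp", re.IGNORECASE),    # Windows/Linux executable name
    re.compile(r"3cx desktop app", re.IGNORECASE),  # macOS bundle/process name
]

# Placeholder: populate from your EDR or threat-intelligence vendor's published
# SHA-256 IoCs. Left empty here because the advisory does not list hashes.
KNOWN_BAD_SHA256: Set[str] = set()


@dataclass(frozen=True)
class ProcessInfo:
    pid: int
    name: str


def is_3cx_desktop_process(name: str) -> bool:
    """True if a process or file name matches one of the 3CX Desktop App patterns."""
    return any(p.search(name) for p in DESKTOP_APP_PATTERNS)


def select_processes_to_terminate(processes: Iterable[ProcessInfo]) -> List[ProcessInfo]:
    """Step 1: pick out the running 3CX Desktop App processes (these are the ones to terminate)."""
    return [p for p in processes if is_3cx_desktop_process(p.name)]


def list_running_processes() -> List[ProcessInfo]:
    """Enumerate live processes with stdlib only: tasklist on Windows, ps elsewhere."""
    procs: List[ProcessInfo] = []
    if platform.system() == "Windows":
        out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True, check=True).stdout
        for line in out.splitlines():
            parts = [c.strip('"') for c in line.split('","')]  # "Image Name","PID",...
            if len(parts) >= 2 and parts[1].isdigit():
                procs.append(ProcessInfo(int(parts[1]), parts[0]))
        return procs
    out = subprocess.run(["ps", "-eo", "pid=,comm="],
                         capture_output=True, text=True, check=True).stdout
    for line in out.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) == 2 and fields[0].isdigit():
            procs.append(ProcessInfo(int(fields[0]), fields[1]))
    return procs


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_iocs(file_hashes: Dict[str, str], known_bad: Set[str]) -> List[str]:
    """Step 4 (hash side): return the paths whose SHA-256 appears in the IoC set."""
    bad = {h.lower() for h in known_bad}
    return sorted(path for path, digest in file_hashes.items() if digest.lower() in bad)


if __name__ == "__main__":
    hits = select_processes_to_terminate(list_running_processes())
    for p in hits:
        print(f"3CX Desktop App process still running: pid={p.pid} name={p.name}")
    if not hits:
        print("No 3CX Desktop App processes found.")
```

The script reports matching processes rather than killing them, so the operator can confirm the matches (and let the EDR capture what it needs) before terminating with the platform's own tools; hash matching is case-insensitive because vendors publish SHA-256 values in both upper and lower case.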
At 3B Data Security, we have extensive experience and expertise gained from conducting a wide variety of incident response and data breach investigations ranging in size and complexity.
With our support and guidance, we can effectively investigate the incident and determine how the attackers have been able to exploit your environment. With this knowledge, we can then advise you on proactive measures to put in place to prevent an incident like this from occurring again.