The popular communication software business 3CX has admitted a supply-chain attack, potentially affecting its customers too. As the attackers trojanized the legit app version, deleting the 3CX Desktop App remains the only working fix for now. The exact impact of this incident on other firms currently remains unclear; however, investigations are underway.
3CX Supply-Chain Attack Impacts Numerous Businesses
Recently, 3CX disclosed a severe cyberattack that risks the security of its customers. 3CX admitted the presence of malware in its software, following a supply-chain attack, and urged the customers to simply uninstall the app until the matter receives a fix.
3CX is a popular PBX provider serving a huge customer base globally. Its support for Windows and Linux systems alike makes it feasible for various businesses to integrate 3CX in CRMs.
A community alert from the firm’s CEO, Nick Galea, on 3CX forums revealed that the threat actors potentially infected the 3CX desktop app with a malware, affecting the Windows Electron client. As the firm investigated the matter, it advised the customers to use the Progressive Web App (PWA) client instead which remained immune to this attack.
Diving deep into what happened
While it initially seemed like an abrupt disclosure following a sudden attack, SentinelOne elaborated that they could detect the threat even early. According to their post, they decided to investigate the matter after the SentinelOne app started blocking malicious threats with the 3CX desktop app. Some users even shared their complaints on 3CX forums following these alerts. Yet 3CX officials didn’t acknowledge the matter.
As the incident gained traction and the investigations progressed more, it turned out that the threat actors potentially exploited an already-known Windows vulnerability to infect the 3CX app. Analyzing the matter revealed the presence of a malicious DLL in the app, which downloaded further malware, like infostealers, on the target device.
Sophos, in its own post, also explained the incident, hinting at the potential abuse of ffmpeg.dll for the DLL sideloading attack, The researchers also attribute the attack to the Lazarus Group. Whereas CrowdStrike, in its own analysis, mentioned LABYRINTH CHOLLIMA as the threat actor behind the attack.
Ironically, the said Windows vulnerability, despite numerous exploits and a working fix available for a decade, still threatens numerous systems. That’s because, as Bleeping Computer elaborated, the patch for this bug remains available as an “opt-in” feature only, requiring manual configuration. Thus, the probability of blanket immunity to this vulnerability exploit remains very low.
What Next?
For now, Galea advises 3CX users to abandon the desktop app for the PWA client until the matter gets resolved. Meanwhile, 3CX has hired Mandiant for investigating the matter.
Let us know your thoughts in the comments.