3CX Desktop Client Under Supply Chain Attack

North Korean Hackers Poisoned User Interface Library File
Suspected North Korean hackers trojanized a voice and video calling desktop client used by major multinational companies.
The supply chain attack on software made by Florida-based 3CX, dubbed "SmoothOperator" by SentinelOne, appears to be the labor of more than a year. The threat actor behind it registered "a sprawling set of infrastructure starting as early as February 2022," the threat intel firm said.
Indicators that hackers planted an info stealer into installers for several recent Windows and Mac versions of the 3CX Desktop App began accumulating on March 22 and surged overnight.
CrowdStrike said the threat actor is a group it tracks as "Labyrinth Chollima," a cyberespionage group more widely known as Lazarus Group.
3CX CEO Nick Galea took to the company blog Thursday to acknowledge the problem and promise an automatic update for remote host users and another app "rebuilt from the ground up with a new signed certificate" in the coming days. An update pushed out today "is considered to be secure but there is no guarantee," he added. Clients in the meantime should avoid using the app, he wrote.
The company says it is "trusted by 600,000+ companies" that add up to more than 12 million daily users, at firms including Toyota, Mercedes-Benz, Coca-Cola and McDonald's. Britain's National Health Service is also a customer.
3CX CISO Pierre Jourdan said the command-and-control domains used by the compromised apps mostly went offline overnight, and that the threat group behind them was selective about whom to infect with the next stage of malware. "The vast majority of systems, although they had the files dormant, were in fact never infected," he said.
Analysis from WithSecure shows the Windows version "requires an external connection to a GitHub repository that has since been removed. This means it is likely that without threat actor intervention, current infection chains will fail," said Tim West, head of threat intelligence.
The compromise traces to a poisoned file in the Electron library bundled with the app. Electron is an open-source framework for building desktop application user interfaces with web technologies. The hackers took pains to ensure the trojanized 3CX client works normally. They injected malicious code into the Electron portion of the code base rather than attempting to modify 3CX's own proprietary code, wrote Sophos analyst Paul Ducklin.
"Loosely speaking, the bigger your app, the more ways there are for it to go wrong," he added.
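The tampering Ducklin describes is a poisoned bundled dependency shipped inside an installer that was still validly signed, so a code-signing check alone does not catch it. The check that does is to pin the hash of every vendored third-party file when the clean upstream copy is imported and compare the release bundle against those pins. The following is an added example of that check, written for this article and not code from 3CX, Sophos or the Electron project; the file names, contents and the "extra_helper.dll" drop-in are constructed stand-ins.

```python
"""Pinned-hash verification for bundled third-party libraries.

Added example, not 3CX's or any vendor's code. A signed installer only proves
the signer approved the whole package; it says nothing about whether a vendored
library still matches the upstream copy. Pinning per-file SHA-256 hashes at
import time and re-checking them at release time does. All names and contents
below are constructed for the demonstration.
"""
import hashlib
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(bundle: Dict[str, bytes]) -> Dict[str, str]:
    """Pin each bundled file's SHA-256 at the moment the clean copy is vendored."""
    return {name: sha256_hex(data) for name, data in sorted(bundle.items())}


def verify_bundle(bundle: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return a sorted list of findings; an empty list means every pin matches.

    Three conditions are reported: a pinned file whose content changed, a pinned
    file that is missing, and an unpinned file that appeared in the bundle
    (a dropped-in library is as suspicious as a modified one).
    """
    findings = []
    for name, expected in manifest.items():
        if name not in bundle:
            findings.append(f"missing: {name}")
        elif sha256_hex(bundle[name]) != expected:
            findings.append(f"modified: {name}")
    for name in bundle:
        if name not in manifest:
            findings.append(f"unpinned: {name}")
    return sorted(findings)


# Constructed stand-in for a vendored Electron library set (not real file contents).
CLEAN_BUNDLE = {
    "electron.dll": b"clean electron runtime bytes",
    "libEGL.dll": b"clean libEGL bytes",
    "resources/app.asar": b"clean packaged ui",
}
MANIFEST = build_manifest(CLEAN_BUNDLE)

# Constructed tampered build: one library gained a few bytes, one unexpected
# library was dropped in, and 3CX's own packaged UI is untouched.
TAMPERED_BUNDLE = dict(CLEAN_BUNDLE)
TAMPERED_BUNDLE["electron.dll"] = CLEAN_BUNDLE["electron.dll"] + b"\x90\x90 loader stub"
TAMPERED_BUNDLE["extra_helper.dll"] = b"unexpected extra library"

if __name__ == "__main__":
    print(json.dumps(MANIFEST, indent=2))
    print("clean build:   ", verify_bundle(CLEAN_BUNDLE, MANIFEST))
    print("tampered build:", verify_bundle(TAMPERED_BUNDLE, MANIFEST))
```

Two caveats on the design. The manifest must be generated from the upstream copy and stored somewhere the build pipeline cannot silently regenerate it (a signed file in a separate repository, or a hash published by the upstream project), otherwise a compromised build host simply re-pins the poisoned files. And the check should run on the artifact that actually ships, after packaging and signing, rather than on the source tree, since the point is to catch what the installer contains.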