3CX desktop app faces supply chain attack
According to researchers at several cybersecurity firms, a threat actor is actively using a compromised 3CX desktop communications app to target 3CX customers. The app was trojanized with malicious code in a software supply chain attack, and analysts attribute the campaign to hackers working for the North Korean government. It affects 3CX customers running both Windows and macOS. 3CX is a popular desktop client for audio and video calling.
With “600,000+ customers,” including American Express, Mercedes-Benz, and PricewaterhouseCoopers, the app offers both VoIP and PBX services. The compromise affected the software build infrastructure used to produce and distribute the Windows and macOS versions of the program. By taking over the build system, the attackers were able to hide malware inside 3CX apps that were then digitally signed with the company’s official signing key, so the signature checks that customers and operating systems rely on did not flag the tampering. According to macOS security expert Patrick Wardle, Apple also notarized the macOS version, meaning that Apple had scanned the software and detected no malicious behavior.
In blog posts disclosing their findings, researchers from CrowdStrike, Sophos, and SentinelOne said they had observed malicious behavior originating from a trojanized version of the 3CX desktop VoIP app. The researchers note that the attack relied on a legitimate code-signing certificate to lend the trojanized binaries legitimacy.
Sources
- https://thehackernews.com/2023/03/3cx-desktop-app-targeted-in-supply.html
- https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/