A supply chain attack on enterprise phone company #3CX (VoIP/PBX software provider with more than 600,000 customers and 12 million daily users) may have compromised thousands of business networks. Many companies and end users are reporting that trojanized builds of the widely used 3CXDesktopApp, delivered through the vendor's own update channel and signed with the vendor's certificate, are being used in a supply chain campaign. This is not a bug in the client being exploited; the malicious code ships inside what looks like a legitimate release. 3CX is a widely used software program that uses the internet for PHONE CALLS (and video conferencing) rather than copper lines. This is the most widespread example of #supplychainrisk we have seen since SolarWinds (~18K affected) in 2020 and Kaseya (~1.5K) in 2021.
Why is this SO critical:
It demonstrates the rise in supply chain attacks that ride on legitimate services, and the lack of integration between security tooling and the services it is supposed to protect. In this case the 3CX application update files themselves were compromised. The malware then fetched icon files from a GitHub repository; the icons looked legitimate, but each carried encrypted data appended after the real image bytes, which the loader read to find its command-and-control server. When trusted and legitimate services such as GitHub are abused as a staging point, the trust placed in them is turned against the whole ecosystem. Most organizations treat the resulting alerts (an EDR flagging a signed, vendor-published binary, or a known-good application reaching out to GitHub) as false positives and automatically allow network/service access without proper checks. These alerts are usually ignored until something major happens (ransomware, DDoS or other attacks).
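As an added example (not from the original post, and not 3CX's or the attackers' code), here is a small Python checker for the structural trick described above: it parses the ICO directory, works out where the last image ends, and reports any bytes appended after that point, then tests whether the trailing bytes look like base64. The sample icon and the appended blob are constructed inline; the assumption that the hidden data is appended after the image directory and base64-like is an illustration of the technique, not a reproduction of the real repository contents.

```python
import base64
import re
import struct

# ICO layout: ICONDIR header, then one ICONDIRENTRY per image, then the image blobs.
ICONDIR_FMT = "<HHH"            # reserved (0), type (1 = icon), image count
ICONDIRENTRY_FMT = "<BBBBHHII"  # width, height, colours, reserved, planes, bpp, bytes_in_res, image_offset


def build_ico(images):
    """Assemble a minimal ICO container from raw image blobs (constructed sample input)."""
    count = len(images)
    header = struct.pack(ICONDIR_FMT, 0, 1, count)
    offset = struct.calcsize(ICONDIR_FMT) + count * struct.calcsize(ICONDIRENTRY_FMT)
    entries = []
    for blob in images:
        entries.append(struct.pack(ICONDIRENTRY_FMT, 16, 16, 0, 0, 1, 32, len(blob), offset))
        offset += len(blob)
    return header + b"".join(entries) + b"".join(images)


def ico_trailing_data(data):
    """Return every byte that lies beyond the end of the last image the directory references.

    A well-formed icon has nothing there; a loader that hides a payload in an icon
    can append it without breaking any image viewer, which is what this check catches.
    """
    hdr_size = struct.calcsize(ICONDIR_FMT)
    entry_size = struct.calcsize(ICONDIRENTRY_FMT)
    if len(data) < hdr_size:
        raise ValueError("file too short for an ICONDIR header")
    reserved, img_type, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0 or img_type != 1:
        raise ValueError("not an ICO container")
    end = hdr_size + count * entry_size
    if end > len(data):
        raise ValueError("directory extends past end of file")
    for i in range(count):
        entry = struct.unpack_from(ICONDIRENTRY_FMT, data, hdr_size + i * entry_size)
        size, img_off = entry[6], entry[7]
        if img_off + size > len(data):
            raise ValueError(f"image {i} extends past end of file")
        end = max(end, img_off + size)
    return data[end:]


_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(blob):
    """Heuristic: trailing bytes that are a valid base64 string deserve a closer look."""
    text = blob.strip()
    if len(text) < 16 or len(text) % 4 != 0 or not _B64_RE.match(text):
        return False
    try:
        base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return True


def scan_ico(data):
    """Summarise what, if anything, is hiding after the icon's image data."""
    trailing = ico_trailing_data(data)
    return {"trailing_bytes": len(trailing), "base64_like": looks_like_base64(trailing)}


# Constructed sample: a 40-byte stand-in for a BITMAPINFOHEADER, not a real image.
FAKE_IMAGE = b"\x28\x00\x00\x00" + b"\x00" * 36
CLEAN_ICO = build_ico([FAKE_IMAGE, FAKE_IMAGE])
# Constructed stand-in for an appended, encoded C2 blob (hypothetical contents).
HIDDEN_BLOB = base64.b64encode(b"encrypted-c2-config-placeholder")
TAMPERED_ICO = CLEAN_ICO + HIDDEN_BLOB

if __name__ == "__main__":
    for name, ico in (("clean.ico", CLEAN_ICO), ("tampered.ico", TAMPERED_ICO)):
        print(name, scan_ico(ico))
```

The check is deliberately format-aware rather than a byte-pattern signature: it does not need to know the key, the delimiter or the C2 address, only that a legitimate icon has no reason to carry bytes past the last image. The same idea (parse the container, compare declared size against actual size) applies to PNG, PE overlays and most other formats used to smuggle configuration past a URL allowlist.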
Who’s behind this:
A threat group tied to the North Korean government compromised the 3CX software build system and used that access to push trojanized versions of the company's DesktopApp for Windows and macOS. The malware causes infected machines to beacon to actor-controlled servers and, depending on criteria that are not yet known, deploys second-stage payloads to specific targets. In a few cases the attackers carried out "hands-on-keyboard activity" on infected machines, meaning they manually ran commands on them.