Scada Hacker
Web Designer, Industrial infosec stuff, Chaotic coder.
Business communication solutions provider 3CX has fallen victim to a supply chain attack, with hackers compromising the Windows and Mac versions of its 3CXDesktopApp application, which is used by over 600,000 companies globally.
Security experts suggest that the attackers, possibly a North Korean state-sponsored threat actor, had access to the company's systems for several months before the breach was detected. The campaign, dubbed SmoothOperator, may have impacted thousands of users, with malware designed to harvest data from compromised systems, including browser data. Huntress has detected over 2,700 instances of malicious 3CXDesktopApp binaries, and cybersecurity firm Todyl believes the attackers were in the early stages of information gathering.
3CX initially claimed that only the Windows app was impacted, but later confirmed the Mac version was also affected. The company has recommended customers uninstall the Electron app for Mac and Windows and use the web app version until a clean app is developed.
The firm originally claimed that an FFmpeg multimedia library had been compromised, rather than 3CX itself. However, FFmpeg denied these claims, and ReversingLabs found that the malicious FFmpeg files were signed with a legitimate code-signing certificate issued to 3CX, so they would pass signature verification; this points to a compromise of the repository from which the Electron application binaries were fetched during the build process, rather than to an upstream FFmpeg compromise.
Evidence collected suggests that the hackers had access to 3CX systems for months before the attack was discovered, and many 3CX customers have criticized the way the firm handled the incident. Initially, the company insisted that the malware detections were false positives, and some users claimed they were instructed by 3CX staff to pay for a support ticket to get help in addressing the issue.
Several cybersecurity firms, including Huntress, ReversingLabs, Volexity, and Todyl, have published blog posts, advisories, and tools to help organizations that may have been affected by the 3CX supply chain attack. Symantec, ReliaQuest, CrowdStrike, Rapid7, Trend Micro, Sophos, and SentinelOne have also published IoCs and information that can be useful to their own customers.