Customers of 3CX, a unified communications technology supplier, are being targeted by a North Korea-linked advanced persistent threat (APT) actor in a supply chain attack spreading via a compromised update to one of its products.
The developing incident was initially flagged independently by cyber security firms CrowdStrike and Sophos after being spotted in their telemetry.
CrowdStrike said it had observed “unexpected malicious activity” emanating from a legitimate, signed binary, the 3CXDesktopApp softphone. This activity included beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and in some instances, “hands-on” keyboard activity. It said it had seen this activity on both Windows and macOS systems.
Sophos, meanwhile, reported similar activity, albeit confined by its reckoning to Windows environments. It added that it has evidence the threat actors behind it are using a public cloud storage service to host their encoded malware.
Mat Gangwer, vice-president of managed threat response at Sophos, said: “Sophos first identified malicious activity stemming from a seeming supply chain attack against the 3CXDesktopApp and affecting our customers after hunting for the reported activity on 29 March.
“3CX is a widely used, legitimate business phone system used worldwide,” he told Computer Weekly in emailed comments. “The attackers have managed to manipulate the application to add an installer which uses DLL [Dynamic Link Library] sideloading to ultimately retrieve a malicious, encoded payload. The tactics and techniques are not novel, they are similar to DLL sideloading activity we’ve reported on previously. We’ve identified three of the crucial components to this DLL sideloading scenario embedded into the vendor’s package.”
“We will be continuing to provide rolling updates as this situation unfolds,” said Gangwer. “In the meantime, Sophos has blocked the malicious activity by publishing the following protection: Troj/Loader-AF, blocked the list of known C2 domains associated with the threat, and will continue to add to that list in the IoC file on our GitHub. We also recommend that users check 3CX’s blog for any official communications from the company.”
CrowdStrike additionally said it was able to link the attack to a North Korean group it tracks as Labyrinth Chollima, which has some overlap with the notorious Lazarus APT. Sophos has not made an attribution at the time of writing.
In a statement issued on Thursday 30 March, 3CX chief information security officer Pierre Jourdan confirmed that update 7, version numbers 18.12.407 and 18.12.416 of its Electron Windows App included a “security issue” that has triggered antivirus programmes. The issue appears to be with one of the bundled libraries compiled into Electron via Git. A more extensive probe is currently underway.
“The domains contacted by this compromised library have already been reported, with the majority taken down overnight,” he said. “A Github repository which listed them has also been shut down, effectively rendering it harmless.
“This appears to have been a targeted attack from an APT, perhaps even state-sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware. The vast majority of systems, although they had the files dormant, were in fact never infected.”
3CX is currently working on a new version of the Electron Windows App and will be issuing new certificates for it. For now, said Jourdan, customers may wish to consider using its web-based PWA service instead.
“In the meantime, we apologise profusely for what occurred and we will do everything in our power to make up for this error,” he said.
Founded in Cyprus in 2005 as a supplier of IP PBX technology, 3CX boasts more than 12 million users at approximately 600,000 customers. Its customer roster includes multinational enterprises including Air France, American Express, Carlsberg, Coca-Cola, Hilton, Honda, Ikea, PwC, Renault and Toyota, although it’s not currently known which customers may have been impacted, and none of the above have made any statement on the incident.