A digitally signed and trojanized version of the 3CX Voice over Internet Protocol (VoIP) desktop client is reportedly being used to target the company’s customers in an ongoing supply chain attack. 3CX is a VoIP IPBX software development company whose 3CX Phone System is used by more than 600,000 companies worldwide and has over 12 million daily users.
The company’s customer list includes a long list of high-profile companies and organizations like American Express, Coca-Cola, McDonald’s, BMW, Honda, Air France, Toyota, Mercedes-Benz, IKEA, and the UK’s National Health Service (who published an alert on Thursday).
According to alerts from security researchers from Sophos and CrowdStrike, the attackers are targeting both Windows and macOS users of the compromised 3CX softphone app.
“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” CrowdStrike’s threat intel team said, as reported by bleepingcomputer.com.
“The most common post-exploitation activity observed to date is the spawning of an interactive command shell,” Sophos added in an advisory issued via its Managed Detection and Response service.
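The post-exploitation behaviour both vendors describe, a command shell being spawned by the softphone process, is the kind of parent/child relationship a detection engineer would alert on. The following is an added illustration, not code from the article or from any of the vendors quoted: it runs a simple parent/child rule over a few constructed process-creation events in a Sysmon-like JSON shape. The softphone process names (`3CXDesktopApp.exe` on Windows, `3CX Desktop App` on macOS) are assumptions used for the example, not indicators taken from the page.

```python
"""Flag interactive shells spawned by a softphone desktop process.

Added example: process-creation events are constructed inline in a
Sysmon/EDR-like JSON shape. The softphone process names below are
assumptions for illustration, not indicators from the article.
"""
import json
from pathlib import PurePosixPath, PureWindowsPath

# Assumed process names for the softphone client (not from the article).
SOFTPHONE_PARENTS = {"3cxdesktopapp.exe", "3cx desktop app"}

# Command interpreters whose launch from a softphone is unexpected.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh"}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    if "\\" in path or (len(path) > 1 and path[1] == ":"):
        return PureWindowsPath(path).name.lower()
    return PurePosixPath(path).name.lower()


def is_shell_from_softphone(event: dict) -> bool:
    """True when a shell interpreter's parent is the softphone process."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    return parent in SOFTPHONE_PARENTS and child in SHELLS


def find_shell_spawns(lines):
    """Parse JSON event lines and return the (parent, child, cmdline)
    triples that match the rule. Malformed lines and non-process-creation
    events (EventID != 1) are skipped rather than aborting the scan."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt log line must not stop the whole scan
        if ev.get("EventID") != 1:
            continue  # only process-creation events carry a parent image
        if is_shell_from_softphone(ev):
            hits.append((ev["ParentImage"], ev["Image"], ev.get("CommandLine", "")))
    return hits


# Constructed sample events: two matches (Windows and macOS), two benign
# process creations, one network event, and one corrupt line.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\3CX Desktop App\3CXDesktopApp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\3CX Desktop App\3CXDesktopApp.exe",
     "Image": r"C:\Program Files\3CX Desktop App\3CXDesktopApp.exe",
     "CommandLine": "3CXDesktopApp.exe --type=renderer"},
    {"EventID": 1,
     "ParentImage": "/Applications/3CX Desktop App.app/Contents/MacOS/3CX Desktop App",
     "Image": "/bin/zsh",
     "CommandLine": "/bin/zsh -c id"},
    {"EventID": 3,
     "Image": r"C:\Program Files\3CX Desktop App\3CXDesktopApp.exe",
     "DestinationPort": 443},
]] + ["this line is not JSON"]


def detect_sample():
    """Run the rule over the constructed events."""
    return find_shell_spawns(SAMPLE_EVENTS)


if __name__ == "__main__":
    for parent, child, cmdline in detect_sample():
        print(f"shell spawned by softphone: {parent} -> {child} ({cmdline})")
```

The rule deliberately keys on the parent image rather than on any hash or file path of the trojanized build, so it still fires if the payload changes; the cost is that a legitimate helper shell launched by the application would also match and need to be baselined.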
While CrowdStrike suspects a North Korean state-backed hacking group it tracks as Labyrinth Chollima is behind this attack, Sophos’ researchers say they “cannot verify this attribution with high confidence.”
Labyrinth Chollima activity is known to overlap with other threat actors tracked as Lazarus Group by Kaspersky, Covellite by Dragos, UNC4034 by Mandiant, Zinc by Microsoft, and Nickel Academy by Secureworks.
“CrowdStrike has an in-depth analytic process when it comes to naming conventions of adversaries,” the company told BleepingComputer via email. “LABYRINTH CHOLLIMA is a subset of what has been described as Lazarus Group, which includes other DPRK-nexus adversaries, including SILENT CHOLLIMA and STARDUST CHOLLIMA.”
This new malware is capable of harvesting system info and stealing data and stored credentials from Chrome, Edge, Brave, and Firefox user profiles.
“At this time, we cannot confirm that the Mac installer is similarly trojanized. Our ongoing investigation includes additional applications like the Chrome extension that could also be used to stage attacks,” SentinelOne said.
Michael White, Director of solution strategy, Synopsys Software Integrity Group, said: “This is, unfortunately, a recurrence of an issue we have seen many times before, and most likely will see again in future. Organisations must protect their software development environments and delivery pipelines and ensure that all supporting infrastructure is closely guarded.
“The good news is that the wider industry as well as government initiatives driven by groups such as NIST and CISA have already proposed a suite of countermeasure techniques which can be adopted such as SLSA and the guidance found within the NIST SSDF.”
White said that over time, organisations will find themselves increasingly being asked for assurances including evidence from their end users that software is developed in suitably secured environments and security best practices are followed.
“I predict we will also see the rise of a chief product security officer as a new and critical role at many organisations, and likely similar software supply chain initiatives emerge across large enterprises to help avoid and protect against these kinds of risk.”