Cybersecurity researchers say a vulnerability in the desktop app from VoIP provider 3CX is being actively exploited in supply chain attacks, leading to possible hands-on-keyboard activity by advanced threat actors, including nation-state actors.
According to researchers, malicious activity was observed coming from a legitimate signed binary, 3CXDesktopApp — a softphone application from 3CX. Cybersecurity firm CrowdStrike says the activity includes beaconing to hacker-controlled infrastructure, deployment of second-stage payloads and in a small number of cases, hands-on-keyboard activity.
According to CrowdStrike, the activity has been detected on the Windows and macOS versions of the 3CXDesktopApp.
Vulnerability management firm Tenable says the following versions of the 3CX desktop apps are affected:
- Windows 18.12.407
- Windows 18.12.416
- macOS 1811.1213
- macOS latest
The second-stage payloads are reported to be hosted on a public GitHub repository that has since been removed, Tenable researchers say, but they were used to download a third-stage information stealer, allowing attackers to collect information from popular web browsers such as Google Chrome Microsoft Edge, Brave and Mozilla Firefox.
Publicly reported research indicates that these attacks began as early as March 22, but Tenable cites a BleepingComputer report that suggests the activity could have begun around the beginning of March.
In addition, the GitHub repository containing the second-stage payloads was first populated in late December 2022, Tenable researchers say. The attacks have been corroborated by several other security vendors, including SentinelOne and Sophos, the latter of which calls it a DLL sideloading attack.
According to Tenable, researchers believe the supply chain attack against 3CX is being carried out by a sub-group of the Lazarus Group, a North Korean nation state actor. The issue has been assigned CVE-2023-29059.
According to 3CX, incident response and forensics firm Mandiant, now a subsidiary of Google, is investigating the incident. Customers should use the company’s web-based PWA app and not the electron app while the company makes sure it is secure.
Follow the company’s blog for more information, including recommended mitigations. For security analysis and indicators of compromise, read blogs from CrowdStrike, Tenable, SentinelOne, Fortinet and Sophos.
