
New malware attacks the 3CX Desktop App supply chain

Hackers continue to go after businesses at full capacity. In recent days, security researchers have warned of a large supply-chain attack aimed at users of the 3CX VoIP telephony system: the 3CX Desktop App itself has been trojanized, in its Windows and macOS builds.

According to researchers at Sophos and CrowdStrike, the attackers reach users through an application that is digitally signed with a valid 3CX certificate, which is why it passes the signature checks that would normally expose a tampered installer. 3CX CEO Nick Galea confirmed it: “As many of you have noticed, the 3CX Desktop App has malware in it. It affects the Windows Electron client for customers running Update 7.”

Consequences for more than 600,000 companies

3CX is a developer of VoIP IP PBX software whose 3CX Phone System has more than 12 million daily users in 190 countries, so the potential consequences of the attack are large. Its desktop app lets customers make calls, chat, hold video conferences and check voicemail.

As expected with an attack of this kind, the list of potentially affected organisations is very long: 3CX counts more than 600,000 companies as customers, any of which could have received the trojanized build. Among the customers of the vendor hit by what researchers have already named SmoothOperator are brands known worldwide such as American Express, BMW, Air France, Pepsi, Toyota, Honda and IKEA; these are listed customers of 3CX, not confirmed compromises.

On March 29, CrowdStrike warned of malicious activity originating from a legitimately signed binary of the 3CX VoIP desktop client, the hallmark of an ongoing supply-chain attack. The American cybersecurity company stated that “malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.”

For the American security company SentinelOne, “the trojanized 3CXDesktopApp is the first stage of a multi-stage attack chain that retrieves ICO files with base64 data appended from GitHub and ultimately leads to a third-stage data-stealing DLL that is still being analyzed at the time of writing.”
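The trick SentinelOne describes, a payload appended to an otherwise valid icon file, is easy to check for because the ICO format declares exactly how many bytes its images occupy. The script below is an added example, not code from this article, from 3CX or from the researchers quoted: it parses the ICO directory, computes where the last image ends, treats everything after that as a trailer and tries to decode the trailer as base64. The icon and the appended text are constructed inline; the contents of the real second-stage files are not on this page, so this is a generic heuristic rather than a signature for them.

```python
"""Flag data appended after the last image of an ICO file and try base64 on it.

Added example (not from the article, 3CX or SentinelOne). The ICO file and the
hidden text are constructed below so the script runs offline.
"""
import base64
import struct

ICONDIR = struct.Struct("<HHH")            # reserved, type (1 = icon), image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colours, reserved, planes, bpp, size, offset


def parse_ico(data: bytes) -> dict:
    """Parse the ICO header and directory; return entries, end of image data, trailer."""
    if len(data) < ICONDIR.size:
        raise ValueError("too short for an ICO header")
    reserved, ico_type, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or ico_type != 1 or count == 0:
        raise ValueError("not an ICO file")
    entries = []
    # Lowest possible end: the header plus the directory itself.
    end_of_images = ICONDIR.size + count * ICONDIRENTRY.size
    for i in range(count):
        off = ICONDIR.size + i * ICONDIRENTRY.size
        if off + ICONDIRENTRY.size > len(data):
            raise ValueError("truncated icon directory")
        w, h, _colours, _res, _planes, _bpp, size, img_off = ICONDIRENTRY.unpack_from(data, off)
        if img_off + size > len(data):
            raise ValueError(f"entry {i} points past end of file")
        entries.append({"width": w or 256, "height": h or 256, "size": size, "offset": img_off})
        # Images need not be stored in directory order, so keep the furthest end.
        end_of_images = max(end_of_images, img_off + size)
    return {"entries": entries, "end_of_images": end_of_images, "trailer": data[end_of_images:]}


def decode_trailer(trailer: bytes):
    """Return the decoded bytes if the trailer is strict base64 text, else None."""
    text = trailer.strip()
    if not text:
        return None
    try:
        return base64.b64decode(text, validate=True)   # binascii.Error is a ValueError
    except ValueError:
        return None


def scan(data: bytes) -> dict:
    """Summarise what a triage script would report for one ICO file."""
    info = parse_ico(data)
    return {"images": len(info["entries"]),
            "trailer_len": len(info["trailer"]),
            "decoded": decode_trailer(info["trailer"])}


def build_ico(image_bytes: bytes) -> bytes:
    """Construct a minimal single-image ICO around an opaque image blob (test fixture)."""
    header = ICONDIR.pack(0, 1, 1)
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, len(image_bytes),
                              ICONDIR.size + ICONDIRENTRY.size)
    return header + entry + image_bytes


# Constructed samples: a clean icon, and the same icon with base64 text appended.
CLEAN_ICO = build_ico(b"\x00" * 40)                       # placeholder pixel data
HIDDEN = b"stage-two payload placeholder (constructed)"
TAMPERED_ICO = CLEAN_ICO + base64.b64encode(HIDDEN)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("tampered", TAMPERED_ICO)):
        print(name, scan(blob))
```

The check is deliberately strict: a trailer that is only whitespace is ignored, and anything that is not valid base64 is reported by length only, so a legitimate icon with a stray newline is not flagged while an appended blob is. On a real host the same `scan` would be run over icon files dropped by the desktop app rather than the constructed fixture.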

For its part, Sophos, a British security software and hardware vendor, reported that “the most common post-exploitation activity observed to date is the spawning of an interactive command shell.” With that shell the attackers can take control of the victim’s machine, collect system information and harvest data stored in the user profiles of the Google Chrome, Microsoft Edge, Brave and Mozilla Firefox browsers.

New update for 3CX Desktop App

The malicious code is present in the builds 3CX released after March 3, namely versions 18.12.407 and 18.12.416 on Windows, and 18.11.1213 and later on macOS. In response, 3CX is working on a new release of its desktop app, expected within hours, to cut off the attack.

Until that update ships and customers have installed it, 3CX recommends using the PWA (Progressive Web Application) client instead, uninstalling the desktop app and reinstalling it only once the clean build is available.
