3CX VoIP App Compromised By Supply Chain Attack: Security Researchers

The desktop app from 3CX has been affected in the attack, which is being used by the threat actor to target 3CX customers, according to researchers from several cybersecurity vendors.

A desktop communications app from 3CX has been infected by malicious code in a software supply chain attack, and the compromised app is now actively being used by a threat actor to target 3CX customers, according to researchers from several cybersecurity vendors.

Researchers from CrowdStrike, Sophos and SentinelOne published blog posts Wednesday detailing their findings on an attack that appears to have compromised the 3CX desktop app, disclosing that they’ve observed malicious activity originating from a trojanized version of the desktop VoIP app from 3CX. According to the researchers, the attackers used a code-signing certificate to lend the trojanized binaries the appearance of legitimate, vendor-issued software.


3CX does not list a media relations contact on its website, but CRN has reached out to the company for comment through a sales contact form on its website. The vendor reports on its website that it has more than 600,000 customers, with sales exclusively through its network of 25,000 partners.

Major customers listed by 3CX include American Express, McDonald’s, Coca-Cola, NHS, Toyota, BMW and Honda.

According to Sophos researchers, the affected 3CX application “has been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers.”

“The software is a digitally signed version of the softphone desktop client for Windows and is packaged with a malicious payload,” the Sophos researchers wrote in the company’s blog post.

As of Wednesday evening, Sophos said it had only confirmed that Windows is affected, while CrowdStrike researchers wrote in the vendor’s blog that malicious activity had been detected on macOS as well as Windows.

“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” the CrowdStrike researchers wrote. The company said that its intelligence team has been in contact with 3CX about the attack.

SentinelOne researchers, who dubbed the campaign “SmoothOperator,” disclosed that they observed a “spike in behavioral detections of the 3CXDesktopApp” starting on March 22.

“The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain,” the researchers wrote in the SentinelOne post. The SentinelOne researchers also reported they haven’t yet been able to confirm that the Mac installer has been trojanized.

“Our ongoing investigation includes additional applications like the Chrome extension that could also be used to stage attacks,” the SentinelOne researchers wrote.

Notable past software supply chain compromises have included the widely felt attacks on SolarWinds, Kaseya and Codecov.