Hackers May Still Have Access To 3CX Supply Chain: Huntress Researcher

While communications app maker 3CX has acknowledged it is responding to the compromise of its Windows VoIP app, Huntress’ John Hammond said it’s unclear if attackers may still be able to ‘poison future updates.’


It’s possible the hackers behind a potentially far-reaching supply chain attack on 3CX and its customers may still be able to compromise future updates the vendor ships for the app, according to a security researcher from Huntress.

Reports from numerous cybersecurity researchers since Wednesday have pointed to an active campaign using the compromised app to target 3CX customers.

[Related: 3CX VoIP App Compromised By Supply Chain Attack: Security Researchers]


In a post Thursday, 3CX Chief Information Security Officer Pierre Jourdan wrote that the company is “working on a new Windows App that does not have the issue.”

However, it’s not certain that the threat actor’s access to the 3CX supply chain has been severed, wrote John Hammond, senior security researcher at Huntress, in a post Thursday.

“It is not yet clear whether or not adversaries still have access to the 3CX supply chain in order to poison future updates,” Hammond wrote. “Perhaps this may change the tradecraft we see in the coming days.”

Notable past software supply chain compromises have included the widely felt attacks on SolarWinds, Kaseya and Codecov.

3CX reports on its website that it has more than 600,000 customers, with sales exclusively through its network of 25,000 partners. Major customers listed by 3CX include American Express, McDonald’s, Coca-Cola, NHS, Toyota, BMW and Honda.

Citing the Shodan search engine, Hammond wrote that more than 242,000 3CX phone management systems are publicly exposed on the internet.

The downloadable version of the 3CX desktop app that’s been available on the company’s public website has included the malware, he wrote.

Additionally, “installations already deployed will update,” Hammond wrote, ultimately pulling down malware that includes a backdoored dynamic link library (DLL) file.

The recommendation from 3CX executives is to uninstall the desktop 3CX client, he noted.

On Wednesday, researchers from CrowdStrike, Sophos and SentinelOne published blog posts detailing their findings on the apparent compromise of the 3CX desktop app, each reporting malicious activity originating from a trojanized version of the VoIP desktop app distributed by 3CX.

According to researchers, the attackers used a code-signing certificate to give the trojanized binaries the appearance of legitimate, signed software.

“This appears to have been a targeted attack from an advanced persistent threat, perhaps even state sponsored, that ran a complex supply chain attack” using the Windows version of the app, 3CX’s Jourdan wrote in his post.

“We apologize profusely for what occurred and we will do everything in our power to make up for this error,” he wrote.

At present, a “definitive attribution is not yet clear” for the attack, Hammond wrote, but “the current consensus across the security community is that this attack was performed by a DPRK [North Korea] nation-state threat actor.”