There is a new supply chain attack targeting customers of a phone system with 12 million users


Several security companies have sounded the alarm about an active supply chain attack that uses a trojanized version of 3CX's widely used client for voice and video calls to target downstream customers.
3CX is the developer of a software-based phone system used by more than 600,000 organizations worldwide including American Express, BMW, McDonald’s and the UK’s National Health Service. The company claims to have more than 12 million daily users around the world.
Researchers at cybersecurity firms CrowdStrike, Sophos and SentinelOne published blog posts on Wednesday describing a SolarWinds-style attack — dubbed “Smooth Operator” by SentinelOne — that uses trojanized 3CXDesktopApp installers to install information-stealing malware on corporate networks.
This malware is able to collect system information and steal data and saved credentials from Google Chrome, Microsoft Edge, Brave and Firefox user profiles. Other observed malicious activity, according to CrowdStrike, includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads and, in a small number of cases, “hands-on-keyboard activity.”
Security researchers report that attackers are targeting both the Windows and macOS versions of the compromised VoIP app. For now, the Linux, iOS, and Android versions don’t seem to be affected.
Researchers from SentinelOne said they first saw evidence of malicious activity on March 22 and immediately investigated the anomalies, leading to the discovery that some organizations were attempting to install a trojanized version of the 3CX desktop app that was signed with a valid digital certificate. Apple security expert Patrick Wardle also found that Apple had notarized the malware, meaning the company had checked it for malicious content and detected none.
3CX CISO Pierre Jourdan said Thursday that the company is aware of a “security issue” affecting its Windows and macOS applications.
Jourdan notes that this appeared to be a “targeted attack by an Advanced Persistent Threat, maybe even state-sponsored.” CrowdStrike suspects that North Korean threat actor Labyrinth Chollima, a sub-group of the notorious Lazarus Group, is behind the supply chain attack.
As a workaround, 3CX is asking its customers to uninstall and reinstall the app, or alternatively to use its PWA client. “In the meantime, we sincerely apologize for what happened and we will do everything in our power to rectify this mistake,” said Jourdan.
There are many things we don’t yet know about the 3CX supply chain attack, including how many companies may have been compromised. According to Shodan.io, a website that maps internet-connected devices, there are currently more than 240,000 3CX phone management systems publicly available.
https://techcrunch.com/2023/03/30/theres-a-new-supply-chain-attack-targeting-customers-of-a-phone-system-with-12-million-users/