Consider IT will continue to monitor the situation as updates become available.
On 29 March, malicious activity was detected: a compromised version of the 3CX VoIP desktop client has reportedly been used to target 3CX customers in a supply chain attack.
3CX’s customer list includes many high-profile companies such as American Express, Coca-Cola, McDonald’s, BMW, Honda, Air France, the NHS, Toyota, Mercedes-Benz, IKEA and Holiday Inn.
Several antivirus vendors picked up the issue. The threat intel team from CrowdStrike said, “The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.”
Sophos added, “The most common post-exploitation activity observed to date is the spawning of an interactive command shell.”
The attack is thought to have been launched by a nation-state related hacking group, but this cannot be confirmed as the situation is still unfolding.
What’s been done to combat the threat so far?
In an update, 3CX said the “issue appears to be one of the bundled libraries that we compiled into the Windows Electron app via git” and that it’s further investigating the matter. So far:
- Illicit domains have been taken down: domains contacted by the compromised library have been reported and the majority removed overnight
- New Windows app in progress: 3CX are working on a new Windows app that does not have the issue
- Customers have been advised to use the PWA app instead: the PWA app is completely web based and does 95% of what the Electron app does
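Acting on that advice means first knowing which customer endpoints still have the Electron desktop app installed and what it is currently talking to. The PowerShell below is an added example for that triage step; it is not tooling from 3CX or Consider IT. It assumes (neither detail comes from this page) that the desktop app registers an uninstall entry and runs as a process whose names contain “3CX”, and that the host is Windows 8 / Server 2012 or later so that Get-NetTCPConnection is available.

```powershell
# Added example, not 3CX's or Consider IT's code.
# Inventory a Windows host for the 3CX Electron desktop app, list its live
# outbound connections, and check the signature on the running binary.
# Assumption (not from the page): the app's uninstall DisplayName and its
# process name both contain "3CX".

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Installed 3CX software, with version and location, so the endpoint can be
#    scheduled for removal / migration to the PWA.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*3CX*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation, InstallDate

if (-not $installed) {
    Write-Output 'No 3CX desktop app found in the uninstall registry keys.'
} else {
    $installed | Format-Table -AutoSize
}

# 2. Running 3CX processes and their established TCP connections. Remote
#    addresses that are not the customer's PBX or known 3CX services deserve
#    a closer look, given the reported beaconing to actor-controlled domains.
$procs = Get-Process | Where-Object { $_.Name -like '*3CX*' }
foreach ($p in $procs) {
    Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Process       = $p.Name
                PID           = $p.Id
                Path          = $p.Path
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
            }
        } | Format-Table -AutoSize
}

# 3. Authenticode status of each running 3CX binary. A missing or broken
#    signature is an immediate escalation; a valid one is NOT a clean bill of
#    health (see the note below).
foreach ($p in ($procs | Where-Object Path)) {
    Get-AuthenticodeSignature -FilePath $p.Path |
        Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } |
        Format-List
}
```

Run it elevated so the HKLM keys and all process paths are readable. Treat the signature check as a tamper check only: a supply chain compromise of the kind described above ships malicious code inside the vendor's own build, so a valid vendor signature tells you the binary has not been modified since the vendor built it, not that the build is safe. The connection listing is the more useful signal here, and any unexpected remote host should be cross-checked against the vendor advisories as they are published.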
Consider IT has taken immediate action this morning to secure any customers using 3CX.