A widely used and legitimate softphone application is hiding unexpected malicious activity, possibly tied to a nation-state hacking group, that could allow attackers to gain unfettered movement inside victims’ networks, according to CrowdStrike.
CrowdStrike, an ExtraHop technology partner, observed the malicious activity in 3CXDesktopApp, a software-based phone application from 3CX, on March 29. The 3CXDesktopApp is available for Windows, macOS, Linux and mobile operating systems, but CrowdStrike observed the malicious activity on Windows and macOS, CrowdStrike researchers noted in a blog post.
The malicious activity caught by the CrowdStrike Falcon endpoint detection and response (EDR) platform can beacon back to IT systems controlled by attackers and deploy second-stage malware payloads, CrowdStrike said. In limited cases, the activity can allow hands-on keyboard attacks, in which attackers inside a compromised environment can use keystrokes and commands to move laterally across the victim’s network.
CrowdStrike Intelligence said it suspects the malicious activity is linked to Labyrinth Chollima, a threat actor tied to the government of North Korea.
3CXDesktopApp is a widely used voice-over-IP app, according to Palo Alto Networks’ Unit 42 research group. The Palo Alto Networks Cortex Xpanse product has detected more than 247,000 IP addresses in 199 countries using 3CX apps, Unit 42 said in a blog post. The most widely targeted countries included the U.S., the U.K., Germany, Australia, and France. Palo Alto Networks is also an ExtraHop technology partner.
Unit 42 identified the activity as a supply chain attack, in which cybercriminals target less secure elements in a supply chain, in this case a softphone app, to launch their attacks.
Between March 9 and 30, Palo Alto Networks blocked the 3CXDesktopApp process from running shellcode at 127 customers, Unit 42 said. Because Palo Alto Networks’ defenses blocked the shellcode, the cybersecurity company was unable to obtain the secondary payload used in the attack to determine its capabilities, Unit 42 said.
3CX issued a security alert to its customers on March 30. The company has taken down links to the affected software and plans to release a new Windows version, 3CX CISO Pierre Jourdan wrote. Customers should use the company’s web-based app until then, he advised.
“This appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware,” he added. “The vast majority of systems, although they had the files dormant, were in fact never infected.”
Companies using the softphone app should search for it in their IT environments, take remediation steps outlined by CrowdStrike in its blog post, and use tools like CrowdStrike Falcon and ExtraHop Reveal(x) to detect and shut down the malicious activity.
A rising number of sophisticated attacks point to the need for companies to deploy a network detection and response (NDR) solution, like ExtraHop Reveal(x) 360, alongside an endpoint detection and response (EDR) platform, like CrowdStrike Falcon. The combination of NDR and EDR forms a more complete extended detection and response (XDR) solution to stop attackers every step of the way. Just recently, ExtraHop announced it had expanded its partnership with CrowdStrike via a new integration that allows customers to ingest network data from Reveal(x) 360 in CrowdStrike Falcon LogScale.
Through its application and device discovery capabilities, Reveal(x) 360 can help organizations determine which of their devices are running the 3CXDesktopApp and thus may be vulnerable to this particular supply chain attack. Reveal(x) 360 can help organizations detect supply chain attacks by using cloud-scale AI behavioral monitoring on every device, including application servers, to alert them to the early warning signs of a supply chain intrusion. Reveal(x) 360 discovers every device and workload on a network, and identifies software, hardware, users, and more. This provides a complete picture of the potential attack surface for supply chain attackers—from devices to cloud workloads and containers.