Supply Chain Attack Through 3CX Desktop App

Description

UPDATE #1 2023/03/31: Updated protection section with additional protections.


FortiGuard Labs is aware that a digitally signed 3CX desktop app was reportedly used in a supply chain attack against 3CX Voice over Internet Protocol (VoIP) customers. A previously unknown infostealer was deployed to the victims at the end of the infection chain. At this time, Windows and MacOS versions were reportedly trojanized.


The 3CX desktop app is a popular software phone client that enables users to make calls, have live chats, and hold video conference calls; it is available for Windows, MacOS, Linux, Android and iOS. 3CX claims that more than 600,000 companies use its service and that its userbase exceeds 12 million.


Why is this Significant?

This is significant because 3CX, a very popular software phone client which the company claims serves more than 600,000 companies, was reportedly trojanized to deliver an unknown infostealer to victims through a supply chain attack.


How Widespread is the Attack?

Currently there is no indication available as to how widespread the attack is. FortiGuard Labs is closely monitoring the situation and will update this Threat Signal when new information becomes available.


Who is Behind this Attack?

Unconfirmed reports suggest LAZARUS group may be the perpetrator of this attack.


Who is LAZARUS?

LAZARUS, also known as APT38/HIDDEN COBRA, has been linked to multiple high-profile, financially-motivated attacks in various parts of the world, some of which have caused massive infrastructure disruptions. Notable attacks include the 2014 attack on a major entertainment company and a 2016 Bangladeshi financial institution heist that nearly netted $1 Billion (USD) for the attackers. Had it not been for a misspelling in an instruction that caused a bank to flag and block thirty transactions, LAZARUS would have pulled off a heist unlike any other. Although LAZARUS failed in that attempt, they were still able to net around 81 million dollars in total. The most infamous attack attributed to Lazarus was the WannaCry ransomware attack, which resulted in massive disruption and damage worldwide to numerous organizations, especially those in manufacturing. Various estimates of the impact were in the hundreds of millions of dollars, with some estimates claiming billions. Other verticals this group has targeted include critical infrastructure, entertainment, finance, healthcare, and telecommunication sectors across multiple countries.


What Malware is Delivered to the Victims of this Supply Chain Attack?

A previously unknown infostealer that collects system information and steals information from popular Web browsers was reportedly deployed to the victims.


Has the Vendor Released an Advisory?

3CX released an advisory on March 30th, 2023. See the Appendix for a link to "3CX DesktopApp Security Alert".


What is the Status of Protection?

FortiGuard Labs currently has the following AV signatures in place for some of the known and available files involved in this attack:


  • W64/Agent.CFM!tr
  • OSX/Agent.CN!tr
  • Riskware/Sphone_XC3

FortiGuard Labs has the following IPS signature in place to detect backdoor activities associated with this attack:


  • 3CX.DesktopApp.SupplyChain.Backdoor (default action is set to "pass")


Currently available network IOCs are blocked by Webfiltering.
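The protections listed above are only useful if someone reviews what they fire on, and the IPS signature's default action of "pass" means a hit is logged but the traffic is not blocked. The following script is an added example (not FortiGuard's or 3CX's code) that parses FortiGate-style key=value log lines, matches the AV, IPS and Application Control signature names quoted in this Threat Signal, and lists hosts where a signature fired without the traffic being blocked. The log lines are constructed for illustration; field names follow the common FortiGate syslog layout and are an assumption about the deployment.

```python
import re
from collections import defaultdict

# Signature names as quoted in the Threat Signal above.
AV_SIGNATURES = {"W64/Agent.CFM!tr", "OSX/Agent.CN!tr", "Riskware/Sphone_XC3"}
IPS_SIGNATURES = {"3CX.DesktopApp.SupplyChain.Backdoor"}
APPCTRL_SIGNATURES = {"3CX"}

# Constructed sample log lines in FortiGate-style key=value syslog format.
# They are illustrative only; the IP addresses and timestamps are not real telemetry.
SAMPLE_LOGS = """\
date=2023-03-30 time=10:02:11 type=utm subtype=virus action=blocked srcip=10.1.5.20 virus="W64/Agent.CFM!tr" filename="3CXDesktopApp.exe"
date=2023-03-30 time=10:05:47 type=utm subtype=ips action=detected srcip=10.1.5.20 dstip=203.0.113.9 attack="3CX.DesktopApp.SupplyChain.Backdoor"
date=2023-03-30 time=10:06:02 type=utm subtype=app-ctrl action=pass srcip=10.1.7.33 app="3CX"
date=2023-03-30 time=10:09:15 type=utm subtype=virus action=blocked srcip=10.1.9.8 virus="EICAR_TEST_FILE" filename="eicar.com"
date=2023-03-30 time=10:11:40 type=utm subtype=ips action=dropped srcip=10.1.7.33 dstip=203.0.113.9 attack="3CX.DesktopApp.SupplyChain.Backdoor"
"""

# key=value pairs; quoted values may contain spaces, unquoted ones end at whitespace.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Actions that mean "signature matched, traffic allowed through" (the IPS default
# action on this page is "pass").
NON_BLOCKING_ACTIONS = {"detected", "pass", "passthrough"}


def parse_line(line):
    """Parse one key=value log line into a dict of string values."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in KV_RE.finditer(line)
    }


def classify(event):
    """Return 'av', 'ips' or 'appctrl' if the event matches a 3CX signature, else None."""
    sub = event.get("subtype")
    if sub == "virus" and event.get("virus") in AV_SIGNATURES:
        return "av"
    if sub == "ips" and event.get("attack") in IPS_SIGNATURES:
        return "ips"
    if sub == "app-ctrl" and event.get("app") in APPCTRL_SIGNATURES:
        return "appctrl"
    return None


def triage(log_text):
    """Group 3CX-related hits by source host.

    Returns {srcip: {"hits": [(kind, action), ...], "unblocked": bool}}.
    "unblocked" is set when an AV or IPS signature fired but the action was
    non-blocking; Application Control hits only record that 3CX access was seen.
    """
    hosts = defaultdict(lambda: {"hits": [], "unblocked": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        kind = classify(event)
        if kind is None:
            continue
        host = event.get("srcip", "unknown")
        action = event.get("action")
        hosts[host]["hits"].append((kind, action))
        if kind in ("av", "ips") and action in NON_BLOCKING_ACTIONS:
            hosts[host]["unblocked"] = True
    return dict(hosts)


def hosts_needing_followup(log_text):
    """Sorted list of hosts where a 3CX AV/IPS signature fired without being blocked."""
    return sorted(h for h, info in triage(log_text).items() if info["unblocked"])


if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_LOGS).items()):
        flag = "FOLLOW UP: signature fired but not blocked" if info["unblocked"] else "blocked/observed"
        print(f"{host}: {info['hits']} -> {flag}")
```

Hosts that appear in `hosts_needing_followup` are the ones to isolate and examine first: the IPS saw backdoor traffic from them but did not stop it. Changing the IPS signature's action from "pass" to block in the sensor profile removes that gap for future hits, but hosts already flagged still need endpoint triage.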


FortiEDR detects installation of the 3CX Desktop App with a dynamic code exception event.


FortiEDR also blocks the final payload making a network connection to C2.



FortiGuard Labs has released a new Application Control signature, included in definition set 23.528, that detects attempted 3CX access activity:

  • 3CX


Regarding FortiAnalyzer, a knowledge base article that contains detailed insight on how to detect activities related to the 3CX Supply Chain attack can be found here.


Latest details of all protections can be found in the FortiGuard 3CX Supply Chain Attack Outbreak Alert.

Outbreak Alert

Security researchers observed that the threat actors abused a popular business communication software by 3CX. The reports mention that a version of the 3CX VoIP (Voice over Internet Protocol) desktop client was trojanized and is being used to attack multiple organizations.
