3CX CEO suggests state-sponsored hackers behind supply chain malware attack


Business communications firm 3CX confirmed the downloader for its voice over IP (VoIP) desktop software has been tampered with and now installs a version that sideloads malware onto a victim’s computer.

The issue, dubbed ‘SmoothOperator’, is believed to be a supply chain malware attack carried out by a suspected state-sponsored threat actor, with attacks starting last week, according to user reports.

3CX revealed in a blog post on Thursday that it noticed a “security issue” in its Electron Windows App with Update 7, version numbers 18.12.407 & 18.12.416.

It added that antivirus vendors may have flagged the legitimate 3CXDesktopApp.exe and uninstalled it.

3CX said it was still researching the issue, but believes it originated in one of the bundled libraries it compiled into the Windows Electron App via Git. The domains contacted by the compromised library have already been reported, with most shut off overnight, said CISO Pierre Jourdan.

“A GitHub repository which listed them has also been shut down, effectively rendering it harmless,” he said.

“Worth mentioning – this appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state-sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware,” said Jourdan. “The vast majority of systems, although they had the files dormant, were in fact never infected.”

The company is currently working on a new Windows App that isn’t affected by the issue, and will also issue a new certificate for the app. Jourdan said this will take at least 24 hours.

He also encouraged customers to use its PWA app, which is completely web-based. “The advantage is that it does not require any installation or updating and Chrome web security is applied automatically,” he said.

3CX CEO Nick Galea said in a company forum post that the issue was reported to the organisation on the evening of 29 March.

He recommended uninstalling the app and installing it again, and added that if customers are running Windows Defender, it will uninstall the app automatically. Galea said the company is going to analyse the issue and release a report later on Thursday, but is now only…
