Hackers infect popular 3CX communications application with malware


Hackers have compromised 3CX, a popular videoconferencing and business phone management application used by more than 600,000 companies.

Multiple cybersecurity providers, including CrowdStrike Holdings Inc., issued warnings about the breach on Wednesday. CrowdStrike believes the hackers behind the breach are associated with a North Korean state-backed threat actor known as Labyrinth Chollima. According to the company, the hackers are using the compromised 3CX application to launch cyberattacks against users.

The 600,000 companies that use 3CX include major enterprises such as Coca-Cola Co., McDonald’s Corp. and BMW AG. The software has about 12 million daily users worldwide.

According to BleepingComputer, signs that 3CX had been compromised began emerging more than a week ago. On March 22, multiple customers reported that their antivirus software had flagged the application as malicious. The malicious version of the 3CX application had been shipped more than two weeks earlier, on March 3.

The malware sends data it steals to remote infrastructure controlled by the hackers. According to a SentinelOne Inc. analysis, some of that infrastructure was prepared as early as last February.

As part of the cyberattack, the hackers packaged malicious code into the 3CX desktop client’s installer. The Windows and Mac versions are both affected. Moreover, customers that already have 3CX installed received an update that likewise contains the malicious code.

According to CrowdStrike, the malicious installer and update are signed. Code signing is a security mechanism by which a company attests that it produced a piece of software. A computer can use the signature to verify that an application it is about to install came from the original publisher rather than from a malicious server.

Pierre Jourdan, chief information security officer at 3CX, stated in a blog post that the malicious code appears to have originated from one of the “bundled libraries” the company uses. A library is an externally developed code component that engineers incorporate into their software. Jourdan didn’t provide technical details about the malicious component.

According to SentinelOne, the malicious 3CX…