
March 30, 2023

3CX Supply Chain Compromise

Last updated: June 9, 2023

On 30 March 2023, business communication solutions and software provider 3CX reported that their product was breached as part of a supply chain attack. The company notified customers who may have been affected and is working on enhancing the security of their product. We recommend following the mitigations provided below in order to ensure that affected users are protected from this threat.

Details

Beginning on 22 March 2023, users reported their 3CX desktop application being flagged by security solutions as malicious; the detections were initially thought to be false positives. Around 29 March, several security companies confirmed malicious activity emanating from legitimately signed binaries of the 3CX Desktop App. 3CX Desktop App is a native desktop application for a private automatic branch exchange (PABX) product, built using the same Electron framework as Teams and WhatsApp.

On 29 March 2023, 3CX launched an investigation into the compromise. According to a statement from the company, the products affected by this security issue are: Electron Windows App shipped in Update 7, version numbers 18.12.407 and 18.12.416, as well as Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407, and 18.12.416.

Based on the information available on 30 March 2023, researchers have evidence suggesting that the threat actor behind this attack is the North Korean state-sponsored threat group known as Labyrinth Chollima, a subgroup of Lazarus. The group successfully added a backdoor to the 3CX Desktop App installer, which is signed with a valid code signing certificate, and is using that access to deploy an information stealer.

3CX notified their customers who may have been affected and released an update for some configurations. The company is also planning to issue a new signing certificate for the product.

At Field Effect, we are actively looking for indicators of activity associated with this threat and for any indication that our customers may have been impacted. We are closely monitoring the evolution of this compromise and all indicators are being immediately added to the Covalence monitoring service as they are published. We are also continuously assessing the Covalence monitoring around broader techniques used by this threat actor to ensure that our clients are protected.

Recommendations

We recommend following the 3CX guidance referenced below, applying vendor recommendations, and installing the latest updates when they become available.

We also advise that you monitor 3CX updates as it is a developing situation. Meanwhile, we recommend uninstalling the affected product until the Electron App is rebuilt for your 3CX configuration and signed with a new certificate.

As a precautionary measure, we recommend that those running the affected versions investigate their network for the indicators of compromise provided by vendors, or for any recent signs of abnormal activity.
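The first step in acting on the recommendations above is knowing which hosts actually run one of the affected builds listed in the Details section. The script below is an added example, not code from Field Effect or 3CX: it audits a software inventory export (a hypothetical CSV with hostname, platform, product and version columns) against the affected Windows and Mac version numbers exactly as 3CX listed them, and separates hosts that clearly need the uninstall action from 3CX rows it cannot resolve, which are handed to a human for review. The sample inventory and hostnames are constructed.

```python
"""Audit a software inventory for the 3CX Desktop App builds named in the 3CX advisory."""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Affected builds exactly as listed in the 3CX statement: Electron Windows App
# (shipped in Update 7) and Electron Mac App. Any other build is reported as
# "not listed", which is not the same as proven clean.
AFFECTED_VERSIONS = {
    "windows": {"18.12.407", "18.12.416"},
    "mac": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def normalize_version(raw: str) -> Optional[str]:
    """Pull a dotted x.y.z build out of inventory text such as 'v18.12.407' or '18.12.407.0'.

    Leading zeros are dropped so '18.012.407' and '18.12.407' compare equal.
    """
    m = _VERSION_RE.search(raw or "")
    if not m:
        return None
    return ".".join(str(int(p)) for p in m.groups())


def normalize_platform(raw: str) -> Optional[str]:
    """Map the free-text platform column to the two platforms the advisory covers."""
    p = (raw or "").strip().lower()
    if p.startswith("win"):
        return "windows"
    if p in {"darwin", "osx", "os x"} or p.startswith("mac"):
        return "mac"
    return None


def is_affected(platform: str, version: str) -> bool:
    """True only for a build the advisory names, on the platform it names it for."""
    plat = normalize_platform(platform)
    ver = normalize_version(version)
    return plat is not None and ver is not None and ver in AFFECTED_VERSIONS[plat]


def audit_inventory(csv_text: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split 3CX Desktop App rows into (affected, needs_review).

    affected:     platform and build both match the advisory; the recommended
                  action is to uninstall until a rebuilt, re-signed app is available.
    needs_review: a 3CX row whose platform or version could not be resolved, so
                  the script cannot decide; a person should check the host.
    Rows for other products are ignored.
    """
    affected, needs_review = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "3cx" not in row.get("product", "").lower():
            continue
        plat = normalize_platform(row.get("platform", ""))
        ver = normalize_version(row.get("version", ""))
        if plat is None or ver is None:
            needs_review.append({**row, "reason": "platform or version not resolvable"})
        elif ver in AFFECTED_VERSIONS[plat]:
            affected.append({**row, "action": "uninstall; await rebuilt, re-signed app"})
    return affected, needs_review


# Constructed sample inventory (hypothetical hosts), not data from the advisory.
SAMPLE_INVENTORY = """hostname,platform,product,version
ws-01,Windows 10,3CX Desktop App,18.12.407
ws-02,Windows 11,3CX Desktop App,18.12.422
mac-01,macOS,3CX Desktop App,v18.11.1213
mac-02,macOS,3CX Desktop App,18.12.416
ws-03,Windows 10,Microsoft Teams,1.6.00.4472
lnx-01,Linux,3CX Desktop App,18.12.407
"""

if __name__ == "__main__":
    hit, review = audit_inventory(SAMPLE_INVENTORY)
    for r in hit:
        print(f"AFFECTED  {r['hostname']:<8} {r['platform']:<11} {r['version']:<12} -> {r['action']}")
    for r in review:
        print(f"REVIEW    {r['hostname']:<8} {r['platform']:<11} {r['version']:<12} -> {r['reason']}")
```

Running the script on the sample prints three AFFECTED lines (ws-01, mac-01, mac-02) and one REVIEW line for lnx-01, whose platform the advisory does not cover. Note that a host whose version is absent from the affected set is only "not listed": the check is a triage aid for the uninstall recommendation, and does not replace the indicator-of-compromise investigation described above.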

References

3CX Advisory