Hackers Insert Data-Stealing Malware into 3CX VoIP Phone System Used by 600,000 Organizations

3CX has warned users of its DesktopApp voice and video-calling client about a successful supply-chain attack that inserted malware into its code. Versions of the software for both Windows and macOS have been compromised. 3CX says its software-based phone system is used by 12 million people daily, on behalf of 600,000 organizations. As explained by cybersecurity firm CrowdStrike on their subreddit, software updates install malware that steals information from the infected computers.

“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.”

A follow-on blog by CrowdStrike reported that the likely source of this attack is one of North Korea’s most active hacker/espionage teams, LABYRINTH CHOLLIMA, one of several units associated with North Korea’s infamous Lazarus Group.

“Once active, the HTTPS beacon structure and encryption key match those observed by CrowdStrike in a March 7, 2023 campaign attributed with high confidence to DPRK-nexus threat actor LABYRINTH CHOLLIMA.”

In contrast, security researchers from Sophos were less confident about attributing responsibility to LABYRINTH CHOLLIMA. But like most companies that fall victim to hackers, 3CX’s security alert emphasized the sophistication of the attackers.

“Worth mentioning – this appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware.”

3CX recommends that customers uninstall the affected app and switch to using an alternative app instead. An alert issued by the security function of the UK’s National Health Service, one of 3CX’s customers, echoed the need to urgently uninstall the software.

“Affected organisations are required to immediately uninstall affected versions of 3CX DesktopApp.

“3CX have advised that they are looking to publish an updated version of their Windows client, and that their Web Client / Progressive Web Application (PWA) can be used as an alternative…”

One of the biggest challenges we face this century is establishing trust when interacting with other parties over a network. Many proposed solutions involve digital certificates and electronic signatures, but they are not the panacea that some would like us to believe. The malware-infected versions of 3CX’s desktop apps were signed using a valid digital certificate. Nor can we simply rely on big tech businesses to protect the rest of us. Apple is the only company in the world with a market capitalization worth more than USD2.5tn but they notarized the infected version of this app for macOS. This effectively means Apple checked this app using the cybersecurity resources at their disposal but they still did not find the malware it contained.

Societies need to put more resources into cybersecurity but no amount of resources will ever be enough. We also need to question philosophies that insist it is beneficial to keep concentrating more information, wealth and power in systems. The more we rely on networks, the more vulnerable we become, even if most of humanity has yet to appreciate this fact. North Korea is just one of the countries relentlessly pursuing their objectives through a cyber cold war that cannot de-escalate because so few of the public understand its scale or significance. More fundamental design decisions need to be made in order to curtail a process where systems become more and more attractive targets as their number of users grows. But none of the world’s leaders, whether they work in business or government, are motivated to make those decisions. They always think bigger is better. This is bad news for ordinary people, whose interests will be trampled upon because information is so readily stolen.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.