Researchers are warning organizations to be aware of a recently uncovered supply chain attack
Worldwide
March 2023 by WithSecure™
The attack impacts a 3CX VOIP application and affects organizations all over the world. WithSecure Intelligence researchers have observed affected organizations in several different countries, including but not limited to France, Germany, the Netherlands, the UK, and the US.
The attack has been ongoing since early February. According to telemetry analyzed by WithSecure Intelligence, a compromised version of the macOS-based installer was seen in early February 2023, while Windows-based installers were seen trending in mid-March 2023.
Tim West, head of WithSecure’s Threat Intelligence team, warns that while some steps have been taken to mitigate the threat, organizations should consider additional measures until the situation has stabilized.
“Working with other researchers in the industry, we’ve been able to ascertain that recent versions of 3CX’s desktop VOIP application had been compromised by an actor prior to the build process, resulting in poisoned, yet trusted, installer files being pushed to customers. On Windows hosts, the malware requires an external connection to a GitHub repository that has since been removed. This means it is likely that, without threat actor intervention, current infection chains will fail. This is not necessarily the case for all macOS samples observed.
Until such a time comes that 3CX are able to provide assurance, organizations may wish to mitigate the risk by removing or restricting 3CX applications from internet-facing positions. This action will stop 3CX software from working to its intended purpose. 3CX recommends uninstalling the desktop application and using Progressive Web App clients instead.”