Cybersecurity researchers have warned of threat actors abusing a flaw in a VoIP solution (opens in new tab) used by some of the world's biggest brands
Multiple cybersecurity companies have rung the alarm on 3CX, including Sophos, and CrowdStrike, saying threat actors are actively targeting users of compromised 3CX desktop clients on both Windows and macOS.
The VoIP platform from 3CX has more than 600,000 customers and more than 12 million daily users, according to a report by BleepingComputer, with customers including the likes of American Express, Coca-Cola, McDonald’s, BMW, and many others.
Stealing sensitive data
The vulnerable versions of the 3CXDesktop App include 18.12.407 and 18.12.416 for Windows and 18.11.1213 for macOS. One of the trojanized clients was digitally signed in early March, with a legitimate 3CX certificate issued by DigiCert, the publication found.
“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” CrowdStrike says. “The most common post-exploitation activity observed to date is the spawning of an interactive command shell,” Sophos’ report reads.
Another cybersecurity firm, SentinelOne, added that the malware is capable of stealing system information, as well as data stored in Chrome, Edge, Brave, and Firefox browsers. These often include login credentials and payment information.
While the researchers can’t reach a consensus on the identity of the attackers, CrowdStrike suspects Labyrinth Collima, a North Korean state-sponsored hacking group.
“LABYRINTH CHOLLIMA is a subset of what has been described as Lazarus Group, which includes other DPRK-nexus adversaries, including SILENT CHOLLIMA and STARDUST CHOLLIMA.”
The company acknowledged the attack on its blog and confirmed it’s working on a fix:
“We regret to inform our partners and customers that our Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416, includes a security issue. Anti Virus vendors have flagged the executable 3CXDesktopApp.exe and in many cases uninstalled it,” the announcement reads. “The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT. We’re still researching the matter to be able to provide a more in depth response later today.”
“In the meantime we apologize profusely for what occurred and we will do everything in our power to make up for this error.”
Via: BleepingComputer (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba