3CX, a VoIP IPBX software development company, is the target of an ongoing supply chain attack using a digitally signed and trojanized version of the 3CX Voice Over Internet Protocol desktop client. The attack is aimed at both Windows and macOS users of the 3CX softphone app. Researchers from Sophos and CrowdStrike warn that the attack includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in some cases, hands-on-keyboard activity.
The most common post-exploitation activity observed is the spawning of an interactive command shell. While CrowdStrike suspects a North Korean state-backed hacking group, Sophos says it "cannot verify this attribution with high confidence." SentinelOne and Sophos revealed that the trojanized 3CX desktop app is being downloaded in a supply chain attack dubbed SmoothOperator. This attack begins when the MSI installer is downloaded from 3CX's website, or an update is pushed to an already installed desktop application. We also heard from top women in cyber on what this attack means for the industry, how organizations can protect themselves, and best practices for organizations to avoid becoming a victim of similar attacks.
Lorri Janssen-Anessi, Director, External Cyber Assessments, BlueVoyant
"The supply chain attack on business phone provider 3CX is clear evidence that threat actors will continue to scan, identify, and exploit vulnerabilities as they are identified. The understanding of the scale and impact of this compromise is still developing, but the recommendation is to act now to protect yourself and your organization against the potential increasing severity of this attack.
Follow the guidance by 3CX, government agencies, and others as it is presented and remediate immediately. The current 3CX recommendation is to uninstall the app containing malware and to switch to a different app.
Initial indications suggest that this may have been orchestrated by an Advanced Persistent Threat (APT), a stealthy threat actor, often state-sponsored. From our experience at BlueVoyant, every vulnerability, emerging threat, or zero-day should be addressed immediately, regardless of the responsible organization, APT or otherwise. Time is of the essence when these attacks and vulnerabilities are announced.
In addition to quick patching or protocol changes, a best practice to avoid negative impacts from incidents like this is to continuously monitor both your internal and external ecosystems. This monitoring enables a baseline so that when unexpected activities occur within your network, you can quickly address any abnormalities, and your security team can take steps to investigate and remediate them. You should also be aware of which third parties you are using and what their impact is on business operations. BlueVoyant has increasingly observed cyber criminals targeting vendors, suppliers, and other third parties, as they may have weaker security and be a route to compromise a target organization."
Kayla Underkoffler, Lead Security Technologist, HackerOne
“Cybersecurity professionals already face an uphill battle as defenders; our 2022 Attack Resistance Report found that about one-third of respondents monitor less than 75% of their attack surface, and almost 20% believe that over half of their attack surface is unknown or not observable. The complexity of attack surface monitoring compounds as attackers take the fight to a more granular level by targeting supply chain vulnerabilities.
And unfortunately, that’s exactly what we’re seeing. Malicious actors now strive to embed themselves more deeply within the enterprise tech stack because cybercriminals understand the potential impact of accessing the most sensitive areas of an organization’s network. This can be done through critical dependencies within the software supply chain or a seemingly unchecked corner of the environment.
That’s why it’s critical organizations understand what’s in their environment and how that software interacts with their critical business processes. It’s no longer enough to just document components and dependencies once in the development lifecycle and be done. Today, organizations must proactively consider new solutions to prevent attacks.
Examples of tools in use today for active monitoring of software include IBM’s recently developed SBOM Utility and License Scanner: two open-source tools that facilitate and standardize SBOM policies for organizations. These help build a living, breathing inventory of what’s in use in an organization’s current environment so organizations can respond quickly to software supply chain disruptions. Ethical hackers have also proven to be a creative resource, skilled at identifying open source and software supply chain vulnerabilities, as well as undiscovered assets that may impact an organization’s software supply chains.”