Hackers have compromised 3CX, a popular videoconferencing and business phone management application used by more than 600,000 companies.
Multiple cybersecurity providers, including CrowdStrike Holdings Inc., issued warnings about the breach on Wednesday. CrowdStrike believes the hackers behind the breach are associated with a North Korean state-backed threat actor known as Labyrinth Chollima. According to the company, the hackers are using the compromised 3CX application to launch cyberattacks against users.
The 600,000 companies that use 3CX include major enterprises such as Coca-Cola Co., McDonald’s Corp. and BMW AG. The software has about 12 million daily users worldwide.
According to BleepingComputer, signs that 3CX had been compromised began emerging more than a week ago. On March 22, multiple customers reported that their antivirus software had flagged the application as malicious. The malicious version of the 3CX application had shipped more than two weeks earlier, on March 3.
The malware sends data it steals to remote infrastructure controlled by the hackers. According to a SentinelOne Inc. analysis, some of that infrastructure was prepared as early as last February.
As part of the cyberattack, the hackers packaged malicious code into the 3CX desktop client’s installer. The Windows and Mac versions are both affected. Moreover, customers that already have 3CX installed received an update that likewise contains the malicious code.
According to CrowdStrike, the malicious installer and update are signed, so they pass the checks that would normally reject a tampered download. Code signing lets a software publisher attach a cryptographic signature to a release; a computer verifies that signature to confirm the file came from the holder of the publisher’s signing key and has not been modified since it was signed. It does not vouch for what the signed code does: if malicious code is introduced into the build before it is signed, the resulting installer carries a valid signature and looks no different to a signature check than a clean one.
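As an added example, not taken from the article or from 3CX, here is the kind of check an administrator could run on a downloaded installer before deploying it. It assumes a local file path and a list of SHA-256 hashes obtained from the vendor’s advisory or from your own previously verified builds; the function name Test-InstallerTrust, the placeholder path and the placeholder hash are assumptions of this example, not real 3CX values. It makes the point above concrete: Get-AuthenticodeSignature reporting Valid from the expected publisher is necessary but not sufficient, so the verdict only reaches ALLOW when the file’s hash also matches a known-good value.

```powershell
# Added example (not code from the article or from 3CX): inspect an installer's
# Authenticode signature and compare its SHA-256 hash against hashes you trust.
# The known-good hashes must come from a vendor advisory or your own golden
# builds; nothing here is a real 3CX hash.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $KnownGoodSha256,
        # Regex matched against the signer certificate subject (assumption: the
        # publisher name you expect to see, e.g. the vendor's company name).
        [string] $ExpectedSignerPattern = '3CX'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $signerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $signatureOk   = ($sig.Status -eq 'Valid')
    $signerMatches = ($signerSubject -match $ExpectedSignerPattern)
    $hashKnownGood = ($KnownGoodSha256 -contains $hash)   # -contains is case-insensitive

    # A valid signature from the expected publisher only proves the file was
    # signed with their key and not altered afterwards. A build trojanized
    # before signing passes that test, so the hash comparison decides.
    # Later lines override earlier ones, so the most severe finding wins.
    $verdict = 'ALLOW: signed by the expected publisher and hash is on the known-good list'
    if (-not $hashKnownGood) { $verdict = 'QUARANTINE: validly signed but hash is not on the known-good list' }
    if (-not $signerMatches) { $verdict = 'REJECT: signed by an unexpected publisher' }
    if (-not $signatureOk)   { $verdict = 'REJECT: signature missing, invalid or untrusted' }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $signerSubject
        Sha256          = $hash
        Verdict         = $verdict
    }
}

# Usage (path and hash are placeholders, not real values):
# Test-InstallerTrust -Path 'C:\Downloads\3CXDesktopApp-setup.exe' `
#                     -KnownGoodSha256 @('0000000000000000000000000000000000000000000000000000000000000000')
```

The QUARANTINE outcome is the one this incident is about: a signature that checks out, from the right publisher, on a file whose hash nobody has vouched for. For the macOS client the signature half of the same check is `codesign --verify --deep --strict`, and the hash comparison is unchanged.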
Pierre Jourdan, chief information security officer at 3CX, stated in a blog post that the malicious code appears to have originated in one of the “bundled libraries” the company ships with the application. A library is a reusable code component, typically developed by a third party, that engineers incorporate into their own software; a compromised library is a classic supply-chain entry point because it ends up inside the vendor’s own build and is signed along with it. Jourdan didn’t provide technical details about the malicious component.
According to SentinelOne, the malicious 3CX application deploys malware on users’ machines through a three-phase process. The first phase involves a pair of malicious DLL files that the hackers added to the desktop client. Once loaded, the two DLLs retrieve further malicious code from a GitHub repository. In the third phase, the code fetched from GitHub installs information-stealing malware.
That malware can collect information about the device it runs on and exfiltrate data from applications such as the Chrome browser. It reportedly uses several different tactics to reach sensitive files. Among other things, it can open an interactive command shell, the same kind of command-line interface administrators use to change a computer’s configuration and retrieve system data, which gives the attackers a way to run commands on the compromised machine by hand.
“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” CrowdStrike researchers detailed in an advisory.
Cybersecurity products from CrowdStrike, SentinelOne and multiple other antivirus providers automatically block the malicious 3CX client. In a forum post this morning, 3CX Chief Executive Officer Nick Galea reportedly advised customers to uninstall the application. Galea added that the company is working on an update that will remove the malware and promised a “full report” about the incident later today.