Supply-chain attack on business phone provider 3CX could impact thousands of companies

Hackers may have compromised the networks of thousands of businesses due to a supply-chain attack on the enterprise phone company 3CX, which confirmed on Thursday its desktop app had been bundled with malware.

3CX provides office phone systems to more than 12 million daily users at over 600,000 companies, as it claims on its website, including Mercedes-Benz, Coca-Cola and the United Kingdom's National Health Service.

The extent of the impact on these companies is not yet clear. The Record has contacted them for comment. A spokesperson for Mercedes-Benz declined to respond. American Express said that despite being listed on 3CX’s website they were not a client of the company and did not use 3CX’s software.

In a statement published on the company’s community forum Thursday morning, founder and chief executive Nick Galea confirmed that “the 3CX DesktopApp has a malware in it.”

Later Thursday, the company’s chief information security officer, Pierre Jourdan, said the intrusion was the work of highly skilled hackers.

"Worth mentioning - this appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware," Jourdan wrote on the company’s website.

Galea said the issue had been reported to the company on Wednesday night, when several cybersecurity companies including SentinelOne, Sophos and CrowdStrike had gone public with reports about the intrusion.

In a Twitter thread, Galea said it was "surprising" that SentinelOne's Juan Andres Guerrero-Saade had not reported the compromise to 3CX sooner.

Guerrero-Saade countered that SentinelOne's detections had been raised in 3CX's support forums since March 22nd but were not addressed.

“We were busy protecting customers, taking down the Github infra, and analyzing next stage payloads. Happy to collaborate in the future,” wrote Guerrero-Saade.

Following further criticism, Galea wrote: “Certainly not one of our finest weeks. I fully acknowledge this. We should have done a lot more and a lot faster. We apologize 150% to all concerned.”

CrowdStrike said there was "suspected nation-state involvement" in the attack by a group it calls Labyrinth Chollima and described as “one of the most prolific” hacking groups based in North Korea, although SentinelOne said “we don’t yet see obvious connections to existing threat clusters.”

Sophos reported that only the 3CX client on Windows machines appeared to be compromised, but Jourdan's post said that certain versions of the macOS were affected. Researcher Patrick Wardle also wrote a preliminary analysis of the Mac malware.

The compromised software was capable of sideloading malware designed to steal sensitive information from web browsers.

Mat Gangwer, the vice president of managed threat response at Sophos, explained: "The attackers have managed to manipulate the application to add an installer which uses DLL sideloading to ultimately retrieve a malicious, encoded payload."

Gangwer said the sideloading techniques were not novel and were similar to what was used in a campaign in which hackers used different malware in USB drives to compromise computers in Mongolia, Papua New Guinea, Ghana, Zimbabwe, and Nigeria.

Sophos did not say that the same threat actor is suspected of being involved in the 3CX attack.

Software providers have been on high alert for supply-chain intrusions since the 2020 attack on SolarWinds, which led to data breaches at companies and government agencies around the world.