A digitally signed and trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company’s customers in an ongoing supply chain attack.
3CX is a VoIP IPBX software development company whose 3CX Phone System is used by more than 600,000 companies worldwide and has over 12 million daily users.
The
company's customer list includes a long list of high-profile companies and organizations like American Express, Coca-Cola, McDonald's, BMW, Honda, Air France, Toyota, Mercedes-Benz, IKEA, and the UK's National Health Service (who
published an alert on Thursday).
According to alerts from security researchers from Sophos and CrowdStrike, the attackers are targeting both Windows and macOS users of the compromised 3CX softphone app.
"The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," CrowdStrike's threat intel team
said.
"The most common post-exploitation activity observed to date is the spawning of an interactive command shell," Sophos added in an advisory issued via its Managed Detection and Response service.
While CrowdStrike suspects a North Korean state-backed hacking group it tracks as
Labyrinth Collima is behind this attack, Sophos' researchers say they "cannot verify this attribution with high confidence."
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
