Hackers compromise 3CX desktop app in a supply chain attack

A digitally signed and trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company’s customers in an ongoing supply chain attack.

3CX is a VoIP IPBX software development company whose 3CX Phone System is used by more than 600,000 companies worldwide and has over 12 million daily users.

The company's customer list includes a long list of high-profile companies and organizations like American Express, Coca-Cola, McDonald's, BMW, Honda, Air France, Toyota, Mercedes-Benz, IKEA, and the UK's National Health Service (who published an alert on Thursday).

According to alerts from security researchers from Sophos and CrowdStrike, the attackers are targeting both Windows and macOS users of the compromised 3CX softphone app.

"The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," CrowdStrike's threat intel team said.

"The most common post-exploitation activity observed to date is the spawning of an interactive command shell," Sophos added in an advisory issued via its Managed Detection and Response service.

While CrowdStrike suspects a North Korean state-backed hacking group it tracks as Labyrinth Chollima is behind this attack, Sophos' researchers say they "cannot verify this attribution with high confidence."
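The post above quotes Sophos as saying the most common post-exploitation activity is the spawning of an interactive command shell from the compromised softphone. The following is an added example of what a defender can do with that observation; it is not code from the original post, from 3CX, or from either vendor. It runs a parent/child process rule over a handful of constructed process-creation events (shaped loosely like Sysmon Event ID 1 or a macOS exec record) and flags any interactive shell whose parent is the softphone. The parent image names `softphone.exe` / `Softphone` are placeholders chosen for the example, because the thread does not name the binary; substitute the real image names from your own telemetry.

```python
"""Flag interactive shells spawned by a softphone process.

Added example, not part of the original thread. The event format, the host
names and the parent image names are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Interactive shells on Windows and macOS (compared against the image basename).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh"}

# Placeholder for the softphone's image name (assumption, not from the page):
# matches "softphone.exe" on Windows and the "Softphone" Mach-O on macOS.
PARENT_PATTERN = re.compile(r"^softphone(\.exe)?$", re.IGNORECASE)


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Last path component, accepting both '\\' and '/' separators."""
    return re.split(r"[\\/]", path)[-1]


def is_suspicious_shell_spawn(ev: ProcEvent) -> bool:
    """True when a softphone process is the direct parent of an interactive shell."""
    parent_is_softphone = PARENT_PATTERN.search(basename(ev.parent_image)) is not None
    child_is_shell = basename(ev.image).lower() in SHELLS
    return parent_is_softphone and child_is_shell


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'key=value|key=value' event line."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return ProcEvent(fields["host"], fields["parent"], fields["image"], fields["cmdline"])


def detect(lines):
    """Return the events that match the rule, in input order."""
    return [ev for ev in map(parse_event, lines) if is_suspicious_shell_spawn(ev)]


# Constructed sample telemetry: two true positives (ws01, mac01), one benign
# child of the softphone (its updater), and a shell spawned by a different
# parent, which this rule deliberately ignores.
SAMPLE_LOG = [
    r"host=ws01|parent=C:\Program Files\Softphone\softphone.exe|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe",
    r"host=ws01|parent=C:\Program Files\Softphone\softphone.exe|image=C:\Program Files\Softphone\updater.exe|cmdline=updater.exe --check",
    r"host=ws02|parent=C:\Program Files\Microsoft Office\OUTLOOK.EXE|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe",
    r"host=mac01|parent=/Applications/Softphone.app/Contents/MacOS/Softphone|image=/bin/zsh|cmdline=zsh -i",
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"[{hit.host}] {basename(hit.parent_image)} -> {basename(hit.image)} ({hit.cmdline})")
```

The rule keys on the parent/child relationship rather than on a file hash or a signature check, which is the point for a supply chain case like this one: the trojanized client was digitally signed, so a valid signature by itself says nothing about whether the binary should be spawning a shell. In production the same logic would run against an EDR or SIEM process-creation feed instead of the constructed list.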

Cooperation Is Required to Continue Making Progress

The burden of responsibility for reducing supply chain risk historically has been on the victim, with the onus on individual enterprises to prevent their own fate, rather than on the parties responsible for releasing insecure software in the first place. It is time for that paradigm to shift, and the Biden administration's recently announced National Cybersecurity Strategy, which aims to recalibrate this dynamic, is a significant step in the right direction.

The strategy is centered around five pillars, the third of which is to "shape market forces to drive security and resilience." It is here that the heavy burden of security is lifted from end users and shared with the vendors who introduce vulnerable software to the marketplace. Too often, the strategy notes, "software makers are able to leverage their market position to fully disclaim liability by contract."