Supply chain attack targets millions of phone system users through trojanized 3CX app

Cybersecurity firms have been warned of a supply chain attack targeting downstream customers using a trojanized 3CX software

Multiple cybersecurity firms have warned of a supply chain attack using a trojanized version of 3CX's software to target downstream customers. 

3CX is a phone system developer used by more than 600,000 organizations worldwide, including American Express, BMW, McDonald’s, and the U.K.'s National Health Service. The attack, dubbed "Smooth Operator," involves the delivery of trojanized 3CXDesktopApp installers to install infostealer malware inside corporate networks, capable of stealing data and stored credentials from Google Chrome, Microsoft Edge, Brave, and Firefox user profiles. 

Researchers report that attackers are targeting both the Windows and macOS versions of the compromised VoIP app. The Linux, iOS, and Android versions appear to be unaffected. The attackers are believed to be the North Korean threat actor Labyrinth Chollima, a subgroup of the notorious Lazarus Group. It appears to be a targeted attack from an Advanced Persistent Threat, perhaps even state-sponsored. 

If you are a 3CX user, the company suggests uninstalling the app and installing it again or using its PWA client as a workaround. While we don't know how many organizations have been potentially compromised, Shodan.io reports that there are currently over 240,000 publicly exposed 3CX phone management systems. 

Stay vigilant and take immediate action if you suspect any suspicious activity.