3CX Supply Chain Attack: What Happened and What You Need to Do?
Software supply-chain attacks, in which attackers tamper with a widely used application so that its own distribution channel delivers their malicious code to a large number of devices, have become a significant problem. They are covert and capable of causing widespread damage. The most recent attack of this kind, attributed to hackers purportedly working for the North Korean government, hid malicious code in the installer for 3CX, a widely used VoIP application. Surprisingly, the goal appears to have been narrow: gaining access to a handful of cryptocurrency companies.
3CX is a provider of private branch exchange (PBX), video conferencing, and live chat software. 3CX can be deployed on-premises on either Windows or Linux, or it can be hosted in your own cloud account or by 3CX.
3CX CEO Nick Galea has confirmed that the company was the victim of a cyber attack. 3CX says its primary objective in responding is transparency: sharing accurate, reliable details about the attack and the actions it is taking. The investigation is ongoing and the situation is evolving rapidly, so the company aims to publish only validated information that customers can act on. To determine the root cause and prevent a recurrence, 3CX is working closely with its advisers from Mandiant.
According to Kaspersky's incident analysis, the attackers behind the 3CX compromise used the trojanized application to deliver a highly adaptable backdoor called Gopuram to selected target devices; the researchers described Gopuram as the "final payload" of the attack. Kaspersky also tied the activity to North Korea: Gopuram had previously been observed on the same networks as AppleJeus, another malware family associated with North Korean hackers.
On March 29th, 2023, 3CX received reports from a third party that a malicious actor was exploiting a vulnerability in its product. 3CX immediately began investigating and retained Mandiant, a leading cybersecurity firm. The initial investigation suggested the incident was carried out by a highly experienced and knowledgeable attacker. 3CX is working closely with law enforcement and other authorities.
What Is 3CX Doing?
3CX is taking several measures in response to the attack. With Mandiant's assistance, the company is conducting a comprehensive investigation that includes an in-depth security review of its web client and PWA app, with Mandiant engineers scrutinizing the source code of the web and Electron apps to identify and validate any potential vulnerabilities. The company has also received extensive support from the security industry and research community, which has contributed insights and data to the investigation.
As a gesture of appreciation for their customers' patience and support during this difficult time, 3CX is extending their subscriptions by three months, free of charge. The company has communicated the details of this extension to their partners via email. The automatic application of the extension will take place in the upcoming weeks, and further updates on this matter will follow.
What We Recommend You Do Now?