Threat Awareness – Supply Chain Compromise Against 3CXDesktopApp

Created: Thursday, March 30, 2023 - 13:53
Categories:
Cybersecurity, Security Preparedness

WaterISAC is tracking open-source reports describing an ongoing supply chain attack against 3CX software and its customers. According to the reports, 3CXDesktopApp, a voice and video conferencing softphone, was trojanized, potentially leading to multi-staged attacks against users running the trojanized app. WaterISAC is currently unaware whether the 3CX softphone is used across the water and wastewater systems sector, but is providing this information for broad awareness because this represents a supply chain compromise similar to the SolarWinds Orion and Kaseya incidents.

3CX is a VoIP IPBX software development company whose 3CX Phone System is utilized by more than 600,000 companies worldwide and has over 12 million daily users. According to security researchers, the threat actors behind this attack are targeting both Windows and macOS users of the compromised 3CX softphone app. One report notes the malicious activity involves beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of instances, hands-on-keyboard activity. Sophos reported the most common post-exploitation activity observed to date is the spawning of an interactive command shell. SentinelOne reports this malware is capable of harvesting system info and stealing data and stored credentials from Chrome, Edge, Brave, and Firefox user profiles. CrowdStrike researchers believe North Korean sponsored threat actors are behind this attack, although other researchers are unable to verify attribution with high confidence.

3CX CEO Nick Galea confirmed Thursday morning in a forum post that the 3CX Desktop application was compromised to include malware. As a result, Galea is recommending that all customers uninstall the desktop app and switch to the PWA (Progressive Web App) client instead. Members who use 3CX are encouraged to review the following resources for more information and to hunt for indicators of compromise (IOCs) to identify potential malicious activity.
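As an added illustration of the IOC hunt recommended above, the script below is not WaterISAC's or 3CX's code. It walks the desktop app's install directories on Windows and macOS (the paths are assumed defaults, not taken from the advisory), hashes every file with SHA-256, and reports any file whose hash appears in an IOC list supplied by the operator, for example one taken from the vendor's or a researcher's published report. No hashes are embedded here; the list is read from a file at run time.

```python
"""Added example: file-hash IOC sweep for a trojanized desktop app.

Not WaterISAC's or 3CX's code. The install paths are assumptions; the
IOC hash set is loaded from a file the operator supplies (vendor or
researcher published list). No indicator values are embedded here.
"""
import hashlib
import os
import platform
import sys
from pathlib import Path
from typing import Iterable, Iterator, List, Set, Tuple

# Assumed default install locations of 3CXDesktopApp (not from the advisory).
CANDIDATE_DIRS = {
    "Windows": [Path(os.environ.get("LOCALAPPDATA", "")) / "Programs" / "3CXDesktopApp"],
    "Darwin": [Path("/Applications/3CX Desktop App.app")],
}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, streamed so large Electron bundles do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def load_ioc_hashes(lines: Iterable[str]) -> Set[str]:
    """Parse an IOC list: one SHA-256 per line, '#' comments and trailing notes ignored.

    Anything that is not a 64-character hex string is dropped, so a list that
    mixes domains or MD5 values with SHA-256 entries does not poison the match set.
    """
    hashes: Set[str] = set()
    for line in lines:
        tokens = line.split("#", 1)[0].strip().split()
        if not tokens:
            continue
        candidate = tokens[0].lower()
        if len(candidate) == 64 and all(c in "0123456789abcdef" for c in candidate):
            hashes.add(candidate)
    return hashes


def iter_files(roots: Iterable[Path]) -> Iterator[Path]:
    """Yield regular files under each root; symlinks are skipped to avoid loops."""
    for root in roots:
        if root.is_file():
            yield root
        elif root.is_dir():
            for p in root.rglob("*"):
                if p.is_file() and not p.is_symlink():
                    yield p


def sweep(roots: Iterable[Path], iocs: Set[str]) -> List[Tuple[Path, str]]:
    """Return (path, sha256) for every file whose digest is in the IOC set."""
    hits: List[Tuple[Path, str]] = []
    for p in iter_files(roots):
        try:
            digest = sha256_file(p)
        except OSError:
            continue  # unreadable or vanished file: skip it, do not abort the sweep
        if digest in iocs:
            hits.append((p, digest))
    return hits


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <ioc-sha256-list.txt>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as f:
        iocs = load_ioc_hashes(f)
    roots = CANDIDATE_DIRS.get(platform.system(), [])
    hits = sweep(roots, iocs)
    for path, digest in hits:
        print(f"IOC MATCH {digest} {path}")
    print(f"{len(hits)} match(es) across {len(roots)} root(s)")
    return 1 if hits else 0  # non-zero exit lets a fleet-wide job flag hosts


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it per host with the IOC file as the only argument; a non-zero exit marks a host for isolation and follow-up, while a clean sweep only shows the binaries on disk match nothing in the list and does not rule out the beaconing or second-stage activity the reports describe.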

Additional Resources: