Cyber security analysts warn of hackers exploiting vulnerability in VoIP solution used by some of the world’s biggest brands
Many cybersecurity companies, including Sophos and CrowdStrike, have sounded the alarm about 3CX, reporting that cybercriminals are actively targeting users of trojanized 3CX desktop clients on both Windows and macOS.
3CX’s VoIP platform has more than 600,000 customers and more than 12 million daily users, according to a report by BleepingComputer, with customers including American Express, Coca-Cola, McDonald’s, BMW, and many more.
Theft of sensitive data
The affected versions of the 3CX desktop app are 18.12.407 and 18.12.416 for Windows and 18.11.1213 for macOS. As stated in the publication, one of the infected clients was digitally signed in early March with a legitimate 3CX certificate issued by DigiCert, so a valid code signature alone did not distinguish the malicious build from a clean one.
“Malicious activity includes sending signals to actor-controlled infrastructure, deploying second-stage payloads, and, in a small number of cases, hands-on keyboard activities,” says CrowdStrike. “The most common post-exploitation observed so far is the spawning of the interactive command shell,” the Sophos report reads.
Another cybersecurity company, SentinelOne, added that the malware can steal system information as well as data stored in the Chrome, Edge, Brave and Firefox browsers. Such browser data often includes login details and payment information.
While researchers have not reached a consensus on the identity of the attackers, CrowdStrike suspects Labyrinth Chollima, a North Korean state-sponsored hacker group.
“LABYRINTH CHOLLIMA is a subset of what has been described as the Lazarus Group, which includes other DPRK-nexus opponents including SILENT CHOLLIMA and STARDUST CHOLLIMA.”
3CX confirmed the attack on its blog and said that it was working on a fix:
“We regret to inform our partners and customers that our Electron Windows application, delivered in update 7, version numbers 18.12.407 and 18.12.416, contains a security issue. Antivirus vendors flagged the 3CXDesktopApp.exe executable and in many cases uninstalled it,” reads the announcement. “The problem seems to be with one of the bundled libraries we compiled into the Windows Electron application via GIT. We are still investigating the matter to be able to provide a more detailed answer today.”
“In the meantime, we are very sorry for what happened and we will do everything we can to fix this error.”
By: BleepingComputer