Windows app for business VoIP service 3CX spreads malware after supply chain attack
The official desktop client of VoIP service 3CX has been taken over by hackers and is spreading malware after a supply chain attack. The company confirmed this on Thursday. 3CX is urging users to use its web app and is working on a solution.
3CX confirms the hack on its website. The company says Update 7 of its Windows desktop app “contains a security vulnerability.” This concerns version numbers 18.12.407 and 18.12.416. The problem appears to be in one of the bundled libraries that 3CX has compiled into its Windows app via Git. The issue affected both users who installed the app using the official installer and users who updated an existing installation.
The company says it is investigating the issues and will provide more details later on Thursday. According to 3CX, the domains contacted by the compromised libraries have been reported. Most of them are now offline. A GitHub repository listed among the domains has also been taken offline. The company speaks of a targeted attack by an advanced persistent threat, ‘maybe even state sponsored’. CrowdStrike also speaks of a possible attack by state hackers.
The attackers carried out a complex supply chain attack, according to 3CX. The infected desktop app is said to be the first stage in a chain of attacks. Hackers are said to have distributed a new payload to certain users in the form of an infected DLL. That DLL could then be used to steal system and browser information from Chrome, Edge, Brave and Firefox, says security company SentinelOne. 3CX states that this has not happened to most users, even if they did have an infected client installed. In many cases, antivirus software is also said to have blocked the infected client. The exact impact is not yet known.
3CX says it is currently working on a new Windows app without the security issue. The company will also issue a new certificate. That could take at least 24 hours, 3CX reports. In the meantime, the company recommends that users use its PWA app. That is an app that requires no installation and runs entirely in a web browser.
3CX offers, among other things, a telephone system for use in offices. The 3CX Phone System is used by more than 600,000 companies and has a total of 12 million users. 3CX customers include companies such as McDonald’s, Coca-Cola, Pepsi, IKEA, the Massachusetts Institute of Technology and the British NHS.