3CX is a popular VoIP IPBX software development company that offers a range of services and solutions for businesses around the world. Their 3CX Phone System is used by over 600,000 companies and has over 12 million daily users. The platform is known for its ease of use and affordability, making it a popular choice for small to medium-sized businesses.
3CX is used by a long list of high-profile companies and organizations, including American Express, Coca-Cola, McDonald’s, BMW, Honda, Air France, Toyota, Mercedes-Benz, IKEA, and the UK’s National Health Service. Unfortunately, this also makes 3CX a prime target for cyber attacks and highlights the importance of having robust security measures in place.
Recently, a digitally signed and trojanized version of the 3CX Voice over Internet Protocol (VoIP) desktop client was used in an ongoing supply chain attack, targeting both Windows and macOS users. The attack involves beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and hands-on-keyboard activity. The most common post-exploitation activity observed to date is the spawning of an interactive command shell.
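Because the trojanized client carried a valid signature, a code-signing check alone would not have caught it; the behaviour described above (a softphone client spawning a shell) is a better hunting signal. The following is an added detection example written for this post, not 3CX's code; the client image names and the event field names are assumptions, and the telemetry is constructed.

```python
"""Flag an interactive shell spawned by the VoIP desktop client.

Runs over process-creation events (shape modelled on an EDR/Sysmon
process-create record) and returns every event whose parent is the
softphone client and whose child is a command interpreter.
"""
from typing import Iterable

# Assumed image names for the desktop client; verify against your inventory.
VOIP_CLIENT_IMAGES = {"3cxdesktopapp.exe", "3cx desktop app"}
# Interactive shells on Windows and macOS.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh"}


def image_name(path: str) -> str:
    """Return the lower-cased final path component for either separator style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_shell_from_voip_client(event: dict) -> bool:
    """True when the parent is the VoIP client and the child is a shell.

    A valid signature on the parent does not clear the event: the trojanized
    client was signed, so 'parent_signed' is kept for context, never used to
    suppress a hit.
    """
    parent = image_name(event.get("parent_image", ""))
    child = image_name(event.get("image", ""))
    return parent in VOIP_CLIENT_IMAGES and child in SHELL_IMAGES


def find_shell_spawns(events: Iterable[dict]) -> list[dict]:
    """Return the matching events, preserving input order."""
    return [e for e in events if is_shell_from_voip_client(e)]


# Constructed sample telemetry (not real events from the incident).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": r"C:\Program Files\3CXDesktopApp\3CXDesktopApp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "parent_signed": True},
    {"host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\3CXDesktopApp\3CXDesktopApp.exe", "parent_signed": True},
    {"host": "mac02", "parent_image": "/Applications/3CX Desktop App.app/Contents/MacOS/3CX Desktop App",
     "image": "/bin/zsh", "parent_signed": True},
    {"host": "ws03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "parent_signed": True},
]

if __name__ == "__main__":
    for hit in find_shell_spawns(SAMPLE_EVENTS):
        print(f"{hit['host']}: {image_name(hit['parent_image'])} -> "
              f"{image_name(hit['image'])} (parent signed: {hit['parent_signed']})")
```

Only the first and third sample events fire; a user launching the client from Explorer, or a shell with an unrelated parent, does not.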
The attackers are suspected to be a North Korean state-backed hacking group known as Labyrinth Chollima, which overlaps with other threat actors tracked as Lazarus Group by Kaspersky, Covellite by Dragos, UNC4034 by Mandiant, Zinc by Microsoft, and Nickel Academy by Secureworks.
To protect against potential cyber attacks, it’s important to have robust security measures in place. This includes keeping software up to date, using anti-virus software, and implementing multi-factor authentication. Additionally, it’s important to conduct regular security audits and penetration testing to identify vulnerabilities and address them before they can be exploited.