A VoIP service used by some of the world's biggest firms has been hacked

Trojan
(Image credit: wk1003mike / Shutterstock)

Cybersecurity researchers have warned of threat actors abusing a flaw in a VoIP solution used by some of the world's biggest brands

Multiple cybersecurity companies have rung the alarm on 3CX, including Sophos, and CrowdStrike, saying threat actors are actively targeting users of compromised 3CX desktop clients on both Windows and macOS.

The VoIP platform from 3CX has more than 600,000 customers and more than 12 million daily users, according to a report by BleepingComputer, with customers including the likes of American Express, Coca-Cola, McDonald’s, BMW, and many others. 

Stealing sensitive data

The vulnerable versions of the 3CXDesktop App include 18.12.407 and 18.12.416 for Windows and 18.11.1213 for macOS. One of the trojanized clients was digitally signed in early March, with a legitimate 3CX certificate issued by DigiCert, the publication found.

"The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," CrowdStrike says. "The most common post-exploitation activity observed to date is the spawning of an interactive command shell," Sophos’ report reads.

Another cybersecurity firm, SentinelOne, added that the malware is capable of stealing system information, as well as data stored in Chrome, Edge, Brave, and Firefox browsers. These often include login credentials and payment information.

While the researchers can’t reach a consensus on the identity of the attackers, CrowdStrike suspects Labyrinth Collima, a North Korean state-sponsored hacking group.

"LABYRINTH CHOLLIMA is a subset of what has been described as Lazarus Group, which includes other DPRK-nexus adversaries, including SILENT CHOLLIMA and STARDUST CHOLLIMA."

The company acknowledged the attack on its blog and confirmed it’s working on a fix:

“We regret to inform our partners and customers that our Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416, includes a security issue. Anti Virus vendors have flagged the executable 3CXDesktopApp.exe and in many cases uninstalled it,” the announcement reads. “The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT. We’re still researching the matter to be able to provide a more in depth response later today.”

“In the meantime we apologize profusely for what occurred and we will do everything in our power to make up for this error.”

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.