What Happened

Recently, 3CX – a renowned VoIP provider – experienced a supply chain breach that had a significant impact on its desktop application. Reports indicate that one of the libraries employed in the 3CXDesktopApp was attacked, thus enabling malicious activity to take place. This was brought to light in a post by Crowdstrike on March 29th, 2023. 3CX has since confirmed today that their desktop application was compromised via an infected library used by the app.

Crowdstrike detected what they have referred to as “hand-on-keyboard” in a small number of cases. This suggests that rather than depending solely on automated tools, the perpetrator of this malicious act was manually controlling it. Crowdstrike also mentioned that they saw second-stage payloads being downloaded in some cases but the specifics are unknown at this time.

This incident brings to light an increasing danger of supply chain assaults, where a hacker aims at a third-party feature or service utilized by a goal organization, rather than targeting it directly. Such an attack can be tricky to discover since it allows a culprit to access their victim’s systems via an evidently legitimate route.

While it is unknown how exactly the attackers were able to gain access, what’s certain is that other firms may have also been affected by this same attack vector. Companies must take all possible measures to ensure the safety of their third-party services and components to better protect themselves from such threats.

Who’s Responsible

Currently, there is no confirmed source of the attack. Yet, ransomware groups are a likely culprit, considering their prior attacks on supply chains and external parts. This instance demonstrates the significant risk that ransomware poses to organizations and the necessity for strong cybersecurity measures to be taken in order to guard against these kinds of invasions.

What We’re Doing

CyberMaxx is actively blocking the domains provided by Crowdstrike since yesterday’s (3/29) announcement.

CyberMaxx searched existing EDR customers for the indicators provided by Crowdstrike after the information became available (3/29).

What You Should Do

Companies should be checking their logs for connections to the domains from Crowdstrike – Found here. If companies are using the 3CXDesktopApp, 3CX has recommended that the client be uninstalled and replaced with a new client. Contact 3CX support if you need guidance on this. If the company has an MDR services provider, contacting them immediately is also recommended.