A VoIP service used by some of the world's largest companies has been hacked


Cybersecurity researchers have warned of threat actors abusing a flaw in a VoIP solution used by some of the world's biggest brands.

Several cybersecurity companies have raised the alarm about 3CX, including Sophos and CrowdStrike, saying that threat actors are actively targeting users of compromised 3CX desktop clients on Windows and macOS.

The 3CX VoIP platform has over 600,000 customers and more than 12 million daily users, according to a report by BleepingComputer, with clients including American Express, Coca-Cola, McDonald's, BMW and many more.

Stealing sensitive data

Vulnerable versions of the 3CXDesktop application include 18.12.407 and 18.12.416 for Windows and 18.11.1213 for macOS. One of the Trojan-infected clients was digitally signed in early March with a legitimate 3CX certificate issued by DigiCert, according to the post.

"Malicious activity includes tagging of actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, manual keyboard activity," CrowdStrike explains. "The most common post-exploitation activity observed to date is the creation of an interactive command shell," the Sophos report said.

Another cybersecurity firm, SentinelOne, added that the malware is capable of stealing system information, as well as data stored in Chrome, Edge, Brave and Firefox browsers. These often include login credentials and payment information.

While investigators have yet to reach a consensus on the identity of the attackers, CrowdStrike suspects Labyrinth Chollima, a North Korean state-sponsored hacking group.

"LABYRINTH CHOLLIMA is a subset of what has been described as the Lazarus Group, which includes other DPRK-linked adversaries, including SILENT CHOLLIMA and STARDUST CHOLLIMA."

3CX acknowledged the attack on its blog and confirmed that it was working on a fix:

"We regret to inform our partners and customers that our Electron Windows application delivered in Update 7, version numbers 18.12.407 and 18.12.416, includes a security issue. Antivirus vendors have reported the executable '3CXDesktopApp.exe' and in many cases uninstalled it," the post says. "The problem appears to be one of the bundled libraries that we compiled into the Windows Electron app via GIT. We're still investigating the question so we can provide a more detailed answer later today."

"In the meantime, we deeply apologize for what happened and will do everything in our power to make up for this mistake."

Via: BleepingComputer