Hackers modified an enterprise communication company’s installation software in an attack that could steal credentials and other information from companies around the world, according to an analysis published Wednesday.
Researchers with cybersecurity firm SentinelOne’s SentinelLabs team traced illicit activity flagged by its detection systems back to the installation software from a company called 3CX, which according to its website provides video conferencing and online communication products to companies such as Toyota, McDonald’s, Pepsi and Chevron. In total, the company says it serves some 12 million customers globally.
This sort of large-scale attack that takes advantage of a company’s supply chain — similar to how attackers leveraged a flaw within a SolarWinds product update to install backdoors inside its customers’ networks — can be difficult to defend against and could lead to devastating consequences for victims. It’s also the kind of operation that is typically associated with a nation-state hacking group.
“This is an op that has been going on for a while,” said Juan Andrés Guerrero-Saade, senior director of SentinelLabs, noting that a GitHub repository associated with the campaign dates back to early December. Other infrastructure associated with the campaign dates back as far as February 2022. He added that early indications suggest “at least attempted victims upwards of 1,000 organizations, which means that it’s got to be a much larger number beyond our visibility.”
The campaign could be seen as an “enabler operation,” Guerrero-Saade added, noting that the attackers are infecting many enterprises, stealing credentials and other information, “and then figure out what you want to do with the next stage of the operation.”
Attacks on software such as this are attractive because “in addition to monitoring an organization’s communications, actors can modify call routing or broker connections into voice services from the outside,” the SentinelLabs team said in an analysis published late Wednesday.
SentinelLabs, the research arm at SentinelOne, has not attributed the attack it is calling “SmoothOperator” to any particular hacking group. But researchers at the cybersecurity firm CrowdStrike said in a blog post Wednesday that the attacks are likely the work of a group it calls “Labyrinth Chollima,” its name for one of the most prolific North Korean hacking units.
That group is known in the cybersecurity industry more widely as part of the “Lazarus Group,” which the U.S. government has linked to North Korean-directed malicious cyberactivity.
SentinelLabs has seen some overlaps in “TTP” (tactics, techniques and procedures) with North Korean-aligned hacking efforts, but so far the evidence is not conclusive, Guerrero-Saade said.
CrowdStrike also posted an alert to Reddit saying it had “observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp,” that included “beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.” The app is available for Windows, macOS, Linux and mobile platforms, CrowdStrike said in a subsequent blog post, but so far its detections had only observed the malicious activity on Windows and macOS.
3CX has its global headquarters in Florida and offices around the world. 3CX CEO Nick Galea said in a statement posted to the company’s support forum Thursday morning that the company learned of the issue with its 3CX DesktopApp late Wednesday and that the company would release an update “in the coming hours.”
He added that “my team and myself apologize profusely for this issue.”
A blog post by company CISO Pierre Jourdan on Thursday listed the app versions affected in the campaign and noted that “the majority” of the domains used as part of the campaign have been taken down, “effectively rendering it harmless.” Jourdan added that “this appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware. The vast majority of systems, although they had the files dormant, were in fact never infected.”
On Wednesday a user listed as a “Bronze Partner” in the company’s support forum posted an apparent response from a company contact saying that the company was aware of the issue, and another from “3CX Support” saying that the “issue reported is due to some virus scanners picking up the desktop app as a virus for some reason.”
Christian Vasquez contributed reporting.
Updated March 30, 2023: This story was updated to include commentary and details from the 3CX CEO and CISO.
Updated March 29, 2023: This story was updated to reflect the most accurate details in an ongoing investigation into the suspected supply chain cyberattack.