Hackers Compromise 3CX Phone Provider, Jeopardizing Operations of Thousands of Businesses

Category: Application Security | Industry: Global | Level: Tactical | Sources: CrowdStrike, SentinelOne & Sophos

The desktop app of 3CX, an enterprise phone company that provides phone systems to over 600,000 companies with more than 12 million daily users, has been compromised through a supply-chain attack: the attackers tampered with the application that 3CX ships to its customers. This potentially affects thousands of businesses, including major companies such as American Express, Mercedes-Benz, BMW, Coca-Cola, McDonald's, Holiday Inn, IKEA, Honda, Toyota, and the UK's National Health Service (NHS). The impact of the attack on these companies is still uncertain.

Several cybersecurity firms, including SentinelOne, Sophos, and CrowdStrike, have reported the intrusion, but they differ on the identity of the group responsible. CrowdStrike attributes it to Labyrinth Chollima (aka Lazarus Group), a North Korean hacking group, and describes the attack as having "suspected nation-state involvement," whereas SentinelOne sees no clear connection to existing threat clusters and tracks the activity as "SmoothOperator." Sophos did not weigh in on the threat actor, but its vice president of managed threat response summarized the technique: "The attackers have managed to manipulate the application to add an installer which uses DLL sideloading to ultimately retrieve a malicious, encoded payload." According to the cybersecurity firms, the attackers are targeting both Windows and macOS operating systems.
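The two signals a defender can act on from the reporting above are the execution of the trojanized 3CXDesktopApp.exe itself and the DLL sideloading it performs (a DLL placed next to a signed executable is resolved from the application directory before the system directories). The following is an added example, not Anvilogic's, 3CX's, or any vendor's code: it runs both checks over a handful of constructed Sysmon-style events. It assumes the events are dicts keyed by Sysmon field names (Event ID 1 ProcessCreate with Image/ProcessId, Event ID 7 ImageLoad with Image/ImageLoaded/Signed/Signature), and the publisher string EXPECTED_SIGNER is an assumed placeholder to be confirmed against a known-good install; the sample events, paths and DLL names are constructed for the example.

```python
"""Added detection example for the 3CX supply-chain case (not Anvilogic's or
3CX's code). Two checks over Sysmon-style events: 3CXDesktopApp.exe execution,
and a DLL sideloading heuristic for DLLs that process loads from its own directory.

Assumptions (not from the original page): events are dicts using Sysmon field
names (EventID 1 = ProcessCreate, EventID 7 = ImageLoad), and the legitimate
publisher string on the app's binaries is EXPECTED_SIGNER.
"""
from pathlib import PureWindowsPath

TARGET_EXE = "3cxdesktopapp.exe"
# Assumed publisher string; verify against a known-good install before use.
EXPECTED_SIGNER = "3CX Ltd"

# Constructed sample telemetry, not real logs.
APP_DIR = r"C:\Users\alice\AppData\Local\Programs\3CXDesktopApp\app"
APP_EXE = APP_DIR + r"\3CXDesktopApp.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": APP_EXE,
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Normal load from System32: not in the app directory, ignored.
    {"EventID": 7, "ProcessId": 4120, "Image": APP_EXE,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Vendor DLL beside the exe, signed by the vendor: expected.
    {"EventID": 7, "ProcessId": 4120, "Image": APP_EXE,
     "ImageLoaded": APP_DIR + r"\vendor.dll",
     "Signed": "true", "Signature": EXPECTED_SIGNER},
    # Unsigned DLL beside the exe carrying a system DLL's name: sideload candidate.
    {"EventID": 7, "ProcessId": 4120, "Image": APP_EXE,
     "ImageLoaded": APP_DIR + r"\version.dll",
     "Signed": "false", "Signature": ""},
    # Same-directory DLL signed by a different publisher: also a candidate.
    {"EventID": 7, "ProcessId": 4120, "Image": APP_EXE,
     "ImageLoaded": APP_DIR + r"\helper.dll",
     "Signed": "true", "Signature": "Some Other Publisher"},
    # Unrelated process: ignored.
    {"EventID": 1, "ProcessId": 5001, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def check_events(events, expected_signer=EXPECTED_SIGNER):
    """Return findings as (rule, process_id, detail) tuples, in event order."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if _name(image) != TARGET_EXE:
            continue
        if ev.get("EventID") == 1:
            findings.append(("3CXDesktopApp.exe Execution", ev["ProcessId"], image))
        elif ev.get("EventID") == 7:
            dll = ev.get("ImageLoaded", "")
            # Sideloading works because the loader resolves a bare DLL name from
            # the application's own directory first, so only same-directory
            # loads are candidates here.
            if _parent(dll) != _parent(image):
                continue
            unsigned = ev.get("Signed", "false").lower() != "true"
            foreign = ev.get("Signature", "") != expected_signer
            if unsigned or foreign:
                reason = "unsigned" if unsigned else f"signed by {ev['Signature']!r}"
                findings.append(("Possible DLL sideload", ev["ProcessId"],
                                 f"{dll} ({reason})"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in check_events(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

On the sample events this yields one execution finding and two sideload findings (version.dll and helper.dll), while kernel32.dll and the vendor-signed DLL pass. The signer check is a heuristic, not a verdict: a payload appended to or embedded in a DLL that still carries a valid signature would pass it, so pair it with file-hash comparison against a known-good installation and treat the process-level rule as the baseline alert.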

Anvilogic Use Cases:

  • AVL_UC17332 - 3CXDesktopApp.exe Execution

