Hackers working on behalf of the North Korean government have pulled off a massive supply chain attack on Windows and macOS users of 3CX, a widely used voice and video calling desktop client, researchers from multiple security firms said.

The attack came to light late on Wednesday, when products from various security companies began detecting malicious activity coming from legitimately signed binaries for 3CX desktop apps. Preparations for the sophisticated operation began no later than February 2022, when the threat actor registered a sprawling set of domains used to communicate with infected devices. By March 22, security firm SentinelOne saw a spike in behavioral detections of the 3CXDesktopApp.

Security firm CrowdStrike said the infrastructure and an encryption key used in the attack match those seen in a March 7 campaign carried out by Labyrinth Chollima, the tracking name for a threat actor aligned with the North Korean government.

The attackers somehow gained the ability to hide malware inside 3CX apps that were digitally signed using the company’s official signing key. The macOS version, according to macOS security expert Patrick Wardle, was also notarized by Apple, indicating that the company analyzed the app and detected no malicious functionality. A valid signature, and notarization on top of it, attests only that a binary passed through the vendor’s signing process, not that its contents are benign, which is why signature checks alone did not catch the trojanized build and behavioral detections did. Through means that aren’t yet clear, the attack managed to distribute Windows and macOS versions of the app, which provides both VoIP and PBX services to “600,000+ customers,” including American Express, Mercedes-Benz, and PricewaterhouseCoopers.

“This is a classic supply chain attack, designed to exploit trust relationships between an organization and external parties,” Lotem Finkelstein, Director of Threat Intelligence & Research at Check Point Software, said in an email. “This includes partnerships with vendors or the use of third-party software, which most businesses are reliant on in some way. This incident is a reminder of just how critical it is that we do our due diligence in terms of scrutinizing who we conduct business with.”