{"id":20892,"date":"2023-03-30T10:51:00","date_gmt":"2023-03-30T14:51:00","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/supply-chain-attack-on-3cx\/20892\/"},"modified":"2023-04-05T11:57:20","modified_gmt":"2023-04-05T07:57:20","slug":"supply-chain-attack-on-3cx","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/supply-chain-attack-on-3cx\/20892\/","title":{"rendered":"Supply-chain attack on 3CX clients"},"content":{"rendered":"<p>Various media sources are <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack\/\" target=\"_blank\" rel=\"nofollow noopener\">reporting<\/a> a mass supply-chain attack targeting <a href=\"https:\/\/en.wikipedia.org\/wiki\/3CX_Phone_System\" target=\"_blank\" rel=\"nofollow noopener\">3CX VoIP telephony system<\/a> users. Unknown attackers have managed to infect 3CX VoIP applications for both Windows and macOS. Now the cybercriminals are attacking their users via a weaponized application signed with a valid 3CX certificate. The list of those users is quite something \u2014 consisting of more than 600,000 companies, including well-known brands from all over the world (American Express, BMW, Air France, Toyota, IKEA). A number of researchers have dubbed this malicious attack SmoothOperator.<\/p>\n<p>Apparently, trojans are hiding in all versions of the software that were released after March 3; that is, builds 18.12.407 and 18.12.416 for Windows, and 18.11.1213 and newer for macOS. 
According to 3CX representatives, the malicious code got into the program because of some unnamed trojanized open-source component that was used by the development team.<\/p>\n<h2>The attack via trojanized 3CX software<\/h2>\n<p>Citing researchers from various companies, BleepingComputer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack\/\" target=\"_blank\" rel=\"nofollow noopener\">describes<\/a> the attack mechanism via a trojanized Windows client as follows:<\/p>\n<ul>\n<li>The user either downloads an installation package from the company\u2019s official website and runs it, or receives an update for an already installed program;<\/li>\n<li>Once installed, the trojanized program creates several malicious libraries, which are used for the next stage of the attack;<\/li>\n<li>The malware then downloads .ico files hosted on GitHub with additional lines of data inside;<\/li>\n<li>These lines are then used to download the final malicious payload \u2014 the one used to attack end users.<\/li>\n<\/ul>\n<p>The mechanism for attacking macOS users is somewhat different. You can find its <a href=\"https:\/\/objective-see.org\/blog\/blog_0x73.html\" target=\"_blank\" rel=\"nofollow noopener\">detailed description<\/a> on the website of the Objective-See non-profit foundation.<\/p>\n<h2>What are the hackers after?<\/h2>\n<p>The downloaded malware is able to gather information about the system, as well as steal data and saved credentials from Chrome, Edge, Brave, and Firefox browsers\u2019 user profiles. In addition, attackers can deploy an interactive command shell, which, theoretically, allows them to do almost anything with the victim\u2019s computer.<\/p>\n<p>Kaspersky experts studied the backdoor used by attackers as part of the final payload. According to their analysis, this backdoor, dubbed Gopuram, was employed mainly in attacks on cryptocurrency-related companies. 
Based on a number of clues, experts also suspect that the Lazarus group was behind the attack. Details on the Gopuram backdoor, along with indicators of compromise, can be found <a href=\"https:\/\/securelist.com\/gopuram-backdoor-deployed-through-3cx-supply-chain-attack\/109344\/\" target=\"_blank\" rel=\"nofollow noopener\">in a post on the Securelist blog<\/a>.<\/p>\n<h2>Why is this attack especially dangerous?<\/h2>\n<p>According to BleepingComputer, the trojanized version of the program is signed with a legitimate 3CX Ltd. certificate issued by Sectigo and timestamped by DigiCert \u2014 the same certificate used in earlier versions of the 3CX program.<\/p>\n<p>Moreover, according to Objective-See, the macOS version of the malware isn\u2019t only signed with a valid certificate, but also notarized by Apple! This means that the application is allowed to run on recent versions of macOS.<\/p>\n<h2>How to stay safe<\/h2>\n<p>The application\u2019s developers recommend urgently uninstalling trojanized versions of the program and using the VoIP web client until the update is released.<\/p>\n<p>It\u2019s also wise to conduct a thorough investigation of the incident to make sure that attackers haven\u2019t had time to take over your company\u2019s computers. 
In general, in order to control what\u2019s happening on the corporate network and to detect malicious activity in a timely manner, we recommend using <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/managed-detection-and-response?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Managed Detection and Response (MDR)-class<\/a> services.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals are attacking 3CX VoIP telephony software users via trojanized applications.<\/p>\n","protected":false},"author":2698,"featured_media":20893,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[1328,1758,692,113],"class_list":{"0":"post-20892","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-macos","11":"tag-supply-chain","12":"tag-trojans","13":"tag-windows"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/supply-chain-attack-on-3cx\/20892\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/supply-chain-attack-on-3cx\/25459\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/supply-chain-attack-on-3cx\/28063\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/supply-chain-attack-on-3cx\/25758\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/supply-chain-attack-on-3cx\/26141\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/supply-chain-attack-on-3cx\/28597\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/supply-chain-attack-on-3cx\/34955\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/supply-chain-attack-on-3cx\/47698\/"},{"hreflang":"fr","ur
l":"https:\/\/www.kaspersky.fr\/blog\/supply-chain-attack-on-3cx\/20381\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/supply-chain-attack-on-3cx\/21004\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/supply-chain-attack-on-3cx\/29961\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/supply-chain-attack-on-3cx\/33596\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/supply-chain-attack-on-3cx\/26061\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/supply-chain-attack-on-3cx\/31770\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/supply-chain-attack-on-3cx\/31457\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/supply-chain\/","name":"supply chain"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20892","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2698"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=20892"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20892\/revisions"}],"predecessor-version":[{"id":20910,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20892\/revisions\/20910"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/20893"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=20892"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=20892"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/
blog\/wp-json\/wp\/v2\/tags?post=20892"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}