A malicious version of 3CXDesktop has been spotted by cybersecurity researchers, indicating a possible attack on its developer’s supply chain. The dangerous edition delivers all the functionality of the original, but comes with malicious files that, when executed on the system, download malware from remote servers, as if this were part of the normal installation process.

The app, whose version for computers has more than 12 million downloads, is reportedly distributed globally. The report by the cybersecurity company Check Point Software does not provide details on the spread or the entry vector of the exploitation, but it points out that this is a classic case of a supply chain attack, in which criminals gain access to legitimate networks or systems in order to insert malicious content.

“The scam is designed to exploit trust relationships between an organization and external parties, including partnerships with vendors or the use of third-party software,” explains Lotem Finkelstein, Director of Threat Intelligence and Research at Check Point Software. According to him, it was not possible to detect when the malicious entries were inserted into the legitimate application.

In any case, once installed on a system, the application also opens the door to malware, which can be used to steal data or create backdoors for new intrusions, to name just two examples. With corporate software, espionage is always a consideration, and the risk of information leakage increases significantly.

Delay in action

Considering the list of 3CX customers, which includes names like American Express, McDonald’s, Coca-Cola, BMW, Honda, Mercedes-Benz and AirFrance, as well as UK government bodies, the case becomes more serious. The matter became more complicated still because reports emerged about a week ago on the company’s support forums without any immediate action being taken.

The manufacturer only acknowledged the problem this Thursday (30), confirming the compromise of its desktop applications. While the company evaluates what happened, the security recommendation is to uninstall previous versions and install a new one, in addition to carrying out security scans to detect any malware downloaded to the system.

Going further, the CEO of 3CX, Nick Galea, stated that the supply chain attack did not happen due to an invasion of the company’s internal systems, a possibility that had been raised, even in connection with threat actors linked to rival governments. According to the executive, the problem was located in libraries linked to the Windows Electron application, which were downloaded from GitHub and had been compromised by criminals. These components have already been removed from current versions of the Voice over IP application.

With information from Bleeping Computer.
