Researchers say hackers have compromised the VoIP desktop client of 3CX's Phone System, used by 600K+ companies and 12M+ DAUs, in an ongoing supply chain attack
https://www.3cx.com/...

Any vendor of software and services that pull in code from NPM, PIP, RubyGems etc …

Eitan Erez: This supply chain attack started unfolding not long ago as the 3CX VoIP desktop client was confirmed as compromised with malware - statement here https://www.3cx.com/... https://www.3cx.com/... …

Kyle Hanslovan: Very busy night for our team. Within our partner base, Huntress has sent out 2,595 incident reports where the 3CXDesktopApp.exe binary matches known malicious hashes …

Jason Duerden: Unfolding as we speak. SentinelOne Labs team has been tracking since March 22nd. For SentinelOne customers, no action is needed. …

Tweets:

@sophosxops: We have just updated our blog on the 3CX situation. Updated information includes: adding detail on affected versions, misuse of ffmpeg.dll, removal of malicious repository, comparison of PE shellcode loader to that used by Lazarus threat group... 1/2 https://news.sophos.com/...

Patrick Wardle / @patrickwardle: 🔖 New Blog Post: “Ironing out (the macOS details) of a Smooth Operator”. The 3CX supply chain attack also impacted macOS (+was notarized by Apple 🍎🤦🏻‍♂️). Read about discovering the macOS trojanization piece & uncovering its capabilities, IoCs, and more: https://objective-see.org/...

@huntresslabs: Overnight, the Huntress team continued to research the 3CX VoIP Software Supply Chain Attack. Our latest findings, IOCs, and screenshots of our analysis can be found here: https://www.huntress.com/...

Katie Nickels / @likethecoins: As usual, @HuntressLabs is one of my go-tos in a compromise like this because of their visibility + smart people diving in + ability to clearly communicate key info https://www.huntress.com/...

Soufiane / @s0ufi4n3: tldr: We are sorry. https://www.3cx.com/...

Jamie Levy / @gleeda: This is what we currently know about the #3cx compromise. Awesome job @_JohnHammond @embee_research @GregAke and team at @HuntressLabs! https://www.huntress.com/... #DFIR #malware #3CXpocalypse #supplychain #voip

John Hammond / @_johnhammond: 3cx official post. https://www.3cx.com/...

Chris Wysopal / @weldpond: This supply chain attack, dubbed ‘SmoothOperator’ by SentinelOne, starts when the MSI installer is downloaded from 3CX's website or an update is pushed to an already installed desktop application. https://www.bleepingcomputer.com/...

John Hammond / @_johnhammond: I wrote up what we've been tracking with the #3CX supply chain threat. Digging into the attack vector, peeling back the layers where we can — hopefully offering something of value! https://www.huntress.com/...

@vxunderground: @CrowdStrike ... .@SentinelOne has released an in-depth analysis of the malware and payload; they have dubbed it ‘SmoothOperator’. The final payload exfiltrates data from the web browsers Chrome, Edge, Brave, and Firefox. tl;dr largest data theft in history? https://www.sentinelone.com/...

Kostas / @kostastsale: There is a cred harvesting aspect, as noted by SentinelOne 👇 https://www.sentinelone.com/... This happens after the payload is downloaded from GitHub and runs in memory. DPRK is once again looking to fund their operations by emptying your people's bank accounts and bitcoin wallets.

@gi7w0rm: ⚠️ @SentinelOne is investigating an ongoing supply chain attack on the #3CXDesktopApp. 3CXDesktopApp is a voice and video conferencing Private Automatic Branch Exchange (PABX) enterprise call routing software developed by 3CX, a business communications https://www.sentinelone.com/... https://twitter.com/...
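A triage check in the spirit of the hash matching Huntress describes above, added here as an example; it is not code from Huntress, 3CX, or any of the posts quoted. It walks a directory tree, hashes only files whose names match the binaries named in the reporting (3CXDesktopApp.exe and the abused ffmpeg.dll), and reports any whose SHA-256 is on an IOC list. The IOC hash and the sample files built by `demo()` are constructed placeholders for this example, not real 3CX indicators; a real sweep would load the hashes published by the vendor or the researchers linked above.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File names called out in the reporting above; the sweep hashes only these
# so it stays fast on a large tree. Pass names=None to hash every file.
CANDIDATE_NAMES = frozenset({"3cxdesktopapp.exe", "ffmpeg.dll"})


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries never land in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, ioc_hashes, names=CANDIDATE_NAMES):
    """Return [(path, sha256)] for candidate files whose hash is in ioc_hashes.

    ioc_hashes: iterable of hex SHA-256 strings in any case.
    names: lowercase file names to consider, or None to consider every file.
    """
    iocs = {h.strip().lower() for h in ioc_hashes}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if names is not None and name.lower() not in names:
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                # Locked or vanished file: skip it rather than abort the sweep.
                continue
            if digest in iocs:
                hits.append((path, digest))
    return hits


def demo():
    """Build a throwaway tree of constructed files and run the sweep on it.

    The bytes and the IOC hash below are placeholders invented for this
    example, not real 3CX indicators.
    """
    bad = b"constructed stand-in for a trojanized build"
    good = b"constructed stand-in for a clean library"
    # Upper-case on purpose: the sweep normalises case before comparing.
    iocs = {hashlib.sha256(bad).hexdigest().upper()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "3CXDesktopApp.exe").write_bytes(bad)  # candidate name, IOC hash: hit
        (root / "ffmpeg.dll").write_bytes(good)        # candidate name, clean hash: no hit
        (root / "notes.txt").write_bytes(bad)          # IOC hash but not a candidate name: skipped
        hits = sweep(root, iocs)
        # Return basenames so the result does not depend on the temp path.
        return sorted((Path(p).name, d) for p, d in hits)


if __name__ == "__main__":
    for name, digest in demo():
        print(f"IOC match: {name} {digest}")
```

A file-hash sweep only finds builds whose hashes are already known; the in-memory payload fetched from GitHub and the notarized macOS build mentioned in the posts above need their own checks, so treat a clean sweep as one input alongside the affected-version list, not as a clearance.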