A blame game seems to have started, after an ongoing supply chain attack that utilizes a trojanized version of the 3CX Voice Over Internet Protocol (VoIP) desktop client was uncovered.
According to the CEO of 3CX, the recent supply chain attack was not caused by their own company, but instead resulted from an upstream vendor being compromised, specifically naming FFmpeg as the source of the malware payload.
However, FFmpeg has denied any involvement, stating that they do not release compiled binaries.
3CX and the supply chain attack
Security researchers uncovered a supply chain attack on 3CX, a communications software vendor used by over 600,000 organizations worldwide, including high-profile clients such as Mercedes Benz, Coca-Cola, and American Express.
The attack is believed to have targeted the vendor’s VoIP systems, affecting the Windows Electron client for customers running update 7.
Customers have reported suspicious activity on the software maker’s forums since March 22, but only today has 3CX CEO Nick Galea confirmed the malware infection.
The malicious activity observed in the supply chain attack includes activities such as beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and hands-on keyboard activity.
3CX has acknowledged the security issue, specifying that it affects the Update 7 for Electron Windows App with version numbers 18.12.407 and 18.12.416, as well as the Electron Mac App with version numbers 18.11.1213, 18.12.402, 18.12.407, and 18.12.416.
According to SentinelOne, the trojanized 3CXDesktopApp is just the first stage in a multi-stage attack chain that aims to steal information from Chrome, Edge, Brave, and Firefox.
“The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from Github and ultimately leads to a 3rd stage infostealer DLL still being analyzed as of the time of writing,” said the SentinelOne threat assessment report.
“Our investigation into the threat actor behind this supply chain is ongoing. The threat actor has registered a sprawling set of infrastructure starting as early as February 2022, but we don’t yet see obvious connections to existing threat clusters,” it added.
3CX, FFmpeg, and blame game
“Unfortunately this happened because of an upstream library we use became infected,” said CEO Nick Galea in a discussion in the 3CX blog post about the possible root cause.
The discussion indicated FFmpeg, the free and open-source software project consisting of a suite of libraries and programs for handling video, audio, and other multimedia files and streams.
The response has been removed since then.
“There have been several incorrect reports that FFmpeg has been involved in the distribution of malware,” said a tweet by @FFmpeg.
“FFmpeg only provides source code and the source code has not been compromised. Any “ffmpeg.dll” that has been compromised is the responsibility of the vendor,” it added.
There have been several incorrect reports that FFmpeg has been involved in the distribution of malware.
FFmpeg only provides source code and the source code has not been compromised. Any "ffmpeg.dll" that has been compromised is the responsibility of the vendor.
— FFmpeg (@FFmpeg) March 30, 2023
3CX supply chain crisis: present status
Over 600,000 companies 3CX Voice Over Internet Protocol (VOIP) Windows desktop client, with about 12,000,000 users. The ripple effects of 3CX has been huge.
Cybersecurity company Sophos has identified a MacOS variant infected. Patrick Wardle, the creator of the Mac security website and tool suite Objective-See, confirmed on March 30 that MacOS installer is trojanized.
“We have identified the limited deployment of a second-stage payload for Mac infections. We have updated our IOCs to reflect MacOS components. Our telemetry now sets the earliest infection attempt as March 8, 2023,” said the SentinelOne report.
A 3CX user and who has the company’s Desktop App on Windows or macOS should uninstall it right away and check the computer and its logs for “tell-tale signs of the malware”, warned the Spohos report on the situation.
“The malware-laced versions were apparently built and distributed by 3CX itself, so they have the digital signatures you’d expect from the company, and they almost certainly came from an official 3CX download server,” said the report.
“In other words, you aren’t immune just because you steered clear of alternative or unofficial download sites. Known-bad product version numbers can be found in 3CX’s security alert.”