30 March 2023
Recently 3CX, a large telephony software company, announced that several of their products were affected by what looks like an APT attack. They believe that malware was injected into a package they compiled into their Electron desktop products for Windows and Mac. No word yet on whether the Linux desktop app was affected. You can read more about it here: https://www.3cx.com/blog/news/desktopapp-security-alert/ and here: https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html
This isn’t the first time we’ve seen something like this. You may recall a similar method was used to infiltrate the SolarWinds products and distribute trojanized updates to customers. The file SolarWinds.Orion.Core.BusinessLayer.dll appeared to be a normal file of the kind often included with product updates, and it caused a lot of problems, especially for several US Government agencies.
The 3CX attack is most likely very sophisticated and complex. Inserting weaponized software into a company’s legitimate software stack is not something that somebody just woke up and did. They’ve hired Mandiant to investigate the details, and we may hear more in the near future.
Coincidentally, we were just talking about software in the supply chain on the Third Party Threat Hunters podcast (https://thirdpartythreathunting.com/blog/f/tpthunters-podcast-s1e3-chris-romeo-sboms-are-not-the-answer) with guest Chris Romeo. Check it out!