The 3CX supply chain cyberattack uncovered this week may have been active for longer than first thought, according to new information.
The attack impacts a 3CX voice over IP (VoIP) application and affects organisations all over the world, including but not limited to France, Germany, the Netherlands, the UK and the US.
According to telemetry analysed by WithSecure Intelligence, a compromised version of the macOS-based installer was seen in early February 2023, while compromised Windows-based installers were observed in mid-March 2023.
Tim West, head of WithSecure’s Threat Intelligence team, warns that while some steps have been taken to mitigate the threat, organisations should consider additional measures until the situation has stabilised.
“Working with other researchers in the industry, we’ve been able to ascertain that recent versions of 3CX’s desktop VoIP application had been compromised by an actor prior to the build process, resulting in poisoned, yet trusted, installer files being pushed to customers.
“On Windows hosts, malware requires an external connection to a GitHub repository that has since been removed. This means it is likely that without threat actor intervention, current infection chains will fail. This is not necessarily the case for all macOS samples observed,” he says.
“Until such a time comes that 3CX are able to provide assurance, organisations may wish to mitigate the risk by removing or restricting 3CX applications from internet-facing positions. This action will stop 3CX software from working to its intended purpose. 3CX recommends uninstalling the desktop application, and using Progressive Web App clients instead.”