The UK’s National Cyber Security Centre (NCSC) has warned businesses about a “severe security issue” in the 3CX desktop app. The exploit is the source of an ongoing supply chain attack believed to be perpetrated by North Korean hacking gang Lazarus, targeting cryptocurrency companies. The attack could become far more serious, with 3CX’s software installed on many corporate networks around the world.
Dubbed Gopuram by security company Kaspersky, the vulnerability has been used occasionally since 2020, but experienced a spike in March, with ten cryptocurrency companies confirmed as being targeted so far.
The 3CX desktop app is used by businesses to make, schedule and monitor voice and video calls. The company says its software is used by 600,000 businesses worldwide, with more than 12 million individual users.
Severe security issue in 3CX Desktop App could lead to a global supply chain attack
The NCSC said today that “threat actors are actively exploiting” the “severe security issue” in the 3CX desktop app. The agency is urging any company using the app to apply the workarounds released by 3CX, while the vendor continues to work towards an update.
Kaspersky says it has “medium to high confidence” that Lazarus is behind the current spate of attacks. They were initially thought to be cyber-espionage related, designed to drop infostealing malware on targeted organisations. However, the use of Gopuram means it is likely Lazarus is the perpetrator.
Lazarus’s main modus operandi appears to be stealing cryptocurrency. Earlier this year the gang, along with another North Korean hacking group, APT38, was revealed by the FBI to be behind the theft of $100m in crypto assets from the Horizon coin bridge in June.
The gang is also behind the Axie Infinity hack worth $600m, according to the US Treasury Department.
How does the 3CX attack work?
The victims in the 3CX attacks are made up of a handful of cryptocurrency companies.
Engineers from security company CrowdStrike, posting on Reddit, said their investigations have revealed that “the malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity”.
The attack is a multi-stage chain, with the initial step involving a compromised version of the 3CX desktop app, according to cybersecurity vendor Trend Micro. Its report said: “The decrypted code seems to be the backdoor payload that tries to access the IconStorages GitHub page to access an ICO file, containing the encrypted C&C server that the backdoor connects to in order to retrieve the possible final payload.”
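The chain described above hides the C&C address inside an otherwise ordinary ICO file. An added example, not code from the article or from any of the vendors it quotes: a defender-side check that parses the ICO directory and reports any bytes that sit after the last declared image, on the assumption that the hidden data is appended past the image data. The sample icons are constructed inline.

```python
import struct

ICONDIR_SIZE = 6        # reserved u16, type u16 (1 = icon), count u16
ICONDIRENTRY_SIZE = 16  # per-image directory entry

def ico_declared_end(data: bytes) -> int:
    """Offset where the ICO's declared image data ends (max offset+size).

    Raises ValueError if the header does not describe a well-formed icon.
    """
    if len(data) < ICONDIR_SIZE:
        raise ValueError("too short for an ICONDIR header")
    reserved, res_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or res_type != 1 or count == 0:
        raise ValueError("not an ICO resource header")
    table_end = ICONDIR_SIZE + count * ICONDIRENTRY_SIZE
    if len(data) < table_end:
        raise ValueError("truncated ICONDIRENTRY table")
    end = table_end
    for i in range(count):
        entry = ICONDIR_SIZE + i * ICONDIRENTRY_SIZE
        # Last two fields of the entry: bytesInRes u32, imageOffset u32.
        size, offset = struct.unpack_from("<II", data, entry + 8)
        if offset < table_end or offset + size > len(data):
            raise ValueError(f"entry {i} points outside the file")
        end = max(end, offset + size)
    return end

def trailing_payload(data: bytes) -> bytes:
    """Bytes after the last declared image; a clean icon returns b''."""
    return data[ico_declared_end(data):]

def build_ico(images, extra=b"") -> bytes:
    """Build a minimal ICO from raw image blobs (constructed test data)."""
    header = struct.pack("<HHH", 0, 1, len(images))
    offset = ICONDIR_SIZE + ICONDIRENTRY_SIZE * len(images)
    entries, body = b"", b""
    for blob in images:
        entries += struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(blob), offset)
        offset += len(blob)
        body += blob
    return header + entries + body + extra

# Constructed samples: a clean one-image icon and one with data appended.
CLEAN_ICO = build_ico([b"\x00" * 40])
STUFFED_ICO = build_ico([b"\x00" * 40], extra=b"ENCRYPTED-C2-BLOB")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("stuffed", STUFFED_ICO)):
        print(f"{name}: {len(trailing_payload(blob))} trailing byte(s)")
```

Trailing bytes alone are not proof of compromise (some tools pad icons), so treat a non-empty result as a triage signal to pair with the beaconing and second-stage indicators the responders describe.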
The report explains how damaging this bug could become. “Due to its widespread use and its importance in an organisation’s communication system, cybercriminals can cause major damage (for example, by monitoring or rerouting both internal and external communication) to businesses that use this software.”
To mitigate the problem, 3CX recommends uninstalling the desktop app and using the Progressive Web App client instead, while it works towards an update that solves the problem.