NCSC warns of cybersecurity danger posed by 3CX desktop app vulnerability

The vulnerability is apparently being exploited by North Korea's Lazarus hacking gang.

By Claudia Glover

The UK’s National Cyber Security Centre (NCSC) has warned businesses about a “severe security issue” in the 3CX desktop app. The exploit is the source of an ongoing supply chain attack believed to be perpetrated by North Korean hacking gang Lazarus, targeting cryptocurrency companies. The attack could become far more serious, with 3CX’s software installed on many corporate networks around the world.

A backdoor found in 3CX desktop could have grievous consequences for the global customer base. (Photo by monticello/Shutterstock)

Dubbed Gopuram by security company Kaspersky, the vulnerability has been used occasionally since 2020, but experienced a spike in March, with ten cryptocurrency companies confirmed as being targeted so far. 

The 3CX desktop app is used by businesses to make, schedule and monitor voice and video calls. The company says its software is used by 600,000 businesses worldwide, with more than 12 million individual users.

Severe security issue in 3CX Desktop App could lead to a global supply chain attack

The NCSC said today that “threat actors are actively exploiting” the “severe security issue” in the 3CX desktop app. The agency is urging any company using the app to download the workarounds released by the organisation while it continues to work towards an update.

Kaspersky says it has “medium to high confidence” that Lazarus is behind the current spate of attacks. They were initially thought to be cyber-espionage related, designed to drop infostealing malware on targeted organisations. However, the use of Gopuram means it is likely Lazarus is the perpetrator.

Lazarus’s main modus operandi appears to be stealing cryptocurrency. Earlier this year the gang, along with another North Korean hacking group, APT38, was revealed by the FBI to be behind the theft of $100m in crypto assets from the Horizon coin bridge in June.

The gang is also behind the Axie Infinity hack worth $600m, according to the US Treasury Department.


How does the 3CX attack work?

The victims in the 3CX attacks are made up of a handful of cryptocurrency companies.

Engineers from security company CrowdStrike, posting on Reddit, said their investigations have revealed that “the malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity”.

The attack is a multi-stage chain, with the initial step involving a compromised version of the 3CX desktop app, according to cybersecurity vendor Trend Micro. Its report said: “The decrypted code seems to be the backdoor payload that tries to access the IconStorages GitHub page to access an ICO file, containing the encrypted C&C server that the backdoor connects to in order to retrieve the possible final payload.”

The report explains how damaging this bug could become. “Due to its widespread use and its importance in an organisation’s communication system, cybercriminals can cause major damage (for example, by monitoring or rerouting both internal and external communication) to businesses that use this software.”
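One defender-side check that follows from the chain described above, written for this article as an added example rather than code from 3CX, Trend Micro or any other vendor it quotes: it parses an ICO file's directory and reports any bytes that sit beyond the last declared image, on the assumption (not stated in the article) that data hidden in such a file is appended after the legitimate image data. The sample icons and the appended blob are constructed inline.

```python
import struct

ICONDIR_LEN = 6          # reserved(2) + type(2) + image count(2)
ICONDIRENTRY_LEN = 16    # one directory entry per image


def ico_trailing_data(data: bytes) -> bytes:
    """Return the bytes after the last image the ICO directory declares.

    A well-formed icon ends exactly where its last image ends, so any
    trailing bytes are worth inspecting (assumption: hidden data is
    appended after the real image data rather than embedded inside it).
    """
    if len(data) < ICONDIR_LEN:
        raise ValueError("too short to be an ICO")
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or img_type != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICONDIR_LEN + count * ICONDIRENTRY_LEN
    for i in range(count):
        entry = ICONDIR_LEN + i * ICONDIRENTRY_LEN
        # bytes 8..11 of an entry are the image size, 12..15 its file offset
        size, offset = struct.unpack_from("<II", data, entry + 8)
        end = max(end, offset + size)
    if end > len(data):
        raise ValueError("directory points past end of file (truncated)")
    return data[end:]


def build_ico(image: bytes) -> bytes:
    """Constructed sample: a single 16x16 entry wrapping an opaque image blob."""
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32,
                        len(image), ICONDIR_LEN + ICONDIRENTRY_LEN)
    return header + entry + image


CLEAN_ICO = build_ico(b"\x00" * 64)                 # constructed, 86 bytes
APPENDED = b"Y29uc3RydWN0ZWQtc2FtcGxlLWJsb2I="       # constructed stand-in blob
TAMPERED_ICO = CLEAN_ICO + APPENDED

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("tampered", TAMPERED_ICO)):
        print(f"{name}: {len(ico_trailing_data(blob))} trailing byte(s)")
```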

To mitigate the problem, 3CX recommends uninstalling the desktop app and using the Progressive Web App client instead, while it works towards an update that solves the problem.
