3CX Supply Chain Attack Advisory

ByAddigy April 5, 2023April 5, 2023

CrowdStrike has recently reported an active supply chain attack targeting 3CX customers. Malicious activity was observed in the 3CXDesktopApp which involved contacting command & control infrastructure and payload deployment. This application is used as a voice and video conferencing platform.

It is suspected that LABYRINTH CHOLLIMA is behind the attacks, a nation state-actor operating on behalf of North Korea, which affects both the Windows and macOS versions of the software. Patrick Wardle of Objective-See, confirmed that the macOS version was trojanized.

As this is an ongoing attack, details are scarce. We will provide updates as the investigation unfolds. At the moment, it is recommended to remove instances of the 3CXDesktopApp software from your environment.

Indicators of compromise for macOS:

~/Library/Application Support/3CX Desktop App/UpdateAgent
~/Library/Application Support/3CX Desktop App/.main_storage
~/Library/Application Support/3CX Desktop App/.session-lock
3CXDesktopApp-18.11.1213.dmg
3CXDesktopApp-18.12.416.dmg
3cxdesktopapp-latest.dmg

Use Addigy’s newly published Community Fact to help you identify devices that may have Indicators of Compromise.

3CX Supply Chain Attack Advisory

Guide: Use Apple Configurator on iOS to Enroll macOS devices into Apple Business Manager

Costs & Benefits of MDM Migration

Best Security Practices Around MacOS

Automatically Assign Policies Based on Device & User Attributes with Flex Policies

What Apple’s Discontinuation of Fleetsmith Means for Companies

Key Takeaways for System and Kernel Extensions on macOS

Latest Articles

Security. Scalability. Apple Expertise.

Company

Support

Resources

Similar Posts

Security. Scalability. Apple Expertise.

Company

Support

Resources