SmoothOperator – 3CX Supply Chain Attack
Supply chain attacks have become a major concern for organizations worldwide due to their potential to cause significant damage. The SolarWinds attack affected thousands of organizations, and now, a similar attack has occurred with the 3CX supply chain. 3CX is a VoIP Communication company with 12 million daily users, and in March 2023, SentinelOne uncovered a devastating attack where threat actors trojanized 3CXDesktopApp in a supply chain attack to infect thousands of users worldwide.
The attack compromised the supply chain of 3CXDesktopApp, including both the Windows and macOS installers. During installation of the application, a trojanized library was sideloaded and connected to a command and control server. After fingerprinting the machine, it was observed downloading the next-stage payload, an infostealer. Its functionality includes gathering system information and browser data from Chrome, Edge, Brave, and Firefox, and in some cases we observed backdoor malware being deployed to carry out cyber espionage.
This research will provide insights into the complexities of the 3CX supply chain attack and serve as a guide to organizations to implement measures that can enhance their cybersecurity posture against such attacks.
Mr. Dinesh Devadoss
Dinesh Devadoss, a Staff Threat Hunter at SentinelOne WatchTower, considers himself a wanderer in the binary world. He graduated with a Bachelor of Science degree in Computer Science Engineering. He has extensive experience in threat hunting, malware research, threat intelligence, forensics, and studying threat evolution. In the past, he has presented his research at the AVAR and Virus Bulletin conferences. His passion (bordering on addiction) is extensively researching malware targeting macOS.
Mr. Niranjan Jayanand
I am a Senior Manager with SentinelOne taking care of the WatchTower Threat Hunting program for the APJ region, and I also work as a Principal Threat Intel Analyst with a demonstrated history of threat group hunting, malware reversing, blogging, and presenting at conferences, webinars and podcasts. Our team partners with MDR and DFIR analysts to stay ahead of attackers and proactively provide actionable intelligence for our customers. My latest work involves the discovery and reporting of a Cisco ASA vulnerability abused by the Akira ransomware group.