3CX Hit by SmoothOperator

3CX, one of the world’s best known telephony applications, has been rocked by a devastating supply-chain attack that is infecting end-users.

The breach, designated ‘SmoothOperator’ is believed to affect both the 3CX Desktop app and PMA, 3CX’s recommended replacement. Once the trojanised payload is delivered to the 3CX end-user, it interacts with popular web browsers such as Chrome, Edge, Firefox and Brave – likely in an attempt to steal user data, including browser history, down the line.

In a video released earlier today – SentinelOne demonstrated the forensic detection of SmoothOperator which has risen dramatically in recent days. A sample of how the powerful endpoint security software blocks the threat can be seen in the video below.

Security analysts are rumoured to have discovered links to Labyrinth Collima, a North Korean Lazarus Group offshoot from Bureau 121 of the DPRK’s ‘Reconnaissance General Bureau.’ 3CX is believed to be in use by more than 12 million daily users around the world, among more than 600,000 organisations.

Managed detection and response specialists Huntress have published a wide-ranging report on the breach with a difficult verdict for organisations using 3CX:

“We anticipate that 3CX will not complete a root cause analysis of this incident for some time, and users should look for alternative telephony mechanisms for the foreseeable future.”

 

Remediation: organisations using 3CX are advised to…

1. Enforce mandatory password resets for all users.
2. Reset passwords for any web-based accounts which might have suffered credential harvesting via the user’s browser, and have multi-factor authentication (MFA) enabled for those accounts.
3. Invalidate any persistence tokens used for Microsoft 365, Google Workspace and other accounts that might allow automatic login without MFA.
4. Enable high security risk conditional access if using Microsoft Azure.

 

For Cyber Security expertise and assistance, please contact our team today.