On March 29, 2023, multiple security sources began to flag the 3CX VoIP Desktop App, from 3CX, as containing malware that allows attackers control of the workstation it’s installed on.  3CX response is to uninstall 3CX Desktop App until an uninfected version of the software can be published.

The Cytracom Desktop is uncompromised and immediately available for use.  https://www.cytracom.com/downloads

All ControlOne subscribers benefit from the proactive implementation of platform-wide restrictions associated with the published indicators of compromise associated with the 3CX Desktop App and malicious command-and-control (C2) communications. Additionally, Device Posture Assessment capabilities can be configured to isolate all hosts running the 3CX Desktop App from the rest of your network until the software has been removed or remediated.

While the incident investigation is ongoing, at the time of this writing, it is believed nation state actors from North Korea are behind the supply chain attack.  We have seen this type of behavior before and consider this a sophisticated attack that requires resources available to nation states; however, we expect these types of compromises to become more commonplace as the compute resources become cheaper.

Cytracom is fully invested in producing the best, most secure experience for its partners and subscribers.  We continue to make significant investments in our software supply chain and threat detection capabilities to assure the software available is secure and uncompromised.

This type of attack highlights the importance of software security and the need to carefully monitor and control the software supply chain to prevent attacks like this from occurring. Regardless of Cytracom’s assurances in production of secure software, Partners and subscribers should also be vigilant about updating their software and verifying the authenticity of any updates before installing them.

What is a Supply Chain Attack?

A supply chain attack is a type of cyber attack that targets the software supply chain by compromising one of the components used in the software development process. The goal of this attack is to infect the software with malware or malicious code, which can then be used to gain access to sensitive data or systems.

In the case of the 3CX VoIP Desktop App supply chain attack, the attackers compromised the update mechanism used by the software to deliver updates to users. They were able to replace the legitimate software update with a malicious version that contained a backdoor, allowing them to access and control the victim's system.

The attack was carried out in three stages:

1. Compromising the software vendor's update server: The attackers gained access to the server used by the 3CX VoIP Desktop App vendor to deliver updates to users. This could have been done through a variety of means, such as phishing attacks or exploiting vulnerabilities in the server software.
2. Replacing the legitimate update with a malicious version: Once the attackers had access to the update server, they replaced the legitimate update with a version that contained a backdoor. This backdoor allowed the attackers to remotely access and control the victim's system.
3. Delivering the malicious update to users: The compromised update was then delivered to users through the software's automatic update mechanism. Once installed, the malicious version of the software provided the attackers with a persistent backdoor into the victim's system.

If you are a ControlOne partner and have questions, please contact support@cytracom.com. If you are not yet a ControlOne partner and would like a demo, email partner@cytracom.com or request a demo online here.