Hackers working on behalf of the North Korean government have pulled off a massive supply chain attack on Windows and macOS users of 3CX, a widely used voice and video calling desktop client, researchers from multiple security firms said.
The attack compromised the software build system used to create and distribute Windows and macOS versions of the app, which provides both VoIP and PBX services to “600,000+ customers,” including American Express, Mercedes-Benz, and Price Waterhouse Cooper. Control of the software build system gave the attackers the ability to hide malware inside 3CX apps that were digitally signed using the company’s official signing key. The macOS version, according to macOS security expert Patrick Wardle, was also notarized by Apple, indicating that the company analyzed the app and detected no malicious functionality.
In the making since 2022
“This is a classic supply chain attack, designed to exploit trust relationships between an organization and external parties,” Lotem Finkelstein, Director of Threat Intelligence & Research at Check Point Software, said in an email. “This includes partnerships with vendors or the use of a third-party software which most businesses are reliant on in some way. This incident is a reminder of just how critical it is that we do our due diligence in terms of scrutinizing who we conduct business with.”