The 3CX desktop app spreads malware

  • March 30, 2023

3CX announces a serious security issue with its VoIP service for Windows and Mac. The company is working on a completely new app and recommends using the web version in the meantime.

In a notification on its website, 3CX states that the issue concerns Update 7 of the Electron Windows App, which includes versions 18.12.407 & 18.12.416. Mac users should also be on their guard, as versions 18.12.407 & 18.12.416 of the Electron Mac App are also said to be affected. 3CX delivers Voice over IP services to businesses and counts big names such as Coca-Cola, McDonald's and Ikea among its clients.

3CX is still investigating what exactly is going on, but the security issue is said to be due to compiled Git libraries. According to the company, most of the compromised domains have been reported and taken offline. In most cases, infected clients are also said to have been blocked by antivirus software, CISO Pierre Jourdan says by way of some reassurance.

Attack on the supply chain

Still, 3CX fears the leak is just the beginning of a supply chain attack. The security companies SentinelOne, Sophos and Check Point Research come to the same conclusion. The attackers' intention is to distribute infected DLL files to users of the VoIP service. This is how they inject malware into a system to steal the victim's system and browser information.

In a reply to our editors, Sophos explains more about how it works. “The attackers managed to manipulate the application to include an installer that uses DLL sideloading to eventually retrieve a malicious, encrypted payload. The tactics and techniques are not new, they are similar to DLL sideloading activities we have seen before.”

Ever since the famous SolarWinds incident, everyone in the IT world has known that supply chain attacks can wreak havoc. “This is a classic supply chain attack designed to exploit relationships of trust between an organization and external parties, including partnerships with suppliers or the use of third-party software on which most organizations depend in some way. This incident reminds us how important it is that we carefully consider who we do business with,” said Lotem Finkelstein of Check Point Research.

New Windows app

3CX therefore suspects that “sophisticated” actors are behind the attack and does not itself rule out a state attack. The company is currently working on a completely new Windows client, but it will take at least 24 hours to be ready. In the meantime, users can continue to use the web app, which the company says is still secure.

3CX will release more information about the vulnerability shortly. We will therefore continue to monitor the situation.

Source: IT Daily
