The 3CX VoIP phone system is the latest victim of a massive supply chain attack, with multiple trojanized Windows and Mac applications that have been used to infiltrate the phone system.
The attack was first discovered on Wednesday when security firm Morphisec identified the malicious apps, which were identified as trojanized versions of authorized applications.
The trojanized apps were available for download on the official website of 3CX, the company that develops the VoIP phone system. According to Morphisec, the malicious versions were “signed with a valid 3CX code-signing certificate”, meaning that the attack was well-crafted.
The trojanized apps were being distributed to customers via the official update feature of the 3CX system. The malicious code was also hidden within the apps, making it harder for users to detect and weed out.
Once installed, the modified version of 3CX was able to download and execute remote commands on the system. This gave attackers the ability to access user information, as well as modify settings, compromise system security, and install other malicious software.
In response to the attack, 3CX has already issued a security patch to address the issue. The patch is reportedly being deployed automatically, but users are being urged to manually update the system to ensure they are fully protected.
Overall, this incident serves as a stark reminder of how vulnerable supply chain attacks can be. Organizations need to beef up their security measures to avoid these types of attacks, as well as educate their users on the dangers of downloading malicious applications.