Friday 31st March 2023

CTI Weekly: New supply chain campaign leverages the popular 3CX VOIP desktop client

Researchers recently reported on a supply chain compromise campaign that allegedly used a digitally signed and malicious copy of the 3CX Voice Over Internet Protocol desktop client to target the company’s clients. 3CX is a prominent software development company for VoIP IPBX, with a customer base of over 600,000 companies and more than 12 million daily users, including notable clients such as American Express, BMW, and the UK’s National Health Service. The attackers are targeting both Windows and macOS users of the compromised 3CX softphone app, deploying second-stage payloads, and performing hands-on-keyboard activity in a small number of cases. The malware also includes an information-stealer capable of stealing data and stored credentials from various user profiles.


The exploitation of 3CX DesktopApp has been identified as CVE-2023-29059 (OVSS:42). The CEO of 3CX stated that the compromise occurred as a result of an upstream vendor becoming infected, suggesting that FFmpeg was responsible as the malware payload resides there. However, FFmpeg has disputed this claim, stating that its source code was not compromised. These ongoing attacks are a reminder of the importance of supply chain security, and companies must remain vigilant to prevent such incidents from occurring.


Other news:


Two threat groups, SideCopy and Winter Vivern, are targeting government-related entities for intelligence-gathering. SideCopy is targeting India’s Ministry of Defence’s research and development wing using a new backdoor called ActionRAT, while Winter Vivern is targeting various political and military entities in Europe and the US.



The FBI warns of manufacturing-related thefts using Business Email Compromise tactics. Latitude Financial has also reported a data breach affecting over 14 million customer records.


Novel Malware

MacStealer targets macOS to extract sensitive information using Telegram for C2. Meanwhile, cryptocurrency users in 52 countries are being targeted with trojanised Tor browser installers.




Subscribe below for more and to discover other significant cyber criminals, nation-state and hacktivist news.

Get our latest cyber intelligence insights straight into your inbox

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.