Mar 31, 2023 - Technology

Thousands of companies vulnerable in supply chain cyberattack

Illustration of a wrecking ball about to hit a computer.

Illustration: Aïda Amer/Axios

Thousands of companies using the same voice- and video-calling application are now at risk, as North Korean hackers carry out an ongoing supply chain attack, several cybersecurity companies warned earlier this week.

Driving the news: CrowdStrike warned Wednesday that North Korea-linked hackers are distributing trojanized builds of the Windows and macOS versions of 3CX's desktop voice- and video-calling app, meaning the malicious code ships inside the vendor's own signed software rather than being delivered separately.

  • 3CX claims it has more than 12 million daily users and 600,000 enterprise customers, including Ikea, Toyota, BMW, Coca-Cola and McDonald's.
  • Researchers at other firms, including SentinelOne, Check Point Research and Huntress, each confirmed the ongoing attack.
  • The Cybersecurity and Infrastructure Security Agency said Thursday it's "aware" of the incident and encouraged organizations to hunt for indicators of compromise on their networks.

Why it matters: The malware started infecting users' devices as early as February, according to SentinelOne, and it's still unclear how many of 3CX's customers have been affected.

The big picture: A successful supply chain attack would mark a significant escalation in North Korea's hacking capabilities. Researchers typically see North Korean groups either carrying out espionage via email phishing campaigns or hacking crypto firms to fund the regime; compromising a vendor's build and distribution pipeline reaches every downstream customer at once.

  • CrowdStrike believes the attack was carried out by "Labyrinth Chollima," which conducts espionage against the U.S. and South Korea for the North Korea regime's intelligence agency.

Between the lines: Supply-chain attacks are some of the hardest cyberattacks to prevent given businesses' limited visibility into their vendors' cybersecurity practices.

Be smart: 3CX CEO Nick Galea said in a blog post Thursday that customers should uninstall the app from their devices and avoid using the app "unless absolutely necessary."

  • "In a day or two from now, we will have another Electron App rebuilt from the ground up with a new signed certificate," Galea wrote. "This is expected to be completely secure."

What's next: It's going to take weeks until the public has a better understanding of how long the attack has been going on, who was impacted and what access North Korea was able to get.

