3CX Supply Chain Attack — Here's What We Know So Far
Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack
Supply-chain attacks compromise trusted vendors or dependencies, potentially reaching downstream systems; verify provenance and limit access before deployment.
Search across headline titles and summaries.
Background for this topic.
Supply chain is the network of suppliers, software developers, service providers, components, and processes used to build and deliver an organization’s products or services. In a security threat model, it extends the trust boundary beyond the organization: a compromised supplier account, build system, software dependency, update mechanism, or hardware component can introduce malicious code, expose credentials, or undermine systems used by many customers.
Effective protection starts with mapping critical suppliers, dependencies, data flows, and access, then applying risk-based due diligence and least-privilege, segmented access. For software, maintain an inventory such as a software bill of materials, verify signed artifacts and update provenance where feasible, and monitor dependencies for vulnerabilities or unexpected changes. Contracts and technical controls should support timely notification and investigation. Response plans should cover revoking supplier access, isolating affected versions or integrations, determining exposure, and coordinating remediation with the provider.
Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack
Booby-trapped app, apparently signed and shipped by 3CX itself after its source code repository was broken into.
Windows and Mac versions of the software were compromised to deliver infostealers
Miscreants hit downstream customers with infostealers Two security firms have found what they believe to be a supply chain attack on communications software maker 3CX – and the vendor's boss is advising users to switch to the progressive web app until the 3CX desktop client is updated.…
3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers
A digitally signed and trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company's customers in an ongoing supply chain attack. [...]
A digitally signed and trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company's customers in an ongoing supply chain attack. [...]