Today 3CX confirmed North Korea was behind last month's supply chain attack.
Based on the Mandiant investigation into the intrusion, the hacking group has been identified as UNC4736, which has a strong North Korean connection.
The attackers compromised 3CX systems using the Taxhaul (or TxRLoader) malware, which deployed a second-stage malware downloader called Coldcat, as identified by Mandiant.
The malware achieved persistence on infected systems via legitimate Microsoft Windows binaries, making it more challenging to detect. In addition, the malware automatically loaded during system start-up on all affected devices, providing the attackers with remote access over the internet.
macOS systems targeted during the attack were also infiltrated with a malware called Simplesea, which Mandiant is currently analyzing to determine whether it overlaps with previously known malware families.
UNC4736 deployed malware on 3CX's network, connecting to numerous command-and-control (C2) servers under the attackers' control. The exact method used by the attackers to conduct the supply chain attack remains undisclosed by 3CX.
The day after the news surfaced on March 29, 3CX confirmed its 3CXDesktopApp Electron desktop client had been compromised.
In response to the attack, 3CX recommended customers remove the impacted Electron desktop client from all Windows and macOS devices and switch to the progressive web application (PWA) Web Client App.
Security researchers have developed a web-based tool to help 3CX users determine whether their IP address may have been affected by the attack.
It's important to note that the Linux version of the 3CX PBX is not affected and is therefore safe to use.
3CX's Phone System is used by over 600,000 companies worldwide, with daily users exceeding 12 million.