Several cyber security companies have warned of an ongoing supply chain assault that targets the communications software provider and the company’s customers by utilizing a trojanized version of a commonly used voice and video calling desktop program.
The company software-based phone system is used by more than 600,000 businesses around the world, including leading automotives, food and beverage, and a hospital, with 12 million daily users.
A director of threat intelligence and research described the attack as “a classic supply chain attack, designed to exploit trust relationships between an organization and external parties; this includes partnerships with vendors or the use of a third-party software that most businesses are reliant on in some way.”
The delivery of trojanized Desktop App installers used in the attack allows info stealer malware to be installed inside corporate networks. This malware can access user profiles for Google Chrome, Microsoft Edge, Brave, and Firefox and collect information about the system, stealing data and stored credentials.
The release of second-stage payloads, beaconing to actor-controlled infrastructure, and, in a few instances, “hands-on-keyboard activity” are some other harmful activities that have been seen.
Both the Windows and macOS versions of the hacked program are being attacked, according to security experts. The Linux, iOS, and Android versions seem unaffected now.
On March 22, cybersecurity researchers claimed they first saw suspicious behavior. They promptly looked into the abnormalities, which led them to find that some organizations were attempting to install a trojanized version of the desktop program that had been signed with a valid digital certificate.
A representative of the affected desktop app noted that the company is aware of a “security issue” affecting its Windows and MacBook applications and that this appears to have been a “targeted attack from an Advanced Persistent Threat, perhaps even state-sponsored” hacker. According to cybersecurity experts, the infamous Lazarus Group subsection Labyrinth Chollima from North Korea carried out the supply-chain hack.
Customers of the impacted desktop app firm are being advised to delete and reinstall the software as a solution. The business has since expressed its sincere regret for what happened and has committed to making amends in every way possible.
It is not known how many businesses may have been compromised by the desktop app supply-chain assault.
