4 April 2023

Europe, North America, and Australia most impacted in 3CX supply chain hack

Organizations in Europe, North America, and Australia account for the highest share of victims of the high-profile 3CX supply chain attack that came to light last week, according to reports from the cybersecurity firms Fortinet and BlackBerry.

3CX is a software-based private branch exchange (PBX) based on the SIP (Session Initiation Protocol) standard. It enables extensions to make calls via the public switched telephone network (PSTN) or via Voice over Internet Protocol (VoIP) services. The 3CXDesktopApp is available for Windows, macOS, Linux and mobile.

The system is used by more than 600,000 companies worldwide, including high-profile organizations such as Toyota, BMW, Coca-Cola, IKEA, McDonald’s, American Express, Turkish Airlines, NHS, and others.

The trojanized 3CX Desktop App is the first stage of a multi-stage attack. The tampered installer drops a malicious DLL that the legitimate application sideloads; that DLL reads an encrypted blob of shellcode from a second DLL, and the shellcode fetches ICO files from a GitHub repository (since taken down). The ICO files carry encoded URIs pointing at the final payload, which is then downloaded and installed on the target system.

According to Fortinet's data, based on the number of devices connecting to attacker-controlled infrastructure, Italy is the country with the highest percentage of victims (16.26%), followed by Germany (13.79%), Austria (11.88%), the United States (11.41%), South Africa (6.69%), Australia (6.21%), Switzerland (5.36%), the Netherlands (4.04%), Canada (3.95%), and the United Kingdom (2.92%). In terms of regional data, Europe is at the top with 60%, followed by North America with 16%.

“This may indicate that the threat actor is mainly targeting enterprises in those regions – however, this is uncertain. This could be indicative of 3CX product's geographic customer base - including the possibility of various multinational corporations operating inside those regions,” Fortinet says.

BlackBerry telemetry showed attack attempts against healthcare, pharmaceutical, information technology, and financial organizations in Australia, the US, and the UK. The researchers say that analysis of the initial samples and the network infrastructure indicates that the initial phase of the 3CX supply chain operation took place somewhere between the end of summer and the beginning of fall 2022.

At present, it is unclear how the threat actors behind this hack gained initial access to 3CX's systems. A recent BleepingComputer report notes that the attackers abused CVE-2013-3900, a 10-year-old WinVerifyTrust signature validation weakness in Windows, to append malicious data inside the Authenticode certificate table of signed DLLs so that the modified files still passed Windows signature checks. This concerns how the trojanized components evaded signature validation, not how 3CX itself was breached. Microsoft's fix for CVE-2013-3900 is opt-in: the stricter padding check is only enforced when the EnableCertPaddingCheck value is set under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and the Wow6432Node path on 64-bit systems), so a default Windows install still accepts such files as validly signed.
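The following script, an added example that is not part of the original article or of any vendor's tooling, shows how to spot the CVE-2013-3900 trick offline: it parses a PE file's security data directory, measures the real PKCS#7 blob with a DER length decoder, and flags any non-zero bytes that follow it inside the WIN_CERTIFICATE structure (the region the Authenticode hash does not cover). The PE image it checks is a constructed fixture with a dummy DER blob in place of a real signature, and the appended URL string is hypothetical; the parsing logic itself applies to real signed binaries.

```python
"""Flag non-zero bytes hidden in a PE file's Authenticode certificate table.

CVE-2013-3900 (WinVerifyTrust) lets an attacker append data inside the
WIN_CERTIFICATE padding, which the Authenticode hash does not cover; without
the opt-in EnableCertPaddingCheck fix Windows still treats the file as signed.
The fixture below is constructed for the example: the "signature" is a dummy
DER SEQUENCE, not a real PKCS#7 blob.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_total_length(buf: bytes) -> int:
    """Return header + content length of the first DER TLV in buf."""
    if len(buf) < 2:
        raise ValueError("truncated DER")
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def check_cert_padding(pe: bytes) -> dict:
    """Locate the certificate table and report bytes trailing the PKCS#7 blob."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT header signature")
    opt = e_lfanew + 4 + 20               # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 data-directory offset
    sec_off, sec_size = struct.unpack_from(
        "<II", pe, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_size == 0:
        return {"signed": False, "pkcs7_bytes": 0, "appended_bytes": 0, "suspicious": False}
    # The security directory holds a raw file offset, not an RVA.
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    if revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected WIN_CERTIFICATE header")
    body = pe[sec_off + 8:sec_off + dw_length]
    pkcs7_len = der_total_length(body)
    trailing = body[pkcs7_len:]
    return {
        "signed": True,
        "pkcs7_bytes": pkcs7_len,
        "appended_bytes": len(trailing),
        "suspicious": any(trailing),      # legitimate alignment padding is all zeros
    }


def build_fixture(extra: bytes) -> bytes:
    """Assemble a minimal PE32+ image whose certificate table ends with `extra` (constructed)."""
    dummy_pkcs7 = b"\x30\x82\x01\x00" + b"\x00" * 256   # DER SEQUENCE with 256-byte content
    cert_body = dummy_pkcs7 + extra
    dw_length = 8 + len(cert_body)
    dw_length += (-dw_length) % 8                       # WIN_CERTIFICATE is 8-byte aligned
    cert_body += b"\x00" * (dw_length - 8 - len(cert_body))
    cert_table = struct.pack("<IHH", dw_length, WIN_CERT_REVISION_2_0,
                             WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_body

    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    cert_offset = len(dos) + 4 + len(coff) + len(opt)    # 328, already 8-byte aligned
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_offset, dw_length)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    clean = build_fixture(b"")
    tampered = build_fixture(b"http://c2.example/stage2.ico")   # hypothetical appended data
    print("clean:   ", check_cert_padding(clean))
    print("tampered:", check_cert_padding(tampered))
```

On a real binary, pass the file's bytes to check_cert_padding; a few zero bytes of alignment padding after the PKCS#7 blob are normal, whereas any non-zero trailing bytes mean the file carries data the signature does not cover and deserves a closer look regardless of what the signature check reports.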

As for the culprit behind the 3CX supply chain hack, the cybersecurity firm CrowdStrike believes that the North Korean state-sponsored Lazarus Group (also tracked as Labyrinth Chollima, APT38, UNC4034, and Zinc) may be responsible for this operation.
