The Defender's Guide to the 3CX Supply Chain Attack

How it happened, why it matters, and what's being done about it.

What the heck is going on?

This all kicked off on Wednesday with SentinelOne’s release of a post that looked at a campaign dubbed “Smooth Operator”, which essentially found that the 3CX Voice Over Internet Protocol (VOIP) desktop client - used by some 600,000 companies worldwide and over 12 million daily users - had been compromised with a malicious update.

Moreover, Huntress Labs found 242,519 internet-exposed 3CX phone management systems as of the 30th March, and a further 2,783 instances in their customer networks running the trojanized software.