IMPORTANT SECURITY ALERT: 3CX Desktop App Security Vulnerability
30th March 2023
Does your business use 3CX? Do you have Endpoint Defence and Response in addition to your Anti-Virus? If your answers are YES to the first and NO to the second, you must read this security article.
UPDATE 05/04/2023 – 08:30BST:
On April 4th, 3CX posted an update on their forum regarding the status of the Desktop App. As part of this update 3CX also commented on the extent of the cyber attack; more information is expected soon. The update is reproduced below:
1 - The Windows Electron App 18.12.425 has come back with the all clear from Mandiant.
2 - The main difference with 18.12.422 is that it has been signed with a new certificate.
3 - We hope to push this version to customers tomorrow.
4 - We still recommend using the PWA Web App.
5 - We are currently building a new version Update 7a - should be in QA by next week - which has
a - Password hashing
b - BLF panel for PWA dialer.
c - Improved install screen in web client.
6 - We only have a handful of cases reported to us where malware has actually been triggered. And these reports still require verification. Furthermore, after removal of the infected files using anti-virus software, no further malicious outbound traffic has been observed. Of course this may change but this is the status as of today.
7 - We are taking the opportunity to strengthen our policies, practices, and technology to protect against future attacks.
What does this mean for your business? As the release should be published by 3CX today (April 5th), most businesses should have this update applied overnight. This means that by tomorrow (April 6th) you should be able to download the latest version of the 3CX Desktop App for Windows and macOS. The Windows build (18.12.425) has been independently reviewed by the third-party security firm Mandiant, which 3CX reports has cleared it as safe to install.
UPDATE 31/03/2023 - 08:30BST:
Whilst it is believed to be unaffected, 3CX is recommending the removal of the macOS Desktop App. A new update is starting to be rolled out to all users; this will take 24-48 hours to reach every customer and will happen automatically via an overnight update. Please note the following statement from 3CX with regards to the Desktop App:
"In a day or two from now, we will have another Electron App rebuilt from the ground up with a new signed certificate. This is expected to be completely secure. We strongly recommend that you avoid using the Electron (Desktop) App unless there is absolutely no alternative. The Electron (Desktop) App update that we are releasing today is considered to be secure but there is no guarantee given that we only had 24 hours to make the necessary adjustments."
Note: If your business is protected by One2Call’s Endpoint Defence and Response service, you are protected from this attack. Find out more below.
According to an article published late on March 29th, cybersecurity firm SentinelOne detected, on March 22, 2023, a surge in behavioural detections of a trojanised version of 3CXDesktopApp, the desktop voice and video conferencing client that 3CX provides and that we supply to our customers as part of our 3CX service. SentinelOne has not yet confirmed whether the Mac installer is also affected. The trojanised Windows 3CXDesktopApp is the first stage of a multi-stage attack: it pulls ICO files with base64 data appended from GitHub, leading to a third-stage infostealer DLL that is still being analysed. That DLL could be used for other malicious purposes, such as gathering system data, browsing data, or potentially session data (see our recent Linus Tech Tips Hack article), but this is still under active investigation.
The ongoing investigation also covers other 3CX applications, such as the Chrome extension, which could equally be used to stage attacks. The trojanised binaries were signed with a valid 3CX code-signing certificate, so a passing signature check does not by itself show that a build is clean; this is also why 3CX is reissuing the app under a new certificate. The investigation into the threat actor behind this supply chain attack is ongoing. The attacker has been registering a large set of infrastructure since February 2022, but SentinelOne has not yet found any obvious connections to existing threat clusters.
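As an added illustration of the "ICO files with base64 data appended" stage described above, the following Python script parses the standard ICO directory (ICONDIR header plus one ICONDIRENTRY per image), works out where the last image ends, and reports whatever bytes follow it, flagging a trailer that decodes cleanly as base64. This is example code written for this article; it is not SentinelOne's or 3CX's detection logic, the sample icons and the hidden blob are constructed here, and it makes no claim about how the real campaign encoded its payload beyond what the paragraph above states.

```python
import base64
import re
import struct
from typing import Optional

# Constructed placeholder for the icon image payload (NOT a real 3CX artefact).
# The detector only uses the directory's offsets and sizes, so these bytes need
# not decode as a real picture.
FAKE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40
# Constructed stand-in for a hidden next-stage blob.
HIDDEN_BLOB = b"stage-three-stub-constructed-for-the-example"

# ICONDIRENTRY: width, height, colours, reserved, planes, bpp, size, offset
_ENTRY = struct.Struct("<BBBBHHII")
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def build_ico(images, trailer: bytes = b"") -> bytes:
    """Assemble a well-formed ICO from raw image blobs, then append `trailer`.
    Fixture builder for this example only; not part of any real tooling."""
    dir_end = 6 + _ENTRY.size * len(images)
    header = struct.pack("<HHH", 0, 1, len(images))  # reserved, type=1 (icon), count
    entries, offset = b"", dir_end
    for img in images:
        entries += _ENTRY.pack(16, 16, 0, 0, 1, 32, len(img), offset)
        offset += len(img)
    return header + entries + b"".join(images) + trailer


def ico_trailing_data(data: bytes) -> dict:
    """Parse the ICO directory, find where the last image ends, and report what
    follows it. A trailer that decodes cleanly as base64 is flagged."""
    if len(data) < 6:
        raise ValueError("too short to be an ICO")
    reserved, ico_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or ico_type != 1 or count == 0:
        raise ValueError("not an ICO header")
    dir_end = 6 + _ENTRY.size * count
    if len(data) < dir_end:
        raise ValueError("truncated ICO directory")
    expected_end = dir_end
    for i in range(count):
        size, offset = _ENTRY.unpack_from(data, 6 + _ENTRY.size * i)[6:8]
        if offset < dir_end or offset + size > len(data):
            raise ValueError(f"directory entry {i} points outside the file")
        expected_end = max(expected_end, offset + size)
    trailer = data[expected_end:]
    compact = b"".join(trailer.split())  # tolerate line breaks inside the blob
    looks_b64 = bool(compact) and len(compact) % 4 == 0 and _B64_RE.match(compact) is not None
    decoded: Optional[bytes] = None
    if looks_b64:
        try:
            decoded = base64.b64decode(compact, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            looks_b64 = False
    return {
        "expected_end": expected_end,
        "trailing_len": len(trailer),
        "looks_base64": looks_b64,
        "decoded_len": len(decoded) if decoded is not None else None,
    }


def is_suspicious(data: bytes) -> bool:
    """True when the file carries base64-decodable data past its last image."""
    return ico_trailing_data(data)["looks_base64"]


# Three constructed fixtures: a clean icon, one with base64 appended, and one
# with a few bytes of non-base64 padding (reported but not flagged).
SAMPLE_CLEAN = build_ico([FAKE_IMAGE])
SAMPLE_APPENDED = build_ico([FAKE_IMAGE, FAKE_IMAGE], trailer=base64.b64encode(HIDDEN_BLOB))
SAMPLE_PADDED = build_ico([FAKE_IMAGE], trailer=b"\x00\x00\x00")

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("appended", SAMPLE_APPENDED), ("padded", SAMPLE_PADDED)):
        print(name, ico_trailing_data(blob))
```

Point `ico_trailing_data` at an icon from a suspect install to see how many bytes sit past the last image directory entry. A few bytes of padding is not unusual and is only reported; a trailer that is a multiple of four characters, matches the base64 alphabet and decodes without error is the pattern worth pulling for analysis.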
What is the 3CX Desktop App?
3CXDesktopApp is developed by 3CX, a business communications software company. 3CX has approximately 600,000 customer companies and 12 million daily users. The software is widely used across many sectors, including automotive, food and beverage, hospitality and manufacturing.
PBX software such as 3CXDesktopApp is a desirable target for attackers because it is widely used by businesses across the world, and a compromised PBX lets an attacker monitor an organisation's communications and modify call routing. There have been other instances where attackers have used PBX and Voice over Internet Protocol (VoIP) software to deploy additional payloads, such as the 2020 campaign against Digium VoIP phones that exploited a vulnerable PBX platform, FreePBX.
What can you do?
For any customers who already have SentinelOne, or Endpoint Defence and Response through One2Call, no action is needed at this time as you are already protected: the detections prevented the malicious installers from running and immediately quarantined them.
As this is an ongoing investigation, we advise that all users remove 3CXDesktopApp until further notice, remain vigilant when using the web app, and follow any security updates or recommendations provided by SentinelOne or 3CX. 3CX have confirmed that the GitHub repository has since been shut down, that the domains contacted by the compromised library have been reported (with the majority taken down overnight), and that a new Windows app is in development.
At this time we have been advised that a new 3CX version is in development and is due to be released on Friday, March 31st. As 3CX auto-updates overnight, we expect that all customers will be able to download this latest version through the web client by Monday, April 3rd, at the latest. Please stay tuned for further updates.
How can you protect yourself from these types of attack?
Endpoint Defence and Response is designed to detect these 'zero day' attacks by using behavioural monitoring and artificial intelligence to spot malicious activity on your endpoints, including your business's desktops and laptops, and to actively stop these types of attack. As such, any customers with our Endpoint Defence and Response service remain protected. If you would like to find out more about Endpoint Defence and Response, fill out the form below and a member of our team will reach out to you with more details.
Contact One2Call to find out how you can stay protected.