3CX

2023-03-31

Post cover image courtesy of "Trend Micro"

Information on Attacks Involving 3CX Desktop App (Trend Micro)

In late March 2023, security researchers revealed that threat actors were actively abusing a popular business communication software from 3CX.

The attack is reportedly a multi-stage chain in which the initial step involves a compromised version of the 3CX desktop app. Upon execution of 3CXDesktopApp.exe, ffmpeg.dll, which seems to be a trojanized or patched DLL, will be loaded. These B64 strings seem to be C&C domains that the shellcode tries to connect to for downloading other possible payloads. The decrypted code seems to be the backdoor payload that tries to access the IconStorages GitHub page to access an .ico file containing the encrypted command-and-control (C&C) server that the backdoor connects to in order to retrieve the possible final payload. Note that the process exits when the page is inaccessible. It seems that the final stage has information-stealing functionality. Trend Micro Smart Scan Pattern (cloud-based) TBL 21474.300.40 can detect these files as Trojan.Win64.DEEFFACE.A. IT and security teams should also scan for confirmed compromised binaries and builds and monitor for anomalous behavior in 3CX processes, with a particular focus on command-and-control (C&C) traffic. The company also mentioned that they are working on an update to the desktop app.

Post cover image courtesy of "Naked Security"

Supply chain blunder puts 3CX telephone app users at risk (Naked Security)

Internet telephony company 3CX is warning its customers of malware that was apparently weaseled into the company's own 3CX Desktop App by cybercriminals who ...

The malware-laced versions were apparently built and distributed by 3CX itself, so they have the digital signatures you’d expect from the company, and they almost certainly came from an official 3CX download server. The malicious add-ons in the booby-trapped version could have arrived either in a recent, fresh installation of the app from 3CX, or as the side-effect of an official update. 3CX has apparently already reported the known-bad URLs that the malware uses for further downloads, and claims that “the majority [of these domains] were taken down overnight.” The company also says it has temporarily discontinued availability of its Windows app, and will soon rebuild a new version that’s signed with a new digital signature. “The advantage is that it does not require any installation or updating and Chrome web security is applied automatically.”

When you’re reviewing your own company’s code, [A] you have probably seen it before, and [B] you may very well have attended the meetings in which the changes now showing up in your diffs were discussed and agreed. You’re more likely to be tuned into, and more proprietorial – sensitive, if you wish – about changes in your own code that don’t look right.

[malware actually works](https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/) on our sister site, Sophos News, where Sophos X-Ops has published [analysis and advice](https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/) to help you in your threat hunting. That article also lists the detection names that Sophos products will use if they find and block any elements of this attack in your network. You can also find a [useful list](https://github.com/sophoslabs/IoCs) of so-called IoCs, or indicators of compromise, on the [SophosLabs GitHub](https://github.com/sophoslabs/IoCs) pages. IoCs tell you how to find evidence you were attacked, in the form of URLs that might show up in your logs, known-bad files to seek out on your computers, and more.

- Check your computer and your logs for tell-tale signs of the malware.
- Wait for further advice from 3CX as the company finds out more about what happened.

Post cover image courtesy of "TechTarget"

3CX desktop app compromised, abused in supply chain attack (TechTarget)

Security vendors detected malicious activity in 3CX's desktop app and discovered the software was compromised in a supply chain attack.

[security advisory](https://www.3cx.com/blog/news/desktopapp-security-alert/) Thursday morning from CISO Pierre Jourdan alerting customers that several versions of its Electron Windows app contained a "security issue." "We're still researching the matter to be able to provide a more in-depth response later today," Jourdan said. In a follow-up advisory on Thursday afternoon, Nick Galea, CEO, CTO and founder of 3CX, said the company hired Google subsidiary Mandiant to investigate the attacks. "We recommend that you DO NOT install or deploy the Electron App," Galea wrote in the latest advisory. "This update is only to ensure that the trojan has been removed from the 3CX Server where Desktop Apps are stored and in case any users decide to deploy the app anyway." But Galea noted that 3CX plans to update the servers overnight with a new version of the Electron app, which may cause brief disruptions in service.

SentinelOne's platform automatically detected and blocked the [Trojanized](https://www.techtarget.com/searchsecurity/definition/Trojan-horse) executable for about a week. However, forum moderators appeared to dismiss the issue as an error on SentinelOne's part and advised customers to contact the endpoint security vendor to resolve the problem. [published research](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/) on the supply chain attacks and revealed that it observed a spike in behavioral detections of the 3CXDesktopApp.exe starting on March 22. According to SentinelOne's report, the Trojanized 3CX desktop app is the first part of a multi-stage attack chain targeting both Windows and Mac users. "The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," CrowdStrike wrote in a blog post. It added that the campaign was connected to North Korean state-sponsored hacking group Labyrinth Chollima, also known as [Lazarus Group](https://www.techtarget.com/searchsecurity/news/252448325/Lazarus-Group-hacker-charged-in-Wannacry-Sony-attacks) or APT 38.

Post cover image courtesy of "Ars Technica"

Trojanized Windows and Mac apps rain down on 3CX users in ... (Ars Technica)

Hackers working on behalf of the North Korean government have pulled off a massive supply chain attack on Windows and macOS users of 3CX, a widely used ...

The attack came to light late on Wednesday, when products from various security companies began detecting malicious activity coming from legitimately signed binaries for 3CX desktop apps. That same day, 3CX users [started online threads](https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/) discussing what they believed were potential false-positive detections of 3CXDesktopApp by their endpoint security apps. [600,000+ customers](https://www.3cx.com/company/customers/),” including American Express, Mercedes-Benz, and Price Waterhouse Cooper.

[from Symantec](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack) indicates the compromised installers for Windows and Mac contain clean versions of the app with all of their normal functionality, preventing end users from suspecting anything is amiss. Preparations for the sophisticated operation began no later than February 2022, when the threat actor registered a sprawling set of domains used to communicate with infected devices. The DLL file then used the list to download and run a final payload from one of the URLs. “After this step is finally accomplished, the final payload is downloaded from one of these URLs and executed.” The payload was encrypted and contained other defenses designed to prevent detection or analysis. Many of the attacker-controlled servers that infected machines reach out to have already been shut down, he added.

As is the case with 3CX, the SolarWinds hackers compromised the company's software build system and used it to distribute a backdoored update to [roughly 18,000 customers](https://arstechnica.com/information-technology/2020/12/18000-organizations-downloaded-backdoor-planted-by-cozy-bear-hackers/). [SolarWinds network management](https://arstechnica.com/information-technology/2020/12/russian-hackers-hit-us-government-using-widespread-supply-chain-attack/) software. “This includes partnerships with vendors or the use of a third-party software which most businesses are reliant on in some way.

Post cover image courtesy of "CSO Online"

3CX DesktopApp compromised by supply chain attack (CSO Online)

3CX will be releasing an update for the DesktopApp in the next few hours; meanwhile, users are urged to use the PWA Client instead.

[3CX](https://www.3cx.com/company/) is a Voice Over Internet Protocol (VoIP) IPBX software development company. The company has over 600,000 customers and 12 million users in 190 countries. 3CX is working on a software update for its 3CX DesktopApp, after multiple security researchers alerted the company of an active supply chain attack in it. Researchers observed malicious activity originating from a trojanized version of the 3CX DesktopApp. Crowdstrike, on the other hand, claims that the MacOS version has also been infected. As an immediate response, the company advised users to uninstall and reinstall the app.

Post cover image courtesy of "Help Net Security"

3CX customers targeted via trojanized desktop app - Help Net Security (Help Net Security)

Suspected state-sponsored threat actors have trojanized the official Windows desktop app of the widely used 3CX softphone solution.

[says](https://www.3cx.com/blog/news/desktopapp-security-alert/) that the Windows version of the 3CX client app (based on the Electron framework) has been injected with malware, advised users to uninstall the app for the time being and use the PWA version until they are able to push out a clean version. EDRs from [@CrowdStrike], [@ESET], [@PaloAltoNtwks], and [@SentinelOne] flagged the binary. Both companies (and 3CX) said they were wrong. [Trend Micro](https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html) and [Crowdstrike](https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/) researchers say that macOS versions of the 3CX desktop app have been trojanized, as well. [confirmed](https://objective-see.org/blog/blog_0x73.html) that the 3CX app for macOS has also been trojanized by the attackers. The other cybersecurity companies did not offer insight on who the attackers might be. [Sophos](https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/), and [SentinelOne](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/)) have provided indicators of compromise 3CX customers can use to find evidence of compromise on their systems. The affected installers are:

- 3cxdesktopapp-18.12.407.msi (Windows)
- 3cxdesktopapp-18.12.416.msi (Windows)
- 3CXDesktopApp-18.11.1213.dmg (macOS)
- 3cxdesktopapp-latest.dmg (macOS)

Post cover image courtesy of "CRN"

Hackers May Still Have Access To 3CX Supply Chain: Huntress ... (CRN)

Hackers behind an attack on 3CX and its customers may still have access to the 3CX software supply chain, a Huntress researcher says.

It’s possible the hackers behind a potentially far-reaching supply chain attack on 3CX and its customers may still be able to compromise additional updates by the vendor to the app, according to a security researcher from Huntress. “It is not yet clear whether or not adversaries still have access to the 3CX supply chain in order to poison future updates,” Hammond wrote. “Perhaps this may change the tradecraft we see in the coming days.” “This appears to have been a targeted attack from an advanced persistent threat, perhaps even state sponsored, that ran a complex supply chain attack” using the Windows version of the app, 3CX’s Jourdan [wrote](https://www.crn.com/news/security/3cx-we-re-aware-of-complex-supply-chain-attack-) that the company is “working on a new Windows App that does not have the issue.” Major customers listed by 3CX include American Express, McDonald’s, Coca-Cola, NHS, Toyota, BMW and Honda.

Supply chain attack against 3CX communications app could impact ... (Cybersecurity Dive)

Researchers warn a state-linked actor has launched malicious activity against a voice application widely used by major corporate customers.

North Korea-linked threat actors are suspected in the attack. [began to see a spike in behavioral detections](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/) starting on March 22. The observed behavior included beaconing to infrastructure controlled by a threat actor, the deployment of second stage payloads, and in a small number of cases hands-on-keyboard activity. Other researchers have not been able to confirm activity on macOS. [according to Huntress](https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats). Its customers include major firms like PepsiCo, the U.K.'s National Health Service, Best Western and Air France, according to the 3CX website.

Post cover image courtesy of "PCMag AU"

Uninstall Now: Hackers Hijack 3CX Desktop App to Deliver Malware (PCMag AU)

VoIP provider 3CX urges users to uninstall the desktop app, amid concerns that state-sponsored hackers may be behind the attack.

[urging](https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/) users to uninstall the affected software, which includes versions 18.12.407 and 18.12.416 of the Windows app. In the meantime, 3CX says users can use its [web-based app](https://www.3cx.com/user-manual/web-client/#h.85vdwzu7eh2a) as a substitute. It remains unclear how the hackers breached 3CX to hijack the desktop app. The company has also uncovered evidence the malicious activity is coming from the infamous North Korean state-sponsored group known as [Lazarus](/security/85665/us-charges-3-north-korean-hackers-for-trying-to-steal-13-billion), which the FBI tied to the 2014 Sony Pictures hack. “The vast majority of systems, although they had the files dormant, were in fact never infected,” it adds. [according](https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html) to security firm Trend Micro.

Post cover image courtesy of "Ars Technica"

3CX knew its app was flagged as malicious, but took no action for 7 ... (Ars Technica)

"It's not exactly our place to comment on it," 3CX rep says of malicious detection.

On Friday, a day later, and again on the following Monday and Tuesday, more users reported receiving the SentinelOne warning. Users soon decided the detection was a false positive triggered by a glitch in the SentinelOne product. One user asked: "Wouldn't it be nice if you from 3CX would contact SentinelOne and figure out if this is a false positive or not? From provider to provider - so at the end, you and the community would know if it is still safe and sound?" The 3CX rep replied: "I think in this case at least, it makes more sense if the SentinelOne customers contact their security software provider and see why this happens." In a few cases, the attackers carried out “hands-on-keyboard activity” on infected machines, meaning the attackers manually ran commands on them.

Post cover image courtesy of "CRN"

3CX Supply Chain Attack: 8 Biggest Things To Know | CRN (CRN)

CRN looks at the supply chain attack on 3CX phone system software, which is being likened to the attacks on SolarWinds and Kaseya.

Reports from researchers at numerous security vendors since Wednesday have pointed to an active campaign using a compromised version of the 3CX app to target the company’s customers. Like with the SolarWinds breach, the 3CX attack poses a major concern because “the attacker needs to only carry off one successful attack to get their bad code somewhere, and then thousands of people download that bad code,” said Christopher Budd, senior manager of threat research at Sophos, in an interview with CRN Thursday. And it could end up being an even bigger supply chain attack than SolarWinds, given that 3CX reports having more than 600,000 customers, double the number of SolarWinds customers at the time of the attack on that company.

Post cover image courtesy of "The Register"

Do you use comms software from 3CX? What to do next after biz hit ... (The Register)

Two security firms have found what they believe to be a supply chain attack on communications software maker 3CX – and the vendor's boss is advising users ...

[told](https://www.theregister.com/2023/03/03/solarwinds_supplychain_security/) The Reg earlier this month of supply chain attacks. Supply chain attacks have been a growing threat since 2020’s Solar Wind incident. [Solar Winds](https://www.theregister.com/2020/12/14/solarwinds_fireeye_cozybear_us_government/), and the [Kaseya](https://www.theregister.com/2021/11/08/revil_ransomware_operators/) crisis that followed. The group primarily conducts espionage operations aimed at US and South Korea militaries. The biz claims it has more than 12 million daily users, and is or has been used by more than 600,000 organizations. The comms company serves a broad variety of industries and

“As many of you have noticed, the 3CX DesktopApp has a malware in it. It affects the Windows Electron client for customers running update 7. We strongly recommend using our PWA client instead. It really does 99 percent of the client app and is fully web based and this type of thing can never happen. Only thing you don't have is hotkeys and BLF.”
