Warning to customers of phone system provider 3CX. Its 3CX Desktop App has probably been infected with malware via a supply chain attack. At least, that's what various reports from security companies as well as posts on reddit.com suggest. Here's an overview of what I've found out so far after a quick reader tip (thanks for that).
3CX is an international developer of VoIP IPBX software. The 3CX phone system, an open standards software-based phone system, was originally only usable on Windows, but since 2016 can also be used on Linux and cloud platforms. 3CX Desktop App is an application that can be used to make calls directly on the desktop using a headset. 3CXDesktopApp is available for Windows, macOS, Linux and mobile devices.
Hints about compromise
A blog reader emailed me a few hours ago to alert me to the reddit.com thread "3CX likely comprised, take action". There is a suspicion that the software – specifically its 3CX Desktop App – might be compromised. On reddit.com there is a second thread, "// 2023-03-29 // SITUATIONAL AWARENESS // CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers //", with more information.
Security vendor CrowdStrike reports that on March 29, 2023, their Falcon OverWatch product observed unexpected malicious activity originating from a legitimate signed binary, 3CXDesktopApp – a softphone application from 3CX. The malicious activities include beaconing of actor-controlled infrastructure, second-stage payload delivery, and in a few cases, keyboard activity.
The products Falcon Prevent and Insight have behavioral prevention measures and atomic detections that target 3CXDesktopApp misuse. OverWatch has notified customers where hands-on keyboard activity has been observed, and Falcon Complete is in contact with customers where the 3CXDesktopApp is present.
The 3CXDesktopApp is available for Windows, macOS, Linux and mobile devices. At the time of writing, activity was observed on both Windows and macOS. CrowdStrike's intelligence team is in contact with 3CX. CrowdStrike suspects the nation-state-level threat actor LABYRINTH CHOLLIMA is behind the activity.
It's a developing story. CrowdStrike plans to post more information, when available, in the reddit.com thread "3CX likely comprised, take action". CrowdStrike customers can already find advice there on how to respond and which defensive measures are available. Meanwhile, CrowdStrike has also published a blog post on the topic, CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers.
ThreatLocker has details
Security vendor ThreatLocker has also received reports of a possible 3CX Desktop App compromise. In response, the vendor has published the blog post Unconfirmed 3CX Desktop App Compromise as of March 29, 2023, where more details can be found. According to ThreatLocker, all executables of the potentially compromised versions 18.12.416 and 18.12.407 of the 3CX Desktop App have been blocked from execution in its own security software. The vendor recommends blocking the app's file read/write access and its Internet access.
Other security vendors like SentinelOne also seem to have been deleting the compromised app from systems since the beginning of the week (27/28 March 2023) (see screenshot above). The whole thing seems to have been observed since last week. I haven't found any official notification on the 3CX website yet, and the compromised app is said to have still been downloadable at the time of writing this post. However, on the 3CX forum there is this post on the subject. The colleagues from Bleeping Computer have collected some more hints in this post.
Addendum: There is now an official statement, 3CX DesktopApp Security Alert, from 3CX that says:
We regret to inform our partners and customers that our Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416, includes a security issue. Anti-virus vendors have flagged the executable 3CXDesktopApp.exe and in many cases uninstalled it.
The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT. We're still researching the matter to be able to provide a more in-depth response later today. Here's some information on what we've done so far.
3CX says that the domain contacted by the malicious code has been taken down. The compromised GitHub repository has also been removed. 3CX is working on a new, clean desktop app.
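As an added example (not code from the original post, from 3CX, or from any of the vendors mentioned), the following PowerShell inventory check reports whether one of the two affected versions named above, 18.12.407 or 18.12.416, is registered on a Windows host and whether 3CXDesktopApp.exe is currently running. The Uninstall registry locations and the "*3CX*" DisplayName match are assumptions about how the app registers itself.

```powershell
# Added example: flag the two 3CX Desktop App versions named in the 3CX statement.
# Assumption: the app appears under the standard Uninstall keys with a DisplayName
# containing "3CX" and a DisplayVersion such as "18.12.416".

$AffectedVersions = @([version]'18.12.407', [version]'18.12.416')   # from the 3CX alert

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # Electron apps often install per user
)

function Get-3CXDesktopAppStatus {
    # Enumerate installed-program entries and keep anything that looks like 3CX.
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*3CX*' }

    foreach ($e in $entries) {
        $parsed = $null
        $isAffected = $false
        # Compare as System.Version so "18.12.416" is matched exactly, not as a substring.
        if ([version]::TryParse([string]$e.DisplayVersion, [ref]$parsed)) {
            $isAffected = $AffectedVersions -contains $parsed
        }
        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            DisplayName    = $e.DisplayName
            DisplayVersion = $e.DisplayVersion
            InstallPath    = $e.InstallLocation
            Affected       = $isAffected
        }
    }
}

$status  = Get-3CXDesktopAppStatus
$running = Get-Process -Name '3CXDesktopApp' -ErrorAction SilentlyContinue   # process name without .exe

$status | Format-Table -AutoSize

if ($status | Where-Object Affected) {
    Write-Warning "An affected 3CX Desktop App version is installed on $env:COMPUTERNAME."
}
if ($running) {
    Write-Warning ("3CXDesktopApp.exe is running (PID {0}); preserve process details before remediation." -f ($running.Id -join ', '))
}
```

Run it under an account that can read HKLM, or wrap it in your endpoint management tool to collect the per-host objects centrally.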