IMPORTANT SECURITY ALERT: 3CX Desktop App Security Vulnerability

UPDATE 31/03/2023 - 08:30BST: Whilst believed to be unaffected, 3CX is recommending the removal of the MacOS Desktop app. A new update is starting to be rolled out to all users, however this will take 24-48hrs to be available to all customers and will happen automatically via an overnight update. Please note the following statement from 3CX with regards to the Desktop App;

"In a day or two from now, we will have another Electron App rebuilt from the ground up with a new signed certificate. This is expected to be completely secure. We strongly recommend that you avoid using the Electron App unless there is absolutely no alternative. The Electron App update that we are releasing today is considered to be secure but there is no guarantee given that we only had 24 hours to make the necessary adjustments."

-

Note: If your business is protected by One2Call’s Endpoint Defence and Response service, you are protected from this attack. Find out more below.

According to an article published late on March 29th, on March 22, 2023, cybersecurity firm SentinelOne detected a surge in behavioural detections of a trojanized version of 3CXDesktopApp —  the desktop voice and video conferencing software that 3CX provides as part of their service — that One2Call provide to their customers as part of their 3CX service.

SentinelOne has not yet confirmed whether the Mac installer is also affected by the malware. The trojanized Windows 3CXDesktopApp is the first stage of a multistep attack. It pulls ICO files appended with base64 data from Github, leading to a third-stage infostealer DLL which could be used for other malicious means such as gathering system data, browsing data, or potentially session data (see recent Linus Tech Tips Hack Article). However, this is currently being actively investigated.

The ongoing investigation includes other applications like the Chrome extension, which could also be used to stage attacks. The compromise includes a code signing certificate used to sign the trojanized binaries. The investigation into the threat actor behind this supply chain attack is ongoing. The attacker has registered a large set of infrastructure starting from February 2022, but SentinelOne has not yet found any obvious connections to existing threat clusters.

What is the 3CX Desktop App?

The 3CXDesktopApp is developed by 3CX, a business communications software company. The 3CX has approximately 600,000 customer companies with 12 million daily users. The software is widely used in various sectors, including automotive, food and beverage, hospitality, manufacturing and more.

PBX software such as 3CXDesktopApp is a desirable target for attackers because it is widely used by businesses across the world. Attackers can monitor an organisation’s communications and modify call routing. There have been other instances where attackers have used PBX and Voice over Internet Protocol (VOIP) software to deploy additional payloads, such as the 2020 campaign against Digium VOIP phones using a vulnerable PBX library, FreePBX.

What can you do?

For any One2Call customers who already have SentinelOne  —  or Endpoint Defence and Response through One2Call  —  no action is needed at this time as you are already protected. The detections prevented the malicious installers from running and immediately quarantined them.

As this is an ongoing investigation, One2Call advise that all users should remove the 3CXDesktopApp until further notice and should remain vigilant of the web app. Any security updates or recommendations provided by SentinelOne or 3CX should be followed.

3CX have confirmed that the GitHub Repository has since been shut down, and domains contacted by this compromised library have already been reported. The majority have been taken down overnight and a new Windows App is in development.

At this time we have been advised that a new 3CX version is in development and is due to be released on Friday, March 31st. As 3CX auto-updates overnight, we expect that all customers will be able to download this latest version through the web client by Monday, April 3rd, at the latest. 

How can you protect yourself from these types of attacks?

Endpoint Defence and Response is designed to detect these malicious ‘Zero Day’ attacks by using artificial intelligence to monitor for malicious activity on your endpoints  —  including your businesses Desktops and Laptops  —  and actively stop these types of attacks.

Any One2Call customers with their Endpoint Defence and Response service remain protected. If you would like to find out more about Endpoint Defence and Response, fill out the form below and a member of the One2Call team will reach out with more details.

Contact One2Call to find out how you can stay protected.

https://www.one2call.net/