3CX Desktop App Security Alert | March 2023

There's a critical security issue in the 3CX Desktop App. Here's what you need to know.

Background

A threat actor compromised the 3CX VoIP Desktop App (3CXDesktopApp) so that the legitimate software was shipped with malicious code inside it. The trojanized app is now the vector of an active supply chain attack. Cybersecurity firms have attributed the activity to state-sponsored threat actors and note that both the Windows and Mac builds are affected.

Impact

The compromise affects the following 3CX products and versions:

  • Electron Windows App (shipped in Update 7) versions 18.12.407 and 18.12.416
  • Electron Mac App versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416

Next Steps

We encourage your organization to take the following steps to mitigate the risk:

  1. Uninstall 3CXDesktopApp on all platforms and remove any artifacts it left behind.
  2. Use the PWA (browser-based) client, as 3CX recommends, while 3CX works on a fixed desktop app.
  3. Retroactively hunt for the indicators of compromise listed below (DNS and proxy logs, file hashes on endpoints) and block the known-malicious domains.

We recommend an EDR solution enriched by active threat intelligence and proactive monitoring to stay ahead of advanced threats such as supply chain attacks.

Indicators of Compromise

We recommend blocking the following domains used by the backdoor. They are shown defanged; replace "[.]" with "." before loading them into a blocklist:

akamaicontainer[.]com 
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
convieneonline[.]com
dunamistrd[.]com
glcloudservice.[.]
journalide[.]org
msedgepackageinfo[.]com
msstorageazure[.]com
msstorageboxes[.]com
officeaddons[.]com
officestoragebox[.]com
pbxcloudeservices[.]com
pbxphonenetwork[.]com
pbxsources[.]com
qwepoi123098[.]com
sbmsa[.]wiki
sourceslabs[.]com
soyoungjun[.]com
visualstudiofactory[.]com
zacharryblogs[.]com

File Hashes (SHA-256):

Compromised MSI: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868

ffmpeg.dll: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
d3dcompiler_47.dll: 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03
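As an added example (not part of this advisory or of 3CX's own tooling), the script below turns the IoCs above into a retroactive hunt covering step 3 of the Next Steps: it refangs the listed domains and scans log lines for them, and it hashes files and compares them against the listed SHA-256 values. It goes slightly beyond the flat domain list by also flagging subdomains of a listed domain, which is an assumption on my part. The install directories in CANDIDATE_DIRS are typical locations, not taken from the advisory, and the DNS log lines are constructed sample input.

```python
import hashlib
import os
import re
from pathlib import Path

# Defanged domains copied from the advisory; "[.]" is replaced with "." before matching.
DEFANGED_DOMAINS = [
    "akamaicontainer[.]com", "akamaitechcloudservices[.]com", "azuredeploystore[.]com",
    "azureonlinecloud[.]com", "azureonlinestorage[.]com", "convieneonline[.]com",
    "dunamistrd[.]com", "journalide[.]org", "msedgepackageinfo[.]com",
    "msstorageazure[.]com", "msstorageboxes[.]com", "officeaddons[.]com",
    "officestoragebox[.]com", "pbxcloudeservices[.]com", "pbxphonenetwork[.]com",
    "pbxsources[.]com", "qwepoi123098[.]com", "sbmsa[.]wiki", "sourceslabs[.]com",
    "soyoungjun[.]com", "visualstudiofactory[.]com", "zacharryblogs[.]com",
]

# SHA-256 values from the advisory, mapped to the artifact each one identifies.
KNOWN_BAD_SHA256 = {
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868": "compromised 3CXDesktopApp MSI",
    "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896": "ffmpeg.dll",
    "11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03": "d3dcompiler_47.dll",
}

# Assumed (not from the advisory) install locations to walk; adjust for your estate.
CANDIDATE_DIRS = [
    Path(os.environ.get("LOCALAPPDATA", "")) / "Programs" / "3CXDesktopApp",
    Path("/Applications/3CX Desktop App.app"),
]

# Loose hostname matcher for free-form log lines (lower-cased before use).
HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")


def refang(domain: str) -> str:
    """Turn a defanged 'example[.]com' back into lower-case 'example.com'."""
    return domain.replace("[.]", ".").lower()


BAD_DOMAINS = frozenset(refang(d) for d in DEFANGED_DOMAINS)


def matching_bad_domain(host: str):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for bad in BAD_DOMAINS:
        if host == bad or host.endswith("." + bad):
            return bad
    return None


def find_domain_hits(log_lines):
    """Scan log lines; return one (line_no, host, listed_domain) tuple per hit."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for host in HOST_RE.findall(line.lower()):
            bad = matching_bad_domain(host)
            if bad:
                hits.append((line_no, host, bad))
    return hits


def classify_sha256(hexdigest: str):
    """Return the artifact name if the digest is a listed IoC, else None."""
    return KNOWN_BAD_SHA256.get(hexdigest.lower())


def classify_bytes(data: bytes):
    return classify_sha256(hashlib.sha256(data).hexdigest())


def classify_file(path):
    """Hash a file in 1 MiB chunks (installers are large) and classify it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return classify_sha256(h.hexdigest())


def scan_dirs(dirs=CANDIDATE_DIRS):
    """Walk the given directories; return [(path, artifact)] for listed hashes."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for p in d.rglob("*"):
            if p.is_file():
                try:
                    artifact = classify_file(p)
                except OSError:
                    continue  # unreadable or locked file; keep going
                if artifact:
                    findings.append((p, artifact))
    return findings


# Constructed sample DNS log lines (not real telemetry) to exercise the domain scan.
SAMPLE_DNS_LOG = [
    "2023-03-29T10:01:12Z client=10.0.0.5 query=akamaitechcloudservices.com type=A",
    "2023-03-29T10:01:13Z client=10.0.0.5 query=www.example.com type=A",
    "2023-03-29T10:02:40Z client=10.0.0.9 query=cdn.msstorageazure.com type=A",
]

if __name__ == "__main__":
    for line_no, host, bad in find_domain_hits(SAMPLE_DNS_LOG):
        print(f"line {line_no}: {host} -> listed domain {bad}")
    for path, artifact in scan_dirs():
        print(f"{path}: matches IoC hash for {artifact}")
```

Run it with real DNS or proxy exports by passing their lines to find_domain_hits, and point scan_dirs at wherever the app was deployed in your environment; any hit on a file hash means the host ran a trojanized build and should be treated as compromised, not merely cleaned.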