(Updated 12/04/23 – 09:30BST) SECURITY ALERT: 3CX Desktop App Security Vulnerability


UPDATE 12/04/2023 – 09:30BST: Mandiant’s initial investigation into the 3CX intrusion and supply chain attack attributes the activity to a North Korean-linked group, UNC4736. They discovered that the attackers infected targeted 3CX systems with Windows-based TAXHAUL (AKA “TxRLoader”) malware, which decrypts and executes shellcode located in a file named <machine hardware profile GUID>.TxR.0.regtrans-ms. The malware uses the Windows CryptUnprotectData API to decrypt the shellcode with a unique cryptographic key for each compromised host. After decrypting and loading the shellcode, a complex downloader named COLDCAT is executed. A YARA rule was provided for hunting TAXHAUL, but users are advised to test it in a controlled environment before deploying it in production.

Mandiant also identified a macOS backdoor called SIMPLESEA, which is still being analysed for potential overlap with other known malware families. It communicates via HTTP and supports a range of backdoor commands such as shell command execution, file transfer, and configuration updating. On Windows systems, the malware achieves persistence through DLL side-loading, which allows it to operate within the context of legitimate Microsoft Windows binaries and reduces the likelihood of detection.

We would like to reiterate that businesses that are protected by Endpoint Detection & Response were protected from the attack and no action was needed. If you would like to find out more about EDR: Click Here

UPDATE 11/04/2023 – 10:30BST: After the latest release of the 3CX Desktop App (Version 18.12.425), we have downloaded and tested this app internally, as well as run our own security scans, and we are confident that 3CX users can now download the latest version of the Desktop app.

UPDATE 05/04/2023 – 08:30BST: On April 4th 3CX released an update on their forum regarding the status of the Desktop application. As part of this update 3CX also provided details on the extent of the cyber attack; more information will be provided soon. See the update below:

  • The Windows Electron (Desktop) App 18.12.425 has come back with the all clear from Mandiant.
  • The main difference with 18.12.422 is that it has been signed with a new certificate.
  • We hope to push this version to customers tomorrow.
  • We still recommend using the PWA Web App.
  • We are currently building a new version Update 7a – should be in QA by next week – which has
    1. Password hashing
    2. BLF panel for PWA dialer.
    3. Improved install screen in web client.
  • We only have a handful of cases reported to us where malware has actually been triggered. And these reports still require verification. Furthermore after removal of the infected files, no further malicious outbound traffic has been observed. Of course this may change but this is the status as of today.
  • We are taking the opportunity to strengthen our policies, practices, and technology to protect against future attacks.

What does this mean for your business? As the release should be published by 3CX today (April 5th), most businesses should have this update applied overnight. This means that by tomorrow (April 6th) you should be able to download the latest version of the 3CX Desktop App for Windows and macOS. This version has been independently checked by a third-party cyber security firm, Mandiant, to ensure it is safe to install.

UPDATE 03/04/2023 – 09:30BST: A new 3CX version has been released to all customers automatically over the weekend. However, based on a statement from 3CX, the current version and a future version are currently under review for vulnerabilities. At this time we advise that customers only use the Web or “PWA” versions of 3CX on Desktop/Laptop until further notice.

UPDATE 31/03/2023 – 08:30BST: Whilst believed to be unaffected, 3CX is recommending the removal of the macOS Desktop app. A new update is starting to be rolled out to all users; however, this will take 24-48hrs to be available to all customers and will happen automatically via an overnight update. Please note the following statement from 3CX with regards to the Desktop App:

“In a day or two from now, we will have another Electron (Desktop) App rebuilt from the ground up with a new signed certificate. This is expected to be completely secure. We strongly recommend that you avoid using the Electron (Desktop) App unless there is absolutely no alternative. The Electron (Desktop) App update that we are releasing today is considered to be secure but there is no guarantee given that we only had 24 hours to make the necessary adjustments.”

Note: If your business is protected by One2Call’s Endpoint Detection and Response service, you are protected from this attack. Find out more below.

According to an article published late on March 29th, cybersecurity firm SentinelOne detected, on March 22, 2023, a surge in behavioural detections of a trojanised version of 3CXDesktopApp, the desktop voice and video conferencing software that 3CX provides as part of their service and that we provide to our customers as part of our 3CX service. SentinelOne has not yet confirmed whether the Mac installer is also affected by the malware. The trojanised Windows 3CXDesktopApp is the first stage of a multi-stage attack that pulls ICO files appended with base64 data from GitHub, leading to a third-stage infostealer DLL. That DLL is currently being analysed, but it could be used for other malicious purposes such as gathering system data, browsing data, or potentially session data (see recent Linus Tech Tips Hack Article); this is being actively investigated.
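
A defender-side check for the delivery method described above, as an added example that is not from SentinelOne, 3CX or the article being summarised: it parses an ICO file's image directory and reports any bytes that sit after the last declared image, together with the longest base64-looking run among them. The sample icons, the delimiter byte and the 24-character threshold are constructed assumptions.

```python
import base64
import re
import struct

# A run of base64 characters long enough to be unlikely in ordinary metadata.
# The 24-character threshold is an assumption chosen for this example.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def ico_trailing_data(blob: bytes) -> bytes:
    """Return the bytes that follow the last image declared in the ICO directory."""
    if len(blob) < 6:
        raise ValueError("too short for an ICONDIR header")
    reserved, kind, count = struct.unpack_from("<HHH", blob, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = 6 + 16 * count  # header plus one 16-byte ICONDIRENTRY per image
    if len(blob) < end:
        raise ValueError("truncated icon directory")
    for i in range(count):
        # Each entry ends with the image's byte size and its offset in the file.
        size, offset = struct.unpack_from("<II", blob, 6 + 16 * i + 8)
        end = max(end, offset + size)
    return blob[end:]


def analyse_ico(blob: bytes) -> tuple[int, int]:
    """Return (trailing byte count, length of the longest base64 run in them)."""
    trailing = ico_trailing_data(blob)
    runs = [len(m.group(0)) for m in B64_RUN.finditer(trailing)]
    return len(trailing), max(runs, default=0)


# Constructed sample: a one-image icon with placeholder pixel data.
_image = bytes(40)
_header = struct.pack("<HHH", 0, 1, 1)
_entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(_image), 22)
CLEAN_ICO = _header + _entry + _image
# Constructed tampered copy: a delimiter byte plus base64 text after the image.
SAMPLE_B64 = base64.b64encode(b"constructed sample payload" * 2)
TAMPERED_ICO = CLEAN_ICO + b"|" + SAMPLE_B64

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("tampered", TAMPERED_ICO)):
        print(name, analyse_ico(blob))
```

Any non-zero trailing count on an icon is worth a look on its own; the base64 run length helps prioritise which files to examine first.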

The ongoing investigation includes other applications like the Chrome extension, which could also be used to stage attacks. The compromise includes a code signing certificate used to sign the trojanised binaries. The investigation into the threat actor behind this supply chain attack is ongoing. The attacker has registered a large set of infrastructure starting from February 2022, but SentinelOne has not yet found any obvious connections to existing threat clusters.

What is the 3CX Desktop App?

The 3CXDesktopApp is developed by 3CX, a business communications software company. 3CX has approximately 600,000 customer companies with 12 million daily users. The software is widely used in various sectors, including automotive, food and beverage, hospitality, manufacturing and more.

PBX software, such as 3CXDesktopApp, is a desirable target for attackers because it is widely used by businesses across the world, and attackers can monitor an organisation’s communications and modify call routing. There have been other instances where attackers have used PBX and Voice over Internet Protocol (VOIP) software to deploy additional payloads, such as the 2020 campaign against Digium VOIP phones using a vulnerable PBX library, FreePBX.

What can you do?

For any customers who already have SentinelOne, or Endpoint Detection and Response through One2Call, no action is needed at this time as you are already protected. The detections prevented the malicious installers from running and immediately quarantined them.

As this is an ongoing investigation, we advise that all users should remove the 3CXDesktopApp until further notice, remain vigilant when using the web app, and follow any security updates or recommendations provided by SentinelOne or 3CX. 3CX have confirmed that the GitHub repository has since been shut down, that domains contacted by this compromised library have already been reported, with the majority taken down overnight, and that a new Windows App is in development.

At this time we have been advised that a new 3CX version is in development and is due to be released on Friday March 31st. As 3CX auto-updates overnight, we expect that all customers will be able to download this latest version through the web client by Monday, April 3rd, at the latest. Please stay tuned for further updates.

How can you protect yourself from these types of attack?

Endpoint Detection and Response is designed to detect these malicious ‘Zero Day’ attacks by using artificial intelligence to monitor for malicious activity on your endpoints, including your business’s desktops and laptops, and to actively stop these types of attack. As such, any customers with our Endpoint Detection and Response service remain protected. If you would like to find out more about Endpoint Detection and Response, fill out the form below and a member of our team will reach out to you with more details.
