If your business uses 3CX for VoIP phone service, you should immediately check whether you have been affected by the compromise of its desktop application. 3CX confirmed yesterday that Windows desktop application versions 18.12.407 & 18.12.416 and Mac application versions 18.11.1213, 18.12.402, 18.12.407 & 18.12.416 are affected.
A digitally signed and trojanized version of the 3CX V desktop client is reportedly being used to target the company’s customers in an ongoing supply chain attack. The full scale of the attack is currently unknown.
“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” CrowdStrike’s threat intel team said.
This appears to have been a targeted attack by an advanced persistent threat, possibly state sponsored, that ran a complex supply chain attack and selected which victims would receive the next stages of its malware. According to 3CX, the vast majority of systems had the malicious files present but dormant and were in fact never infected.
The company said it’s engaging the services of Google-owned Mandiant to review the incident. In the interim, it’s urging its customers of self-hosted and on-premise versions of the software to update to version 18.12.422.
3CX has evolved from its roots as a PBX phone system into a complete communications platform. It operates in over 190 countries, with 600,000+ installations and over a million users.
3CX Remediation
If your business has any of the affected versions installed, we recommend the following steps:
- Uninstall the 3CX desktop application from all PCs and Macs.
- Reset 3CX credentials for all users.
- Begin using the PWA web based application instead.
- Affected user accounts should have their login passwords reset.
- Enable Multi-Factor Authentication wherever possible.
- Any site where credential harvesting could have occurred from Chrome/Edge, etc., should have its password reset.
- Invalidate any persistence tokens for sites like Microsoft 365, Google, etc.
- Invest in EDR (Endpoint Detection & Response) if you haven’t already.
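Before working through the steps above, you need to know which machines are actually running an affected build. The following Python triage helper is an added example, not code from 3CX or Pennyrile Technologies: it compares each host's installed desktop app version against the affected versions and the fixed version (18.12.422) listed in this alert. The inventory rows are constructed sample data; in practice they would come from your RMM or software inventory export.

```python
"""Triage helper for the 3CX desktop app supply chain advisory (added example)."""

# Affected builds as listed in the alert, keyed by platform.
AFFECTED = {
    "windows": {"18.12.407", "18.12.416"},
    "mac": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}
# Version 3CX asked self-hosted and on-premise customers to update to.
FIXED_VERSION = "18.12.422"


def parse_version(version: str) -> tuple:
    """Turn '18.12.407' into (18, 12, 407) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def triage(platform: str, version: str) -> str:
    """Classify one installed build: affected, outdated, ok or unknown-platform."""
    plat = platform.lower()
    if plat not in AFFECTED:
        return "unknown-platform"
    if version.strip() in AFFECTED[plat]:
        return "affected"            # confirmed trojanized build: full remediation
    if parse_version(version) < parse_version(FIXED_VERSION):
        return "outdated"            # not on the confirmed list, but older than the fix
    return "ok"


def triage_inventory(rows) -> dict:
    """Map hostname -> status for (hostname, platform, version) rows."""
    return {host: triage(platform, version) for host, platform, version in rows}


def hosts_needing_action(rows) -> list:
    """Hosts that should be uninstalled/updated and have credentials reset."""
    statuses = triage_inventory(rows)
    return sorted(h for h, s in statuses.items() if s in ("affected", "outdated"))


# Constructed sample inventory: (hostname, platform, installed 3CX desktop version)
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "18.12.416"),   # confirmed affected Windows build
    ("ws-02", "windows", "18.12.422"),   # already on the fixed version
    ("mb-01", "mac", "18.11.1213"),      # confirmed affected Mac build
    ("mb-02", "mac", "18.12.300"),       # older build, not on the list but should update
    ("ws-03", "windows", "18.12.402"),   # affected on Mac only; on Windows just outdated
]

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY))
```

Hosts reported as "affected" should go through every remediation step above; "outdated" hosts should at minimum be updated to 18.12.422 before being trusted again.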
3CX Security Alert Conclusion
If you need assistance remediating this 3CX security alert, contact Pennyrile Technologies. We can assist with 3CX removal and securing your network. For additional information, you can follow the 3CX thread here.