This is a follow-up to the 3CX supply chain attack threat advisory. Malware was found in the 3CX VoIP Desktop Application and was delivered to users through legitimate 3CX updates. 3CX has since released security updates; below are indicators of compromise (IoCs) and recommendations to help limit the impact of the 3CX supply chain attack.
Affected versions
On March 28, 2023, 3CX released a security advisory stating that its Electron Windows App shipped in Update 7, version numbers 18.12.407 and 18.12.416, included a security issue. Endpoint Detection & Response (EDR) and antivirus vendors have flagged 3CXDesktopApp.exe and in many cases uninstalled it. The Electron Mac App, version numbers 18.11.1213, 18.12.402, 18.12.407 and 18.12.416, is also affected.
All customers are advised to uninstall the desktop app and switch to the PWA client instead. The malware shipped with 3CXDesktopApp.exe can beacon to threat actor-controlled infrastructure, deploy second-stage payloads and, in a small number of cases, enable hands-on-keyboard activity. The most common post-exploitation activity observed to date is the spawning of an interactive command shell. 3CX has since released a security update for the issue and is working with law enforcement to investigate the incident. The Barracuda SOC team has created detections specific to this incident and will continue to monitor the situation.
Indicators of compromise
Based on public threat research, we consider the following to be indicators of compromise for this campaign:
Hashes (SHA-256):
- dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
- aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
- fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
- 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
- c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02
- 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
- 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03
- 4e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f
- 5a017652531eebfcef7011c37a04f11621d89084f8f9507201f071ce359bea3f
- 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290
- fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7
- 5009c7d1590c1f8c05827122172583ddf924c53b55a46826abf66da46725505a
- a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67
- 87c5d0c93b80acf61d24e7aaf0faae231ab507ca45483ad3d441b5d1acebc43c
Domains (defanged):
- akamaicontainer[.]com
- akamaitechcloudservices[.]com
- azuredeploystore[.]com
- azureonlinecloud[.]com
- azureonlinestorage[.]com
- dunamistrd[.]com
- glcloudservice[.]com
- journalide[.]org
- msedgepackageinfo[.]com
- msstorageazure[.]com
- msstorageboxes[.]com
- officeaddons[.]com
- officestoragebox[.]com
- pbxcloudeservices[.]com
- pbxphonenetwork[.]com
- pbxsources[.]com
- qwepoi123098[.]com
- sbmsa[.]wiki
- sourceslabs[.]com
- visualstudiofactory[.]com
- zacharryblogs[.]com
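The following triage helper is an added example, not code from Barracuda, 3CX or any of the vendors referenced on this page. It combines the affected build numbers from the Affected versions section with the SHA-256 hashes and domains listed above: it checks a client version against the affected list, hashes candidate files (for instance the installed 3CXDesktopApp binaries) against the hash IoCs, and sweeps DNS or proxy log lines for the IoC domains, counting any subdomain of a listed domain as a hit but not a longer name that merely ends in the same letters. The domains stay defanged in the source and are refanged only in memory, and the script never connects to them. The sample log lines and their timestamp/host/query format are constructed for illustration and are not real telemetry; the host names and file names in them are assumptions.

```python
# Added triage helper, not Barracuda's or 3CX's code: checks a client build
# against the affected versions, hashes files against the SHA-256 IoCs, and
# sweeps log lines for the IoC domains (or any subdomain of them).
import hashlib
import re

# Affected build numbers from the 3CX advisory, per platform.
AFFECTED_WINDOWS = {"18.12.407", "18.12.416"}
AFFECTED_MAC = {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"}

# SHA-256 IoCs from the advisory list.
IOC_HASHES = set("""
dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02
7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03
4e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f
5a017652531eebfcef7011c37a04f11621d89084f8f9507201f071ce359bea3f
5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290
fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7
5009c7d1590c1f8c05827122172583ddf924c53b55a46826abf66da46725505a
a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67
87c5d0c93b80acf61d24e7aaf0faae231ab507ca45483ad3d441b5d1acebc43c
""".split())

# Domain IoCs from the advisory list, kept defanged in source and refanged
# only in memory, so the script never carries a live attacker hostname.
IOC_DOMAINS_DEFANGED = """
akamaicontainer[.]com akamaitechcloudservices[.]com azuredeploystore[.]com
azureonlinecloud[.]com azureonlinestorage[.]com dunamistrd[.]com
glcloudservice[.]com journalide[.]org msedgepackageinfo[.]com
msstorageazure[.]com msstorageboxes[.]com officeaddons[.]com
officestoragebox[.]com pbxcloudeservices[.]com pbxphonenetwork[.]com
pbxsources[.]com qwepoi123098[.]com sbmsa[.]wiki sourceslabs[.]com
visualstudiofactory[.]com zacharryblogs[.]com
""".split()


def refang(domain):
    """Turn 'example[.]com' back into 'example.com'."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# One pattern for all domains: the domain itself or any subdomain of it, but
# not a longer name that merely ends in it ('notsbmsa.wiki' is not a hit).
_DOMAIN_RE = re.compile(
    r"(?<![a-z0-9.-])(?:[a-z0-9-]+\.)*("
    + "|".join(re.escape(d) for d in sorted(IOC_DOMAINS))
    + r")(?![a-z0-9-])",
    re.IGNORECASE,
)


def is_affected_version(version, platform):
    """True if this 3CX desktop client build is listed as affected."""
    affected = AFFECTED_WINDOWS if platform.lower() == "windows" else AFFECTED_MAC
    return version.strip() in affected


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large installers stay out of RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_ioc_hashes(paths, ioc_hashes=IOC_HASHES):
    """[(path, sha256)] for every readable file whose hash is an IoC."""
    hits = []
    for path in paths:
        try:
            digest = sha256_file(path)
        except OSError:  # missing or locked file: skip, do not abort the sweep
            continue
        if digest in ioc_hashes:
            hits.append((path, digest))
    return hits


def find_ioc_domains(log_lines):
    """[(line_number, domain)] for lines naming an IoC domain or subdomain."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for match in _DOMAIN_RE.finditer(line):
            hits.append((number, match.group(1).lower()))
    return hits


# Constructed sample DNS log lines (not real telemetry, generic format).
# Only lines 2 and 4 should hit; line 3 is a deliberate near-miss.
SAMPLE_DNS_LOG = [
    "2023-03-30T10:12:01Z host=WS-0421 query=update.microsoft.com type=A",
    "2023-03-30T10:12:07Z host=WS-0421 query=msstorageazure.com type=A",
    "2023-03-30T10:12:09Z host=WS-0133 query=notsbmsa.wiki type=A",
    "2023-03-30T10:12:14Z host=WS-0133 query=cdn.pbxsources.com. type=AAAA",
]

if __name__ == "__main__":
    print("18.12.407 on Windows affected:", is_affected_version("18.12.407", "windows"))
    for number, domain in find_ioc_domains(SAMPLE_DNS_LOG):
        print(f"DNS IoC hit on line {number}: {domain}")
```

In practice, feed `find_ioc_hashes` the paths of the installed 3CX desktop client files on each host and `find_ioc_domains` the exported DNS, proxy or Sysmon DNS-query lines for the retention window you have. Hash matching only catches the known samples listed here, so a clean hash sweep on a host that ran an affected build is not a clean bill of health; the domain sweep is the more useful signal for spotting beaconing from hosts whose binaries have already been replaced or uninstalled.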
What are the recommendations?
Barracuda SOC recommends the following actions to limit the impact of this supply chain attack:
- Disable or uninstall the 3CXDesktopApp: If you are using the 3CXDesktopApp, disable or uninstall it until the issue has been resolved. This reduces your exposure to the risks associated with the compromised software.
- Identify and isolate any systems on which the 3CXDesktopApp is deployed. Treat hosts that ran an affected build as potentially compromised rather than assuming removal of the app is sufficient, since second-stage payloads may already be present. Security researchers have published several indicators of compromise (IoCs), including those listed above, to aid network defenders in detecting malicious activity.
- Update your security software: Make sure your antivirus software and other security tools are up-to-date and configured to detect and block any malicious activity related to the 3CXDesktopApp.
- Monitor your accounts and systems: Keep a close eye on your accounts and systems for any signs of unauthorized access or suspicious activity. If you notice anything unusual, report it immediately to your IT department or security team.
- Stay informed: Stay up to date on the latest developments regarding the supply chain compromise and the status of the 3CXDesktopApp. Follow the vendor’s official communication channels for updates and guidance on how to proceed.
- Use vendor documentation: Ensure that you apply any available security patches. Information on how to do this is available at https://www.3cx.com/blog/news/desktopapp-security-alert-updates/
- Consider alternative solutions: While the 3CXDesktopApp is compromised, consider alternatives that provide similar functionality without the associated risk, such as the PWA client that 3CX recommends. Your IT department or security team may be able to recommend other suitable software.
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.3cx.com/community/threads/3cx-desktopapp-security-alert-mandiant-appointed-to-investigate.119973/
- https://www.3cx.com/blog/news/desktopapp-security-alert-updates/
- https://www.3cx.com/blog/news/desktopapp-security-alert/
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
- https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
If you have any questions, please contact our Security Operations Center.