Supply Chain Attack against 3CXDesktopApp

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

Subscribe to our updates to be notified as soon as we publish an advisory.

4:00pm, 31 March 2023

TLP Rating: Clear

Supply Chain Attack against 3CXDesktopApp

Versions of the 3CX software have been compromised, signed, and distributed, resulting in malicious activity.

What's happening

What this means

Affected versions of the 3CX software have been turned into trojans.

This includes beaconing to command-and-control (C2) servers, deploying additional payloads such as information stealing malware, and in some cases hands-on-keyboard activity.

There is a 7-day delay before reaching out to external C2 servers. More information about this can be found on the huntress link in the ‘more information’ section below. 

The information stealing malware accesses system information such as hostname, domain name, OS information and browser history information from Brave, Chrome, Edge and Firefox browsers.

More information about the information stealing malware can be found on the Volexity link in the ‘more information’ section below.

What to look for

How to tell if you're affected

Versions of the 3CX Desktop App affected on Windows include:

  • 18.12.407, and
  • 18.12.416.

Versions of the 3CX Desktop App affected on Mac include:

  • 18.11.1213,
  • 18.12.402,
  • 18.12.407, and
  • 18.12.416.

What to do

Mitigation

If you have used one of the affected software versions, we encourage you to uninstall the affected application, check for published IOCs and malicious activity.

IOC’s can be found on the CrowdStrike and Sentinel One links in the ‘more information’ section below.

3CX is encouraging affected users to uninstall the app and use the Progressive Web App (PWA) Client as an alternative..

More information

 

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ External Link

For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384