4:00pm, 31 March 2023
TLP Rating:
Supply Chain Attack against 3CXDesktopApp
Versions of the 3CX software have been compromised, signed, and distributed, resulting in malicious activity.
What's happening
What this means
Affected versions of the 3CX software have been turned into trojans.
The malicious activity includes beaconing to command-and-control (C2) servers, deploying additional payloads such as information-stealing malware, and in some cases hands-on-keyboard activity.
There is a 7-day delay before reaching out to external C2 servers. More information about this can be found on the Huntress link in the ‘more information’ section below.
The information-stealing malware accesses system information such as hostname, domain name and OS information, as well as browser history information from the Brave, Chrome, Edge and Firefox browsers.
More information about the information-stealing malware can be found on the Volexity link in the ‘more information’ section below.
What to look for
How to tell if you're affected
Versions of the 3CX Desktop App affected on Windows include:
- 18.12.407, and
- 18.12.416.
Versions of the 3CX Desktop App affected on Mac include:
- 18.11.1213,
- 18.12.402,
- 18.12.407, and
- 18.12.416.
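One way to check a software inventory export against the version lists above. This is an added example, not part of the original advisory or any 3CX tooling; the CSV column names, the OS aliases, the host names and the rule that a fourth version field can be ignored are assumptions.

```python
import csv
import io
import re

# Affected versions exactly as listed in this advisory, per platform.
AFFECTED = {
    "windows": {"18.12.407", "18.12.416"},
    "mac": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}
# Assumption: OS labels an inventory tool might report, mapped to the advisory's platforms.
OS_ALIASES = {"windows": "windows", "win32": "windows",
              "mac": "mac", "macos": "mac", "darwin": "mac"}

# Constructed sample inventory export (hosts and non-advisory versions are made up).
SAMPLE_INVENTORY = """host,os,product,version
ws-014,Windows,3CX Desktop App,18.12.416
ws-022,Windows,3CX Desktop App,18.12.402
mb-003,macOS,3CX Desktop App,18.12.402
mb-007,Darwin,3CX Desktop App,v18.11.1213
ws-031,Windows,3CX Desktop App,18.10.461
ws-040,Windows,Mozilla Firefox,111.0
kiosk-1,unknown,3CXDesktopApp,18.12.407
"""

def normalize_version(raw):
    """Keep the first three numeric fields: 'v18.12.416.0' -> '18.12.416' (assumed equivalent)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", raw or "")
    return ".".join(m.groups()) if m else None

def triage(inventory_csv):
    """Return (host, platform, version, verdict) for every 3CX row in the inventory."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "3cx" not in row["product"].lower():
            continue
        platform = OS_ALIASES.get(row["os"].strip().lower())
        version = normalize_version(row["version"])
        if platform is None or version is None:
            verdict = "review"      # cannot be matched to a list, so do not clear it
        elif version in AFFECTED[platform]:
            verdict = "affected"
        else:
            verdict = "not listed"  # version is not on the advisory list for this platform
        results.append((row["host"], platform, version, verdict))
    return results

if __name__ == "__main__":
    for host, platform, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {platform or '?':8} {version or '?':12} {verdict}")
```

Version 18.12.402 is reported as affected only on Mac, matching the lists above, and rows with an unrecognised platform are marked for manual review rather than cleared.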
What to do
Mitigation
If you have used one of the affected software versions, we encourage you to uninstall the affected application and check for published IOCs and malicious activity.
IOCs can be found on the CrowdStrike and SentinelOne links in the ‘more information’ section below.
3CX is encouraging affected users to uninstall the app and use the Progressive Web App (PWA) Client as an alternative.
More information
- 3CX official site – 3CX Security Alert for Electron Windows App | Desktop App
- CrowdStrike – CrowdStrike Prevents 3CXDesktopApp Intrusion Campaign
- SentinelOne – SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack
- Huntress – 3CX VoIP Software Compromise & Supply Chain Threats
- Volexity – 3CX Supply Chain Compromise Leads to ICONIC Incident
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
Report an incident to CERT NZ
For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384.