Active Intrusion Campaign Targeting 3CX DesktopApp
Legitimate versions of 3CX DesktopApp have been compromised and are being actively exploited
Summary
Legitimate versions of 3CX DesktopApp have been compromised and are being actively exploited
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
3CX has released a Security Alert to address a 'security issue' in several versions of 3CX DesktopApp. The most recent versions of 3CX DesktopApp have been reportedly compromised by an advanced persistent threat group and have been distributed to customers.
The attacker could leverage the malicious applications to perform further malicious activity, including the remote deployment of second-stage malware.
Known exploitation of 3CX DesktopApp
Where organisations have found evidence of compromise they should call 0300 303 5222 or email [email protected] immediately.
CrowdStrike have reported malicious activity originating from legitimate, signed versions of 3CX DesktopApp. Observed activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity. CrowdStrike have attributed the activity to an advanced persistent threat group.
Threat updates
| Date | Update |
|---|---|
| 3 Apr 2023 | Affected platform changes: we have updated this cyber alert to reflect a change in the versions of affected platforms. We have added the following information: 3CX DesktopApp for macOS |
Remediation advice
Affected organisations are required to immediately uninstall affected versions of 3CX DesktopApp.
3CX have advised that they are looking to publish an updated version of their Windows client, and that their Web Client / Progressive Web Application (PWA) can be used as an alternative - https://www.3cx.com/user-manual/web-client/
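One way to find out whether a Windows endpoint still carries an installed 3CX DesktopApp before acting on the uninstall advice above. This is an added example, not code from the alert or from 3CX: it reads the standard Windows uninstall registry keys and lists any product whose display name contains "3CX", along with its version, so the result can be compared against the versions 3CX lists as affected. The wildcard match on the product and process name is an assumption; the script only reports and does not uninstall anything.

```powershell
# Added example: inventory 3CX DesktopApp installations on a Windows host.
# Registry paths are the standard Windows uninstall keys; matching on '*3CX*'
# is an assumption and should be checked against what 3CX publishes.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*3CX*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString, PSPath

if (-not $found) {
    Write-Output 'No 3CX DesktopApp installation found in the uninstall registry keys.'
} else {
    # Version and install location are what an administrator needs to compare
    # against the affected versions and to locate the files for removal.
    $found | Format-Table -AutoSize

    # A running instance will block or leave behind a partial uninstall, so report
    # it as well (process name wildcard is an assumption).
    Get-Process -Name '3CX*' -ErrorAction SilentlyContinue |
        Select-Object Id, Path, StartTime |
        Format-Table -AutoSize
}
```

Per-user installs are recorded under the installing user's HKCU hive, so when run from an administrative session the script sees only that session's user; run it in each user's context, or extend it to walk the loaded hives under HKEY_USERS, before treating an endpoint as clean.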
Definitive source of threat updates
Last edited: 3 April 2023 1:10 pm