Active Intrusion Campaign Targeting 3CX DesktopApp

Legitimate versions of 3CX DesktopApp have been compromised and are being actively exploited

Threat ID:: CC-4291
Threat Severity:: High
Published:: 30 March 2023 1:05 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Legitimate versions of 3CX DesktopApp have been compromised and are being actively exploited

Affected platforms

The following platforms are known to be affected:

3CX DesktopApp for Windows

18.12.407 and 18.12.416 shipped in Update 7

3CX DesktopApp for macOS

18.11.1213 shipped with Update 6
18.12.402, 18.12.407, and 18.12.416 in Update 7

Threat details

Introduction

3CX has released a Security Alert to address a 'security issue' in several versions of 3CX DesktopApp. The most recent versions of 3CX DesktopApp have been reportedly compromised by an advanced persistent threat group and have been distributed to customers.

The attacker could leverage the malicious applications to perform further malicious activity including the remote deployment of second stage malware.

Known exploitation of 3CX DesktopApp

Where organisations have found evidence of compromise they should call 0300 303 5222 or email [email protected] immediately.

CrowdStrike have reported malicious activity originating from legitimate, signed versions of 3CX DesktopApp. Observed activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity. CrowdStrike have attributed the activity to an advanced persistent threat group.

Threat updates

Date	Update
3 Apr 2023	Affected platform changes We have updated this cyber alert to reflect a change in the versions of Affected platfoms. We have added the following information: 3CX DesktopApp for macOS 18.11.1213 shipped with Update 6 18.12.402, 18.12.407, and 18.12.416 in Update 7

Date

Update

3 Apr 2023

Affected platform changes

We have updated this cyber alert to reflect a change in the versions of Affected platfoms. We have added the following information:

3CX DesktopApp for macOS

18.11.1213 shipped with Update 6
18.12.402, 18.12.407, and 18.12.416 in Update 7

Remediation advice

Affected organisations are required to immediately uninstall affected versions of 3CX DesktopApp.

3CX have advised that they are looking to publish an updated version of their Windows client, and that their Web Client / Progressive Web Application (PWA) can be used as an alternative - https://www.3cx.com/user-manual/web-client/

Definitive source of threat updates

https://www.3cx.com/blog/news/desktopapp-security-alert/

Last edited: 3 April 2023 1:10 pm