Supply Chain Attack against 3CXDesktopApp
Versions of the 3CX software have been compromised, signed, and distributed, resulting in malicious activity.
What this means
Affected versions of the 3CX software have been turned into trojans.
The malicious activity includes beaconing to command-and-control (C2) servers, deploying additional payloads such as information-stealing malware and, in some cases, hands-on-keyboard activity.
There is a 7-day delay before the malware reaches out to external C2 servers. More information about this can be found on the Huntress link in the ‘more information’ section below.
The information stealing malware accesses system information such as hostname, domain name, OS information and browser history information from Brave, Chrome, Edge and Firefox browsers.
More information about the information stealing malware can be found on the Volexity link in the ‘more information’ section below.
What to look for
How to tell if you're affected
Versions of the 3CX Desktop App affected on Windows include:
- 18.12.407, and
Versions of the 3CX Desktop App affected on Mac include:
- 18.12.407, and
What to do
If you have used one of the affected software versions, we encourage you to uninstall the affected application and check for published IOCs and malicious activity.
IOCs can be found on the CrowdStrike and Sentinel One links in the ‘more information’ section below.
3CX is encouraging affected users to uninstall the app and use the Progressive Web App (PWA) Client as an alternative.
More information
- 3CX official site - 3CX Security Alert for Electron Windows App | Desktop App
- CrowdStrike - CrowdStrike Prevents 3CXDesktopApp Intrusion Campaign
- Sentinel One - SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack - SentinelOne
- Huntress - 3CX VoIP Software Compromise & Supply Chain Threats
- Volexity - 3CX Supply Chain Compromise Leads to ICONIC Incident
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.