
3CXDesktopApp

3 April 2023 | April 9th, 2023 | Vulnerability

This live blog contains information regarding the 3CXDesktopApp vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on April 3, 2023.

Update 3 April 2023

18:00 | We updated our blog about the 3CXDesktopApp incident with the latest information. On 1 April 2023, 3CX published an update on the current situation and recommended actions for organizations using 3CXDesktopApp.

At this moment it is recommended to uninstall the 3CX Electron Desktop Application from systems running Windows or macOS. Instead, use the PWA Web Client App, or the legacy Desktop Application if functionality you require is missing from the web client. Furthermore, it is recommended to continue monitoring your environment with up-to-date AV and/or EDR solutions for potential malware.

Based on the latest information, the following versions of the 3CX Electron Desktop Application are affected:

  • Windows
    • 18.12.407
    • 18.12.416
  • MacOS
    • 18.11.1213 shipped with Update 6
    • 18.12.402
    • 18.12.407
    • 18.12.416 in Update 7
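The affected-version list above is most useful when it can be run against an inventory of your own endpoints. The following added example (not Tesorion's or 3CX's tooling) triages a constructed CSV export for 3CXDesktopApp installs; it assumes the export has `host`, `os`, `product` and `version` columns and normalizes the version strings that asset tools commonly produce (a fourth component or a `v` prefix) before matching them against the list.

```python
import csv
import io
import re

# Affected builds exactly as listed in the 3 April 2023 update of this advisory.
AFFECTED = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

# Constructed sample export; the column names are an assumption about the
# inventory tool and must be adapted to the real one.
SAMPLE_INVENTORY = """host,os,product,version
ws-001,Windows 10,3CX Desktop App,18.12.416.0
ws-002,Windows 11,3CX Desktop App,v18.12.407
mac-01,macOS 13.2,3CXDesktopApp,18.11.1213
ws-003,Windows 10,3CX Desktop App,18.12.422
srv-01,Windows Server 2019,Some Other App,18.12.416
"""

def normalize_platform(os_name):
    # Map free-form OS strings to the two platforms the advisory covers.
    s = os_name.lower()
    if "windows" in s:
        return "windows"
    if "mac" in s or "darwin" in s or "os x" in s:
        return "macos"
    return None

def normalize_version(version):
    # Keep major.minor.build; exports often add a 4th component or a 'v'.
    m = re.match(r"v?(\d+\.\d+\.\d+)", version.strip(), re.IGNORECASE)
    return m.group(1) if m else None

def triage(inventory_csv):
    # Return {host: affected | not_affected | unknown} for every
    # 3CXDesktopApp install in the export; other products are skipped.
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not re.sub(r"[\s_-]", "", row["product"]).lower().startswith("3cxdesktop"):
            continue
        platform = normalize_platform(row["os"])
        version = normalize_version(row["version"])
        if platform is None or version is None:
            result[row["host"]] = "unknown"
        elif version in AFFECTED[platform]:
            result[row["host"]] = "affected"
        else:
            result[row["host"]] = "not_affected"
    return result
```

Hosts reported as `affected` are the ones where the advisory's uninstall recommendation applies; `unknown` rows need a manual look because the OS or version field could not be interpreted.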

Update 30 March 2023

14:00 | This is an ongoing and evolving incident. More information might be added to this liveblog at a later stage.

The Voice over IP (VoIP) desktop client 3CXDesktopApp, version numbers 18.12.407 and 18.12.416, likely contains a library that has been altered by a threat actor as part of a supply chain attack.

If the 3CXDesktopApp is in use in your environment, it can be abused to download malicious payloads onto the system it is installed on. Currently, these payloads appear to be information-stealing malware. At this moment only the 3CXDesktopApp for the Microsoft Windows OS has been determined to contain the malicious code. Research is ongoing into whether the 3CX browser extensions and the macOS, iOS, or Android applications contain similar malicious code.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Vulnerability information

The Voice over IP (VoIP) desktop client 3CXDesktopApp, version numbers 18.12.407 and 18.12.416, likely contains a library that has been altered by a threat actor as part of a supply chain attack.

If the 3CXDesktopApp is in use in your environment, it can be abused to download malicious payloads onto the system it is installed on. Currently, these payloads appear to be information-stealing malware. At this moment only the 3CXDesktopApp for the Microsoft Windows OS has been determined to contain the malicious code. Research is ongoing into whether the 3CX browser extensions and the macOS, iOS, or Android applications contain similar malicious code.

Potential Risk

The current payloads have been identified as information stealing malware. This type of malware may extract sensitive information from a system, including, but not limited to, credentials and browser bookmarks. While additional threats have not yet been seen, due to the nature of the risk, the threat actor may change their tactics and malware at any given time.

Detail info

Currently, the recommendation is to uninstall the 3CXDesktopApp until a secure version becomes available. In the meantime, 3CX recommends using their 3CX Web Client instead.

If you’re currently using the 3CXDesktopApp in your IT environment and suspect malicious activity may have taken place, please contact the Tesorion Computer Emergency Response Team. T-CERT offers specialist support 24/7. In emergencies, we are available to support you and do all we can to get the situation under control as soon as possible.

Tesorion SOC is actively threat hunting across its current SOC customer base for indicators of attack. Additionally, the known network-related indicators of compromise have been added to the Tesorion Immunity blacklist.
