Security Advisory - 3CX Software Active Campaign

Summary:

The 3CXDesktopApp, a softphone application for Windows and Mac computers made by 3CX, appears to have been compromised and is being used in an active supply chain attack. Once the trojanized application is installed, the malware beacons back to the attacker's infrastructure, drops additional payloads and spawns interactive command shells.

The RocketCyber SOC is actively hunting for indicators of compromise across all customer environments. We are seeing this attack exploited in the wild. Upon detection of a compromise, a Security Incident will be created (sent via email or PSA ticket) and the SOC will contact the emergency number(s) configured in the customer's account with details.

You must enable the IOC App to receive this detection – if you do not have this app enabled, please follow the instructions at: https://helpdesk.kaseya.com/hc/en-gb/articles/10293423639313-IOC-Detection-App

Background & Details:

3CX is a VoIP IPBX company that makes phone systems; one component is a softphone application that customers run from their Windows or Mac computer. CrowdStrike and SentinelOne first detected abnormal behavior from the 3CXDesktopApp. The attack uses a trojanized installer signed with 3CX's own code signing certificates, which indicates that the application itself has been compromised: a valid signature cannot be used to tell a clean build from the trojanized one.

The 3CXDesktopApp typically uses the following paths (the leading * is a wildcard for the drive or user-profile prefix):

*\ProgramData\3CXPhone (Windows)

*\AppData\Local\Programs\3CXDesktopApp (Windows)

/Applications/3CX Desktop App.app (MacOS)

Recommended Actions:

It is recommended to uninstall the 3CXDesktopApp from machines until further guidance is available from 3CX.

If RocketCyber detects a compromise, isolate the machine and closely monitor the environment. Because this is a new attack and the situation is still evolving, a compromised machine may have additional beacons, footholds and obfuscated malware installed. It is best practice to treat the machine as untrusted and wipe the computer to ensure the threat is removed.

Indicators of Compromise

Credit to CrowdStrike for disclosing details to the security community:

Domains:

akamaicontainer[.]com

akamaitechcloudservices[.]com

azuredeploystore[.]com

azureonlinecloud[.]com

azureonlinestorage[.]com

dunamistrd[.]com

glcloudservice[.]com

journalide[.]org

msedgepackageinfo[.]com

msstorageazure[.]com

msstorageboxes[.]com

officeaddons[.]com

officestoragebox[.]com

pbxcloudeservices[.]com

pbxphonenetwork[.]com

pbxsources[.]com

qwepoi123098[.]com

sbmsa[.]wiki

sourceslabs[.]com

visualstudiofactory[.]com

zacharryblogs[.]com

github[.]com/IconStorages/images

Hashes:

SHA-1    20d554a80d759c50d6537dd7097fed84dd258b3e

SHA-1    bf939c9c261d27ee7bb92325cc588624fca75429

SHA-1    cad1120d91b812acafef7175f949dd1b09c6c21a
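The following triage script is an added example and is not RocketCyber, CrowdStrike or 3CX code. It ties the two technical parts of this advisory together: it refangs the domain list above, flags DNS or proxy log lines that resolve a listed domain (or a subdomain of one, which a plain string search misses while avoiding false hits on look-alike names such as notakamaicontainer.com), and hashes every file under the install paths listed earlier against the three SHA-1s. The sample resolver log is constructed for illustration, the expansion of the "*" prefix to the system drive and every user profile is an assumption, and the github[.]com/IconStorages/images URL is deliberately not matched as a domain because github.com itself is not an indicator.

```python
"""Offline triage helper for the 3CX indicators above (added example, not RocketCyber or 3CX code)."""
import hashlib
import os
import re
import sys
from pathlib import Path
from typing import Iterable, List, Optional, Set, Tuple

# Domains exactly as published, defanged with "[.]"; refang() restores the dot.
IOC_DOMAINS_DEFANGED = [
    "akamaicontainer[.]com", "akamaitechcloudservices[.]com", "azuredeploystore[.]com",
    "azureonlinecloud[.]com", "azureonlinestorage[.]com", "dunamistrd[.]com",
    "glcloudservice[.]com", "journalide[.]org", "msedgepackageinfo[.]com",
    "msstorageazure[.]com", "msstorageboxes[.]com", "officeaddons[.]com",
    "officestoragebox[.]com", "pbxcloudeservices[.]com", "pbxphonenetwork[.]com",
    "pbxsources[.]com", "qwepoi123098[.]com", "sbmsa[.]wiki", "sourceslabs[.]com",
    "visualstudiofactory[.]com", "zacharryblogs[.]com",
]
IOC_SHA1 = {
    "20d554a80d759c50d6537dd7097fed84dd258b3e",
    "bf939c9c261d27ee7bb92325cc588624fca75429",
    "cad1120d91b812acafef7175f949dd1b09c6c21a",
}

def refang(indicator: str) -> str:
    """'example[.]com' -> 'example.com', lower-cased for comparison."""
    return indicator.replace("[.]", ".").lower()

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

def domain_matches(hostname: str, iocs: Iterable[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the IOC domain that hostname equals or is a subdomain of, else None."""
    host = hostname.lower().rstrip(".")
    for ioc in iocs:
        # The leading "." keeps 'notakamaicontainer.com' from matching 'akamaicontainer.com'.
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

# Anything shaped like a dotted hostname; IPs also match but never equal a listed domain.
_HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)

def scan_log_lines(lines: Iterable[str], iocs: Iterable[str] = IOC_DOMAINS) -> List[Tuple[int, str, str]]:
    """Return (line_number, hostname, matched_ioc) for every hit in a DNS or proxy log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in _HOST_RE.findall(line):
            ioc = domain_matches(host, iocs)
            if ioc:
                hits.append((n, host, ioc))
    return hits

# Constructed sample resolver log (not real customer data): one exact hit, one subdomain hit.
SAMPLE_DNS_LOG = [
    "2023-03-29T14:02:11Z client=10.0.4.17 query=updates.3cx.com type=A",
    "2023-03-29T14:02:13Z client=10.0.4.17 query=raw.githubusercontent.com type=A",
    "2023-03-29T14:03:47Z client=10.0.4.17 query=msstorageazure.com type=A",
    "2023-03-29T14:03:49Z client=10.0.4.17 query=cdn.visualstudiofactory.com type=A",
]

def sha1_of_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha1()  # streamed so large binaries need not fit in memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_files(roots: Iterable[Path], hashes: Set[str] = IOC_SHA1) -> List[Tuple[Path, str]]:
    """Hash every regular file below each existing root; return (path, sha1) for IOC hits."""
    hits = []
    for root in roots:
        if not root.exists():
            continue
        for p in root.rglob("*"):
            if p.is_file() and not p.is_symlink():
                try:
                    digest = sha1_of_file(p)
                except OSError:  # locked or unreadable; keep going
                    continue
                if digest in hashes:
                    hits.append((p, digest))
    return hits

def default_roots() -> List[Path]:
    """Expand the advisory's '*' prefixes to concrete directories on this host."""
    # Assumption: '*' means the system drive for ProgramData and any user profile for
    # AppData, so every profile under the Users directory is checked, not just the current one.
    if sys.platform == "win32":
        roots = [Path(os.environ.get("ProgramData", r"C:\ProgramData")) / "3CXPhone"]
        users = Path(os.environ.get("SystemDrive", "C:") + "\\") / "Users"
        for profile in users.glob("*"):
            roots.append(profile / "AppData" / "Local" / "Programs" / "3CXDesktopApp")
        return roots
    if sys.platform == "darwin":
        return [Path("/Applications/3CX Desktop App.app")]
    return []

if __name__ == "__main__":  # on a host: python3 this_script.py
    print(scan_log_lines(SAMPLE_DNS_LOG), scan_files(default_roots()))
```

Run it on a suspect Windows or macOS host with the user's own resolver or proxy export passed to scan_log_lines in place of the constructed sample. A hash match is conclusive; an absence of matches is not, since the hashes cover only the three files CrowdStrike published, so a host that ever had the app installed should still be treated as described under Recommended Actions.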
