BlueTeam CheatSheet *3CX-Event-March2023* | Last updated: 2023-04-06 0926 UTC

20230331-TLP-WHITE_3CX-event.md

Security Advisories / Bulletins / vendors Responses linked to 3CX compromise event

General

What's 3CX?

• 3CX evolved from its roots as a PBX phone system to a complete communications platform, offering customers a simple, flexible, and affordable solution to call, video and live chat.

What's happening?

• Per several report the building environment of 3CX for the DesktopApp (MAC & Windows) has been compromised
• The recent releases (details given below) have been compromised to include malicious code inside it
• More details available regarding the compromise with the graphics by Thomas Roccia:
• 3CX Supplychain Attack Windows
• 3CX Supplychain Attack Apple

Reach of the compromise

• Per 3CX website, likely numbers not updated:
• 190 Countries
• 600K+ installations
• 12M+ users

Affected ?

• You can check the dedicated website :
• https://checkmyoperator.com/
• NOTA: You also need to check manually the compromise!

Affected Releases

• The following releases & platforms are affected
• Microsoft / Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416.
• Mac / Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416 are also affected.

CVE Number

• Unusual thing, a CVE number been assigned to this attack based on CWE-506.
• CVE NVD Link : https://nvd.nist.gov/vuln/detail/CVE-2023-29059

Vendor response

• 3CX DesktopApp Security Alert
• 3CX DesktopApp Security Alert - Mandiant Appointed to Investigate
• Chrome blocks latest 3CX MSI installer

Vendor Forum Threads about AV detecting 3CX

• https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/
• https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/

NOTA

• Thanks to Crowdstrike for the burn of this with their Reddit post they did the right thing.

CyberSecurity vendors blogs

Crowdstrike

• https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
• https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/

SentinelLabs

• https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/

Sophos

• https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/

Huntress

• https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats

Elastic ecurity Labs

• https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack

Reversing Labs

• https://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update

PAN

• https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/

Trend Micro Research

• https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html

Volexity

• https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/

Checkpoint Research

• https://twitter.com/_CPResearch_/status/1641424448740810754

Objective See

• https://objective-see.org/blog/blog_0x73.html
• https://objective-see.org/blog/blog_0x74.html

Fortinet

• https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised

Orange Cyberdefense

• https://www.orangecyberdefense.com/global/blog/research/3cx-voip-app-supply-chain-compromise

Symantec (Broadcom)

• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack

Cyble

• https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack/

Nextron Systems

• https://www.nextron-systems.com/2023/03/31/using-thor-lite-to-scan-for-indicators-of-lazarus-activity-related-to-the-3cx-compromise/
• https://twitter.com/nextronsystems/status/1643147003155587072

Automox

• https://www.automox.com/blog/3cx-desktop-app-compromised

Malwarebytes

• https://www.malwarebytes.com/blog/news/2023/03/3cx-desktop-app-used-in-a-supply-chain-attack

Rapid7

• https://www.rapid7.com/blog/post/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/

Talos (Cisco)

• https://blog.talosintelligence.com/3cx-softphone-supply-chain-compromise/

Trustwave

• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-action-response-supply-chain-attack-using-3cx-pbax-software/

Blackberry

• https://blogs.blackberry.com/en/2023/03/initial-implants-and-network-analysis-suggest-the-3cx-supply-chain-operation-goes-back-to-fall-2022

VMware

• https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html

Threat Radar

• https://threatradar.net/3cx-in-the-wild/

Kaspersky

• https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/

Todyl

• https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign

Splunk

• https://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html

Zscaler

• https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023

Microsoft

• https://security.microsoft.com/threatanalytics3/89ed5a4c-622c-4641-8111-246eae37e200/analystreport

Errors, typos, something to say ?

• If you want to add a link, comment or send it to me
• Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak