
Date: 30-03-2023 

On Wednesday 29 March 2023, CrowdStrike reported malicious activity originating from a signed binary of the 3CXDesktopApp software[1]. We advise uninstalling the 3CXDesktopApp software completely from all endpoints until 3CX has released a clean version.

3CX Desktop App is a softphone application from 3CX used for Voice over IP (VoIP) and telephony services. Based on the information available at the time of writing, the compromised binary is the first stage of a multi-stage attack chain: the observed malicious activity includes connecting to infrastructure controlled by a threat actor, and that infrastructure is then used to deliver the payloads for the subsequent stages. According to SentinelOne[2], the final stage appears to be an info-stealer that is downloaded onto the affected endpoint.

Impact

We assess the impact of this campaign as High, since the campaign deploys an info-stealer through the 3CX software. Running the compromised software gives the adversary full access to the accounts and data on the system where the update is installed, which can lead to full compromise of the IT infrastructure. At the time of writing, the compromised binary of 3CXDesktopApp is being actively abused.

Risk

As the campaign uses a signed binary of the widely used 3CXDesktopApp, the risk of endpoint compromise is High. Furthermore, the application installs updates automatically, so endpoints may have received the compromised version through the regular update mechanism without any user action.

What should you do?

Based on the information available at the time of writing, the 3CXDesktopApp client applications for both Windows and macOS are affected.

Northwave customers that are covered by Northwave's EDR service are already adequately protected at this point.

To other readers, we advise the following remediation steps:

      1. Search your software inventory for 3CX software. If Microsoft Defender for Endpoint is available, the following Advanced Hunting query can be used to find endpoints with 3CX software installed:

        DeviceTvmSoftwareEvidenceBeta
        | where SoftwareName contains "3CX"

      2. Uninstall the 3CXDesktopApp software completely from the endpoints. If the software is critical for business functions, use the web-based version of the application instead.

      3. Add the hashes of the atomic indicators published by CrowdStrike[3] to your Endpoint Detection and Response platform and scan the endpoints that had the 3CXDesktopApp software installed. A scan with the THOR Lite scanner and updated signatures can also be run on those endpoints to detect malicious activity from the compromised 3CXDesktopApp software[4]. If Microsoft Defender for Endpoint is available, the following Advanced Hunting query searches for the known malicious versions used in this campaign:

        DeviceFileEvents
        | where SHA256 in~ (
            "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc",
            "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405",
            "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61",
            "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb",
            "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868",
            "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983",
            "5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290",
            "e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec",
            "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
        )
        | project Timestamp, DeviceName, FileName, FolderPath, SHA256

      4. If the compromised executables were discovered on an endpoint, reset all credentials used on that endpoint, revoke all active sessions and enforce multi-factor authentication (MFA).
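For endpoints that are not covered by Microsoft Defender for Endpoint or another EDR, steps 1 and 3 above can be carried out with a small offline hash scan. The script below is an added example written for this page; it is not code from Northwave, CrowdStrike or 3CX. It embeds the nine SHA-256 indicators listed in step 3, validates and normalises them so a truncated or upper-cased copy cannot silently produce a hash that never matches, walks a directory tree you choose (the 3CXDesktopApp install folder is an assumed starting point), streams each file through SHA-256, and reports both hash matches and files it could not read, which is where a locked, still-running binary would otherwise be skipped without notice. It also lists anything whose name contains "3cx" as a fallback inventory check. The sample tree used by `run_demo()` is constructed for the example and contains no real 3CX files.

```python
"""Offline SHA-256 IOC scan for compromised 3CXDesktopApp binaries (added example)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, FrozenSet, List

# Hashes from step 3 of this advisory. '#' starts a comment, one hash per
# line, so the same loader accepts an IOC list exported from an EDR.
ADVISORY_IOCS = """
# known malicious 3CXDesktopApp versions listed in this advisory
dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb
aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290
e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec
7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
"""

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def load_iocs(text: str) -> FrozenSet[str]:
    """Lower-case, strip comments/blank lines and reject anything that is
    not a 64-hex-digit SHA-256, so a bad paste fails loudly, not silently."""
    hashes = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if not _SHA256_RE.match(line):
            raise ValueError(f"not a SHA-256 hex digest: {raw!r}")
        hashes.add(line)
    return frozenset(hashes)


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash in 1 MiB chunks so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path, iocs: FrozenSet[str]) -> Dict[str, List[str]]:
    """Return absolute paths whose SHA-256 is in `iocs`, plus paths that could
    not be hashed (locked, permission denied) for manual follow-up."""
    matches: List[str] = []
    unreadable: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not path.is_file():  # dangling symlinks, sockets, etc.
                continue
            try:
                if sha256_file(path) in iocs:
                    matches.append(str(path))
            except OSError:
                unreadable.append(str(path))
    return {"matches": sorted(matches), "unreadable": sorted(unreadable)}


def find_3cx_by_name(root: Path) -> List[str]:
    """Step 1 fallback without an EDR inventory: files/folders named *3cx*,
    which also catches a build whose hash is not (yet) on the IOC list."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        hits.extend(str(Path(dirpath) / n) for n in dirs + files if "3cx" in n.lower())
    return sorted(hits)


def run_demo() -> Dict[str, List[str]]:
    """Self-check on a constructed sample tree (no real 3CX files): advisory
    IOCs must not match fabricated content; an injected hash must match once."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = root / "3CXDesktopApp.exe"  # constructed, not the real binary
        sample.write_bytes(b"constructed sample content, not the real binary")
        (root / "notes").mkdir()
        (root / "notes" / "readme.txt").write_bytes(b"benign file")

        def rel(paths: List[str]) -> List[str]:
            return sorted(str(Path(p).relative_to(root)) for p in paths)

        advisory = scan_tree(root, load_iocs(ADVISORY_IOCS))
        injected = scan_tree(root, frozenset({sha256_file(sample)}))
        return {
            "advisory_matches": rel(advisory["matches"]),
            "injected_matches": rel(injected["matches"]),
            "unreadable": rel(advisory["unreadable"]),
            "by_name": rel(find_3cx_by_name(root)),
        }


if __name__ == "__main__":
    import sys
    scan_root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("3CX artefacts by name:", find_3cx_by_name(scan_root))
    result = scan_tree(scan_root, load_iocs(ADVISORY_IOCS))
    print("IOC hash matches:", result["matches"])
    print("Unreadable, check manually:", result["unreadable"])
```

Run it as `python scan_3cx.py <directory>` on the folder where the application is installed. A non-empty "unreadable" list is not a clean result: a file that cannot be opened because the process holding it is still running is exactly the binary you want hashed, so stop the application or boot from rescue media and re-run before treating the endpoint as clear.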

What will Northwave do?

Northwave has added the indicators of compromise to its detection platform and has already reached out to the customers where this threat was detected. We will continue to monitor this dynamic situation and will provide updates on significant developments. Clients of Northwave's Endpoint Detection & Response service are currently adequately protected against this threat.


Sources:

[1]: https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ 

[2]: https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ 

[3]: https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/ 

[4]: https://twitter.com/cyb3rops/status/1641339448053858304 

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.