3CX Desktop Application Exploit
Date of Notice: 03/30/2023
Action Level - Critical
Description
We have been made aware of an active intrusion campaign targeting 3CX customers. On 29 March 2023, Crowdstrike Falcon Overwatch observed unexpected malicious activity from a legitimate, signed binary, 3CXDesktopApp. The malicious activity includes reaching out to actor-controlled infrastructure, deploying second-stage payloads, and, in a small number of cases, hands-on-keyboard activity. While the majority of malicious domains have already been taken down, we recommend updating any affected versions of the desktop app in your environment.
Affected Versions
- 3CXDesktopApp - Windows
- 3CXDesktopApp - MacOS
Attack Vector
Attackers have been able to trigger the exploit remotely from within the application
Attack Feasibility
The vendor has confirmed that the exploit has been used by attackers in the past few days.
Remediation
3CX recommends use of their PWA application, which is web-based and has similar functionality, in place of the desktop app. Update to a current supported version of 3CXDesktopApp if the desktop application is needed.
Vendor Resources
https://www.3cx.com/blog/news/desktopapp-security-alert/
https://supportportal.crowdstrike.com/s/article/Tech-Alert-CrowdStrike-Tracking-Active-Intrusion-Campaign-Targeting-3CX-Customers (Crowdstrike login required)