3CX Desktop Application Exploit
Date of Notice: 03/30/2023
Action Level - Critical
We have been made aware of an active intrusion campaign targeting 3CX customers. On 29 March 2023, Crowdstrike Falcon Overwatch observed unexpected malicious activity from a legitimate, signed binary, 3CXDesktopApp. The malicious activity includes reaching out to actor-controlled infrastructure, deploying second-stage payloads, and, in a small number of cases, hands-on-keyboard activity. While the majority of malicious domains have already been taken down, we recommend updating any affected versions of the desktop app in your environment.
- 3CXDesktopApp - Windows
- 3CXDesktopApp - MacOS
Attackers have been able to trigger the exploit remotely from within the application
The vendor has confirmed that the exploit has been used by attackers in the past few days.
3CX recommends use of their PWA application, which is web-based and has similar functionality, in place of the desktop app. Update to a current supported version of 3CXDesktopApp if the desktop application is needed.