Administrators of 3CX VoIP systems are urged to uninstall the desktop client until a security update is released, after the discovery of a serious compromise of the softphone. As an alternative, customers are urged to install the web-based version, known as a PWA (Progressive Web App).
The desktop application has been compromised by an unknown threat actor to add an installer that communicates with various command-and-control (C2) servers.
This afternoon, researchers at Huntress Labs released a PowerShell script that can be used to check locations/versions of 3CX and run against the hashes to see if they’re bad.
Windows Defender is currently detecting this attack chain with the threat name Trojan:Win64/SamScissors.
At the time of the publication of this article, the 3CX CEO and CISO are urging administrators and users to uninstall the desktop client for 3CX and wait for an upcoming update to the 3CXDesktopApp. “Currently, we’re working on a new Windows App that does not have the issue,” said 3CX CISO Pierre Jourdan. “We’ve also decided to issue a new certificate for this app. This will delay things by at least 24 hours, so please bear with us.”
Jourdan said in a post that “this appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state-sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware. The vast majority of systems, although they had the files dormant, were in fact never infected.”
In a blog, Huntress notes there are about 240,000 publicly exposed 3CX phone management systems. 3CX claims to have over 600,000 customers. 3CX DesktopApp is available for Windows, macOS, Linux, Android and iOS.
Already some security companies are saying the compromise has the potential to be as big as the SolarWinds Orion supply chain attack. It started with the compromise of a digital certificate, allowing an infected update of Orion with a backdoor called Sunburst to be accepted by customers’ IT systems. The 3CX desktop app was similarly compromised. According to ReversingLabs, attackers appended RC4 encrypted shellcode into the signature appendix of d3dcompiler.dll, a standard library used with OpenJS Electron applications such as 3CXDesktopApp.
The first firm to report something suspicious with the 3CX desktop app was Crowdstrike, which in a Reddit post on Thursday said malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.
Researchers at Threatlocker said the multi-stage attack uses a signed 3CX MSI file to extract two malicious DLL files. The 3CXDesktopApp.exe itself does not appear to be malicious. These malicious DLLs are responsible for delivering the payload.
Quickly, numerous EDR providers and antivirus solutions began to trigger and flag on the legitimate signed binary “3CXDesktopApp.exe.” According to Huntress, this application had begun an update process that ultimately led to malicious behavior and — after a delay — command-and-control communication to numerous external servers to download a backdoor.
The malware was timed to sleep for seven days before calling out to external C2 servers, Huntress notes. “The seven-day delay is peculiar,” the researchers wrote, “as you [IT teams] may not have seen further indicators immediately … and it may explain why some users have not yet seen malicious activity” – until Mar. 29.
In its research note, Sophos points out that on Mar. 22, users of 3CX began discussion of potential false-positive detections of 3CXDesktopApp by their endpoint security agents.
In a normal DLL sideloading scenario, Sophos said, the malicious loader (ffmpeg.dll) would replace the clean dependency; its only function would be to queue up the payload. However, in this case, that loader is entirely functional, as it would normally be in the 3CX product; instead, there’s an additional payload inserted at the DllMain function. This adds bulk, but may have lowered suspicions – the 3CX application functions as expected, even as the Trojan addresses the C2 beacon.
The repository hosting the C2 server endpoints has been taken offline, Huntress notes. “While this may hinder the execution of hosts updating to the current malicious version of 3CX,” it adds, “the real impact is unknown at this time. It is not yet clear whether or not adversaries still have access to the 3CX supply chain in order to poison future updates – perhaps this may change the tradecraft we see in the coming days.