===========================================================================
AUSCERT Security Bulletin ASB-2023.0059
Active Intrusion Campaign Targeting 3CX Customers
30 March 2023
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:          3CX Desktop App
Operating System: Windows
                  macOS
Resolution:       None

OVERVIEW

On March 22, it came to the attention of several security vendors that malicious activity was originating from a legitimately signed binary, the 3CXDesktopApp. This softphone application, developed by 3CX, has been observed to exhibit nefarious behaviour such as beaconing to infrastructure likely controlled by the threat actor LABYRINTH CHOLLIMA. [1]

IMPACT

The most frequently observed post-exploitation activity consists of beaconing to infrastructure under the control of the threat actor, the deployment of second-stage payloads, the spawning of an interactive command shell and, in select instances, hands-on-keyboard activity. [1] [2]

The following versions were reported to be affected: 3cxdesktopapp-18.12.407.msi and 3cxdesktopapp-18.12.416.msi for Windows, and 3CXDesktopApp-18.11.1213.dmg and 3cxdesktopapp-latest.dmg for Mac. [3]

MITIGATION

At the time of writing, 3CX has released no mitigations or patches for this incident. Various security vendors have, however, updated their detection engines and published Indicators of Compromise (IoCs) related to this event.
[1] [2]

REFERENCES

[1] CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers
    https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/

[2] Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack
    https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/

[3] Hackers compromise 3CX desktop app in a supply chain attack
    https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)

AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only.
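As an added example that is not part of the AusCERT bulletin: a small Python triage helper that classifies software-inventory records against the affected installer filenames listed in the IMPACT section, so that hosts running a listed build can be isolated while no vendor patch exists. The hostnames and inventory rows are constructed sample data.

```python
import re

# Affected builds as listed in ASB-2023.0059 (installer filename -> version).
AFFECTED_WINDOWS = {"18.12.407", "18.12.416"}   # 3cxdesktopapp-<ver>.msi
AFFECTED_MACOS = {"18.11.1213"}                  # 3CXDesktopApp-<ver>.dmg

# Match case-insensitively: the bulletin mixes "3cxdesktopapp" and "3CXDesktopApp".
_VERSIONED = re.compile(r"^3cxdesktopapp-(\d+\.\d+\.\d+)\.(msi|dmg)$", re.I)
_LATEST = re.compile(r"^3cxdesktopapp-latest\.dmg$", re.I)


def classify_installer(filename):
    """Classify one installer filename. Returns one of:
      'affected'           - version explicitly listed in the bulletin
      'unversioned-latest' - the unversioned macOS 'latest' package, also listed
      'not-listed'         - a 3CX Desktop App build the bulletin does not name
      'unrecognised'       - not a 3CX Desktop App installer at all
    """
    name = filename.strip()
    if _LATEST.match(name):
        return "unversioned-latest"
    m = _VERSIONED.match(name)
    if not m:
        return "unrecognised"
    version, ext = m.group(1), m.group(2).lower()
    affected = AFFECTED_WINDOWS if ext == "msi" else AFFECTED_MACOS
    return "affected" if version in affected else "not-listed"


def hosts_needing_followup(inventory):
    """Return {hostname: classification} for hosts running a listed build.
    'not-listed' builds are excluded here but should be tracked until 3CX
    issues guidance, since the bulletin reports no patch yet.
    """
    flagged = {}
    for hostname, filename in inventory:
        verdict = classify_installer(filename)
        if verdict in ("affected", "unversioned-latest"):
            flagged[hostname] = verdict
    return flagged


# Constructed sample inventory (hostname, installer filename); not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "3cxdesktopapp-18.12.407.msi"),
    ("ws-02", "3CXDesktopApp-18.11.1213.dmg"),
    ("mac-03", "3cxdesktopapp-latest.dmg"),
    ("ws-04", "3cxdesktopapp-18.12.399.msi"),
    ("ws-05", "notepad.exe"),
]
if __name__ == "__main__":
    for host, verdict in hosts_needing_followup(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```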