-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2023.0059
             Active Intrusion Campaign Targeting 3CX Customers
                               30 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          3CX Desktop App
Operating System: Windows
                  macOS
Resolution:       None

OVERVIEW

        On 22 March, several security vendors observed malicious activity
        originating from a legitimately signed binary, 3CXDesktopApp. This
        softphone application, developed by 3CX, was seen beaconing to
        infrastructure likely controlled by the threat actor LABYRINTH
        CHOLLIMA. [1]


IMPACT

        The most frequently observed post-exploitation activity is beaconing to
        actor-controlled infrastructure, deployment of second-stage payloads,
        spawning of an interactive command shell and, in a small number of cases,
        hands-on-keyboard activity. [1] [2]

        The following builds were reported to be affected: [3]

            Windows: 3cxdesktopapp-18.12.407.msi and 3cxdesktopapp-18.12.416.msi
            macOS:   3CXDesktopApp-18.11.1213.dmg and 3cxdesktopapp-latest.dmg


MITIGATION

        At the time of writing, 3CX has released no patch or mitigation for this
        incident. Several security vendors have updated their detection engines
        and published Indicators of Compromise (IoCs) for the campaign. [1] [2]

        Note that the affected installers carry a valid 3CX code signature, so
        signature validation alone does not distinguish them from a clean build.
        Check installed builds against the version list above and hunt for the
        published IoCs; a host running one of the listed builds should be treated
        as compromised until that hunt has been completed.
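
        The following triage script is an added example, not part of this
        bulletin and not 3CX or AusCERT tooling. It reads a software-inventory
        export and flags hosts that have one of the builds listed above. The
        inventory rows, the column layout (host, product, installer,
        installed_version) and the non-listed version number in the sample are
        constructed for illustration. Two points the version list alone does not
        show are handled explicitly: the unversioned 3cxdesktopapp-latest.dmg
        alias cannot be judged from its file name and must be resolved from the
        installed version, and a build that is not on the list is reported as
        "unlisted" rather than "clean", because the bulletin records no fixed
        release.

```python
"""Triage a software-inventory export for the 3CX Desktop App builds named in
this bulletin. Constructed example: the CSV rows and column layout are
assumptions, not 3CX or AusCERT data."""
import csv
import io
import re

# Builds reported as affected in the bulletin ([3]), keyed by platform.
AFFECTED = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213"},
}

# Versioned installer names in the bulletin follow 3cxdesktopapp-<ver>.<msi|dmg>.
INSTALLER_RE = re.compile(
    r"^3cxdesktopapp-(?P<ver>\d+(?:\.\d+)+)\.(?P<ext>msi|dmg)$", re.IGNORECASE
)
PLATFORM_BY_EXT = {"msi": "windows", "dmg": "macos"}

# The unversioned macOS alias listed in the bulletin. The name alone cannot
# tell which build it delivered, so it has to be resolved from the host.
LATEST_ALIAS = "3cxdesktopapp-latest.dmg"

# Constructed inventory export. 18.12.300 is an invented, non-listed version
# used only to exercise the 'unlisted' branch.
SAMPLE_INVENTORY = """host,product,installer,installed_version
win-01,3CX Desktop App,3cxdesktopapp-18.12.407.msi,18.12.407
win-02,3CX Desktop App,3cxdesktopapp-18.12.300.msi,18.12.300
mac-01,3CX Desktop App,3CXDesktopApp-18.11.1213.dmg,
mac-02,3CX Desktop App,3cxdesktopapp-latest.dmg,
mac-03,3CX Desktop App,3cxdesktopapp-latest.dmg,18.11.1213
srv-01,Microsoft Office,setup.exe,16.0
"""


def parse_installer(filename):
    """Return (platform, version) for a 3CX installer file name.

    version is None for the 'latest' alias; the result is None for files that
    are not a recognised 3CX installer name."""
    name = filename.rsplit("/", 1)[-1]
    if name.lower() == LATEST_ALIAS:
        return ("macos", None)
    m = INSTALLER_RE.match(name)
    if not m:
        return None
    return (PLATFORM_BY_EXT[m.group("ext").lower()], m.group("ver"))


def classify(platform, version):
    """Map a platform/version pair to a triage status."""
    if version is None:
        return "verify"       # version unknown: confirm on the host itself
    if version in AFFECTED.get(platform, set()):
        return "affected"     # build named in the bulletin: treat as compromised
    # Not a listed build. The bulletin records no fixed release, so this is
    # 'unlisted', not 'clean': keep the host in scope for IoC hunting.
    return "unlisted"


def triage_inventory(csv_text):
    """Return {host: status} for every inventory row that carries 3CX software."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "3cx" not in row["product"].lower():
            continue
        parsed = parse_installer(row["installer"])
        if parsed is None:
            # 3CX product recorded but the installer name is unrecognised.
            findings[row["host"]] = "verify"
            continue
        platform, version = parsed
        # An installed version recorded by the agent overrides the file name;
        # this is what resolves the 'latest' alias when the data is available.
        version = row["installed_version"].strip() or version
        findings[row["host"]] = classify(platform, version)
    return findings


if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

        In the sample, win-01, mac-01 and mac-03 come back as affected, mac-02
        as verify (the alias with no recorded version) and win-02 as unlisted;
        srv-01 is skipped because it does not carry 3CX software.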


REFERENCES

        [1] CrowdStrike Falcon Platform Detects and Prevents Active Intrusion
            Campaign Targeting 3CXDesktopApp Customers
            https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/

        [2] Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack
            https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/

        [3] Hackers compromise 3CX desktop app in a supply chain attack
            https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZCTvQMkNZI30y1K9AQiBWg/+MbsaTqF4fURySJ8RJg1CCheuYOd74qou
P+Pn0SN3oQAQv1Q2D2qLgcfbjT8m/FTG3qFBpak21wzTZbHLJFsV3l0bQu2NluTD
TXnlRMRrVbymy+yoB1zMgJ/Jn4QA9n7P5na3iUXlVDVVHSBt1D0ULPORxdRUE5+8
Uy75L0YsGHzDkJ7RYzveWbd2GIKZ2mIJ7NutC27MNmLLEMBwGT6D9PK+yQhrcRLs
dwgbqWnOHFcgpcCxFtxPC8RT8qKFJFSFwfAzuT7AM74SUnQN/ZpAIHLCY63N80GN
Y7+LLuGdEPWWSVznvHND6g4uCLLpKoPXXgPq3rrT4jDm3l66/XtzKpHaVLHb4hTX
Nw+jw07y/0aPbDXc2vCEp/HYavffZ3LdgzZyqRh271F6ogzWooc4FuDMWzdFdrP2
Z5bYd3FoaTomwCxN/5uBX77jHWPH2NsEoIcAxKQsnDcu9gERp2SmF5vAo5nr8xcX
kAAbdeqXvlPMzeqPbxiFWhDM+l9toOQuQZQlBus7UHSgPpGusFwn/l5kkmsadt45
FlBJhsRARWnc24FNi88n32GksMJ3BW+PM+ClBC2KwKhH6SUujBGT2bEODzwzySJU
/BBlQ4fBaBPPTFBvHNDcmbo8eqjNm493v0lwG4EQaMs6FRr178vxx8q6EPtIsMxx
Lcdjpe+uyKk=
=J2/0
-----END PGP SIGNATURE-----