- Jordan Albaladejo
3CX Business VOIP Desktop App Hacked - Supply Chain Attack (Smooth Operator)
Following our recent YouTube video series covering the recent 3CX threat, we wanted to take the opportunity to do a deeper dive in a blog post, bringing together everything we are currently aware of about this ongoing 3CX supply chain attack.
See our first video here:
3CX Business VOIP Desktop App Hacked - Possible Supply Chain Attack - YouTube
See our follow up update video here:
(Update) 3CX Business VOIP Desktop App Hacked - Supply Chain Attack - YouTube
So, what has happened, and what do you need to be aware of?
On March 22, 2023, SentinelOne EDR made the first detections of the trojanized 3CXDesktopApp, in a campaign SentinelOne nicknamed "SmoothOperator."
See original blog post here: SmoothOperator
The 3CXDesktopApp is a communication tool used by many large corporations worldwide, including Mercedes-Benz, Toyota, Coca-Cola, American Express, Honda, BMW, Air France, Wilson, and McDonald's.
At the time of the first detections the malware payload was dormant; it stays in that state for 7 days, which in this case led up to 29/03/2023.
Further investigation after execution revealed that the threat originated through "bundled libraries that [3CX] compiled into the Windows Electron App via GIT".
See original forum post here: 3CX DesktopApp Security Alert | 3CX Forums
3CXDesktopApp is built on the Electron framework, the open-source platform for building cross-platform desktop applications from web technologies.
The compromised update reached out to a threat-actor-controlled repository, from which the "real" payload was downloaded. This payload included a trojanized package for the Mac environment and an info-stealing malware for the Windows environment that targets browser data on the affected client. That could lead to a breach of saved passwords and credentials, and possibly also to session-token theft (session hijacking).
This information was first discovered on 29/03/2023, as not all instances of the dormant malware were, or would be, activated until then, which suggests a targeted approach to this attack. 3CX mentioned in its official security update that this malware has possible ties to a state-sponsored effort.
See 3CX Security Alert: 3CX Security Alert for Electron Windows App | Desktop App
On March 29, 2023, 3CX CEO Nick Galea reported that the issue had first been reported to them and that they were working to resolve it.
See original forum post here: 3CX DesktopApp Security Alert | 3CX Forums
3CX has since appointed Mandiant, the American cybersecurity firm and Google subsidiary, to review this incident in full.
See more about Mandiant here: Threat Intelligence Solutions
3CX notified all partners by security alert email earlier this morning (31/03/2023, 8:54am AEST), advising them of the following:
"[their] electron windows app shipped in Update 7, version numbers 18.12.407 & 18.12.416, included a severe security issue. [They] since learned that Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416 have also been affected. Fortunately, anti-virus vendors flagged the executable 3CXDesktopApp.exe and blocked it."
"In response to this incident, 3CX has appointed Mandiant a renowned American cybersecurity firm and subsidiary of Google - and the market leader in threat intelligence. With their help we will be able to review this incident in full. Whilst their investigation is underway, we ask you to follow the instructions below immediately."
Following this, 3CX also shared instructions to follow to contain a possible breach and to protect sensitive information from falling into the wrong hands. The instructions were as follows:
"Customers on 3CX Hosted / StartUP - No Action Needed
3CX Hosted and StartUP users do not need to update their servers as we will be updating them over the night automatically. Servers will be restarted and the new Electron App MSI/DMG will be installed on the server. We recommend that you DO NOT install or deploy the Electron App. This update is only to ensure that the trojan has been removed from the 3CX Server where Desktop Apps are stored and in case any users decide to deploy the app anyway. During the restart there might be disruption for a few minutes while we restart your server.
Use PWA on the Clients / Desktops
Uninstall the Electron App
Follow these steps to uninstall the Electron App for Mac or Windows
On Windows:
Type “Control Panel”, Enter
Select “Programs and Features”
Find 3CX Desktop App, select and press “Uninstall”.
On Mac:
Go to “Applications”
Tap on “3CX Desktop APP”
Right click then “Move to Bin”
Ensure that it isn’t also present on Desktop otherwise delete it from there as well.
Empty the Bin.
Use PWA instead of the Electron APP - Here's How!
Login to the Web Client.
You have two options:
EITHER click on the OS icon below the user avatar. A new dialog will open, select “Web App (PWA)” and then hit the “Install” button.
OR click on the “Install button” (A screen with an arrow) located in the address bar and confirm.
To set the app to auto start
On Google Chrome: Open your Chrome browser and type ‘chrome://apps’ into the address bar. Right click on “3CX” and enable “Start app when you sign in”.
On Microsoft Edge: On Edge, select to Auto-start in the dialog that appears after installation.
PWA only works on Google Chrome and Microsoft Edge - not on Safari or Firefox
You can read more in the Web Client user manual.
Avoid Using the Electron App Unless Absolutely Essential
In a day or two from now, we will have another Electron App rebuilt from the ground up with a new signed certificate. This is expected to be completely secure. We strongly recommend that you avoid using the Electron App unless there is absolutely no alternative. The Electron App update that we are releasing today is considered to be secure, but there is no guarantee given that we only had 24 hours to make the necessary adjustments.
More Information to Come - Transparency Assured
We are still working to decipher the full extent of the attack and we promise full transparency as soon as we are clear on everything. We don’t want to jump the gun and make wrong assumptions. Please follow our Forum and blog as well as our LinkedIn, Twitter, Facebook and Instagram pages as we’ll continue to update our customers and partners regularly.
Our Continued and Very Sincere Apologies
We continue to offer our very sincere apologies to all our partners and customers worldwide. The entire 3CX team continues to work around the clock.
The 3CX Team"
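The Windows uninstall steps in the alert above are point-and-click; across a fleet the same check and removal is better scripted. The following PowerShell script is an added example written for this post, not code from 3CX or from the alert. It takes the affected Windows version numbers (18.12.407 and 18.12.416) and the executable name 3CXDesktopApp.exe from the alert quoted above; the script name Find-3CXDesktopApp.ps1, the DisplayName match and the -Remove switch are assumptions made for the example.

```powershell
# Find-3CXDesktopApp.ps1 (example script, name assumed): report installed
# 3CX Desktop App builds on a Windows host, flag the versions named in the
# 3CX alert, and optionally remove them.
[CmdletBinding()]
param(
    [switch]$Remove   # also stop the running client and uninstall affected builds
)

# Windows versions named in the 3CX alert (Update 7).
$AffectedWindowsVersions = @('18.12.407', '18.12.416')

# Uninstall registry views: per-machine 64-bit, per-machine 32-bit, and per-user.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the product registers a DisplayName containing "3CX Desktop App".
$installs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*3CX Desktop App*' }

if (-not $installs) {
    Write-Output 'No 3CX Desktop App installation found in the uninstall registry keys.'
}

foreach ($app in $installs) {
    $affected = $AffectedWindowsVersions -contains $app.DisplayVersion

    [pscustomobject]@{
        DisplayName     = $app.DisplayName
        DisplayVersion  = $app.DisplayVersion
        Affected        = $affected
        UninstallString = $app.UninstallString
    } | Format-List

    if ($affected -and $Remove) {
        # Stop the client first so the uninstaller does not hang on a locked file.
        Get-Process -Name '3CXDesktopApp' -ErrorAction SilentlyContinue | Stop-Process -Force

        if ($app.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
            # MSI installs (the alert refers to an MSI) are keyed by product code:
            # remove silently through msiexec.
            Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/x $($app.PSChildName) /qn /norestart" -Wait
        } elseif ($app.UninstallString) {
            # Otherwise fall back to the registered uninstall command (may be interactive).
            Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $($app.UninstallString)" -Wait
        }
    }
}

# Independently of the registry, flag the executable the AV vendors blocked if it is still running.
$running = Get-Process -Name '3CXDesktopApp' -ErrorAction SilentlyContinue
if ($running) {
    Write-Warning "3CXDesktopApp.exe is still running (PID $($running.Id -join ', ')); stop it before reinstalling."
}
```

Run it without -Remove first to inventory what is installed and at which version, then with -Remove on the affected hosts. Removing the client takes the trojanized app off the machine but does not undo anything the info-stealer may already have collected: on hosts where the seven-day dormancy described above had elapsed, treat browser-saved credentials and active sessions as exposed and rotate them.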
We at Ingest services will be keeping a close eye on Mandiant's post-investigation findings. Until then, this is what we have found and the currently available information regarding this major threat to an industry staple, 3CX, the PABX/VoIP solution provider.
Further notable credits:
SentinelOne's Blog Post (Smooth Operator)
First 3CX Community Forum post
Tom Lawrence from Lawrence Systems
Post alerting the public on IT Business Owners Group (Facebook)
Crowdstrike Reddit alert/post
John Hammond - Github Twitter Post
3CX CEO Original Forum Post
3CX DesktopApp Security Alert | 3CX Forums
Huntress Blog Post:
3CX VoIP Software Compromise & Supply Chain Threats
John Hammond YouTube Video Explanation
3CX VOIP Compromised & Supply Chain Threat - YouTube
Contributions to blog post:
Edited by ChatGPT, a large language model trained by OpenAI, based on the GPT-3.5 architecture.