Security operations · 2 MIN READ · JON HENCINSKI · MAR 30, 2023 · TAGS: MDR
What happened?
The popular voice and video conference software, 3CXDesktopApp by 3CX, was recently compromised in an apparent supply chain attack. Attackers have trojanized 3CX installers to turn them into malicious tools used in multi-stage attacks.
Starting March 22, 2023, global 3CX users began reporting endpoint detection and response (EDR) quarantining of the 3CXDesktopApp for suspicious behavior. On March 29, CrowdStrike confirmed and published a report that both the Windows and MacOS versions of the application had been compromised in a supply chain attack.
According to 3CX, the following versions of 3CXDesktopApp are compromised:
- Windows versions 18.12.407 and 18.12.416
- Mac OS versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416.
Why does it matter?
3CX serves more than 600,000 companies worldwide and has over 12 million daily users. Given the vast interconnectedness of the contemporary cyber landscape, the ripple from supply chain attacks like this one creates risk exposure for a massive number of organizations.
What’re we doing for our customers?
First, we’re reviewing customer logs for evidence of attempted or successful compromise. We’ve also deployed global Be-on-the-Lookout (BOLO) rules to alert when we ingest any security telemetry that contains domains or known bad hashes linked to the attack.
Finally, we’ve reviewed all ingested alert signals going back 30 days. As we begin to observe vendor-written detections for this activity, we’ll evaluate these as part of Expel’s detection methodology.
We’re also monitoring open source channels for updates.
What should you do right now?
If you’re using the 3CXDesktopApp application, follow 3CX guidelines by utilizing the web application PWA instead of the desktop application. Next, implement the applicable patches and updates when appropriate and able.
3CX reports that the majority of the domains contacted by the compromised library have already been reported and taken down. However, we still recommend proactively blocking all known IOCs, check out this SecurityWeek article for reference.
What can you do longer term?
- Plan for supply chain attacks—The term “supply chain” can mean different things to different organizations. For many tech companies, your supply chain is a long list of cloud services that facilitate your day-to-day business. Assume attackers target you and plan accordingly.
- Have plans for alternative supply chain providers—We’re not saying you need a hot backup for all your cloud services, but it’s smart to have a contingency for potentially rapid provider shifts in the event of a catastrophic hack. This should be largely in line with your business continuity plans (which you’ve tested, right?).
- Prioritize asset management—When you learn about a compromised major vendor or software repository, you must be able to answer, “Are we impacted?” quickly and accurately.
- Be creative—Failures of imagination are a real (and really unfortunate) thing. And it can be very difficult to dream up attacks like SolarWinds Orion or vulnerabilities like Heartbleed. When planning tabletops, ask people around your company: “What’s the worst thing that could happen?” You might be surprised at the scenarios others are worrying about.
What next?
As we outlined, we’re keeping a close eye on this situation as it unfolds. We’ll update this post with big developments, but keep an eye on our socials (@ExpelSecurity) for additional recommendations as they emerge.
