Warning: Advanced Persistent Threat actors are actively exploiting a 3CX 0-Day vulnerability
Updates on the 3CX Security Alert for Electron Windows App
3CX Security Alert for Electron Windows App | Desktop App
Threat actors are actively exploiting a Supply chain 0-day vulnerability in the 3CX desktop app (Windows/Mac) to install malware that highly impacts the confidentiality, integrity and availability of the internal and external communication services that are managed via the application.
Attackers can use the compromised application to monitor, reroute or block communication (VoIP, videoconferencing). Once a system is compromised with malware, an attacker can use this entry point to elevate privileges compromising the victim’s system and then move laterally to compromise other systems. In some cases, hands-on keyboard activity was detected as well as the presence of an infostealer malware.
The Threat actor seems to be a North-Korean state-sponsored group (likely APT (Advanced Persistent Threat) Labyrinth Chollima).
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
3CX is a company that provides solutions for business communication. One of these solutions “Electron Desktop app” has been compromised by a threat actor that is possibly a nation state sponsored threat group.
The 3CX app is a private automatic branch exchange (PABX) software that provides several communication functions for its users, including video conferencing, live chat, and call management.
On the 29th of March security solutions provider Crowdstrike alerted on malicious activity coming from a legitimate, signed binary, 3CXDesktopApp (Electron). The malicious activity included beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.
Further research on this activity led to uncovering a supply chain attack. The compromised installer was obtained via the official website of 3CX. Not only new installations of the application, but also updates of older installations, install the compromised version.
The attacks follow these steps: • 3CXDesktopApp.exe installer sideloads the “ffmpeg.dll” that has been trojanized.
• The “ffmpeg.dll” then sideloads “d3dcompiler_47.dll” that contains encrypted shellcode
• This file then accesses an attacker controlled Github repository that downloads and decrypts to load shellcode.
• This shellcode then gets executed to connect to a C2 server.
According to 3CX it is likely that the issue stems from one of the bundled libraries that they compiled into the Windows Electron App via GIT. Although this is not confirmed yet. 3CX also mentioned that most of the domains used by the Threat actor have been taken down.
- 3CX Electron Windows App Update 7
- Version 18.12.407
- Version 18.12.416
- 3CX Electron Mac App
- Version 18.11.1213
- Version 18.12.402
- Version 18.12.407
- Version 18.12.416
Other software such as mobile app, legacy Windows application and PWA (web) app are not impacted since these do not depend on the Electron framework.
- 3CX advises customers that have a self-hosted and on-premise solution to install update 18.12.422. More information can be found on Updates on the 3CX Security Alert for Electron Windows App
- 3CX advises customers that are on 3CX Hosted/StartUP don’t need to take action. Their instance will be automatically updated during the night.
- 3CX advises to uninstall the Electron App on all clients. Steps can be found on Updates on the 3CX Security Alert for Electron Windows App
- 3CX advises to use the Web App
The CCB recommends organizations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
When applying patches to systems that have been (possibly) compromised, a proactive threat assessment should be performed to verify the device was not accessed from an unknown IP or location.