Date: March 30, 2023
This Alert is intended for IT professionals and managers of notified organizations.
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
On March 29, 2023, security researchers published reports detailing a new supply chain compromise affecting the 3CXDesktopApp Footnote 1Footnote 2. The reports describe the researchers’ observations of malicious activity originating from legitimately signed 3CXDesktopApp binaries.
Reported malicious behaviours include beaconing to malicious infrastructure, deployment of second-stage payloads and hands-on-keyboard activity by the threat actors Footnote 1.
3CXDesktopApp is available on multiple platforms, and reports currently indicate that both Windows and MacOS versions are affected Footnote 1Footnote 4. In particular, 3CX has identified the following versions as being affected Footnote 4:
- 3CXDesktopApp for Windows – versions 18.12.407 and 18.12.416
- 3CXDesktopApp for Mac – versions 18.11.1213, 18.12.402 and 18.12.416
At the time of this report, the primary impact reported due to this compromise is the theft of system and browser information, including browsing history Footnote 2. The Cyber Centre is aware of reports that credentials stored in the browser may have also been stolen Footnote 5.
Organizations are encouraged to identify and isolate any systems having deployed the 3CXDesktopApp. Security researchers have published several indicators of compromise (IOCs) to aid network defenders in the detection of malicious activity Footnote 1Footnote 2.
3CX recommends that the client-based electron app is uninstalled from systems and that customers instead use the priority web application (PWA), a web-based client, to ensure that the latest updates are installed Footnote 4.
The Cyber Centre wishes to highlight that mitigation efforts resulting from the compromise of systems by competent threat actors may require more than simply mitigating individual issues, systems and servers. In cases such as these, based on the perceived sophistication of the threat actor involved, organizations should consider additional mitigative efforts besides simply the removal or updating of the product. The Cyber Centre recommends affected customers review the Cyber Centre joint cybersecurity advisory on technical approaches to uncovering and remediating malicious activity Footnote 3.
Should activity matching the content of this Alert be discovered, recipients are encouraged to report via the My Cyber Portal, email (firstname.lastname@example.org) or telephone (1-833-CYBER-88 or 1-833-292-3788).