
UK NCSC advises all businesses to address 3CX DesktopApp security issue

Apr 05, 2023 | 2 mins
Cyberattacks | Malware | Supply Chain

3CX has advised customers running affected versions to uninstall the software and use the browser-based web app until a new version is available.

The UK’s National Cyber Security Centre (NCSC) has advised all UK businesses to take action over a severe security issue in the 3CX DesktopApp that threat actors are actively exploiting. The issue came to light last week when 3CX CEO Nick Galea announced that the 3CX DesktopApp has malware in it that affects the Windows Electron client for customers running update 7.

The exploit was reported to 3CX by security researchers at Sophos, CrowdStrike, and SentinelOne. The vendor published a security alert which advises customers running affected versions to uninstall the software and use the browser-based progressive web app (PWA) until a new version is available. The NCSC strongly urged all UK organizations running this software to consult the vendor advisory and take the recommended actions in it.

3CX is a Voice Over Internet Protocol (VoIP) IPBX software development company. The 3CX DesktopApp allows users to make calls, chat, video conference, and check voicemail using their desktop.

Researchers discover 3CX supply chain attack

Researchers observed malicious activity originating from a Trojanized version of the 3CX DesktopApp. “The software is a digitally signed version of the softphone desktop client for Windows and is packaged with a malicious payload,” Sophos said in a blog post.

A threat actor has abused the application to add an installer that communicates with command-and-control servers, Sophos said. “The Trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub and ultimately leads to a third-stage infostealer DLL still being analyzed as of the time of writing,” SentinelOne said. CrowdStrike discovered that the malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and hands-on-keyboard activity.
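The chain described above uses icon files that carry base64 text appended after the image data, a trick that works because ICO parsers stop reading at the last byte the directory entries claim. The following script is an added example, not code from the article or from any of the vendors quoted; it parses the ICO header and directory, computes where the declared image data ends, and flags any trailing bytes that validate as base64. The two ICO files it checks are constructed inline (the "image" blob is a placeholder, not a valid PNG) so the example runs offline; nothing here is taken from the real payloads.

```python
import base64
import binascii
import struct

# ICONDIR: reserved (must be 0), type (1 = icon), image count
ICO_HEADER = struct.Struct("<HHH")
# ICONDIRENTRY: width, height, colours, reserved, planes, bpp, bytes-in-resource, image offset
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")
BASE64_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def declared_end(ico: bytes) -> int:
    """Offset just past the last byte any directory entry claims to use."""
    if len(ico) < ICO_HEADER.size:
        raise ValueError("too short for an ICO header")
    reserved, img_type, count = ICO_HEADER.unpack_from(ico, 0)
    if reserved != 0 or img_type != 1:
        raise ValueError("not an ICO file")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    for i in range(count):
        off = ICO_HEADER.size + i * ICO_DIR_ENTRY.size
        if off + ICO_DIR_ENTRY.size > len(ico):
            raise ValueError("truncated ICO directory")
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(ico, off)
        end = max(end, offset + size)
    return min(end, len(ico))


def looks_like_base64(blob: bytes, min_len: int = 64) -> bool:
    """True if blob (ignoring whitespace) is non-trivial, valid base64 text."""
    compact = bytes(c for c in blob if c not in b" \t\r\n")
    if len(compact) < min_len or any(c not in BASE64_ALPHABET for c in compact):
        return False
    try:
        base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def assess(ico: bytes) -> dict:
    """Report how many bytes sit past the declared image data and whether they decode as base64."""
    end = declared_end(ico)
    trailing = ico[end:]
    return {
        "declared_end": end,
        "trailing_bytes": len(trailing),
        "suspicious": len(trailing) > 0 and looks_like_base64(trailing),
    }


def build_ico(image_blob: bytes) -> bytes:
    """Constructed single-entry ICO wrapping an arbitrary blob (1x1, 32 bpp)."""
    offset = ICO_HEADER.size + ICO_DIR_ENTRY.size
    entry = ICO_DIR_ENTRY.pack(1, 1, 0, 0, 1, 32, len(image_blob), offset)
    return ICO_HEADER.pack(0, 1, 1) + entry + image_blob


# Constructed samples: a placeholder image blob (PNG magic plus padding, not a real image)
# and a harmless base64 string standing in for an appended stage.
PLACEHOLDER_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
CLEAN_ICO = build_ico(PLACEHOLDER_IMAGE)
PLACEHOLDER_STAGE = b"constructed placeholder payload " * 4
TAMPERED_ICO = CLEAN_ICO + base64.b64encode(PLACEHOLDER_STAGE)


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_ICO), ("tampered", TAMPERED_ICO)):
        print(name, assess(sample))
```

Run against a directory of icons pulled from an endpoint, the `trailing_bytes` count is the useful signal even when the appended data is not base64: a legitimate ICO has no reason to carry bytes past the last directory entry, so any non-zero value deserves a look.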

The information stealer can gather system information and sensitive data stored in the Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers. 3CX has appointed cybersecurity firm Mandiant to help it review this incident in full.

UK Editor

Michael Hill is the UK editor of CSO Online. He has spent the past 8 years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
