Pondurance is actively tracking the on-going supply chain attack campaign aimed at the software-based phone system 3CX


Posted by our trusted partner, Crowdstrike, “On March 29, 2023 Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp — a softphone application from 3CX. The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.”

SentinelOne released an article attributing the supply chain attack to the group SmoothOperator. Within the article, SentinelOne identified in its research a “multi-stage attack chain unfolding.” The company observed the use of the 3CXDesktopApp application as a shellcode loader, which loads a dynamic link library (DLL) and then calls out GitHub storage to download ICO files. 

3CX is a software-based private branch exchange phone system developed by the company 3CX. From its website, the company has over 600,000 companies using its product and over 12 million users every day.  

3CX CEO, CTO and Founder Nick Galea posted to the company’s community forum on March 30 at 5:27 a.m. EST the following statement: “As many of you have noticed the 3CX DesktopApp has a malware in it. It affects the Windows Electron client for customers running update 7. It was reported to us last night and we are working on an update to the DesktopApp which we will release in the coming hours.”

What To Do Now?

As a Pondurance trusted client, you received notification of the evolving situation via Scope on the evening of Wednesday, March 29. Pondurance recommended at that time, with the limited information available, that clients uninstall the 3CXDesktopApp and place users on the 3CX Web Client.

This advice remains in place today as noted in the post from 3CX this morning, Thursday, March 30. Until 3CX releases a new build, we recommend using the Progressive Web Application (PWA), which is supported by Chrome and Edge.

We'll Keep You Updated

If you’re a Pondurance client, the good news is that you’ve got a great team of highly skilled security professionals who know what to look for, who understand a threat when they see one, and who can take action to mitigate threats immediately. We are monitoring for usage of this application as well as associated indicator of compromise (IOC) exploits and contacting each customer directly.

We’ll stay on top of this evolving situation and report on any new important findings related to this latest supply-chain attack.

If you think you’re experiencing an incident and need help, contact our Incident Response hotline at 888-385-1720.