How to Protect Your Organization from Cyber Attacks After the 3CX Desktop App Breach

With the rise of cyber attacks, organizations must stay vigilant to protect their data. Unfortunately, a recent incident involving 3CX VoIP has highlighted that even reputable companies are vulnerable to attack. On March 22, customers reported receiving security alerts indicating that the 3CX Desktop App was marked malicious by various security software vendors such as SentinelOne, CrowdStrike, and ESET. 

In this blog post and related articles below, we'll take a closer look at this shocking incident and what organizations can do to help prevent similar attacks in the future. We'll also advise how your businesses or practice should respond if and when they discover an intrusion into their system. So let's get started! 

3CX is a VoIP IPBX software development company whose 3CX Phone System is used by 600,000+ companies worldwide. 3CX has over 12 million daily users. The company's customer list includes many high-profile companies and organizations like American Express, Coca-Cola, McDonald's, BMW, Honda, Air France, Toyota, Mercedes-Benz, IKEA, and the National Health Service - United Kingdom. 

Multiple customers in 3CX's forums have stated that they have been receiving alerts starting one week ago, on March 22, saying that the VoIP client app was marked as malicious by SentinelOne, CrowdStrike, ESET, Palo Alto Networks, and SonicWall security software. Specifically, SentinelOne detected "penetration framework or shellcode" while analyzing the 3CXDesktopApp.exe binary, ESET tagged it as a "Win64/Agent.CFM" trojan, and Sophos flagged it as "Troj/Loader-AF." 

The same certificate used to sign the malicious version of the 3CX Desktop App was also discovered in the older versions of 3CX VoIP software. It means the compromise occurred at some point before the release of the malicious version.

When security researchers dug deeper, they discovered that 3CX had unknowingly downloaded a malicious library during the build process of its Windows Electron App. This malicious library, identified as "LitecoinMiner," was believed to have been injected into the 3CX code by a hacker who accessed their development environment. 

3CX CEO Nick Galea confirmed in a forum post that the Desktop Application was compromised and urged customers to uninstall the app's BETA version and switch to the PWA client instead. They also said they are investigating the incident further and will provide an update once their investigation is complete. 

Several of our Partners, including, Todyl and ThreatLocker, are actively tracking a malicious actor campaign targeting users of the 3CX softphone telephony platform. According to Todyl's recent announcement, both preventions and detections across multiple Todyl modules have been released, in addition to active threat hunting from the MXDR Team. 

As a best practice, ThreatLocker suggests users continually evaluate their allow list, removing unneeded and unused policies, and applying Ringfencing to every application possible, only permitting each application access to what it needs and nothing more. For assistance with applying Ringfencing to the 3CX application, please contact our CyberSecurity experts at ICU Computer Solutions. 

Fortunately, there are many other steps that large and small enterprises can take to help protect their systems from similar types of attacks. First, ensuring that all installed software is up to date with the latest security patches and antivirus definitions is essential. It can be accomplished manually or automated by taking advantage of a Patch Management system offered by ICU Computer Solutions as part of our Managed IT and Cyber Security package. Additionally, organizations should always use a layered approach to Cyber Security – employing both proactive and reactive measures to detect and prevent malicious activity as quickly as possible. 

All organizations, large and small, should monitor their network traffic closely for any suspicious activity and promptly update their web application firewalls (WAF) if necessary. And most importantly, they must establish an incident response plan and train their staff to handle potential breaches effectively.

All businesses should consider investing in professional Cyber Security measures!

‍

At ICU Computer Solutions, we provide a range of services, from Cyber Security Risk Assessments to Penetration Testing, which can help organizations identify potential vulnerabilities before they become exploited by malicious actors. If you're a business or medical practice looking for advice on protecting your data and assets, please visit our website today and contact ICU Computer Solutions for a FREE Consultation.

We will help identify and mitigate all potential threats. 

‍

The incident involving 3CX VoIP is yet another reminder of how vulnerable companies are to malicious cyber attacks. In order to prevent similar breaches from occurring in the future, all organizations should take proactive steps to ensure that their systems are secure – including regularly updating software, monitoring network traffic, and establishing an effective incident response plan. Protecting your organization from cyber attacks is an ongoing process, but these steps can help ensure that your data remains secure. 

Related articles: 

Threat Advisory: 3CX Softphone Telephony Campaign (From: Todyl)

Cybersecurity in the News: 3CX Desktop App Compromise (From: ThreatLocker)

Hackers compromise 3CX desktop app in a supply chain attack

3CX Desktop App Supply Chain Attack Leaves Millions at Risk - Urgent Update on the Way! 

You may also like these related blog posts: 

The Importance of Managed IT and Cybersecurity in the Healthcare Industry

8 Key Questions that Medical Practices should ask when selecting their Managed IT Services Provider

‍

( Posted by Andrew Juras on 3/31/23 )