SECURITY WARNING: 3CX Customers

Kai Kashefi - March 29, 2023

3CX Desktop App is a softphone application from 3CX that was recently compromised by a threat actor known as LABYRINTH CHOLLIMA. Falcon OverWatch first discovered the compromise on March 29, 2023. The intrusion includes malicious activity such as beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and hands-on keyboard activity.
The 3CX Desktop App is available for Windows, macOS, Linux, and mobile, and malicious activity has been observed on both Windows and macOS. Therefore, taking appropriate actions to protect your systems against this attack is essential.
Here are some simple steps to take to protect your systems against the 3CX Desktop App attack:
- Check if you have 3CX Desktop App installed on your system, and if so, what version you are running.
- Ensure you have antivirus software deployed on applicable systems, such as CrowdStrike or SentinelOne.
- Review threat alerts from SentinelOne for any desktop updates initiated from the 3CX Desktop App.
- Check for any suspicious activity related to 3CX Desktop App, including beaconing to the domains listed in CrowdStrike's atomic indicators section.
- If your antivirus software detects any threats related to 3CX Desktop App, take appropriate actions to contain and remediate the threats.
- Contact your account manager or haloSync for further guidance and support if you are a Falcon Complete or SentinelOne customer.
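As an added example, not part of this advisory or of any vendor tooling: a small Python triage helper for the first and fourth steps above. It lists hosts running 3CX Desktop App with their versions from an inventory export, and looks for repeated queries to indicator domains in a DNS resolver log. The log line format, the sample data and the indicator domains are all assumed placeholders; substitute the domains published in CrowdStrike's atomic indicators section before use.

```python
import re
from collections import defaultdict
from datetime import datetime

# PLACEHOLDERS: the advisory itself lists no domains; replace with the published atomic indicators.
INDICATOR_DOMAINS = {"indicator-placeholder-1.example", "indicator-placeholder-2.example"}

# Assumed (hypothetical) resolver log line format:
#   2023-03-29T10:00:00Z client=10.0.0.5 query=Some.Domain.Example. type=A
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=\S+$")

def normalise(name):
    """Lower-case and strip the trailing dot so 'Foo.Example.' matches 'foo.example'."""
    return name.lower().rstrip(".")

def matches_indicator(qname, indicators):
    """True if qname equals an indicator or is a subdomain of it (a lookalike such as
    'notindicator-placeholder-1.example' must not match, so match on a dot boundary)."""
    q = normalise(qname)
    return any(q == d or q.endswith("." + d) for d in map(normalise, indicators))

def find_beaconing(lines, indicators=INDICATOR_DOMAINS):
    """Group indicator hits per client; count, first/last seen and the median gap between
    queries help separate periodic beaconing from a single stray lookup."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not matches_indicator(m["qname"], indicators):
            continue
        hits[m["client"]].append(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    report = {}
    for client, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[client] = {"count": len(times), "first": times[0].isoformat(),
                          "last": times[-1].isoformat(),
                          "median_interval_s": sorted(gaps)[len(gaps) // 2] if gaps else None}
    return report

def inventory_3cx(rows):
    """Return {host: version} for (host, product, version) rows that carry 3CX Desktop App."""
    return {host: ver for host, product, ver in rows if product.lower() == "3cx desktop app"}

# Constructed sample data (not real telemetry; version strings are placeholders).
SAMPLE_INVENTORY = [("ws01", "3CX Desktop App", "1.2.3-sample"), ("ws02", "Notepad++", "8.5"),
                    ("mac03", "3CX Desktop App", "1.2.4-sample")]
SAMPLE_DNS_LOG = [
    "2023-03-29T10:00:00Z client=10.0.0.5 query=Indicator-Placeholder-1.example. type=A",
    "2023-03-29T10:05:00Z client=10.0.0.5 query=cdn.indicator-placeholder-1.example type=A",
    "2023-03-29T10:10:00Z client=10.0.0.5 query=indicator-placeholder-1.example type=A",
    "2023-03-29T10:02:00Z client=10.0.0.9 query=notindicator-placeholder-1.example type=A",
    "2023-03-29T10:03:00Z client=10.0.0.9 query=www.example.org type=AAAA",
]
```

Run `find_beaconing(SAMPLE_DNS_LOG)` and `inventory_3cx(SAMPLE_INVENTORY)` against your own exports; a host that appears in both outputs is the first one to isolate.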
Remember to stay vigilant and take appropriate actions to protect your systems against the 3CX Desktop App attack. This is a dynamic situation, and updates will be provided as they become available.
- Reddit thread and 3CX forums discussing the 3CX Desktop App attack and potential actions to take: https://www.reddit.com/r/msp/comments/125sxuo/3cx_likely_comprised_take_action/
- 3CX community thread discussing threat alerts from SentinelOne for the desktop update initiated from the desktop client: https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/
- Reddit thread discussing SentinelOne's detection of 3CX Desktop App: https://www.reddit.com/r/3CX/comments/123nhte/heads_up_sentinel_one_no_likey_3cx_u7_client/
- CrowdStrike Reddit thread on the 3CX Desktop App attack: https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
The dangers
The compromise of 3CX Desktop App poses a significant danger to companies as it allows threat actors to access and control their systems. The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and hands-on keyboard activity. If left undetected, this attack can compromise sensitive information, cause financial loss, and damage the company's reputation. Therefore, companies must act appropriately to protect their systems against this attack and stay vigilant for any suspicious activity.