On March 29, 2023, several reports appeared of a potential security issue affecting the installation and update package for 3CX's popular business communication application; the vendor later confirmed the issue in a formal security alert.
At a high level, affected versions of the 3CX DesktopApp distributed by the vendor itself contained malicious software components, so customers who performed a fresh install or obtained the update by other means may have downloaded the compromised package.
Trend Micro Research has published a detailed blog post, Developing Story: Information on Attacks Involving 3CX Desktop App, with more specific information on the attack itself.
The issue is reported to be limited to the Electron (non-web) versions of the Windows package (versions 18.12.407 & 18.12.416) and macOS clients (versions 18.11.1213, 18.12.402, 18.12.407 & 18.12.416). The PWA (web-based) version does not appear to be affected, and the vendor recommends that customers migrate to it.
This article will cover some available detections/protection of the observed components, along with updated recommendations as they become available.
Using Trend Micro Products for Investigation
The following highlights several post-exploitation detection and remediation technologies that customers can use to investigate and help with potential remediation in their environment.
Trend Vision One™
Trend Vision One customers benefit from the XDR detection capabilities of the underlying products such as Trend Micro Apex One. The following outlines some of the Trend Vision One components that can be used for investigation.
Curated Intelligence Reports
An updated Curated Intelligence Report for this campaign has been added to Trend Vision One; it automatically sweeps endpoint activity for XDR customers who have this feature enabled.
Mitigations, Trend Micro Protection, and Detection Against Exploitation
First and foremost, it is always highly recommended that users apply the vendor's patches as soon as they become available and it is feasible to do so. As of now, 3CX offers two recommendations for updating the software:
1. Users can migrate to the PWA (web-based) version of the application.
2. An updated version of the Windows Electron app has been released by 3CX: 18.12.422 (macOS version is still TBD).
In addition, customers are advised to delete any and all affected installer versions that they may have in file repositories or other storage.
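The mitigation steps above boil down to finding every install of the affected Electron client versions and confirming it has been replaced. The following added example (not code from the original article or from 3CX) sweeps a software inventory export and classifies each 3CX DesktopApp entry using only the affected and updated version numbers stated in this article. The CSV column layout and the host rows are constructed for illustration; any version not on either list is reported as "unknown" rather than assumed safe, since the macOS fix was still TBD when this was written.

```python
"""Classify 3CX DesktopApp installs from a software inventory export.

Added example, not from the original article or 3CX. The version numbers
come from the article; the inventory format (host,os,product,version CSV)
and the sample rows are constructed for illustration.
"""
import csv
import io

# Affected Electron client versions per the vendor alert, keyed by OS.
AFFECTED = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

# Updated release named in the article; the macOS fix was TBD at the time,
# so no macOS version is treated as "fixed" here.
FIXED = {"windows": {"18.12.422"}}

# Constructed sample export in the assumed CSV layout (hosts are not real).
SAMPLE_INVENTORY = """host,os,product,version
ws-101,windows,3CX DesktopApp,18.12.416
ws-102,windows,3CX DesktopApp,18.12.422
mac-01,macOS,3CX DesktopApp,18.11.1213
mac-02,macOS,3CX DesktopApp,18.12.300
ws-103,windows,Some Other App,1.0.0
"""


def classify(os_name: str, version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one 3CX DesktopApp version.

    Unknown means the version is on neither list; it still needs a human look
    rather than being assumed clean.
    """
    os_key = os_name.strip().lower()
    v = version.strip()
    if v in AFFECTED.get(os_key, set()):
        return "affected"
    if v in FIXED.get(os_key, set()):
        return "fixed"
    return "unknown"


def sweep(csv_text: str) -> list:
    """Return (host, os, version, status) for every 3CX DesktopApp row."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Product name match is case-insensitive; other software is skipped.
        if row["product"].strip().lower() != "3cx desktopapp":
            continue
        results.append((row["host"], row["os"], row["version"],
                        classify(row["os"], row["version"])))
    return results


def affected_hosts(csv_text: str) -> list:
    """Hosts that still run a version named as affected in the vendor alert."""
    return [r[0] for r in sweep(csv_text) if r[3] == "affected"]


if __name__ == "__main__":
    for host, os_name, version, status in sweep(SAMPLE_INVENTORY):
        print(f"{host:8} {os_name:8} {version:12} {status}")
```

Run against a real export, the "affected" list is the set of machines to reinstall or migrate to the PWA, and the "unknown" list is the set to verify by hand; the script deliberately does not do version-range comparisons, because the article names specific builds rather than a range.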
In addition to the formal app update, Trend Micro has supplementary detection and protection patterns that may help provide additional protection against further potential exploitation.
Preventative Rules, Filters & Detection
Trend Micro Web Reputation Services (WRS) Protection
As outlined in our blog, several domains were identified as malicious Command & Control (C&C) points that impacted systems were observed attempting to contact. Trend Micro has blocked all of the known domains, and all Trend Micro products that include Web Reputation protection block communications to them.
Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring) for Endpoint, Servers (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.), Mail & Gateway (e.g. Cloud App Security, ScanMail for Exchange, IMSVA)
- Starting with Trend Micro Smart Scan Pattern (cloud-based) TBL 21474.300.40 / (agent) 18.353.00, the known malicious components associated with this issue are detected as:
  - TrojanSpy.Win64.ICONICSTEALER.THCCABC (stealer payload)
Additional Information
While 3CX has communicated that it believes this was part of a sophisticated targeted attack with specific targets, and that the vast majority of systems with evidence of malicious code were not actually infected, we believe it is best to err on the side of caution, as the situation appears to be fluid.
Cybersecurity experts, including Trend Micro Research, continue to monitor and investigate, and to apply what is learned to additional recommendations for customers who believe they may have been impacted.
- In addition to replacing the affected installer and removing known malicious components from the network, customers are strongly advised to review any suspicious or irregular activity and/or communication, both internally and outbound from the network.
- If you have any reason to believe you may have been adversely impacted, consider updating critical credentials, including but not limited to applying 2FA where applicable and changing key passwords.
Trend Micro will continue to provide updates and additional recommendations and guidance as more information becomes available.
- Trend Micro Blog - Developing Story: Information on Attacks Involving 3CX Desktop App (Includes IOCs and blocked domains)
- 3CX DesktopApp Security Alert