Supply Chain Attack on 3CX: digital attack on popular enterprise VoIP software. (CVE-2023-29059)


On March 30, cybersecurity firm CrowdStrike said it had observed a digital attack on users of the software package 3CX. This is a supply chain attack, in which a software vendor's distribution and/or update channels are abused to distribute rogue software.

3CX is a widely used and comprehensive Voice-over-IP (VoIP) software solution for businesses, used by telephone exchanges, among others. NFIR advises users of this software to take immediate action. The attack has been assigned the CVE number CVE-2023-29059.

The affected versions of the 3CX VoIP product involve at least the following:

| Product | Platform |
| --- | --- |
| 3CX version 18.12.407, 3CX version 18.12.416 | Electron Windows |
| 3CX version 18.11.1213 | Electron MacOS 18.11 |
| 3CX version 18.12.402, 3CX version 18.12.407, 3CX version 18.12.416 | Electron MacOS 18.12 |

NFIR recommends determining whether rogue versions of 3CX as described above are present on systems within your organization. The rogue versions are distributed by a rogue piece of software in 3CX Desktop App update 7. This update has been available since the end of March 2023, according to 3CX. If you detect an infected version, NFIR recommends incident response & digital forensics.

The following commands allow you to establish the presence of 3CX on devices within your organization:

Windows systems

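# Check whether there is an active process related to 3CX

Get-WmiObject -Class Win32_Process -Filter "Name='3CXDesktopApp.exe'"

# Check the Windows registry for an installed 3CX Desktop App
# (assumption: the standard Windows uninstall key, which holds the DisplayName values filtered on here)

Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '3CX Desktop App' }

# Check the user profiles for 3CX.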

Test-Path -Path C:C:C.


MacOS systems

# Check for presence of program on macOS in /Applications

ls '/Applications' | grep '3CX'

# Checking for the presence of a folder within Application support folder

for d in /Users/*/Library/"Application Support"/"3CXDesktop App"/; do [ -d "$d" ] && echo "3CXDesktop exists: $d"; done
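
Presence alone does not say whether an installed copy is one of the affected builds. The following added example (not NFIR's or 3CX's own code) reads the version of every `*3CX*.app` bundle and compares it with the macOS versions listed in the table above; it assumes the bundle's `CFBundleShortVersionString` carries that version number, and the function names are hypothetical.

```shell
#!/bin/sh
# Affected macOS versions, copied from the table in this advisory.
AFFECTED_MACOS="18.11.1213 18.12.402 18.12.407 18.12.416"

# Succeeds when the version string is one of the affected macOS versions.
is_affected_macos() {
    for v in $AFFECTED_MACOS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Print CFBundleShortVersionString from an Info.plist. PlistBuddy (macOS) also
# reads binary plists; the sed fallback only handles XML plists.
bundle_version() {
    if [ -x /usr/libexec/PlistBuddy ]; then
        /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$1" 2>/dev/null
    else
        sed -n '/<key>CFBundleShortVersionString<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1"
    fi
}

# scan_3cx_apps [DIR]: one line per *3CX*.app bundle in DIR (default /Applications).
# Returns 1 when at least one bundle carries an affected version.
scan_3cx_apps() {
    root=${1:-/Applications}
    rc=0
    for plist in "$root"/*3CX*.app/Contents/Info.plist; do
        [ -f "$plist" ] || continue
        app=${plist%/Contents/Info.plist}
        ver=$(bundle_version "$plist") || ver=""
        if [ -z "$ver" ]; then
            echo "unknown - $app"
        elif is_affected_macos "$ver"; then
            echo "AFFECTED $ver $app"
            rc=1
        else
            echo "not-listed $ver $app"
        fi
    done
    return $rc
}

# Run the scan only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--scan" ]; then scan_3cx_apps; fi
```

A `not-listed` result only means the version is not in the table above; the advisory states that the table covers at least those versions.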

Based on publicly available information, at least the following rogue domain names have been identified:
NFIR recommends configuring the above domain names within IDS/IPS/EDR solutions as detection rules. This is an ongoing situation in which new indicators of an infection may become available. If you suspect you have been affected by this supply-chain attack, NFIR advises you to have incident response & forensic investigations done into whether your systems have been affected.
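
Besides live detection rules, the same indicator list can be run over DNS logs that were already collected. The following added example (not NFIR's code) converts a defanged list in the `name[.]tld` notation, with several names per line allowed, and prints the log lines whose queried name is a listed domain or a subdomain of one; the log layout, function names and all domains in the demo are constructed placeholders.

```shell
#!/bin/sh
# Assumed log format (constructed): "<timestamp> <client-ip> <queried-name> <type>".

# Read a defanged list on stdin ("name[.]tld", several per line allowed)
# and write lowercase, real domain names.
refang() {
    tr 'A-Z' 'a-z' | sed 's/\[\.\]/./g'
}

# match_iocs IOC_FILE LOG_FILE [NAME_COLUMN]
# Prints log lines whose queried name is a listed domain or a subdomain of one.
match_iocs() {
    refang < "$1" | awk -v col="${3:-3}" '
        NR == FNR { for (i = 1; i <= NF; i++) ioc[$i] = 1; next }
        {
            name = tolower($col)
            sub(/\.$/, "", name)              # drop the trailing root dot
            while (name != "") {
                if (name in ioc) { print; break }
                # strip the leftmost label; stop when no dot is left
                if (!sub(/^[^.]*\./, "", name)) break
            }
        }' - "$2"
}

# Demo on constructed data; these domains are placeholders, not real indicators.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'rogue-cdn[.]example rogue-store[.]example' \
        'pbx-mirror[.]example' > "$dir/iocs.txt"
    cat > "$dir/dns.log" <<'EOF'
2023-03-30T09:00:01Z 10.0.0.5 www.example.org A
2023-03-30T09:00:02Z 10.0.0.7 rogue-cdn.example. A
2023-03-30T09:00:03Z 10.0.0.7 notrogue-cdn.example A
2023-03-30T09:00:04Z 10.0.0.9 Update.PBX-Mirror.example AAAA
EOF
    match_iocs "$dir/iocs.txt" "$dir/dns.log"
    rm -rf "$dir"
}
```

Matching label by label rather than by substring reports the subdomain `Update.PBX-Mirror.example` while leaving the unrelated `notrogue-cdn.example` alone.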

It is important for your organization to take at least the following steps:

  1. Check publicly available Indicators-of-Compromise (IoCs) on your systems to determine if any systems may have been compromised, or have an external preventive investigation performed on your systems.
    1. Following the advice of the NCSC, NFIR advises removing the rogue versions of the 3CX software and waiting until a "safe" version is published by the software vendor. In the meantime, 3CX recommends using the PWA variant of the application (see: 3CX Security Alert for Electron Windows App | Desktop App).
  2. Prepare your organization for the situation in which patches need to be applied unexpectedly (outside the regular update timeframes), and apply patches in a controlled manner according to your organization's usual procedure.
  3. If your organization is using 3CX, NFIR recommends always having forensics performed to determine if your environment has been compromised.

Do you have systems where the risk is high (for example, systems with very sensitive or special personal data)? If so, do you possibly have indications that the system cannot be mitigated and/or updated immediately? Then consider temporarily disabling the system until it can be updated.

If your organization is suspected to have been the victim of an attack, the urgent advice is to have an investigation conducted into the cause, the extent to which attackers may have compromised other systems, and what information may have been accessed without authorization.

  1. If possible, disconnect affected systems from the network, but leave them powered on (to preserve traces such as volatile memory, i.e. RAM);
  2. Have the affected systems forensically examined; ensure adequate backups;
  3. Reset your passwords and user data;
  4. Report to the Police;
  5. Consider filing a report with the Personal Data Authority.

Does your organization currently have an incident? Our Computer Emergency Response Teams (CERT) are available to organizations 24/7 to support IT Security Incidents.
Then call 088 133 0700 and we will do our best to help you as soon as possible.

Learn more about our Incident Response Service


Disclaimer: NFIR has made every effort to make this information accurate and reliable. However, the information provided is without any guarantee of any kind and its use is entirely at the risk of the user. NFIR assumes no responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided.