On March 30, cybersecurity firm CrowdStrike reported that it had observed a digital attack on users of the software package 3CX. This is a so-called supply chain attack, in which a software vendor's distribution and/or update channels are abused to distribute rogue software.
3CX is a widely used and comprehensive Voice-over-IP (VoIP) software solution for businesses, used by telephone exchanges, among others. NFIR advises users of this software to take immediate action. The attack has been assigned the CVE number CVE-2023-29059.
Product | Platform
3CX version 18.12.407, 18.12.416 | Electron Windows
3CX version 18.11.1213 | Electron MacOS 18.11
3CX version 18.12.402, 18.12.407, 18.12.416 | Electron MacOS 18.12
What potential impact does this 3CX vulnerability have?
The following commands allow you to establish the presence of 3CX on devices within your organization:
Windows systems
# Check whether the 3CX desktop application process is currently running
Get-WmiObject -Class Win32_Process -Filter "Name='3CXDesktopApp.exe'"
# Check the Windows registry for an installed "3CX Desktop App" entry.
# The registry path was garbled in the original; the standard Uninstall keys are used here,
# including the per-user hive because the Electron desktop app is normally installed per user.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '3CX Desktop App*' }
# Check 3CX user profiles. The path was garbled in the original; the per-user
# install location of the Electron app is assumed here (returns True if any user has it).
Test-Path -Path 'C:\Users\*\AppData\Local\Programs\3CXDesktopApp'
MacOS systems
# Check for the 3CX application bundle in /Applications
ls '/Applications' | grep '3CX'
# Check each user's Application Support folder for the 3CX desktop data directory.
# The path contains a space, so it must be quoted; because a glob does not expand
# inside quotes, loop over the user home directories instead of testing one pattern.
for d in /Users/*/"Library/Application Support/3CXDesktop App"; do
  if [ -d "$d" ]; then echo "3CXDesktop exists: $d"; fi
done
How is the 3CX vulnerability detectable?
Domain names (indicators of compromise, defanged with [.]):
akamaicontainer[.]com
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
dunamistrd[.]com
glcloudservice[.]com
qwepoi123098[.]com
sbmsa[.]wiki
sourceslabs[.]com
visualstudiofactory[.]com
msedgepackageinfo[.]com
msstorageazure[.]com
msstorageboxes[.]com
officeaddons[.]com
officestoragebox[.]com
pbxcloudeservices[.]com
pbxphonenetwork[.]com
zacharryblogs[.]com
pbxsources[.]com
journalide[.]org
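The two pieces of information above, the affected-version table and the list of IoC domains, are most useful when they are checked mechanically against an inventory and against DNS logs. The following Python script is an added example written for this page; it is not NFIR's or 3CX's own tooling. It encodes the advisory's version table and domain list, refangs the defanged domains, and scans a DNS query log for queries to an IoC domain or any subdomain of one. The DNS log format (timestamp, client address, the word "query", queried name) and the sample log lines are constructed for the example; adapt the regular expression to your resolver's actual log format.

```python
import re

# Affected 3CX desktop builds as listed in the advisory's Product / Platform table.
# The two MacOS rows are merged under one platform key.
AFFECTED_BUILDS = {
    "Electron Windows": {"18.12.407", "18.12.416"},
    "Electron MacOS": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

# IoC domains from the advisory, defanged with "[.]" so that reports cannot be clicked.
IOC_DOMAINS_DEFANGED = [
    "akamaicontainer[.]com", "akamaitechcloudservices[.]com", "azuredeploystore[.]com",
    "azureonlinecloud[.]com", "azureonlinestorage[.]com", "dunamistrd[.]com",
    "glcloudservice[.]com", "qwepoi123098[.]com", "sbmsa[.]wiki", "sourceslabs[.]com",
    "visualstudiofactory[.]com", "msedgepackageinfo[.]com", "msstorageazure[.]com",
    "msstorageboxes[.]com", "officeaddons[.]com", "officestoragebox[.]com",
    "pbxcloudeservices[.]com", "pbxphonenetwork[.]com", "zacharryblogs[.]com",
    "pbxsources[.]com", "journalide[.]org",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-case hostname."""
    return domain.replace("[.]", ".").strip().lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def is_affected_build(platform: str, version: str) -> bool:
    """True if the installed (platform, version) pair appears in the advisory's table."""
    return version.strip() in AFFECTED_BUILDS.get(platform, set())


def match_ioc_domain(qname: str):
    """Return the IoC matched by a queried name, or None.

    A name matches when it equals an IoC or is a subdomain of one
    ("cdn.msstorageazure.com"). A mere suffix overlap such as
    "notmsstorageazure.com" does not match because of the leading-dot check.
    """
    name = qname.strip().rstrip(".").lower()
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


# Constructed sample DNS query log: timestamp, client, literal "query", queried name.
# These lines are made up for this example and are not real data.
SAMPLE_DNS_LOG = """\
2023-03-30T09:12:01Z 10.0.0.15 query www.example.com.
2023-03-30T09:12:05Z 10.0.0.15 query akamaicontainer.com.
2023-03-30T09:13:11Z 10.0.0.22 query cdn.msstorageazure.com.
2023-03-30T09:14:02Z 10.0.0.22 query notmsstorageazure.com.
2023-03-30T09:15:40Z 10.0.0.31 query SBMSA.WIKI.
"""

# Assumed log line layout; change this to fit your resolver's log format.
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def scan_dns_log(text: str) -> list:
    """Return (timestamp, client, queried name, matched IoC) for every hit, in log order."""
    hits = []
    for line in text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ioc = match_ioc_domain(m.group("qname"))
        if ioc:
            hits.append((m.group("ts"), m.group("client"), m.group("qname"), ioc))
    return hits


if __name__ == "__main__":
    print("affected build:", is_affected_build("Electron Windows", "18.12.407"))
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("IoC hit:", hit)
```

Running the script against the constructed log reports three hits (the exact domain, the subdomain and the upper-case query) and correctly ignores the look-alike suffix. A hit identifies a client that asked for the domain, which is a lead for the forensic examination recommended below, not proof of compromise on its own.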
Is there an action plan that your organization can follow?
It is important for your organization to take at least the following steps:
- Check publicly available Indicators-of-Compromise (IoCs) on your systems to determine if any systems may have been compromised, or have external preventive research performed on your systems.
- In line with the NCSC's advice, NFIR advises removing the rogue versions of the 3CX software and waiting until a "safe" version is published by the software vendor; in the meantime, 3CX recommends using the PWA variant of the application (see 3CX Security Alert for Electron Windows App | Desktop App).
- Prepare your organization for the situation when patches need to be executed unexpectedly (outside the regular update timeframes) and apply patches in a controlled manner according to the procedure usual for your organization.
- If your organization is using 3CX, NFIR recommends always having forensics performed to determine if your environment has been compromised.
Do you have systems where the risk is high (for example, systems holding very sensitive or special categories of personal data), and are there indications that such a system cannot be mitigated and/or updated immediately? Then consider temporarily disabling the system until it can be updated.
What should your organization do in case of potential abuse?
If your organization is suspected to have been the victim of an attack, the urgent advice is to have an investigation conducted into the cause, into the extent to which attackers may have compromised other systems, and into what information may have been accessed without authorization.
- If possible, disconnect affected systems from the network, but leave them powered on, so that volatile traces such as the contents of memory (RAM) are preserved;
- Have the affected systems forensically examined; ensure adequate backups;
- Reset your passwords and user data;
- Report to the Police;
- Consider filing a report with the Personal Data Authority.
Does your organization currently have an incident? Our Computer Emergency Response Teams (CERT) are available to organizations 24/7 to support IT Security Incidents. Then call 088 133 0700 and we will do our best to help you as soon as possible.
Disclaimer: NFIR has made every effort to make this information accurate and reliable. However, the information provided is without any guarantee of any kind and its use is entirely at the risk of the user. NFIR assumes no responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided.