Preventing the Exploitation of 3CX

2 min. read | Last update: 03.30.2023
This is a developing situation, and we will continue to update this article as more information is made available.

 What is the 3CX Exploitation?  

There is known exploitation of the 3CXDesktopApp, which is beaconing out to malicious FQDNs.

From 3CX: 3CX Security Alert for Electron Windows App | Desktop App

ThreatLocker Recommendations

 ThreatLocker has created two suggested policies for this vulnerability.  

Customers who use 3CX should add these suggested policies to their 3CX application definitions.

  1. 3CX [Reported] (Built-In): contains these two versions of the desktop app, 18.12.407 and 18.12.416, and blocks the malicious SHA256 hashes.

The malicious files have been identified by their SHA256 hashes.

  • SHA256 Hash: dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
  • Operating System: Windows
  • Installer SHA256 Hash: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
  • File Name: 3cxdesktopapp-18.12.407.msi

  • SHA256 Hash: fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
  • Operating System: Windows
  • Installer SHA256 Hash: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
  • File Name: 3cxdesktopapp-18.12.416.msi

 To add this policy: 

  1. Open Add Suggested Policies 
  2. Select the first policy in the list; it should be 3CX [Reported] (Built-In)
  3. Click Add Suggested Policies 
  4. Deploy the policy by clicking the “Click to Deploy Policies” button  

     


 2. 3CX Phone Systems (Ringfenced): This policy adds extensive Ringfencing to the 3CX app, stopping it from interacting with nearly all other system locations.

 *Remember to permit needed FQDNs prior to pressing “Click to Deploy Policies” or your VOIP systems will be Ringfenced and blocked. Additionally, we encourage diligent monitoring of network activity to add exclusions as needed.  

To add this policy:

  1. Click the Add Suggested Policies button 
  2. Select 3CXPhone System (Ringfenced) 
  3. Click Add Suggested Policies 
  4. Deploy by clicking “Click to Deploy Policies”  
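
To confirm whether any of the four SHA256 hashes listed above are already present on an endpoint, a file sweep such as the following can be run. This is an added example, not ThreatLocker's or 3CX's own code; the function name `Find-ReportedFile` and the default values of `$Root` and `$Include` are assumptions to adjust for your environment.

```powershell
# Added example: sweep directories for the SHA256 hashes reported in this article.
param(
    # Assumption: where to look; point this at the locations used on your endpoints.
    [string[]]$Root = @($env:USERPROFILE),
    # Assumption: file types worth hashing; widen the list if needed.
    [string[]]$Include = @('*.msi', '*.exe', '*.dll')
)

# Hash values copied from the article; labels follow the article's wording.
$Reported = @{
    'dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc' = '18.12.407 (SHA256 Hash)'
    'aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868' = '18.12.407 (Installer SHA256 Hash, 3cxdesktopapp-18.12.407.msi)'
    'fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405' = '18.12.416 (SHA256 Hash)'
    '59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983' = '18.12.416 (Installer SHA256 Hash, 3cxdesktopapp-18.12.416.msi)'
}

# Hypothetical helper: hashes each candidate file and emits one object per match.
function Find-ReportedFile {
    param([string[]]$Path, [string[]]$Filter, [hashtable]$Known)
    Get-ChildItem -Path $Path -Recurse -File -Include $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                # Get-FileHash returns upper-case hex; normalise before the lookup.
                $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash.ToLowerInvariant()
            } catch {
                # Locked or unreadable file: surface it instead of skipping silently.
                Write-Warning "Could not hash $($file.FullName): $($_.Exception.Message)"
                return   # inside ForEach-Object this moves on to the next file
            }
            if ($Known.ContainsKey($hash)) {
                [pscustomobject]@{ Path = $file.FullName; SHA256 = $hash; Reported = $Known[$hash] }
            }
        }
}

$hits = @(Find-ReportedFile -Path $Root -Filter $Include -Known $Reported)
if ($hits.Count -gt 0) {
    $hits | Format-List
    exit 1   # non-zero exit so a scheduled task or management tool can alert on a match
}
Write-Output "No reported hashes found under: $($Root -join ', ')"
```

A clean result only covers the directories and file types that were swept, so it does not replace the blocking policy above.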


 External Resources 

3CX Security Alert for Electron Windows App | Desktop App 

Threat alerts from SentinelOne for desktop update initiated from desktop client | Page5 | 3CX Forums 

// 2023-03-29 // SITUATIONAL AWARENESS // CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers // : crowdstrike (reddit.com) 

  

Please reach out to a Cyber Hero for more information.
